Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uui…

…d-unmigration
crobby · Aug 16, 2023 · 90f2ec1 · 90f2ec1
2 parents ffcec58 + b56138b
commit 90f2ec1
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 24 deletions.
diff --git a/cleanup/ad-guid-unmigration.sh b/cleanup/ad-guid-unmigration.sh
@@ -229,7 +229,19 @@ fi
 echo "$yaml" | kubectl apply -f -
 
 # Get the pod ID to tail the logs
-pod_id=$(kubectl --namespace=cattle-system get pod -l job-name=cattle-cleanup-job -o jsonpath="{.items[0].metadata.name}")
+retry_interval=1
+max_retries=10
+retry_count=0
+pod_id=""
+while [ $retry_count -lt $max_retries ]; do
+    pod_id=$(kubectl --namespace=cattle-system get pod -l job-name=cattle-cleanup-job -o jsonpath="{.items[0].metadata.name}")
+    if [ -n "$pod_id" ]; then
+        break
+    else
+        sleep $retry_interval
+        ((retry_count++))
+    fi
+done
 
 # 600 is equal to 5 minutes, because the sleep interval is 0.5 seconds
 job_start_timeout=600

diff --git a/pkg/agent/clean/adunmigration/ldap.go b/pkg/agent/clean/adunmigration/ldap.go
@@ -3,7 +3,6 @@ package adunmigration
 import (
 	"bytes"
 	"crypto/x509"
-	"encoding/json"
 	"fmt"
 	"os"
 	"regexp"
@@ -265,17 +264,9 @@ func updateADConfigMigrationStatus(status map[string]string, sc *config.ScaledCo
 		return err
 	}
 
-	authConfigJSON, err := json.Marshal(authConfigObj)
-	if err != nil {
-		return fmt.Errorf("failed to marshal authConfig object to JSON: %v", err)
-	}
-
-	// Create an empty unstructured object to hold the decoded JSON
-	storedADConfig := &unstructured.Unstructured{}
-
-	// Decode the JSON string into the unstructured object because mapstructure is dropping the metadata
-	if err := json.Unmarshal(authConfigJSON, storedADConfig); err != nil {
-		return fmt.Errorf("failed to unmarshal JSON into storedADConfig: %v", err)
+	storedADConfig, ok := authConfigObj.(*unstructured.Unstructured)
+	if !ok {
+		return fmt.Errorf("[%v] expected unstructured authconfig, got %T", migrateAdUserOperation, authConfigObj)
 	}
 
 	// Update annotations with migration status
@@ -284,7 +275,10 @@ func updateADConfigMigrationStatus(status map[string]string, sc *config.ScaledCo
 		annotations = make(map[string]string)
 	}
 	for annotation, value := range status {
-		annotations[adGUIDMigrationPrefix+annotation] = value
+		// We do not mirror the actual user lists to the AuthConfig
+		if annotation != migrateStatusSkipped && annotation != migrateStatusMissing {
+			annotations[adGUIDMigrationPrefix+annotation] = value
+		}
 	}
 	storedADConfig.SetAnnotations(annotations)
 

diff --git a/pkg/agent/clean/adunmigration/migrate.go b/pkg/agent/clean/adunmigration/migrate.go
@@ -8,6 +8,8 @@ package adunmigration
 import (
 	"context"
 	"fmt"
+	"strconv"
+	"strings"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -42,6 +44,7 @@ const (
 	AttributeObjectGUID       = "objectGUID"
 	migrateStatusSkipped      = "skippedUsers"
 	migrateStatusMissing      = "missingUsers"
+	migrateStatusCountSuffix  = "Count"
 	migrationStatusPercentage = "percentDone"
 	migrationStatusLastUpdate = "statusLastUpdated"
 )
@@ -487,13 +490,16 @@ func updateUnmigratedUsers(user string, status string, reset bool, sc *config.Sc
 	var currentList string
 	if reset {
 		delete(cm.Data, status)
+		delete(cm.Data, status+migrateStatusCountSuffix)
 	} else {
 		currentList = cm.Data[status]
 		if currentList == "" {
 			currentList = currentList + user
 		} else {
 			currentList = currentList + "," + user
 		}
+		count := strconv.Itoa(len(strings.Split(currentList, ",")))
+		cm.Data[status+migrateStatusCountSuffix] = count
 		cm.Data[status] = currentList
 	}
 

diff --git a/pkg/auth/providers/activedirectory/activedirectory_provider.go b/pkg/auth/providers/activedirectory/activedirectory_provider.go
@@ -41,6 +41,7 @@ const (
 	StatusMigrationFinishedWithMissing = "FinishedWithMissing"
 	StatusMigrationFailed              = "Failed"
 	StatusLoginDisabled                = "login is disabled while migration is running"
+	StatusACMigrationRunning           = "migration-ad-guid-migration-status"
 )
 
 var scopes = []string{UserScope, GroupScope}
@@ -92,21 +93,16 @@ func (p *adProvider) AuthenticateUser(ctx context.Context, input interface{}) (v
 		return v3.Principal{}, nil, "", errors.New("unexpected input type")
 	}
 
-	migrationConfigMap, err := p.configMaps.Get(StatusConfigMapNamespace, StatusConfigMapName)
-	if err != nil {
-		logrus.Infof("ad-guid-migration configmap does not exist, allowing logins by default: %v", err)
-	} else {
-		migrationStatus := migrationConfigMap.Data[StatusMigrationField]
-		if migrationStatus == StatusMigrationRunning {
-			return v3.Principal{}, nil, "", httperror.WrapAPIError(err, httperror.ClusterUnavailable, StatusLoginDisabled)
-		}
-	}
-
 	config, caPool, err := p.getActiveDirectoryConfig()
 	if err != nil {
 		return v3.Principal{}, nil, "", errors.New("can't find authprovider")
 	}
 
+	// If a migration is running, we need to block logins and indicate why we are doing so
+	if config.Annotations != nil && config.Annotations[StatusACMigrationRunning] == StatusMigrationRunning {
+		return v3.Principal{}, nil, "", httperror.WrapAPIError(err, httperror.ClusterUnavailable, StatusLoginDisabled)
+	}
+
 	principal, groupPrincipal, err := p.loginUser(login, config, caPool, false)
 	if err != nil {
 		return v3.Principal{}, nil, "", err