[NET-9500] Cleanup orphaned inline-certs and acl role/policy #4067
Conversation
oldBindingRules := make(map[string]*api.ACLBindingRule)

// here we need to find binding rules with the old name that have a matching selector to the new gateway specific binding rule
so another direction we could've gone down here is to fetch all the gateways and then for each gateway match it to a binding rule and if we match each gateway to a new binding rule then we can safely delete all the binding rules, definitely open to push back to change this to utilize that heuristic for deleting binding rules rather than what we have here (and we already fetch all the gateways for the inline cert cleanup so it's not like we don't need that data anyways)
Code looks fine but the test steps don't seem correct. Happy to re-review it with you before approval
repro steps should be fixed now! sorry about that!
client, err := consul.NewClientFromConnMgr(c.ConsulConfig, c.ServerMgr)
if err != nil {
	c.Logger.Error(err, "failed to create Consul client")
	continue
}
Do we need to recreate the client every 60s?
we do this for the cache code as well, every time the cache syncs we re-create the client so I wanted to mirror that functionality
// cleanupACLRoleAndPolicy deletes the old shared gateway ACL role and policy if they exist.
func (c Cleaner) cleanupACLRoleAndPolicy(client *api.Client) (bool, error) {
	existingRules, _, err := client.ACL().BindingRuleList(c.AuthMethod, &api.QueryOptions{})
Does this list for all namespaces?
Discussed on Slack that the gateway approach described below is probably more scalable in all use cases and would query directly whatever namespace the gateway resided in.
we also always write the binding-rules into the default namespace and partition https://github.com/hashicorp/consul-k8s/blob/main/control-plane/api-gateway/cache/consul.go#L557
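The selector-matching heuristic discussed in the first thread above (delete an old shared-role binding rule only when a newer gateway-specific rule covers the same selector), together with the "does anything still reference the shared role" check that must pass before the role and its policy are removed, as an added example. This is not code from consul-k8s or from this PR: the `BindingRule` struct is a local stand-in for the handful of `api.ACLBindingRule` fields involved, and the auth method name, selectors and per-gateway role names are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// BindingRule is a local stand-in for the few api.ACLBindingRule fields the
// cleanup needs (assumption: same meaning as the Consul fields, not the
// consul/api type itself).
type BindingRule struct {
	ID         string
	AuthMethod string
	Selector   string // which logins the rule matches, e.g. a service account name/namespace
	BindName   string // the ACL role a matching login is bound to
}

const (
	authMethod  = "consul-k8s-auth-method"  // hypothetical auth method name
	oldRoleName = "managed-gateway-acl-role" // the shared role this PR cleans up
)

// SampleRules is constructed data: gateway-a and gateway-b already have a
// per-gateway rule alongside the old shared one, gateway-c only has the shared rule.
func SampleRules() []BindingRule {
	sel := func(gw string) string {
		return "serviceaccount.name==" + gw + " and serviceaccount.namespace==default"
	}
	return []BindingRule{
		{ID: "old-a", AuthMethod: authMethod, Selector: sel("gateway-a"), BindName: oldRoleName},
		{ID: "new-a", AuthMethod: authMethod, Selector: sel("gateway-a"), BindName: oldRoleName + "-gateway-a"},
		{ID: "old-b", AuthMethod: authMethod, Selector: sel("gateway-b"), BindName: oldRoleName},
		{ID: "new-b", AuthMethod: authMethod, Selector: sel("gateway-b"), BindName: oldRoleName + "-gateway-b"},
		{ID: "old-c", AuthMethod: authMethod, Selector: sel("gateway-c"), BindName: oldRoleName},
	}
}

// OrphanedBindingRules returns, sorted, the IDs of rules under method that
// bind to oldRole and whose selector is also covered by a rule bound to some
// other role. A shared rule with no replacement is kept: deleting it would
// revoke the only login path that gateway has.
func OrphanedBindingRules(rules []BindingRule, method, oldRole string) []string {
	replaced := map[string]bool{}
	for _, r := range rules {
		if r.AuthMethod == method && r.BindName != oldRole {
			replaced[r.Selector] = true
		}
	}
	var ids []string
	for _, r := range rules {
		if r.AuthMethod == method && r.BindName == oldRole && replaced[r.Selector] {
			ids = append(ids, r.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

// SharedRoleStillReferenced reports whether any rule not in deleted, under
// any auth method, still binds to oldRole. While this is true the role (and
// the policy attached to it) must be left in place.
func SharedRoleStillReferenced(rules []BindingRule, oldRole string, deleted []string) bool {
	gone := make(map[string]bool, len(deleted))
	for _, id := range deleted {
		gone[id] = true
	}
	for _, r := range rules {
		if r.BindName == oldRole && !gone[r.ID] {
			return true
		}
	}
	return false
}

func main() {
	rules := SampleRules()
	orphans := OrphanedBindingRules(rules, authMethod, oldRoleName)
	fmt.Println("binding rules safe to delete:", orphans)
	fmt.Println("shared role still referenced:", SharedRoleStillReferenced(rules, oldRoleName, orphans))
}
```

With the sample data only `old-a` and `old-b` are reported as deletable, and the shared role is still referenced by `old-c`, so a cleaner built this way would leave the role and policy alone until gateway-c has its own rule. The role check deliberately ignores the auth method filter: a rule under any method that still binds to the role is a reason not to delete it.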
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* add cleanup goroutine to handle cleaning up old acl roles and inline certs
* added first unit test
* added more tests
* fixing binding rule deleting
* linting
* added tests and cleaned up
* Update control-plane/api-gateway/binding/cleanup.go
  Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* Update control-plane/api-gateway/binding/cleanup.go
  Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* Update control-plane/api-gateway/binding/cleanup.go
  Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* Update control-plane/api-gateway/binding/cleanup_test.go
  Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* Increase sleep time
---------
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
…4125)
* add cleanup goroutine to handle cleaning up old acl roles and inline certs
* added first unit test
* added more tests
* fixing binding rule deleting
* linting
* added tests and cleaned up
* Update control-plane/api-gateway/binding/cleanup.go
* Update control-plane/api-gateway/binding/cleanup.go
* Update control-plane/api-gateway/binding/cleanup.go
* Update control-plane/api-gateway/binding/cleanup_test.go
* Increase sleep time
---------
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

…4124)
* add cleanup goroutine to handle cleaning up old acl roles and inline certs
* added first unit test
* added more tests
* fixing binding rule deleting
* linting
* added tests and cleaned up
* Update control-plane/api-gateway/binding/cleanup.go
* Update control-plane/api-gateway/binding/cleanup.go
* Update control-plane/api-gateway/binding/cleanup.go
* Update control-plane/api-gateway/binding/cleanup_test.go
* Increase sleep time
---------
Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Changes proposed in this PR
How I've tested this PR
Run/Write tests
Manual Testing:
1. 8501 to the consul server instance
2. consul acl role list, and you will see the shared "managed-gateway-acl-role"
3. consul acl policy list, and you will see the shared "api-gateway-token-policy"
4. consul acl binding-rule list, and you will see the shared binding-rules referencing both managed-gateway-acl-role
5. consul config list -kind inline-certificate, and you will see an inline certificate listed
6. consul_values.yaml: uncomment lines 3 and 4 and comment lines 4 and 5 (also make sure you build consul-k8s from this branch and have an up to date build of main of consul)
7. export CONSUL_K8S_CHARTS_LOCATION="$HOME/hashi/consul-k8s/charts/consul", and replace the value being set with the location of the helm charts in your local copy of consul-k8s
8. helm upgrade --install consul $CONSUL_K8S_CHARTS_LOCATION -f ./consul_values.yaml -n consul --create-namespace --wait, to install the new version of consul-k8s that you built
9. consul acl role list, and you will not see the shared "managed-gateway-acl-role"
10. consul acl policy list, and you will not see the shared "api-gateway-token-policy"
11. consul acl binding-rule list, and you will not see the shared binding-rules referencing managed-gateway-acl-role
12. consul config list -kind inline-certificate, and you will see no inline certificates listed

How I expect reviewers to test this PR
read the code
run the tests
do the above steps
Checklist