LOG-4369: Fix fluentd sts cloudwatch multiple roles release-5.7

openshift · Jul 19, 2023 · 12619ae · 12619ae
1 parent 368d2bb
commit 12619ae
Show file tree

Hide file tree

Showing 12 changed files with 73 additions and 53 deletions.
diff --git a/internal/collector/cloudwatch.go b/internal/collector/cloudwatch.go
@@ -11,19 +11,22 @@ import (
 )
 
 // Add volumes and env vars if output type is cloudwatch and role is found in the secret
-func addWebIdentityForCloudwatch(collector *v1.Container, podSpec *v1.PodSpec, forwarderSpec logging.ClusterLogForwarderSpec, secrets map[string]*v1.Secret) {
+func addWebIdentityForCloudwatch(collector *v1.Container, podSpec *v1.PodSpec, forwarderSpec logging.ClusterLogForwarderSpec, secrets map[string]*v1.Secret, collectorType logging.LogCollectionType) {
 	if secrets == nil {
 		return
 	}
 	for _, o := range forwarderSpec.Outputs {
-		// output secrets are keyed by output name
-		secret := secrets[o.Name]
 		if o.Type == logging.OutputTypeCloudwatch {
+			secret := secrets[o.Name]
 			if security.HasAwsRoleArnKey(secret) || security.HasAwsCredentialsKey(secret) {
 				log.V(3).Info("Found sts key in secret")
-				// Originally for fluentd and now for vector to use as well
 				AddWebIdentityTokenVolumes(collector, podSpec)
-				AddWebIdentityTokenEnvVars(collector, o, secret)
+				// LOG-4084 fluentd no longer setting env vars
+				if collectorType == logging.LogCollectionTypeVector {
+					log.V(3).Info("Found vector collector")
+					AddWebIdentityTokenEnvVars(collector, o, secret)
+				}
+				return
 			}
 		}
 	}
@@ -60,8 +63,7 @@ func AddWebIdentityTokenVolumes(collector *v1.Container, podSpec *v1.PodSpec) {
 // AddWebIdentityTokenEnvVars Appends web identity env vars based on attributes of the secret and forwarder spec
 func AddWebIdentityTokenEnvVars(collector *v1.Container, output logging.OutputSpec, secret *v1.Secret) {
 	// Necessary for vector to use sts
-	// Also updated fluentd config to read from these as env vars
-	log.V(3).Info("Adding env vars for sts Cloudwatch")
+	log.V(3).Info("Adding env vars for vector sts Cloudwatch")
 	collector.Env = append(collector.Env,
 		v1.EnvVar{
 			Name:  constants.AWSRegionEnvVarKey,

diff --git a/internal/collector/collector.go b/internal/collector/collector.go
@@ -161,7 +161,7 @@ func (f *Factory) NewPodSpec(trustedCABundle *v1.ConfigMap, forwarderSpec loggin
 
 	f.Visit(collector, podSpec)
 
-	addWebIdentityForCloudwatch(collector, podSpec, forwarderSpec, f.Secrets)
+	addWebIdentityForCloudwatch(collector, podSpec, forwarderSpec, f.Secrets, f.CollectorType)
 
 	podSpec.Containers = []v1.Container{
 		*collector,

diff --git a/internal/collector/collector_test.go b/internal/collector/collector_test.go
@@ -256,7 +256,7 @@ var _ = Describe("Factory#CollectorResourceRequirements", func() {
 	})
 })
 
-var _ = Describe("Factory#NewPodSpec Add Cloudwatch Resources", func() {
+var _ = Describe("Factory#NewPodSpec Add Cloudwatch STS Resources", func() {
 	var (
 		factory   *Factory
 		pipelines = []logging.PipelineSpec{
@@ -300,6 +300,15 @@ var _ = Describe("Factory#NewPodSpec Add Cloudwatch Resources", func() {
 			}
 			Fail(fmt.Sprintf("Expected collector to include env var '%s' with a value of '%s'", name, value))
 		}
+
+		// LOG-4084 fluentd no longer setting env vars
+		verifyNoLongerEnvVar = func(container v1.Container, name string) {
+			for _, elem := range container.Env {
+				if elem.Name == name {
+					Fail(fmt.Sprintf("Expected collector NOT to include env var '%s' with a value of '%s'", name, elem.Value))
+				}
+			}
+		}
 	)
 	Context("when collectorType is fluentd", func() {
 		BeforeEach(func() {
@@ -312,17 +321,17 @@ var _ = Describe("Factory#NewPodSpec Add Cloudwatch Resources", func() {
 		})
 		Context("when collector has a secret containing a credentials key", func() {
 
-			It("should find the AWS web identity env vars in the container", func() {
+			It("should NO LONGER be setting AWS ENV vars in the container", func() {
 				podSpec := *factory.NewPodSpec(nil, logging.ClusterLogForwarderSpec{
 					Outputs:   outputs,
 					Pipelines: pipelines,
 				}, "1234", "", tls.GetClusterTLSProfileSpec(nil))
 				collector := podSpec.Containers[0]
 
-				verifyEnvVar(collector, constants.AWSRegionEnvVarKey, outputs[0].OutputTypeSpec.Cloudwatch.Region)
-				verifyEnvVar(collector, constants.AWSRoleArnEnvVarKey, roleArn)
-				verifyEnvVar(collector, constants.AWSRoleSessionEnvVarKey, constants.AWSRoleSessionName)
-				verifyEnvVar(collector, constants.AWSWebIdentityTokenEnvVarKey, path.Join(constants.AWSWebIdentityTokenMount, constants.AWSWebIdentityTokenFilePath))
+				verifyNoLongerEnvVar(collector, constants.AWSRegionEnvVarKey)
+				verifyNoLongerEnvVar(collector, constants.AWSRoleArnEnvVarKey)
+				verifyNoLongerEnvVar(collector, constants.AWSRoleSessionEnvVarKey)
+				verifyNoLongerEnvVar(collector, constants.AWSWebIdentityTokenEnvVarKey)
 			})
 		})
 		Context("when collector has a secret containing a role_arn key", func() {
@@ -335,17 +344,17 @@ var _ = Describe("Factory#NewPodSpec Add Cloudwatch Resources", func() {
 					},
 				}
 			})
-			It("should find the AWS web identity env vars in the container", func() {
+			It("should NO LONGER be setting AWS ENV vars in the container", func() {
 				podSpec := *factory.NewPodSpec(nil, logging.ClusterLogForwarderSpec{
 					Outputs:   outputs,
 					Pipelines: pipelines,
 				}, "1234", "", tls.GetClusterTLSProfileSpec(nil))
 				collector := podSpec.Containers[0]
 
-				verifyEnvVar(collector, constants.AWSRegionEnvVarKey, outputs[0].OutputTypeSpec.Cloudwatch.Region)
-				verifyEnvVar(collector, constants.AWSRoleArnEnvVarKey, roleArn)
-				verifyEnvVar(collector, constants.AWSRoleSessionEnvVarKey, constants.AWSRoleSessionName)
-				verifyEnvVar(collector, constants.AWSWebIdentityTokenEnvVarKey, path.Join(constants.AWSWebIdentityTokenMount, constants.AWSWebIdentityTokenFilePath))
+				verifyNoLongerEnvVar(collector, constants.AWSRegionEnvVarKey)
+				verifyNoLongerEnvVar(collector, constants.AWSRoleArnEnvVarKey)
+				verifyNoLongerEnvVar(collector, constants.AWSRoleSessionEnvVarKey)
+				verifyNoLongerEnvVar(collector, constants.AWSWebIdentityTokenEnvVarKey)
 			})
 		})
 

diff --git a/internal/generator/fluentd/output/cloudwatch/aws.go b/internal/generator/fluentd/output/cloudwatch/aws.go
@@ -1,9 +1,11 @@
 package cloudwatch
 
 type AWSKey struct {
-	KeyIDPath     string
-	KeySecretPath string
-	KeyRoleArn    string
+	KeyIDPath           string
+	KeySecretPath       string
+	KeyRoleArn          string
+	KeyRoleSessionName  string
+	KeyWebIdentityToken string
 }
 
 func (a AWSKey) Name() string {
@@ -15,9 +17,9 @@ func (a AWSKey) Template() string {
 	if len(a.KeyRoleArn) > 0 {
 		return `{{define "` + a.Name() + `" -}}
 <web_identity_credentials>
-  role_arn "#{ENV['AWS_ROLE_ARN']}"
-  web_identity_token_file "#{ENV['AWS_WEB_IDENTITY_TOKEN_FILE']}"
-  role_session_name "#{ENV['AWS_ROLE_SESSION_NAME']}"
+  role_arn "{{ .KeyRoleArn }}"
+  web_identity_token_file "{{ .KeyWebIdentityToken }}"
+  role_session_name "{{ .KeyRoleSessionName }}"
 </web_identity_credentials>
 {{end}}`
 	}

diff --git a/internal/generator/fluentd/output/cloudwatch/cloudwatch.go b/internal/generator/fluentd/output/cloudwatch/cloudwatch.go
@@ -2,6 +2,7 @@ package cloudwatch
 
 import (
 	"fmt"
+	"path"
 	"regexp"
 	"strings"
 
@@ -106,7 +107,9 @@ func SecurityConfig(o logging.OutputSpec, secret *corev1.Secret) Element {
 	// First check for credentials or role_arn key, indicating a sts-enabled authentication
 	if security.HasAwsRoleArnKey(secret) || security.HasAwsCredentialsKey(secret) {
 		return AWSKey{
-			KeyRoleArn: ParseRoleArn(secret),
+			KeyRoleArn:          ParseRoleArn(secret),
+			KeyRoleSessionName:  constants.AWSRoleSessionName,
+			KeyWebIdentityToken: path.Join(constants.AWSWebIdentityTokenMount, constants.AWSWebIdentityTokenFilePath),
 		}
 	}
 	// Use ID and Secret

diff --git a/internal/generator/fluentd/output/cloudwatch/output_cloudwatch_test.go b/internal/generator/fluentd/output/cloudwatch/output_cloudwatch_test.go
@@ -1,6 +1,8 @@
 package cloudwatch
 
 import (
+	"github.com/openshift/cluster-logging-operator/internal/constants"
+	"path"
 	"testing"
 
 	"github.com/openshift/cluster-logging-operator/internal/generator/fluentd/elements"
@@ -341,8 +343,10 @@ var _ = Describe("Generating fluentd config for sts", func() {
 				Name: "my-secret",
 			},
 		}
-		roleArn = "arn:aws:iam::123456789012:role/my-role-to-assume"
-		secrets = map[string]*corev1.Secret{
+		roleArn              = "arn:aws:iam::123456789012:role/my-role-to-assume"
+		roleSessionName      = constants.AWSRoleSessionName
+		webIdentityTokenFile = path.Join(constants.AWSWebIdentityTokenMount, constants.AWSWebIdentityTokenFilePath)
+		secrets              = map[string]*corev1.Secret{
 			output.Secret.Name: {
 				Data: map[string][]byte{
 					"role_arn": []byte(roleArn),
@@ -408,9 +412,9 @@ var _ = Describe("Generating fluentd config for sts", func() {
     remove_log_group_name_key true
     concurrency 2
     <web_identity_credentials>
-	  role_arn "#{ENV['AWS_ROLE_ARN']}"
-	  web_identity_token_file "#{ENV['AWS_WEB_IDENTITY_TOKEN_FILE']}"
-	  role_session_name "#{ENV['AWS_ROLE_SESSION_NAME']}"
+	  role_arn "` + roleArn + `"
+	  web_identity_token_file "` + webIdentityTokenFile + `"
+	  role_session_name "` + roleSessionName + `"
     </web_identity_credentials>    
     include_time_key true
     log_rejected_request true
@@ -484,9 +488,9 @@ var _ = Describe("Generating fluentd config for sts", func() {
     remove_log_group_name_key true
     concurrency 2
     <web_identity_credentials>
-	  role_arn "#{ENV['AWS_ROLE_ARN']}"
-	  web_identity_token_file "#{ENV['AWS_WEB_IDENTITY_TOKEN_FILE']}"
-	  role_session_name "#{ENV['AWS_ROLE_SESSION_NAME']}"
+	  role_arn "` + roleArn + `"
+	  web_identity_token_file "` + webIdentityTokenFile + `"
+	  role_session_name "` + roleSessionName + `"
     </web_identity_credentials>    
     include_time_key true
     log_rejected_request true
@@ -554,9 +558,9 @@ var _ = Describe("Generating fluentd config for sts", func() {
     remove_log_group_name_key true
     concurrency 2
     <web_identity_credentials>
-	  role_arn "#{ENV['AWS_ROLE_ARN']}"
-	  web_identity_token_file "#{ENV['AWS_WEB_IDENTITY_TOKEN_FILE']}"
-	  role_session_name "#{ENV['AWS_ROLE_SESSION_NAME']}"
+	  role_arn "` + roleArn + `"
+	  web_identity_token_file "` + webIdentityTokenFile + `"
+	  role_session_name "` + roleSessionName + `"
     </web_identity_credentials>      
     include_time_key true
     log_rejected_request true
@@ -627,9 +631,9 @@ var _ = Describe("Generating fluentd config for sts", func() {
     remove_log_group_name_key true
     concurrency 2
     <web_identity_credentials>
-	  role_arn "#{ENV['AWS_ROLE_ARN']}"
-	  web_identity_token_file "#{ENV['AWS_WEB_IDENTITY_TOKEN_FILE']}"
-	  role_session_name "#{ENV['AWS_ROLE_SESSION_NAME']}"
+	  role_arn "` + roleArn + `"
+	  web_identity_token_file "` + webIdentityTokenFile + `"
+	  role_session_name "` + roleSessionName + `"
     </web_identity_credentials>     
     include_time_key true
     log_rejected_request true
@@ -649,7 +653,7 @@ var _ = Describe("Generating fluentd config for sts", func() {
 	})
 })
 
-func TestFluendConfGenerator(t *testing.T) {
+func TestFluentdConfGenerator(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Fluend Conf Generation")
+	RunSpecs(t, "Fluentd Conf Generation")
 }
diff --git a/internal/generator/fluentd/output/fluentdforward/fluentdforward_test.go b/internal/generator/fluentd/output/fluentdforward/fluentdforward_test.go
@@ -230,7 +230,7 @@ var _ = Describe("fluentd conf generation", func() {
 	)
 })
 
-func TestFluendConfGenerator(t *testing.T) {
+func TestFluentdConfGenerator(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Fluend Conf Generation")
+	RunSpecs(t, "Fluentd Conf Generation")
 }
diff --git a/internal/generator/fluentd/output/kafka/kafka_test.go b/internal/generator/fluentd/output/kafka/kafka_test.go
@@ -445,7 +445,7 @@ var _ = Describe("Generate fluentd config", func() {
 	)
 })
 
-func TestFluendConfGenerator(t *testing.T) {
+func TestFluentdConfGenerator(t *testing.T) {
 	RegisterFailHandler(Fail)
 	RunSpecs(t, "Fluentd Conf Generation")
 }
diff --git a/internal/generator/fluentd/output/loki/loki_conf_test.go b/internal/generator/fluentd/output/loki/loki_conf_test.go
@@ -314,7 +314,7 @@ var _ = Describe("[internal][generator][fluentd][output][loki] #Conf", func() {
 	)
 })
 
-func TestFluendConfGenerator(t *testing.T) {
+func TestFluentdConfGenerator(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Fluend Conf Generation")
+	RunSpecs(t, "Fluentd Conf Generation")
 }
diff --git a/internal/generator/fluentd/output/security/security_test.go b/internal/generator/fluentd/output/security/security_test.go
@@ -100,7 +100,7 @@ var _ = Describe("Helpers for outputLabelConf", func() {
 	})
 })
 
-func TestFluendConfGenerator(t *testing.T) {
+func TestFluentdConfGenerator(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Fluend Conf Generation")
+	RunSpecs(t, "Fluentd Conf Generation")
 }
diff --git a/internal/generator/fluentd/output/syslog/output_conf_syslog_test.go b/internal/generator/fluentd/output/syslog/output_conf_syslog_test.go
@@ -969,7 +969,7 @@ var _ = Describe("Generating external syslog server output store config blocks",
 	})
 })
 
-func TestFluendConfGenerator(t *testing.T) {
+func TestFluentdConfGenerator(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Fluend Conf Generation")
+	RunSpecs(t, "Fluentd Conf Generation")
 }
diff --git a/internal/generator/fluentd/suite_test.go b/internal/generator/fluentd/suite_test.go
@@ -7,7 +7,7 @@ import (
 	. "github.com/onsi/gomega"
 )
 
-func TestFluendConfGenerator(t *testing.T) {
+func TestFluentdConfGenerator(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Fluend Conf Generation")
+	RunSpecs(t, "Fluentd Conf Generation")
 }