Reduce the access scope to specific instance

openshift · Jan 30, 2024 · 275e1fb · 275e1fb
1 parent 7079912
commit 275e1fb
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 12 deletions.
diff --git a/cmd/infra/powervs/create.go b/cmd/infra/powervs/create.go
@@ -344,10 +344,6 @@ func (infra *Infra) SetupInfra(ctx context.Context, options *CreateInfraOptions)
 		return fmt.Errorf("error setup base domain: %w", err)
 	}
 
-	if err = infra.setupSecrets(options); err != nil {
-		return fmt.Errorf("error setup secrets: %w", err)
-	}
-
 	gtag, err := globaltaggingv1.NewGlobalTaggingV1(&globaltaggingv1.GlobalTaggingV1Options{Authenticator: getIAMAuth()})
 	if err != nil {
 		return err
@@ -388,28 +384,43 @@ func (infra *Infra) SetupInfra(ctx context.Context, options *CreateInfraOptions)
 		return fmt.Errorf("cloud connection is not up: %w", err)
 	}
 
+	if err = infra.setupSecrets(options); err != nil {
+		return fmt.Errorf("error setup secrets: %w", err)
+	}
+
 	log(options.InfraID).Info("Setup infra completed in", "duration", time.Since(startTime).String())
 	return nil
 }
 
 // setupSecrets generate secrets for control plane components
 func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
 	var err error
+	var powerVsCloudInstanceID string
+
+	if options.CloudInstanceID != "" {
+		powerVsCloudInstanceID = options.CloudInstanceID
+	} else if infra.CloudInstanceID != "" {
+		powerVsCloudInstanceID = infra.CloudInstanceID
+	} else {
+		return fmt.Errorf("error setup secrets: unable to limit access scope to instance level: cloud instance not found")
+	}
 
 	if options.RecreateSecrets {
-		deleteSecrets(options.Name, options.Namespace, infra.AccountID, infra.ResourceGroupID)
+		deleteSecrets(options.Name, options.Namespace, powerVsCloudInstanceID, infra.AccountID, infra.ResourceGroupID)
 	}
 
 	log(infra.ID).Info("Creating Secrets ...")
 
 	infra.Secrets = Secrets{}
 
+	kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, powerVsCloudInstanceID)
 	infra.Secrets.KubeCloudControllerManager, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
 		kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, options.Namespace)
 	if err != nil {
 		return fmt.Errorf("error setup kube cloud controller manager secret: %w", err)
 	}
 
+	nodePoolManagementCR = updateCRYaml(nodePoolManagementCR, powerVsCloudInstanceID)
 	infra.Secrets.NodePoolManagement, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
 		nodePoolManagementCR, nodePoolManagementCreds, options.Namespace)
 	if err != nil {
@@ -422,6 +433,7 @@ func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
 		return fmt.Errorf("error setup ingress operator secret: %w", err)
 	}
 
+	storageOperatorCR = updateCRYaml(storageOperatorCR, powerVsCloudInstanceID)
 	infra.Secrets.StorageOperator, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
 		storageOperatorCR, storageOperatorCreds, options.Namespace)
 	if err != nil {

diff --git a/cmd/infra/powervs/destroy.go b/cmd/infra/powervs/destroy.go
@@ -180,11 +180,6 @@ func (options *DestroyInfraOptions) DestroyInfra(ctx context.Context, infra *Inf
 		log(options.InfraID).Error(err, "error deleting dns record from cis domain")
 	}
 
-	if err = deleteSecrets(options.Name, options.Namespace, accountID, resourceGroupID); err != nil {
-		errL = append(errL, fmt.Errorf("error deleting secrets: %w", err))
-		log(options.InfraID).Error(err, "error deleting secrets")
-	}
-
 	if err = deleteCOS(ctx, options, resourceGroupID); err != nil {
 		errL = append(errL, fmt.Errorf("error deleting cos buckets: %w", err))
 		log(options.InfraID).Error(err, "error deleting cos buckets")
@@ -218,6 +213,11 @@ func (options *DestroyInfraOptions) DestroyInfra(ctx context.Context, infra *Inf
 		}
 	}
 
+	if err = deleteSecrets(options.Name, options.Namespace, powerVsCloudInstanceID, accountID, resourceGroupID); err != nil {
+		errL = append(errL, fmt.Errorf("error deleting secrets: %w", err))
+		log(options.InfraID).Error(err, "error deleting secrets")
+	}
+
 	var session *ibmpisession.IBMPISession
 	if !skipPowerVs {
 		session, err = createPowerVSSession(accountID, options.Region, options.Zone, options.Debug)
@@ -302,14 +302,16 @@ func deleteDNSRecords(ctx context.Context, options *DestroyInfraOptions) error {
 }
 
 // deleteSecrets delete secrets generated for control plane components
-func deleteSecrets(name, namespace, accountID string, resourceGroupID string) error {
+func deleteSecrets(name, namespace, CloudInstanceID string, accountID string, resourceGroupID string) error {
 
+	kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, CloudInstanceID)
 	err := deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
 		kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, namespace)
 	if err != nil {
 		return fmt.Errorf("error deleting kube cloud controller manager secret: %w", err)
 	}
 
+	nodePoolManagementCR = updateCRYaml(nodePoolManagementCR, CloudInstanceID)
 	err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
 		nodePoolManagementCR, nodePoolManagementCreds, namespace)
 	if err != nil {
@@ -322,6 +324,7 @@ func deleteSecrets(name, namespace, accountID string, resourceGroupID string) er
 		return fmt.Errorf("error deleting ingress operator secret: %w", err)
 	}
 
+	storageOperatorCR = updateCRYaml(storageOperatorCR, CloudInstanceID)
 	err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
 		storageOperatorCR, storageOperatorCreds, namespace)
 	if err != nil {

diff --git a/cmd/infra/powervs/service_id.go b/cmd/infra/powervs/service_id.go
@@ -2,9 +2,10 @@ package powervs
 
 import (
 	"fmt"
+	"strings"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/yaml"
-	"strings"
 
 	"github.com/IBM/platform-services-go-sdk/iamidentityv1"
 
@@ -44,6 +45,9 @@ spec:
     - attributes:
       - name: serviceName
         value: power-iaas
+      - name: serviceInstance
+        value: %s
+        operator: stringEquals
       roles:
       - crn:v1:bluemix:public:iam::::role:Viewer
       - crn:v1:bluemix:public:iam::::serviceRole:Reader
@@ -63,6 +67,9 @@ spec:
     - attributes:
       - name: serviceName
         value: power-iaas
+      - name: serviceInstance
+        value: %s
+        operator: stringEquals
       roles:
       - crn:v1:bluemix:public:iam::::serviceRole:Manager
       - crn:v1:bluemix:public:iam::::role:Editor
@@ -101,6 +108,9 @@ spec:
     - attributes:
       - name: serviceName
         value: power-iaas
+      - name: serviceInstance
+        value: %s
+        operator: stringEquals
       roles:
       - crn:v1:bluemix:public:iam::::serviceRole:Manager
       - crn:v1:bluemix:public:iam::::role:Editor
@@ -193,6 +203,10 @@ func extractServiceIDFromCRN(crn string) string {
 	return crnL[len(crnL)-1]
 }
 
+func updateCRYaml(crYaml, serviceInstanceValue string) string {
+	return fmt.Sprintf(crYaml, serviceInstanceValue)
+}
+
 // deleteServiceIDByCRN deletes serviceID passed via crn
 func deleteServiceIDByCRN(name string, apiKey string, crn string) error {
 	serviceID := extractServiceIDFromCRN(crn)