From 275e1fbc440ba60283d9d4831c10d0700d8a6269 Mon Sep 17 00:00:00 2001
From: Neha Yadav
Date: Tue, 23 Jan 2024 19:16:46 +0530
Subject: [PATCH] Reduce the access scope to specific instance
---
 cmd/infra/powervs/create.go | 22 +++++++++++++++++-----
 cmd/infra/powervs/destroy.go | 15 +++++++++------
 cmd/infra/powervs/service_id.go | 16 +++++++++++++++-
 3 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/cmd/infra/powervs/create.go b/cmd/infra/powervs/create.go
index f9bd87e7b98..61180fe21a3 100644
--- a/cmd/infra/powervs/create.go
+++ b/cmd/infra/powervs/create.go
@@ -344,10 +344,6 @@ func (infra *Infra) SetupInfra(ctx context.Context, options *CreateInfraOptions)
 return fmt.Errorf("error setup base domain: %w", err)
 }
- if err = infra.setupSecrets(options); err != nil {
- return fmt.Errorf("error setup secrets: %w", err)
- }
-
 gtag, err := globaltaggingv1.NewGlobalTaggingV1(&globaltaggingv1.GlobalTaggingV1Options{Authenticator: getIAMAuth()})
 if err != nil {
 return err
@@ -388,6 +384,10 @@ func (infra *Infra) SetupInfra(ctx context.Context, options *CreateInfraOptions)
 return fmt.Errorf("cloud connection is not up: %w", err)
 }
+ if err = infra.setupSecrets(options); err != nil {
+ return fmt.Errorf("error setup secrets: %w", err)
+ }
+
 log(options.InfraID).Info("Setup infra completed in", "duration", time.Since(startTime).String())
 return nil
 }
@@ -395,21 +395,32 @@ func (infra *Infra) SetupInfra(ctx context.Context, options *CreateInfraOptions)
 // setupSecrets generate secrets for control plane components
 func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
 var err error
+ var powerVsCloudInstanceID string
+
+ if options.CloudInstanceID != "" {
+ powerVsCloudInstanceID = options.CloudInstanceID
+ } else if infra.CloudInstanceID != "" {
+ powerVsCloudInstanceID = infra.CloudInstanceID
+ } else {
+ return fmt.Errorf("error setup secrets: unable to limit access scope to instance level: cloud instance not found")
+ }
 if options.RecreateSecrets {
- deleteSecrets(options.Name, options.Namespace, infra.AccountID, infra.ResourceGroupID)
+ deleteSecrets(options.Name, options.Namespace, powerVsCloudInstanceID, infra.AccountID, infra.ResourceGroupID)
 }
 log(infra.ID).Info("Creating Secrets ...")
 infra.Secrets = Secrets{}
+ kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, powerVsCloudInstanceID)
 infra.Secrets.KubeCloudControllerManager, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID, kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, options.Namespace)
 if err != nil {
 return fmt.Errorf("error setup kube cloud controller manager secret: %w", err)
 }
+ nodePoolManagementCR = updateCRYaml(nodePoolManagementCR, powerVsCloudInstanceID)
 infra.Secrets.NodePoolManagement, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID, nodePoolManagementCR, nodePoolManagementCreds, options.Namespace)
 if err != nil {
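Review bot: The `kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, powerVsCloudInstanceID)` and `nodePoolManagementCR = updateCRYaml(...)` assignments in this hunk (and `storageOperatorCR` in the next hunk, plus the same pattern inside deleteSecrets in destroy.go) overwrite the package-level templates with the rendered string, so any second render in the same process finds no `%s` left and fmt.Sprintf appends `%!(EXTRA string=…)` to the policy YAML. That second render happens on this very path when options.RecreateSecrets is true: the new deleteSecrets call renders the templates first, then the three calls below render them again, so the YAML handed to setupServiceID no longer matches the intended policy. Render into a local instead, e.g. `kccmCR := updateCRYaml(kubeCloudControllerManagerCR, powerVsCloudInstanceID)` and pass `kccmCR` to setupServiceID, leaving the template untouched. Separately, the new `deleteSecrets(...)` call still discards its error, so a failed deletion leaves the previous service ID and its API key in place (with whatever scope it was created with) while a fresh one is minted — at minimum log it with `log(infra.ID).Error(err, "error deleting secrets")`. setupSecrets continues past the end of this hunk.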
@@ -422,6 +433,7 @@ func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
 return fmt.Errorf("error setup ingress operator secret: %w", err)
 }
+ storageOperatorCR = updateCRYaml(storageOperatorCR, powerVsCloudInstanceID)
 infra.Secrets.StorageOperator, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID, storageOperatorCR, storageOperatorCreds, options.Namespace)
 if err != nil {
diff --git a/cmd/infra/powervs/destroy.go b/cmd/infra/powervs/destroy.go
index 8b3734bfa07..c654f6cd13b 100644
--- a/cmd/infra/powervs/destroy.go
+++ b/cmd/infra/powervs/destroy.go
@@ -180,11 +180,6 @@ func (options *DestroyInfraOptions) DestroyInfra(ctx context.Context, infra *Inf
 log(options.InfraID).Error(err, "error deleting dns record from cis domain")
 }
- if err = deleteSecrets(options.Name, options.Namespace, accountID, resourceGroupID); err != nil {
- errL = append(errL, fmt.Errorf("error deleting secrets: %w", err))
- log(options.InfraID).Error(err, "error deleting secrets")
- }
-
 if err = deleteCOS(ctx, options, resourceGroupID); err != nil {
 errL = append(errL, fmt.Errorf("error deleting cos buckets: %w", err))
 log(options.InfraID).Error(err, "error deleting cos buckets")
@@ -218,6 +213,11 @@ func (options *DestroyInfraOptions) DestroyInfra(ctx context.Context, infra *Inf
 }
 }
+ if err = deleteSecrets(options.Name, options.Namespace, powerVsCloudInstanceID, accountID, resourceGroupID); err != nil {
+ errL = append(errL, fmt.Errorf("error deleting secrets: %w", err))
+ log(options.InfraID).Error(err, "error deleting secrets")
+ }
+
 var session *ibmpisession.IBMPISession
 if !skipPowerVs {
 session, err = createPowerVSSession(accountID, options.Region, options.Zone, options.Debug)
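Review bot: In the destroy.go hunk at @@ -218 the new deleteSecrets call passes `powerVsCloudInstanceID`, which is not declared anywhere in the hunk, and nothing visible guarantees it is non-empty on every path (the earlier part of DestroyInfra, including the `skipPowerVs` decision, is outside the hunk); an empty value would render the policy attribute as `value: ` and the deletion would be attempted against a scope that was never created. Service IDs created before this change were also created from templates without the serviceInstance attribute, so if deleteServiceID locates them via the rendered YAML rather than by name, a destroy after upgrading would skip those older, more broadly scoped service IDs and leave their API keys behind — presumably it matches by name, but that should be confirmed and stated in deleteSecrets' doc comment. A cheap guard here would be `if powerVsCloudInstanceID == "" { errL = append(errL, fmt.Errorf("error deleting secrets: cloud instance id is empty")) }` before calling deleteSecrets, so the failure is recorded instead of silently rendering an empty scope. DestroyInfra continues past the end of this hunk.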
@@ -302,14 +302,16 @@ func deleteDNSRecords(ctx context.Context, options *DestroyInfraOptions) error {
 }
 // deleteSecrets delete secrets generated for control plane components
-func deleteSecrets(name, namespace, accountID string, resourceGroupID string) error {
+func deleteSecrets(name, namespace, CloudInstanceID string, accountID string, resourceGroupID string) error {
+ kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, CloudInstanceID)
 err := deleteServiceID(name, cloudApiKey, accountID, resourceGroupID, kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, namespace)
 if err != nil {
 return fmt.Errorf("error deleting kube cloud controller manager secret: %w", err)
 }
+ nodePoolManagementCR = updateCRYaml(nodePoolManagementCR, CloudInstanceID)
 err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID, nodePoolManagementCR, nodePoolManagementCreds, namespace)
 if err != nil {
@@ -322,6 +324,7 @@ func deleteSecrets(name, namespace, accountID string, resourceGroupID string) er
 return fmt.Errorf("error deleting ingress operator secret: %w", err)
 }
+ storageOperatorCR = updateCRYaml(storageOperatorCR, CloudInstanceID)
 err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID, storageOperatorCR, storageOperatorCreds, namespace)
 if err != nil {
diff --git a/cmd/infra/powervs/service_id.go b/cmd/infra/powervs/service_id.go
index 76108dbaa0b..3141d1dae70 100644
--- a/cmd/infra/powervs/service_id.go
+++ b/cmd/infra/powervs/service_id.go
@@ -2,9 +2,10 @@ package powervs
 import (
 "fmt"
+ "strings"
+
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/util/yaml"
- "strings"
 "github.com/IBM/platform-services-go-sdk/iamidentityv1"
@@ -44,6 +45,9 @@ spec:
 - attributes:
 - name: serviceName
 value: power-iaas
+ - name: serviceInstance
+ value: %s
+ operator: stringEquals
 roles:
 - crn:v1:bluemix:public:iam::::role:Viewer
 - crn:v1:bluemix:public:iam::::serviceRole:Reader
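Review bot: The new parameter in the deleteSecrets signature is spelled `CloudInstanceID`, which reads as an exported identifier; Go parameters are lowerCamel, so `func deleteSecrets(name, namespace, cloudInstanceID, accountID, resourceGroupID string) error {` (the repeated `string` can collapse as well). The doc comment above the signature should also name the new input, e.g. `// deleteSecrets deletes the service IDs and secrets generated for control plane components, using policies scoped to cloudInstanceID.`, since callers now have to know that the ID selects which policy is matched. The `kubeCloudControllerManagerCR = updateCRYaml(...)`, `nodePoolManagementCR = ...` and `storageOperatorCR = ...` assignments reassign the package-level templates, which makes deleteSecrets non-idempotent within one process — a later call re-renders an already-rendered string and fmt.Sprintf appends `%!(EXTRA string=…)`; rendering into locals passed to deleteServiceID avoids that. deleteSecrets continues past the end of the second hunk.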
@@ -63,6 +67,9 @@ spec:
 - attributes:
 - name: serviceName
 value: power-iaas
+ - name: serviceInstance
+ value: %s
+ operator: stringEquals
 roles:
 - crn:v1:bluemix:public:iam::::serviceRole:Manager
 - crn:v1:bluemix:public:iam::::role:Editor
@@ -101,6 +108,9 @@ spec:
 - attributes:
 - name: serviceName
 value: power-iaas
+ - name: serviceInstance
+ value: %s
+ operator: stringEquals
 roles:
 - crn:v1:bluemix:public:iam::::serviceRole:Manager
 - crn:v1:bluemix:public:iam::::role:Editor
@@ -193,6 +203,10 @@ func extractServiceIDFromCRN(crn string) string {
 return crnL[len(crnL)-1]
 }
+func updateCRYaml(crYaml, serviceInstanceValue string) string {
+ return fmt.Sprintf(crYaml, serviceInstanceValue)
+}
+
 // deleteServiceIDByCRN deletes serviceID passed via crn
 func deleteServiceIDByCRN(name string, apiKey string, crn string) error {
 serviceID := extractServiceIDFromCRN(crn)
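Review bot: updateCRYaml, added in the @@ -193 hunk, has no doc comment and accepts an empty serviceInstanceValue, which renders the three policy templates above with `value: ` and yields a policy that names no instance instead of failing loudly; since narrowing the scope is the point of this commit, an empty ID should be rejected before it reaches IAM (`if serviceInstanceValue == "" { ... }` at the top, or a `(string, error)` return). The function is also a plain fmt.Sprintf over a template that now carries exactly one `%s` verb, so any future literal `%` added to the YAML, or a template that has already been rendered once, silently produces `%!(EXTRA string=…)` or `%!` noise in the policy rather than an error. A doc comment such as `// updateCRYaml renders a policy template whose single %s verb is the Power VS service instance ID; the template must not contain any other % characters.` would at least make that contract visible to whoever edits the YAML next.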