Merge pull request #3530 from Neha-dot-Yadav/cherry-pick-3491-to-rele…

…ase-4.14 [release-4.14] MULTIARCH-4084: Reduce the policy access scope to specific instance
openshift · Feb 14, 2024 · e2f4e4c · e2f4e4c
2 parents 64b8ff2 + 04fcfd6
commit e2f4e4c
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 12 deletions.
diff --git a/cmd/infra/powervs/create.go b/cmd/infra/powervs/create.go
@@ -344,10 +344,6 @@ func (infra *Infra) SetupInfra(ctx context.Context, options *CreateInfraOptions)
 		return fmt.Errorf("error setup base domain: %w", err)
 	}
 
-	if err = infra.setupSecrets(options); err != nil {
-		return fmt.Errorf("error setup secrets: %w", err)
-	}
-
 	gtag, err := globaltaggingv1.NewGlobalTaggingV1(&globaltaggingv1.GlobalTaggingV1Options{Authenticator: getIAMAuth()})
 	if err != nil {
 		return err
@@ -388,28 +384,50 @@ func (infra *Infra) SetupInfra(ctx context.Context, options *CreateInfraOptions)
 		return fmt.Errorf("cloud connection is not up: %w", err)
 	}
 
+	// setupSecrets need parameter cloudInstanceId, hence invoked after setupPowerVSCloudInstance
+	if err := infra.setupSecrets(options); err != nil {
+		return fmt.Errorf("error setup secrets: %w", err)
+	}
+
 	log(options.InfraID).Info("Setup infra completed in", "duration", time.Since(startTime).String())
 	return nil
 }
 
 // setupSecrets generate secrets for control plane components
 func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
 	var err error
+	var powerVsCloudInstanceID string
+
+	if options.CloudInstanceID != "" {
+		powerVsCloudInstanceID = options.CloudInstanceID
+	} else if infra.CloudInstanceID != "" {
+		powerVsCloudInstanceID = infra.CloudInstanceID
+	} else {
+		return fmt.Errorf("unable to limit access scope to instance level: cloud instance not found")
+	}
 
 	if options.RecreateSecrets {
-		deleteSecrets(options.Name, options.Namespace, infra.AccountID, infra.ResourceGroupID)
+		deleteSecrets(options.Name, options.Namespace, powerVsCloudInstanceID, infra.AccountID, infra.ResourceGroupID)
 	}
 
 	log(infra.ID).Info("Creating Secrets ...")
 
 	infra.Secrets = Secrets{}
 
+	kubeCloudControllerManagerCR, err = updateCRYaml(kubeCloudControllerManagerCR, "kubeCloudControllerManagerCRTemplate", powerVsCloudInstanceID)
+	if err != nil {
+		return fmt.Errorf("error updating kube cloud controller manager yaml: %w", err)
+	}
 	infra.Secrets.KubeCloudControllerManager, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
 		kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, options.Namespace)
 	if err != nil {
 		return fmt.Errorf("error setup kube cloud controller manager secret: %w", err)
 	}
 
+	nodePoolManagementCR, err = updateCRYaml(nodePoolManagementCR, "nodePoolManagementCRTemplate", powerVsCloudInstanceID)
+	if err != nil {
+		return fmt.Errorf("error updating nodepool management yaml: %w", err)
+	}
 	infra.Secrets.NodePoolManagement, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
 		nodePoolManagementCR, nodePoolManagementCreds, options.Namespace)
 	if err != nil {
@@ -422,6 +440,10 @@ func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
 		return fmt.Errorf("error setup ingress operator secret: %w", err)
 	}
 
+	storageOperatorCR, err = updateCRYaml(storageOperatorCR, "storageOperatorCRTemplate", powerVsCloudInstanceID)
+	if err != nil {
+		return fmt.Errorf("error updating storage operator yaml: %w", err)
+	}
 	infra.Secrets.StorageOperator, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
 		storageOperatorCR, storageOperatorCreds, options.Namespace)
 	if err != nil {

diff --git a/cmd/infra/powervs/destroy.go b/cmd/infra/powervs/destroy.go
@@ -180,11 +180,6 @@ func (options *DestroyInfraOptions) DestroyInfra(ctx context.Context, infra *Inf
 		log(options.InfraID).Error(err, "error deleting dns record from cis domain")
 	}
 
-	if err = deleteSecrets(options.Name, options.Namespace, accountID, resourceGroupID); err != nil {
-		errL = append(errL, fmt.Errorf("error deleting secrets: %w", err))
-		log(options.InfraID).Error(err, "error deleting secrets")
-	}
-
 	if err = deleteCOS(ctx, options, resourceGroupID); err != nil {
 		errL = append(errL, fmt.Errorf("error deleting cos buckets: %w", err))
 		log(options.InfraID).Error(err, "error deleting cos buckets")
@@ -218,6 +213,11 @@ func (options *DestroyInfraOptions) DestroyInfra(ctx context.Context, infra *Inf
 		}
 	}
 
+	if err = deleteSecrets(options.Name, options.Namespace, powerVsCloudInstanceID, accountID, resourceGroupID); err != nil {
+		errL = append(errL, fmt.Errorf("error deleting secrets: %w", err))
+		log(options.InfraID).Error(err, "error deleting secrets")
+	}
+
 	var session *ibmpisession.IBMPISession
 	if !skipPowerVs {
 		session, err = createPowerVSSession(accountID, options.Region, options.Zone, options.Debug)
@@ -302,14 +302,23 @@ func deleteDNSRecords(ctx context.Context, options *DestroyInfraOptions) error {
 }
 
 // deleteSecrets delete secrets generated for control plane components
-func deleteSecrets(name, namespace, accountID string, resourceGroupID string) error {
+func deleteSecrets(name, namespace, cloudInstanceID string, accountID string, resourceGroupID string) error {
+	var e error
 
+	kubeCloudControllerManagerCR, e = updateCRYaml(kubeCloudControllerManagerCR, "kubeCloudControllerManagerCRTemplate", cloudInstanceID)
+	if e != nil {
+		return fmt.Errorf("error updating kube cloud controller manager yaml: %w", e)
+	}
 	err := deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
 		kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, namespace)
 	if err != nil {
 		return fmt.Errorf("error deleting kube cloud controller manager secret: %w", err)
 	}
 
+	nodePoolManagementCR, e = updateCRYaml(nodePoolManagementCR, "nodePoolManagementCRTemplate", cloudInstanceID)
+	if e != nil {
+		return fmt.Errorf("error updating nodepool management yaml: %w", e)
+	}
 	err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
 		nodePoolManagementCR, nodePoolManagementCreds, namespace)
 	if err != nil {
@@ -322,6 +331,10 @@ func deleteSecrets(name, namespace, accountID string, resourceGroupID string) er
 		return fmt.Errorf("error deleting ingress operator secret: %w", err)
 	}
 
+	storageOperatorCR, e = updateCRYaml(storageOperatorCR, "storageOperatorCRTemplate", cloudInstanceID)
+	if e != nil {
+		return fmt.Errorf("error updating storage operator yaml: %w", e)
+	}
 	err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
 		storageOperatorCR, storageOperatorCreds, namespace)
 	if err != nil {

diff --git a/cmd/infra/powervs/service_id.go b/cmd/infra/powervs/service_id.go
@@ -1,10 +1,13 @@
 package powervs
 
 import (
+	"bytes"
 	"fmt"
+	"strings"
+	"text/template"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/yaml"
-	"strings"
 
 	"github.com/IBM/platform-services-go-sdk/iamidentityv1"
 
@@ -13,6 +16,10 @@ import (
 	ccoibmcloud "github.com/openshift/cloud-credential-operator/pkg/ibmcloud"
 )
 
+type PolicyParams struct {
+	CloudInstanceID string
+}
+
 var kubeCloudControllerManagerCR = `
 apiVersion: cloudcredential.openshift.io/v1
 kind: CredentialsRequest
@@ -44,6 +51,9 @@ spec:
     - attributes:
       - name: serviceName
         value: power-iaas
+      - name: serviceInstance
+        value: {{.CloudInstanceID}}
+        operator: stringEquals
       roles:
       - crn:v1:bluemix:public:iam::::role:Viewer
       - crn:v1:bluemix:public:iam::::serviceRole:Reader
@@ -63,6 +73,9 @@ spec:
     - attributes:
       - name: serviceName
         value: power-iaas
+      - name: serviceInstance
+        value: {{.CloudInstanceID}}
+        operator: stringEquals
       roles:
       - crn:v1:bluemix:public:iam::::serviceRole:Manager
       - crn:v1:bluemix:public:iam::::role:Editor
@@ -101,6 +114,9 @@ spec:
     - attributes:
       - name: serviceName
         value: power-iaas
+      - name: serviceInstance
+        value: {{.CloudInstanceID}}
+        operator: stringEquals
       roles:
       - crn:v1:bluemix:public:iam::::serviceRole:Manager
       - crn:v1:bluemix:public:iam::::role:Editor
@@ -188,6 +204,23 @@ func deleteServiceID(name, APIKey, accountID, resourceGroupID, crYaml, secretRef
 	return nil
 }
 
+func updateCRYaml(crYaml, templateName string, serviceInstanceValue string) (string, error) {
+	params := PolicyParams{
+		CloudInstanceID: serviceInstanceValue,
+	}
+
+	tmpl, err := template.New(templateName).Parse(crYaml)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse the template %s, err: %w", templateName, err)
+	}
+
+	b := &bytes.Buffer{}
+	if err = tmpl.Execute(b, params); err != nil {
+		return "", fmt.Errorf("failed to execute %s: err: %w", templateName, err)
+	}
+	return b.String(), nil
+}
+
 func extractServiceIDFromCRN(crn string) string {
 	crnL := strings.Split(crn, ":")
 	return crnL[len(crnL)-1]

diff --git a/cmd/infra/powervs/service_id_test.go b/cmd/infra/powervs/service_id_test.go
@@ -52,6 +52,7 @@ func TestCreateServiceIDClient(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			g := NewGomegaWithT(t)
 
+			test.input.crYaml, _ = updateCRYaml(test.input.crYaml, "crYaml_template", "cloud_ins_id_1234")
 			_, err := createServiceIDClient(test.input.name, test.input.apiKey, test.input.account, test.input.resourceGroupID, test.input.crYaml, test.input.secretRefName, test.input.secretRefNamespace)
 			if test.errExpected {
 				g.Expect(err).ToNot(BeNil())