

Reduce the access scope to specific instance
Neha-dot-Yadav committed Jan 28, 2024
1 parent 7079912 commit f37164e
Showing 3 changed files with 24 additions and 4 deletions.
5 changes: 4 additions & 1 deletion cmd/infra/powervs/create.go
Expand Up @@ -397,19 +397,21 @@ func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
var err error

if options.RecreateSecrets {
deleteSecrets(options.Name, options.Namespace, infra.AccountID, infra.ResourceGroupID)
deleteSecrets(options.Name, options.Namespace, options.CloudInstanceID, infra.AccountID, infra.ResourceGroupID)
}

log(infra.ID).Info("Creating Secrets ...")

infra.Secrets = Secrets{}

kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, options.CloudInstanceID)
infra.Secrets.KubeCloudControllerManager, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, options.Namespace)
if err != nil {
return fmt.Errorf("error setup kube cloud controller manager secret: %w", err)
}

nodePoolManagementCR = updateCRYaml(nodePoolManagementCR, options.CloudInstanceID)
infra.Secrets.NodePoolManagement, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
nodePoolManagementCR, nodePoolManagementCreds, options.Namespace)
if err != nil {
Expand All @@ -422,6 +424,7 @@ func (infra *Infra) setupSecrets(options *CreateInfraOptions) error {
return fmt.Errorf("error setup ingress operator secret: %w", err)
}

storageOperatorCR = updateCRYaml(storageOperatorCR, options.CloudInstanceID)
infra.Secrets.StorageOperator, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,
storageOperatorCR, storageOperatorCreds, options.Namespace)
if err != nil {
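Review bot: The three new assignments of the form `kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, options.CloudInstanceID)` overwrite the package-level templates with their formatted result, so the `%s` placeholder is consumed on the first call and every later call formats a string that has no verb left. In particular, when `options.RecreateSecrets` is set, the `deleteSecrets` call a few lines above has already substituted the same three templates (its own `updateCRYaml` calls in destroy.go), and `fmt.Sprintf` then appends `%!(EXTRA string=…)` to the YAML that is handed to `setupServiceID`. Keep the templates immutable and pass a formatted copy instead, e.g. `infra.Secrets.KubeCloudControllerManager, err = setupServiceID(options.Name, cloudApiKey, infra.AccountID, infra.ResourceGroupID,` / `updateCRYaml(kubeCloudControllerManagerCR, options.CloudInstanceID), kubeCloudControllerManagerCreds, options.Namespace)`, dropping the assignment line; the same applies to the other two sites in this function and to the three in deleteSecrets in destroy.go. setupSecrets starts at the hunk header and continues past the end of the hunk.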
7 changes: 5 additions & 2 deletions cmd/infra/powervs/destroy.go
Expand Up @@ -180,7 +180,7 @@ func (options *DestroyInfraOptions) DestroyInfra(ctx context.Context, infra *Inf
log(options.InfraID).Error(err, "error deleting dns record from cis domain")
}

if err = deleteSecrets(options.Name, options.Namespace, accountID, resourceGroupID); err != nil {
if err = deleteSecrets(options.Name, options.Namespace, options.CloudInstanceID, accountID, resourceGroupID); err != nil {
errL = append(errL, fmt.Errorf("error deleting secrets: %w", err))
log(options.InfraID).Error(err, "error deleting secrets")
}
Expand Down Expand Up @@ -302,14 +302,16 @@ func deleteDNSRecords(ctx context.Context, options *DestroyInfraOptions) error {
}

// deleteSecrets delete secrets generated for control plane components
func deleteSecrets(name, namespace, accountID string, resourceGroupID string) error {
func deleteSecrets(name, namespace, CloudInstanceID, accountID string, resourceGroupID string) error {

kubeCloudControllerManagerCR = updateCRYaml(kubeCloudControllerManagerCR, CloudInstanceID)
err := deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
kubeCloudControllerManagerCR, kubeCloudControllerManagerCreds, namespace)
if err != nil {
return fmt.Errorf("error deleting kube cloud controller manager secret: %w", err)
}

nodePoolManagementCR = updateCRYaml(nodePoolManagementCR, CloudInstanceID)
err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
nodePoolManagementCR, nodePoolManagementCreds, namespace)
if err != nil {
Expand All @@ -322,6 +324,7 @@ func deleteSecrets(name, namespace, accountID string, resourceGroupID string) er
return fmt.Errorf("error deleting ingress operator secret: %w", err)
}

storageOperatorCR = updateCRYaml(storageOperatorCR, CloudInstanceID)
err = deleteServiceID(name, cloudApiKey, accountID, resourceGroupID,
storageOperatorCR, storageOperatorCreds, namespace)
if err != nil {
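Review bot: The new parameter is spelled `CloudInstanceID` in the deleteSecrets signature, which breaks Go's lowerCamel convention for parameters and is inconsistent with the neighbouring `accountID` and `resourceGroupID`; rename it to `cloudInstanceID` at the signature and its three uses in this hunk. The doc comment above the signature still reads `// deleteSecrets delete secrets generated for control plane components` and does not say that deletion is now scoped to a single instance. Suggested: `// deleteSecrets deletes the service IDs and secrets generated for the control plane components, scoped to cloudInstanceID.` followed by `func deleteSecrets(name, namespace, cloudInstanceID, accountID, resourceGroupID string) error {`. deleteSecrets continues past the end of the hunk.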
16 changes: 15 additions & 1 deletion cmd/infra/powervs/service_id.go
Expand Up @@ -2,9 +2,10 @@ package powervs

import (
"fmt"
"strings"

corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/yaml"
"strings"

"github.com/IBM/platform-services-go-sdk/iamidentityv1"

Expand Down Expand Up @@ -44,6 +45,9 @@ spec:
- attributes:
- name: serviceName
value: power-iaas
- name: serviceInstance
value: %s
operator: stringEquals
roles:
- crn:v1:bluemix:public:iam::::role:Viewer
- crn:v1:bluemix:public:iam::::serviceRole:Reader
Expand All @@ -63,6 +67,9 @@ spec:
- attributes:
- name: serviceName
value: power-iaas
- name: serviceInstance
value: %s
operator: stringEquals
roles:
- crn:v1:bluemix:public:iam::::serviceRole:Manager
- crn:v1:bluemix:public:iam::::role:Editor
Expand Down Expand Up @@ -101,6 +108,9 @@ spec:
- attributes:
- name: serviceName
value: power-iaas
- name: serviceInstance
value: %s
operator: stringEquals
roles:
- crn:v1:bluemix:public:iam::::serviceRole:Manager
- crn:v1:bluemix:public:iam::::role:Editor
Expand Down Expand Up @@ -193,6 +203,10 @@ func extractServiceIDFromCRN(crn string) string {
return crnL[len(crnL)-1]
}

func updateCRYaml(crYaml, serviceInstanceValue string) string {
return fmt.Sprintf(crYaml, serviceInstanceValue)
}

// deleteServiceIDByCRN deletes serviceID passed via crn
func deleteServiceIDByCRN(name string, apiKey string, crn string) error {
serviceID := extractServiceIDFromCRN(crn)
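Review bot: `updateCRYaml` has no doc comment, and it substitutes its argument with `fmt.Sprintf` into an unquoted YAML scalar (`value: %s` in the three policy templates earlier in this file) with no escaping, so its contract should be stated explicitly: the template holds exactly one `%s`, and the value must be a plain scalar. Suggested comment: `// updateCRYaml fills the single %s placeholder (the serviceInstance attribute) in crYaml with serviceInstanceValue.` / `// It does no escaping: a value containing a newline, '#' or ':' would alter the policy document, so callers must pass a validated instance ID.` The value appears to originate from `options.CloudInstanceID` in create.go and destroy.go; if it is not validated where those options are parsed (outside this diff), that is the place to reject empty or non-scalar input, since a string-returning helper cannot report the problem.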
