pkg/destroy/azure: Delete app registrations during cluster destroy #2262
Conversation
dep ensure -v (with some code importing github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac)
don't log errors with ERROR level, the destroy for azure returns them and prints them in DEBUG. |
pkg/destroy/azure/azure.go
Outdated
} | ||
|
||
func (o *ClusterUninstaller) configureClients() { | ||
o.resourceGroupsClient = resources.NewGroupsGroupClient(o.SubscriptionID) | ||
o.resourceGroupsClient.Authorizer = o.Authorizer | ||
o.resourceGroupsClient.Authorizer = o.ResourceManagerAuthorizer |
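Review bot: `o.resourceGroupsClient.Authorizer` is assigned twice in a row in `configureClients` (once from `o.Authorizer`, once from `o.ResourceManagerAuthorizer`); only one assignment should survive, and it must reference a field that actually exists on `ClusterUninstaller`, which the thread below settles as `Authorizer`.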
hmm.. this should be Authorizer
fixed
for _, sp := range servicePrincipals { | ||
logger = logger.WithField("appID", *sp.AppID) | ||
appFilter := fmt.Sprintf("appId eq '%s'", *sp.AppID) | ||
appResults, err := appClient.List(ctx, appFilter) |
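Review bot: `*sp.AppID` is dereferenced on the logger line and again when building `appFilter` with no nil check; the field is a pointer, so a service principal returned without an AppID would panic the whole destroy run instead of being skipped. Guard with `if sp.AppID == nil { continue }` (logging the skip) before the first deref, and use a loop-local `spLogger := logger.WithField("appID", *sp.AppID)` rather than reassigning the enclosing `logger` on every iteration.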
why not use https://godoc.org/github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac#ApplicationsClient.Get vs listing for appID can there be more than one with same ID???
the Get requires querying the objectID not the appID
[jdiaz@minigoomba ~]$ az ad app list --display-name jdiaz-app | jq -r ".[].appId , .[].objectId"
9ba357ad-0bf5-4a0c-8c3f-8e6eee8e6b36
10dbbb0c-29ae-4705-8bf9-95e99f0e8a3b
And all you get from the service principal is the appID of the app registration.
pkg/destroy/azure/azure.go
Outdated
return matchedSPs, err | ||
} | ||
|
||
for { |
use something like
installer/pkg/asset/installconfig/azure/dns.go
Lines 121 to 132 in 0454021
```go
for zonesPage, err := client.azureClient.List(ctx, to.Int32Ptr(100)); zonesPage.NotDone(); err = zonesPage.NextWithContext(ctx) {
	if err != nil {
		return nil, err
	}
	//TODO: filter out private zone and show only public zones.
	//the property is present in the REST api response, but not mapped yet in the stable SDK (present in preview)
	//https://github.com/Azure/azure-sdk-for-go/blob/07f918ba2d513bbc5b75bc4caac845e10f27449e/services/preview/dns/mgmt/2018-03-01-preview/dns/models.go#L857
	for _, zone := range zonesPage.Values() {
		allZones[to.String(zone.Name)] = to.String(zone.ID)
	}
}
return allZones, nil
```
👍 i much prefer this. will change it
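The three-clause page loop quoted from dns.go above has one failure mode worth seeing before copying it: when the initial `List` call itself fails and hands back an empty page, `NotDone()` is already false, the body never runs, and the error is silently dropped. The following is an added example, not code from the installer or the Azure SDK; `zonePage` and `listFn` are constructed stand-ins for the SDK's `ZoneListResultPage` and `client.List` (hypothetical names), kept faithful to the SDK's behaviour of leaving the page unchanged when `NextWithContext` fails.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// zonePage is a constructed stand-in for the SDK page type. It mirrors only
// NotDone/Values/NextWithContext, which is all the loop idiom touches.
type zonePage struct {
	pages  [][]string // each inner slice is one page of zone names (constructed)
	idx    int
	failAt int // page index whose fetch fails; -1 means never fail
}

func (p *zonePage) NotDone() bool { return p.idx < len(p.pages) }

func (p *zonePage) Values() []string {
	if !p.NotDone() {
		return nil
	}
	return p.pages[p.idx]
}

// NextWithContext advances to the next page. Like the SDK, on error it
// leaves the page where it is, so NotDone() stays true and the loop body
// gets to see the error.
func (p *zonePage) NextWithContext(ctx context.Context) error {
	if err := ctx.Err(); err != nil {
		return err
	}
	if p.failAt >= 0 && p.idx+1 == p.failAt {
		return errors.New("constructed: fetching next page failed")
	}
	p.idx++
	return nil
}

// listFn has the shape of client.List(ctx, top): first page plus error.
type listFn func(ctx context.Context) (zonePage, error)

func okList(pages [][]string) listFn {
	return func(context.Context) (zonePage, error) { return zonePage{pages: pages, failAt: -1}, nil }
}

func failingNextList(pages [][]string, failAt int) listFn {
	return func(context.Context) (zonePage, error) { return zonePage{pages: pages, failAt: failAt}, nil }
}

// failingFirstList models the initial List call failing with an empty page.
func failingFirstList() listFn {
	return func(context.Context) (zonePage, error) {
		return zonePage{failAt: -1}, errors.New("constructed: initial list failed")
	}
}

// collectZones follows the dns.go idiom verbatim. Mid-stream paging errors
// are caught, but an error from the initial List call is lost because the
// loop condition runs before the body ever checks err.
func collectZones(ctx context.Context, list listFn) ([]string, error) {
	var all []string
	for page, err := list(ctx); page.NotDone(); err = page.NextWithContext(ctx) {
		if err != nil {
			return nil, err
		}
		all = append(all, page.Values()...)
	}
	return all, nil
}

// collectZonesChecked checks the initial error before entering the loop,
// which closes the gap without changing the paging idiom itself.
func collectZonesChecked(ctx context.Context, list listFn) ([]string, error) {
	page, err := list(ctx)
	if err != nil {
		return nil, err
	}
	var all []string
	for ; page.NotDone(); err = page.NextWithContext(ctx) {
		if err != nil {
			return nil, err
		}
		all = append(all, page.Values()...)
	}
	return all, nil
}

func main() {
	ctx := context.Background()
	pages := [][]string{{"a.example", "b.example"}, {"c.example"}, {"d.example", "e.example"}}
	zones, err := collectZones(ctx, okList(pages))
	fmt.Println("happy path:", zones, err)
	zones, err = collectZones(ctx, failingFirstList())
	fmt.Println("idiom as written, initial List fails:", zones, err) // error is nil here
	zones, err = collectZonesChecked(ctx, failingFirstList())
	fmt.Println("checked variant, initial List fails:", zones, err)
}
```

The checked variant is the one to reach for in a destroy path: a dropped error there means the caller believes a resource group or zone list is empty and moves on, leaving the resource behind rather than retrying.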
force-pushed 792ff7c to 96d22b6
/test e2e-azure |
force-pushed 96d22b6 to 73a2b95
squashed |
/retest |
/test e2e-azure |
/test e2e-azure |
The cred operator created service principals.
Doesn't seem to have cleaned up any??? |
I think I see what's happening. The cloud-cred-operator clips the infra prefix to 20 characters (https://github.com/openshift/cloud-credential-operator/blob/master/pkg/azure/actuator.go#L497-L500), so when searching for Service Principals, this code should do the same. |
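The two lookups this thread is debugging, resolving a service principal's appId to the objectId its app registration must be fetched and deleted by, and matching service principals by a prefix that cloud-credential-operator clips to 20 characters, combine into the search below. This is an added example, not the PR's or the SDK's code: `servicePrincipal` and `application` are constructed stand-ins for the graphrbac types with only the fields used here, and `sampleSPs`, `sampleApps` and the GUID-shaped IDs are constructed test data.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-ins for the graphrbac ServicePrincipal and Application
// types (hypothetical; only the fields the lookup needs).
type servicePrincipal struct {
	DisplayName string
	AppID       string
}

type application struct {
	AppID    string
	ObjectID string
}

// Constructed sample data. The first SP's name carries the 20-character
// clipped infra prefix, as the thread says cloud-credential-operator writes it.
const sampleInfraID = "mycluster-abcdef-12345-67890" // 28 characters

var sampleSPs = []servicePrincipal{
	{DisplayName: "mycluster-abcdef-123-openshift-image-registry", AppID: "11111111-1111-1111-1111-111111111111"},
	{DisplayName: "othercluster-xyz-machine-api", AppID: "22222222-2222-2222-2222-222222222222"},
}

var sampleApps = []application{
	{AppID: "11111111-1111-1111-1111-111111111111", ObjectID: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
	{AppID: "22222222-2222-2222-2222-222222222222", ObjectID: "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
}

// clipInfraID reproduces the 20-character truncation the thread attributes
// to cloud-credential-operator; searching with the unclipped infra ID
// matches nothing, which is the "cleaned up nothing" symptom above.
func clipInfraID(infraID string) string {
	if len(infraID) > 20 {
		return infraID[:20]
	}
	return infraID
}

// appIDFilter builds the OData filter from the hunk. appId values are GUIDs
// from the API, but single quotes are doubled anyway so a malformed value can
// never change the shape of the query.
func appIDFilter(appID string) string {
	return fmt.Sprintf("appId eq '%s'", strings.ReplaceAll(appID, "'", "''"))
}

// matchServicePrincipals returns the SPs whose display name starts with the
// clipped infra ID.
func matchServicePrincipals(sps []servicePrincipal, infraID string) []servicePrincipal {
	prefix := clipInfraID(infraID)
	var matched []servicePrincipal
	for _, sp := range sps {
		if strings.HasPrefix(sp.DisplayName, prefix) {
			matched = append(matched, sp)
		}
	}
	return matched
}

// resolveAppObjectIDs joins each matched SP to its parent app registration
// through appId and returns the objectIds that Get/Delete require. A
// registration that cannot be found is an error, not a silent skip, so a
// destroy run cannot report success while leaving it behind.
func resolveAppObjectIDs(sps []servicePrincipal, apps []application) ([]string, error) {
	byAppID := make(map[string]string, len(apps))
	for _, a := range apps {
		byAppID[a.AppID] = a.ObjectID
	}
	var objectIDs []string
	for _, sp := range sps {
		objID, ok := byAppID[sp.AppID]
		if !ok {
			return nil, fmt.Errorf("no app registration matched filter %q", appIDFilter(sp.AppID))
		}
		objectIDs = append(objectIDs, objID)
	}
	return objectIDs, nil
}

func main() {
	matched := matchServicePrincipals(sampleSPs, sampleInfraID)
	fmt.Printf("prefix %q matched %d service principal(s)\n", clipInfraID(sampleInfraID), len(matched))
	ids, err := resolveAppObjectIDs(matched, sampleApps)
	fmt.Println("app registration objectIds to delete:", ids, err)
}
```

Whichever selector the final code uses (name prefix or, as the PR ends up doing, a tag written by cloud-credential-operator), the appId to objectId join is the same: the service principal only carries the appId, so the app registration is listed by `appId eq '...'` and then deleted by the objectId that comes back.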
make it unclip the credential name, why is it clipping the infra-id?? |
force-pushed 73a2b95 to d6f6c15
I think it was done out of concern for the 93 character limit. @ingvagabund maybe you can give more context? |
Two things:
|
/test e2e-azure |
But if we depend on infra-id to filter the service principals, I would rather truncate the credential name here.. the infra-id is max 32.. |
PR to raise infra field length to 32 here openshift/cloud-credential-operator#108 |
force-pushed d6f6c15 to 742e463
/test e2e-azure |
looks like it's deleting the app registrations now
just need to get through CI now... |
/approve |
/retest |
/retest |
/test e2e-azure |
/retest |
/test e2e-aws-scaleup-rhel7 |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, joelddiaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
@joelddiaz: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
With cloud-cred-operator tagging Service Principals, we can now locate the Service Principals by tag, and find their parent Application Registration and delete them as part of cluster destroy.
This should keep the App Registrations created by cloud-cred-operator from leaking out after cluster create/destroy.