pkg/destroy/azure: Delete app registrations during cluster destroy

[joelddiaz]

With cloud-cred-operator tagging Service Principals, we can now located the Service Principals by tag, and find their parent Application Registration and delete them as part of cluster destroy.

This should keep the App Registrations created by cloud-cred-operator from leaking out after cluster create/destroy.

[abhinavdahiya]

dont' log errors with ERROR level, the destroy for azure returns them and prints them in DEBUG.

[abhinavdahiya]

hmm.. this should be Authorizer

[joelddiaz]

fixed

[abhinavdahiya]

why not use https://godoc.org/github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac#ApplicationsClient.Get vs listing for appID can there be more than one with same ID???

[joelddiaz]

the Get requires querying the objectID not the appID

[jdiaz@minigoomba ~]$ az ad app list --display-name jdiaz-app | jq -r ".[].appId , .[].objectId"
9ba357ad-0bf5-4a0c-8c3f-8e6eee8e6b36
10dbbb0c-29ae-4705-8bf9-95e99f0e8a3b

And all you get from the service principal is the appID of the app registration.

[abhinavdahiya]

use somethings like

installer/pkg/asset/installconfig/azure/dns.go

Lines 121 to 132 in 0454021

	for zonesPage, err := client.azureClient.List(ctx, to.Int32Ptr(100)); zonesPage.NotDone(); err = zonesPage.NextWithContext(ctx) {
	if err != nil {
	return nil, err
	}
	//TODO: filter out private zone and show only public zones.
	//the property is present in the REST api response, but not mapped yet in the stable SDK (present in preview)
	//https://github.com/Azure/azure-sdk-for-go/blob/07f918ba2d513bbc5b75bc4caac845e10f27449e/services/preview/dns/mgmt/2018-03-01-preview/dns/models.go#L857
	for _, zone := range zonesPage.Values() {
	allZones[to.String(zone.Name)] = to.String(zone.ID)
	}
	}
	return allZones, nil

[joelddiaz]

👍 i much prefer this. will change it

[abhinavdahiya]

/test e2e-azure

LGTM

con you squash the commits 80ca614 and 96d22b6

[abhinavdahiya]

/test e2e-azure

[joelddiaz]

squashed

[joelddiaz]

/retest

[joelddiaz]

/test e2e-azure

[joelddiaz]

/test e2e-azure

[abhinavdahiya]

https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/2262/pull-ci-openshift-installer-master-e2e-azure/146/artifacts/e2e-azure/pods/openshift-cloud-credential-operator_cloud-credential-operator-65d96ddfdf-96fdd_manager.log

The cred operator created service principals.

https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/2262/pull-ci-openshift-installer-master-e2e-azure/146/artifacts/e2e-azure/installer/.openshift_install.log
time="2019-08-26T15:03:06Z" level=debug msg="deleting public records"
time="2019-08-26T15:03:08Z" level=debug msg="removing matching private records from ci.azure.devcluster.openshift.com"
time="2019-08-26T15:03:10Z" level=info msg=deleted record=api.ci-op-1xw3yxn7-2dc90
time="2019-08-26T15:03:11Z" level=info msg=deleted record="*.apps.ci-op-1xw3yxn7-2dc90"
time="2019-08-26T15:03:11Z" level=debug msg="deleting resource group"
time="2019-08-26T15:17:01Z" level=info msg=deleted resource group=ci-op-1xw3yxn7-2dc90-7jkwd-rg
time="2019-08-26T15:17:01Z" level=debug msg="deleting application registrations
time="2019-08-26T15:17:02Z" level=debug msg="Purging asset "Terraform Variables" from disk"

Doesn't seem to have cleaned up any???

[joelddiaz]

time="2019-08-26T15:17:01Z" level=debug msg="deleting application registrations
time="2019-08-26T15:17:02Z" level=debug msg="Purging asset "Terraform Variables" from disk"

Doesn't seem to have cleaned up any???

I think I see what's happening. The cloud-cred-operator clips the infra prefix to 20 characters (https://github.com/openshift/cloud-credential-operator/blob/master/pkg/azure/actuator.go#L497-L500), so when searching for Service Principals, this code should do the same.

[abhinavdahiya]

time="2019-08-26T15:17:01Z" level=debug msg="deleting application registrations
time="2019-08-26T15:17:02Z" level=debug msg="Purging asset "Terraform Variables" from disk"

Doesn't seem to have cleaned up any???

I think I see what's happening. The cloud-cred-operator clips the infra prefix to 20 characters (https://github.com/openshift/cloud-credential-operator/blob/master/pkg/azure/actuator.go#L497-L500), so when searching for Service Principals, this code should do the same.

https://github.com/openshift/cloud-credential-operator/blob/14ea16f11aaf6b77d3bce0dcfb93546e12da6942/pkg/azure/actuator.go#L504-L506

make it unclip the credential name, why is it clipping the infra-id??

[joelddiaz]

I think I see what's happening. The cloud-cred-operator clips the infra prefix to 20 characters (https://github.com/openshift/cloud-credential-operator/blob/master/pkg/azure/actuator.go#L497-L500), so when searching for Service Principals, this code should do the same.

https://github.com/openshift/cloud-credential-operator/blob/14ea16f11aaf6b77d3bce0dcfb93546e12da6942/pkg/azure/actuator.go#L504-L506

make it unclip the credential name, why is it clipping the infra-id??

I think it was done out of concern for the 93 character limit. @ingvagabund maybe you can give more context?

[ingvagabund]

I think it was done out of concern for the 93 character limit. @ingvagabund maybe you can give more context?

Two things:

1. aws actuator clips the infra name when generating a user name: https://github.com/openshift/cloud-credential-operator/blob/master/pkg/aws/actuator/actuator.go#L1119-L1121. I followed the same pattern
2. Azure does not allow application (SP) names to be longer than 93 characters. It errors otherwise.

[joelddiaz]

/test e2e-azure

[abhinavdahiya]

I think it was done out of concern for the 93 character limit. @ingvagabund maybe you can give more context?

Two things:

1. aws actuator clips the infra name when generating a user name: https://github.com/openshift/cloud-credential-operator/blob/master/pkg/aws/actuator/actuator.go#L1119-L1121. I followed the same pattern

2. Azure does not allow application (SP) names to be longer than 93 characters. It errors otherwise.

But if depend on infra-id to filter the the service principals, I would rather truncate the credential name here.. the infra-id is max 32..

[joelddiaz]

PR to raise infra field length to 32 here openshift/cloud-credential-operator#108

[joelddiaz]

/test e2e-azure

[joelddiaz]

looks like it's deleting the app registrations now

time="2019-08-27T18:08:30Z" level=debug msg="deleting application registrations"
time="2019-08-27T18:08:31Z" level=info msg=deleted appID=f18a9b1f-72ff-43db-8a73-abf73bc37ad9
time="2019-08-27T18:08:37Z" level=info msg=deleted appID=47c260de-9275-4db2-b889-c34334c33ee9
time="2019-08-27T18:08:43Z" level=info msg=deleted appID=2e39df42-0018-472c-b1b0-20c524eb2d3c

just need to get through CI now...

[abhinavdahiya]

/approve

[joelddiaz]

/retest

[joelddiaz]

/retest

[abhinavdahiya]

/test e2e-azure

[joelddiaz]

/retest

[joelddiaz]

/test e2e-aws-scaleup-rhel7

[abhinavdahiya]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, joelddiaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@joelddiaz: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-scaleup-rhel7	742e463	link	/test e2e-aws-scaleup-rhel7
ci/prow/e2e-libvirt	742e463	link	/test e2e-libvirt

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.