Azure passthrough #433
Conversation
go get github.com/Azure/azure-sdk-for-go; go mod vendor; go mod tidy; commit

go get github.com/Azure/go-autorest/autorest
go get github.com/Azure/go-autorest/autorest/adal
go get github.com/Azure/go-autorest/autorest/azure/auth
go get github.com/Azure/go-autorest/autorest/to
go get github.com/Azure/go-autorest/autorest/azure/cli
go get github.com/Azure/go-autorest/autorest/validation
followed by go mod vendor; go mod tidy and committing the changes
Codecov Report
@@ Coverage Diff @@
## master #433 +/- ##
==========================================
- Coverage 46.39% 46.17% -0.22%
==========================================
Files 94 91 -3
Lines 9688 9236 -452
==========================================
- Hits 4495 4265 -230
+ Misses 4612 4455 -157
+ Partials 581 516 -65
```go
func (a *Actuator) syncPassthrough(ctx context.Context, cr *minterv1.CredentialsRequest, cloudCredsSecret *corev1.Secret, logger log.FieldLogger) error {
	syncErr := a.syncCredentialSecrets(ctx, cr, cloudCredsSecret, logger)

	// Since we are live pivoting from Mint to Passthrough, try to clean up the old App Registration
	cleanupErr := a.cleanupAfterPassthroughPivot(ctx, cr, cloudCredsSecret, logger)
	if cleanupErr != nil {
		logger.WithError(cleanupErr).Warn("unable to clean up previously minted App Regisration/Service Principal")
	}
	if syncErr == nil && cleanupErr != nil {
		// A syncErr is more important to communicate about
		// but do set a condition if the only issue was
		// during cleanup.
		return cleanupErr
	}
	return syncErr
}
```
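Review bot: `cleanupAfterPassthroughPivot` is called even when `syncCredentialSecrets` returned an error, so a failed secret sync still triggers deletion of the old App Registration; return `syncErr` before attempting cleanup, and while touching the warning string fix the typo "App Regisration" (should read "App Registration").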
Before the suggested change:

```go
func (a *Actuator) syncPassthrough(ctx context.Context, cr *minterv1.CredentialsRequest, cloudCredsSecret *corev1.Secret, logger log.FieldLogger) error {
	syncErr := a.syncCredentialSecrets(ctx, cr, cloudCredsSecret, logger)
	// Since we are live pivoting from Mint to Passthrough, try to clean up the old App Registration
	cleanupErr := a.cleanupAfterPassthroughPivot(ctx, cr, cloudCredsSecret, logger)
	if cleanupErr != nil {
		logger.WithError(cleanupErr).Warn("unable to clean up previously minted App Regisration/Service Principal")
	}
	if syncErr == nil && cleanupErr != nil {
		// A syncErr is more important to communicate about
		// but do set a condition if the only issue was
		// during cleanup.
		return cleanupErr
	}
	return syncErr
}
```

Suggested change:

```go
func (a *Actuator) syncPassthrough(ctx context.Context, cr *minterv1.CredentialsRequest, cloudCredsSecret *corev1.Secret, logger log.FieldLogger) error {
	syncErr := a.syncCredentialSecrets(ctx, cr, cloudCredsSecret, logger)
	if syncErr != nil {
		return syncErr
	}
	// Since we are live pivoting from Mint to Passthrough, try to clean up the old App Registration
	cleanupErr := a.cleanupAfterPassthroughPivot(ctx, cr, cloudCredsSecret, logger)
	if cleanupErr != nil {
		logger.WithError(cleanupErr).Warn("unable to clean up previously minted App Regisration/Service Principal")
	}
	return cleanupErr
}
```
This actually addresses the potential that we would fail to sync the secret, but still attempted a cleanup. That could lead to bad things. Good catch!
```go
// When a service principal is deleted, it's corresponding credentials becomes invalid.
// Pass-through credentials are not created through crafted service principal.
// When a request is deleted, there is no service principal to delete.
// Thus, corresponding secret still provides valid credentials.
// For that reason, existing secret object needs to be deleted as well to avoid
// credentials leaking.
//
// Also, there is no harm in deleting the secret in general. Every component consuming
// the secret will be forbidden to talk to Azure API once the service principal is destroyed.
existingSecret := &corev1.Secret{}
err = a.client.Get(ctx, client.ObjectKey{Namespace: cr.Spec.SecretRef.Namespace, Name: cr.Spec.SecretRef.Name}, existingSecret)
if err == nil {
	logger.Infof("Deleting secret %v/%v", cr.Spec.SecretRef.Namespace, cr.Spec.SecretRef.Name)
	if err := a.client.Delete(ctx, existingSecret); err != nil {
		return fmt.Errorf("unable to delete secret %v/%v: %v", cr.Spec.SecretRef.Namespace, cr.Spec.SecretRef.Name, err)
	}
} else if !kerrors.IsNotFound(err) {
	return fmt.Errorf("unable to get secret %v/%v: %v", cr.Spec.SecretRef.Namespace, cr.Spec.SecretRef.Name, err)
}

if credentialsRootSecret.Annotations[constants.AnnotationKey] == constants.PassthroughAnnotation {
	return nil
}
```
why do we want to remove this code? I believe if we remove this, the target secret would not be removed when the credentials request is deleted.
This code is already handled in the non-actuator-specific Delete() path https://github.com/openshift/cloud-credential-operator/blob/master/pkg/operator/credentialsrequest/credentialsrequest_controller.go#L436-L457
So this code was unnecessary to begin with.
```go
validate: func(t *testing.T, c client.Client) {
	cr := getCredRequest(t, c)
	s := &corev1.Secret{}
	// secret should be deleted
	assert.Error(t, c.Get(context.TODO(),
		types.NamespacedName{Name: cr.Spec.SecretRef.Name, Namespace: cr.Spec.SecretRef.Namespace},
		s),

	targetSecret := getCredRequestTargetSecret(t, c, cr)

	rootSecret := getRootSecret(t, c)

	// The targetSecret should be a copy of the root secret.
	assertSecretEquality(t, rootSecret, targetSecret)
},
```
Do we need to check for OrphanedCloudResource condition here?
The condition is set by the credentials_request controller, so the best we can do with the test at the actuator-level is check for the right error returned by the actuator. (Although I should go ahead and add a test for the condition in the credentials_request controller. I'll work on that now).
@akhil-rane I fixed up the code where you suggested and added a whole new set of test cases at the credentialsrequest_controller level to cover the new OrphanedCloudResource condition. PTAL

/test e2e-azure

/test verify

/test verify

/test e2e-azure-upgrade

/test e2e-azure-upgrade

/test verify

this looks good

@akhil-rane more changes to pull in an updated build-machinery-go package (that was failing the 'make verify' step).

/test e2e-azure-upgrade

yeah we can squash here, all good

failing on installing yaml-patch binary otherwise
Stop trying to detect whether the creds in kube-system/azure-credentials are good enough for Minting new credentials. We now will only support Manual mode (where the annotator does nothing) and Passthrough mode where we will blindly annotate the Secret as 'passthrough'.
Update the Azure actuator to only support passthrough mode. Attempt to clean up previously created App Registrations / Service Principals, but treat failures to clean up as non-critical. In the event that we fail to clean up, set a new "OrphanedCloudResource" condition to document that we were unable to clean up. When successfully cleaning up, clear out the old AzureStatus fields. Add test cases covering the new OrphanedCloudResources condition.
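The error ordering described in the commit message above (write the passthrough secret first, treat cleanup failure as non-critical but surface it as a condition), as an added Go example that is not code from cloud-credential-operator: the `Actuator` with injected `SyncSecret`/`DeleteMintedSP` functions, the `OrphanedCloudResourceError` type and the "SyncFailure" name are stand-ins assumed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// OrphanedCloudResourceError: the passthrough secret was written, but a previously
// minted App Registration could not be removed; the controller should record a condition.
type OrphanedCloudResourceError struct {
	AppID string
	Err   error
}

func (e *OrphanedCloudResourceError) Error() string { return "orphaned App Registration " + e.AppID + ": " + e.Err.Error() }

// Actuator takes its two side effects as functions so the pivot can run offline (assumed stand-in).
type Actuator struct {
	SyncSecret     func() error             // copy kube-system/azure-credentials into the target secret
	DeleteMintedSP func(appID string) error // delete the service principal minted in the old mode
}

// SyncPassthrough writes the passthrough secret first and runs cleanup only after that succeeds;
// a sync failure skips cleanup, a cleanup-only failure becomes *OrphanedCloudResourceError.
func (a *Actuator) SyncPassthrough(mintedAppID string) error {
	if err := a.SyncSecret(); err != nil {
		return fmt.Errorf("syncing target secret: %w", err)
	}
	if err := a.DeleteMintedSP(mintedAppID); err != nil {
		return &OrphanedCloudResourceError{AppID: mintedAppID, Err: err}
	}
	return nil
}

// ConditionFor maps the result to a condition name; "SyncFailure" is a placeholder, not a real CCO condition.
func ConditionFor(err error) string {
	var orphaned *OrphanedCloudResourceError
	if errors.As(err, &orphaned) {
		return "OrphanedCloudResource"
	} else if err != nil {
		return "SyncFailure"
	}
	return ""
}

func main() {
	a := &Actuator{SyncSecret: func() error { return nil },
		DeleteMintedSP: func(string) error { return errors.New("403 insufficient privileges") }}
	fmt.Println(ConditionFor(a.SyncPassthrough("app-123"))) // OrphanedCloudResource
}
```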
/hold waiting for #426

@joelddiaz Here are the test cases for the card https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitems?query=trello%3ACCO%5C-173&sorting=id, PTAL! thanks. It's a little hard to reproduce the OrphanedCloudResource condition. And here I have some questions:
time="2021-12-17T07:31:13Z" level=error msg="error checking whether credentials already exists: invalid mode" controller=credreq cr=openshift-cloud-credential-operator/openshift-cloud-network-config-controller secret=openshift-cloud-network-config-controller/cloud-credentials
time="2021-12-17T07:31:17Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/azure-disk-csi-driver-operator

/test e2e-azure

Yes, this could be tricky. Perhaps you install an old version of OpenShift with Mint mode, disable CCO (either by marking it unmanaged in CVO and scaling down CVO, or move CCO to Manual mode), then swap the credentials in kube-system/azure-credentials with ones that can't do Mint mode, then upgrade to the new OpenShift/CCO, re-enable CCO, and it should migrate to Passthrough but fail to clean up the previously minted App Registrations.
Yes, good point. I'll add a Jira under the installer team.
Yes, the docs will need some careful updates. cc @jeana-redhat

Oh, and the test cases look good!

/test e2e-azure

/label px-approved

@lwan-wanglin @jeana-redhat anything else needed before getting the qe/docs approve labels?

/test e2e-azure

/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: akhil-rane, joelddiaz
/unhold

@joelddiaz Thanks for your given steps, I can reproduce the deleting SP failure case, and I filed a new test case to cover it. I missed one check (verify SPs are deleted from Azure cloud) on previous test cases; now I update this step to the test cases, but I meet a situation: I find cco just removes role assignment, but not deleting applications, is it expected? If not, please let me know, I will file a bug to track. For this PR, I think we can add qe-approved label.

If you are seeing that the App Registration are not being deleted, that is not expected. Do open a BZ.

Will def be able to doc this, just need to know when each piece is landing. I know y'all will keep me updated on that :)

@joelddiaz: all tests passed!

/cherry-pick release-4.9

@akhil-rane: #433 failed to apply on top of branch "release-4.9".
Azure passthrough
Migrate away from depending on the Azure Active Directory Graph API since it will be sunset in June 2022.
xref: https://issues.redhat.com/browse/CCO-173