From 044ab0ea7c372083acd7bc59a3d1e846ca825789 Mon Sep 17 00:00:00 2001 From: Ludovic Cleroux Date: Tue, 26 Aug 2025 15:54:43 -0400 Subject: [PATCH] ROX-30638: Remove tenant Route53 record management MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove all Route53 DNS record management functionality from fleet manager since tenant DNS records are now managed by external DNS. Changes: - Remove Route53 methods from AWS client interface and implementation - Remove Route53 management methods from CentralService - Delete CentralRoutesCNAMEManager worker that handled DNS record creation - Remove Route53 configuration fields from AWS config - Add database migration to remove routes_creation_id field - Remove E2E DNS test utilities and update multicluster tests - Update affected tests and regenerate mocks 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- .github/workflows/ci.yaml | 2 - .github/workflows/multicluster-e2e.yaml | 1 - .secrets.baseline | 22 +-- Makefile | 10 - README.md | 1 - cmd/fleet-manager/main.go | 10 +- cmd/fleet-manager/main_test.go | 2 +- dev/env/defaults/00-defaults.env | 3 - dev/env/defaults/cluster-type-crc/env | 1 - .../defaults/cluster-type-infra-openshift/env | 1 - .../defaults/cluster-type-openshift-ci/env | 1 - dev/env/scripts/docker.sh | 3 + dev/env/scripts/lib.sh | 11 -- docs/development/implementation.md | 4 +- docs/development/populating-configuration.md | 10 - docs/development/setup-test-environment.md | 17 -- docs/legacy/feature-flags.md | 1 - .../templates/fleetshard-sync.yaml | 2 + e2e/dns/record_cleanup.go | 40 ---- e2e/dns/records_loader.go | 112 ----------- e2e/e2e_suite_test.go | 24 --- e2e/e2e_test.go | 77 +------- .../multicluster_migration_test.go | 28 +-- e2e/multicluster/multicluster_suite_test.go | 38 ---- e2e/testutil/assert.go | 23 ++- e2e/testutil/testutil.go | 17 -- fleetshard/main.go | 8 +- .../pkg/central/reconciler/reconciler.go | 136 ++++++++++++- go.mod | 3 +- go.sum | 2 - .../pkg/api/admin/private/api/openapi.yaml | 2 - .../pkg/api/admin/private/model_central.go | 1 - .../pkg/api/dbapi/central_request_types.go | 5 +- internal/central/pkg/config/aws.go | 24 +-- internal/central/pkg/config/central.go | 17 +- .../central/pkg/environments/development.go | 1 - .../central/pkg/environments/integration.go | 1 - .../central/pkg/environments/production.go | 19 +- internal/central/pkg/environments/stage.go | 23 ++- .../central/pkg/externaldns/externaldns.go | 9 - ...routes_creation_id_from_central_request.go | 33 ++++ internal/central/pkg/migrations/migrations.go | 1 + internal/central/pkg/presenters/central.go | 15 +- internal/central/pkg/services/central.go | 172 +--------------- internal/central/pkg/services/central_test.go | 4 +- .../pkg/services/centralservice_moq.go | 184 +++--------------- .../pkg/services/data_plane_central.go | 6 - .../centralmgrs/centrals_routes_cname_mgr.go | 112 ----------- internal/central/providers.go | 1 - .../central/test/integration/admin_test.go | 50 +++-- openapi/fleet-manager-private-admin.yaml | 2 - pkg/client/aws/client.go | 74 +------ pkg/client/aws/client_moq.go | 144 +------------- scripts/ci/multicluster_tests/deploy.sh | 1 - templates/secrets-template.yml | 8 - templates/service-template.yml | 10 - 56 files changed, 304 insertions(+), 1225 deletions(-) delete mode 100644 e2e/dns/record_cleanup.go delete mode 100644 e2e/dns/records_loader.go delete mode 100644 internal/central/pkg/externaldns/externaldns.go create mode 100644 internal/central/pkg/migrations/20250826000000_remove_routes_creation_id_from_central_request.go delete mode 100644 internal/central/pkg/workers/centralmgrs/centrals_routes_cname_mgr.go diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e6f0c11d42..827a773c5a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -54,8 +54,6 @@ jobs: AWS_ACCOUNT_ID: aws_accountid AWS_ACCESS_KEY: aws_accesskey AWS_SECRET_ACCESS_KEY: aws_secretaccesskey # pragma: allowlist secret - dummy value - ROUTE53_ACCESS_KEY: aws_route53_access_key # pragma: allowlist secret - dummy value - ROUTE53_SECRET_ACCESS_KEY: aws_route53_secret_access_key # pragma: allowlist secret - dummy value TEST_TIMEOUT: 30m services: postgres: diff --git a/.github/workflows/multicluster-e2e.yaml b/.github/workflows/multicluster-e2e.yaml index 66f164f8d5..b6f57af13b 100644 --- a/.github/workflows/multicluster-e2e.yaml +++ b/.github/workflows/multicluster-e2e.yaml @@ -95,7 +95,6 @@ jobs: - name: "Run" env: RUN_MULTICLUSTER_E2E: "true" - ENABLE_CENTRAL_EXTERNAL_DOMAIN: "true" run: "scripts/ci/multicluster_tests/entrypoint.sh" cleanup-clusters: diff --git a/.secrets.baseline b/.secrets.baseline index 92f556ea64..24ba19314c 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -259,7 +259,7 @@ "filename": "internal/central/pkg/services/centralservice_moq.go", "hashed_secret": "44e17306b837162269a410204daaa5ecee4ec22c", "is_verified": false, - "line_number": 1180 + "line_number": 1048 } ], "pkg/client/fleetmanager/impl/testdata/token": [ @@ -296,63 +296,63 @@ "filename": "templates/service-template.yml", "hashed_secret": "13032f402fed753c2248419ea4f69f99931f6dbc", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Base64 High Entropy String", "filename": "templates/service-template.yml", "hashed_secret": "30025f80f6e22cdafb85db387d50f90ea884576a", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Base64 High Entropy String", "filename": "templates/service-template.yml", "hashed_secret": "355f24fd038bcaf85617abdcaa64af51ed19bbcf", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Base64 High Entropy String", "filename": "templates/service-template.yml", "hashed_secret": "3d8a1dcd2c3c765ce35c9a9552d23273cc4ddace", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Base64 High Entropy String", "filename": "templates/service-template.yml", "hashed_secret": "4ac7b0522761eba972467942cd5cd7499dd2c361", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Base64 High Entropy String", "filename": "templates/service-template.yml", "hashed_secret": "7639ab2a6bcf2ea30a055a99468c9cd844d4c22a", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Base64 High Entropy String", "filename": "templates/service-template.yml", "hashed_secret": "b56360daf4793d2a74991a972b34d95bc00fb2da", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Base64 High Entropy String", "filename": "templates/service-template.yml", "hashed_secret": "c9a73ef9ee8ce9f38437227801c70bcc6740d1a1", "is_verified": false, - "line_number": 476 + "line_number": 471 }, { "type": "Secret Keyword", "filename": "templates/service-template.yml", "hashed_secret": "4e199b4a1c40b497a95fcd1cd896351733849949", "is_verified": false, - "line_number": 659, + "line_number": 654, "is_secret": false } ], @@ -382,5 +382,5 @@ } ] }, - "generated_at": "2025-09-04T08:53:01Z" + "generated_at": "2025-10-16T10:28:36Z" } diff --git a/Makefile b/Makefile index 04e865cc5c..9e4efb9163 100644 --- a/Makefile +++ b/Makefile @@ -364,7 +364,6 @@ test/cluster/cleanup: test/e2e: $(GINKGO_BIN) CLUSTER_ID=1234567890abcdef1234567890abcdef \ RUN_E2E=true \ - ENABLE_CENTRAL_EXTERNAL_DOMAIN=$(ENABLE_CENTRAL_EXTERNAL_DOMAIN) \ GITOPS_CONFIG_PATH=$(GITOPS_CONFIG_FILE) \ $(GINKGO_BIN) -r $(GINKGO_FLAGS) \ --randomize-suites \ @@ -379,7 +378,6 @@ test/e2e: $(GINKGO_BIN) test/e2e/multicluster: $(GINKGO_BIN) CLUSTER_ID=1234567890abcdef1234567890abcdef \ - ENABLE_CENTRAL_EXTERNAL_DOMAIN=$(ENABLE_CENTRAL_EXTERNAL_DOMAIN) \ GITOPS_CONFIG_PATH=$(GITOPS_CONFIG_FILE) \ RUN_MULTICLUSTER_E2E=true \ $(GINKGO_BIN) -r $(GINKGO_FLAGS) \ @@ -610,8 +608,6 @@ image/push/fleetshard-operator/internal: docker/login/internal secrets/touch: touch secrets/aws.accesskey \ secrets/aws.accountid \ - secrets/aws.route53accesskey \ - secrets/aws.route53secretaccesskey \ secrets/aws.secretaccesskey \ secrets/db.host \ secrets/db.name \ @@ -639,8 +635,6 @@ aws/setup: @echo -n "$(AWS_ACCOUNT_ID)" > secrets/aws.accountid @echo -n "$(AWS_ACCESS_KEY)" > secrets/aws.accesskey @echo -n "$(AWS_SECRET_ACCESS_KEY)" > secrets/aws.secretaccesskey - @echo -n "$(ROUTE53_ACCESS_KEY)" > secrets/aws.route53accesskey - @echo -n "$(ROUTE53_SECRET_ACCESS_KEY)" > secrets/aws.route53secretaccesskey .PHONY: aws/setup redhatsso/setup: @@ -689,8 +683,6 @@ deploy/secrets: -p AWS_ACCESS_KEY="$(shell ([ -s './secrets/aws.accesskey' ] && [ -z '${AWS_ACCESS_KEY}' ]) && cat ./secrets/aws.accesskey || echo '${AWS_ACCESS_KEY}')" \ -p AWS_ACCOUNT_ID="$(shell ([ -s './secrets/aws.accountid' ] && [ -z '${AWS_ACCOUNT_ID}' ]) && cat ./secrets/aws.accountid || echo '${AWS_ACCOUNT_ID}')" \ -p AWS_SECRET_ACCESS_KEY="$(shell ([ -s './secrets/aws.secretaccesskey' ] && [ -z '${AWS_SECRET_ACCESS_KEY}' ]) && cat ./secrets/aws.secretaccesskey || echo '${AWS_SECRET_ACCESS_KEY}')" \ - -p ROUTE53_ACCESS_KEY="$(shell ([ -s './secrets/aws.route53accesskey' ] && [ -z '${ROUTE53_ACCESS_KEY}' ]) && cat ./secrets/aws.route53accesskey || echo '${ROUTE53_ACCESS_KEY}')" \ - -p ROUTE53_SECRET_ACCESS_KEY="$(shell ([ -s './secrets/aws.route53secretaccesskey' ] && [ -z '${ROUTE53_SECRET_ACCESS_KEY}' ]) && cat ./secrets/aws.route53secretaccesskey || echo '${ROUTE53_SECRET_ACCESS_KEY}')" \ -p SSO_CLIENT_ID="$(shell ([ -s './secrets/redhatsso-service.clientId' ] && [ -z '${SSO_CLIENT_ID}' ]) && cat ./secrets/redhatsso-service.clientId || echo '${SSO_CLIENT_ID}')" \ -p SSO_CLIENT_SECRET="$(shell ([ -s './secrets/redhatsso-service.clientSecret' ] && [ -z '${SSO_CLIENT_SECRET}' ]) && cat ./secrets/redhatsso-service.clientSecret || echo '${SSO_CLIENT_SECRET}')" \ -p CENTRAL_IDP_CLIENT_SECRET="$(shell ([ -s './secrets/central.idp-client-secret' ] && [ -z '${CENTRAL_IDP_CLIENT_SECRET}' ]) && cat ./secrets/central.idp-client-secret || echo '${CENTRAL_IDP_CLIENT_SECRET}')" \ @@ -724,7 +716,6 @@ deploy/service: FLEET_MANAGER_IMAGE ?= $(SHORT_IMAGE_REF) deploy/service: IMAGE_TAG ?= $(image_tag) deploy/service: FLEET_MANAGER_ENV ?= "development" deploy/service: REPLICAS ?= "1" -deploy/service: ENABLE_CENTRAL_EXTERNAL_DOMAIN ?= "false" deploy/service: ENABLE_CENTRAL_LIFE_SPAN ?= "false" deploy/service: CENTRAL_LIFE_SPAN ?= "48" deploy/service: OCM_URL ?= "https://api.stage.openshift.com" @@ -758,7 +749,6 @@ endif -p REPO_DIGEST="$(FLEET_MANAGER_IMAGE)" \ -p IMAGE_TAG=$(IMAGE_TAG) \ -p REPLICAS="${REPLICAS}" \ - -p ENABLE_CENTRAL_EXTERNAL_DOMAIN="${ENABLE_CENTRAL_EXTERNAL_DOMAIN}" \ -p ENABLE_CENTRAL_LIFE_SPAN="${ENABLE_CENTRAL_LIFE_SPAN}" \ -p CENTRAL_LIFE_SPAN="${CENTRAL_LIFE_SPAN}" \ -p ENABLE_OCM_MOCK=$(ENABLE_OCM_MOCK) \ diff --git a/README.md b/README.md index fbe0cdf5fb..22f9218047 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@ ACS fleet-manager repository for the ACS managed service. - ## Quickstart ### Overview diff --git a/cmd/fleet-manager/main.go b/cmd/fleet-manager/main.go index 13db6dcb49..5112470a0a 100644 --- a/cmd/fleet-manager/main.go +++ b/cmd/fleet-manager/main.go @@ -14,18 +14,14 @@ import ( ) func main() { - // This is needed to make `glog` believe that the flags have already been parsed, otherwise - // every log messages is prefixed by an error message stating that the flags haven't been - // parsed. - _ = flag.CommandLine.Parse([]string{}) - - // pflag.CommandLine.AddGoFlagSet(flag.CommandLine) - // Always log to stderr by default if err := flag.Set("logtostderr", "true"); err != nil { glog.Infof("Unable to set logtostderr to true") } + flag.Parse() + defer glog.Flush() + env, err := environments.New(environments.GetEnvironmentStrFromEnv(), central.ConfigProviders(), ) diff --git a/cmd/fleet-manager/main_test.go b/cmd/fleet-manager/main_test.go index e2ff7ab738..91aa0af056 100644 --- a/cmd/fleet-manager/main_test.go +++ b/cmd/fleet-manager/main_test.go @@ -52,7 +52,7 @@ func TestInjections(t *testing.T) { var workerList []workers.Worker env.MustResolve(&workerList) - Expect(workerList).To(HaveLen(10)) + Expect(workerList).To(HaveLen(9)) } func createServicesCommand(env *environments.Env) *cobra.Command { diff --git a/dev/env/defaults/00-defaults.env b/dev/env/defaults/00-defaults.env index 66887237e3..62adddecfb 100644 --- a/dev/env/defaults/00-defaults.env +++ b/dev/env/defaults/00-defaults.env @@ -32,12 +32,9 @@ export OCM_SERVICE_TOKEN_DEFAULT="" export OCM_ADDON_SERVICE_CLIENT_ID_DEFAULT="" export OCM_ADDON_SERVICE_CLIENT_SECRET_DEFAULT="" export OCM_ADDON_SERVICE_TOKEN_DEFAULT="" -export ROUTE53_ACCESS_KEY_DEFAULT="" -export ROUTE53_SECRET_ACCESS_KEY_DEFAULT="" export SPAWN_LOGGER_DEFAULT="false" export DUMP_LOGS_DEFAULT="false" export SKIP_TESTS_DEFAULT="false" -export ENABLE_CENTRAL_EXTERNAL_DOMAIN_DEFAULT=false export FLEETSHARD_SYNC_RESOURCES_DEFAULT='{"requests":{"cpu":"200m","memory":"300Mi"},"limits":{"cpu":"200m","memory":"300Mi"}}' export EMAIL_SENDER_RESOURCES_DEFAULT='{"requests":{"cpu":"200m","memory":"300Mi"},"limits":{"cpu":"200m","memory":"300Mi"}}' diff --git a/dev/env/defaults/cluster-type-crc/env b/dev/env/defaults/cluster-type-crc/env index c48d4f1162..9e831cbf41 100644 --- a/dev/env/defaults/cluster-type-crc/env +++ b/dev/env/defaults/cluster-type-crc/env @@ -1,3 +1,2 @@ -export ENABLE_CENTRAL_EXTERNAL_DOMAIN="true" export ENABLE_EXTERNAL_CONFIG_DEFAULT="true" export AWS_AUTH_HELPER_DEFAULT="aws-saml" diff --git a/dev/env/defaults/cluster-type-infra-openshift/env b/dev/env/defaults/cluster-type-infra-openshift/env index 7b36211c4d..55de695e82 100644 --- a/dev/env/defaults/cluster-type-infra-openshift/env +++ b/dev/env/defaults/cluster-type-infra-openshift/env @@ -3,4 +3,3 @@ export EXPOSE_OPENSHIFT_ROUTER_DEFAULT="true" export ENABLE_EXTERNAL_CONFIG_DEFAULT="true" export AWS_AUTH_HELPER_DEFAULT="aws-saml" export INHERIT_IMAGEPULLSECRETS_DEFAULT="true" # pragma: allowlist secret -export ENABLE_CENTRAL_EXTERNAL_DOMAIN_DEFAULT="true" diff --git a/dev/env/defaults/cluster-type-openshift-ci/env b/dev/env/defaults/cluster-type-openshift-ci/env index 0c600101da..36abb4278d 100644 --- a/dev/env/defaults/cluster-type-openshift-ci/env +++ b/dev/env/defaults/cluster-type-openshift-ci/env @@ -1,6 +1,5 @@ export SPAWN_LOGGER_DEFAULT="true" export DUMP_LOGS_DEFAULT="true" export GOTESTSUM="/usr/local/bin/gotestsum" -export ENABLE_CENTRAL_EXTERNAL_DOMAIN=true # To be adjusted for runnign in OpenShift CI # export FLEETSHARD_SYNC_RESOURCES_DEFAULT='{"requests":{"cpu":"200m","memory":"300Mi"},"limits":{"cpu":"200m","memory":"300Mi"}}' diff --git a/dev/env/scripts/docker.sh b/dev/env/scripts/docker.sh index e2ada83b19..943dfc143b 100644 --- a/dev/env/scripts/docker.sh +++ b/dev/env/scripts/docker.sh @@ -95,6 +95,9 @@ should_skip_image_build() { if [[ "$CLUSTER_TYPE" == "openshift-ci" ]]; then return 0 fi + if [[ "$DEVCONTAINER" == "true" ]]; then + return 1 + fi if is_running_inside_docker; then return 0 fi diff --git a/dev/env/scripts/lib.sh b/dev/env/scripts/lib.sh index 372db3db2b..81b50b713c 100644 --- a/dev/env/scripts/lib.sh +++ b/dev/env/scripts/lib.sh @@ -94,15 +94,12 @@ init() { export OCM_ADDON_SERVICE_CLIENT_ID=${OCM_ADDON_SERVICE_CLIENT_ID:-$OCM_ADDON_SERVICE_CLIENT_ID_DEFAULT} export OCM_ADDON_SERVICE_CLIENT_SECRET=${OCM_ADDON_SERVICE_CLIENT_SECRET:-$OCM_ADDON_SERVICE_CLIENT_SECRET_DEFAULT} export OCM_ADDON_SERVICE_TOKEN=${OCM_ADDON_SERVICE_TOKEN:-$OCM_ADDON_SERVICE_TOKEN_DEFAULT} - export ROUTE53_ACCESS_KEY=${ROUTE53_ACCESS_KEY:-$ROUTE53_ACCESS_KEY_DEFAULT} - export ROUTE53_SECRET_ACCESS_KEY=${ROUTE53_SECRET_ACCESS_KEY:-$ROUTE53_SECRET_ACCESS_KEY_DEFAULT} export SPAWN_LOGGER=${SPAWN_LOGGER:-$SPAWN_LOGGER_DEFAULT} export DUMP_LOGS=${DUMP_LOGS:-$DUMP_LOGS_DEFAULT} export ENABLE_DB_PORT_FORWARDING=${ENABLE_DB_PORT_FORWARDING:-$ENABLE_DB_PORT_FORWARDING_DEFAULT} export ENABLE_FM_PORT_FORWARDING=${ENABLE_FM_PORT_FORWARDING:-$ENABLE_FM_PORT_FORWARDING_DEFAULT} export FLEETSHARD_SYNC_RESOURCES=${FLEETSHARD_SYNC_RESOURCES:-$FLEETSHARD_SYNC_RESOURCES_DEFAULT} export SKIP_TESTS=${SKIP_TESTS:-$SKIP_TESTS_DEFAULT} - export ENABLE_CENTRAL_EXTERNAL_DOMAIN=${ENABLE_CENTRAL_EXTERNAL_DOMAIN:-$ENABLE_CENTRAL_EXTERNAL_DOMAIN_DEFAULT} export FLEET_MANAGER_IMAGE=${FLEET_MANAGER_IMAGE:-$FLEET_MANAGER_IMAGE_DEFAULT} export ENABLE_EMAIL_SENDER=${ENABLE_EMAIL_SENDER:-$ENABLE_EMAIL_SENDER_DEFAULT} export EMAIL_SENDER_IMAGE=${EMAIL_SENDER_IMAGE:-$EMAIL_SENDER_IMAGE_DEFAULT} @@ -118,11 +115,6 @@ init() { log "FLEET_MANAGER_IMAGE not set, using ${FLEET_MANAGER_IMAGE}" fi - if [[ "$ENABLE_CENTRAL_EXTERNAL_DOMAIN" != "false" && ("$ROUTE53_ACCESS_KEY" == "" || "$ROUTE53_SECRET_ACCESS_KEY" == "") ]]; then - log "setting ENABLE_CENTRAL_EXTERNAL_DOMAIN to false since no Route53 credentials were provided" - ENABLE_CENTRAL_EXTERNAL_DOMAIN=false - fi - if [[ "$CLUSTER_TYPE" == "minikube" ]]; then eval "$(minikube docker-env)" fi @@ -162,15 +154,12 @@ ARGOCD_TENANT_APP_TARGET_REVISION: ${ARGOCD_TENANT_APP_TARGET_REVISION} OCM_SERVICE_CLIENT_ID: ******** OCM_SERVICE_CLIENT_SECRET: ******** OCM_SERVICE_TOKEN: ******** -ROUTE53_ACCESS_KEY: ******** -ROUTE53_SECRET_ACCESS_KEY: ******** SPAWN_LOGGER: ${SPAWN_LOGGER} DUMP_LOGS: ${DUMP_LOGS} ENABLE_DB_PORT_FORWARDING: ${ENABLE_DB_PORT_FORWARDING} ENABLE_FM_PORT_FORWARDING: ${ENABLE_FM_PORT_FORWARDING} FLEETSHARD_SYNC_RESOURCES: ${FLEETSHARD_SYNC_RESOURCES} SKIP_TESTS: ${SKIP_TESTS} -ENABLE_CENTRAL_EXTERNAL_DOMAIN: ${ENABLE_CENTRAL_EXTERNAL_DOMAIN} FLEET_MANAGER_IMAGE: ${FLEET_MANAGER_IMAGE} FLEETSHARD_SYNC_CONTAINER_COMMAND: ${FLEETSHARD_SYNC_CONTAINER_COMMAND} EMAIL_SENDER_IMAGE: ${EMAIL_SENDER_IMAGE} diff --git a/docs/development/implementation.md b/docs/development/implementation.md index 7b4faaa404..596acf8997 100644 --- a/docs/development/implementation.md +++ b/docs/development/implementation.md @@ -63,9 +63,9 @@ See [adding a new endpoint](./adding-a-new-endpoint.md) documentation for more i The Central Workers are responsible for reconciling Centrals as requested by an end-user. There are currently 7 central workers, which are located in the [centrals_mgrs folder](../internal/central/pkg/workers/centrals_mgrs): - [`centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/centrals_mgr.go) responsible for reconciling central metrics and performing cleanup of trial centrals, and cleanup of centrals of denied owners. -- [`deleting_centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/deleting_centrals_mgr.go) responsible for handling the deletion of centrals e.g removing resources like AWS Route53 entry, IAM secrets client +- [`deleting_centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/deleting_centrals_mgr.go) responsible for handling the deletion of centrals e.g removing resources like IAM secrets client - [`accepted_centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/accepted_centrals_mgr.go) responsible for checking if user is within Quota before provisioning a central. Afterwards, it will periodically reconcile on all pending Central resources, attempt to find a valid OpenShift cluster to fit it's requirements (cloud provider, region, etc.) and provision a Central instance to the cluster. Once a suitable Dataplane cluster has been found, we'll update the status of the Central resource to reflect it's current progress. -- [`preparing_centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/preparing_centrals_mgr.go) responsible for creating external resources e.g AWS Route53 DNS, IAM authentication secrets +- [`preparing_centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/preparing_centrals_mgr.go) responsible for creating external resources e.g IAM authentication secrets - [`provisioning_centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/provisioning_centrals_mgr.go) responsible for checking if a provisioned central is ready as reported by the fleetshard-operator - [`ready_centrals_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/ready_centrals_mgr.go) responsible for reconciling external resources of a ready centrals - [`centrals_routes_cname_mgr.go`](../internal/central/pkg/workers/centrals_mgrs/centrals_routes_cname_mgr.go) responsible for reconciliation of DNS records for each centrals' routes. diff --git a/docs/development/populating-configuration.md b/docs/development/populating-configuration.md index e950a0c9c5..c8f98bdd1e 100644 --- a/docs/development/populating-configuration.md +++ b/docs/development/populating-configuration.md @@ -57,12 +57,6 @@ make ocm/setup OCM_OFFLINE_TOKEN= Fleet Manager interacts with AWS to provide the following functionalities: * To be able to create and manage Data Plane clusters in a specific AWS account by passing the needed credentials to OpenShift Cluster Management -* To create [AWS's Route53](https://aws.amazon.com/route53/) DNS records in a - specific AWS account. These records are DNS records that point to some - routes related to Central instances that are created. - > NOTE: The domain name used for these records can be configured by setting - the domain name to be used for Central instances. This can be done - through the `--central-domain-name` Fleet Manager binary CLI flag For both functionalities, the same underlying AWS account is used. In order for the Fleet Manager to be able to start, create the following files: @@ -70,8 +64,6 @@ In order for the Fleet Manager to be able to start, create the following files: touch secrets/aws.accountid touch secrets/aws.accesskey touch secrets/aws.secretaccesskey -touch secrets/aws.route53accesskey -touch secrets/aws.route53secretaccesskey ``` If you need any of those functionalities keep reading. Otherwise, this section @@ -84,8 +76,6 @@ IAM user credentials to the control plane by running: AWS_ACCOUNT_ID= \ AWS_ACCESS_KEY= \ AWS_SECRET_ACCESS_KEY= \ -ROUTE53_ACCESS_KEY= \ -ROUTE53_SECRET_ACCESS_KEY= \ make aws/setup ``` > NOTE: If you are in Red Hat, the following [documentation](./getting-credentials-and-accounts.md#aws) diff --git a/docs/development/setup-test-environment.md b/docs/development/setup-test-environment.md index 036448baa8..2da2bdf588 100644 --- a/docs/development/setup-test-environment.md +++ b/docs/development/setup-test-environment.md @@ -91,23 +91,6 @@ To clean up the environment run $ make undeploy/dev # points to down.sh ``` -### DNS tests - -The test suite has auto-sensing logic built in to skip DNS e2e tests when the test environment does not support execution of DNS e2e tests. Currently this is only supported in OpenShift environments. - -To run the DNS e2e tests additionally to the default e2e test setup the cluster you're running against needs to have the openshift Route Custom Resource Definition installed and you need to set following environment variables: - -```shell -export ROUTE53_ACCESS_KEY="" -export ROUTE53_SECRET_ACCESS_KEY="" - -# Depending on cluster type and its default configuration you might need -export ENABLE_CENTRAL_EXTERNAL_DOMAIN_DEFAULT=true - -# If the domain you test against is not the default dev domain -export CENTRAL_DOMAIN_NAME="" -``` - ## Cluster setup Bootstrap a local cluster using one of the options below. diff --git a/docs/legacy/feature-flags.md b/docs/legacy/feature-flags.md index efcb91963c..3c756a0aa7 100644 --- a/docs/legacy/feature-flags.md +++ b/docs/legacy/feature-flags.md @@ -35,7 +35,6 @@ This lists the feature flags and their sub-configurations to enable/disable and ## Central - **enable-deletion-of-expired-central**: Enables deletion of eval Central instances when its life span has expired. - `central-lifespan` [Optional]: The desired lifespan of a Central instance in hour(s) (default: `48`). -- **enable-central-external-domain**: Enables custom Central domain. - **enable-evaluator-instance**: Enable the creation of one central evaluator instances per user - **central-idp-***: A collection of flags describing _static_ auth config for Central. diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml index 68d7538fb5..327f53d976 100644 --- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml +++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml @@ -45,6 +45,8 @@ spec: imagePullPolicy: IfNotPresent command: - /usr/local/bin/fleetshard-sync + args: + - '-v=10' env: - name: OCM_TOKEN value: {{ .Values.fleetshardSync.ocmToken }} diff --git a/e2e/dns/record_cleanup.go b/e2e/dns/record_cleanup.go deleted file mode 100644 index 3abdd9f751..0000000000 --- a/e2e/dns/record_cleanup.go +++ /dev/null @@ -1,40 +0,0 @@ -package dns - -import ( - "context" - - "github.com/aws/aws-sdk-go-v2/service/route53" - "github.com/aws/aws-sdk-go-v2/service/route53/types" - . "github.com/onsi/gomega" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/api/public" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/services" -) - -// CleanupCentralRequestRecords deletes all route53 resoruces associated with the centralRequest -func CleanupCentralRequestRecords(route53Client *route53.Client, centralRequest public.CentralRequest) { - dnsLoader := NewRecordsLoader(route53Client, centralRequest) - recordSets := dnsLoader.LoadDNSRecords() - - action, err := services.CentralRoutesActionToRoute53ChangeAction(services.CentralRoutesActionDelete) - Expect(err).ToNot(HaveOccurred()) - - changes := []types.Change{} - for _, rs := range recordSets { - c := types.Change{ - Action: action, - ResourceRecordSet: rs, - } - changes = append(changes, c) - } - - if len(changes) == 0 { - return - } - - _, err = route53Client.ChangeResourceRecordSets(context.Background(), &route53.ChangeResourceRecordSetsInput{ - HostedZoneId: dnsLoader.rhacsZone.Name, - ChangeBatch: &types.ChangeBatch{Changes: changes}, - }) - - Expect(err).ToNot(HaveOccurred()) -} diff --git a/e2e/dns/records_loader.go b/e2e/dns/records_loader.go deleted file mode 100644 index e37b5e4a33..0000000000 --- a/e2e/dns/records_loader.go +++ /dev/null @@ -1,112 +0,0 @@ -// Package dns ... -package dns - -import ( - "context" - "fmt" - "net" - "net/url" - "sort" - "strings" - - "github.com/aws/aws-sdk-go-v2/service/route53" - "github.com/aws/aws-sdk-go-v2/service/route53/types" - . "github.com/onsi/gomega" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/api/public" -) - -// RecordsLoader loads DNS records from Route53 -type RecordsLoader struct { - route53Client *route53.Client - rhacsZone *types.HostedZone - CentralDomainNames []string - LastResult []*types.ResourceRecordSet -} - -// NewRecordsLoader creates a new instance of RecordsLoader -func NewRecordsLoader(route53Client *route53.Client, central public.CentralRequest) *RecordsLoader { - rhacsZone, err := getHostedZone(route53Client, central) - Expect(err).ToNot(HaveOccurred()) - - return &RecordsLoader{ - route53Client: route53Client, - CentralDomainNames: getCentralDomainNamesSorted(central), - rhacsZone: rhacsZone, - } -} - -// LoadDNSRecords loads DNS records from Route53 -func (loader *RecordsLoader) LoadDNSRecords() []*types.ResourceRecordSet { - if len(loader.CentralDomainNames) == 0 { - return []*types.ResourceRecordSet{} - } - idx := 0 - loadingRecords := true - nextRecord := &loader.CentralDomainNames[idx] - result := make([]*types.ResourceRecordSet, 0, len(loader.CentralDomainNames)) - -loading: - for loadingRecords { - output, err := loader.route53Client.ListResourceRecordSets(context.Background(), &route53.ListResourceRecordSetsInput{ - HostedZoneId: loader.rhacsZone.Id, - StartRecordName: nextRecord, - }) - Expect(err).ToNot(HaveOccurred()) - - for _, recordSet := range output.ResourceRecordSets { - if *recordSet.Name == loader.CentralDomainNames[idx] { - result = append(result, &recordSet) - idx++ - if idx == len(loader.CentralDomainNames) { - break loading - } - } - } - loadingRecords = output.IsTruncated - nextRecord = output.NextRecordName - } - loader.LastResult = result - return result -} - -func getHostedZone(route53Client *route53.Client, central public.CentralRequest) (*types.HostedZone, error) { - hostedZones, err := route53Client.ListHostedZones(context.Background(), &route53.ListHostedZonesInput{}) - if err != nil { - return nil, fmt.Errorf("failed to list hosted zones: %w", err) - } - - var rhacsZone *types.HostedZone - for _, zone := range hostedZones.HostedZones { - // Omit the . at the end of hosted zone name - name := removeLastChar(*zone.Name) - if strings.Contains(central.CentralUIURL, name) { - z := zone - rhacsZone = &z - break - } - } - - if rhacsZone == nil { - return nil, fmt.Errorf("failed to find Route53 hosted zone for Central [id: %v, status: %v, UI URL: %v]", - central.Id, central.Status, central.CentralUIURL) - } - - return rhacsZone, nil -} - -func removeLastChar(s string) string { - return s[:len(s)-1] -} - -func getCentralDomainNamesSorted(central public.CentralRequest) []string { - uiURL, err := url.Parse(central.CentralUIURL) - Expect(err).ToNot(HaveOccurred()) - dataHost, _, err := net.SplitHostPort(central.CentralDataURL) - Expect(err).ToNot(HaveOccurred()) - - centralUIDomain := uiURL.Host + "." - centralDataDomain := dataHost + "." - domains := []string{centralUIDomain, centralDataDomain} - sort.Strings(domains) - return domains -} diff --git a/e2e/e2e_suite_test.go b/e2e/e2e_suite_test.go index 15118df772..2e42509b37 100644 --- a/e2e/e2e_suite_test.go +++ b/e2e/e2e_suite_test.go @@ -7,9 +7,6 @@ import ( "testing" "time" - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/credentials" - "github.com/aws/aws-sdk-go-v2/service/route53" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" openshiftRouteV1 "github.com/openshift/api/route/v1" @@ -27,7 +24,6 @@ var ( routeService *k8s.RouteService dnsEnabled bool routesEnabled bool - route53Client *route53.Client waitTimeout = testutil.GetWaitTimeout() extendedWaitTimeout = testutil.GetWaitTimeout() * 3 dpCloudProvider = getEnvDefault("DP_CLOUD_PROVIDER", "standalone") @@ -64,26 +60,6 @@ var _ = BeforeSuite(func() { routesEnabled, err = k8s.IsRoutesResourceEnabled(k8sClient) Expect(err).ToNot(HaveOccurred()) - var accessKey, secretKey string - dnsEnabled, accessKey, secretKey = testutil.DNSConfiguration(routesEnabled) - - if dnsEnabled { - creds := aws.NewCredentialsCache(credentials.NewStaticCredentialsProvider( - accessKey, - secretKey, - "")) - - _, err := creds.Retrieve(context.Background()) - Expect(err).ToNot(HaveOccurred()) - cfg := aws.Config{ - Credentials: creds, - Region: getEnvDefault("AWS_REGION", "us-east-1"), - } - Expect(err).ToNot(HaveOccurred()) - - route53Client = route53.NewFromConfig(cfg) - } - if val := os.Getenv("FLEET_MANAGER_ENDPOINT"); val != "" { fleetManagerEndpoint = val } diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go index d40f29d75b..c194d2a49d 100644 --- a/e2e/e2e_test.go +++ b/e2e/e2e_test.go @@ -16,7 +16,6 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" openshiftRouteV1 "github.com/openshift/api/route/v1" - "github.com/stackrox/acs-fleet-manager/e2e/dns" "github.com/stackrox/acs-fleet-manager/e2e/testutil" "github.com/stackrox/acs-fleet-manager/fleetshard/pkg/k8s" "github.com/stackrox/acs-fleet-manager/internal/central/constants" @@ -156,16 +155,6 @@ var _ = Describe("Central", Ordered, func() { Should(Succeed()) }) - // TODO: possible flake. Maybe this test will be executed after the routes are created - It("should not expose URLs until the routes are created", func() { - testutil.SkipIf(!routesEnabled, skipRouteMsg) - var centralRequest public.CentralRequest - Expect(testutil.GetCentralRequest(ctx, client, centralRequestID, ¢ralRequest)). - To(Succeed()) - Expect(centralRequest.CentralUIURL).To(BeEmpty()) - Expect(centralRequest.CentralDataURL).To(BeEmpty()) - }) - It("should transition central request state to ready", func() { Eventually(testutil.AssertCentralRequestReady(ctx, client, centralRequestID)). WithTimeout(extendedWaitTimeout). @@ -200,30 +189,6 @@ var _ = Describe("Central", Ordered, func() { Should(Succeed()) }) - It("should have created AWS Route53 records", func() { - testutil.SkipIf(!dnsEnabled, testutil.SkipDNSMsg) - - var centralRequest public.CentralRequest - Expect(testutil.GetCentralRequest(ctx, client, centralRequestID, ¢ralRequest)). - To(Succeed()) - - var reencryptIngress openshiftRouteV1.RouteIngress - Eventually(testutil.AssertReencryptIngressRouteExist(context.Background(), routeService, centralRequest, &reencryptIngress)). - WithTimeout(waitTimeout). - WithPolling(defaultPolling). - Should(Succeed()) - - dnsRecordsLoader := dns.NewRecordsLoader(route53Client, centralRequest) - - Eventually(dnsRecordsLoader.LoadDNSRecords). - WithTimeout(waitTimeout). - WithPolling(defaultPolling). - Should(HaveLen(len(dnsRecordsLoader.CentralDomainNames)), "Started at %s", time.Now()) - - recordSets := dnsRecordsLoader.LastResult - testutil.AssertDNSMatchesRouter(dnsRecordsLoader.CentralDomainNames, recordSets, &reencryptIngress) - }) - It("should backup important secrets in FM database", func() { expectedSecrets := k8s.NewSecretBackup(k8sClient, false).GetWatchedSecrets() Eventually(assertStoredSecrets(ctx, privateAPI, centralRequestID, expectedSecrets)). @@ -348,18 +313,6 @@ var _ = Describe("Central", Ordered, func() { Should(Succeed()) }) - It("should delete external DNS entries", func() { - testutil.SkipIf(!dnsEnabled, testutil.SkipDNSMsg) - var centralRequest public.CentralRequest - Expect(testutil.GetCentralRequest(ctx, client, centralRequestID, ¢ralRequest)). - To(Succeed()) - dnsRecordsLoader := dns.NewRecordsLoader(route53Client, centralRequest) - Eventually(dnsRecordsLoader.LoadDNSRecords). - WithTimeout(waitTimeout). - WithPolling(defaultPolling). - Should(BeEmpty(), "Started at %s", time.Now()) - }) - AfterAll(func() { Expect(restoreDefaultGitopsConfig()).To(Succeed()) }) @@ -428,16 +381,11 @@ var _ = Describe("Central", Ordered, func() { Should(Succeed()) }) - It("should delete external DNS entries", func() { - testutil.SkipIf(!dnsEnabled, testutil.SkipDNSMsg) - var centralRequest public.CentralRequest - Expect(testutil.GetCentralRequest(ctx, client, centralRequestID, ¢ralRequest)). - To(Succeed()) - dnsRecordsLoader := dns.NewRecordsLoader(route53Client, centralRequest) - Eventually(dnsRecordsLoader.LoadDNSRecords). + It("should be deleted from the api", func() { + Eventually(testutil.AssertCentralRequestDeleted(ctx, client, centralRequestID)). WithTimeout(waitTimeout). WithPolling(defaultPolling). - Should(BeEmpty(), "Started at %s", time.Now()) + Should(Succeed()) }) It("should be restorable", func() { @@ -468,17 +416,6 @@ var _ = Describe("Central", Ordered, func() { Should(Succeed()) }) - By("deleting external DNS entries", func() { - testutil.SkipIf(!dnsEnabled, testutil.SkipDNSMsg) - var centralRequest public.CentralRequest - Expect(testutil.GetCentralRequest(ctx, client, centralRequestID, ¢ralRequest)). - To(Succeed()) - dnsRecordsLoader := dns.NewRecordsLoader(route53Client, centralRequest) - Eventually(dnsRecordsLoader.LoadDNSRecords). - WithTimeout(waitTimeout). - WithPolling(defaultPolling). - Should(BeEmpty(), "Started at %s", time.Now()) - }) }) }) @@ -551,14 +488,6 @@ var _ = Describe("Central", Ordered, func() { Expect(k8sClient.Delete(ctx, namespace)).ToNot(HaveOccurred()) }) - It("should delete external DNS entries", func() { - testutil.SkipIf(!dnsEnabled, testutil.SkipDNSMsg) - dnsRecordsLoader := dns.NewRecordsLoader(route53Client, readyCentralRequest) - Eventually(dnsRecordsLoader.LoadDNSRecords). - WithTimeout(waitTimeout). - WithPolling(defaultPolling). - Should(BeEmpty(), "Started at %s", time.Now()) - }) }) }) diff --git a/e2e/multicluster/multicluster_migration_test.go b/e2e/multicluster/multicluster_migration_test.go index 76b5be140c..642a0d721d 100644 --- a/e2e/multicluster/multicluster_migration_test.go +++ b/e2e/multicluster/multicluster_migration_test.go @@ -9,7 +9,6 @@ import ( . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" openshiftRouteV1 "github.com/openshift/api/route/v1" - "github.com/stackrox/acs-fleet-manager/e2e/dns" "github.com/stackrox/acs-fleet-manager/e2e/testutil" "github.com/stackrox/acs-fleet-manager/fleetshard/pkg/k8s" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/api/admin/private" @@ -64,11 +63,6 @@ var _ = Describe("Central Migration Test", Ordered, func() { }) AfterAll(func() { - // if the Id is empty we've never successfully created a CentralRequest, thus no cleanup necessary - if dnsEnabled && centralRequest.Id != "" { - dns.CleanupCentralRequestRecords(route53Client, centralRequest) - } - for _, note := range notes { GinkgoWriter.Println(note) } @@ -104,11 +98,9 @@ var _ = Describe("Central Migration Test", Ordered, func() { Should(Succeed()) }) - It("should have DNS CNAME records for cluster1 routes", func() { - testutil.SkipIf(!dnsEnabled, testutil.SkipDNSMsg) + It("should have routes configured on cluster1", func() { testutil.GetCentralRequest(context.Background(), fleetmanagerClient, centralRequest.Id, ¢ralRequest) - dnsRecordsLoader := dns.NewRecordsLoader(route53Client, centralRequest) routeService := k8s.NewRouteService(cluster1KubeClient) var reencryptIngress openshiftRouteV1.RouteIngress @@ -117,12 +109,7 @@ var _ = Describe("Central Migration Test", Ordered, func() { WithPolling(defaultPolling). Should(Succeed()) - Eventually(dnsRecordsLoader.LoadDNSRecords). - WithTimeout(waitTimeout). - WithPolling(3 * defaultPolling). - Should(HaveLen(len(dnsRecordsLoader.CentralDomainNames))) - - testutil.AssertDNSMatchesRouter(dnsRecordsLoader.CentralDomainNames, dnsRecordsLoader.LastResult, &reencryptIngress) + GinkgoWriter.Printf("Route host configured: %s\n", reencryptIngress.Host) }) }) @@ -155,11 +142,9 @@ var _ = Describe("Central Migration Test", Ordered, func() { WithPolling(defaultPolling). Should(Succeed()) }) - It("should have DNS CNAME records for cluster2 routes", func() { - testutil.SkipIf(!dnsEnabled, testutil.SkipDNSMsg) + It("should have routes configured on cluster2", func() { testutil.GetCentralRequest(context.Background(), fleetmanagerClient, centralRequest.Id, ¢ralRequest) - dnsRecordsLoader := dns.NewRecordsLoader(route53Client, centralRequest) routeService := k8s.NewRouteService(cluster2KubeClient) var reencryptIngress openshiftRouteV1.RouteIngress @@ -168,12 +153,7 @@ var _ = Describe("Central Migration Test", Ordered, func() { WithPolling(defaultPolling). Should(Succeed()) - Eventually(dnsRecordsLoader.LoadDNSRecords). - WithTimeout(waitTimeout). - WithPolling(3 * defaultPolling). - Should(HaveLen(len(dnsRecordsLoader.CentralDomainNames))) - - testutil.AssertDNSMatchesRouter(dnsRecordsLoader.CentralDomainNames, dnsRecordsLoader.LastResult, &reencryptIngress) + GinkgoWriter.Printf("Route host configured: %s\n", reencryptIngress.Host) }) }) diff --git a/e2e/multicluster/multicluster_suite_test.go b/e2e/multicluster/multicluster_suite_test.go index da681294ab..8aeee0c3b9 100644 --- a/e2e/multicluster/multicluster_suite_test.go +++ b/e2e/multicluster/multicluster_suite_test.go @@ -1,16 +1,11 @@ package multicluster import ( - "context" "os" "testing" - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/credentials" - "github.com/aws/aws-sdk-go-v2/service/route53" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" - "github.com/stackrox/acs-fleet-manager/e2e/testutil" "github.com/stackrox/acs-fleet-manager/fleetshard/pkg/k8s" "k8s.io/client-go/tools/clientcmd" ctrlClient "sigs.k8s.io/controller-runtime/pkg/client" @@ -21,8 +16,6 @@ var ( cluster2KubeClient ctrlClient.Client fleetManagerEndpoint = "http://localhost:8000" - route53Client *route53.Client - dnsEnabled bool ) func TestMulticlusterE2E(t *testing.T) { @@ -57,35 +50,4 @@ var _ = BeforeSuite(func() { fleetManagerEndpoint = fmOverride } - routesEnabled, err := k8s.IsRoutesResourceEnabled(cluster1KubeClient) - Expect(err).ToNot(HaveOccurred()) - - var accessKey, secretKey string - dnsEnabled, accessKey, secretKey = testutil.DNSConfiguration(routesEnabled) - - if dnsEnabled { - creds := aws.NewCredentialsCache(credentials.NewStaticCredentialsProvider( - accessKey, - secretKey, - "")) - - _, err := creds.Retrieve(context.Background()) - Expect(err).ToNot(HaveOccurred()) - - cfg := aws.Config{ - Credentials: creds, - Region: getEnvDefault("AWS_REGION", "us-east-1"), - } - Expect(err).ToNot(HaveOccurred()) - - route53Client = route53.NewFromConfig(cfg) - } }) - -func getEnvDefault(key, defaultValue string) string { - value, ok := os.LookupEnv(key) - if !ok { - return defaultValue - } - return value -} diff --git a/e2e/testutil/assert.go b/e2e/testutil/assert.go index 76380a387a..901607ff9c 100644 --- a/e2e/testutil/assert.go +++ b/e2e/testutil/assert.go @@ -5,7 +5,6 @@ import ( "fmt" "net/url" - "github.com/aws/aws-sdk-go-v2/service/route53/types" . "github.com/onsi/gomega" openshiftRouteV1 "github.com/openshift/api/route/v1" "github.com/stackrox/acs-fleet-manager/fleetshard/pkg/k8s" @@ -44,15 +43,19 @@ func AssertCentralRequestDeprovisioning(ctx context.Context, client *fleetmanage return AssertCentralRequestStatus(ctx, client, id, constants.CentralRequestStatusDeprovision.String()) } -// AssertDNSMatchesRouter asserts that every domain in centralDomainNames is in recordSets and targets -// the correct hostname given by the routeIngress -func AssertDNSMatchesRouter(centralDomainNames []string, recordSets []*types.ResourceRecordSet, routeIngress *openshiftRouteV1.RouteIngress) { - for idx, domain := range centralDomainNames { - recordSet := recordSets[idx] - Expect(recordSet.ResourceRecords).To(HaveLen(1)) - record := recordSet.ResourceRecords[0] - Expect(*recordSet.Name).To(Equal(domain)) - Expect(*record.Value).To(Equal(routeIngress.RouterCanonicalHostname)) // TODO use route specific ingress instead of comparing with reencryptIngress for all cases +// AssertCentralRequestDeleted verifies the central has been completely deleted (soft-deleted) +func AssertCentralRequestDeleted(ctx context.Context, client *fleetmanager.Client, id string) func() error { + return func() error { + _, httpResp, err := client.PublicAPI().GetCentralById(ctx, id) + if err == nil { + return fmt.Errorf("expected central to be deleted, but it still exists") + } + + if httpResp.StatusCode != 404 { + return fmt.Errorf("expected a 404 Not Found response, but got: %d", httpResp.StatusCode) + } + + return nil } } diff --git a/e2e/testutil/testutil.go b/e2e/testutil/testutil.go index f0cc71a939..fef82d596e 100644 --- a/e2e/testutil/testutil.go +++ b/e2e/testutil/testutil.go @@ -14,11 +14,6 @@ import ( const defaultTimeout = 5 * time.Minute -var ( - // SkipDNSMsg is the message printed when DNS e2e tests or assertions should be skipped - SkipDNSMsg = "external DNS is not enabled for this test run" -) - // GetWaitTimeout gets the test wait timeout for polling operation from // OS environment WAIT_TIMEOUT or returns the defaultTimeout if unset func GetWaitTimeout() time.Duration { @@ -33,18 +28,6 @@ func GetWaitTimeout() time.Duration { return defaultTimeout } -// DNSConfiguration looks for propper environment variable setup to run e2e tests -// with Route53 DNS functionality enabled and returns it. -func DNSConfiguration(routesEnabled bool) (dnsEnabled bool, accessKey string, secretKey string) { - accessKey = os.Getenv("ROUTE53_ACCESS_KEY") - secretKey = os.Getenv("ROUTE53_SECRET_ACCESS_KEY") - enableExternal := os.Getenv("ENABLE_CENTRAL_EXTERNAL_DOMAIN") - dnsEnabled = accessKey != "" && - secretKey != "" && - enableExternal == "true" && routesEnabled - return dnsEnabled, accessKey, secretKey -} - // SkipIf skips a Gingko test container if condition is true func SkipIf(condition bool, message string) { if condition { diff --git a/fleetshard/main.go b/fleetshard/main.go index 64e768d98e..05533972e5 100644 --- a/fleetshard/main.go +++ b/fleetshard/main.go @@ -25,16 +25,14 @@ import ( ) func main() { - // This is needed to make `glog` believe that the flags have already been parsed, otherwise - // every log messages is prefixed by an error message stating the flags haven't been - // parsed. - _ = flag.CommandLine.Parse([]string{}) - // Always log to stderr by default, required for glog. if err := flag.Set("logtostderr", "true"); err != nil { glog.Info("Unable to set logtostderr to true") } + flag.Parse() + defer glog.Flush() + config, err := config.GetConfig() if err != nil { glog.Fatalf("Failed to load configuration: %v", err) diff --git a/fleetshard/pkg/central/reconciler/reconciler.go b/fleetshard/pkg/central/reconciler/reconciler.go index 083f982e7f..bd7595aba4 100644 --- a/fleetshard/pkg/central/reconciler/reconciler.go +++ b/fleetshard/pkg/central/reconciler/reconciler.go @@ -152,16 +152,24 @@ func (r *CentralReconciler) Reconcile(ctx context.Context, remoteCentral private remoteCentralNamespace := remoteCentral.Metadata.Namespace remoteCentralName := remoteCentral.Metadata.Name + glog.V(2).Infof("[DEBUG] Starting reconcile for central %s/%s (ID: %s, Status: %s)", remoteCentralNamespace, remoteCentralName, remoteCentral.Id, remoteCentral.RequestStatus) + // Only allow to start reconcile function once if !atomic.CompareAndSwapInt32(r.status, FreeStatus, BlockedStatus) { + glog.V(2).Infof("[DEBUG] Reconciler busy for central %s/%s, returning ErrBusy", remoteCentralNamespace, remoteCentralName) return nil, ErrBusy } - defer atomic.StoreInt32(r.status, FreeStatus) + defer func() { + atomic.StoreInt32(r.status, FreeStatus) + glog.V(2).Infof("[DEBUG] Reconciler status reset to FreeStatus for central %s/%s", remoteCentralNamespace, remoteCentralName) + }() centralHash, err := r.computeCentralHash(remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to compute central hash for %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, errors.Wrap(err, "computing central hash") } + glog.V(3).Infof("[DEBUG] Computed central hash for %s/%s: %x", remoteCentralNamespace, remoteCentralName, centralHash) shouldUpdateCentralHash := false defer func() { @@ -174,10 +182,13 @@ func (r *CentralReconciler) Reconcile(ctx context.Context, remoteCentral private }() changed := r.centralChanged(centralHash) + glog.V(2).Infof("[DEBUG] Central %s/%s changed since last reconcile: %t", remoteCentralNamespace, remoteCentralName, changed) needsReconcile := r.needsReconcileFunc(changed, remoteCentral, remoteCentral.Metadata.SecretsStored) + glog.V(2).Infof("[DEBUG] Central %s/%s needs reconcile: %t (changed: %t, secrets stored: %v)", remoteCentralNamespace, remoteCentralName, needsReconcile, changed, remoteCentral.Metadata.SecretsStored) if !needsReconcile && isRemoteCentralReady(&remoteCentral) { + glog.V(2).Infof("[DEBUG] Central %s/%s doesn't need reconcile and is ready, returning ErrCentralNotChanged", remoteCentralNamespace, remoteCentralName) shouldUpdateCentralHash = true return nil, ErrCentralNotChanged } @@ -185,120 +196,180 @@ func (r *CentralReconciler) Reconcile(ctx context.Context, remoteCentral private glog.Infof("Start reconcile central %s/%s", remoteCentralNamespace, remoteCentralName) if remoteCentral.Metadata.DeletionTimestamp != "" { + glog.V(2).Infof("[DEBUG] Central %s/%s has deletion timestamp: %s, starting deletion reconcile", remoteCentralNamespace, remoteCentralName, remoteCentral.Metadata.DeletionTimestamp) status, err := r.reconcileInstanceDeletion(ctx, remoteCentral) + if err != nil { + glog.Errorf("[DEBUG] Failed to reconcile deletion for central %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) + } else { + glog.V(2).Infof("[DEBUG] Successfully reconciled deletion for central %s/%s, status: %+v", remoteCentralNamespace, remoteCentralName, status) + } shouldUpdateCentralHash = err == nil return status, err } ns := r.getDesiredNamespace(remoteCentral) + glog.V(2).Infof("[DEBUG] Reconciling namespace %s for central %s/%s", ns.Name, remoteCentralNamespace, remoteCentralName) if err := r.namespaceReconciler.reconcile(ctx, ns); err != nil { + glog.Errorf("[DEBUG] Failed to reconcile namespace %s for central %s/%s: %v", ns.Name, remoteCentralNamespace, remoteCentralName, err) return nil, errors.Wrapf(err, "unable to ensure that namespace %s exists", remoteCentralNamespace) } + glog.V(2).Infof("[DEBUG] Successfully reconciled namespace %s for central %s/%s", ns.Name, remoteCentralNamespace, remoteCentralName) if len(r.tenantImagePullSecret) > 0 { + glog.V(2).Infof("[DEBUG] Ensuring image pull secret %s configured for central %s/%s", tenantImagePullSecretName, remoteCentralNamespace, remoteCentralName) err = r.ensureImagePullSecretConfigured(ctx, remoteCentralNamespace, tenantImagePullSecretName, r.tenantImagePullSecret) if err != nil { + glog.Errorf("[DEBUG] Failed to ensure image pull secret for central %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, err } + glog.V(2).Infof("[DEBUG] Successfully ensured image pull secret for central %s/%s", remoteCentralNamespace, remoteCentralName) + } else { + glog.V(3).Infof("[DEBUG] No tenant image pull secret configured for central %s/%s", remoteCentralNamespace, remoteCentralName) } + glog.V(2).Infof("[DEBUG] Restoring central secrets for %s/%s", remoteCentralNamespace, remoteCentralName) err = r.restoreCentralSecretsFunc(ctx, remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to restore central secrets for %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, err } + glog.V(2).Infof("[DEBUG] Successfully restored central secrets for %s/%s", remoteCentralNamespace, remoteCentralName) + glog.V(2).Infof("[DEBUG] Ensuring encryption key secret exists for central %s/%s", remoteCentralNamespace, remoteCentralName) err = r.ensureEncryptionKeySecretExists(ctx, remoteCentralNamespace) if err != nil { + glog.Errorf("[DEBUG] Failed to ensure encryption key secret for central %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, err } + glog.V(2).Infof("[DEBUG] Successfully ensured encryption key secret for central %s/%s", remoteCentralNamespace, remoteCentralName) centralDBConnectionString := "" if r.managedDBEnabled { + glog.V(2).Infof("[DEBUG] Getting Central DB connection string for %s/%s (managed DB enabled)", remoteCentralNamespace, remoteCentralName) centralDBConnectionString, err = r.managedDbReconciler.getCentralDBConnectionString(ctx, remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to get Central DB connection string for %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, fmt.Errorf("getting Central DB connection string: %w", err) } + glog.V(2).Infof("[DEBUG] Successfully obtained Central DB connection string for %s/%s", remoteCentralNamespace, remoteCentralName) + } else { + glog.V(3).Infof("[DEBUG] Managed DB not enabled for central %s/%s", remoteCentralNamespace, remoteCentralName) } + glog.V(2).Infof("[DEBUG] Ensuring ArgoCD application exists for central %s/%s", remoteCentralNamespace, remoteCentralName) if err := r.argoReconciler.ensureApplicationExists(ctx, remoteCentral, centralDBConnectionString); err != nil { + glog.Errorf("[DEBUG] Failed to ensure ArgoCD application for central %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, errors.Wrapf(err, "unable to install ArgoCD application for central %s/%s", remoteCentralNamespace, remoteCentralName) } + glog.V(2).Infof("[DEBUG] Successfully ensured ArgoCD application for central %s/%s", remoteCentralNamespace, remoteCentralName) + glog.V(2).Infof("[DEBUG] Reconciling declarative configuration data for central %s/%s", remoteCentralNamespace, remoteCentralName) if err = r.reconcileDeclarativeConfigurationData(ctx, remoteCentral); err != nil { + glog.Errorf("[DEBUG] Failed to reconcile declarative configuration data for central %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, err } + glog.V(2).Infof("[DEBUG] Successfully reconciled declarative configuration data for central %s/%s", remoteCentralNamespace, remoteCentralName) // Check whether deployment is ready. + glog.V(2).Infof("[DEBUG] Checking if Central deployment is ready for %s/%s", remoteCentralNamespace, remoteCentralName) centralDeploymentReady, err := isCentralDeploymentReady(ctx, r.client, remoteCentralNamespace) if err != nil { + glog.Errorf("[DEBUG] Failed to check Central deployment readiness for %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, err } + glog.V(2).Infof("[DEBUG] Central deployment ready status for %s/%s: %t", remoteCentralNamespace, remoteCentralName, centralDeploymentReady) + glog.V(2).Infof("[DEBUG] Ensuring TLS secret has owner reference for central %s/%s", remoteCentralNamespace, remoteCentralName) if err = r.ensureSecretHasOwnerReference(ctx, k8s.CentralTLSSecretName, remoteCentral); err != nil { + glog.Errorf("[DEBUG] Failed to ensure TLS secret owner reference for central %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, err } + glog.V(2).Infof("[DEBUG] Successfully ensured TLS secret owner reference for central %s/%s", remoteCentralNamespace, remoteCentralName) if !centralDeploymentReady { + glog.V(2).Infof("[DEBUG] Central deployment not ready for %s/%s", remoteCentralNamespace, remoteCentralName) if isRemoteCentralProvisioning(remoteCentral) && !needsReconcile { // no changes detected, wait until central become ready + glog.V(2).Infof("[DEBUG] Central %s/%s is provisioning and no changes detected, returning ErrCentralNotChanged", remoteCentralNamespace, remoteCentralName) return nil, ErrCentralNotChanged } + glog.V(2).Infof("[DEBUG] Central %s/%s deployment not ready, returning installing status", remoteCentralNamespace, remoteCentralName) return installingStatus(), nil } + glog.V(2).Infof("[DEBUG] Collecting reconciliation status for central %s/%s", remoteCentralNamespace, remoteCentralName) status, err := r.collectReconciliationStatus(ctx, &remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to collect reconciliation status for central %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, err } shouldUpdateCentralHash = true + glog.V(2).Infof("[DEBUG] Successfully collected reconciliation status for central %s/%s, updating central hash", remoteCentralNamespace, remoteCentralName) logStatus := *status logStatus.Secrets = obscureSecrets(status.Secrets) glog.Infof("Returning central status %+v", logStatus) + glog.V(2).Infof("[DEBUG] Completed reconcile for central %s/%s successfully", remoteCentralNamespace, remoteCentralName) return status, nil } func (r *CentralReconciler) restoreCentralSecrets(ctx context.Context, remoteCentral private.ManagedCentral) error { + glog.V(2).Infof("[DEBUG] Starting secret restoration for central %s/%s, stored secrets: %v", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, remoteCentral.Metadata.SecretsStored) restoreSecrets := []string{} for _, secretName := range remoteCentral.Metadata.SecretsStored { // pragma: allowlist secret + glog.V(3).Infof("[DEBUG] Checking if secret %s exists for central %s/%s", secretName, remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) exists, err := checkSecretExists(ctx, r.client, remoteCentral.Metadata.Namespace, secretName) if err != nil { + glog.Errorf("[DEBUG] Failed to check if secret %s exists for central %s/%s: %v", secretName, remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, err) return err } if !exists { + glog.V(2).Infof("[DEBUG] Secret %s does not exist for central %s/%s, adding to restore list", secretName, remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) restoreSecrets = append(restoreSecrets, secretName) + } else { + glog.V(3).Infof("[DEBUG] Secret %s already exists for central %s/%s", secretName, remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) } } if len(restoreSecrets) == 0 { - // nothing to restore + glog.V(2).Infof("[DEBUG] No secrets need restoration for central %s/%s", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) return nil } glog.Info(fmt.Sprintf("Restore secret for tenant: %s/%s", remoteCentral.Id, remoteCentral.Metadata.Namespace), restoreSecrets) + glog.V(2).Infof("[DEBUG] Fetching central data from fleet manager for secret restoration, central ID: %s", remoteCentral.Id) central, _, err := r.fleetmanagerClient.PrivateAPI().GetCentral(ctx, remoteCentral.Id) if err != nil { + glog.Errorf("[DEBUG] Failed to load secrets for central %s from fleet manager: %v", remoteCentral.Id, err) return fmt.Errorf("loading secrets for central %s: %w", remoteCentral.Id, err) } + glog.V(2).Infof("[DEBUG] Successfully fetched central data for secret restoration, central ID: %s", remoteCentral.Id) + glog.V(2).Infof("[DEBUG] Decrypting %d secrets for central %s", len(central.Metadata.Secrets), central.Id) decryptedSecrets, err := r.decryptSecrets(central.Metadata.Secrets) if err != nil { + glog.Errorf("[DEBUG] Failed to decrypt secrets for central %s: %v", central.Id, err) return fmt.Errorf("decrypting secrets for central %s: %w", central.Id, err) } + glog.V(2).Infof("[DEBUG] Successfully decrypted %d secrets for central %s", len(decryptedSecrets), central.Id) for _, secretName := range restoreSecrets { // pragma: allowlist secret + glog.V(2).Infof("[DEBUG] Restoring secret %s for central %s", secretName, central.Id) secretToRestore, secretFound := decryptedSecrets[secretName] if !secretFound { + glog.Errorf("[DEBUG] Secret %s not found in decrypted secret map for central %s", secretName, central.Id) return fmt.Errorf("finding secret %s in decrypted secret map", secretName) } if err := r.client.Create(ctx, secretToRestore); err != nil { + glog.Errorf("[DEBUG] Failed to recreate secret %s for central %s: %v", secretName, central.Id, err) return fmt.Errorf("recreating secret %s for central %s: %w", secretName, central.Id, err) } - + glog.V(2).Infof("[DEBUG] Successfully restored secret %s for central %s", secretName, central.Id) } + glog.V(2).Infof("[DEBUG] Completed secret restoration for central %s/%s, restored %d secrets", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, len(restoreSecrets)) return nil } @@ -307,13 +378,17 @@ func (r *CentralReconciler) reconcileInstanceDeletion(ctx context.Context, remot remoteCentralName := remoteCentral.Metadata.Name remoteCentralNamespace := remoteCentral.Metadata.Namespace + glog.V(2).Infof("[DEBUG] Starting instance deletion reconciliation for central %s/%s", remoteCentralNamespace, remoteCentralName) deleted, err := r.ensureCentralDeleted(ctx, remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to ensure central deleted for %s/%s: %v", remoteCentralNamespace, remoteCentralName, err) return nil, errors.Wrapf(err, "delete central %s/%s", remoteCentralNamespace, remoteCentralName) } if deleted { + glog.V(2).Infof("[DEBUG] Central %s/%s successfully deleted", remoteCentralNamespace, remoteCentralName) return deletedStatus(), nil } + glog.V(2).Infof("[DEBUG] Central %s/%s deletion still in progress", remoteCentralNamespace, remoteCentralName) return nil, ErrDeletionInProgress } @@ -481,33 +556,48 @@ func stringMapNeedsUpdating(desired, actual map[string]string) bool { } func (r *CentralReconciler) collectReconciliationStatus(ctx context.Context, remoteCentral *private.ManagedCentral) (*private.DataPlaneCentralStatus, error) { + glog.V(3).Infof("[DEBUG] Starting status collection for central %s/%s (status: %s, ready: %t)", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, remoteCentral.RequestStatus, isRemoteCentralReady(remoteCentral)) status := readyStatus() + // Do not report routes statuses if: // 1. Routes are not used on the cluster // 2. Central request is in status "Ready" - assuming that routes are already reported and saved if r.useRoutes && !isRemoteCentralReady(remoteCentral) { + glog.V(2).Infof("[DEBUG] Collecting routes statuses for central %s/%s (routes enabled: %t, central ready: %t)", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, r.useRoutes, isRemoteCentralReady(remoteCentral)) var err error status.Routes, err = r.getRoutesStatuses(ctx, remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to get routes statuses for central %s/%s: %v", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, err) return nil, err } + glog.V(2).Infof("[DEBUG] Successfully collected %d routes for central %s/%s", len(status.Routes), remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) + } else { + glog.V(3).Infof("[DEBUG] Skipping routes collection for central %s/%s (routes enabled: %t, central ready: %t)", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, r.useRoutes, isRemoteCentralReady(remoteCentral)) } // Only report secrets if Central is ready, to ensure we're not trying to get secrets before they are created. if isRemoteCentralReady(remoteCentral) { + glog.V(2).Infof("[DEBUG] Collecting secrets for central %s/%s (central is ready)", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) encSecrets, err := r.collectSecretsEncrypted(ctx, remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to collect encrypted secrets for central %s/%s: %v", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, err) return nil, err } // Only report secrets if data hash differs to make sure we don't produce huge amount of data // if no update is required on the fleet-manager DB if encSecrets.sha256Sum != remoteCentral.Metadata.SecretDataSha256Sum { // pragma: allowlist secret + glog.V(2).Infof("[DEBUG] Secret hash changed for central %s/%s, updating secrets in status (old hash: %s, new hash: %s)", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, remoteCentral.Metadata.SecretDataSha256Sum, encSecrets.sha256Sum) status.Secrets = encSecrets.secrets // pragma: allowlist secret status.SecretDataSha256Sum = encSecrets.sha256Sum // pragma: allowlist secret + } else { + glog.V(3).Infof("[DEBUG] Secret hash unchanged for central %s/%s, not updating secrets in status", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) } + } else { + glog.V(3).Infof("[DEBUG] Skipping secrets collection for central %s/%s (central not ready)", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) } + glog.V(3).Infof("[DEBUG] Status collection completed for central %s/%s", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) return status, nil } @@ -712,34 +802,49 @@ func getRouteStatus(ingress openshiftRouteV1.RouteIngress) private.DataPlaneCent } func (r *CentralReconciler) ensureCentralDeleted(ctx context.Context, remoteCentral private.ManagedCentral) (bool, error) { + glog.V(2).Infof("[DEBUG] Starting central deletion process for %s/%s", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) globalDeleted := true + glog.V(2).Infof("[DEBUG] Deleting K8s resources for central %s/%s", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) k8sResourcesDeleted, err := r.tenantCleanup.DeleteK8sResources(ctx, remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) if err != nil { + glog.Errorf("[DEBUG] Failed to delete K8s resources for central %s/%s: %v", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, err) return false, err } + glog.V(2).Infof("[DEBUG] K8s resources deleted status for central %s/%s: %t", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, k8sResourcesDeleted) globalDeleted = globalDeleted && k8sResourcesDeleted + glog.V(2).Infof("[DEBUG] Ensuring instance pods terminated for central %s/%s", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) podsTerminated, err := r.ensureInstancePodsTerminated(ctx, remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to ensure pods terminated for central %s/%s: %v", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, err) return false, err } + glog.V(2).Infof("[DEBUG] Pods terminated status for central %s/%s: %t", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, podsTerminated) globalDeleted = globalDeleted && podsTerminated if r.managedDBEnabled { + glog.V(2).Infof("[DEBUG] Ensuring managed DB deleted for central %s/%s", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) dbDeleted, err := r.managedDbReconciler.ensureDeleted(ctx, remoteCentral) if err != nil { + glog.Errorf("[DEBUG] Failed to ensure managed DB deleted for central %s/%s: %v", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, err) return false, err } + glog.V(2).Infof("[DEBUG] Managed DB deleted status for central %s/%s: %t", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, dbDeleted) globalDeleted = globalDeleted && dbDeleted + } else { + glog.V(3).Infof("[DEBUG] Managed DB not enabled for central %s/%s, skipping DB deletion", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) } + glog.V(2).Infof("[DEBUG] Central deletion process completed for %s/%s, global deleted status: %t", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, globalDeleted) return globalDeleted, nil } // centralChanged compares the given central to the last central reconciled using a hash func (r *CentralReconciler) centralChanged(currentHash [16]byte) bool { - return !bytes.Equal(r.lastCentralHash[:], currentHash[:]) + changed := !bytes.Equal(r.lastCentralHash[:], currentHash[:]) + glog.V(3).Infof("[DEBUG] Central hash comparison - current: %x, last: %x, changed: %t", currentHash, r.lastCentralHash, changed) + return changed } func (r *CentralReconciler) setLastCentralHash(currentHash [16]byte) { @@ -747,10 +852,13 @@ func (r *CentralReconciler) setLastCentralHash(currentHash [16]byte) { } func (r *CentralReconciler) computeCentralHash(central private.ManagedCentral) ([16]byte, error) { + glog.V(3).Infof("[DEBUG] Computing hash for central %s/%s", central.Metadata.Namespace, central.Metadata.Name) hash, err := util.MD5SumFromJSONStruct(¢ral) if err != nil { + glog.Errorf("[DEBUG] Failed to calculate MD5 hash for central %s/%s: %v", central.Metadata.Namespace, central.Metadata.Name, err) return [16]byte{}, fmt.Errorf("calculating MD5 from JSON: %w", err) } + glog.V(3).Infof("[DEBUG] Computed hash %x for central %s/%s", hash, central.Metadata.Namespace, central.Metadata.Name) return hash, nil } @@ -869,7 +977,10 @@ func generateDBPassword() (string, error) { func (r *CentralReconciler) ensureInstancePodsTerminated(ctx context.Context, remoteCentral private.ManagedCentral) (bool, error) { namespace := remoteCentral.Metadata.Namespace name := remoteCentral.Metadata.Name + glog.V(2).Infof("[DEBUG] Starting pod termination check for central %s/%s", namespace, name) + err := wait.PollUntilContextCancel(ctx, centralDeletePollInterval, true, func(ctx context.Context) (bool, error) { + glog.V(3).Infof("[DEBUG] Polling for pod termination in namespace %s for central %s", namespace, name) pods := &corev1.PodList{} labelKey := "app.kubernetes.io/part-of" labelValue := "stackrox-central-services" @@ -880,9 +991,12 @@ func (r *CentralReconciler) ensureInstancePodsTerminated(ctx context.Context, re ) if err != nil { + glog.Errorf("[DEBUG] Failed to list instance pods for central %s/%s: %v", namespace, name, err) return false, fmt.Errorf("listing instance pods: %w", err) } + glog.V(3).Infof("[DEBUG] Found %d pods with label %s=%s in namespace %s", len(pods.Items), labelKey, labelValue, namespace) + // Make sure that the returned pods are central service pods in the correct namespace var filteredPods []corev1.Pod for _, pod := range pods.Items { @@ -896,6 +1010,7 @@ func (r *CentralReconciler) ensureInstancePodsTerminated(ctx context.Context, re } if len(filteredPods) == 0 { + glog.V(2).Infof("[DEBUG] No central service pods found in namespace %s for central %s, termination complete", namespace, name) return true, nil } @@ -905,13 +1020,16 @@ func (r *CentralReconciler) ensureInstancePodsTerminated(ctx context.Context, re } glog.Infof("Waiting for pods to terminate: %s", podNames) + glog.V(2).Infof("[DEBUG] Still waiting for %d pods to terminate in namespace %s for central %s", len(filteredPods), namespace, name) return false, nil }) if err != nil { + glog.Errorf("[DEBUG] Failed while waiting for pods to terminate for central %s/%s: %v", namespace, name, err) return false, fmt.Errorf("waiting for pods to terminate: %w", err) } glog.Infof("All pods terminated for tenant %s in namespace %s.", name, namespace) + glog.V(2).Infof("[DEBUG] Pod termination completed successfully for central %s/%s", namespace, name) return true, nil } @@ -954,22 +1072,30 @@ func getNamespaceAnnotations(c private.ManagedCentral) map[string]string { } func (r *CentralReconciler) needsReconcile(changed bool, remoteCentral private.ManagedCentral, storedSecrets []string) bool { + glog.V(3).Infof("[DEBUG] Evaluating if reconcile needed for central %s/%s (changed: %t, stored secrets: %v)", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, changed, storedSecrets) + if !r.areSecretsStoredFunc(storedSecrets) { + glog.V(2).Infof("[DEBUG] Central %s/%s needs reconcile: secrets not properly stored", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) return true } if changed { + glog.V(2).Infof("[DEBUG] Central %s/%s needs reconcile: central configuration changed", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) return true } - if r.clock.Now().Sub(r.lastCentralHashTime) > time.Minute*15 { + timeSinceLastHash := r.clock.Now().Sub(r.lastCentralHashTime) + if timeSinceLastHash > time.Minute*15 { + glog.V(2).Infof("[DEBUG] Central %s/%s needs reconcile: time since last hash (%v) > 15 minutes", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name, timeSinceLastHash) return true } if force, ok := remoteCentral.Spec.TenantResourcesValues["forceReconcile"].(bool); ok && force { + glog.V(2).Infof("[DEBUG] Central %s/%s needs reconcile: forceReconcile flag set to true", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) return true } + glog.V(3).Infof("[DEBUG] Central %s/%s does not need reconcile", remoteCentral.Metadata.Namespace, remoteCentral.Metadata.Name) return false } diff --git a/go.mod b/go.mod index 5f27430943..5cc31266c4 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,6 @@ require ( github.com/aws/aws-sdk-go-v2/credentials v1.17.70 github.com/aws/aws-sdk-go-v2/service/kms v1.41.2 github.com/aws/aws-sdk-go-v2/service/rds v1.99.1 - github.com/aws/aws-sdk-go-v2/service/route53 v1.53.0 github.com/aws/aws-sdk-go-v2/service/ses v1.29.9 github.com/aws/smithy-go v1.22.4 github.com/bxcodec/faker/v3 v3.8.1 @@ -55,7 +54,6 @@ require ( github.com/spf13/pflag v1.0.6 github.com/stackrox/rox v0.0.0-20230323083409-e83503a98fb4 github.com/stretchr/testify v1.10.0 - github.com/zgalor/weberr v0.8.2 golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f golang.org/x/oauth2 v0.30.0 golang.org/x/sync v0.15.0 @@ -106,6 +104,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 // indirect github.com/aws/aws-sdk-go-v2/service/lambda v1.69.0 // indirect + github.com/aws/aws-sdk-go-v2/service/route53 v1.53.0 // indirect github.com/aws/aws-sdk-go-v2/service/s3 v1.69.0 // indirect github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.6 // indirect github.com/aws/aws-sdk-go-v2/service/sns v1.33.6 // indirect diff --git a/go.sum b/go.sum index 36eadcab1a..9ee285521a 100644 --- a/go.sum +++ b/go.sum @@ -881,8 +881,6 @@ github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M= github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= -github.com/zgalor/weberr v0.8.2 h1:rzGP0jQVt8hGSNnzjDAQNHMxNNrf3gUrYhpSgY76+mk= -github.com/zgalor/weberr v0.8.2/go.mod h1:cqK89mj84q3PRgqQXQFWJDzCorOd8xOtov/ulOnqDwc= github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE= github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE= github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is= diff --git a/internal/central/pkg/api/admin/private/api/openapi.yaml b/internal/central/pkg/api/admin/private/api/openapi.yaml index 11b2d59c4c..02f17f65f5 100644 --- a/internal/central/pkg/api/admin/private/api/openapi.yaml +++ b/internal/central/pkg/api/admin/private/api/openapi.yaml @@ -1091,8 +1091,6 @@ components: items: $ref: '#/components/schemas/Central_allOf_routes' type: array - routes_created: - type: boolean cluster_id: type: string namespace: diff --git a/internal/central/pkg/api/admin/private/model_central.go b/internal/central/pkg/api/admin/private/model_central.go index a5445e1db6..4b078182f0 100644 --- a/internal/central/pkg/api/admin/private/model_central.go +++ b/internal/central/pkg/api/admin/private/model_central.go @@ -40,7 +40,6 @@ type Central struct { InstanceType string `json:"instance_type,omitempty"` QuotaType string `json:"quota_type,omitempty"` Routes []CentralAllOfRoutes `json:"routes,omitempty"` - RoutesCreated bool `json:"routes_created,omitempty"` ClusterId string `json:"cluster_id,omitempty"` Namespace string `json:"namespace,omitempty"` Traits []string `json:"traits,omitempty"` diff --git a/internal/central/pkg/api/dbapi/central_request_types.go b/internal/central/pkg/api/dbapi/central_request_types.go index e044866f10..b40cffbc22 100644 --- a/internal/central/pkg/api/dbapi/central_request_types.go +++ b/internal/central/pkg/api/dbapi/central_request_types.go @@ -68,8 +68,6 @@ type CentralRequest struct { QuotaType string `json:"quota_type"` // Routes routes mapping for the central instance. It is an array and each item in the array contains a domain value and the corresponding route url. Routes api.JSON `json:"routes"` - // RoutesCreated if the routes mapping have been created in the DNS provider like Route53. Use a separate field to make it easier to query. - RoutesCreated bool `json:"routes_created"` // Namespace is the namespace of the provisioned central instance. // We store this in the database to ensure that old centrals whose namespace contained "owner-" information will continue to work. @@ -79,8 +77,7 @@ type CentralRequest struct { // It used used for equality checks of secrets in the dataplane cluster with the secrets stored in DB SecretDataSha256Sum string `json:"secret_data_sha256_sum"` - Namespace string `json:"namespace"` - RoutesCreationID string `json:"routes_creation_id"` + Namespace string `json:"namespace"` // DeletionTimestamp stores the timestamp of the DELETE api call for the resource. DeletionTimestamp sql.NullTime `json:"deletionTimestamp"` diff --git a/internal/central/pkg/config/aws.go b/internal/central/pkg/config/aws.go index 9369fd80e5..b9e6df1b95 100644 --- a/internal/central/pkg/config/aws.go +++ b/internal/central/pkg/config/aws.go @@ -17,22 +17,14 @@ type AWSConfig struct { AccessKeyFile string `json:"access_key_file"` SecretAccessKey string `json:"secret_access_key"` SecretAccessKeyFile string `json:"secret_access_key_file"` - - // Used for domain modifications in Route 53 - Route53AccessKey string `json:"route53_access_key"` - Route53AccessKeyFile string `json:"route53_access_key_file"` - Route53SecretAccessKey string `json:"route53_secret_access_key"` - Route53SecretAccessKeyFile string `json:"route53_secret_access_key_file"` } // NewAWSConfig ... func NewAWSConfig() *AWSConfig { return &AWSConfig{ - AccountIDFile: "secrets/aws.accountid", - AccessKeyFile: "secrets/aws.accesskey", - SecretAccessKeyFile: "secrets/aws.secretaccesskey", // pragma: allowlist secret - Route53AccessKeyFile: "secrets/aws.route53accesskey", - Route53SecretAccessKeyFile: "secrets/aws.route53secretaccesskey", // pragma: allowlist secret + AccountIDFile: "secrets/aws.accountid", + AccessKeyFile: "secrets/aws.accesskey", + SecretAccessKeyFile: "secrets/aws.secretaccesskey", // pragma: allowlist secret } } @@ -41,8 +33,6 @@ func (c *AWSConfig) AddFlags(fs *pflag.FlagSet) { fs.StringVar(&c.AccountIDFile, "aws-account-id-file", c.AccountIDFile, "File containing AWS account id") fs.StringVar(&c.AccessKeyFile, "aws-access-key-file", c.AccessKeyFile, "File containing AWS access key") fs.StringVar(&c.SecretAccessKeyFile, "aws-secret-access-key-file", c.SecretAccessKeyFile, "File containing AWS secret access key") - fs.StringVar(&c.Route53AccessKeyFile, "aws-route53-access-key-file", c.Route53AccessKeyFile, "File containing AWS access key for route53") - fs.StringVar(&c.Route53SecretAccessKeyFile, "aws-route53-secret-access-key-file", c.Route53SecretAccessKeyFile, "File containing AWS secret access key for route53") } // ReadFiles ... @@ -59,13 +49,5 @@ func (c *AWSConfig) ReadFiles() error { if err != nil { return fmt.Errorf("reading secret access key file: %w", err) } - err = shared.ReadFileValueString(c.Route53AccessKeyFile, &c.Route53AccessKey) - if err != nil { - return fmt.Errorf("reading route 53 access key file: %w", err) - } - err = shared.ReadFileValueString(c.Route53SecretAccessKeyFile, &c.Route53SecretAccessKey) - if err != nil { - return fmt.Errorf("reading route 53 secret access key file: %w", err) - } return nil } diff --git a/internal/central/pkg/config/central.go b/internal/central/pkg/config/central.go index b3128150b8..09c7b9b3ac 100644 --- a/internal/central/pkg/config/central.go +++ b/internal/central/pkg/config/central.go @@ -10,8 +10,7 @@ import ( // CentralConfig ... type CentralConfig struct { - EnableCentralExternalDomain bool `json:"enable_central_external_domain"` - CentralDomainName string `json:"central_domain_name"` + CentralDomainName string `json:"central_domain_name"` CentralLifespan *CentralLifespanConfig `json:"central_lifespan"` Quota *CentralQuotaConfig `json:"central_quota"` @@ -29,19 +28,17 @@ type CentralConfig struct { // NewCentralConfig ... func NewCentralConfig() *CentralConfig { return &CentralConfig{ - EnableCentralExternalDomain: false, - CentralDomainName: "rhacs-dev.com", - CentralLifespan: NewCentralLifespanConfig(), - Quota: NewCentralQuotaConfig(), - CentralIDPClientSecretFile: "secrets/central.idp-client-secret", //pragma: allowlist secret - CentralIDPIssuer: "https://sso.redhat.com/auth/realms/redhat-external", - CentralRetentionPeriodDays: 7, + CentralDomainName: "rhacs-dev.com", + CentralLifespan: NewCentralLifespanConfig(), + Quota: NewCentralQuotaConfig(), + CentralIDPClientSecretFile: "secrets/central.idp-client-secret", //pragma: allowlist secret + CentralIDPIssuer: "https://sso.redhat.com/auth/realms/redhat-external", + CentralRetentionPeriodDays: 7, } } // AddFlags ... func (c *CentralConfig) AddFlags(fs *pflag.FlagSet) { - fs.BoolVar(&c.EnableCentralExternalDomain, "enable-central-external-domain", c.EnableCentralExternalDomain, "Enable custom domain for Central TLS") fs.BoolVar(&c.CentralLifespan.EnableDeletionOfExpiredCentral, "enable-deletion-of-expired-central", c.CentralLifespan.EnableDeletionOfExpiredCentral, "Enable the deletion of centrals when its life span has expired") fs.IntVar(&c.CentralLifespan.CentralLifespanInHours, "central-lifespan", c.CentralLifespan.CentralLifespanInHours, "The desired lifespan of a Central instance") fs.StringVar(&c.CentralDomainName, "central-domain-name", c.CentralDomainName, "The domain name to use for Central instances") diff --git a/internal/central/pkg/environments/development.go b/internal/central/pkg/environments/development.go index db4cd1b2f0..161d887015 100644 --- a/internal/central/pkg/environments/development.go +++ b/internal/central/pkg/environments/development.go @@ -18,7 +18,6 @@ func NewDevelopmentEnvLoader() environments.EnvLoader { "enable-sentry": "false", "enable-deny-list": "true", "enable-instance-limit-control": "false", - "enable-central-external-domain": "false", "cluster-compute-machine-type": "m5.2xlarge", "allow-evaluator-instance": "true", "quota-type": "quota-management-list", diff --git a/internal/central/pkg/environments/integration.go b/internal/central/pkg/environments/integration.go index b33cf668f0..6dde9fcfaa 100644 --- a/internal/central/pkg/environments/integration.go +++ b/internal/central/pkg/environments/integration.go @@ -36,7 +36,6 @@ func (b IntegrationEnvLoader) Defaults() map[string]string { "enable-deny-list": "true", "enable-instance-limit-control": "true", "max-allowed-instances": "1", - "enable-central-external-domain": "false", "cluster-compute-machine-type": "m5.xlarge", "allow-evaluator-instance": "true", "quota-type": "quota-management-list", diff --git a/internal/central/pkg/environments/production.go b/internal/central/pkg/environments/production.go index bdb737addf..68cd443bc2 100644 --- a/internal/central/pkg/environments/production.go +++ b/internal/central/pkg/environments/production.go @@ -5,15 +5,14 @@ import "github.com/stackrox/acs-fleet-manager/pkg/environments" // NewProductionEnvLoader ... func NewProductionEnvLoader() environments.EnvLoader { return environments.SimpleEnvLoader{ - "ocm-base-url": "https://api.openshift.com", - "ams-base-url": "https://api.openshift.com", - "v": "1", - "ocm-debug": "false", - "enable-ocm-mock": "false", - "enable-sentry": "true", - "enable-deny-list": "true", - "max-allowed-instances": "1", - "enable-central-external-domain": "true", - "cluster-compute-machine-type": "m5.2xlarge", + "ocm-base-url": "https://api.openshift.com", + "ams-base-url": "https://api.openshift.com", + "v": "1", + "ocm-debug": "false", + "enable-ocm-mock": "false", + "enable-sentry": "true", + "enable-deny-list": "true", + "max-allowed-instances": "1", + "cluster-compute-machine-type": "m5.2xlarge", } } diff --git a/internal/central/pkg/environments/stage.go b/internal/central/pkg/environments/stage.go index 0353a21c4c..7b35c1c7ae 100644 --- a/internal/central/pkg/environments/stage.go +++ b/internal/central/pkg/environments/stage.go @@ -5,17 +5,16 @@ import "github.com/stackrox/acs-fleet-manager/pkg/environments" // NewStageEnvLoader ... func NewStageEnvLoader() environments.EnvLoader { return environments.SimpleEnvLoader{ - "ocm-base-url": "https://api.stage.openshift.com", - "ams-base-url": "https://api.stage.openshift.com", - "enable-ocm-mock": "false", - "enable-deny-list": "true", - "max-allowed-instances": "1", - "enable-central-external-domain": "true", - "cluster-compute-machine-type": "m5.2xlarge", - "enable-additional-sso-issuers": "true", - "additional-sso-issuers-file": "config/additional-sso-issuers.yaml", - "jwks-file": "config/jwks-file-static.json", - "fleetshard-authz-config-file": "config/fleetshard-authz-development.yaml", - "admin-authz-config-file": "config/admin-authz-roles-dev.yaml", + "ocm-base-url": "https://api.stage.openshift.com", + "ams-base-url": "https://api.stage.openshift.com", + "enable-ocm-mock": "false", + "enable-deny-list": "true", + "max-allowed-instances": "1", + "cluster-compute-machine-type": "m5.2xlarge", + "enable-additional-sso-issuers": "true", + "additional-sso-issuers-file": "config/additional-sso-issuers.yaml", + "jwks-file": "config/jwks-file-static.json", + "fleetshard-authz-config-file": "config/fleetshard-authz-development.yaml", + "admin-authz-config-file": "config/admin-authz-roles-dev.yaml", } } diff --git a/internal/central/pkg/externaldns/externaldns.go b/internal/central/pkg/externaldns/externaldns.go deleted file mode 100644 index 78ad2131d0..0000000000 --- a/internal/central/pkg/externaldns/externaldns.go +++ /dev/null @@ -1,9 +0,0 @@ -package externaldns - -import "github.com/stackrox/acs-fleet-manager/internal/central/pkg/api/private" - -// IsEnabled checks if the external DNS feature is enabled for the given managed central. -func IsEnabled(managedCentral private.ManagedCentral) bool { - isEnabled, ok := managedCentral.Spec.TenantResourcesValues["externalDnsEnabled"].(bool) - return ok && isEnabled -} diff --git a/internal/central/pkg/migrations/20250826000000_remove_routes_creation_id_from_central_request.go b/internal/central/pkg/migrations/20250826000000_remove_routes_creation_id_from_central_request.go new file mode 100644 index 0000000000..4770c95c44 --- /dev/null +++ b/internal/central/pkg/migrations/20250826000000_remove_routes_creation_id_from_central_request.go @@ -0,0 +1,33 @@ +package migrations + +import ( + "github.com/go-gormigrate/gormigrate/v2" + "github.com/stackrox/acs-fleet-manager/internal/central/pkg/api/dbapi" + "gorm.io/gorm" +) + +func removeRoutesCreationIDFromCentralRequest() *gormigrate.Migration { + type CentralRequest struct { + RoutesCreationID string `json:"routes_creation_id"` + RoutesCreated bool `json:"routes_created"` + } + + return &gormigrate.Migration{ + ID: "20250826000000", + Migrate: func(tx *gorm.DB) error { + // Remove routes_creation_id and routes_created columns from central_requests table + // since Route53 record management has been moved to external DNS + if err := dropIfColumnExists(tx, &dbapi.CentralRequest{}, "routes_creation_id"); err != nil { + return err + } + return dropIfColumnExists(tx, &dbapi.CentralRequest{}, "routes_created") + }, + Rollback: func(tx *gorm.DB) error { + // Re-add the columns on rollback + if err := addColumnIfNotExists(tx, &CentralRequest{}, "routes_creation_id"); err != nil { + return err + } + return addColumnIfNotExists(tx, &CentralRequest{}, "routes_created") + }, + } +} diff --git a/internal/central/pkg/migrations/migrations.go b/internal/central/pkg/migrations/migrations.go index 614e4fac1c..6034c6c45d 100644 --- a/internal/central/pkg/migrations/migrations.go +++ b/internal/central/pkg/migrations/migrations.go @@ -57,6 +57,7 @@ func getMigrations() []*gormigrate.Migration { addSecretDataSha256SumToCentralRequest(), addEnteredProvisioningAtToCentralRequest(), renameLeaderLeaseTypes(), + removeRoutesCreationIDFromCentralRequest(), } } diff --git a/internal/central/pkg/presenters/central.go b/internal/central/pkg/presenters/central.go index 31f0bbbf19..2f4fe09ee0 100644 --- a/internal/central/pkg/presenters/central.go +++ b/internal/central/pkg/presenters/central.go @@ -13,7 +13,7 @@ const ( // PresentCentralRequest - create CentralRequest in an appropriate format ready to be returned by the API func PresentCentralRequest(request *dbapi.CentralRequest) public.CentralRequest { - outputRequest := public.CentralRequest{ + return public.CentralRequest{ Id: request.ID, Kind: "CentralRequest", Href: fmt.Sprintf("/api/rhacs/v1/centrals/%s", request.ID), @@ -28,16 +28,7 @@ func PresentCentralRequest(request *dbapi.CentralRequest) public.CentralRequest UpdatedAt: request.UpdatedAt, FailedReason: request.FailedReason, InstanceType: request.InstanceType, + CentralUIURL: fmt.Sprintf("https://%s", request.GetUIHost()), + CentralDataURL: fmt.Sprintf("%s:%d", request.GetDataHost(), sensorDataPort), } - - if request.RoutesCreated { - if request.GetUIHost() != "" { - outputRequest.CentralUIURL = fmt.Sprintf("https://%s", request.GetUIHost()) - } - if request.GetDataHost() != "" { - outputRequest.CentralDataURL = fmt.Sprintf("%s:%d", request.GetDataHost(), sensorDataPort) - } - } - - return outputRequest } diff --git a/internal/central/pkg/services/central.go b/internal/central/pkg/services/central.go index ea5be03743..c59a78e5fa 100644 --- a/internal/central/pkg/services/central.go +++ b/internal/central/pkg/services/central.go @@ -9,14 +9,11 @@ import ( "sync" "time" - "github.com/aws/aws-sdk-go-v2/service/route53" - route53Types "github.com/aws/aws-sdk-go-v2/service/route53/types" "github.com/golang/glog" "github.com/stackrox/acs-fleet-manager/internal/central/constants" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/api/dbapi" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/centrals/types" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/config" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/externaldns" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/presenters" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/rhsso" "github.com/stackrox/acs-fleet-manager/pkg/api" @@ -49,23 +46,8 @@ var ( } ) -// CentralRoutesAction ... -type CentralRoutesAction string - -// CentralRoutesActionUpsert ... -const CentralRoutesActionUpsert CentralRoutesAction = "UPSERT" - -// CentralRoutesActionDelete ... -const CentralRoutesActionDelete CentralRoutesAction = "DELETE" - const gracePeriod = 14 * 24 * time.Hour -// CNameRecordStatus ... -type CNameRecordStatus struct { - ID *string - Status *string -} - // CentralService ... // //go:generate moq -out centralservice_moq.go . CentralService @@ -100,8 +82,6 @@ type CentralService interface { // Use this only when you want to update the multiple columns that may contain zero-fields, otherwise use the `CentralService.Update()` method. // See https://gorm.io/docs/update.html#Updates-multiple-columns for more info Updates(centralRequest *dbapi.CentralRequest, values map[string]interface{}) *errors.ServiceError - ChangeCentralCNAMErecords(centralRequest *dbapi.CentralRequest, action CentralRoutesAction) (*route53.ChangeResourceRecordSetsOutput, *errors.ServiceError) - GetCNAMERecordStatus(centralRequest *dbapi.CentralRequest) (*CNameRecordStatus, error) DetectInstanceType(centralRequest *dbapi.CentralRequest) types.CentralInstanceType RegisterCentralDeprovisionJob(ctx context.Context, centralRequest *dbapi.CentralRequest) *errors.ServiceError // DeprovisionCentralForUsers registers all centrals for deprovisioning given the list of owners @@ -109,7 +89,6 @@ type CentralService interface { DeprovisionExpiredCentrals() *errors.ServiceError CountByStatus(status []constants.CentralStatus) ([]CentralStatusCount, error) CountByRegionAndInstanceType() ([]CentralRegionCount, error) - ListCentralsWithRoutesNotCreated() ([]*dbapi.CentralRequest, *errors.ServiceError) ListCentralsWithoutAuthConfig() ([]*dbapi.CentralRequest, *errors.ServiceError) VerifyAndUpdateCentralAdmin(ctx context.Context, centralRequest *dbapi.CentralRequest) *errors.ServiceError Restore(ctx context.Context, id string) *errors.ServiceError @@ -338,16 +317,11 @@ func (k *centralService) AcceptCentralRequest(centralRequest *dbapi.CentralReque centralRequest.Namespace = namespace // Set host. - if k.centralConfig.EnableCentralExternalDomain { - // the host should use the external domain name rather than the cluster domain - centralRequest.Host = k.centralConfig.CentralDomainName - } else { - clusterDNS, err := k.clusterService.GetClusterDNS(centralRequest.ClusterID) - if err != nil { - return errors.NewWithCause(errors.ErrorGeneral, err, "error retrieving cluster DNS") - } - centralRequest.Host = clusterDNS + clusterDNS, err := k.clusterService.GetClusterDNS(centralRequest.ClusterID) + if err != nil { + return errors.NewWithCause(errors.ErrorGeneral, err, "error retrieving cluster DNS") } + centralRequest.Host = clusterDNS // UpdateIgnoreNils the fields of the CentralRequest record in the database. updatedCentralRequest := &dbapi.CentralRequest{ @@ -594,31 +568,6 @@ func (k *centralService) DeprovisionExpiredCentrals() *errors.ServiceError { func (k *centralService) Delete(centralRequest *dbapi.CentralRequest, force bool) *errors.ServiceError { dbConn := k.connectionFactory.New() - // if the we don't have the clusterID we can only delete the row from the database - if centralRequest.ClusterID != "" { - routes, err := centralRequest.GetRoutes() - if err != nil { - return errors.NewWithCause(errors.ErrorGeneral, err, "failed to get routes") - } - managedCentral, err := k.managedCentralPresenter.PresentManagedCentral(centralRequest) - if err != nil { - return errors.NewWithCause(errors.ErrorGeneral, err, "failed to present managed central") - } - // Only delete the routes when they are set - if routes != nil && k.centralConfig.EnableCentralExternalDomain && !externaldns.IsEnabled(managedCentral) { - _, err := k.ChangeCentralCNAMErecords(centralRequest, CentralRoutesActionDelete) - if err != nil { - if force { - glog.Warningf("Failed to delete CNAME records for Central tenant %q: %v", centralRequest.ID, err) - glog.Warning("Continuing with deletion of Central tenant because force-deletion is specified") - } else { - return err - } - } - glog.Infof("Successfully deleted CNAME records for Central tenant %q", centralRequest.ID) - } - } - logStateChange("delete request", centralRequest.ID, nil) // soft delete the central request if err := dbConn.Delete(centralRequest).Error; err != nil { @@ -786,57 +735,6 @@ func (k *centralService) UpdateStatus(id string, status constants.CentralStatus) return true, nil } -// ChangeCentralCNAMErecords ... -func (k *centralService) ChangeCentralCNAMErecords(centralRequest *dbapi.CentralRequest, action CentralRoutesAction) (*route53.ChangeResourceRecordSetsOutput, *errors.ServiceError) { - routes, err := centralRequest.GetRoutes() - if routes == nil || err != nil { - return nil, errors.NewWithCause(errors.ErrorGeneral, err, "failed to get routes") - } - - changeAction, err := CentralRoutesActionToRoute53ChangeAction(action) - domainRecordBatch := buildCentralClusterCNAMESRecordBatch(routes, changeAction) - - // Create AWS client with the region of this Central Cluster - awsConfig := aws.Config{ - AccessKeyID: k.awsConfig.Route53AccessKey, - SecretAccessKey: k.awsConfig.Route53SecretAccessKey, // pragma: allowlist secret - } - awsClient, err := k.awsClientFactory.NewClient(awsConfig, centralRequest.Region) - if err != nil { - return nil, errors.NewWithCause(errors.ErrorGeneral, err, "Unable to create aws client") - } - - changeRecordsOutput, err := awsClient.ChangeResourceRecordSets(k.centralConfig.CentralDomainName, domainRecordBatch) - if err != nil { - return nil, errors.NewWithCause(errors.ErrorGeneral, err, "Unable to create domain record sets") - } - - return changeRecordsOutput, nil -} - -// GetCNAMERecordStatus ... -func (k *centralService) GetCNAMERecordStatus(centralRequest *dbapi.CentralRequest) (*CNameRecordStatus, error) { - awsConfig := aws.Config{ - AccessKeyID: k.awsConfig.Route53AccessKey, - SecretAccessKey: k.awsConfig.Route53SecretAccessKey, // pragma: allowlist secret - } - awsClient, err := k.awsClientFactory.NewClient(awsConfig, centralRequest.Region) - if err != nil { - return nil, errors.NewWithCause(errors.ErrorGeneral, err, "Unable to create aws client") - } - - changeOutput, err := awsClient.GetChange(centralRequest.RoutesCreationID) - if err != nil { - return nil, errors.NewWithCause(errors.ErrorGeneral, err, "Unable to CNAME record status") - } - - status := string(changeOutput.ChangeInfo.Status) - return &CNameRecordStatus{ - ID: changeOutput.ChangeInfo.Id, - Status: &status, - }, nil -} - func (k *centralService) Restore(ctx context.Context, id string) *errors.ServiceError { dbConn := k.connectionFactory.New() var centralRequest dbapi.CentralRequest @@ -857,8 +755,6 @@ func (k *centralService) Restore(ctx context.Context, id string) *errors.Service columnsToReset := []string{ "Routes", "Status", - "RoutesCreated", - "RoutesCreationID", "DeletedAt", "DeletionTimestamp", "ClientID", @@ -913,19 +809,15 @@ func (k *centralService) AssignCluster(ctx context.Context, centralID string, cl } central.ClusterID = clusterID - central.RoutesCreated = false central.Routes = nil - central.RoutesCreationID = "" central.Status = constants.CentralRequestStatusProvisioning.String() now := time.Now() central.EnteredProvisioningAt = dbapi.TimePtrToNullTime(&now) return k.Updates(central, map[string]interface{}{ "cluster_id": central.ClusterID, - "routes_created": central.RoutesCreated, "routes": central.Routes, "status": central.Status, - "routes_creation_id": central.RoutesCreationID, "entered_provisioning_at": central.EnteredProvisioningAt, }) } @@ -981,16 +873,6 @@ func (k *centralService) CountByStatus(status []constants.CentralStatus) ([]Cent return results, nil } -// ListCentralsWithRoutesNotCreated ... -func (k *centralService) ListCentralsWithRoutesNotCreated() ([]*dbapi.CentralRequest, *errors.ServiceError) { - dbConn := k.connectionFactory.New() - var results []*dbapi.CentralRequest - if err := dbConn.Where("routes IS NOT NULL").Where("routes_created = ?", "no").Find(&results).Error; err != nil { - return nil, errors.NewWithCause(errors.ErrorGeneral, err, "failed to list central requests") - } - return results, nil -} - // ListCentralsWithoutAuthConfig returns all _relevant_ central requests with // no auth config. For central requests without host set, we cannot compute // redirect_uri and hence cannot set up auth config. @@ -1017,39 +899,6 @@ func (k *centralService) ListCentralsWithoutAuthConfig() ([]*dbapi.CentralReques return filteredResults, nil } -func buildCentralClusterCNAMESRecordBatch(routes []dbapi.DataPlaneCentralRoute, action route53Types.ChangeAction) *route53Types.ChangeBatch { - var changes []route53Types.Change - for _, r := range routes { - c := buildResourceRecordChange(r.Domain, r.Router, action) - changes = append(changes, c) - } - recordChangeBatch := &route53Types.ChangeBatch{ - Changes: changes, - } - - return recordChangeBatch -} - -func buildResourceRecordChange(recordName string, clusterIngress string, action route53Types.ChangeAction) route53Types.Change { - recordTTL := int64(300) - - resourceRecordChange := route53Types.Change{ - Action: action, - ResourceRecordSet: &route53Types.ResourceRecordSet{ - Name: &recordName, - Type: route53Types.RRTypeCname, - TTL: &recordTTL, - ResourceRecords: []route53Types.ResourceRecord{ - { - Value: &clusterIngress, - }, - }, - }, - } - - return resourceRecordChange -} - func logStateChange(msg, id string, req *dbapi.CentralRequest) { if req != nil { glog.Infof("instance state change: id=%q: message=%s: request=%+v", id, msg, convertCentralRequestToString(req)) @@ -1084,9 +933,7 @@ func convertCentralRequestToString(req *dbapi.CentralRequest) string { "placement_id": req.PlacementID, "instance_type": req.InstanceType, "qouta_type": req.QuotaType, - "routes_created": req.RoutesCreated, "namespace": req.Namespace, - "routes_creation_id": req.RoutesCreationID, "deletion_timestamp": req.DeletionTimestamp, "internal": req.Internal, "expired_at": req.ExpiredAt, @@ -1172,14 +1019,3 @@ func (k *centralService) ChangeSubscription(ctx context.Context, centralID strin glog.Infof("Central %q cloud account parameters have been changed to %q with id %q", centralID, cloudProvider, cloudAccountID) return nil } - -// CentralRoutesActionToRoute53ChangeAction converts a CentralRoutesAction to a route53 types ChangeAction -func CentralRoutesActionToRoute53ChangeAction(a CentralRoutesAction) (route53Types.ChangeAction, error) { - changeAction := route53Types.ChangeAction(a) - switch changeAction { - case route53Types.ChangeActionCreate, route53Types.ChangeActionUpsert, route53Types.ChangeAction(CentralRoutesActionDelete): - return changeAction, nil - default: - return "", fmt.Errorf("invalid CentralChangeAction: %q, cannot convert to Route53 action", changeAction) - } -} diff --git a/internal/central/pkg/services/central_test.go b/internal/central/pkg/services/central_test.go index a484c5f818..43578e32ca 100644 --- a/internal/central/pkg/services/central_test.go +++ b/internal/central/pkg/services/central_test.go @@ -235,9 +235,9 @@ func Test_centralService_RestoreExpiredCentrals(t *testing.T) { expiredChecked := false updateQuery := m1.WithQuery(`UPDATE`).WithCallback( func(s string, nv []driver.NamedValue) { - expiredAt, _ := (nv[11].Value).(*time.Time) + expiredAt, _ := (nv[10].Value).(*time.Time) assert.Nil(t, expiredAt) - assert.Equal(t, "test-id", nv[13].Value) + assert.Equal(t, "test-id", nv[11].Value) expiredChecked = true }) svcErr := centralService.Restore(context.Background(), "test-id") diff --git a/internal/central/pkg/services/centralservice_moq.go b/internal/central/pkg/services/centralservice_moq.go index c1321f5f21..eb6522ff90 100644 --- a/internal/central/pkg/services/centralservice_moq.go +++ b/internal/central/pkg/services/centralservice_moq.go @@ -5,7 +5,6 @@ package services import ( "context" - "github.com/aws/aws-sdk-go-v2/service/route53" "github.com/stackrox/acs-fleet-manager/internal/central/constants" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/api/dbapi" "github.com/stackrox/acs-fleet-manager/internal/central/pkg/centrals/types" @@ -34,9 +33,6 @@ var _ CentralService = &CentralServiceMock{} // ChangeBillingParametersFunc: func(ctx context.Context, centralID string, billingModel string, cloudAccountID string, cloudProvider string, product string) *serviceError.ServiceError { // panic("mock out the ChangeBillingParameters method") // }, -// ChangeCentralCNAMErecordsFunc: func(centralRequest *dbapi.CentralRequest, action CentralRoutesAction) (*route53.ChangeResourceRecordSetsOutput, *serviceError.ServiceError) { -// panic("mock out the ChangeCentralCNAMErecords method") -// }, // ChangeSubscriptionFunc: func(ctx context.Context, centralID string, cloudAccountID string, cloudProvider string, subscriptionID string) *serviceError.ServiceError { // panic("mock out the ChangeSubscription method") // }, @@ -64,9 +60,6 @@ var _ CentralService = &CentralServiceMock{} // GetByIDFunc: func(id string) (*dbapi.CentralRequest, *serviceError.ServiceError) { // panic("mock out the GetByID method") // }, -// GetCNAMERecordStatusFunc: func(centralRequest *dbapi.CentralRequest) (*CNameRecordStatus, error) { -// panic("mock out the GetCNAMERecordStatus method") -// }, // HasAvailableCapacityInRegionFunc: func(centralRequest *dbapi.CentralRequest) (bool, *serviceError.ServiceError) { // panic("mock out the HasAvailableCapacityInRegion method") // }, @@ -76,9 +69,6 @@ var _ CentralService = &CentralServiceMock{} // ListByStatusFunc: func(status ...constants.CentralStatus) ([]*dbapi.CentralRequest, *serviceError.ServiceError) { // panic("mock out the ListByStatus method") // }, -// ListCentralsWithRoutesNotCreatedFunc: func() ([]*dbapi.CentralRequest, *serviceError.ServiceError) { -// panic("mock out the ListCentralsWithRoutesNotCreated method") -// }, // ListCentralsWithoutAuthConfigFunc: func() ([]*dbapi.CentralRequest, *serviceError.ServiceError) { // panic("mock out the ListCentralsWithoutAuthConfig method") // }, @@ -128,9 +118,6 @@ type CentralServiceMock struct { // ChangeBillingParametersFunc mocks the ChangeBillingParameters method. ChangeBillingParametersFunc func(ctx context.Context, centralID string, billingModel string, cloudAccountID string, cloudProvider string, product string) *serviceError.ServiceError - // ChangeCentralCNAMErecordsFunc mocks the ChangeCentralCNAMErecords method. - ChangeCentralCNAMErecordsFunc func(centralRequest *dbapi.CentralRequest, action CentralRoutesAction) (*route53.ChangeResourceRecordSetsOutput, *serviceError.ServiceError) - // ChangeSubscriptionFunc mocks the ChangeSubscription method. ChangeSubscriptionFunc func(ctx context.Context, centralID string, cloudAccountID string, cloudProvider string, subscriptionID string) *serviceError.ServiceError @@ -158,9 +145,6 @@ type CentralServiceMock struct { // GetByIDFunc mocks the GetByID method. GetByIDFunc func(id string) (*dbapi.CentralRequest, *serviceError.ServiceError) - // GetCNAMERecordStatusFunc mocks the GetCNAMERecordStatus method. - GetCNAMERecordStatusFunc func(centralRequest *dbapi.CentralRequest) (*CNameRecordStatus, error) - // HasAvailableCapacityInRegionFunc mocks the HasAvailableCapacityInRegion method. HasAvailableCapacityInRegionFunc func(centralRequest *dbapi.CentralRequest) (bool, *serviceError.ServiceError) @@ -170,9 +154,6 @@ type CentralServiceMock struct { // ListByStatusFunc mocks the ListByStatus method. ListByStatusFunc func(status ...constants.CentralStatus) ([]*dbapi.CentralRequest, *serviceError.ServiceError) - // ListCentralsWithRoutesNotCreatedFunc mocks the ListCentralsWithRoutesNotCreated method. - ListCentralsWithRoutesNotCreatedFunc func() ([]*dbapi.CentralRequest, *serviceError.ServiceError) - // ListCentralsWithoutAuthConfigFunc mocks the ListCentralsWithoutAuthConfig method. ListCentralsWithoutAuthConfigFunc func() ([]*dbapi.CentralRequest, *serviceError.ServiceError) @@ -237,13 +218,6 @@ type CentralServiceMock struct { // Product is the product argument value. Product string } - // ChangeCentralCNAMErecords holds details about calls to the ChangeCentralCNAMErecords method. - ChangeCentralCNAMErecords []struct { - // CentralRequest is the centralRequest argument value. - CentralRequest *dbapi.CentralRequest - // Action is the action argument value. - Action CentralRoutesAction - } // ChangeSubscription holds details about calls to the ChangeSubscription method. ChangeSubscription []struct { // Ctx is the ctx argument value. @@ -297,11 +271,6 @@ type CentralServiceMock struct { // ID is the id argument value. ID string } - // GetCNAMERecordStatus holds details about calls to the GetCNAMERecordStatus method. - GetCNAMERecordStatus []struct { - // CentralRequest is the centralRequest argument value. - CentralRequest *dbapi.CentralRequest - } // HasAvailableCapacityInRegion holds details about calls to the HasAvailableCapacityInRegion method. HasAvailableCapacityInRegion []struct { // CentralRequest is the centralRequest argument value. @@ -319,9 +288,6 @@ type CentralServiceMock struct { // Status is the status argument value. Status []constants.CentralStatus } - // ListCentralsWithRoutesNotCreated holds details about calls to the ListCentralsWithRoutesNotCreated method. - ListCentralsWithRoutesNotCreated []struct { - } // ListCentralsWithoutAuthConfig holds details about calls to the ListCentralsWithoutAuthConfig method. ListCentralsWithoutAuthConfig []struct { } @@ -392,35 +358,32 @@ type CentralServiceMock struct { CentralRequest *dbapi.CentralRequest } } - lockAcceptCentralRequest sync.RWMutex - lockAssignCluster sync.RWMutex - lockChangeBillingParameters sync.RWMutex - lockChangeCentralCNAMErecords sync.RWMutex - lockChangeSubscription sync.RWMutex - lockCountByRegionAndInstanceType sync.RWMutex - lockCountByStatus sync.RWMutex - lockDelete sync.RWMutex - lockDeprovisionCentralForUsers sync.RWMutex - lockDeprovisionExpiredCentrals sync.RWMutex - lockDetectInstanceType sync.RWMutex - lockGet sync.RWMutex - lockGetByID sync.RWMutex - lockGetCNAMERecordStatus sync.RWMutex - lockHasAvailableCapacityInRegion sync.RWMutex - lockList sync.RWMutex - lockListByStatus sync.RWMutex - lockListCentralsWithRoutesNotCreated sync.RWMutex - lockListCentralsWithoutAuthConfig sync.RWMutex - lockPrepareCentralRequest sync.RWMutex - lockRegisterCentralDeprovisionJob sync.RWMutex - lockRegisterCentralJob sync.RWMutex - lockResetCentralSecretBackup sync.RWMutex - lockRestore sync.RWMutex - lockRotateCentralRHSSOClient sync.RWMutex - lockUpdateIgnoreNils sync.RWMutex - lockUpdateStatus sync.RWMutex - lockUpdates sync.RWMutex - lockVerifyAndUpdateCentralAdmin sync.RWMutex + lockAcceptCentralRequest sync.RWMutex + lockAssignCluster sync.RWMutex + lockChangeBillingParameters sync.RWMutex + lockChangeSubscription sync.RWMutex + lockCountByRegionAndInstanceType sync.RWMutex + lockCountByStatus sync.RWMutex + lockDelete sync.RWMutex + lockDeprovisionCentralForUsers sync.RWMutex + lockDeprovisionExpiredCentrals sync.RWMutex + lockDetectInstanceType sync.RWMutex + lockGet sync.RWMutex + lockGetByID sync.RWMutex + lockHasAvailableCapacityInRegion sync.RWMutex + lockList sync.RWMutex + lockListByStatus sync.RWMutex + lockListCentralsWithoutAuthConfig sync.RWMutex + lockPrepareCentralRequest sync.RWMutex + lockRegisterCentralDeprovisionJob sync.RWMutex + lockRegisterCentralJob sync.RWMutex + lockResetCentralSecretBackup sync.RWMutex + lockRestore sync.RWMutex + lockRotateCentralRHSSOClient sync.RWMutex + lockUpdateIgnoreNils sync.RWMutex + lockUpdateStatus sync.RWMutex + lockUpdates sync.RWMutex + lockVerifyAndUpdateCentralAdmin sync.RWMutex } // AcceptCentralRequest calls AcceptCentralRequestFunc. @@ -547,42 +510,6 @@ func (mock *CentralServiceMock) ChangeBillingParametersCalls() []struct { return calls } -// ChangeCentralCNAMErecords calls ChangeCentralCNAMErecordsFunc. -func (mock *CentralServiceMock) ChangeCentralCNAMErecords(centralRequest *dbapi.CentralRequest, action CentralRoutesAction) (*route53.ChangeResourceRecordSetsOutput, *serviceError.ServiceError) { - if mock.ChangeCentralCNAMErecordsFunc == nil { - panic("CentralServiceMock.ChangeCentralCNAMErecordsFunc: method is nil but CentralService.ChangeCentralCNAMErecords was just called") - } - callInfo := struct { - CentralRequest *dbapi.CentralRequest - Action CentralRoutesAction - }{ - CentralRequest: centralRequest, - Action: action, - } - mock.lockChangeCentralCNAMErecords.Lock() - mock.calls.ChangeCentralCNAMErecords = append(mock.calls.ChangeCentralCNAMErecords, callInfo) - mock.lockChangeCentralCNAMErecords.Unlock() - return mock.ChangeCentralCNAMErecordsFunc(centralRequest, action) -} - -// ChangeCentralCNAMErecordsCalls gets all the calls that were made to ChangeCentralCNAMErecords. -// Check the length with: -// -// len(mockedCentralService.ChangeCentralCNAMErecordsCalls()) -func (mock *CentralServiceMock) ChangeCentralCNAMErecordsCalls() []struct { - CentralRequest *dbapi.CentralRequest - Action CentralRoutesAction -} { - var calls []struct { - CentralRequest *dbapi.CentralRequest - Action CentralRoutesAction - } - mock.lockChangeCentralCNAMErecords.RLock() - calls = mock.calls.ChangeCentralCNAMErecords - mock.lockChangeCentralCNAMErecords.RUnlock() - return calls -} - // ChangeSubscription calls ChangeSubscriptionFunc. func (mock *CentralServiceMock) ChangeSubscription(ctx context.Context, centralID string, cloudAccountID string, cloudProvider string, subscriptionID string) *serviceError.ServiceError { if mock.ChangeSubscriptionFunc == nil { @@ -885,38 +812,6 @@ func (mock *CentralServiceMock) GetByIDCalls() []struct { return calls } -// GetCNAMERecordStatus calls GetCNAMERecordStatusFunc. -func (mock *CentralServiceMock) GetCNAMERecordStatus(centralRequest *dbapi.CentralRequest) (*CNameRecordStatus, error) { - if mock.GetCNAMERecordStatusFunc == nil { - panic("CentralServiceMock.GetCNAMERecordStatusFunc: method is nil but CentralService.GetCNAMERecordStatus was just called") - } - callInfo := struct { - CentralRequest *dbapi.CentralRequest - }{ - CentralRequest: centralRequest, - } - mock.lockGetCNAMERecordStatus.Lock() - mock.calls.GetCNAMERecordStatus = append(mock.calls.GetCNAMERecordStatus, callInfo) - mock.lockGetCNAMERecordStatus.Unlock() - return mock.GetCNAMERecordStatusFunc(centralRequest) -} - -// GetCNAMERecordStatusCalls gets all the calls that were made to GetCNAMERecordStatus. -// Check the length with: -// -// len(mockedCentralService.GetCNAMERecordStatusCalls()) -func (mock *CentralServiceMock) GetCNAMERecordStatusCalls() []struct { - CentralRequest *dbapi.CentralRequest -} { - var calls []struct { - CentralRequest *dbapi.CentralRequest - } - mock.lockGetCNAMERecordStatus.RLock() - calls = mock.calls.GetCNAMERecordStatus - mock.lockGetCNAMERecordStatus.RUnlock() - return calls -} - // HasAvailableCapacityInRegion calls HasAvailableCapacityInRegionFunc. func (mock *CentralServiceMock) HasAvailableCapacityInRegion(centralRequest *dbapi.CentralRequest) (bool, *serviceError.ServiceError) { if mock.HasAvailableCapacityInRegionFunc == nil { @@ -1017,33 +912,6 @@ func (mock *CentralServiceMock) ListByStatusCalls() []struct { return calls } -// ListCentralsWithRoutesNotCreated calls ListCentralsWithRoutesNotCreatedFunc. -func (mock *CentralServiceMock) ListCentralsWithRoutesNotCreated() ([]*dbapi.CentralRequest, *serviceError.ServiceError) { - if mock.ListCentralsWithRoutesNotCreatedFunc == nil { - panic("CentralServiceMock.ListCentralsWithRoutesNotCreatedFunc: method is nil but CentralService.ListCentralsWithRoutesNotCreated was just called") - } - callInfo := struct { - }{} - mock.lockListCentralsWithRoutesNotCreated.Lock() - mock.calls.ListCentralsWithRoutesNotCreated = append(mock.calls.ListCentralsWithRoutesNotCreated, callInfo) - mock.lockListCentralsWithRoutesNotCreated.Unlock() - return mock.ListCentralsWithRoutesNotCreatedFunc() -} - -// ListCentralsWithRoutesNotCreatedCalls gets all the calls that were made to ListCentralsWithRoutesNotCreated. -// Check the length with: -// -// len(mockedCentralService.ListCentralsWithRoutesNotCreatedCalls()) -func (mock *CentralServiceMock) ListCentralsWithRoutesNotCreatedCalls() []struct { -} { - var calls []struct { - } - mock.lockListCentralsWithRoutesNotCreated.RLock() - calls = mock.calls.ListCentralsWithRoutesNotCreated - mock.lockListCentralsWithRoutesNotCreated.RUnlock() - return calls -} - // ListCentralsWithoutAuthConfig calls ListCentralsWithoutAuthConfigFunc. func (mock *CentralServiceMock) ListCentralsWithoutAuthConfig() ([]*dbapi.CentralRequest, *serviceError.ServiceError) { if mock.ListCentralsWithoutAuthConfigFunc == nil { diff --git a/internal/central/pkg/services/data_plane_central.go b/internal/central/pkg/services/data_plane_central.go index 208faa7dd9..0824780eb1 100644 --- a/internal/central/pkg/services/data_plane_central.go +++ b/internal/central/pkg/services/data_plane_central.go @@ -124,12 +124,6 @@ func (s *dataPlaneCentralService) ListByClusterID(clusterID string) (dbapi.Centr } func (s *dataPlaneCentralService) setCentralClusterReady(centralRequest *dbapi.CentralRequest) *serviceError.ServiceError { - if !centralRequest.RoutesCreated { - logger.Logger.V(10).Infof("routes for central %s are not created", centralRequest.ID) - return nil - } - logger.Logger.Infof("routes for central %s are created", centralRequest.ID) - // only send metrics data if the current central request is in "provisioning" status as this is the only case we want to report shouldSendMetric, err := s.checkCentralRequestCurrentStatus(centralRequest, constants.CentralRequestStatusProvisioning) if err != nil { diff --git a/internal/central/pkg/workers/centralmgrs/centrals_routes_cname_mgr.go b/internal/central/pkg/workers/centralmgrs/centrals_routes_cname_mgr.go deleted file mode 100644 index 047e74ebe9..0000000000 --- a/internal/central/pkg/workers/centralmgrs/centrals_routes_cname_mgr.go +++ /dev/null @@ -1,112 +0,0 @@ -package centralmgrs - -import ( - "github.com/golang/glog" - "github.com/google/uuid" - "github.com/pkg/errors" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/config" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/externaldns" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/presenters" - "github.com/stackrox/acs-fleet-manager/internal/central/pkg/services" - "github.com/stackrox/acs-fleet-manager/pkg/metrics" - "github.com/stackrox/acs-fleet-manager/pkg/workers" -) - -const centralDNSWorkerType = "central_dns" - -// CentralRoutesCNAMEManager ... -type CentralRoutesCNAMEManager struct { - workers.BaseWorker - centralService services.CentralService - centralConfig *config.CentralConfig - managedCentralPresenter *presenters.ManagedCentralPresenter -} - -var _ workers.Worker = &CentralRoutesCNAMEManager{} - -// NewCentralCNAMEManager ... -func NewCentralCNAMEManager(centralService services.CentralService, centralConfig *config.CentralConfig, managedCentralPresenter *presenters.ManagedCentralPresenter) *CentralRoutesCNAMEManager { - metrics.InitReconcilerMetricsForType(centralDNSWorkerType) - return &CentralRoutesCNAMEManager{ - BaseWorker: workers.BaseWorker{ - ID: uuid.New().String(), - WorkerType: centralDNSWorkerType, - Reconciler: workers.Reconciler{}, - }, - centralService: centralService, - centralConfig: centralConfig, - managedCentralPresenter: managedCentralPresenter, - } -} - -// Start ... -func (k *CentralRoutesCNAMEManager) Start() { - k.StartWorker(k) -} - -// Stop ... -func (k *CentralRoutesCNAMEManager) Stop() { - k.StopWorker(k) -} - -// Reconcile ... -func (k *CentralRoutesCNAMEManager) Reconcile() []error { - var errs []error - - centrals, listErr := k.centralService.ListCentralsWithRoutesNotCreated() - if listErr != nil { - errs = append(errs, errors.Wrap(listErr, "failed to list centrals whose routes are not created")) - } - if len(centrals) > 0 { - glog.Infof("centrals need routes created count = %d", len(centrals)) - } - - for _, central := range centrals { - managedCentral, err := k.managedCentralPresenter.PresentManagedCentral(central) - if err != nil { - errs = append(errs, errors.Wrapf(err, "failed to present managed central for central %s", central.ID)) - continue - } - if k.centralConfig.EnableCentralExternalDomain && !externaldns.IsEnabled(managedCentral) { - if central.RoutesCreationID == "" { - glog.Infof("creating CNAME records for central %s", central.ID) - - changeOutput, err := k.centralService.ChangeCentralCNAMErecords(central, services.CentralRoutesActionUpsert) - - if err != nil { - errs = append(errs, err) - continue - } - - switch { - case changeOutput == nil: - glog.Infof("creating CNAME records failed with nil result") - continue - case changeOutput.ChangeInfo == nil || changeOutput.ChangeInfo.Id == nil || changeOutput.ChangeInfo.Status == "": - glog.Infof("creating CNAME records failed with nil info") - continue - } - - central.RoutesCreationID = *changeOutput.ChangeInfo.Id - central.RoutesCreated = changeOutput.ChangeInfo.Status == "INSYNC" - } else { - recordStatus, err := k.centralService.GetCNAMERecordStatus(central) - if err != nil { - errs = append(errs, err) - continue - } - central.RoutesCreated = *recordStatus.Status == "INSYNC" - } - } else { - glog.Infof("external certificate is disabled, skip CNAME creation for Central %s", central.ID) - central.RoutesCreated = true - } - - if err := k.centralService.UpdateIgnoreNils(central); err != nil { - errs = append(errs, err) - continue - } - } - - return errs -} diff --git a/internal/central/providers.go b/internal/central/providers.go index 5ea1301c33..1fc56723bf 100644 --- a/internal/central/providers.go +++ b/internal/central/providers.go @@ -72,7 +72,6 @@ func ServiceProviders() di.Option { di.Provide(centralmgrs.NewDeletingCentralManager, di.As(new(workers.Worker))), di.Provide(centralmgrs.NewProvisioningCentralManager, di.As(new(workers.Worker))), di.Provide(centralmgrs.NewReadyCentralManager, di.As(new(workers.Worker))), - di.Provide(centralmgrs.NewCentralCNAMEManager, di.As(new(workers.Worker))), di.Provide(centralmgrs.NewCentralAuthConfigManager, di.As(new(workers.Worker))), di.Provide(centralmgrs.NewExpirationDateManager, di.As(new(workers.Worker))), di.Provide(gitops.NewEmptyReader), diff --git a/internal/central/test/integration/admin_test.go b/internal/central/test/integration/admin_test.go index 68479d9ad8..575507b40e 100644 --- a/internal/central/test/integration/admin_test.go +++ b/internal/central/test/integration/admin_test.go @@ -39,34 +39,30 @@ func TestAssignCluster(t *testing.T) { centrals := []*dbapi.CentralRequest{ { - MultiAZ: clusters[0].MultiAZ, - Owner: "assigclusteruser1", - Region: clusters[0].Region, - CloudProvider: clusters[0].CloudProvider, - Name: "assign-cluster-central", - OrganisationID: orgID, - Status: constants2.CentralRequestStatusReady.String(), - InstanceType: clusters[0].SupportedInstanceType, - ClusterID: clusters[0].ClusterID, - Meta: api.Meta{ID: api.NewID()}, - RoutesCreated: true, - Routes: dummyRoutesJSON, - RoutesCreationID: "dummy-route-creation-id", + MultiAZ: clusters[0].MultiAZ, + Owner: "assigclusteruser1", + Region: clusters[0].Region, + CloudProvider: clusters[0].CloudProvider, + Name: "assign-cluster-central", + OrganisationID: orgID, + Status: constants2.CentralRequestStatusReady.String(), + InstanceType: clusters[0].SupportedInstanceType, + ClusterID: clusters[0].ClusterID, + Meta: api.Meta{ID: api.NewID()}, + Routes: dummyRoutesJSON, }, { - MultiAZ: clusters[0].MultiAZ, - Owner: "assigclusteruser2", - Region: clusters[0].Region, - CloudProvider: clusters[0].CloudProvider, - Name: "assign-cluster-central-2", - OrganisationID: orgID, - Status: constants2.CentralRequestStatusReady.String(), - InstanceType: clusters[0].SupportedInstanceType, - ClusterID: clusters[0].ClusterID, - Meta: api.Meta{ID: api.NewID()}, - RoutesCreated: true, - Routes: dummyRoutesJSON, - RoutesCreationID: "dummy-route-creation-id", + MultiAZ: clusters[0].MultiAZ, + Owner: "assigclusteruser2", + Region: clusters[0].Region, + CloudProvider: clusters[0].CloudProvider, + Name: "assign-cluster-central-2", + OrganisationID: orgID, + Status: constants2.CentralRequestStatusReady.String(), + InstanceType: clusters[0].SupportedInstanceType, + ClusterID: clusters[0].ClusterID, + Meta: api.Meta{ID: api.NewID()}, + Routes: dummyRoutesJSON, }, } @@ -92,9 +88,7 @@ func TestAssignCluster(t *testing.T) { } require.Equal(t, "new-cluster-1234", cr.ClusterID, "ClusterID was not set properly.") - require.False(t, cr.RoutesCreated, "RoutesCreated should be reset to false.") require.Nil(t, cr.Routes, "Stored Routes content should be nil.") - require.Empty(t, cr.RoutesCreationID, "Stored RoutesCreationID should be reset to empty string") require.Equal(t, constants2.CentralRequestStatusProvisioning.String(), cr.Status, "Status should change from ready to provisioning.") require.True(t, cr.EnteredProvisioningAt.Valid, "EnteredProvisioning time should be valid") // can't require only Before here as this might introduce a timing flake when this test runs through faster then diff --git a/openapi/fleet-manager-private-admin.yaml b/openapi/fleet-manager-private-admin.yaml index 6cb51b5e19..50c79a210f 100644 --- a/openapi/fleet-manager-private-admin.yaml +++ b/openapi/fleet-manager-private-admin.yaml @@ -741,8 +741,6 @@ components: type: string router: type: string - routes_created: - type: boolean cluster_id: type: string namespace: diff --git a/pkg/client/aws/client.go b/pkg/client/aws/client.go index ea7028a3d3..1691ee64b6 100644 --- a/pkg/client/aws/client.go +++ b/pkg/client/aws/client.go @@ -3,25 +3,16 @@ package aws import ( "context" - "fmt" - - errors "github.com/zgalor/weberr" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/aws/retry" "github.com/aws/aws-sdk-go-v2/credentials" - "github.com/aws/aws-sdk-go-v2/service/route53" - "github.com/aws/aws-sdk-go-v2/service/route53/types" ) // Client ... // //go:generate moq -out client_moq.go . Client type Client interface { - // route53 - ListHostedZonesByNameInput(dnsName string) (*route53.ListHostedZonesByNameOutput, error) - ChangeResourceRecordSets(dnsName string, recordChangeBatch *types.ChangeBatch) (*route53.ChangeResourceRecordSetsOutput, error) - GetChange(changeID string) (*route53.GetChangeOutput, error) } // ClientFactory ... @@ -63,71 +54,14 @@ func newClient(creds Config, region string) (Client, error) { return nil, err } - cfg := aws.Config{ + // For future AWS service integrations, the config would be used here + _ = aws.Config{ Credentials: credentialsCache, Region: region, Retryer: func() aws.Retryer { return retry.AddWithMaxAttempts(retry.NewStandard(), 2) }, } - return &awsClient{ - route53Client: route53.NewFromConfig(cfg), - }, nil -} - -type awsClient struct { - route53Client *route53.Client + return &awsClient{}, nil } -// GetChange ... -func (client *awsClient) GetChange(changeID string) (*route53.GetChangeOutput, error) { - changeInput := &route53.GetChangeInput{ - Id: &changeID, - } - - change, err := client.route53Client.GetChange(context.TODO(), changeInput) - if err != nil { - return nil, errors.Wrapf(err, "failed to get DNS Change") - } - - return change, nil -} - -// ListHostedZonesByNameInput ... -func (client *awsClient) ListHostedZonesByNameInput(dnsName string) (*route53.ListHostedZonesByNameOutput, error) { - requestInput := &route53.ListHostedZonesByNameInput{ - DNSName: &dnsName, - MaxItems: aws.Int32(1), - } - - zone, err := client.route53Client.ListHostedZonesByName(context.TODO(), requestInput) - if err != nil { - return nil, errors.Wrapf(err, "failed to get DNS zone") - } - - return zone, nil -} - -// ChangeResourceRecordSets ... -func (client *awsClient) ChangeResourceRecordSets(dnsName string, recordChangeBatch *types.ChangeBatch) (*route53.ChangeResourceRecordSetsOutput, error) { - zones, err := client.ListHostedZonesByNameInput(dnsName) - if err != nil { - return nil, err - } - if len(zones.HostedZones) == 0 { - return nil, fmt.Errorf("No Hosted Zones found") - } - - hostedZoneID := zones.HostedZones[0].Id - - recordChanges := &route53.ChangeResourceRecordSetsInput{ - HostedZoneId: hostedZoneID, - ChangeBatch: recordChangeBatch, - } - - recordSetsOutput, err := client.route53Client.ChangeResourceRecordSets(context.TODO(), recordChanges) - - if err != nil { - return nil, errors.Wrapf(err, "failed to change resource record sets") - } - return recordSetsOutput, nil -} +type awsClient struct{} diff --git a/pkg/client/aws/client_moq.go b/pkg/client/aws/client_moq.go index 6e2c250a8a..a1e55d15c9 100644 --- a/pkg/client/aws/client_moq.go +++ b/pkg/client/aws/client_moq.go @@ -3,11 +3,7 @@ package aws -import ( - "github.com/aws/aws-sdk-go-v2/service/route53" - "github.com/aws/aws-sdk-go-v2/service/route53/types" - "sync" -) +import () // Ensure, that ClientMock does implement Client. // If this is not the case, regenerate this file with moq. @@ -19,15 +15,6 @@ var _ Client = &ClientMock{} // // // make and configure a mocked Client // mockedClient := &ClientMock{ -// ChangeResourceRecordSetsFunc: func(dnsName string, recordChangeBatch *types.ChangeBatch) (*route53.ChangeResourceRecordSetsOutput, error) { -// panic("mock out the ChangeResourceRecordSets method") -// }, -// GetChangeFunc: func(changeID string) (*route53.GetChangeOutput, error) { -// panic("mock out the GetChange method") -// }, -// ListHostedZonesByNameInputFunc: func(dnsName string) (*route53.ListHostedZonesByNameOutput, error) { -// panic("mock out the ListHostedZonesByNameInput method") -// }, // } // // // use mockedClient in code that requires Client @@ -35,136 +22,7 @@ var _ Client = &ClientMock{} // // } type ClientMock struct { - // ChangeResourceRecordSetsFunc mocks the ChangeResourceRecordSets method. - ChangeResourceRecordSetsFunc func(dnsName string, recordChangeBatch *types.ChangeBatch) (*route53.ChangeResourceRecordSetsOutput, error) - - // GetChangeFunc mocks the GetChange method. - GetChangeFunc func(changeID string) (*route53.GetChangeOutput, error) - - // ListHostedZonesByNameInputFunc mocks the ListHostedZonesByNameInput method. - ListHostedZonesByNameInputFunc func(dnsName string) (*route53.ListHostedZonesByNameOutput, error) - // calls tracks calls to the methods. calls struct { - // ChangeResourceRecordSets holds details about calls to the ChangeResourceRecordSets method. - ChangeResourceRecordSets []struct { - // DnsName is the dnsName argument value. - DnsName string - // RecordChangeBatch is the recordChangeBatch argument value. - RecordChangeBatch *types.ChangeBatch - } - // GetChange holds details about calls to the GetChange method. - GetChange []struct { - // ChangeID is the changeID argument value. - ChangeID string - } - // ListHostedZonesByNameInput holds details about calls to the ListHostedZonesByNameInput method. - ListHostedZonesByNameInput []struct { - // DnsName is the dnsName argument value. - DnsName string - } - } - lockChangeResourceRecordSets sync.RWMutex - lockGetChange sync.RWMutex - lockListHostedZonesByNameInput sync.RWMutex -} - -// ChangeResourceRecordSets calls ChangeResourceRecordSetsFunc. -func (mock *ClientMock) ChangeResourceRecordSets(dnsName string, recordChangeBatch *types.ChangeBatch) (*route53.ChangeResourceRecordSetsOutput, error) { - if mock.ChangeResourceRecordSetsFunc == nil { - panic("ClientMock.ChangeResourceRecordSetsFunc: method is nil but Client.ChangeResourceRecordSets was just called") - } - callInfo := struct { - DnsName string - RecordChangeBatch *types.ChangeBatch - }{ - DnsName: dnsName, - RecordChangeBatch: recordChangeBatch, - } - mock.lockChangeResourceRecordSets.Lock() - mock.calls.ChangeResourceRecordSets = append(mock.calls.ChangeResourceRecordSets, callInfo) - mock.lockChangeResourceRecordSets.Unlock() - return mock.ChangeResourceRecordSetsFunc(dnsName, recordChangeBatch) -} - -// ChangeResourceRecordSetsCalls gets all the calls that were made to ChangeResourceRecordSets. -// Check the length with: -// -// len(mockedClient.ChangeResourceRecordSetsCalls()) -func (mock *ClientMock) ChangeResourceRecordSetsCalls() []struct { - DnsName string - RecordChangeBatch *types.ChangeBatch -} { - var calls []struct { - DnsName string - RecordChangeBatch *types.ChangeBatch - } - mock.lockChangeResourceRecordSets.RLock() - calls = mock.calls.ChangeResourceRecordSets - mock.lockChangeResourceRecordSets.RUnlock() - return calls -} - -// GetChange calls GetChangeFunc. -func (mock *ClientMock) GetChange(changeID string) (*route53.GetChangeOutput, error) { - if mock.GetChangeFunc == nil { - panic("ClientMock.GetChangeFunc: method is nil but Client.GetChange was just called") - } - callInfo := struct { - ChangeID string - }{ - ChangeID: changeID, - } - mock.lockGetChange.Lock() - mock.calls.GetChange = append(mock.calls.GetChange, callInfo) - mock.lockGetChange.Unlock() - return mock.GetChangeFunc(changeID) -} - -// GetChangeCalls gets all the calls that were made to GetChange. -// Check the length with: -// -// len(mockedClient.GetChangeCalls()) -func (mock *ClientMock) GetChangeCalls() []struct { - ChangeID string -} { - var calls []struct { - ChangeID string - } - mock.lockGetChange.RLock() - calls = mock.calls.GetChange - mock.lockGetChange.RUnlock() - return calls -} - -// ListHostedZonesByNameInput calls ListHostedZonesByNameInputFunc. -func (mock *ClientMock) ListHostedZonesByNameInput(dnsName string) (*route53.ListHostedZonesByNameOutput, error) { - if mock.ListHostedZonesByNameInputFunc == nil { - panic("ClientMock.ListHostedZonesByNameInputFunc: method is nil but Client.ListHostedZonesByNameInput was just called") - } - callInfo := struct { - DnsName string - }{ - DnsName: dnsName, - } - mock.lockListHostedZonesByNameInput.Lock() - mock.calls.ListHostedZonesByNameInput = append(mock.calls.ListHostedZonesByNameInput, callInfo) - mock.lockListHostedZonesByNameInput.Unlock() - return mock.ListHostedZonesByNameInputFunc(dnsName) -} - -// ListHostedZonesByNameInputCalls gets all the calls that were made to ListHostedZonesByNameInput. -// Check the length with: -// -// len(mockedClient.ListHostedZonesByNameInputCalls()) -func (mock *ClientMock) ListHostedZonesByNameInputCalls() []struct { - DnsName string -} { - var calls []struct { - DnsName string } - mock.lockListHostedZonesByNameInput.RLock() - calls = mock.calls.ListHostedZonesByNameInput - mock.lockListHostedZonesByNameInput.RUnlock() - return calls } diff --git a/scripts/ci/multicluster_tests/deploy.sh b/scripts/ci/multicluster_tests/deploy.sh index 7c1da5a61c..fa4b0e7017 100755 --- a/scripts/ci/multicluster_tests/deploy.sh +++ b/scripts/ci/multicluster_tests/deploy.sh @@ -11,7 +11,6 @@ export CLUSTER_2_KUBECONFIG=${CLUSTER_2_KUBECONFIG:-"$HOME/.kube/cluster2"} # Bootstrap C1 export KUBECONFIG="$CLUSTER_1_KUBECONFIG" export INHERIT_IMAGEPULLSECRETS="true" # pragma: allowlist secret -export ENABLE_CENTRAL_EXTERNAL_DOMAIN="true" make deploy/bootstrap make deploy/dev diff --git a/templates/secrets-template.yml b/templates/secrets-template.yml index adc946bf04..9e2fa3f49f 100644 --- a/templates/secrets-template.yml +++ b/templates/secrets-template.yml @@ -62,12 +62,6 @@ parameters: - name: AWS_SECRET_ACCESS_KEY description: AWS secret access key used to create CCS clusters -- name: ROUTE53_ACCESS_KEY - description: AWS route 53 access key for creating CNAME records - -- name: ROUTE53_SECRET_ACCESS_KEY - description: AWS route 53 secret access key for creating CNAME records - - name: SSO_CLIENT_ID description: Client id used to interact with mas sso @@ -106,5 +100,3 @@ objects: aws.secretaccesskey: ${AWS_SECRET_ACCESS_KEY} redhatsso-service.clientId: ${SSO_CLIENT_ID} redhatsso-service.clientSecret: ${SSO_CLIENT_SECRET} - aws.route53accesskey: ${ROUTE53_ACCESS_KEY} - aws.route53secretaccesskey: ${ROUTE53_SECRET_ACCESS_KEY} diff --git a/templates/service-template.yml b/templates/service-template.yml index 30c2a164c2..b518358776 100644 --- a/templates/service-template.yml +++ b/templates/service-template.yml @@ -182,11 +182,6 @@ parameters: description: A list of supported cloud providers in a yaml format. value: "[{name: aws, default: true, regions: [{name: us-east-1, default: true, supported_instance_type: {standard: {}, eval: {}}}]}]" -- name: ENABLE_CENTRAL_EXTERNAL_DOMAIN - displayName: Enable Central TLS - description: Enable the Central TLS certificate - value: "true" - - name: ENABLE_TERMS_ACCEPTANCE displayName: Enable terms acceptance description: If enabled, centrals can't be created unless required terms are accepted @@ -666,8 +661,6 @@ objects: aws.secretaccesskey: badger redhatsso-service.clientId: badger redhatsso-service.clientSecret: badger - aws.route53accesskey: badger - aws.route53secretaccesskey: badger - apiVersion: v1 kind: ConfigMap metadata: @@ -894,7 +887,6 @@ objects: command: - /usr/local/bin/fleet-manager - serve - - --enable-central-external-domain=${ENABLE_CENTRAL_EXTERNAL_DOMAIN} - --providers-config-file=${PROVIDERS_CONFIG_FILE} - --quota-management-list-config-file=/config/quota-management-list-configuration.yaml - --deny-list-config-file=/config/deny-list-configuration.yaml @@ -904,8 +896,6 @@ objects: - --aws-access-key-file=/secrets/service/aws.accesskey - --aws-account-id-file=/secrets/fleet-manager-credentials/aws.accountid - --aws-secret-access-key-file=/secrets/service/aws.secretaccesskey - - --aws-route53-access-key-file=/secrets/fleet-manager-credentials/aws.route53accesskey - - --aws-route53-secret-access-key-file=/secrets/fleet-manager-credentials/aws.route53secretaccesskey - --central-idp-client-secret-file=/secrets/fleet-manager-credentials/central.idp-client-secret - --central-idp-client-id=${CENTRAL_IDP_CLIENT_ID} - --db-host-file=/secrets/rds/db.host