From 24c2711903ed5f9f519937c2e7042136fc332d17 Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Mon, 12 Jun 2023 18:36:51 +0200 Subject: [PATCH 1/4] Make rds client load configuration solely from env variables --- fleetshard/config/config.go | 11 --------- .../central/cloudprovider/awsclient/rds.go | 23 +++---------------- 2 files changed, 3 insertions(+), 31 deletions(-)
diff --git a/fleetshard/config/config.go b/fleetshard/config/config.go
index dd54784c7e..41ee6774fc 100644
--- a/fleetshard/config/config.go
+++ b/fleetshard/config/config.go
@@ -30,18 +30,10 @@ type Config struct {
 FeatureFlagUpgradeOperatorEnabled bool `env:"FEATURE_FLAG_UPGRADE_OPERATOR_ENABLED" envDefault:"false"`
 BaseCrdURL string `env:"BASE_CRD_URL" envDefault:"https://raw.githubusercontent.com/stackrox/stackrox/%s/operator/bundle/manifests/"`
- AWS AWS
 ManagedDB ManagedDB
 Telemetry Telemetry
 }
-// AWS for configuring AWS specific parameters
-type AWS struct {
- Region string `env:"AWS_REGION" envDefault:"us-east-1"`
- RoleARN string `env:"AWS_ROLE_ARN"`
- TokenFile string `env:"AWS_STS_TOKEN_FILE" envDefault:"/var/run/secrets/tokens/aws-token"`
-}
-
 // ManagedDB for configuring managed DB specific parameters
 type ManagedDB struct {
 Enabled bool `env:"MANAGED_DB_ENABLED" envDefault:"false"`
@@ -86,9 +78,6 @@ func validateManagedDBConfig(c Config, configErrors *errorhelpers.ErrorList) {
 if !c.ManagedDB.Enabled {
 return
 }
- if c.AWS.RoleARN == "" {
- configErrors.AddError(errors.New("MANAGED_DB_ENABLED == true and AWS_ROLE_ARN unset in the environment"))
- }
 if c.ManagedDB.SecurityGroup == "" {
 configErrors.AddError(errors.New("MANAGED_DB_ENABLED == true and MANAGED_DB_SECURITY_GROUP unset in the environment"))
 }
diff --git a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
index a67e59043e..14598fba6f 100644
--- a/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
+++ b/fleetshard/pkg/central/cloudprovider/awsclient/rds.go
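Review bot: validateManagedDBConfig no longer checks any AWS setting once MANAGED_DB_ENABLED is true, so a missing credential source or region is no longer a configuration error and only shows up when the RDS client is built or first used. If delegating this to the SDK default chain is intended, the function should say so where the old check stood, e.g. `// AWS region and credentials are intentionally not validated here; the AWS SDK default chain resolves them when the RDS client is created.` The enclosing function begins above the hunk.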
@@ -9,11 +9,8 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/awserr"
- awscredentials "github.com/aws/aws-sdk-go/aws/credentials"
- "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/rds"
- "github.com/aws/aws-sdk-go/service/sts"
 "github.com/golang/glog"
 "github.com/stackrox/acs-fleet-manager/fleetshard/config"
 "github.com/stackrox/acs-fleet-manager/fleetshard/pkg/central/cloudprovider"
@@ -327,7 +324,7 @@ func (r *RDS) waitForInstanceToBeAvailable(ctx context.Context, instanceID strin
 // NewRDSClient initializes a new awsclient.RDS
 func NewRDSClient(config *config.Config) (*RDS, error) {
- rdsClient, err := newRdsClient(config.AWS)
+ rdsClient, err := newRdsClient()
 if err != nil {
 return nil, fmt.Errorf("unable to create RDS client: %w", err)
 }
@@ -432,22 +429,8 @@ func newDeleteCentralDBClusterInput(clusterID string, skipFinalSnapshot bool) *r
 return input
 }
-func newRdsClient(awsConfig config.AWS) (*rds.RDS, error) {
- cfg := &aws.Config{
- Region: aws.String(awsConfig.Region),
- }
- sess, err := session.NewSession(cfg)
- if err != nil {
- return nil, fmt.Errorf("unable to create session for STS client: %w", err)
- }
- stsClient := sts.New(sess)
-
- roleProvider := stscreds.NewWebIdentityRoleProviderWithOptions(stsClient, awsConfig.RoleARN, "rds",
- stscreds.FetchTokenPath(awsConfig.TokenFile))
-
- cfg.Credentials = awscredentials.NewCredentials(roleProvider)
-
- sess, err = session.NewSession(cfg)
+func newRdsClient() (*rds.RDS, error) {
+ sess, err := session.NewSession()
 if err != nil {
 return nil, fmt.Errorf("unable to create session for RDS client: %w", err)
 }
From 4b2b2faf2da606f6d951cb1722f7615e2c66f297 Mon Sep 17 00:00:00 2001
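Review bot: session.NewSession() in newRdsClient neither resolves credentials nor requires a region, so with the explicit web-identity provider gone a pod that starts without a token file or access keys succeeds here and the missing credentials surface only at the first RDS call inside a reconcile. Failing at construction keeps the error at startup where it is visible: after the session is created, `if _, err := sess.Config.Credentials.Get(); err != nil {` / `return nil, fmt.Errorf("resolving AWS credentials for RDS client: %w", err)` / `}` — with web-identity auth this performs the STS exchange once at startup. The same applies to the region: the us-east-1 envDefault disappeared together with config.AWS, so an unset AWS_REGION now means a MissingRegion error on every call; rejecting `aws.StringValue(sess.Config.Region) == ""` here is cheap. NewRDSClient's body continues below the hunk.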
From: Yury Kovalev Date: Tue, 13 Jun 2023 11:24:06 +0200 Subject: [PATCH 2/4] Make dev deployment scripts use access key instead of the token --- .../01-fleetshard-sync-secrets.yaml | 3 ++- .../02-fleetshard-sync-deployment.yaml | 17 +++++++---------- 2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml b/dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml
index 693eb6cd0f..0a1effa724 100644
--- a/dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml
+++ b/dev/env/manifests/fleetshard-sync/01-fleetshard-sync-secrets.yaml
@@ -9,4 +9,5 @@ stringData:
 rhsso-service-account-client-id: "${RHSSO_SERVICE_ACCOUNT_CLIENT_ID}"
 rhsso-service-account-client-secret: "${RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}"
 aws-role-arn: "${AWS_ROLE_ARN}"
- aws-token: "${AWS_STATIC_TOKEN}"
+ aws-access-key-id: "${AWS_ACCESS_KEY_ID}"
+ aws-secret-access-key: "${AWS_SECRET_ACCESS_KEY}"
diff --git a/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml b/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml
index eb4d63c9ac..caa6f33395 100644
--- a/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml
+++ b/dev/env/manifests/fleetshard-sync/02-fleetshard-sync-deployment.yaml
@@ -51,11 +51,16 @@ spec:
 value: "$MANAGED_DB_SUBNET_GROUP"
 - name: MANAGED_DB_PERFORMANCE_INSIGHTS
 value: "$MANAGED_DB_PERFORMANCE_INSIGHTS"
- - name: AWS_ROLE_ARN
+ - name: AWS_ACCESS_KEY_ID
 valueFrom:
 secretKeyRef:
 name: fleetshard-sync
- key: "aws-role-arn"
+ key: "aws-access-key-id"
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: fleetshard-sync
+ key: "aws-secret-access-key"
 image: "${FLEET_MANAGER_IMAGE}"
 imagePullPolicy: IfNotPresent
 name: fleetshard-sync
@@ -65,8 +70,6 @@ spec:
 name: secrets
 - mountPath: /config
 name: config
- - mountPath: /var/run/secrets/tokens
- name: aws-token
 restartPolicy: Always
 volumes:
 - name: secrets
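Review bot: The deployment now injects a static access key pair, but 01-fleetshard-sync-secrets.yaml still carries `aws-role-arn: "${AWS_ROLE_ARN}"`, which has no consumer once the AWS_ROLE_ARN env entry is replaced; drop it, or keep the env entry so the dev environment can still exercise the web-identity path that the Helm chart defaults to. AWS_REGION is not visible in this env list and the us-east-1 envDefault was removed from fleetshard config in the first patch of the series, so unless it is set elsewhere in the container spec the client has no region — confirm that it is. Since these are long-lived credentials kept in a Secret, a one-line comment on the secret manifest, e.g. `# dev-only static credentials; scope the key to the RDS permissions fleetshard needs`, would make the intent explicit.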
@@ -76,9 +79,3 @@ spec:
 - name: config
 configMap:
 name: config
- - name: aws-token
- secret:
- secretName: fleetshard-sync # pragma: allowlist secret
- items:
- - key: aws-token
- path: aws-token
From fe02904fd549682b7f7c87a12558b33a850d391b Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Tue, 13 Jun 2023 11:39:29 +0200 Subject: [PATCH 3/4] Change dp-terraform chart --- .../templates/fleetshard-sync-secret.yaml | 4 ++++ .../templates/fleetshard-sync.yaml | 15 +++++++++++++++ dp-terraform/helm/rhacs-terraform/values.yaml | 3 +++ 3 files changed, 22 insertions(+)
diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml
index 716016cf78..88b76b390e 100644
--- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml
+++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml
@@ -8,3 +8,7 @@ metadata:
 stringData:
 rhsso-service-account-client-id: {{ .Values.fleetshardSync.redHatSSO.clientId | quote }}
 rhsso-service-account-client-secret: {{ .Values.fleetshardSync.redHatSSO.clientSecret | quote }}
+ {{- if eq .Values.fleetshardSync.aws.enableTokenAuth false }}
+ aws-access-key-id: {{ required "fleetshardSync.aws.accessKeyId is required when fleetshardSync.aws.enableTokenAuth = false" .Values.fleetshardSync.aws.accessKeyId | quote }}
+ aws-secret-access-key: {{ required "fleetshardSync.aws.secretAccessKey is required when fleetshardSync.aws.enableTokenAuth = false" .Values.fleetshardSync.aws.secretAccessKey | quote }}
+ {{- end }}
diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml
index 740214b525..7482232962 100644
--- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml
+++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml
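Review bot: The secret template gates the static keys with `{{- if eq .Values.fleetshardSync.aws.enableTokenAuth false }}`, while fleetshard-sync.yaml in the next file uses `{{- if .Values.fleetshardSync.aws.enableTokenAuth }} … {{- else }}`; the two predicates agree only for a literal bool. For a null or unset value the plain `if` takes its else branch while `eq … false` does not render the keys (or errors), so the deployment references aws-access-key-id on a Secret rendered without it and the pod fails to start. Using the complement of the deployment's condition, `{{- if not .Values.fleetshardSync.aws.enableTokenAuth }}`, keeps both templates on a single predicate.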
@@ -80,6 +80,21 @@ spec:
 value: {{ .Values.fleetshardSync.telemetry.storage.endpoint | quote }}
 - name: TELEMETRY_STORAGE_KEY
 value: {{ .Values.fleetshardSync.telemetry.storage.key | quote }}
+ {{- if .Values.fleetshardSync.aws.enableTokenAuth }}
+ - name: AWS_WEB_IDENTITY_TOKEN_FILE
+ value: "/var/run/secrets/tokens/aws-token"
+ {{- else }}
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: fleetshard-sync
+ key: "aws-access-key-id"
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: fleetshard-sync
+ key: "aws-secret-access-key"
+ {{- end }}
 volumeMounts:
 - mountPath: /var/run/secrets/tokens
 name: aws-token
diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
index 07b21ac924..22cd96ec1d 100644
--- a/dp-terraform/helm/rhacs-terraform/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -35,6 +35,9 @@ fleetshardSync:
 aws:
 region: "us-east-1" # TODO(2023-05-01): Remove the default value here as we now set it explicitly
 roleARN: ""
+ enableTokenAuth: true
+ accessKeyId: ""
+ secretAccessKey: ""
 telemetry:
 storage:
 endpoint: ""
From f1a4360efd3326c7a5286de88ca330e7a8e6d92e Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Tue, 13 Jun 2023 15:04:43 +0200 Subject: [PATCH 4/4] Fix tests --- fleetshard/config/config_test.go | 13 ------------- .../pkg/central/reconciler/reconciler_test.go | 10 ++++++---- 2 files changed, 6 insertions(+), 17 deletions(-)
diff --git a/fleetshard/config/config_test.go b/fleetshard/config/config_test.go
index 1e2c32f5fd..09b7ad3488 100644
--- a/fleetshard/config/config_test.go
+++ b/fleetshard/config/config_test.go
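Review bot: In the token branch only AWS_WEB_IDENTITY_TOKEN_FILE is set; the SDK's web-identity provider also needs AWS_ROLE_ARN, and AWS_REGION is required now that the config default was removed in the first patch — both presumably come from `.Values.fleetshardSync.aws.roleARN` and `.region` earlier in this env list, outside the hunk; confirm that they do. The `aws-token` volumeMount below the new block (and its matching volume) stays unconditional, so in static-key mode a projected service-account token is still mounted into the container although nothing reads it; wrapping the mount and the volume in the same `{{- if .Values.fleetshardSync.aws.enableTokenAuth }}` keeps an unused credential out of the pod.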
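Review bot: The three new values in values.yaml are undocumented, and accessKeyId/secretAccessKey are static credentials whose role only becomes clear after reading two templates. A trailing comment on each line would tell operators which mode they belong to, e.g. `enableTokenAuth: true  # true: web-identity token (AWS_WEB_IDENTITY_TOKEN_FILE + roleARN); false: static key pair below` and `accessKeyId: ""  # only read when enableTokenAuth is false; rendered into the fleetshard-sync Secret`.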
@@ -30,30 +30,17 @@ func TestSingleton_Failure(t *testing.T) {
 func TestSingleton_Success_WhenManagedDBEnabled(t *testing.T) {
 t.Setenv("CLUSTER_ID", "some-value")
- t.Setenv("AWS_ROLE_ARN", "arn:aws:iam::012456789:role/fake_role")
 t.Setenv("MANAGED_DB_ENABLED", "true")
 t.Setenv("MANAGED_DB_SECURITY_GROUP", "some-group")
 cfg, err := GetConfig()
 require.NoError(t, err)
- assert.Equal(t, cfg.AWS.RoleARN, "arn:aws:iam::012456789:role/fake_role")
- assert.Equal(t, cfg.AWS.Region, "us-east-1")
 assert.Equal(t, cfg.ManagedDB.Enabled, true)
 assert.Equal(t, cfg.ManagedDB.SecurityGroup, "some-group")
 }
-func TestSingleton_Failure_WhenManagedDBEnabledAndAWSRoleArnNotSet(t *testing.T) {
- t.Setenv("CLUSTER_ID", "some-value")
- t.Setenv("MANAGED_DB_ENABLED", "true")
- t.Setenv("MANAGED_DB_SECURITY_GROUP", "some-group")
- cfg, err := GetConfig()
- assert.Error(t, err, "MANAGED_DB_ENABLED == true and AWS_ROLE_ARN unset in the environment")
- assert.Nil(t, cfg)
-}
-
 func TestSingleton_Failure_WhenManagedDBEnabledAndManagedDbSecurityGroupNotSet(t *testing.T) {
 t.Setenv("CLUSTER_ID", "some-value")
 t.Setenv("MANAGED_DB_ENABLED", "true")
- t.Setenv("AWS_ROLE_ARN", "arn:aws:iam::012456789:role/fake_role")
 cfg, err := GetConfig()
 assert.Error(t, err, "MANAGED_DB_ENABLED == true and MANAGED_DB_SECURITY_GROUP unset in the environment")
 assert.Nil(t, cfg)
diff --git a/fleetshard/pkg/central/reconciler/reconciler_test.go b/fleetshard/pkg/central/reconciler/reconciler_test.go
index f4a0c8690b..b46d985ad1 100644
--- a/fleetshard/pkg/central/reconciler/reconciler_test.go
+++ b/fleetshard/pkg/central/reconciler/reconciler_test.go
@@ -190,14 +190,16 @@ func TestReconcileCreateWithLabelOperatorVersion(t *testing.T) {
 }
 func TestReconcileCreateWithManagedDBNoCredentials(t *testing.T) {
+ t.Setenv("AWS_ACCESS_KEY", "")
+ t.Setenv("AWS_SECRET_ACCESS_KEY", "")
+ t.Setenv("AWS_REGION", "us-east-1")
+ t.Setenv("AWS_ROLE_ARN", "arn:aws:iam::012456789:role/fake_role")
+ t.Setenv("AWS_WEB_IDENTITY_TOKEN_FILE", "/var/run/secrets/tokens/aws-token")
+
 fakeClient := testutils.NewFakeClientBuilder(t).Build()
 managedDBProvisioningClient, err := awsclient.NewRDSClient(
 &config.Config{
- AWS: config.AWS{
- Region: "us-east-1",
- RoleARN: "arn:aws:iam::012456789:role/fake_role",
- },
 ManagedDB: config.ManagedDB{
 SecurityGroup: "security-group",
 SubnetGroup: "db-group",