From d585dfb2ddf7c5fca7e241d643d54a02b20cd297 Mon Sep 17 00:00:00 2001 From: Wesley Hearn Date: Tue, 24 Jan 2023 13:43:19 -0500 Subject: [PATCH 1/2] Minor fixes for rotate-secret for things found during testing --- cmd/account/rotate-secret.go | 64 ++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 28 deletions(-) diff --git a/cmd/account/rotate-secret.go b/cmd/account/rotate-secret.go index 2d032a23..82853562 100644 --- a/cmd/account/rotate-secret.go +++ b/cmd/account/rotate-secret.go @@ -42,6 +42,7 @@ func newCmdRotateSecret(streams genericclioptions.IOStreams, flags *genericcliop rotateSecretCmd.Flags().StringVarP(&ops.profile, "aws-profile", "p", "", "specify AWS profile") rotateSecretCmd.Flags().BoolVar(&ops.updateCcsCreds, "ccs", false, "Also rotates osdCcsAdmin credential. Use caution.") + flags.Impersonate = pointer.StringPtr("backplane-cluster-admin") return rotateSecretCmd } @@ -219,9 +220,6 @@ func (o *rotateSecretOptions) run() error { "aws_secret_access_key": []byte(*createAccessKeyOutput.AccessKey.SecretAccessKey), } - // Escalte to backplane cluster admin - o.flags.Impersonate = pointer.StringPtr("backplane-cluster-admin") - // Update existing osdManagedAdmin secret err = common.UpdateSecret(o.kubeCli, o.accountCRName+"-secret", common.AWSAccountNamespace, newOsdManagedAdminSecretData) if err != nil { 
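Review bot: The `flags.Impersonate = pointer.StringPtr("backplane-cluster-admin")` line added in newCmdRotateSecret escalates unconditionally at command construction instead of inside run() where the cluster writes happen, and the explanation the old line carried (`// Escalte to backplane cluster admin`, removed in the second hunk on this line) is not carried over. If `flags` is the ConfigFlags instance shared with sibling commands, the impersonation presumably applies to them as well once this command is registered — worth confirming. The move is presumably because the old assignment ran after `o.kubeCli` was already built and in use, so a comment stating that would save the next reader the same investigation: `// Impersonate backplane-cluster-admin for every kube call this command makes; set here so it is in place before the client is built.`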
@@ -234,6 +232,23 @@ func (o *rotateSecretOptions) run() error { return err } + fmt.Println("AWS creds updated on hive.") + + clusterDeployments := &hiveapiv1.ClusterDeploymentList{} + listOpts := []client.ListOption{ + client.InNamespace(account.Spec.ClaimLinkNamespace), + } + + err = o.kubeCli.List(ctx, clusterDeployments, listOpts...) + if err != nil { + return err + } + + if len(clusterDeployments.Items) == 0 { + return fmt.Errorf("failed to retreive cluster deployments") + } + cdName := clusterDeployments.Items[0].ObjectMeta.Name + // Create syncset to deploy the updated creds to the cluster for CCO syncSetName := "aws-sync" syncSet := &hiveapiv1.SyncSet{ @@ -242,6 +257,11 @@ func (o *rotateSecretOptions) run() error { Namespace: account.Spec.ClaimLinkNamespace, }, Spec: hiveapiv1.SyncSetSpec{ + ClusterDeploymentRefs: []corev1.LocalObjectReference{ + { + Name: cdName, + }, + }, SyncSetCommonSpec: hiveapiv1.SyncSetCommonSpec{ ResourceApplyMode: "Upsert", Secrets: []hiveapiv1.SecretMapping{ 
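Review bot: `cdName := clusterDeployments.Items[0].ObjectMeta.Name` silently takes the first of possibly several ClusterDeployments in `account.Spec.ClaimLinkNamespace`; List order is not guaranteed, so if that namespace ever holds more than one, the SyncSet created below targets an arbitrary cluster. Tighten the guard to `if len(clusterDeployments.Items) != 1 { return fmt.Errorf("expected exactly one ClusterDeployment in %s, found %d", account.Spec.ClaimLinkNamespace, len(clusterDeployments.Items)) }`, which also replaces the misspelled "retreive" message. run() starts and ends outside the hunk.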
@@ -258,40 +278,29 @@ func (o *rotateSecretOptions) run() error { }, }, } + fmt.Println("Syncing AWS creds down to cluster.") err = o.kubeCli.Create(ctx, syncSet) if err != nil { return err } - clusterDeployments := &hiveapiv1.ClusterDeploymentList{} - listOpts := []client.ListOption{ - client.InNamespace(account.Spec.ClaimLinkNamespace), - } - - err = o.kubeCli.List(ctx, clusterDeployments, listOpts...) - if err != nil { - return err - } - - if len(clusterDeployments.Items) == 0 { - return fmt.Errorf("failed to retreive cluster deployments") - } - cdName := clusterDeployments.Items[0].ObjectMeta.Name - - syncStatus := &hiveinternalv1alpha1.ClusterSync{ + fmt.Println("Watching Cluster Sync Status for deployment...") + hiveinternalv1alpha1.AddToScheme(o.kubeCli.Scheme()) + searchStatus := &hiveinternalv1alpha1.ClusterSync{ ObjectMeta: metav1.ObjectMeta{ Name: cdName, Namespace: account.Spec.ClaimLinkNamespace, }, } - - fmt.Printf("Watching Cluster Sync Status for deployment...") - + foundStatus := &hiveinternalv1alpha1.ClusterSync{} isSSSynced := false - for i := 0; i < 5; i++ { - o.kubeCli.Get(ctx, client.ObjectKeyFromObject(syncStatus), syncStatus) + for i := 0; i < 6; i++ { + err = o.kubeCli.Get(ctx, client.ObjectKeyFromObject(searchStatus), foundStatus) + if err != nil { + fmt.Println(err) + } - for _, status := range syncStatus.Status.SyncSets { + for _, status := range foundStatus.Status.SyncSets { if status.Name == syncSetName { if status.FirstSuccessTime != nil { isSSSynced = true @@ -301,15 +310,14 @@ func (o *rotateSecretOptions) run() error { } if isSSSynced { - fmt.Printf("Sync completed...") + fmt.Println("Sync completed...") break } - fmt.Printf("Sync not completed, sleeping 5 seconds and rechecking...") time.Sleep(time.Second * 5) } if !isSSSynced { - return fmt.Errorf("syncset failed to sync in 5mins. Please verify") + return fmt.Errorf("syncset failed to sync. Please verify") } // Clean up the SS on hive 
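Review bot: The return value of `hiveinternalv1alpha1.AddToScheme(o.kubeCli.Scheme())` is discarded, so a registration failure would only surface later as an opaque error from the ClusterSync `Get`; write `if err := hiveinternalv1alpha1.AddToScheme(o.kubeCli.Scheme()); err != nil { return err }`. Registering the type into the live client's scheme from run() also mutates the client on every invocation; if `o.kubeCli` is built elsewhere in this file, registering the scheme once there is cleaner — can't tell from here. run() starts and ends outside the hunk.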
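Review bot: The `if !isSSSynced` return exits before the "Clean up the SS on hive" step that follows it, so a timeout leaves the `aws-sync` SyncSet in `account.Spec.ClaimLinkNamespace`, and the new message `syncset failed to sync. Please verify` no longer says how long was waited (the loop on the new side polls 6 times with a 5 s sleep, roughly 30 s) or what to verify. Either remove the SyncSet on this path as well — a deferred cleanup right after the successful `Create` would cover every exit — or at least name it: `return fmt.Errorf("syncset %s/%s did not sync within 30s, please verify", account.Spec.ClaimLinkNamespace, syncSetName)`. The cleanup code itself is outside the hunk.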
From 3485884bcaea00bdf7c9f1015ad9d46fcc726959 Mon Sep 17 00:00:00 2001 From: Wesley Hearn Date: Tue, 24 Jan 2023 17:58:03 -0500 Subject: [PATCH 2/2] Clean up Print's and give visual feedback to the waiting for syncset --- cmd/account/rotate-secret.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/cmd/account/rotate-secret.go b/cmd/account/rotate-secret.go index 82853562..a9a5ef3b 100644 --- a/cmd/account/rotate-secret.go +++ b/cmd/account/rotate-secret.go @@ -15,7 +15,6 @@ import ( hiveinternalv1alpha1 "github.com/openshift/hive/apis/hiveinternal/v1alpha1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/utils/pointer" "k8s.io/apimachinery/pkg/types" "k8s.io/cli-runtime/pkg/genericclioptions" @@ -42,7 +41,6 @@ func newCmdRotateSecret(streams genericclioptions.IOStreams, flags *genericcliop rotateSecretCmd.Flags().StringVarP(&ops.profile, "aws-profile", "p", "", "specify AWS profile") rotateSecretCmd.Flags().BoolVar(&ops.updateCcsCreds, "ccs", false, "Also rotates osdCcsAdmin credential. Use caution.") - flags.Impersonate = pointer.StringPtr("backplane-cluster-admin") return rotateSecretCmd } @@ -284,7 +282,7 @@ func (o *rotateSecretOptions) run() error { return err } - fmt.Println("Watching Cluster Sync Status for deployment...") + fmt.Printf("Watching Cluster Sync Status for deployment...") hiveinternalv1alpha1.AddToScheme(o.kubeCli.Scheme()) searchStatus := &hiveinternalv1alpha1.ClusterSync{ ObjectMeta: metav1.ObjectMeta{ @@ -297,7 +295,7 @@ func (o *rotateSecretOptions) run() error { for i := 0; i < 6; i++ { err = o.kubeCli.Get(ctx, client.ObjectKeyFromObject(searchStatus), foundStatus) if err != nil { - fmt.Println(err) + return err } for _, status := range foundStatus.Status.SyncSets { 
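Review bot: `return err` on a failed `Get` of the ClusterSync aborts the rotation mid-flight, after the AWS key has already been replaced and the SyncSet created, even for a NotFound that is presumably transient right after SyncSet creation if hive has not yet written the ClusterSync object; treating NotFound as "not synced yet" and continuing the poll, e.g. `if err != nil && !apierrors.IsNotFound(err) { return err }` with `apierrors "k8s.io/apimachinery/pkg/api/errors"` imported, keeps the retry loop meaningful. With the `flags.Impersonate` line removed earlier in this patch, this Get and the other kube calls in run() now run under the caller's own identity, so a Forbidden error is also a hard failure; if backplane-cluster-admin impersonation is still required it must be applied where `o.kubeCli` is built, and the commit message should say why it was dropped. run() starts and ends outside the hunk.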
@@ -310,10 +308,11 @@ func (o *rotateSecretOptions) run() error { } if isSSSynced { - fmt.Println("Sync completed...") + fmt.Printf("\nSync completed...\n") break } + fmt.Printf(".") time.Sleep(time.Second * 5) } if !isSSSynced {
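Review bot: The progress dots from `fmt.Printf(".")` are only terminated by a newline on the success path (`"\nSync completed...\n"`); on the timeout path the `if !isSSSynced` block returns an error that the CLI will print on the same line as the dots. Add `fmt.Println()` as the first statement of that block (its body is outside the hunk). If `o` still carries the genericclioptions.IOStreams the command was built with, writing the dots to its `Out` rather than process stdout would also keep the output capturable in tests — can't tell from here.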