ARO-4376 pass dbPlatformWorkloadIdentityRoleSets to cluster validate

Azure · Jun 12, 2024 · e548102 · e548102
1 parent a6b3437
commit e548102
Show file tree

Hide file tree

Showing 7 changed files with 73 additions and 64 deletions.
diff --git a/cmd/aro/rp.go b/cmd/aro/rp.go
@@ -181,7 +181,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 		return err
 	}
 
-	b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, aead, metrics)
+	b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, aead, metrics)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/backend/backend.go b/pkg/backend/backend.go
@@ -28,12 +28,13 @@ type backend struct {
 	baseLog *logrus.Entry
 	env     env.Interface
 
-	dbAsyncOperations   database.AsyncOperations
-	dbBilling           database.Billing
-	dbGateway           database.Gateway
-	dbOpenShiftClusters database.OpenShiftClusters
-	dbSubscriptions     database.Subscriptions
-	dbOpenShiftVersions database.OpenShiftVersions
+	dbAsyncOperations                  database.AsyncOperations
+	dbBilling                          database.Billing
+	dbGateway                          database.Gateway
+	dbOpenShiftClusters                database.OpenShiftClusters
+	dbSubscriptions                    database.Subscriptions
+	dbOpenShiftVersions                database.OpenShiftVersions
+	dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets
 
 	aead    encryption.AEAD
 	m       metrics.Emitter
@@ -54,8 +55,8 @@ type Runnable interface {
 }
 
 // NewBackend returns a new runnable backend
-func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD, m metrics.Emitter) (Runnable, error) {
-	b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, aead, m)
+func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD, m metrics.Emitter) (Runnable, error) {
+	b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, aead, m)
 	if err != nil {
 		return nil, err
 	}
@@ -65,7 +66,7 @@ func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
 	return b, nil
 }
 
-func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD, m metrics.Emitter) (*backend, error) {
+func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD, m metrics.Emitter) (*backend, error) {
 	billing, err := billing.NewManager(env, dbBilling, dbSubscriptions, log)
 	if err != nil {
 		return nil, err
@@ -75,12 +76,13 @@ func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
 		baseLog: log,
 		env:     env,
 
-		dbAsyncOperations:   dbAsyncOperations,
-		dbBilling:           dbBilling,
-		dbGateway:           dbGateway,
-		dbOpenShiftClusters: dbOpenShiftClusters,
-		dbSubscriptions:     dbSubscriptions,
-		dbOpenShiftVersions: dbOpenShiftVersions,
+		dbAsyncOperations:                  dbAsyncOperations,
+		dbBilling:                          dbBilling,
+		dbGateway:                          dbGateway,
+		dbOpenShiftClusters:                dbOpenShiftClusters,
+		dbSubscriptions:                    dbSubscriptions,
+		dbOpenShiftVersions:                dbOpenShiftVersions,
+		dbPlatformWorkloadIdentityRoleSets: dbPlatformWorkloadIdentityRoleSets,
 
 		billing: billing,
 		aead:    aead,

diff --git a/pkg/backend/openshiftcluster.go b/pkg/backend/openshiftcluster.go
@@ -30,7 +30,7 @@ import (
 type openShiftClusterBackend struct {
 	*backend
 
-	newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error)
+	newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, database.PlatformWorkloadIdentityRoleSets, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error)
 }
 
 func newOpenShiftClusterBackend(b *backend) *openShiftClusterBackend {
@@ -129,7 +129,7 @@ func (ocb *openShiftClusterBackend) handle(ctx context.Context, log *logrus.Entr
 		}
 	}
 
-	m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.dbGateway, ocb.dbOpenShiftVersions, ocb.aead, ocb.billing, doc, subscriptionDoc, hr, ocb.m)
+	m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.dbGateway, ocb.dbOpenShiftVersions, ocb.dbPlatformWorkloadIdentityRoleSets, ocb.aead, ocb.billing, doc, subscriptionDoc, hr, ocb.m)
 	if err != nil {
 		return ocb.endLease(ctx, log, stop, doc, api.ProvisioningStateFailed, err)
 	}

diff --git a/pkg/backend/openshiftcluster_test.go b/pkg/backend/openshiftcluster_test.go
@@ -302,6 +302,7 @@ func TestBackendTry(t *testing.T) {
 			dbSubscriptions, _ := testdatabase.NewFakeSubscriptions()
 			uuidGen := deterministicuuid.NewTestUUIDGenerator(deterministicuuid.OPENSHIFT_VERSIONS)
 			dbOpenShiftVersions, _ := testdatabase.NewFakeOpenShiftVersions(uuidGen)
+			dbPlatformWorkloadIdentityRoleSets, _ := testdatabase.NewFakePlatformWorkloadIdentityRoleSets(uuidGen)
 
 			f := testdatabase.NewFixture().WithOpenShiftClusters(dbOpenShiftClusters).WithSubscriptions(dbSubscriptions)
 			tt.mocks(manager, dbOpenShiftClusters)
@@ -311,11 +312,11 @@ func TestBackendTry(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error) {
+			createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, database.PlatformWorkloadIdentityRoleSets, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error) {
 				return manager, nil
 			}
 
-			b, err := newBackend(ctx, log, _env, nil, nil, nil, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, nil, &noop.Noop{})
+			b, err := newBackend(ctx, log, _env, nil, nil, nil, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, nil, &noop.Noop{})
 			if err != nil {
 				t.Fatal(err)
 			}

diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
@@ -57,11 +57,12 @@ type Interface interface {
 
 // manager contains information needed to install and maintain an ARO cluster
 type manager struct {
-	log                 *logrus.Entry
-	env                 env.Interface
-	db                  database.OpenShiftClusters
-	dbGateway           database.Gateway
-	dbOpenShiftVersions database.OpenShiftVersions
+	log                                *logrus.Entry
+	env                                env.Interface
+	db                                 database.OpenShiftClusters
+	dbGateway                          database.Gateway
+	dbOpenShiftVersions                database.OpenShiftVersions
+	dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets
 
 	billing           billing.Manager
 	doc               *api.OpenShiftClusterDocument
@@ -122,7 +123,7 @@ type manager struct {
 }
 
 // New returns a cluster manager
-func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database.OpenShiftClusters, dbGateway database.Gateway, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD,
+func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database.OpenShiftClusters, dbGateway database.Gateway, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD,
 	billing billing.Manager, doc *api.OpenShiftClusterDocument, subscriptionDoc *api.SubscriptionDocument, hiveClusterManager hive.ClusterManager, metricsEmitter metrics.Emitter,
 ) (Interface, error) {
 	r, err := azure.ParseResourceID(doc.OpenShiftCluster.ID)
@@ -186,37 +187,38 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 	}
 
 	return &manager{
-		log:                   log,
-		env:                   _env,
-		db:                    db,
-		dbGateway:             dbGateway,
-		dbOpenShiftVersions:   dbOpenShiftVersions,
-		billing:               billing,
-		doc:                   doc,
-		subscriptionDoc:       subscriptionDoc,
-		fpAuthorizer:          fpAuthorizer,
-		localFpAuthorizer:     localFPAuthorizer,
-		metricsEmitter:        metricsEmitter,
-		disks:                 compute.NewDisksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		virtualMachines:       compute.NewVirtualMachinesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		interfaces:            network.NewInterfacesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		armInterfaces:         armInterfacesClient,
-		publicIPAddresses:     network.NewPublicIPAddressesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		armPublicIPAddresses:  armPublicIPAddressesClient,
-		loadBalancers:         network.NewLoadBalancersClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		armLoadBalancers:      armLoadBalancersClient,
-		privateEndpoints:      network.NewPrivateEndpointsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		securityGroups:        network.NewSecurityGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		deployments:           features.NewDeploymentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		resourceGroups:        features.NewResourceGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		resources:             features.NewResourcesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		privateZones:          privatedns.NewPrivateZonesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		virtualNetworkLinks:   privatedns.NewVirtualNetworkLinksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		roleAssignments:       authorization.NewRoleAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		roleDefinitions:       authorization.NewRoleDefinitionsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		denyAssignments:       authorization.NewDenyAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
-		fpPrivateEndpoints:    network.NewPrivateEndpointsClient(_env.Environment(), _env.SubscriptionID(), localFPAuthorizer),
-		rpPrivateLinkServices: network.NewPrivateLinkServicesClient(_env.Environment(), _env.SubscriptionID(), msiAuthorizer),
+		log:                                log,
+		env:                                _env,
+		db:                                 db,
+		dbGateway:                          dbGateway,
+		dbOpenShiftVersions:                dbOpenShiftVersions,
+		dbPlatformWorkloadIdentityRoleSets: dbPlatformWorkloadIdentityRoleSets,
+		billing:                            billing,
+		doc:                                doc,
+		subscriptionDoc:                    subscriptionDoc,
+		fpAuthorizer:                       fpAuthorizer,
+		localFpAuthorizer:                  localFPAuthorizer,
+		metricsEmitter:                     metricsEmitter,
+		disks:                              compute.NewDisksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		virtualMachines:                    compute.NewVirtualMachinesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		interfaces:                         network.NewInterfacesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armInterfaces:                      armInterfacesClient,
+		publicIPAddresses:                  network.NewPublicIPAddressesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armPublicIPAddresses:               armPublicIPAddressesClient,
+		loadBalancers:                      network.NewLoadBalancersClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armLoadBalancers:                   armLoadBalancersClient,
+		privateEndpoints:                   network.NewPrivateEndpointsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		securityGroups:                     network.NewSecurityGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		deployments:                        features.NewDeploymentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		resourceGroups:                     features.NewResourceGroupsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		resources:                          features.NewResourcesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		privateZones:                       privatedns.NewPrivateZonesClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		virtualNetworkLinks:                privatedns.NewVirtualNetworkLinksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		roleAssignments:                    authorization.NewRoleAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		roleDefinitions:                    authorization.NewRoleDefinitionsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		denyAssignments:                    authorization.NewDenyAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		fpPrivateEndpoints:                 network.NewPrivateEndpointsClient(_env.Environment(), _env.SubscriptionID(), localFPAuthorizer),
+		rpPrivateLinkServices:              network.NewPrivateLinkServicesClient(_env.Environment(), _env.SubscriptionID(), msiAuthorizer),
 
 		dns:     dns.NewManager(_env, localFPAuthorizer),
 		storage: storage,

diff --git a/pkg/cluster/validate.go b/pkg/cluster/validate.go
@@ -11,7 +11,7 @@ import (
 
 func (m *manager) validateResources(ctx context.Context) error {
 	ocDynamicValidator := validate.NewOpenShiftClusterDynamicValidator(
-		m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer,
+		m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer, m.dbPlatformWorkloadIdentityRoleSets,
 	)
 	err := ocDynamicValidator.Dynamic(ctx)
 	if err != nil {

diff --git a/pkg/validate/openshiftcluster_validatedynamic.go b/pkg/validate/openshiftcluster_validatedynamic.go
@@ -17,6 +17,7 @@ import (
 	"github.com/sirupsen/logrus"
 
 	"github.com/Azure/ARO-RP/pkg/api"
+	"github.com/Azure/ARO-RP/pkg/database"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/authz/remotepdp"
 	"github.com/Azure/ARO-RP/pkg/validate/dynamic"
@@ -34,24 +35,27 @@ func NewOpenShiftClusterDynamicValidator(
 	oc *api.OpenShiftCluster,
 	subscriptionDoc *api.SubscriptionDocument,
 	fpAuthorizer autorest.Authorizer,
+	dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets,
 ) OpenShiftClusterDynamicValidator {
 	return &openShiftClusterDynamicValidator{
 		log: log,
 		env: env,
 
-		oc:              oc,
-		subscriptionDoc: subscriptionDoc,
-		fpAuthorizer:    fpAuthorizer,
+		oc:                                 oc,
+		subscriptionDoc:                    subscriptionDoc,
+		fpAuthorizer:                       fpAuthorizer,
+		dbPlatformWorkloadIdentityRoleSets: dbPlatformWorkloadIdentityRoleSets,
 	}
 }
 
 type openShiftClusterDynamicValidator struct {
 	log *logrus.Entry
 	env env.Interface
 
-	oc              *api.OpenShiftCluster
-	subscriptionDoc *api.SubscriptionDocument
-	fpAuthorizer    autorest.Authorizer
+	oc                                 *api.OpenShiftCluster
+	subscriptionDoc                    *api.SubscriptionDocument
+	fpAuthorizer                       autorest.Authorizer
+	dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets
 }
 
 // ensureAccessTokenClaims can detect an error when the service principal (fp, cluster sp) has accidentally deleted from