Use tags for UID and role parsing (#242)

* Apply tags to all applicable GCP resources

* Move GCP UID and role from VM metadata to labels

* Adjust Azure tags to be in line with GCP and AWS

* Don't rely on resource name to find resources

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-10-24 16:58:21 +02:00 committed by GitHub
parent c2814aeddb
commit b35b74b772
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
34 changed files with 344 additions and 360 deletions


@ -18,6 +18,7 @@ import (
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
logs "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types"
"github.com/edgelesssys/constellation/v2/internal/cloud"
"k8s.io/utils/clock"
)
@ -147,7 +148,7 @@ func (l *Logger) createStream(ctx context.Context, imds imdsAPI) error {
l.streamName = name
// find log group with matching Constellation UID
uid, err := readInstanceTag(ctx, imds, tagUID)
uid, err := readInstanceTag(ctx, imds, cloud.TagUID)
if err != nil {
return err
}
@ -162,7 +163,7 @@ func (l *Logger) createStream(ctx context.Context, imds imdsAPI) error {
if err != nil {
continue // we may not have permission to read the tags of a log group outside the Constellation scope
}
if tags.Tags[tagUID] == uid {
if tags.Tags[cloud.TagUID] == uid {
l.groupName = *group.LogGroupName
res.NextToken = nil // stop pagination
break
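Review bot: The group match on the new line `if tags.Tags[cloud.TagUID] == uid {` also matches a log group that carries no UID tag at all whenever uid is the empty string, because a missing map key yields "". If readInstanceTag can ever hand back an empty value without an error (not visible here), the first untagged group in the account would be picked as the Constellation's log group; `if v, ok := tags.Tags[cloud.TagUID]; ok && v == uid {` makes the presence of the tag an explicit condition. Separately, the `continue` on the ListTags error a few lines above swallows throttling and other transient API errors as well as permission errors, so they surface only as "no matching group"; if that distinction matters the comment should say so, or the non-permission case should be returned wrapped. createStream begins before the first hunk and continues past the last one.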


@ -17,6 +17,7 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
logs "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types"
"github.com/edgelesssys/constellation/v2/internal/cloud"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"go.uber.org/goleak"
@ -40,8 +41,8 @@ func TestCreateStream(t *testing.T) {
"success new stream minimal": {
imds: &stubIMDS{
tags: map[string]string{
tagName: "test-instance",
tagUID: "uid",
tagName: "test-instance",
cloud.TagUID: "uid",
},
},
logs: &stubLogs{
@ -50,7 +51,7 @@ func TestCreateStream(t *testing.T) {
{LogGroupName: aws.String("test-group")},
},
},
listTags: map[string]map[string]string{"test-group": {tagUID: "uid"}},
listTags: map[string]map[string]string{"test-group": {cloud.TagUID: "uid"}},
},
wantStream: "test-instance",
wantGroup: "test-group",
@ -58,8 +59,8 @@ func TestCreateStream(t *testing.T) {
"success one group of many": {
imds: &stubIMDS{
tags: map[string]string{
tagName: "test-instance",
tagUID: "uid",
tagName: "test-instance",
cloud.TagUID: "uid",
},
},
logs: &stubLogs{
@ -89,13 +90,13 @@ func TestCreateStream(t *testing.T) {
"some-tag": "random-tag",
},
"other-group": {
tagUID: "other-uid",
cloud.TagUID: "other-uid",
},
"another-group": {
"some-tag": "uid",
},
"test-group": {
tagUID: "uid",
cloud.TagUID: "uid",
},
},
},
@ -105,8 +106,8 @@ func TestCreateStream(t *testing.T) {
"success stream exists": {
imds: &stubIMDS{
tags: map[string]string{
tagName: "test-instance",
tagUID: "uid",
tagName: "test-instance",
cloud.TagUID: "uid",
},
},
logs: &stubLogs{
@ -115,7 +116,7 @@ func TestCreateStream(t *testing.T) {
{LogGroupName: aws.String("test-group")},
},
},
listTags: map[string]map[string]string{"test-group": {tagUID: "uid"}},
listTags: map[string]map[string]string{"test-group": {cloud.TagUID: "uid"}},
createErr: &types.ResourceAlreadyExistsException{},
},
wantStream: "test-instance",
@ -124,8 +125,8 @@ func TestCreateStream(t *testing.T) {
"create stream error": {
imds: &stubIMDS{
tags: map[string]string{
tagName: "test-instance",
tagUID: "uid",
tagName: "test-instance",
cloud.TagUID: "uid",
},
},
logs: &stubLogs{
@ -134,7 +135,7 @@ func TestCreateStream(t *testing.T) {
{LogGroupName: aws.String("test-group")},
},
},
listTags: map[string]map[string]string{"test-group": {tagUID: "uid"}},
listTags: map[string]map[string]string{"test-group": {cloud.TagUID: "uid"}},
createErr: someErr,
},
wantErr: true,
@ -151,14 +152,14 @@ func TestCreateStream(t *testing.T) {
{LogGroupName: aws.String("test-group")},
},
},
listTags: map[string]map[string]string{"test-group": {tagUID: "uid"}},
listTags: map[string]map[string]string{"test-group": {cloud.TagUID: "uid"}},
},
wantErr: true,
},
"missing name tag": {
imds: &stubIMDS{
tags: map[string]string{
tagUID: "uid",
cloud.TagUID: "uid",
},
},
logs: &stubLogs{
@ -167,33 +168,33 @@ func TestCreateStream(t *testing.T) {
{LogGroupName: aws.String("test-group")},
},
},
listTags: map[string]map[string]string{"test-group": {tagUID: "uid"}},
listTags: map[string]map[string]string{"test-group": {cloud.TagUID: "uid"}},
},
wantErr: true,
},
"describe groups error": {
imds: &stubIMDS{
tags: map[string]string{
tagName: "test-instance",
tagUID: "uid",
tagName: "test-instance",
cloud.TagUID: "uid",
},
},
logs: &stubLogs{
describeErr: someErr,
listTags: map[string]map[string]string{"test-group": {tagUID: "uid"}},
listTags: map[string]map[string]string{"test-group": {cloud.TagUID: "uid"}},
},
wantErr: true,
},
"no matching groups": {
imds: &stubIMDS{
tags: map[string]string{
tagName: "test-instance",
tagUID: "uid",
tagName: "test-instance",
cloud.TagUID: "uid",
},
},
logs: &stubLogs{
describeRes1: &logs.DescribeLogGroupsOutput{},
listTags: map[string]map[string]string{"test-group": {tagUID: "uid"}},
listTags: map[string]map[string]string{"test-group": {cloud.TagUID: "uid"}},
},
wantErr: true,
},


@ -17,14 +17,13 @@ import (
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/edgelesssys/constellation/v2/internal/cloud"
"github.com/edgelesssys/constellation/v2/internal/cloud/metadata"
"github.com/edgelesssys/constellation/v2/internal/role"
)
const (
tagName = "Name"
tagRole = "constellation-role"
tagUID = "constellation-uid"
)
type ec2API interface {
@ -62,7 +61,7 @@ func (m *Metadata) Supported() bool {
// List retrieves all instances belonging to the current Constellation.
func (m *Metadata) List(ctx context.Context) ([]metadata.InstanceMetadata, error) {
uid, err := readInstanceTag(ctx, m.imds, tagUID)
uid, err := readInstanceTag(ctx, m.imds, cloud.TagUID)
if err != nil {
return nil, fmt.Errorf("retrieving uid tag: %w", err)
}
@ -85,7 +84,7 @@ func (m *Metadata) Self(ctx context.Context) (metadata.InstanceMetadata, error)
if err != nil {
return metadata.InstanceMetadata{}, fmt.Errorf("retrieving name tag: %w", err)
}
instanceRole, err := readInstanceTag(ctx, m.imds, tagRole)
instanceRole, err := readInstanceTag(ctx, m.imds, cloud.TagRole)
if err != nil {
return metadata.InstanceMetadata{}, fmt.Errorf("retrieving role tag: %w", err)
}
@ -128,7 +127,7 @@ func (m *Metadata) GetInstance(ctx context.Context, providerID string) (metadata
// UID returns the UID of the Constellation.
func (m *Metadata) UID(ctx context.Context) (string, error) {
return readInstanceTag(ctx, m.imds, tagUID)
return readInstanceTag(ctx, m.imds, cloud.TagUID)
}
// SupportsLoadBalancer returns true if the cloud provider supports load balancers.
@ -151,7 +150,7 @@ func (m *Metadata) getAllInstancesInGroup(ctx context.Context, uid string) ([]ty
instanceReq := &ec2.DescribeInstancesInput{
Filters: []types.Filter{
{
Name: aws.String("tag:" + tagUID),
Name: aws.String("tag:" + cloud.TagUID),
Values: []string{uid},
},
},
@ -199,7 +198,7 @@ func (m *Metadata) convertToMetadataInstance(ec2Instances []types.Instance) ([]m
}
newInstance.Name = name
instanceRole, err := findTag(ec2Instance.Tags, tagRole)
instanceRole, err := findTag(ec2Instance.Tags, cloud.TagRole)
if err != nil {
return nil, fmt.Errorf("retrieving tag for instance %s: %w", *ec2Instance.InstanceId, err)
}
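Review bot: With this change, membership of an instance in the Constellation is decided solely by the `Name: aws.String("tag:" + cloud.TagUID)` filter in getAllInstancesInGroup, and an instance's role solely by the cloud.TagRole lookup in Self and convertToMetadataInstance; nothing on the page verifies that these tags were set by the Constellation's own provisioning, so whoever can tag instances in the account effectively defines the instance list and its roles. That is a defensible design, but it is an implicit trust assumption that the commit message ("don't rely on resource name") invites and that should be stated next to the filter, e.g. `// Membership and role are taken from instance tags only; permission to tag instances in this account is therefore the trust boundary for List and Self.` getAllInstancesInGroup and convertToMetadataInstance both start outside their hunks, so the comment placement is at the reviewer's discretion.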


@ -17,6 +17,7 @@ import (
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
"github.com/aws/aws-sdk-go-v2/service/ec2"
"github.com/aws/aws-sdk-go-v2/service/ec2/types"
"github.com/edgelesssys/constellation/v2/internal/cloud"
"github.com/edgelesssys/constellation/v2/internal/cloud/metadata"
"github.com/edgelesssys/constellation/v2/internal/role"
"github.com/stretchr/testify/assert"
@ -41,8 +42,8 @@ func TestSelf(t *testing.T) {
},
},
tags: map[string]string{
tagName: "test-instance",
tagRole: "controlplane",
tagName: "test-instance",
cloud.TagRole: "controlplane",
},
},
wantSelf: metadata.InstanceMetadata{
@ -62,8 +63,8 @@ func TestSelf(t *testing.T) {
},
},
tags: map[string]string{
tagName: "test-instance",
tagRole: "worker",
tagName: "test-instance",
cloud.TagRole: "worker",
},
},
wantSelf: metadata.InstanceMetadata{
@ -77,8 +78,8 @@ func TestSelf(t *testing.T) {
imds: &stubIMDS{
getInstanceIdentityDocumentErr: someErr,
tags: map[string]string{
tagName: "test-instance",
tagRole: "controlplane",
tagName: "test-instance",
cloud.TagRole: "controlplane",
},
},
wantErr: true,
@ -106,7 +107,7 @@ func TestSelf(t *testing.T) {
},
},
tags: map[string]string{
tagRole: "controlplane",
cloud.TagRole: "controlplane",
},
},
wantErr: true,
@ -165,11 +166,11 @@ func TestList(t *testing.T) {
Value: aws.String("name-1"),
},
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("controlplane"),
},
{
Key: aws.String(tagUID),
Key: aws.String(cloud.TagUID),
Value: aws.String("uid"),
},
},
@ -187,11 +188,11 @@ func TestList(t *testing.T) {
Value: aws.String("name-2"),
},
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("worker"),
},
{
Key: aws.String(tagUID),
Key: aws.String(cloud.TagUID),
Value: aws.String("uid"),
},
},
@ -210,7 +211,7 @@ func TestList(t *testing.T) {
"success single page": {
imds: &stubIMDS{
tags: map[string]string{
tagUID: "uid",
cloud.TagUID: "uid",
},
},
ec2: &stubEC2{
@ -234,7 +235,7 @@ func TestList(t *testing.T) {
"success multiple pages": {
imds: &stubIMDS{
tags: map[string]string{
tagUID: "uid",
cloud.TagUID: "uid",
},
},
ec2: &stubEC2{
@ -255,11 +256,11 @@ func TestList(t *testing.T) {
Value: aws.String("name-3"),
},
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("worker"),
},
{
Key: aws.String(tagUID),
Key: aws.String(cloud.TagUID),
Value: aws.String("uid"),
},
},
@ -302,7 +303,7 @@ func TestList(t *testing.T) {
"describe instances fails": {
imds: &stubIMDS{
tags: map[string]string{
tagUID: "uid",
cloud.TagUID: "uid",
},
},
ec2: &stubEC2{
@ -350,7 +351,7 @@ func TestConvertToMetadataInstance(t *testing.T) {
Value: aws.String("name-1"),
},
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("controlplane"),
},
},
@ -377,7 +378,7 @@ func TestConvertToMetadataInstance(t *testing.T) {
Value: aws.String("name-1"),
},
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("controlplane"),
},
},
@ -417,7 +418,7 @@ func TestConvertToMetadataInstance(t *testing.T) {
Value: aws.String("name-1"),
},
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("controlplane"),
},
},
@ -439,7 +440,7 @@ func TestConvertToMetadataInstance(t *testing.T) {
Value: aws.String("name-1"),
},
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("controlplane"),
},
},
@ -458,7 +459,7 @@ func TestConvertToMetadataInstance(t *testing.T) {
},
Tags: []types.Tag{
{
Key: aws.String(tagRole),
Key: aws.String(cloud.TagRole),
Value: aws.String("controlplane"),
},
},