ARO-RP/pkg/cluster/storageaccounts.go

package cluster

// Copyright (c) Microsoft Corporation.
// Licensed under the Apache License 2.0.

import (
	"context"
	"fmt"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"github.com/Azure/ARO-RP/pkg/api"
	"github.com/Azure/ARO-RP/pkg/util/arm"
	"github.com/Azure/ARO-RP/pkg/util/stringutils"
)

// migrateStorageAccounts redeploys storage accounts with firewall rules preventing external access
// The encryption flag is set to false/disabled for legacy storage accounts.
func (m *manager) migrateStorageAccounts(ctx context.Context) error {
	resourceGroup := stringutils.LastTokenByte(m.doc.OpenShiftCluster.Properties.ClusterProfile.ResourceGroupID, '/')
	ocpSubnets, err := m.subnetsWithServiceEndpoint(ctx, storageServiceEndpoint)
	if err != nil {
		return err
	}

	clusterStorageAccountName := "cluster" + m.doc.OpenShiftCluster.Properties.StorageSuffix
	registryStorageAccountName := m.doc.OpenShiftCluster.Properties.ImageRegistryStorageAccountName

	t := &arm.Template{
		Schema:         "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
		ContentVersion: "1.0.0.0",
		Resources: []*arm.Resource{
			m.storageAccount(clusterStorageAccountName, m.doc.OpenShiftCluster.Location, ocpSubnets, false, true),
			m.storageAccount(registryStorageAccountName, m.doc.OpenShiftCluster.Location, ocpSubnets, false, false),
		},
	}

	return arm.DeployTemplate(ctx, m.log, m.deployments, resourceGroup, "storage", t, nil)
}

func (m *manager) populateRegistryStorageAccountName(ctx context.Context) error {
	if m.doc.OpenShiftCluster.Properties.ImageRegistryStorageAccountName != "" {
		return nil
	}

	rc, err := m.imageregistrycli.ImageregistryV1().Configs().Get(ctx, "cluster", metav1.GetOptions{})
	if err != nil {
		return err
	}

	m.doc, err = m.db.PatchWithLease(ctx, m.doc.Key, func(doc *api.OpenShiftClusterDocument) error {
		if rc.Spec.Storage.Azure == nil {
			return fmt.Errorf("azure storage field is nil in image registry config")
		}

		doc.OpenShiftCluster.Properties.ImageRegistryStorageAccountName = rc.Spec.Storage.Azure.AccountName
		return nil
	})
	return err
}
populate registry storage account name 2021-09-06 17:42:15 +03:00			`package cluster`

			`// Copyright (c) Microsoft Corporation.`
			`// Licensed under the Apache License 2.0.`

			`import (`
			`"context"`
Fix some drift from multiple merges (#2317) 2022-08-09 09:53:57 +03:00			`"fmt"`
populate registry storage account name 2021-09-06 17:42:15 +03:00
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

			`"github.com/Azure/ARO-RP/pkg/api"`
storageacc handling for install/update 2021-09-10 14:04:26 +03:00			`"github.com/Azure/ARO-RP/pkg/util/arm"`
			`"github.com/Azure/ARO-RP/pkg/util/stringutils"`
populate registry storage account name 2021-09-06 17:42:15 +03:00			`)`

Addressing feedback generate 2022-01-26 00:10:52 +03:00			`// migrateStorageAccounts redeploys storage accounts with firewall rules preventing external access`
			`// The encryption flag is set to false/disabled for legacy storage accounts.`
storageacc handling for install/update 2021-09-10 14:04:26 +03:00			`func (m *manager) migrateStorageAccounts(ctx context.Context) error {`
			`resourceGroup := stringutils.LastTokenByte(m.doc.OpenShiftCluster.Properties.ClusterProfile.ResourceGroupID, '/')`
Add NACLs for OCP Subnets iff service endpoints set on subnets 2023-10-12 19:53:38 +03:00			`ocpSubnets, err := m.subnetsWithServiceEndpoint(ctx, storageServiceEndpoint)`
			`if err != nil {`
			`return err`
Fixed formatting issues and made the changes suggested in PR 2152 2022-06-07 10:04:16 +03:00			`}`
Add NACLs for OCP Subnets iff service endpoints set on subnets 2023-10-12 19:53:38 +03:00
storageacc handling for install/update 2021-09-10 14:04:26 +03:00			`clusterStorageAccountName := "cluster" + m.doc.OpenShiftCluster.Properties.StorageSuffix`
			`registryStorageAccountName := m.doc.OpenShiftCluster.Properties.ImageRegistryStorageAccountName`

			`t := &arm.Template{`
			`Schema: "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",`
			`ContentVersion: "1.0.0.0",`
			`Resources: []*arm.Resource{`
ARO-9712 disallow shared access keys for managed identity clusters 2024-10-09 18:18:05 +03:00			`m.storageAccount(clusterStorageAccountName, m.doc.OpenShiftCluster.Location, ocpSubnets, false, true),`
			`m.storageAccount(registryStorageAccountName, m.doc.OpenShiftCluster.Location, ocpSubnets, false, false),`
storageacc handling for install/update 2021-09-10 14:04:26 +03:00			`},`
			`}`

use the ARM deploytemplate code directly in pkg/cluster 2022-05-03 05:10:43 +03:00			`return arm.DeployTemplate(ctx, m.log, m.deployments, resourceGroup, "storage", t, nil)`
storageacc handling for install/update 2021-09-10 14:04:26 +03:00			`}`

populate registry storage account name 2021-09-06 17:42:15 +03:00			`func (m *manager) populateRegistryStorageAccountName(ctx context.Context) error {`
			`if m.doc.OpenShiftCluster.Properties.ImageRegistryStorageAccountName != "" {`
			`return nil`
			`}`

Addressing feedback FIx 2022-02-16 17:16:48 +03:00			`rc, err := m.imageregistrycli.ImageregistryV1().Configs().Get(ctx, "cluster", metav1.GetOptions{})`
populate registry storage account name 2021-09-06 17:42:15 +03:00			`if err != nil {`
			`return err`
			`}`

			`m.doc, err = m.db.PatchWithLease(ctx, m.doc.Key, func(doc *api.OpenShiftClusterDocument) error {`
handle nil and return error 2022-08-04 13:11:43 +03:00			`if rc.Spec.Storage.Azure == nil {`
			`return fmt.Errorf("azure storage field is nil in image registry config")`
			`}`

populate registry storage account name 2021-09-06 17:42:15 +03:00			`doc.OpenShiftCluster.Properties.ImageRegistryStorageAccountName = rc.Spec.Storage.Azure.AccountName`
			`return nil`
			`})`
			`return err`
			`}`