[WIP ]Fix: wrong AWS creds passed to External DNS (#1248)

* Fix: wrong AWS creds passed to External DNS * Wrap errors
banzaicloud · Oct 20, 2018 · 9c492a1 · 9c492a1
1 parent 8f3458e
commit 9c492a1
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 61 deletions.
diff --git a/cluster/hooks.go b/cluster/hooks.go
@@ -39,6 +39,7 @@ import (
 	"github.com/banzaicloud/pipeline/secret"
 	"github.com/ghodss/yaml"
 	"github.com/go-errors/errors"
+	"github.com/goph/emperror"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/viper"
 	"k8s.io/api/core/v1"
@@ -862,8 +863,7 @@ func RegisterDomainPostHook(input interface{}) error {
 
 	dnsSvc, err := dns.GetExternalDnsServiceClient()
 	if err != nil {
-		log.Errorf("Getting external dns service client failed: %s", err.Error())
-		return err
+		return emperror.Wrap(err, "Getting external dns service client failed")
 	}
 
 	if dnsSvc == nil {
@@ -873,44 +873,38 @@ func RegisterDomainPostHook(input interface{}) error {
 
 	org, err := auth.GetOrganizationById(orgId)
 	if err != nil {
-		log.Errorf("Retrieving organization with id %d failed: %s", orgId, err.Error())
-		return err
+		return emperror.Wrapf(err, "Retrieving organization with id %d failed", orgId)
 	}
 
 	domain := fmt.Sprintf("%s.%s", org.Name, domainBase)
 
 	registered, err := dnsSvc.IsDomainRegistered(orgId, domain)
 	if err != nil {
-		log.Errorf("Checking if domain '%s' is already registered failed: %s", domain, err.Error())
-		return err
+		return emperror.Wrapf(err, "Checking if domain '%s' is already registered failed", domain)
 	}
 
 	if !registered {
 		if err = dnsSvc.RegisterDomain(orgId, domain); err != nil {
-			log.Errorf("Registering domain '%s' failed: %s", domain, err.Error())
-			return err
+			return emperror.Wrapf(err, "Registering domain '%s' failed", domain)
 		}
 	} else {
 		log.Infof("Domain '%s' already registered", domain)
 	}
 
-	secretSources, err := InstallSecrets(
+	route53Secret, err := secret.Store.GetByName(orgId, route53.IAMUserAccessKeySecretName)
+	if err != nil {
+		return emperror.Wrap(err, "Failed to install route53 secret into cluster")
+	}
+	_, err = InstallSecrets(
 		commonCluster,
 		&pkgSecret.ListSecretsQuery{
 			Type: pkgCluster.Amazon,
-			Tags: []string{pkgSecret.TagBanzaiHidden},
+			IDs:  []string{route53Secret.ID},
 		},
 		route53SecretNamespace,
 	)
 	if err != nil {
-		log.Errorf("Failed to install route53 secret into cluster: %s", err.Error())
-		return err
-	}
-
-	route53Secret, err := secret.Store.GetByName(orgId, secretSources[0].Name)
-	if err != nil {
-		log.Errorf("Failed to get the route53 secret : %s", err.Error())
-		return err
+		return emperror.Wrap(err, "Failed to install route53 secret into cluster")
 	}
 
 	log.Info("route53 secret successfully installed into cluster.")
@@ -931,7 +925,7 @@ func RegisterDomainPostHook(input interface{}) error {
 
 	externalDnsValuesJson, err := json.Marshal(externalDnsValues)
 	if err != nil {
-		return errors.Errorf("Json Convert Failed : %s", err.Error())
+		return emperror.Wrap(err, "Json Convert Failed")
 	}
 	chartVersion := viper.GetString(pipConfig.DNSExternalDnsChartVersion)
 

diff --git a/config/config.toml.example b/config/config.toml.example
@@ -95,7 +95,7 @@ domain = "example.org"
 # Kubernetes namespace which the secret for interacting with external DNS server (Route53) is created into
 secretNamespace = "default"
 
-# The interval in mintutes at which the garbage collector runs to clean up unused organisation level domains
+# The interval in minutes at which the garbage collector runs to clean up unused organisation level domains
 gcIntervalMinute = 1
 
 gcLogLevel = "debug"

diff --git a/dns/route53/route53.go b/dns/route53/route53.go
@@ -483,25 +483,15 @@ func (dns *awsRoute53) unregisterDomain(orgId uint, domain string) error {
 	}
 
 	// delete route53 secret
-	secrets, err := secret.Store.List(orgId,
-		&secretTypes.ListSecretsQuery{
-			Type: cluster.Amazon,
-			Tags: []string{secretTypes.TagBanzaiHidden},
-		})
-
-	if err != nil {
+	secretItem, err := secret.Store.GetByName(orgId, IAMUserAccessKeySecretName)
+	if err != nil && err != secret.ErrSecretNotExists {
 		dns.updateStateWithError(state, err)
 		return err
 	}
-
-	for _, item := range secrets {
-		if item.Name == IAMUserAccessKeySecretName {
-			if err := secret.Store.Delete(orgId, item.ID); err != nil {
-				dns.updateStateWithError(state, err)
-				return err
-			}
-
-			break
+	if secretItem != nil {
+		if err := secret.Store.Delete(orgId, secretItem.ID); err != nil {
+			dns.updateStateWithError(state, err)
+			return err
 		}
 	}
 
@@ -784,34 +774,12 @@ func (dns *awsRoute53) setupAmazonAccess(iamUser string, ctx *context) error {
 // getRoute53Secret returns the secret from Vault that stores the IAM user
 // aws access credentials that is used for accessing the Route53 Amazon service
 func (dns *awsRoute53) getRoute53Secret(orgId uint) (*secret.SecretItemResponse, error) {
-	awsAccessSecrets, err := secret.Store.List(orgId,
-		&secretTypes.ListSecretsQuery{
-			Type:   cluster.Amazon,
-			Tags:   []string{secretTypes.TagBanzaiHidden},
-			Values: true,
-		})
-
-	if err != nil {
+	route53Secret, err := secret.Store.GetByName(orgId, IAMUserAccessKeySecretName)
+	if err != nil && err != secret.ErrSecretNotExists {
 		return nil, err
 	}
 
-	// route53 secret
-	var route53Secrets []*secret.SecretItemResponse
-	for _, awsAccessSecret := range awsAccessSecrets {
-		if awsAccessSecret.Name == IAMUserAccessKeySecretName {
-			route53Secrets = append(route53Secrets, awsAccessSecret)
-		}
-	}
-
-	if len(route53Secrets) > 1 {
-		return nil, fmt.Errorf("multiple secrets found with name '%s'", IAMUserAccessKeySecretName)
-	}
-
-	if len(route53Secrets) == 1 {
-		return route53Secrets[0], nil
-	}
-
-	return nil, nil
+	return route53Secret, nil
 }
 
 // storeRoute53Secret stores the provided Amazon access key in Vault