From 3bbe4dff00a6cdd6a929788fb524cfdd8f7d5379 Mon Sep 17 00:00:00 2001
From: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Date: Wed, 11 Oct 2023 10:53:47 -0400
Subject: [PATCH] feat(health): add iammanager.keikoproj.io/Iamrole health check (#15899)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
---
 .../Iamrole/health.lua | 33 +++++++++++++++++++
 .../Iamrole/health_test.yaml | 20 +++++++++++
 .../Iamrole/testdata/degraded_error.yaml | 29 ++++++++++++++++
 .../degraded_rolesMaxLimitReached.yaml | 26 +++++++++++++++
 .../Iamrole/testdata/healthy.yaml | 27 +++++++++++++++
 .../testdata/progressing_noStatus.yaml | 20 +++++++++++
 6 files changed, 155 insertions(+)
 create mode 100644 resource_customizations/iammanager.keikoproj.io/Iamrole/health.lua
 create mode 100644 resource_customizations/iammanager.keikoproj.io/Iamrole/health_test.yaml
 create mode 100644 resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_error.yaml
 create mode 100644 resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_rolesMaxLimitReached.yaml
 create mode 100644 resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/healthy.yaml
 create mode 100644 resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/progressing_noStatus.yaml

diff --git a/resource_customizations/iammanager.keikoproj.io/Iamrole/health.lua b/resource_customizations/iammanager.keikoproj.io/Iamrole/health.lua
new file mode 100644
index 0000000000000..0b89687e08637
--- /dev/null
+++ b/resource_customizations/iammanager.keikoproj.io/Iamrole/health.lua
@@ -0,0 +1,33 @@
+local hs = {}
+if obj.status ~= nil then
+ -- Each message may or may not use these.
+ local roleName = obj.status.roleName or ""
+ local roleARN = obj.status.roleARN or ""
+ local roleID = obj.status.roleID or ""
+
+ if obj.status.state == "Ready" then
+ hs.status = "Healthy"
+ hs.message = "Role '" .. roleName .. "' exists with ARN '" .. roleARN .. "' and ID '" .. roleID .. "'."
+ return hs
+ end
+
+ local message = ""
+ -- Current non-ready statuses: https://github.com/keikoproj/iam-manager/blob/3aeb2f8ec3005e1c53a057b3b0f79e14a0e5b9cb/api/v1alpha1/iamrole_types.go#L150-L156
+ if obj.status.state == "Error" or obj.status.state == "RolesMaxLimitReached" or obj.status.state == "PolicyNotAllowed" or obj.status.state == "RoleNameNotAvailable" then
+ hs.status = "Degraded"
+ message = "Failed to reconcile the Iamrole "
+ if obj.status.retryCount ~= nil and obj.status.retryCount > 0 then
+ message = message .. "(retry " .. tostring(obj.status.retryCount) .. ") "
+ end
+ message = message .. "for role '" .. roleName .. "' with ARN '" .. roleARN .. "' and ID '" .. roleID .. "'."
+ if obj.status.errorDescription ~= nil then
+ message = message .. " Reconciliation error was: " .. obj.status.errorDescription
+ end
+ hs.message = message
+ return hs
+ end
+end
+
+hs.status = "Progressing"
+hs.message = "Waiting for Iamrole to be reconciled"
+return hs
diff --git a/resource_customizations/iammanager.keikoproj.io/Iamrole/health_test.yaml b/resource_customizations/iammanager.keikoproj.io/Iamrole/health_test.yaml
new file mode 100644
index 0000000000000..660276f41f475
--- /dev/null
+++ b/resource_customizations/iammanager.keikoproj.io/Iamrole/health_test.yaml
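Review bot: In health.lua, a status whose `state` is missing or is not one of the five values compared here falls through both `if` blocks to the final `hs.status = "Progressing"` with the fixed text "Waiting for Iamrole to be reconciled", so the health message hides whatever the controller actually reported. The handled set is pinned to one upstream commit (the URL in the comment), so a state added later would presumably show as Progressing indefinitely with no hint of the cause. Consider carrying the raw value into the fallback just before the last `return hs`: `if obj.status ~= nil and obj.status.state ~= nil then hs.message = hs.message .. " (state: " .. tostring(obj.status.state) .. ")" end`. The existing progressing_noStatus case has no `status` block, so its expected message would not change.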
@@ -0,0 +1,20 @@
+tests:
+- healthStatus:
+ status: Degraded
+ message: |-
+ Failed to reconcile the Iamrole (retry 1) for role 'k8s-test' with ARN 'arn:aws:iam::111111111111:role/k8s-test' and ID 'ABCDEFGHIJKLMNOPQRSTU'. Reconciliation error was: NoSuchEntity: The role with name k8s-test cannot be found.
+ status code: 404, request id: f80c99fc-c78d-4b1c-806d-3a162fbbc900
+ inputPath: testdata/degraded_error.yaml
+- healthStatus:
+ status: Degraded
+ message: |-
+ Failed to reconcile the Iamrole for role 'k8s-test' with ARN '' and ID ''. Reconciliation error was: maximum number of allowed roles reached. You must delete any existing role before proceeding further
+ inputPath: testdata/degraded_rolesMaxLimitReached.yaml
+- healthStatus:
+ status: Healthy
+ message: Role 'k8s-test' exists with ARN 'arn:aws:iam::111111111111:role/k8s-test' and ID 'ABCDEFGHIJKLMNOPQRSTU'.
+ inputPath: testdata/healthy.yaml
+- healthStatus:
+ status: Progressing
+ message: 'Waiting for Iamrole to be reconciled'
+ inputPath: testdata/progressing_noStatus.yaml
diff --git a/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_error.yaml b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_error.yaml
new file mode 100644
index 0000000000000..3bf3e7cee2b85
--- /dev/null
+++ b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_error.yaml
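Review bot: health_test.yaml covers only two of the four states that health.lua maps to Degraded: `Error` and `RolesMaxLimitReached` have fixtures, while `PolicyNotAllowed` and `RoleNameNotAvailable` have none. There is also no case for a `status` block that is present but carries no recognised `state`, which is the other path into the Progressing branch. `PolicyNotAllowed` is presumably the state operators most need surfaced correctly, since it would indicate a rejected policy document. A fixture named like the existing `degraded_*.yaml` files, with a matching `healthStatus` entry here, would pin that behaviour.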
@@ -0,0 +1,29 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+ finalizers:
+ - iamrole.finalizers.iammanager.keikoproj.io
+ name: iamrole
+ namespace: test
+spec:
+ PolicyDocument:
+ Statement:
+ - Action:
+ - ec2:*
+ Effect: Deny
+ Resource:
+ - '*'
+ - Action:
+ - iam:*
+ Effect: Deny
+ Resource:
+ - '*'
+status:
+ errorDescription: "NoSuchEntity: The role with name k8s-test cannot
+ be found.\n\tstatus code: 404, request id: f80c99fc-c78d-4b1c-806d-3a162fbbc900"
+ lastUpdatedTimestamp: "2023-10-10T19:31:06Z"
+ retryCount: 1
+ roleARN: arn:aws:iam::111111111111:role/k8s-test
+ roleID: ABCDEFGHIJKLMNOPQRSTU
+ roleName: k8s-test
+ state: Error
diff --git a/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_rolesMaxLimitReached.yaml b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_rolesMaxLimitReached.yaml
new file mode 100644
index 0000000000000..906c72083bede
--- /dev/null
+++ b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/degraded_rolesMaxLimitReached.yaml
@@ -0,0 +1,26 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+ finalizers:
+ - iamrole.finalizers.iammanager.keikoproj.io
+ name: iamrole
+ namespace: test
+spec:
+ PolicyDocument:
+ Statement:
+ - Action:
+ - ec2:*
+ Effect: Deny
+ Resource:
+ - '*'
+ - Action:
+ - iam:*
+ Effect: Deny
+ Resource:
+ - '*'
+status:
+ errorDescription: maximum number of allowed roles reached. You must delete any existing role before proceeding further
+ lastUpdatedTimestamp: "2023-10-10T19:25:26Z"
+ retryCount: 0
+ roleName: k8s-test
+ state: RolesMaxLimitReached
diff --git a/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/healthy.yaml b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/healthy.yaml
new file mode 100644
index 0000000000000..273cf3a571234
--- /dev/null
+++ b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/healthy.yaml
@@ -0,0 +1,27 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+ finalizers:
+ - iamrole.finalizers.iammanager.keikoproj.io
+ name: iamrole
+ namespace: default
+spec:
+ PolicyDocument:
+ Statement:
+ - Action:
+ - 'ec2:*'
+ Effect: Deny
+ Resource:
+ - '*'
+ - Action:
+ - 'iam:*'
+ Effect: Deny
+ Resource:
+ - '*'
+status:
+ lastUpdatedTimestamp: '2023-10-10T20:36:23Z'
+ retryCount: 0
+ roleARN: 'arn:aws:iam::111111111111:role/k8s-test'
+ roleID: ABCDEFGHIJKLMNOPQRSTU
+ roleName: k8s-test
+ state: Ready
diff --git a/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/progressing_noStatus.yaml b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/progressing_noStatus.yaml
new file mode 100644
index 0000000000000..29c18a4c0380a
--- /dev/null
+++ b/resource_customizations/iammanager.keikoproj.io/Iamrole/testdata/progressing_noStatus.yaml
@@ -0,0 +1,20 @@
+apiVersion: iammanager.keikoproj.io/v1alpha1
+kind: Iamrole
+metadata:
+ finalizers:
+ - iamrole.finalizers.iammanager.keikoproj.io
+ name: iamrole
+ namespace: default
+spec:
+ PolicyDocument:
+ Statement:
+ - Action:
+ - 'ec2:*'
+ Effect: Deny
+ Resource:
+ - '*'
+ - Action:
+ - 'iam:*'
+ Effect: Deny
+ Resource:
+ - '*'