Fixing client code (#60)

* Fixing client code * Moving secret provider to auth config * Updating lib and rebasing * Rebasing with master branch * Changes to pass secret provider interface * Update go.mod * Updating lib * Updating sample code * Fixing UT * Updating lib and addressing comments * Fix done while testing * Addressing comments * Addressing comments * Passing k8s client * Updating lib * Updating lib * Removing GC dependency * make vet fix * Moving to G2 resource group ID * Updating lib
IBM · Jan 30, 2023 · 4e3a8e7 · 4e3a8e7
1 parent f038dbf
commit 4e3a8e7
Show file tree

Hide file tree

Showing 14 changed files with 160 additions and 133 deletions.
diff --git a/block/provider/create_snapshot.go b/block/provider/create_snapshot.go
@@ -47,7 +47,7 @@ func (vpcs *VPCSession) CreateSnapshot(sourceVolumeID string, snapshotParameters
 	snapshotTemplate := &models.Snapshot{
 		Name:          snapshotParameters.Name,
 		SourceVolume:  &models.SourceVolume{ID: sourceVolumeID},
-		ResourceGroup: &models.ResourceGroup{ID: vpcs.Config.VPCConfig.ResourceGroupID},
+		ResourceGroup: &models.ResourceGroup{ID: vpcs.Config.VPCConfig.G2ResourceGroupID},
 	}
 
 	err = retry(vpcs.Logger, func() error {

diff --git a/block/provider/provider.go b/block/provider/provider.go
@@ -26,6 +26,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/IBM/secret-utils-lib/pkg/k8s_utils"
+
 	"github.com/IBM/ibmcloud-volume-interface/config"
 	"github.com/IBM/ibmcloud-volume-interface/lib/metrics"
 	"github.com/IBM/ibmcloud-volume-interface/lib/provider"
@@ -70,61 +72,32 @@ type VPCBlockProvider struct {
 var _ local.Provider = &VPCBlockProvider{}
 
 // NewProvider initialises an instance of an IaaS provider.
-func NewProvider(conf *vpcconfig.VPCBlockConfig, logger *zap.Logger) (local.Provider, error) {
+func NewProvider(conf *vpcconfig.VPCBlockConfig, k8sClient *k8s_utils.KubernetesClient, logger *zap.Logger) (local.Provider, error) {
 	logger.Info("Entering NewProvider")
 
 	if conf.VPCConfig == nil {
 		return nil, errors.New("incomplete config for VPCBlockProvider")
 	}
 
-	//Do config validation and enable only one generationType (i.e VPC-Classic | VPC-NG)
-	gcConfigFound := (conf.VPCConfig.EndpointURL != "" || conf.VPCConfig.PrivateEndpointURL != "") && (conf.VPCConfig.TokenExchangeURL != "" || conf.VPCConfig.IKSTokenExchangePrivateURL != "") && (conf.VPCConfig.APIKey != "") && (conf.VPCConfig.ResourceGroupID != "")
-	g2ConfigFound := (conf.VPCConfig.G2EndpointPrivateURL != "" || conf.VPCConfig.G2EndpointURL != "") && (conf.VPCConfig.IKSTokenExchangePrivateURL != "" || conf.VPCConfig.G2TokenExchangeURL != "") && (conf.VPCConfig.G2APIKey != "") && (conf.VPCConfig.G2ResourceGroupID != "")
-	//if both config found, look for VPCTypeEnabled, otherwise default to GC
-	//Incase of NG configurations, override the base properties.
-	if (gcConfigFound && g2ConfigFound && conf.VPCConfig.VPCTypeEnabled == VPCNextGen) || (!gcConfigFound && g2ConfigFound) {
-		// overwrite the common variable in case of g2 i.e gen2, first preferences would be private endpoint
-		if conf.VPCConfig.G2EndpointPrivateURL != "" {
-			conf.VPCConfig.EndpointURL = conf.VPCConfig.G2EndpointPrivateURL
-		} else {
-			conf.VPCConfig.EndpointURL = conf.VPCConfig.G2EndpointURL
-		}
-
-		// update iam based public toke exchange endpoint
-		conf.VPCConfig.TokenExchangeURL = conf.VPCConfig.G2TokenExchangeURL
-
-		conf.VPCConfig.APIKey = conf.VPCConfig.G2APIKey
-		conf.VPCConfig.ResourceGroupID = conf.VPCConfig.G2ResourceGroupID
+	if conf.VPCConfig.G2EndpointPrivateURL != "" {
+		conf.VPCConfig.G2EndpointURL = conf.VPCConfig.G2EndpointPrivateURL
+	}
 
-		//Set API Generation As 2 (if unspecified in config/ENV-VAR)
-		if conf.VPCConfig.G2VPCAPIGeneration <= 0 {
-			conf.VPCConfig.G2VPCAPIGeneration = NEXTGenProvider
-		}
-		conf.VPCConfig.VPCAPIGeneration = conf.VPCConfig.G2VPCAPIGeneration
+	//Set API Generation As 2
+	conf.VPCConfig.G2VPCAPIGeneration = NEXTGenProvider
 
-		//Set the APIVersion Date, it can be different in GC and NG
-		if conf.VPCConfig.G2APIVersion != "" {
-			conf.VPCConfig.APIVersion = conf.VPCConfig.G2APIVersion
-		}
+	//Set the APIVersion Date, it can be different in GC and NG
+	if conf.VPCConfig.G2APIVersion != "" {
+		conf.VPCConfig.APIVersion = conf.VPCConfig.G2APIVersion
+	}
 
-		//set provider-type (this usually comes from the secret)
-		if conf.VPCConfig.VPCBlockProviderType != VPCNextGen {
-			conf.VPCConfig.VPCBlockProviderType = VPCNextGen
-		}
+	//set provider-type
+	conf.VPCConfig.VPCBlockProviderType = VPCNextGen
 
-		//Mark this as enabled/active
-		if conf.VPCConfig.VPCTypeEnabled != VPCNextGen {
-			conf.VPCConfig.VPCTypeEnabled = VPCNextGen
-		}
-	} else { //This is GC, no-override required
-		conf.VPCConfig.VPCBlockProviderType = VPCClassic //incase of gc, i dont see its being set in slclient.toml, but NG cluster has this
-		// For backward compatibility as some of the cluster storage secret may not have private gc endpoint url
-		if conf.VPCConfig.PrivateEndpointURL != "" {
-			conf.VPCConfig.EndpointURL = conf.VPCConfig.PrivateEndpointURL
-		}
-	}
+	//Mark this as enabled/active
+	conf.VPCConfig.VPCTypeEnabled = VPCNextGen
 
-	contextCF, err := vpcauth.NewVPCContextCredentialsFactory(conf)
+	contextCF, err := vpcauth.NewVPCContextCredentialsFactory(conf, k8sClient)
 	if err != nil {
 		return nil, err
 	}
@@ -153,11 +126,11 @@ func NewProvider(conf *vpcconfig.VPCBlockConfig, logger *zap.Logger) (local.Prov
 		ContextCF:      contextCF,
 		httpClient:     httpClient,
 		APIConfig: riaas.Config{
-			BaseURL:       conf.VPCConfig.EndpointURL,
+			BaseURL:       conf.VPCConfig.G2EndpointURL,
 			HTTPClient:    httpClient,
-			APIVersion:    conf.VPCConfig.APIVersion,
-			APIGeneration: conf.VPCConfig.VPCAPIGeneration,
-			ResourceGroup: conf.VPCConfig.ResourceGroupID,
+			APIVersion:    conf.VPCConfig.G2APIVersion,
+			APIGeneration: conf.VPCConfig.G2VPCAPIGeneration,
+			ResourceGroup: conf.VPCConfig.G2ResourceGroupID,
 		},
 	}
 	// Update VPC config for IKS deployment

diff --git a/block/provider/provider_test.go b/block/provider/provider_test.go
@@ -22,6 +22,8 @@ import (
 	"context"
 	"net/http"
 	"net/http/httptest"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -33,6 +35,7 @@ import (
 	vpcconfig "github.com/IBM/ibmcloud-volume-vpc/block/vpcconfig"
 	"github.com/IBM/ibmcloud-volume-vpc/common/vpcclient/riaas/fakes"
 	volumeServiceFakes "github.com/IBM/ibmcloud-volume-vpc/common/vpcclient/vpcvolume/fakes"
+	"github.com/IBM/secret-utils-lib/pkg/k8s_utils"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap"
@@ -105,9 +108,13 @@ func TestNewProvider(t *testing.T) {
 		},
 	}
 
-	prov, err := NewProvider(conf, logger)
-	assert.Nil(t, prov)
-	assert.NotNil(t, err)
+	kc, _ := k8s_utils.FakeGetk8sClientSet()
+	pwd, _ := os.Getwd()
+	file := filepath.Join(pwd, "..", "..", "etc", "libconfig.toml")
+	err = k8s_utils.FakeCreateSecret(kc, "DEFAULT", file)
+	prov, err := NewProvider(conf, &kc, logger)
+	assert.NotNil(t, prov)
+	assert.Nil(t, err)
 }
 
 func GetTestProvider(t *testing.T, logger *zap.Logger) (*VPCBlockProvider, error) {

diff --git a/block/utils/init_provider.go b/block/utils/init_provider.go
@@ -27,19 +27,20 @@ import (
 	vpcconfig "github.com/IBM/ibmcloud-volume-vpc/block/vpcconfig"
 	"github.com/IBM/ibmcloud-volume-vpc/common/registry"
 	iks_vpc_provider "github.com/IBM/ibmcloud-volume-vpc/iks/provider"
+	"github.com/IBM/secret-utils-lib/pkg/k8s_utils"
 	"go.uber.org/zap"
 	"golang.org/x/net/context"
 )
 
 // InitProviders initialization for all providers as per configurations
-func InitProviders(conf *vpcconfig.VPCBlockConfig, logger *zap.Logger) (registry.Providers, error) {
+func InitProviders(conf *vpcconfig.VPCBlockConfig, k8sClient *k8s_utils.KubernetesClient, logger *zap.Logger) (registry.Providers, error) {
 	var haveProviders bool
 	providerRegistry := &registry.ProviderRegistry{}
 
 	// VPC provider registration
 	if conf.VPCConfig != nil && conf.VPCConfig.Enabled {
 		logger.Info("Configuring VPC Block Provider")
-		prov, err := vpc_provider.NewProvider(conf, logger)
+		prov, err := vpc_provider.NewProvider(conf, k8sClient, logger)
 		if err != nil {
 			logger.Info("VPC block provider error!")
 			return nil, err
@@ -51,7 +52,7 @@ func InitProviders(conf *vpcconfig.VPCBlockConfig, logger *zap.Logger) (registry
 	// IKS provider registration
 	if conf.IKSConfig != nil && conf.IKSConfig.Enabled {
 		logger.Info("Configuring IKS-VPC Block Provider")
-		prov, err := iks_vpc_provider.NewProvider(conf, logger)
+		prov, err := iks_vpc_provider.NewProvider(conf, k8sClient, logger)
 		if err != nil {
 			logger.Info("VPC block provider error!")
 			return nil, err
@@ -106,7 +107,7 @@ func GenerateContextCredentials(conf *vpcconfig.VPCBlockConfig, providerID strin
 	switch {
 	case (conf.VPCConfig != nil && providerID == conf.VPCConfig.VPCBlockProviderName):
 		ctxLogger.Info("Calling provider/init_provider.go ForIAMAccessToken")
-		return contextCredentialsFactory.ForIAMAccessToken(conf.VPCConfig.APIKey, ctxLogger)
+		return contextCredentialsFactory.ForIAMAccessToken(conf.VPCConfig.G2APIKey, ctxLogger)
 
 	case (conf.IKSConfig != nil && providerID == conf.IKSConfig.IKSBlockProviderName):
 		return provider.ContextCredentials{}, nil // Get credentials  in OpenSession method

diff --git a/common/auth/factory.go b/common/auth/factory.go
@@ -22,26 +22,27 @@ import (
 	"github.com/IBM/ibmcloud-volume-interface/provider/iam"
 	vpcconfig "github.com/IBM/ibmcloud-volume-vpc/block/vpcconfig"
 	vpciam "github.com/IBM/ibmcloud-volume-vpc/common/iam"
+	"github.com/IBM/secret-utils-lib/pkg/k8s_utils"
 )
 
 // NewVPCContextCredentialsFactory ...
-func NewVPCContextCredentialsFactory(config *vpcconfig.VPCBlockConfig) (*auth.ContextCredentialsFactory, error) {
+func NewVPCContextCredentialsFactory(config *vpcconfig.VPCBlockConfig, k8sClient *k8s_utils.KubernetesClient) (*auth.ContextCredentialsFactory, error) {
 	authConfig := &iam.AuthConfiguration{
-		IamURL:          config.VPCConfig.TokenExchangeURL,
+		IamURL:          config.VPCConfig.G2TokenExchangeURL,
 		IamClientID:     config.VPCConfig.IamClientID,
 		IamClientSecret: config.VPCConfig.IamClientSecret,
 	}
-	ccf, err := auth.NewContextCredentialsFactory(authConfig, iam.VPC)
+	ccf, err := auth.NewContextCredentialsFactory(authConfig, k8sClient, iam.VPC)
 	if err != nil {
 		return nil, err
 	}
 	if config.VPCConfig.IKSTokenExchangePrivateURL != "" {
 		authIKSConfig := &vpciam.IksAuthConfiguration{
-			IamAPIKey:       config.VPCConfig.APIKey,
+			IamAPIKey:       config.VPCConfig.G2APIKey,
 			PrivateAPIRoute: config.VPCConfig.IKSTokenExchangePrivateURL, // Only for private cluster
 			CSRFToken:       config.APIConfig.PassthroughSecret,          // required for private cluster
 		}
-		ccf.TokenExchangeService, err = vpciam.NewTokenExchangeIKSService(authIKSConfig)
+		ccf.TokenExchangeService, err = vpciam.NewTokenExchangeIKSService(authIKSConfig, k8sClient)
 		if err != nil {
 			return nil, err
 		}

diff --git a/common/auth/factory_test.go b/common/auth/factory_test.go
@@ -18,24 +18,35 @@
 package auth
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/IBM/ibmcloud-volume-interface/config"
 	vpcconfig "github.com/IBM/ibmcloud-volume-vpc/block/vpcconfig"
+	"github.com/IBM/secret-utils-lib/pkg/k8s_utils"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestNewContextCredentialsFactory(t *testing.T) {
 	conf := &vpcconfig.VPCBlockConfig{
 		VPCConfig: &config.VPCProviderConfig{
-			Enabled:         true,
-			EndpointURL:     "test-iam-url",
-			VPCTimeout:      "30s",
-			IamClientID:     "test-iam_client_id",
-			IamClientSecret: "test-iam_client_secret",
+			Enabled:                    true,
+			EndpointURL:                "test-iam-url",
+			VPCTimeout:                 "30s",
+			IamClientID:                "test-iam_client_id",
+			IamClientSecret:            "test-iam_client_secret",
+			IKSTokenExchangePrivateURL: "token-exchange-private-URL",
+		},
+		APIConfig: &config.APIConfig{
+			PassthroughSecret: "pass-through-secret",
 		},
 	}
 
-	_, err := NewVPCContextCredentialsFactory(conf)
-	assert.NotNil(t, err)
+	kc, _ := k8s_utils.FakeGetk8sClientSet()
+	pwd, _ := os.Getwd()
+	file := filepath.Join(pwd, "..", "..", "etc", "libconfig.toml")
+	_ = k8s_utils.FakeCreateSecret(kc, "DEFAULT", file)
+	_, err := NewVPCContextCredentialsFactory(conf, &kc)
+	assert.Nil(t, err)
 }
diff --git a/common/iam/token_exchange_iks.go b/common/iam/token_exchange_iks.go
@@ -29,15 +29,16 @@ import (
 	util "github.com/IBM/ibmcloud-volume-interface/lib/utils"
 	"github.com/IBM/ibmcloud-volume-interface/provider/iam"
 	"github.com/IBM/secret-common-lib/pkg/secret_provider"
+	k8s_utils "github.com/IBM/secret-utils-lib/pkg/k8s_utils"
 	sp "github.com/IBM/secret-utils-lib/pkg/secret_provider"
 	"go.uber.org/zap"
 )
 
 // tokenExchangeIKSService ...
 type tokenExchangeIKSService struct {
-	iksAuthConfig  *IksAuthConfiguration
-	httpClient     *http.Client
-	secretprovider sp.SecretProviderInterface
+	iksAuthConfig *IksAuthConfiguration
+	httpClient    *http.Client
+	spObject      sp.SecretProviderInterface
 }
 
 // IksAuthConfiguration ...
@@ -51,22 +52,19 @@ type IksAuthConfiguration struct {
 var _ iam.TokenExchangeService = &tokenExchangeIKSService{}
 
 // NewTokenExchangeIKSService ...
-func NewTokenExchangeIKSService(iksAuthConfig *IksAuthConfiguration) (iam.TokenExchangeService, error) {
+func NewTokenExchangeIKSService(iksAuthConfig *IksAuthConfiguration, k8sClient *k8s_utils.KubernetesClient) (iam.TokenExchangeService, error) {
 	httpClient, err := config.GeneralCAHttpClient()
 	if err != nil {
 		return nil, err
 	}
 	providerType := map[string]string{
 		secret_provider.ProviderType: secret_provider.VPC,
 	}
-	spObject, err := secret_provider.NewSecretProvider(providerType)
-	if err != nil {
-		return nil, err
-	}
+	spObject, err := secret_provider.NewSecretProvider(k8sClient, providerType)
 	return &tokenExchangeIKSService{
-		iksAuthConfig:  iksAuthConfig,
-		httpClient:     httpClient,
-		secretprovider: spObject,
+		iksAuthConfig: iksAuthConfig,
+		httpClient:    httpClient,
+		spObject:      spObject,
 	}, nil
 }
 
@@ -94,7 +92,7 @@ func (tes *tokenExchangeIKSService) ExchangeRefreshTokenForAccessToken(refreshTo
 // ExchangeIAMAPIKeyForAccessToken ...
 func (tes *tokenExchangeIKSService) ExchangeIAMAPIKeyForAccessToken(iamAPIKey string, logger *zap.Logger) (*iam.AccessToken, error) {
 	logger.Info("Fetching using secret provider")
-	token, _, err := tes.secretprovider.GetDefaultIAMToken(false)
+	token, _, err := tes.spObject.GetDefaultIAMToken(false)
 	if err != nil {
 		logger.Error("Error fetching iam token", zap.Error(err))
 		return nil, err

diff --git a/common/iam/token_exchange_iks_test.go b/common/iam/token_exchange_iks_test.go
@@ -23,6 +23,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -33,6 +34,7 @@ import (
 	util "github.com/IBM/ibmcloud-volume-interface/lib/utils"
 	"github.com/IBM/ibmcloud-volume-interface/lib/utils/reasoncode"
 	"github.com/IBM/ibmcloud-volume-interface/provider/iam"
+	"github.com/IBM/secret-utils-lib/pkg/k8s_utils"
 	sp "github.com/IBM/secret-utils-lib/pkg/secret_provider"
 )
 
@@ -79,7 +81,7 @@ func Test_IKSExchangeRefreshTokenForAccessToken_Success(t *testing.T) {
 	tes.httpClient, err = config.GeneralCAHttpClient()
 	assert.Nil(t, err)
 	tes.iksAuthConfig = iksAuthConfig
-	tes.secretprovider = new(sp.FakeSecretProvider)
+	tes.spObject = new(sp.FakeSecretProvider)
 
 	r, err := tes.ExchangeRefreshTokenForAccessToken("testrefreshtoken", logger)
 	assert.Nil(t, err)
@@ -121,7 +123,7 @@ func Test_IKSExchangeRefreshTokenForAccessToken_FailedDuringRequest(t *testing.T
 	tes.httpClient, err = config.GeneralCAHttpClient()
 	assert.Nil(t, err)
 	tes.iksAuthConfig = iksAuthConfig
-	tes.secretprovider = new(sp.FakeSecretProvider)
+	tes.spObject = new(sp.FakeSecretProvider)
 
 	r, err := tes.ExchangeRefreshTokenForAccessToken("badrefreshtoken", logger)
 	assert.Nil(t, r)
@@ -154,7 +156,7 @@ func Test_IKSExchangeRefreshTokenForAccessToken_FailedDuringRequest_no_message(t
 	tes.httpClient, err = config.GeneralCAHttpClient()
 	assert.Nil(t, err)
 	tes.iksAuthConfig = iksAuthConfig
-	tes.secretprovider = new(sp.FakeSecretProvider)
+	tes.spObject = new(sp.FakeSecretProvider)
 
 	r, err := tes.ExchangeRefreshTokenForAccessToken("badrefreshtoken", logger)
 	assert.Nil(t, r)
@@ -188,7 +190,7 @@ func Test_IKSExchangeRefreshTokenForAccessToken_FailedWrongApiUrl(t *testing.T)
 	tes.httpClient, err = config.GeneralCAHttpClient()
 	assert.Nil(t, err)
 	tes.iksAuthConfig = iksAuthConfig
-	tes.secretprovider = new(sp.FakeSecretProvider)
+	tes.spObject = new(sp.FakeSecretProvider)
 
 	r, err := tes.ExchangeRefreshTokenForAccessToken("testrefreshtoken", logger)
 	assert.Nil(t, r)
@@ -260,7 +262,7 @@ func Test_IKSExchangeIAMAPIKeyForAccessToken(t *testing.T) {
 			tes.httpClient, err = config.GeneralCAHttpClient()
 			assert.Nil(t, err)
 			tes.iksAuthConfig = iksAuthConfig
-			tes.secretprovider = new(sp.FakeSecretProvider)
+			tes.spObject = new(sp.FakeSecretProvider)
 
 			_, actualError := tes.ExchangeIAMAPIKeyForAccessToken("apikey1", logger)
 			if testCase.expectedError == nil {
@@ -276,9 +278,12 @@ func TestNewTokenExchangeIKSService(t *testing.T) {
 	iksAuthConfig := &IksAuthConfiguration{
 		PrivateAPIRoute: server.URL,
 	}
-
-	_, err := NewTokenExchangeIKSService(iksAuthConfig)
-	assert.NotNil(t, err)
+	kc, _ := k8s_utils.FakeGetk8sClientSet()
+	pwd, _ := os.Getwd()
+	file := filepath.Join(pwd, "..", "..", "etc", "libconfig.toml")
+	_ = k8s_utils.FakeCreateSecret(kc, "DEFAULT", file)
+	_, err := NewTokenExchangeIKSService(iksAuthConfig, &kc)
+	assert.Nil(t, err)
 }
 
 func TestExchangeAccessTokenForIMSToken(t *testing.T) {