Delete irsa roles (#232)
* Delete irsa roles

* Delete the same roles we create for IRSA

* Update CHANGELOG
mnitchev authored Nov 15, 2023
1 parent 8a11cd0 commit db36ce7
Showing 3 changed files with 22 additions and 20 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Fixed

- Fix not deleting all IRSA rolles.

## [0.13.1] - 2023-11-10

### Fixed
2 changes: 1 addition & 1 deletion controllers/awsmachinetemplate_controller.go
Expand Up @@ -153,7 +153,7 @@ func (r *AWSMachineTemplateReconciler) reconcileDelete(ctx context.Context, iamS
}
if role == iam.ControlPlaneRole {
if r.EnableRoute53Role {
err = iamService.DeleteRoute53Role()
err = iamService.DeleteRolesForIRSA()
if err != nil {
return ctrl.Result{}, err
}
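Review bot: The new `iamService.DeleteRolesForIRSA()` call still sits under `if r.EnableRoute53Role`, so when that flag is off none of the IRSA roles returned by getIRSARoles() (cert-manager, ALB controller, EBS CSI driver, cluster-autoscaler as well as Route53) are deleted on machine-template deletion; that is only correct if ReconcileRolesForIRSA is gated on the same flag, which this hunk does not show. If creation is not gated the same way, deleting the cluster leaves orphaned IAM roles behind, which is exactly the class of leak the commit sets out to fix. A comment above the condition would make the coupling explicit: `// IRSA roles are created and deleted as one set; EnableRoute53Role must gate both the reconcile and the delete path.` reconcileDelete starts and ends outside the hunk.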
36 changes: 17 additions & 19 deletions pkg/iam/iam.go
Expand Up @@ -158,7 +158,7 @@ func (s *IAMService) ReconcileKiamRole() error {
func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
s.log.Info("reconciling IAM roles for IRSA")

for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole, ClusterAutoscalerRole} {
for _, roleTypeToReconcile := range getIRSARoles() {
var params Route53RoleParams
params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
if err != nil {
Expand All @@ -179,7 +179,6 @@ func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain
func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string) (Route53RoleParams, error) {
namespace := "kube-system"
serviceAccount, err := getServiceAccount(roleTypeToReconcile)

if err != nil {
s.log.Error(err, "failed to get service account for role")
return Route53RoleParams{}, err
Expand Down Expand Up @@ -439,26 +438,15 @@ func (s *IAMService) DeleteRoute53Role() error {

func (s *IAMService) DeleteRolesForIRSA() error {
s.log.Info("deleting IAM roles for IRSA")
defer s.log.Info("finished deleting IAM roles for IRSA")

// delete cert-manager role
err := s.deleteRole(roleName(CertManagerRole, s.clusterName))
if err != nil {
return err
}

// delete route53 role
err = s.deleteRole(roleName(Route53Role, s.clusterName))
if err != nil {
return err
}

// delete AWS Load Balancer Controller role
err = s.deleteRole(roleName(ALBConrollerRole, s.clusterName))
if err != nil {
return err
for _, roleTypeToReconcile := range getIRSARoles() {
err := s.deleteRole(roleName(roleTypeToReconcile, s.clusterName))
if err != nil {
return err
}
}

s.log.Info("finished deleting IAM roles for IRSA")
return nil
}

Expand Down Expand Up @@ -677,3 +665,13 @@ func getServiceAccount(role string) (string, error) {

return "", fmt.Errorf("cannot get service account for specified role - %s", role)
}

func getIRSARoles() []string {
return []string{
Route53Role,
CertManagerRole,
ALBConrollerRole,
EBSCSIDriverRole,
ClusterAutoscalerRole,
}
}
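Review bot: In the DeleteRolesForIRSA hunk the loop returns on the first deleteRole error, so a failure on an early role leaves every later role in the list untouched until the next retry; attempting all roles and returning the joined errors would shorten the window in which the remaining roles linger (assuming the caller requeues on error, which is not visible here). The rewrite below also restores the `defer` so the "finished deleting" message is logged on the error path too, which the new code dropped, and renames `roleTypeToReconcile` to `roleType` since nothing is reconciled here; `errors.Join` needs Go 1.20+ and an `errors` import, so fall back to a first-error return if the module is older. getIRSARoles in the last hunk is also missing a doc comment, e.g. `// getIRSARoles lists the role types that ReconcileRolesForIRSA creates and DeleteRolesForIRSA removes; keep the two in sync by only ever editing this list.`
```go
func (s *IAMService) DeleteRolesForIRSA() error {
	s.log.Info("deleting IAM roles for IRSA")
	defer s.log.Info("finished deleting IAM roles for IRSA")

	// Attempt every role even if one fails so a single error does not
	// leave the remaining roles behind until the next retry.
	var errs []error
	for _, roleType := range getIRSARoles() {
		if err := s.deleteRole(roleName(roleType, s.clusterName)); err != nil {
			errs = append(errs, err)
		}
	}
	return errors.Join(errs...)
}
```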
