Delete irsa roles #232

Merged
merged 4 commits into from
Nov 15, 2023
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Fixed

- Fix not deleting all IRSA rolles.

## [0.13.1] - 2023-11-10

### Fixed
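--- a/controllers/awsmachinetemplate_controller.go
+++ b/controllers/awsmachinetemplate_controller.go
@@ -153,7 +153,7 @@ func (r *AWSMachineTemplateReconciler) reconcileDelete(ctx context.Context, iamS
 }
 if role == iam.ControlPlaneRole {
 if r.EnableRoute53Role {
-err = iamService.DeleteRoute53Role()
+err = iamService.DeleteRolesForIRSA()
 if err != nil {
 return ctrl.Result{}, err
 }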
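Review bot: Deleting every IRSA role is now gated on `r.EnableRoute53Role`, the condition directly above the changed call, so when that flag is off the cert-manager, ALB controller, EBS CSI and cluster-autoscaler roles are never removed on cluster delete. If the create path is gated by the same flag (not visible in this hunk) that is at least consistent, but the flag name no longer says what it controls; if it is not, roles whose trust policies reference the deleted cluster's OIDC provider are left behind as stale identities. At minimum add `// EnableRoute53Role also gates the other IRSA roles; keep in step with ReconcileRolesForIRSA` above the `if`, or gate on a flag named for IRSA as a whole. reconcileDelete starts and ends outside this hunk.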
36 changes: 17 additions & 19 deletions pkg/iam/iam.go
Expand Up @@ -158,7 +158,7 @@ func (s *IAMService) ReconcileKiamRole() error {
func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain string) error {
s.log.Info("reconciling IAM roles for IRSA")

for _, roleTypeToReconcile := range []string{Route53Role, CertManagerRole, ALBConrollerRole, EBSCSIDriverRole, ClusterAutoscalerRole} {
for _, roleTypeToReconcile := range getIRSARoles() {
var params Route53RoleParams
params, err := s.generateRoute53RoleParams(roleTypeToReconcile, awsAccountID, cloudFrontDomain)
if err != nil {
Expand All @@ -179,7 +179,6 @@ func (s *IAMService) ReconcileRolesForIRSA(awsAccountID string, cloudFrontDomain
func (s *IAMService) generateRoute53RoleParams(roleTypeToReconcile string, awsAccountID string, cloudFrontDomain string) (Route53RoleParams, error) {
namespace := "kube-system"
serviceAccount, err := getServiceAccount(roleTypeToReconcile)

if err != nil {
s.log.Error(err, "failed to get service account for role")
return Route53RoleParams{}, err
Expand Down Expand Up @@ -439,26 +438,15 @@ func (s *IAMService) DeleteRoute53Role() error {

func (s *IAMService) DeleteRolesForIRSA() error {
s.log.Info("deleting IAM roles for IRSA")
defer s.log.Info("finished deleting IAM roles for IRSA")

// delete cert-manager role
err := s.deleteRole(roleName(CertManagerRole, s.clusterName))
if err != nil {
return err
}

// delete route53 role
err = s.deleteRole(roleName(Route53Role, s.clusterName))
if err != nil {
return err
}

// delete AWS Load Balancer Controller role
err = s.deleteRole(roleName(ALBConrollerRole, s.clusterName))
if err != nil {
return err
for _, roleTypeToReconcile := range getIRSARoles() {
err := s.deleteRole(roleName(roleTypeToReconcile, s.clusterName))
if err != nil {
return err
}
}

s.log.Info("finished deleting IAM roles for IRSA")
return nil
}

Expand Down Expand Up @@ -677,3 +665,13 @@ func getServiceAccount(role string) (string, error) {

return "", fmt.Errorf("cannot get service account for specified role - %s", role)
}

func getIRSARoles() []string {
return []string{
Route53Role,
CertManagerRole,
ALBConrollerRole,
EBSCSIDriverRole,
ClusterAutoscalerRole,
}
}
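Review bot: In DeleteRolesForIRSA (the `@@ -439,26 +438,15 @@` hunk) the new loop returns on the first `deleteRole` failure, so a transient error on the first role skips every role after it and the cluster is left with unused IAM roles whose trust policies still reference its OIDC provider — the same partial cleanup this PR sets out to fix. The deletions are independent, so attempt all of them, log each failure, and return the combined error so the reconciler still retries; `errors.Join` needs Go 1.20 and an `errors` import, and if the module is older a `fmt.Errorf` chain does the same job. This also relies on `deleteRole` treating an already-absent role as success so the retry stays idempotent; that helper is not in the hunk, so worth confirming. The loop variable `roleTypeToReconcile` was copied from ReconcileRolesForIRSA and `roleType` reads better in a delete path. The older `DeleteRoute53Role` named in the hunk header appears to have no caller left after the controller change; if so it can go in a follow-up.
```go
	// delete every IRSA role, collecting failures so one error does not leave the rest behind
	var errs []error
	for _, roleType := range getIRSARoles() {
		if err := s.deleteRole(roleName(roleType, s.clusterName)); err != nil {
			s.log.Error(err, "failed to delete IRSA role", "role", roleType)
			errs = append(errs, err)
		}
	}
	return errors.Join(errs...)
```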