Add dev env rules exception

Comply with the Authorizer changes
Azure · Feb 15, 2022 · cee82e5 · cee82e5
1 parent 507c785
commit cee82e5
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 38 deletions.
diff --git a/pkg/cluster/deploystorage_resources.go b/pkg/cluster/deploystorage_resources.go
@@ -75,9 +75,37 @@ func (m *manager) clusterServicePrincipalRBAC() *arm.Resource {
 }
 
 // storageAccount will return storage account resource.
-// Old accounts are not encrypted and can't be retrofitted.
-// flag is to controll this behaviour in update/create
+// Legacy storage accounts (public) are not encrypted and cannot be retrofitted.
+// The flag controls this behavior in update/create.
 func (m *manager) storageAccount(name, region string, encrypted bool) *arm.Resource {
+
+	virtualNetworkRules := []mgmtstorage.VirtualNetworkRule{
+		{
+			VirtualNetworkResourceID: to.StringPtr(m.doc.OpenShiftCluster.Properties.MasterProfile.SubnetID),
+			Action:                   mgmtstorage.Allow,
+		},
+		{
+			VirtualNetworkResourceID: to.StringPtr(m.doc.OpenShiftCluster.Properties.WorkerProfiles[0].SubnetID),
+			Action:                   mgmtstorage.Allow,
+		},
+		{
+			VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.ResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/rp-pe-vnet-001/subnets/rp-pe-subnet"),
+			Action:                   mgmtstorage.Allow,
+		},
+		{
+			VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.ResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/rp-vnet/subnets/rp-subnet"),
+			Action:                   mgmtstorage.Allow,
+		},
+	}
+
+	// Prod includes a gateway rule as well
+	if !m.env.IsLocalDevelopmentMode() {
+		virtualNetworkRules = append(virtualNetworkRules, mgmtstorage.VirtualNetworkRule{
+			VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.GatewayResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/gateway-vnet/subnets/gateway-subnet"),
+			Action:                   mgmtstorage.Allow,
+		})
+	}
+
 	sa := &mgmtstorage.Account{
 		Kind: mgmtstorage.StorageV2,
 		Sku: &mgmtstorage.Sku{
@@ -88,30 +116,9 @@ func (m *manager) storageAccount(name, region string, encrypted bool) *arm.Resou
 			EnableHTTPSTrafficOnly: to.BoolPtr(true),
 			MinimumTLSVersion:      mgmtstorage.TLS12,
 			NetworkRuleSet: &mgmtstorage.NetworkRuleSet{
-				Bypass: mgmtstorage.AzureServices,
-				VirtualNetworkRules: &[]mgmtstorage.VirtualNetworkRule{
-					{
-						VirtualNetworkResourceID: to.StringPtr(m.doc.OpenShiftCluster.Properties.MasterProfile.SubnetID),
-						Action:                   mgmtstorage.Allow,
-					},
-					{
-						VirtualNetworkResourceID: to.StringPtr(m.doc.OpenShiftCluster.Properties.WorkerProfiles[0].SubnetID),
-						Action:                   mgmtstorage.Allow,
-					},
-					{
-						VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.ResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/rp-pe-vnet-001/subnets/rp-pe-subnet"),
-						Action:                   mgmtstorage.Allow,
-					},
-					{
-						VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.ResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/rp-vnet/subnets/rp-subnet"),
-						Action:                   mgmtstorage.Allow,
-					},
-					{
-						VirtualNetworkResourceID: to.StringPtr("/subscriptions/" + m.env.SubscriptionID() + "/resourceGroups/" + m.env.GatewayResourceGroup() + "/providers/Microsoft.Network/virtualNetworks/gateway-vnet/subnets/gateway-subnet"),
-						Action:                   mgmtstorage.Allow,
-					},
-				},
-				DefaultAction: "Deny",
+				Bypass:              mgmtstorage.AzureServices,
+				VirtualNetworkRules: &virtualNetworkRules,
+				DefaultAction:       "Deny",
 			},
 		},
 		Name:     &name,

diff --git a/pkg/operator/controllers/storageaccounts/storageaccount_controller.go b/pkg/operator/controllers/storageaccounts/storageaccount_controller.go
@@ -25,7 +25,6 @@ import (
 	arov1alpha1 "github.com/Azure/ARO-RP/pkg/operator/apis/aro.openshift.io/v1alpha1"
 	aroclient "github.com/Azure/ARO-RP/pkg/operator/clientset/versioned"
 	"github.com/Azure/ARO-RP/pkg/operator/controllers"
-	"github.com/Azure/ARO-RP/pkg/util/aad"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/storage"
 	"github.com/Azure/ARO-RP/pkg/util/clusterauthorizer"
@@ -82,22 +81,14 @@ func (r *Reconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.
 	if err != nil {
 		return reconcile.Result{}, err
 	}
-	// Grab azure-credentials from secret
-	credentials, err := clusterauthorizer.AzCredentials(ctx, r.kubernetescli)
-	if err != nil {
-		return reconcile.Result{}, err
-	}
+
 	resource, err := azure.ParseResourceID(instance.Spec.ResourceID)
 	if err != nil {
 		return reconcile.Result{}, err
 	}
-	// create service principal token from azure-credentials
-	token, err := aad.GetToken(ctx, r.log, string(credentials.ClientID), string(credentials.ClientSecret), string(credentials.TenantID), azEnv.ActiveDirectoryEndpoint, azEnv.ResourceManagerEndpoint)
-	if err != nil {
-		return reconcile.Result{}, err
-	}
+
 	// create refreshable authorizer from token
-	authorizer, err := clusterauthorizer.NewAzRefreshableAuthorizer(token)
+	authorizer, err := clusterauthorizer.NewAzRefreshableAuthorizer(ctx, r.log, &azEnv, r.kubernetescli)
 	if err != nil {
 		return reconcile.Result{}, err
 	}