Skip to content

Commit

Permalink
adds support for service level isolation
Browse files Browse the repository at this point in the history
  • Loading branch information
TiberiuGC committed Aug 5, 2024
1 parent 484d70a commit 447c4bb
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 9 deletions.
25 changes: 19 additions & 6 deletions pkg/runtime/adoption_reconciler.go
Original file line number Diff line number Diff line change
Expand Up @@ -522,16 +522,23 @@ func (r *adoptionReconciler) getEndpointURL(
func (r *adoptionReconciler) getOwnerAccountRoleARN(
acctID ackv1alpha1.AWSAccountID,
) (ackv1alpha1.AWSResourceName, error) {
globalAccountID := ackrtcache.OwnerAccountIDPrefix + string(acctID)
// v2
if r.cfg.FeatureGates.IsEnabled(featuregate.FeatureCARMv2) {
roleARN, err := r.cache.CARMMaps.GetValue(ackrtcache.OwnerAccountIDPrefix + string(acctID))
// use service level roleARN if present
serviceAccountID := r.sc.GetMetadata().ServiceAlias + "." + globalAccountID
if roleARN, err := r.cache.CARMMaps.GetValue(serviceAccountID); err == nil {
return ackv1alpha1.AWSResourceName(roleARN), nil
}
// otherwise use account level roleARN
roleARN, err := r.cache.CARMMaps.GetValue(globalAccountID)
if err != nil {
return "", fmt.Errorf("retrieving role ARN for accountID %q from %q configmap: %v", acctID, ackrtcache.ACKCARMMapV2, err)
}
return ackv1alpha1.AWSResourceName(roleARN), nil
}
// v1
roleARN, err := r.cache.Accounts.GetValue(ackrtcache.OwnerAccountIDPrefix + string(acctID))
roleARN, err := r.cache.Accounts.GetValue(globalAccountID)
if err != nil {
return "", fmt.Errorf("retrieving role ARN for accountID %q from %q configMap: %v", acctID, ackrtcache.ACKRoleAccountMap, err)
}
Expand All @@ -543,11 +550,17 @@ func (r *adoptionReconciler) getOwnerAccountRoleARN(
func (r *adoptionReconciler) getTeamRoleARN(
teamID ackv1alpha1.TeamID,
) (ackv1alpha1.AWSResourceName, error) {
roleARN, err := r.cache.CARMMaps.GetValue(ackrtcache.TeamIDPrefix + string(teamID))
if err == ackrtcache.ErrCARMConfigMapNotFound || err == ackrtcache.ErrKeyNotFound {
return "", fmt.Errorf("unable to retrieve role ARN from CARM v2 for account %s: %v", teamID, err)
globalTeamID := ackrtcache.OwnerAccountIDPrefix + string(teamID)
serviceTeamID := r.sc.GetMetadata().ServiceAlias + "." + globalTeamID
// use service level roleARN if present
if roleARN, err := r.cache.CARMMaps.GetValue(serviceTeamID); err == nil {
return ackv1alpha1.AWSResourceName(roleARN), nil
}
// otherwise use team level roleARN
roleARN, err := r.cache.CARMMaps.GetValue(globalTeamID)
if err != nil {
return "", fmt.Errorf("retrieving role ARN for teamID %q from configMap %q: %v", teamID, ackrtcache.ACKCARMMapV2, err)
}

return ackv1alpha1.AWSResourceName(roleARN), nil
}

Expand Down
20 changes: 17 additions & 3 deletions pkg/runtime/reconciler.go
Original file line number Diff line number Diff line change
Expand Up @@ -1140,16 +1140,23 @@ func (r *resourceReconciler) getTeamID(
func (r *resourceReconciler) getOwnerAccountRoleARN(
acctID ackv1alpha1.AWSAccountID,
) (ackv1alpha1.AWSResourceName, error) {
globalAccountID := ackrtcache.OwnerAccountIDPrefix + string(acctID)
// v2
if r.cfg.FeatureGates.IsEnabled(featuregate.FeatureCARMv2) {
roleARN, err := r.cache.CARMMaps.GetValue(ackrtcache.OwnerAccountIDPrefix + string(acctID))
// use service level roleARN if present
serviceAccountID := r.sc.GetMetadata().ServiceAlias + "." + globalAccountID
if roleARN, err := r.cache.CARMMaps.GetValue(serviceAccountID); err == nil {
return ackv1alpha1.AWSResourceName(roleARN), nil
}
// otherwise use account level roleARN
roleARN, err := r.cache.CARMMaps.GetValue(globalAccountID)
if err != nil {
return "", fmt.Errorf("retrieving role ARN for accountID %q from %q configmap: %v", acctID, ackrtcache.ACKCARMMapV2, err)
}
return ackv1alpha1.AWSResourceName(roleARN), nil
}
// v1
roleARN, err := r.cache.Accounts.GetValue(ackrtcache.OwnerAccountIDPrefix + string(acctID))
roleARN, err := r.cache.Accounts.GetValue(globalAccountID)
if err != nil {
return "", fmt.Errorf("retrieving role ARN for accountID %q from %q configMap: %v", acctID, ackrtcache.ACKRoleAccountMap, err)
}
Expand All @@ -1161,7 +1168,14 @@ func (r *resourceReconciler) getOwnerAccountRoleARN(
func (r *resourceReconciler) getTeamRoleARN(
teamID ackv1alpha1.TeamID,
) (ackv1alpha1.AWSResourceName, error) {
roleARN, err := r.cache.CARMMaps.GetValue(ackrtcache.TeamIDPrefix + string(teamID))
globalTeamID := ackrtcache.TeamIDPrefix + string(teamID)
serviceTeamID := r.sc.GetMetadata().ServiceAlias + "." + globalTeamID
// use service level roleARN if present
if roleARN, err := r.cache.CARMMaps.GetValue(serviceTeamID); err == nil {
return ackv1alpha1.AWSResourceName(roleARN), nil
}
// otherwise use team level roleARN
roleARN, err := r.cache.CARMMaps.GetValue(globalTeamID)
if err != nil {
return "", fmt.Errorf("retrieving role ARN for teamID %q from configMap %q: %v", teamID, ackrtcache.ACKCARMMapV2, err)
}
Expand Down

0 comments on commit 447c4bb

Please sign in to comment.