Merge pull request #742 from hasueki/bug-2015800

openshift-merge-robot · web-flow · commit 7023e842aa30 · 2022-01-29T09:26:26.000-05:00
Bug 2015800: fix(ibmcos): Resource key validation + update status granularly
diff --git a/pkg/storage/ibmcos/ibmcos.go b/pkg/storage/ibmcos/ibmcos.go
@@ -135,6 +135,11 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 	d.Config.Location = infra.Status.PlatformStatus.IBMCloud.Location
 	d.Config.ResourceGroupName = infra.Status.PlatformStatus.IBMCloud.ResourceGroupName
 
+	// Initialize IBMCOS status
+	if cr.Status.Storage.IBMCOS == nil {
+		cr.Status.Storage.IBMCOS = &imageregistryv1.ImageRegistryConfigStorageIBMCOS{}
+	}
+
 	// Get resource controller service
 	rc, err := d.getResouceControllerService()
 	if err != nil {
@@ -176,9 +181,8 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 				// Set resource group name
 				d.Config.ResourceGroupName = *rg.Name
 			}
-			cr.Status.Storage = imageregistryv1.ImageRegistryConfigStorage{
-				IBMCOS: d.Config.DeepCopy(),
-			}
+			cr.Status.Storage.IBMCOS.ServiceInstanceCRN = d.Config.ServiceInstanceCRN
+			cr.Status.Storage.IBMCOS.ResourceGroupName = d.Config.ResourceGroupName
 			cr.Spec.Storage.IBMCOS = d.Config.DeepCopy()
 			util.UpdateCondition(cr, defaults.StorageExists, operatorapi.ConditionFalse, "IBM COS Instance Active", "IBM COS service instance is active")
 		case resourcecontrollerv2.ListResourceInstancesOptionsStateProvisioningConst:
@@ -261,15 +265,15 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 		}
 
 		d.Config.ServiceInstanceCRN = *instance.CRN
-		cr.Status.Storage = imageregistryv1.ImageRegistryConfigStorage{
-			IBMCOS: d.Config.DeepCopy(),
-		}
+		cr.Status.Storage.IBMCOS.ServiceInstanceCRN = d.Config.ServiceInstanceCRN
+		cr.Status.Storage.IBMCOS.ResourceGroupName = d.Config.ResourceGroupName
+		cr.Status.Storage.ManagementState = cr.Spec.Storage.ManagementState
 		cr.Spec.Storage.IBMCOS = d.Config.DeepCopy()
 		util.UpdateCondition(cr, defaults.StorageExists, operatorapi.ConditionFalse, "IBM COS Instance Creation Successful", "IBM COS service instance was successfully created")
 	}
 
-	// Create resource key
 	if len(d.Config.ResourceKeyCRN) == 0 {
+		// Create resource key
 		keyName := fmt.Sprintf("%s-%s", infra.Status.InfrastructureName, defaults.ImageRegistryName)
 		roleCRN := "crn:v1:bluemix:public:iam::::serviceRole:Writer"
 		params := &resourcecontrollerv2.ResourceKeyPostParameters{}
@@ -289,11 +293,43 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 		}
 
 		d.Config.ResourceKeyCRN = *key.CRN
-		cr.Status.Storage = imageregistryv1.ImageRegistryConfigStorage{
-			IBMCOS: d.Config.DeepCopy(),
-		}
+		cr.Status.Storage.IBMCOS.ResourceKeyCRN = d.Config.ResourceKeyCRN
 		cr.Spec.Storage.IBMCOS = d.Config.DeepCopy()
 		util.UpdateCondition(cr, defaults.StorageExists, operatorapi.ConditionFalse, "IBM COS Resource Key Creation Successful", "IBM COS resource key was successfully created")
+	} else {
+		// Get resource key
+		key, resp, err := rc.GetResourceKeyWithContext(
+			d.Context,
+			&resourcecontrollerv2.GetResourceKeyOptions{
+				ID: &d.Config.ResourceKeyCRN,
+			},
+		)
+		if err != nil {
+			return fmt.Errorf("unable to get resource key for service instance: %s with resp code: %d", err.Error(), resp.StatusCode)
+		}
+
+		// Check if resource key is for service instance
+		if *key.SourceCRN != d.Config.ServiceInstanceCRN {
+			return fmt.Errorf("specified resource key is not valid for service instance")
+		}
+
+		if key.Credentials != nil {
+			// Check if resource key is HMAC enabled
+			if key.Credentials.GetProperty("cos_hmac_keys") == nil {
+				return fmt.Errorf("specified resource key credentials does not contain HMAC keys")
+			}
+			// Check if resource key has a valid IAM role
+			if *key.Credentials.IamRoleCRN != "crn:v1:bluemix:public:iam::::serviceRole:Writer" && *key.Credentials.IamRoleCRN != "crn:v1:bluemix:public:iam::::serviceRole:Manager" {
+				return fmt.Errorf("specified resource key's IAM role is not valid")
+			}
+			// Valid resource key
+			d.Config.ResourceKeyCRN = *key.CRN
+			cr.Status.Storage.IBMCOS.ResourceKeyCRN = d.Config.ResourceKeyCRN
+			cr.Spec.Storage.IBMCOS = d.Config.DeepCopy()
+			util.UpdateCondition(cr, defaults.StorageExists, operatorapi.ConditionFalse, "IBM COS Resource Key Valid", "IBM COS resource key exists and is valid")
+		} else {
+			return fmt.Errorf("specified resource key does not have any attached credentials")
+		}
 	}
 
 	// Check if bucket already exists
@@ -360,15 +396,6 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 			return err
 		}
 
-		if cr.Spec.Storage.ManagementState == "" {
-			cr.Spec.Storage.ManagementState = imageregistryv1.StorageManagementStateManaged
-		}
-		cr.Status.Storage = imageregistryv1.ImageRegistryConfigStorage{
-			IBMCOS: d.Config.DeepCopy(),
-		}
-		cr.Spec.Storage.IBMCOS = d.Config.DeepCopy()
-		util.UpdateCondition(cr, defaults.StorageExists, operatorapi.ConditionTrue, "Creation Successful", "IBM COS bucket was successfully created")
-
 		// Wait until the bucket exists
 		if err := client.WaitUntilBucketExistsWithContext(
 			d.Context,
@@ -381,6 +408,15 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 			}
 			return err
 		}
+
+		if cr.Spec.Storage.ManagementState == "" {
+			cr.Spec.Storage.ManagementState = imageregistryv1.StorageManagementStateManaged
+		}
+		cr.Status.Storage = imageregistryv1.ImageRegistryConfigStorage{
+			IBMCOS: d.Config.DeepCopy(),
+		}
+		cr.Spec.Storage.IBMCOS = d.Config.DeepCopy()
+		util.UpdateCondition(cr, defaults.StorageExists, operatorapi.ConditionTrue, "Creation Successful", "IBM COS bucket was successfully created")
 	}
 
 	return nil
