Unify configuration format for CCM and Volume Provisioner (#282)

Author: owainlewis

pkg/cloudprovider/providers/oci/ccm.go

@@ -25,8 +25,6 @@ import (
 	providercfg "github.com/oracle/oci-cloud-controller-manager/pkg/cloudprovider/providers/oci/config"
 	"github.com/oracle/oci-cloud-controller-manager/pkg/oci/client"
 	"github.com/oracle/oci-cloud-controller-manager/pkg/oci/instance/metadata"
-	"github.com/oracle/oci-go-sdk/common"
-	"github.com/oracle/oci-go-sdk/common/auth"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -84,7 +82,7 @@ func NewCloudProvider(config *providercfg.Config) (cloudprovider.Interface, erro
 	// main.go so capture it here and then pass it into all components.
 	logger := zap.L()
 
-	cp, err := buildConfigurationProvider(logger, config)
+	cp, err := providercfg.NewConfigurationProvider(config)
 	if err != nil {
 		return nil, err
 	}
@@ -127,7 +125,6 @@ func init() {
 		if err != nil {
 			return nil, err
 		}
-		cfg.Complete()
 
 		if err = cfg.Validate(); err != nil {
 			return nil, err
@@ -218,27 +215,6 @@ func (cp *CloudProvider) HasClusterID() bool {
 	return true
 }
 
-func buildConfigurationProvider(logger *zap.Logger, config *providercfg.Config) (common.ConfigurationProvider, error) {
-	if config.Auth.UseInstancePrincipals {
-		logger.Info("Using instance principals configuration provider")
-		cp, err := auth.InstancePrincipalConfigurationProvider()
-		if err != nil {
-			return nil, errors.Wrap(err, "InstancePrincipalConfigurationProvider")
-		}
-		return cp, nil
-	}
-	logger.Info("Using raw configuration provider")
-	cp := common.NewRawConfigurationProvider(
-		config.Auth.TenancyID,
-		config.Auth.UserID,
-		config.Auth.Region,
-		config.Auth.Fingerprint,
-		config.Auth.PrivateKey,
-		&config.Auth.Passphrase,
-	)
-	return cp, nil
-}
-
 // NewRateLimiter builds and returns a struct containing read and write
 // rate limiters. Defaults are used where no (0) value is provided.
 func NewRateLimiter(logger *zap.SugaredLogger, config *providercfg.RateLimiterConfig) client.RateLimiter {

pkg/cloudprovider/providers/oci/config/config.go

@@ -16,8 +16,12 @@ package config
 
 import (
 	"io"
+	"os"
 
+	"github.com/oracle/oci-go-sdk/common"
+	"github.com/oracle/oci-go-sdk/common/auth"
 	"github.com/pkg/errors"
+
 	"go.uber.org/zap"
 	"gopkg.in/yaml.v2"
 )
@@ -26,21 +30,26 @@ import (
 // API.
 type AuthConfig struct {
 	Region      string `yaml:"region"`
-	RegionKey   string `yaml:"regionKey"`
 	TenancyID   string `yaml:"tenancy"`
 	UserID      string `yaml:"user"`
 	PrivateKey  string `yaml:"key"`
 	Fingerprint string `yaml:"fingerprint"`
 	Passphrase  string `yaml:"passphrase"`
 
-	// TODO(apryde): depreciate
-	UseInstancePrincipals bool   `yaml:"useInstancePrincipals"`
-	VCNID                 string `yaml:"vcn"`
+	// Used by the flex driver for OCID expansion. This should be moved to top level
+	// as it doesn't strictly relate to OCI authentication.
+	RegionKey string `yaml:"regionKey"`
+
+	// The fields below are deprecated and remain purely for backwards compatibility.
+	// At some point these need to be removed.
 
-	// CompartmentID is DEPRECIATED and should be set on the top level Config
+	// When set to true, clients will use an instance principal configuration provider
+	// and ignore auth fields.
+	UseInstancePrincipals bool `yaml:"useInstancePrincipals"`
+	// CompartmentID is DEPRECATED and should be set on the top level Config
 	// struct.
 	CompartmentID string `yaml:"compartment"`
-	// PrivateKeyPassphrase is DEPRECIATED in favour of Passphrase.
+	// PrivateKeyPassphrase is DEPRECATED in favour of Passphrase.
 	PrivateKeyPassphrase string `yaml:"key_passphrase"`
 }
 
@@ -97,7 +106,7 @@ type Config struct {
 	LoadBalancer LoadBalancerConfig `yaml:"loadBalancer"`
 	RateLimiter  *RateLimiterConfig `yaml:"rateLimiter"`
 
-	// TODO(apryde): use in CCM.
+	// When set to true, clients will use an instance principal configuration provider and ignore auth fields.
 	UseInstancePrincipals bool `yaml:"useInstancePrincipals"`
 	// CompartmentID is the OCID of the Compartment within which the cluster
 	// resides.
@@ -112,18 +121,26 @@ func (c *Config) Complete() {
 	if !c.LoadBalancer.Disabled && c.LoadBalancer.SecurityListManagementMode == "" {
 		c.LoadBalancer.SecurityListManagementMode = ManagementModeAll // default
 		if c.LoadBalancer.DisableSecurityListManagement {
-			zap.S().Warnf("cloud-provider config: \"loadBalancer.disableSecurityListManagement\" is DEPRECIATED and will be removed in a later release. Please set \"loadBalancer.SecurityListManagementMode: %s\".", ManagementModeNone)
+			zap.S().Warnf("cloud-provider config: \"loadBalancer.disableSecurityListManagement\" is DEPRECATED and will be removed in a later release. Please set \"loadBalancer.SecurityListManagementMode: %s\".", ManagementModeNone)
 			c.LoadBalancer.SecurityListManagementMode = ManagementModeNone
 		}
 	}
+
+	// Ensure backwards compatibility fields are set correctly.
 	if c.CompartmentID == "" && c.Auth.CompartmentID != "" {
-		zap.S().Warn("cloud-provider config: \"auth.compartment\" is DEPRECIATED and will be removed in a later release. Please set \"compartment\".")
+		zap.S().Warn("cloud-provider config: \"auth.compartment\" is DEPRECATED and will be removed in a later release. Please set \"compartment\".")
 		c.CompartmentID = c.Auth.CompartmentID
 	}
+
 	if c.Auth.Passphrase == "" && c.Auth.PrivateKeyPassphrase != "" {
-		zap.S().Warn("cloud-provider config: \"auth.key_passphrase\" is DEPRECIATED and will be removed in a later release. Please set \"auth.passphrase\".")
+		zap.S().Warn("cloud-provider config: \"auth.key_passphrase\" is DEPRECATED and will be removed in a later release. Please set \"auth.passphrase\".")
 		c.Auth.Passphrase = c.Auth.PrivateKeyPassphrase
 	}
+
+	if c.Auth.UseInstancePrincipals == true {
+		zap.S().Warn("cloud-provider config: \"auth.useInstancePrincipals\" is DEPRECATED and will be removed in a later release. Please set \"auth.useInstancePrincipals\".")
+		c.UseInstancePrincipals = true
+	}
 }
 
 // Validate validates the OCI cloud-provider config.
@@ -143,5 +160,53 @@ func ReadConfig(r io.Reader) (*Config, error) {
 		return nil, errors.Wrap(err, "unmarshalling cloud-provider config")
 	}
 
+	// Ensure defaults are correctly set
+	cfg.Complete()
+
 	return cfg, nil
 }
+
+// FromFile will load a cloud provider configuration file from a given file path.
+func FromFile(path string) (*Config, error) {
+	f, err := os.Open(path)
+	defer f.Close()
+
+	if err != nil {
+		return nil, err
+	}
+
+	return ReadConfig(f)
+}
+
+// NewConfigurationProvider takes a cloud provider config file and returns an OCI ConfigurationProvider
+// to be consumed by the OCI SDK.
+func NewConfigurationProvider(cfg *Config) (common.ConfigurationProvider, error) {
+	var conf common.ConfigurationProvider
+	if cfg != nil {
+		err := cfg.Validate()
+		if err != nil {
+			return nil, errors.Wrap(err, "invalid client config")
+		}
+
+		if cfg.UseInstancePrincipals {
+			cp, err := auth.InstancePrincipalConfigurationProvider()
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to instantiate InstancePrincipalConfigurationProvider")
+			}
+			return cp, nil
+		}
+
+		conf = common.NewRawConfigurationProvider(
+			cfg.Auth.TenancyID,
+			cfg.Auth.UserID,
+			cfg.Auth.Region,
+			cfg.Auth.Fingerprint,
+			cfg.Auth.PrivateKey,
+			common.String(cfg.Auth.PrivateKeyPassphrase))
+
+	} else {
+		conf = common.DefaultConfigProvider()
+	}
+
+	return conf, nil
+}

pkg/cloudprovider/providers/oci/config/config_test.go

@@ -33,73 +33,41 @@ auth:
   user: ocid1.user.oc1..aaaaaaaai77mql2xerv7cn6wu3nhxang3y4jk56vo5bn5l5lysl34avnui3q
   key: |
     -----BEGIN RSA PRIVATE KEY-----
-    MIIEowIBAAKCAQEA4KpLGy/BLbph55HMjWLxCO657DLQTk4o+WWPi1+5oeAUVgyh
-    kdvPR22jn9HiAL9jKv7PR3/OdHSp/6E3d05htksI7Tct4M/eWVMGRIzoMJvpJ99e
-    ZP7MtQT9yknbJDSJoibSwLmPoInnPE/WbcgrTKSAfNURK0bKw1tnLd85qt7zdLI3
-    g6O/14Bsmf+ovGiQHP6oiTuC4l3D8eTLlKdSrRVqZXhdvslpZU8MtNB8pPHMB4GZ
-    R6HccBi7TJY7kkNg+5flRBTdYL8bvaji3zxSlvawvet+bJmEtApkUoLnovLCviVp
-    NVTJZb5iQxMJLZlDJJT/ruq+HMJ3PiiYFOjFVwIDAQABAoIBAQDNkiT9MFoj/Hpf
-    SOKRsKn60W3gObKvJAeMBKkvD50tCHuzLQWeEDJ/GkxxDbwtkPItwlBqDQEdQC7Z
-    UGwPR/JSuh/l5uqc3beHpleC3CgNamwSZunZoegv7uxGcAQMAeK6M6n+XQyWCflD
-    D46Wj2VHUPKcxt1Z6wHXdchYifwbYwUNA3hOlRJK3ODgk/X6UjTGb3+gpY3qU4kX
-    Iz5L1ekCSgVIPBFVwdZQUyUC7+iIySaK+qcmEEx/UwOZ6uxhcmRzca31cjeaRS4H
-    pUjrl/aqLIW57E2MQ/vSzfQn7kEGBOrS0RjHZgq9u4Qdq6EkjHj3fenKpwWB7S1z
-    4t0PpinJAoGBAPRmxAcCd88EhWh5HhN+RWjmXdDCOmZ0yXbxxVBTQtK5pPnP8I9A
-    3Jd2ughHk7dFBvgKbHkVsyWgAk8zRZdD2hkQBOXvoeJF2scmvgFUBs1otf6xiFsf
-    IC0I8A/wXn3IHmyrG7xmPAtHWKvTTAFg7IjIIofcX7cuzMeLXEUMvLQdAoGBAOtT
-    wJCtPTNs4c3vhO4gba98c30U3tHmbLVKJXGEeZkSv3/ez5eIiYBJTzwLB2+ppy8j
-    2lYsdkLvsoyKF3LUwyt0gsX+AU9DJ2dmSJZ3E67UHsY6+qog5QlYfWWD8mKWeE9L
-    2r0rhG6l0WHR15LdvVc9MJ8e3YVUvNJJJJhQ2v0DAoGAAosXOyNxb7wST1YDVBya
-    SE8tZsC+rtZESnKVpRJYvayk5NyfGj6IjSL1KKTmCqAzRF2HZ3MsXBXgMEbOUJaq
-    LFyYUHQ/8QTdE/l5PLZNI9IVIsNiMeCPCyjuppvPv+tXNbZKIZnGwi9J4u/d+J2z
-    mHDMuzE15cgc5W6z1Rwe0pkCgYBzRwvF05dvYZ8bqoGLxQb2OBi65UZhvGb0R+Yf
-    va1zduOoWBWJPbFdzoup9h0mbg0f4ohKPm2QTKtCfUMPVXpmByUoqE0r7tGWrVxR
-    mPNjaTXKFYpFXOfVtCt5VzGdaeh1r8rvcCnnqgLv0EOyBj2CRs9So2QQtHnq6Tms
-    A6/C0QKBgAw8IsCnkNoZujCEOR/6ZHbK3eeyAs2yuJumsjYYosIGZ/bzsXTpfzAw
-    bs45GZxrW67zB/0HA7bVWS9ZkCVflHI2uBCFofm+y55IAzg9/c1xYU19PA3KRxHZ
-    D/yEDdXVK/lIzNt7kIMFhtoYGrwv1JQGfK5Wh2bi+AwbBDZ45/17
     -----END RSA PRIVATE KEY-----
   fingerprint: 97:84:f7:26:a3:7b:74:d0:bd:4e:08:a7:79:c9:d0:1d
 
+useInstancePrincipals: false
+vcn: ocid1.vcn.oc1..
 compartment: ocid1.compartment.oc1..aaaaaaaa3um2atybwhder4qttfhgon4j3hcxgmsvnyvx4flfjyewkkwfzwnq
 
 loadBalancer:
   disableSecurityListManagement: false
   subnet1: ocid1.subnet.oc1.phx.aaaaaaaasa53hlkzk6nzksqfccegk2qnkxmphkblst3riclzs4rhwg7rg57q
   subnet2: ocid1.subnet.oc1.phx.aaaaaaaahuxrgvs65iwdz7ekwgg3l5gyah7ww5klkwjcso74u3e4i64hvtvq
 `
+
+const validConfigLegacyFormat = `
+auth:
+  region: us-phoenix-1
+  tenancy: ocid1.tenancy.oc1..aaaaaaaatyn7scrtwtqedvgrxgr2xunzeo6uanvyhzxqblctwkrpisvke4kq
+  user: ocid1.user.oc1..aaaaaaaai77mql2xerv7cn6wu3nhxang3y4jk56vo5bn5l5lysl34avnui3q
+  key: |
+    -----BEGIN RSA PRIVATE KEY-----
+    -----END RSA PRIVATE KEY-----
+  fingerprint: 97:84:f7:26:a3:7b:74:d0:bd:4e:08:a7:79:c9:d0:1d
+
+  key_passphrase: secretpassphrase
+  useInstancePrincipals: true
+  compartment: ocid1.compartment.oc1
+`
+
 const validConfigNoRegion = `
 auth:
   tenancy: ocid1.tenancy.oc1..aaaaaaaatyn7scrtwtqedvgrxgr2xunzeo6uanvyhzxqblctwkrpisvke4kq
   compartment: ocid1.compartment.oc1..aaaaaaaa3um2atybwhder4qttfhgon4j3hcxgmsvnyvx4flfjyewkkwfzwnq
   user: ocid1.user.oc1..aaaaaaaai77mql2xerv7cn6wu3nhxang3y4jk56vo5bn5l5lysl34avnui3q
   key: |
     -----BEGIN RSA PRIVATE KEY-----
-    MIIEowIBAAKCAQEA4KpLGy/BLbph55HMjWLxCO657DLQTk4o+WWPi1+5oeAUVgyh
-    kdvPR22jn9HiAL9jKv7PR3/OdHSp/6E3d05htksI7Tct4M/eWVMGRIzoMJvpJ99e
-    ZP7MtQT9yknbJDSJoibSwLmPoInnPE/WbcgrTKSAfNURK0bKw1tnLd85qt7zdLI3
-    g6O/14Bsmf+ovGiQHP6oiTuC4l3D8eTLlKdSrRVqZXhdvslpZU8MtNB8pPHMB4GZ
-    R6HccBi7TJY7kkNg+5flRBTdYL8bvaji3zxSlvawvet+bJmEtApkUoLnovLCviVp
-    NVTJZb5iQxMJLZlDJJT/ruq+HMJ3PiiYFOjFVwIDAQABAoIBAQDNkiT9MFoj/Hpf
-    SOKRsKn60W3gObKvJAeMBKkvD50tCHuzLQWeEDJ/GkxxDbwtkPItwlBqDQEdQC7Z
-    UGwPR/JSuh/l5uqc3beHpleC3CgNamwSZunZoegv7uxGcAQMAeK6M6n+XQyWCflD
-    D46Wj2VHUPKcxt1Z6wHXdchYifwbYwUNA3hOlRJK3ODgk/X6UjTGb3+gpY3qU4kX
-    Iz5L1ekCSgVIPBFVwdZQUyUC7+iIySaK+qcmEEx/UwOZ6uxhcmRzca31cjeaRS4H
-    pUjrl/aqLIW57E2MQ/vSzfQn7kEGBOrS0RjHZgq9u4Qdq6EkjHj3fenKpwWB7S1z
-    4t0PpinJAoGBAPRmxAcCd88EhWh5HhN+RWjmXdDCOmZ0yXbxxVBTQtK5pPnP8I9A
-    3Jd2ughHk7dFBvgKbHkVsyWgAk8zRZdD2hkQBOXvoeJF2scmvgFUBs1otf6xiFsf
-    IC0I8A/wXn3IHmyrG7xmPAtHWKvTTAFg7IjIIofcX7cuzMeLXEUMvLQdAoGBAOtT
-    wJCtPTNs4c3vhO4gba98c30U3tHmbLVKJXGEeZkSv3/ez5eIiYBJTzwLB2+ppy8j
-    2lYsdkLvsoyKF3LUwyt0gsX+AU9DJ2dmSJZ3E67UHsY6+qog5QlYfWWD8mKWeE9L
-    2r0rhG6l0WHR15LdvVc9MJ8e3YVUvNJJJJhQ2v0DAoGAAosXOyNxb7wST1YDVBya
-    SE8tZsC+rtZESnKVpRJYvayk5NyfGj6IjSL1KKTmCqAzRF2HZ3MsXBXgMEbOUJaq
-    LFyYUHQ/8QTdE/l5PLZNI9IVIsNiMeCPCyjuppvPv+tXNbZKIZnGwi9J4u/d+J2z
-    mHDMuzE15cgc5W6z1Rwe0pkCgYBzRwvF05dvYZ8bqoGLxQb2OBi65UZhvGb0R+Yf
-    va1zduOoWBWJPbFdzoup9h0mbg0f4ohKPm2QTKtCfUMPVXpmByUoqE0r7tGWrVxR
-    mPNjaTXKFYpFXOfVtCt5VzGdaeh1r8rvcCnnqgLv0EOyBj2CRs9So2QQtHnq6Tms
-    A6/C0QKBgAw8IsCnkNoZujCEOR/6ZHbK3eeyAs2yuJumsjYYosIGZ/bzsXTpfzAw
-    bs45GZxrW67zB/0HA7bVWS9ZkCVflHI2uBCFofm+y55IAzg9/c1xYU19PA3KRxHZ
-    D/yEDdXVK/lIzNt7kIMFhtoYGrwv1JQGfK5Wh2bi+AwbBDZ45/17
     -----END RSA PRIVATE KEY-----
   fingerprint: 97:84:f7:26:a3:7b:74:d0:bd:4e:08:a7:79:c9:d0:1d
 
@@ -138,3 +106,18 @@ func TestReadConfigShouldSetCompartmentIDWhenProvidedValidConfig(t *testing.T) {
 			cfg.CompartmentID, expected)
 	}
 }
+
+func TestBackwardsCompatibilityFieldsAreSetCorrectly(t *testing.T) {
+	cfg, err := ReadConfig(strings.NewReader(validConfigLegacyFormat))
+	if err != nil {
+		t.Fatalf("expected no error but got '%v'", err)
+	}
+
+	if cfg.CompartmentID != "ocid1.compartment.oc1" {
+		t.Errorf("Compartment ID was not set correctly: cfg.CompartmentID = %v", cfg.CompartmentID)
+	}
+
+	if cfg.Auth.Passphrase != "secretpassphrase" {
+		t.Errorf("Passphrase was not set correctly: cfg.Auth.Passphrase = %v", cfg.Auth.Passphrase)
+	}
+}

pkg/flexvolume/block/config_test.go

@@ -183,7 +183,6 @@ func TestValidateConfig(t *testing.T) {
 			in: &Config{
 				Config: providercfg.Config{
 					Auth: providercfg.AuthConfig{
-						VCNID:     "ocid1.user.oc1..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 						RegionKey: "phx",
 					},
 					UseInstancePrincipals: true,