OCPBUGS-33735: Remove GCP bootstrap ssh firewall rule

bfournie · bfournie · commit acbb5e3daefa · 2024-06-13T10:17:07.000-04:00
After the bootstrap has been deleted, remove the firewall rule
created for ssh access.
diff --git a/pkg/infrastructure/gcp/clusterapi/clusterapi.go b/pkg/infrastructure/gcp/clusterapi/clusterapi.go
@@ -229,6 +229,11 @@ func (p Provider) DestroyBootstrap(ctx context.Context, in clusterapi.BootstrapD
 	if err := gcp.DestroyStorage(ctx, in.Metadata.InfraID); err != nil {
 		return fmt.Errorf("failed to destroy storage: %w", err)
 	}
+
+	if err := removeBootstrapFirewallRules(ctx, in.Metadata.InfraID, in.Metadata.GCP.ProjectID); err != nil {
+		return fmt.Errorf("failed to remove bootstrap firewall rules: %w", err)
+	}
+
 	return nil
 }
 
diff --git a/pkg/infrastructure/gcp/clusterapi/firewallrules.go b/pkg/infrastructure/gcp/clusterapi/firewallrules.go
@@ -161,6 +161,28 @@ func addFirewallRule(ctx context.Context, name, network, projectID string, ports
 	return nil
 }
 
+// deleteFirewallRule deletes the firewall rule identified by name.
+func deleteFirewallRule(ctx context.Context, name, projectID string) error {
+	service, err := NewComputeService()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, time.Minute*3)
+	defer cancel()
+
+	op, err := service.Firewalls.Delete(projectID, name).Context(ctx).Do()
+	if err != nil {
+		return fmt.Errorf("failed to delete %s firewall rule: %w", name, err)
+	}
+
+	if err := WaitForOperationGlobal(ctx, projectID, op); err != nil {
+		return fmt.Errorf("failed to wait for delete %s firewall rule: %w", name, err)
+	}
+
+	return nil
+}
+
 // createFirewallRules creates the rules needed between the worker and master nodes.
 func createFirewallRules(ctx context.Context, in clusterapi.InfraReadyInput, network string) error {
 	projectID := in.InstallConfig.Config.Platform.GCP.ProjectID
@@ -221,3 +243,9 @@ func createBootstrapFirewallRules(ctx context.Context, in clusterapi.InfraReadyI
 	}
 	return addFirewallRule(ctx, firewallName, network, projectID, getBootstrapSSHPorts(), srcTags, targetTags, srcRanges)
 }
+
+// removeBootstrapFirewallRules removes the rules created for the bootstrap node.
+func removeBootstrapFirewallRules(ctx context.Context, infraID, projectID string) error {
+	firewallName := fmt.Sprintf("%s-bootstrap-in-ssh", infraID)
+	return deleteFirewallRule(ctx, firewallName, projectID)
+}

Original file line number	Diff line number	Diff line change
`@@ -229,6 +229,11 @@ func (p Provider) DestroyBootstrap(ctx context.Context, in clusterapi.BootstrapD`
`229`	`229`	`if err := gcp.DestroyStorage(ctx, in.Metadata.InfraID); err != nil {`
`230`	`230`	`return fmt.Errorf("failed to destroy storage: %w", err)`
`231`	`231`	`}`
	`232`	`+`
	`233`	`+ if err := removeBootstrapFirewallRules(ctx, in.Metadata.InfraID, in.Metadata.GCP.ProjectID); err != nil {`
	`234`	`+ return fmt.Errorf("failed to remove bootstrap firewall rules: %w", err)`
	`235`	`+ }`
	`236`	`+`
`232`	`237`	`return nil`
`233`	`238`	`}`
`234`	`239`