Remove Etcd RBAC enabling code against the V2 API backend

The use of Etcd API V2 is not supported. The kubernetes resources intended to be protected by Etcd RBAC are stored in the data-store backing the Etcd V3 API. These backend data-stores are independent. RBAC enabled through V2 API does not affect the data-store backing V3 API. Remove the Etcd RBAC configuration against V2 API during upgrade-activate. The active controller commissioned with 6.0 release will have Etcd auth enabled and users root and apiserver-etcd-client created. Test plan: AIO-SX: bootstrap, confirm omitted RBAC configration: PASS BnR, confirm omitted RBAC configration: PASS upgrade, confirm omitted RBAC configuration: PASS AIO-DX: upgrade, confirm removed RBAC configuration: PASS Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/826661 Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/826665 Partial-Bug: 1949219 Change-Id: I12bbf4cd76cbda036fa4784c6d1cc2eefd39e1b1 Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
2022-01-26 15:59:54 -05:00 · 2022-01-26 15:59:54 -05:00 · 49117ccaa7
commit 49117ccaa7
parent f6efaff6bf
1 changed files with 75 additions and 0 deletions
--- a/controllerconfig/controllerconfig/upgrade-scripts/72-remove-etcd-rbac.sh
+++ b/controllerconfig/controllerconfig/upgrade-scripts/72-remove-etcd-rbac.sh
@ -0,0 +1,75 @@
+#!/bin/bash
+
+# Copyright (c) 2022 Wind River Systems, Inc.
+
+# SPDX-License-Identifier: Apache-2.0
+
+# Remove Etcd RBAC against V2 backend
+#
+# Note: this can be removed in the release after STX7.0
+
+. /etc/platform/platform.conf
+
+# This will log to /var/log/platform.log
+function log {
+    logger -p local1.info $1
+}
+
+FROM_REL=$1
+TO_REL=$2
+ACTION=$3
+
+ACCEPTED_REL="21.12"
+
+STATIC="/opt/platform/puppet/${sw_version}/hieradata/static.yaml"
+NET_KEY="platform::etcd::params::bind_address"
+NETVER_KEY="platform::etcd::params::bind_address_version"
+
+PORT="2379"
+ETCD_CERT="/etc/etcd/etcd-client.crt"
+ETCD_KEY="/etc/etcd/etcd-client.key"
+ETCD_CA="/etc/etcd/ca.crt"
+ETCD_CMDS="auth disable
+user remove root
+user remove apiserver-etcd-client"
+
+remove-etcd-rbac()
+{
+    local host_addr
+    local host_ver
+    local server_url
+
+    if [[ ! -f "${STATIC}" ]]; then
+        log "Script $0 does not find static yaml file: $STATIC"
+        exit 1
+    fi
+
+    host_addr="$( grep "^${NET_KEY}:" "${STATIC}" | gawk '{print $NF}' )"
+    host_ver="$( grep "^${NETVER_KEY}:" "${STATIC}" | gawk '{print $NF}' )"
+
+    if [ "$host_ver" == "6" ]; then
+        server_url="https://[${host_addr}]:${PORT},https://127.0.0.1:${PORT}"
+    else
+        server_url="https://${host_addr}:${PORT},https://127.0.0.1:${PORT}"
+    fi
+
+    # Ignore the return code of etcdctl calls here because the
+    # configuration against v2 API does not persist BnR; it may be absent
+    while read -r cmd; do
+        etcdctl --cert-file="${ETCD_CERT}" \
+            --key-file="${ETCD_KEY}" \
+            --ca-file="${ETCD_CA}" \
+            --endpoint="${server_url}" \
+            $cmd
+    done <<<"$ETCD_CMDS"
+}
+
+log "Script ${0} invoked with from_release = ${FROM_REL} to_release = ${TO_REL} action = ${ACTION}"
+
+if [ ${FROM_REL} == "$ACCEPTED_REL" -a ${ACTION} == "activate" ]; then
+    remove-etcd-rbac
+else
+    log "Script $0: No actions required from release $FROM_REL to $TO_REL with action $ACTION"
+fi
+
+exit 0