Disconnect cluster in gitops (#3470)

ranatrk · web-flow · commit 3a2548b0486c · 2023-10-12T23:33:18.000+03:00
* Add delete service account resources

* Test pass for delete service account resources

* Add label managed-by to resources when  being created during reconciliation

* Fix DisconnectCluster function to include retrieving service account name and cluster role binding name and delete resources accordingly

* Add gitops disconnect cluster cmd

* Add service account name and cluster role binding name flags to gitops disconnect cmd

Add check service account name and check cluster role binding name functions to verify their existance with the connect-cluster label

* Add existing resources to simpleClientSet when creating it instead of using helper function in service account tests

* Make newGitopsClusterScheme unexposed

* Move prerun disinheritApiFlags to new function in common app pkg in cmd gitops pkg dir

* update go.mod
diff --git a/cmd/gitops/app/connect/clusters/cmd.go b/cmd/gitops/app/connect/clusters/cmd.go
@@ -1,8 +1,6 @@
 package connect
 
 import (
-	// "github.com/go-logr/stdr"
-
 	"github.com/spf13/cobra"
 	"github.com/weaveworks/weave-gitops-enterprise/pkg/cluster/connector"
 	"github.com/weaveworks/weave-gitops/cmd/gitops/config"
diff --git a/cmd/gitops/app/connect/cmd.go b/cmd/gitops/app/connect/cmd.go
@@ -3,6 +3,7 @@ package connect
 import (
 	"github.com/spf13/cobra"
 	connect "github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/connect/clusters"
+	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/pkg/app"
 	"github.com/weaveworks/weave-gitops/cmd/gitops/config"
 )
 
@@ -13,19 +14,7 @@ func Command(opts *config.Options) *cobra.Command {
 		Example: `
 # Connect a cluster
 gitops connect cluster`,
-		PreRunE: func(cmd *cobra.Command, args []string) error {
-			names := []string{
-				"endpoint",
-				"password",
-				"username",
-			}
-			flags := cmd.InheritedFlags()
-			for _, name := range names {
-				err := flags.SetAnnotation(name, cobra.BashCompOneRequiredFlag, []string{"false"})
-				return err
-			}
-			return nil
-		},
+		PreRunE: app.DisinheritAPIFlags,
 	}
 
 	cmd.AddCommand(connect.ConnectCommand(opts))
diff --git a/cmd/gitops/app/disconnect/clusters/cmd.go b/cmd/gitops/app/disconnect/clusters/cmd.go
@@ -0,0 +1,65 @@
+package disconnect
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/weaveworks/weave-gitops-enterprise/pkg/cluster/connector"
+	"github.com/weaveworks/weave-gitops/cmd/gitops/config"
+	"github.com/weaveworks/weave-gitops/core/logger"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+type disconnectOptionsFlags struct {
+	RemoteClusterContext   string
+	ServiceAccountName     string
+	ClusterRoleBindingName string
+	Namespace              string
+	Debug                  string
+}
+
+var disconnectOptionsCmdFlags disconnectOptionsFlags
+
+// DisconnectCommand is the command for disconnect clusters and includes all the required flags
+func DisconnectCommand(opts *config.Options) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "cluster",
+		Aliases: []string{"clusters"},
+		Short:   "Disconnect cluster from remote cluster by deleting resources",
+		Example: `
+# Disconnect cluster
+gitops disconnect cluster [PARAMS] <CLUSTER_NAME>
+`,
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		Args:          cobra.MinimumNArgs(1),
+		RunE:          disconnectClusterCmdRunE(opts),
+	}
+
+	cmd.Flags().StringVar(&disconnectOptionsCmdFlags.RemoteClusterContext, "connect-context", "", "Context name of the remote cluster")
+	cmd.Flags().StringVar(&disconnectOptionsCmdFlags.ServiceAccountName, "service-account", "weave-gitops-enterprise", "Service account name to be created/used")
+	cmd.Flags().StringVar(&disconnectOptionsCmdFlags.ClusterRoleBindingName, "cluster-role-binding", "weave-gitops-enterprise", "Cluster role binding name to be created/used")
+	cmd.Flags().StringVarP(&disconnectOptionsCmdFlags.Namespace, "namespace", "n", "default", "Namespace of remote cluster")
+	cmd.Flags().StringVarP(&disconnectOptionsCmdFlags.Debug, "debug", "d", "INFO", "Verbose level of logs")
+
+	return cmd
+}
+
+func disconnectClusterCmdRunE(opts *config.Options) func(*cobra.Command, []string) error {
+	return func(cmd *cobra.Command, args []string) error {
+		clusterName := args[0]
+
+		options := connector.ClusterConnectionOptions{
+			GitopsClusterName:      types.NamespacedName{Name: clusterName, Namespace: disconnectOptionsCmdFlags.Namespace},
+			ServiceAccountName:     disconnectOptionsCmdFlags.ServiceAccountName,
+			ClusterRoleBindingName: disconnectOptionsCmdFlags.ClusterRoleBindingName,
+			RemoteClusterContext:   disconnectOptionsCmdFlags.RemoteClusterContext,
+			ConfigPath:             opts.Kubeconfig,
+		}
+
+		newLogger, _ := logger.New(disconnectOptionsCmdFlags.Debug, false)
+		ctx := log.IntoContext(cmd.Context(), newLogger)
+
+		return connector.DisconnectCluster(ctx, &options)
+
+	}
+}
diff --git a/cmd/gitops/app/disconnect/cmd.go b/cmd/gitops/app/disconnect/cmd.go
@@ -0,0 +1,26 @@
+package disconnect
+
+import (
+	"github.com/spf13/cobra"
+	disconnect "github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/disconnect/clusters"
+
+	// "github.com/weaveworks/weave-gitops/cmd/gitops/app"
+	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/pkg/app"
+	"github.com/weaveworks/weave-gitops/cmd/gitops/config"
+)
+
+// Command returns the command for disconnect
+func Command(opts *config.Options) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "disconnect",
+		Short: "Disconnect clusters",
+		Example: `
+# Disconnect a cluster
+gitops disconnect cluster`,
+		PreRunE: app.DisinheritAPIFlags,
+	}
+
+	cmd.AddCommand(disconnect.DisconnectCommand(opts))
+
+	return cmd
+}
diff --git a/cmd/gitops/app/root/cmd.go b/cmd/gitops/app/root/cmd.go
@@ -14,6 +14,7 @@ import (
 	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/connect"
 	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/create"
 	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/delete"
+	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/disconnect"
 	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/generate"
 	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/get"
 	"github.com/weaveworks/weave-gitops-enterprise/cmd/gitops/app/remove"
@@ -142,6 +143,7 @@ func Command(client *adapters.HTTPClient) *cobra.Command {
 	rootCmd.AddCommand(generate.Command())
 	rootCmd.AddCommand(bootstrap.Command(options))
 	rootCmd.AddCommand(connect.Command(options))
+	rootCmd.AddCommand(disconnect.Command(options))
 
 	return rootCmd
 }
diff --git a/cmd/gitops/pkg/app/app.go b/cmd/gitops/pkg/app/app.go
@@ -0,0 +1,22 @@
+package app
+
+import "github.com/spf13/cobra"
+
+// DisinheritAPIFlags turns off the required flag for CLI options related to accessing the Weave GitOps API.
+//
+// Currently, our top-level Command defines some top-level flags that are useful for most commands
+// including endpoint,username, and passowrd
+// but not all commands require access to the API, and so this can be used to disable top-level flags.
+func DisinheritAPIFlags(cmd *cobra.Command, args []string) error {
+	names := []string{
+		"endpoint",
+		"password",
+		"username",
+	}
+	flags := cmd.InheritedFlags()
+	for _, name := range names {
+		err := flags.SetAnnotation(name, cobra.BashCompOneRequiredFlag, []string{"false"})
+		return err
+	}
+	return nil
+}
diff --git a/go.mod b/go.mod
@@ -92,6 +92,7 @@ require (
 	github.com/fluxcd/pkg/tar v0.2.0 // indirect
 	github.com/gitops-tools/pkg v0.1.0 // indirect
 	github.com/google/go-containerregistry v0.12.0 // indirect
+	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
 )
 
 require (
@@ -120,7 +121,6 @@ require (
 	github.com/mschoch/smat v0.2.0 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.opentelemetry.io/otel/metric v0.37.0 // indirect
-	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
 	google.golang.org/api v0.126.0 // indirect
 	google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
diff --git a/pkg/cluster/connector/connector.go b/pkg/cluster/connector/connector.go
@@ -5,7 +5,10 @@ import (
 
 	gitopsv1alpha1 "github.com/weaveworks/cluster-controller/api/v1alpha1"
 	"github.com/weaveworks/weave-gitops/core/logger"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
@@ -42,12 +45,20 @@ type ClusterConnectionOptions struct {
 	GitopsClusterName types.NamespacedName
 }
 
-func getSecretNameForConfig(ctx context.Context, config *rest.Config, options *ClusterConnectionOptions) (string, error) {
+func getDynClientAndScheme(config *rest.Config) (dynamic.Interface, *runtime.Scheme, error) {
 	dynClient, err := dynamic.NewForConfig(config)
 	if err != nil {
-		return "", err
+		return nil, nil, err
 	}
-	scheme, err := NewGitopsClusterScheme()
+	scheme, err := newGitopsClusterScheme()
+	if err != nil {
+		return nil, nil, err
+	}
+	return dynClient, scheme, nil
+}
+
+func getSecretNameForConfig(ctx context.Context, config *rest.Config, options *ClusterConnectionOptions) (string, error) {
+	dynClient, scheme, err := getDynClientAndScheme(config)
 	if err != nil {
 		return "", err
 	}
@@ -68,7 +79,6 @@ func ConnectCluster(ctx context.Context, options *ClusterConnectionOptions) erro
 	if err != nil {
 		return err
 	}
-
 	// Get the context from SpokeClusterContext
 	spokeClusterConfig, err := configForContext(ctx, pathOpts, options.RemoteClusterContext)
 	if err != nil {
@@ -109,9 +119,9 @@ func ConnectCluster(ctx context.Context, options *ClusterConnectionOptions) erro
 	return nil
 }
 
-// NewGitopsClusterScheme returns a scheme with the GitopsCluster schema
+// newGitopsClusterScheme returns a scheme with the GitopsCluster schema
 // information registered.
-func NewGitopsClusterScheme() (*runtime.Scheme, error) {
+func newGitopsClusterScheme() (*runtime.Scheme, error) {
 	scheme := runtime.NewScheme()
 	err := gitopsv1alpha1.AddToScheme(scheme)
 	if err != nil {
@@ -120,3 +130,76 @@ func NewGitopsClusterScheme() (*runtime.Scheme, error) {
 
 	return scheme, nil
 }
+
+func deleteGitOpsClusterSecret(ctx context.Context, client kubernetes.Interface, secretName, namespace string) error {
+	lgr := log.FromContext(ctx)
+	err := client.CoreV1().Secrets(namespace).Delete(ctx, secretName, metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	lgr.V(logger.LogLevelDebug).Info("gitops cluster secret deleted successfully!", "secret", secretName, "namespace", namespace)
+	return nil
+}
+
+// DisconnectCluster disconnects a cluster from a spoke cluster given its name and context
+// The Service account, Cluster Role binding and secret are deleted in the remote cluster and secret containing token in hub cluster is deleted
+func DisconnectCluster(ctx context.Context, options *ClusterConnectionOptions) error {
+	lgr := log.FromContext(ctx)
+	pathOpts := clientcmd.NewDefaultPathOptions()
+	pathOpts.LoadingRules.ExplicitPath = options.ConfigPath
+
+	// load hub kubeconfig
+	hubClusterConfig, err := configForContext(ctx, pathOpts, "")
+	if err != nil {
+		return err
+	}
+
+	// Get the context from SpokeClusterContext
+	spokeClusterConfig, err := configForContext(ctx, pathOpts, options.RemoteClusterContext)
+	if err != nil {
+		return err
+	}
+	secretName, err := getSecretNameForConfig(ctx, hubClusterConfig, options)
+	if err != nil {
+		return err
+	}
+
+	spokeKubernetesClient, err := kubernetes.NewForConfig(spokeClusterConfig)
+	if err != nil {
+		return err
+	}
+
+	managedbyReq, err := labels.NewRequirement("app.kubernetes.io/managed-by", selection.Equals, []string{managedByLabelName})
+	if err != nil {
+		return err
+	}
+
+	selector := labels.NewSelector()
+	selector = selector.Add(*managedbyReq)
+	err = checkServiceAccountName(ctx, spokeKubernetesClient, options, selector)
+	if err != nil {
+		return err
+	}
+	err = checkClusterRoleBindingName(ctx, spokeKubernetesClient, options, selector)
+	if err != nil {
+		return err
+	}
+
+	err = deleteServiceAccountResources(ctx, spokeKubernetesClient, *options)
+	if err != nil {
+		return err
+	}
+
+	hubKubernetesClient, err := kubernetes.NewForConfig(hubClusterConfig)
+	if err != nil {
+		return err
+	}
+	err = deleteGitOpsClusterSecret(ctx, hubKubernetesClient, secretName, options.GitopsClusterName.Namespace)
+	if err != nil {
+		return err
+	}
+
+	lgr.V(logger.LogLevelInfo).Info("Successfully disconnected cluster and deleted resources", "cluster", options.GitopsClusterName)
+
+	return nil
+}
diff --git a/pkg/cluster/connector/secret_test.go b/pkg/cluster/connector/secret_test.go
@@ -8,7 +8,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	gitopsv1alpha1 "github.com/weaveworks/cluster-controller/api/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -51,7 +50,7 @@ func TestCreateOrUpdateGitOpsClusterSecret(t *testing.T) {
 	assert.NoError(t, err)
 
 	//serialize config
-	expectedSecret := &v1.Secret{
+	expectedSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretName,
 			Namespace: corev1.NamespaceDefault,
@@ -71,7 +70,7 @@ func TestCreateOrUpdateGitOpsClusterSecret(t *testing.T) {
 }
 
 func newTestScheme(t *testing.T) *runtime.Scheme {
-	scheme, err := NewGitopsClusterScheme()
+	scheme, err := newGitopsClusterScheme()
 	assert.NoError(t, err)
 
 	return scheme
diff --git a/pkg/cluster/connector/service_account.go b/pkg/cluster/connector/service_account.go
diff --git a/pkg/cluster/connector/service_account_test.go b/pkg/cluster/connector/service_account_test.go
