✨ Miscellaneous code cleanup (#881)

* extract constants and remove permissions

Signed-off-by: Alex <alexchan2988@gmail.com>

* Addressing miscellaneous code cleanup

Signed-off-by: Gaurav Jaswal <jaswalkiranavtar@gmail.com>

---------

Signed-off-by: Alex <alexchan2988@gmail.com>
Signed-off-by: Gaurav Jaswal <jaswalkiranavtar@gmail.com>
Co-authored-by: Alex <alexchan2988@gmail.com>

Author: jaswalkiranavtar

manifests/klusterlet/management/klusterlet-agent-deployment.yaml

@@ -121,10 +121,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-          {{if eq .RegistrationDriver.AuthType "awsirsa"}}
-          - name: PATH
-            value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/awscli/dist
-          {{end}}
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

manifests/klusterlet/management/klusterlet-registration-deployment.yaml

@@ -107,10 +107,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-          {{if eq .RegistrationDriver.AuthType "awsirsa"}}
-          - name: PATH
-            value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/awscli/dist
-          {{end}}
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

manifests/klusterlet/management/klusterlet-work-deployment.yaml

@@ -92,10 +92,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-          {{if eq .RegistrationDriver.AuthType "awsirsa"}}
-          - name: PATH
-            value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/awscli/dist
-          {{end}}
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

manifests/managed-cluster-policy/AccessPolicy.tmpl

@@ -1,6 +1,10 @@
 package helpers
 
-import "strings"
+import (
+	"crypto/md5" // #nosec G501
+	"encoding/hex"
+	"strings"
+)
 
 // GetAwsAccountIdAndClusterName Parses aws accountId and cluster-name from clusterArn
 // e.g. if clusterArn is arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1
@@ -19,3 +23,8 @@ func GetAwsRegion(clusterArn string) string {
 	clusterStringParts := strings.Split(clusterArn, ":")
 	return clusterStringParts[3]
 }
+
+func Md5HashSuffix(hubClusterAccountId string, hubClusterName string, managedClusterAccountId string, managedClusterName string) string {
+	hash := md5.Sum([]byte(strings.Join([]string{hubClusterAccountId, hubClusterName, managedClusterAccountId, managedClusterName}, "#"))) // #nosec G401
+	return hex.EncodeToString(hash[:])
+}

pkg/common/helpers/aws.go

@@ -0,0 +1,6 @@
+package helpers
+
+const (
+	AwsIrsaAuthType = "awsirsa"
+	CSRAuthType     = "csr"
+)

pkg/common/helpers/constants.go

@@ -427,7 +427,7 @@ func (n *clusterManagerController) getImagePullSecret(ctx context.Context) (stri
 func getIdentityCreatorRoleAndTags(cm operatorapiv1.ClusterManager) string {
 	if cm.Spec.RegistrationConfiguration != nil {
 		for _, registrationDriver := range cm.Spec.RegistrationConfiguration.RegistrationDrivers {
-			if registrationDriver.AuthType == "awsirsa" && registrationDriver.AwsIrsa != nil {
+			if registrationDriver.AuthType == commonhelper.AwsIrsaAuthType && registrationDriver.AwsIrsa != nil {
 				hubClusterArn := registrationDriver.AwsIrsa.HubClusterArn
 				hubClusterAccountId, hubClusterName := commonhelper.GetAwsAccountIdAndClusterName(hubClusterArn)
 				return "arn:aws:iam::" + hubClusterAccountId + ":role/" + hubClusterName + "_managed-cluster-identity-creator"

pkg/common/helpers/helpers.go

@@ -21,6 +21,7 @@ import (
 	operatorapiv1 "open-cluster-management.io/api/operator/v1"
 
 	"open-cluster-management.io/ocm/manifests"
+	commonhelpers "open-cluster-management.io/ocm/pkg/common/helpers"
 	"open-cluster-management.io/ocm/pkg/operator/helpers"
 )
 
@@ -77,11 +78,11 @@ func (c *runtimeReconcile) reconcile(ctx context.Context, cm *operatorapiv1.Clus
 		var enabledRegistrationDrivers []string
 		for _, registrationDriver := range cm.Spec.RegistrationConfiguration.RegistrationDrivers {
 			enabledRegistrationDrivers = append(enabledRegistrationDrivers, registrationDriver.AuthType)
-			if registrationDriver.AuthType == "awsirsa" && registrationDriver.AwsIrsa != nil {
+			if registrationDriver.AuthType == commonhelpers.AwsIrsaAuthType && registrationDriver.AwsIrsa != nil {
 				config.HubClusterArn = registrationDriver.AwsIrsa.HubClusterArn
 				config.AutoApprovedARNPatterns = strings.Join(registrationDriver.AwsIrsa.AutoApprovedIdentities, ",")
 				config.AwsResourceTags = strings.Join(registrationDriver.AwsIrsa.Tags, ",")
-			} else if registrationDriver.AuthType == "csr" && registrationDriver.CSR != nil {
+			} else if registrationDriver.AuthType == commonhelpers.CSRAuthType && registrationDriver.CSR != nil {
 				config.AutoApprovedCSRUsers = strings.Join(registrationDriver.CSR.AutoApprovedIdentities, ",")
 			}
 		}

pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go

@@ -42,7 +42,6 @@ const (
 	klusterletFinalizer                   = "operator.open-cluster-management.io/klusterlet-cleanup"
 	managedResourcesEvictionTimestampAnno = "operator.open-cluster-management.io/managed-resources-eviction-timestamp"
 	klusterletNamespaceLabelKey           = "operator.open-cluster-management.io/klusterlet"
-	AwsIrsaAuthType                       = "awsirsa"
 )
 
 type klusterletController struct {
@@ -346,7 +345,7 @@ func (n *klusterletController) sync(ctx context.Context, controllerContext facto
 		config.RegistrationKubeAPIBurst = klusterlet.Spec.RegistrationConfiguration.KubeAPIBurst
 		// Configuring Registration driver depending on registration auth
 		if &klusterlet.Spec.RegistrationConfiguration.RegistrationDriver != nil &&
-			klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AuthType == AwsIrsaAuthType {
+			klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AuthType == commonhelpers.AwsIrsaAuthType {
 
 			hubClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.HubClusterArn
 			managedClusterArn := klusterlet.Spec.RegistrationConfiguration.RegistrationDriver.AwsIrsa.ManagedClusterArn

pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_runtime_reconcile.go

@@ -42,6 +42,7 @@ import (
 	"open-cluster-management.io/sdk-go/pkg/patcher"
 
 	"open-cluster-management.io/ocm/manifests"
+	commonhelpers "open-cluster-management.io/ocm/pkg/common/helpers"
 	testingcommon "open-cluster-management.io/ocm/pkg/common/testing"
 	"open-cluster-management.io/ocm/pkg/operator/helpers"
 	testinghelper "open-cluster-management.io/ocm/pkg/operator/helpers/testing"
@@ -1012,7 +1013,7 @@ func TestGetServersFromKlusterlet(t *testing.T) {
 func TestAWSIrsaAuthInSingletonModeWithInvalidClusterArns(t *testing.T) {
 	klusterlet := newKlusterlet("klusterlet", "testns", "cluster1")
 	awsIrsaRegistrationDriver := operatorapiv1.RegistrationDriver{
-		AuthType: AwsIrsaAuthType,
+		AuthType: commonhelpers.AwsIrsaAuthType,
 		AwsIrsa: &operatorapiv1.AwsIrsa{
 			HubClusterArn:     "arn:aws:bks:us-west-2:123456789012:cluster/hub-cluster1",
 			ManagedClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",
@@ -1043,7 +1044,7 @@ func TestAWSIrsaAuthInSingletonModeWithInvalidClusterArns(t *testing.T) {
 func TestAWSIrsaAuthInSingletonMode(t *testing.T) {
 	klusterlet := newKlusterlet("klusterlet", "testns", "cluster1")
 	awsIrsaRegistrationDriver := operatorapiv1.RegistrationDriver{
-		AuthType: AwsIrsaAuthType,
+		AuthType: commonhelpers.AwsIrsaAuthType,
 		AwsIrsa: &operatorapiv1.AwsIrsa{
 			HubClusterArn:     "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
 			ManagedClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",
@@ -1075,7 +1076,7 @@ func TestAWSIrsaAuthInSingletonMode(t *testing.T) {
 func TestAWSIrsaAuthInNonSingletonMode(t *testing.T) {
 	klusterlet := newKlusterlet("klusterlet", "testns", "cluster1")
 	awsIrsaRegistrationDriver := operatorapiv1.RegistrationDriver{
-		AuthType: AwsIrsaAuthType,
+		AuthType: commonhelpers.AwsIrsaAuthType,
 		AwsIrsa: &operatorapiv1.AwsIrsa{
 			HubClusterArn:     "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
 			ManagedClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1",

pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go

@@ -64,7 +64,7 @@ func NewHubManagerOptions() *HubManagerOptions {
 		GCResourceList: []string{"addon.open-cluster-management.io/v1alpha1/managedclusteraddons",
 			"work.open-cluster-management.io/v1/manifestworks"},
 		ImportOption:               importeroptions.New(),
-		EnabledRegistrationDrivers: []string{"csr"},
+		EnabledRegistrationDrivers: []string{commonhelpers.CSRAuthType},
 	}
 }
 
@@ -170,7 +170,7 @@ func (m *HubManagerOptions) RunControllerManagerWithInformers(
 	var drivers []register.HubDriver
 	for _, enabledRegistrationDriver := range m.EnabledRegistrationDrivers {
 		switch enabledRegistrationDriver {
-		case "csr":
+		case commonhelpers.CSRAuthType:
 			autoApprovedCSRUsers := m.ClusterAutoApprovalUsers
 			if len(m.AutoApprovedCSRUsers) > 0 {
 				autoApprovedCSRUsers = m.AutoApprovedCSRUsers
@@ -180,7 +180,7 @@ func (m *HubManagerOptions) RunControllerManagerWithInformers(
 				return err
 			}
 			drivers = append(drivers, csrDriver)
-		case "awsirsa":
+		case commonhelpers.AwsIrsaAuthType:
 			awsIRSAHubDriver, err := awsirsa.NewAWSIRSAHubDriver(ctx, m.HubClusterArn, m.AutoApprovedARNPatterns, m.AwsResourceTags)
 			if err != nil {
 				return err

pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller_test.go

@@ -64,7 +64,7 @@ func (c *AWSIRSADriver) BuildKubeConfigFromTemplate(kubeConfig *clientcmdapi.Con
 	kubeConfig.AuthInfos = map[string]*clientcmdapi.AuthInfo{register.DefaultKubeConfigAuth: {
 		Exec: &clientcmdapi.ExecConfig{
 			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Command:    "aws",
+			Command:    "/awscli/dist/aws",
 			Args: []string{
 				"--region",
 				awsRegion,

pkg/registration/hub/manager.go

@@ -58,7 +58,7 @@ func TestBuildKubeconfig(t *testing.T) {
 			server: "https://127.0.0.1:6443",
 			AuthInfoExec: &clientcmdapi.ExecConfig{
 				APIVersion: "client.authentication.k8s.io/v1beta1",
-				Command:    "aws",
+				Command:    "/awscli/dist/aws",
 				Args: []string{
 					"--region",
 					"us-west-2",