diff --git a/cmd/aro/gateway.go b/cmd/aro/gateway.go
index fac963aa522..82e9b388f40 100644
--- a/cmd/aro/gateway.go
+++ b/cmd/aro/gateway.go
@@ -17,7 +17,6 @@ import (
 "github.com/Azure/ARO-RP/pkg/metrics/statsd"
 "github.com/Azure/ARO-RP/pkg/metrics/statsd/golang"
 utilnet "github.com/Azure/ARO-RP/pkg/util/net"
- "github.com/Azure/ARO-RP/pkg/util/service"
 )
 func gateway(ctx context.Context, log *logrus.Entry) error {
@@ -35,12 +34,12 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
 go g.Run()
- dbc, err := service.NewDatabaseClient(ctx, _env, log, m, nil)
+ dbc, err := database.NewDatabaseClientFromEnv(ctx, _env, log, m, nil)
 if err != nil {
 return err
 }
- dbName, err := service.DBName(_env.IsLocalDevelopmentMode())
+ dbName, err := env.DBName(_env)
 if err != nil {
 return err
 }
diff --git a/cmd/aro/monitor.go b/cmd/aro/monitor.go
index 35426cc3b51..44d0c36b8f8 100644
--- a/cmd/aro/monitor.go
+++ b/cmd/aro/monitor.go
@@ -20,7 +20,7 @@ import (
 "github.com/Azure/ARO-RP/pkg/metrics/statsd/k8s"
 pkgmonitor "github.com/Azure/ARO-RP/pkg/monitor"
 "github.com/Azure/ARO-RP/pkg/proxy"
- "github.com/Azure/ARO-RP/pkg/util/service"
+ "github.com/Azure/ARO-RP/pkg/util/encryption"
 )
 func monitor(ctx context.Context, log *logrus.Entry) error {
@@ -58,17 +58,17 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
 clusterm := statsd.New(ctx, log.WithField("component", "metrics"), _env, os.Getenv("CLUSTER_MDM_ACCOUNT"), os.Getenv("CLUSTER_MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))
- aead, err := service.NewAEADWithCore(ctx, _env, env.EncryptionSecretV2Name, env.EncryptionSecretName)
+ aead, err := encryption.NewAEADWithCore(ctx, _env, env.EncryptionSecretV2Name, env.EncryptionSecretName)
 if err != nil {
 return err
 }
- dbc, err := service.NewDatabaseClient(ctx, _env, log, &noop.Noop{}, aead)
+ dbc, err := database.NewDatabaseClientFromEnv(ctx, _env, log, &noop.Noop{}, aead)
 if err != nil {
 return err
 }
- dbName, err := service.DBName(_env.IsLocalDevelopmentMode())
+ dbName, err := env.DBName(_env)
 if err != nil {
 return err
 }
diff --git a/cmd/aro/portal.go b/cmd/aro/portal.go
index b511db27f7a..d4aa00360fb 100644
--- a/cmd/aro/portal.go
+++ b/cmd/aro/portal.go
@@ -18,9 +18,9 @@ import (
 "github.com/Azure/ARO-RP/pkg/metrics/statsd/golang"
 pkgportal "github.com/Azure/ARO-RP/pkg/portal"
 "github.com/Azure/ARO-RP/pkg/proxy"
+ "github.com/Azure/ARO-RP/pkg/util/encryption"
 "github.com/Azure/ARO-RP/pkg/util/keyvault"
 "github.com/Azure/ARO-RP/pkg/util/oidc"
- "github.com/Azure/ARO-RP/pkg/util/service"
 "github.com/Azure/ARO-RP/pkg/util/uuid"
 )
@@ -69,17 +69,17 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
 go g.Run()
- aead, err := service.NewAEADWithCore(ctx, _env, env.EncryptionSecretV2Name, env.EncryptionSecretName)
+ aead, err := encryption.NewAEADWithCore(ctx, _env, env.EncryptionSecretV2Name, env.EncryptionSecretName)
 if err != nil {
 return err
 }
- dbc, err := service.NewDatabaseClient(ctx, _env, log, m, aead)
+ dbc, err := database.NewDatabaseClientFromEnv(ctx, _env, log, m, aead)
 if err != nil {
 return err
 }
- dbName, err := service.DBName(_env.IsLocalDevelopmentMode())
+ dbName, err := env.DBName(_env)
 if err != nil {
 return err
 }
@@ -99,7 +99,7 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
 return err
 }
- keyVaultPrefix := os.Getenv(service.KeyVaultPrefix)
+ keyVaultPrefix := os.Getenv(encryption.KeyVaultPrefix)
 portalKeyvaultURI := keyvault.URI(_env, env.PortalKeyvaultSuffix, keyVaultPrefix)
 portalKeyvault := keyvault.NewManager(msiKVAuthorizer, portalKeyvaultURI)
diff --git a/cmd/aro/rp.go b/cmd/aro/rp.go
index d9c5d9abd4c..8f0cbde9ace 100644
--- a/cmd/aro/rp.go
+++ b/cmd/aro/rp.go
@@ -38,7 +38,6 @@ import (
 "github.com/Azure/ARO-RP/pkg/metrics/statsd/k8s"
 "github.com/Azure/ARO-RP/pkg/util/clusterdata"
 "github.com/Azure/ARO-RP/pkg/util/encryption"
- "github.com/Azure/ARO-RP/pkg/util/service"
 )
 func rp(ctx context.Context, log, audit *logrus.Entry) error {
@@ -101,17 +100,17 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 clusterm := statsd.New(ctx, log.WithField("component", "metrics"), _env, os.Getenv("CLUSTER_MDM_ACCOUNT"), os.Getenv("CLUSTER_MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))
- aead, err := encryption.NewMulti(ctx, _env.ServiceKeyvault(), env.EncryptionSecretV2Name, env.EncryptionSecretName)
+ aead, err := encryption.NewAEADWithCore(ctx, _env, env.EncryptionSecretV2Name, env.EncryptionSecretName)
 if err != nil {
 return err
 }
- dbc, err := service.NewDatabaseClient(ctx, _env, log, metrics, aead)
+ dbc, err := database.NewDatabaseClientFromEnv(ctx, _env, log, metrics, aead)
 if err != nil {
 return err
 }
- dbName, err := service.DBName(_env.IsLocalDevelopmentMode())
+ dbName, err := env.DBName(_env)
 if err != nil {
 return err
 }
diff --git a/cmd/aro/update_ocp_versions.go b/cmd/aro/update_ocp_versions.go
index 2ce7e588648..b5d7eff1924 100644
--- a/cmd/aro/update_ocp_versions.go
+++ b/cmd/aro/update_ocp_versions.go
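Review bot: The rp.go hunk at -101 changes how the RP reaches the service keyvault: `_env.ServiceKeyvault()` is replaced by a manager that `encryption.NewAEADWithCore` builds itself from a fresh MSI authorizer and a `KEYVAULT_PREFIX` value read with `os.Getenv` and never validated, so the RP now has a second, unvalidated path to the vault. If `_env.ServiceKeyvault()` is wired from the same prefix and validated when the env is constructed (not visible from here), this duplicates that work and bypasses the validation; if it is wired differently, it is a silent behaviour change for the RP that the commit does not mention. Either keep `aead, err := encryption.NewMulti(ctx, _env.ServiceKeyvault(), env.EncryptionSecretV2Name, env.EncryptionSecretName)` in rp.go, or have `NewAEADWithCore` validate the prefix before building the URI. The body of rp continues outside the hunk.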
@@ -16,7 +16,6 @@ import (
 "github.com/Azure/ARO-RP/pkg/database"
 "github.com/Azure/ARO-RP/pkg/env"
 "github.com/Azure/ARO-RP/pkg/metrics/statsd"
- "github.com/Azure/ARO-RP/pkg/util/service"
 "github.com/Azure/ARO-RP/pkg/util/version"
 )
@@ -160,12 +159,12 @@ func getVersionsDatabase(ctx context.Context, log *logrus.Entry) (database.OpenS
 m := statsd.New(ctx, log.WithField("component", "update-ocp-versions"), _env, os.Getenv("MDM_ACCOUNT"), os.Getenv("MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))
- dbc, err := service.NewDatabaseClient(ctx, _env, log, m, nil)
+ dbc, err := database.NewDatabaseClientFromEnv(ctx, _env, log, m, nil)
 if err != nil {
 return nil, fmt.Errorf("failed creating database client: %w", err)
 }
- dbName, err := service.DBName(_env.IsLocalDevelopmentMode())
+ dbName, err := env.DBName(_env)
 if err != nil {
 return nil, err
 }
diff --git a/cmd/aro/update_role_sets.go b/cmd/aro/update_role_sets.go
index 148045441eb..8d0fb094dfb 100644
--- a/cmd/aro/update_role_sets.go
+++ b/cmd/aro/update_role_sets.go
@@ -16,7 +16,6 @@ import (
 "github.com/Azure/ARO-RP/pkg/env"
 "github.com/Azure/ARO-RP/pkg/metrics/statsd"
 "github.com/Azure/ARO-RP/pkg/util/encryption"
- "github.com/Azure/ARO-RP/pkg/util/keyvault"
 )
 func getRoleSetsFromEnv() ([]api.PlatformWorkloadIdentityRoleSetProperties, error) {
@@ -38,26 +37,23 @@ func getPlatformWorkloadIdentityRoleSetDatabase(ctx context.Context, log *logrus
 return nil, fmt.Errorf("MSI Authorizer failed with: %s", err.Error())
 }
- msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)
- if err != nil {
- return nil, fmt.Errorf("MSI KeyVault Authorizer failed with: %s", err.Error())
- }
-
 m := statsd.New(ctx, log.WithField("component", "update-role-sets"), _env, os.Getenv("MDM_ACCOUNT"), os.Getenv("MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))
- keyVaultPrefix := os.Getenv(envKeyVaultPrefix)
- serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
- serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
+ aead, err := encryption.NewAEADWithCore(ctx, _env, env.EncryptionSecretV2Name, env.EncryptionSecretName)
+ if err != nil {
+ return nil, err
+ }
- aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
+ dbName, err := env.DBName(_env)
 if err != nil {
 return nil, err
 }
- if err := env.ValidateVars(envDatabaseAccountName); err != nil {
+ dbAccountName, err := env.DBAccountName()
+ if err != nil {
 return nil, err
 }
- dbAccountName := os.Getenv(envDatabaseAccountName)
+
 clientOptions := &policy.ClientOptions{
 ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
 }
@@ -73,11 +69,6 @@ func getPlatformWorkloadIdentityRoleSetDatabase(ctx context.Context, log *logrus
 return nil, err
 }
- dbName, err := DBName(_env.IsLocalDevelopmentMode())
- if err != nil {
- return nil, err
- }
-
 return database.NewPlatformWorkloadIdentityRoleSets(ctx, dbc, dbName)
 }
diff --git a/pkg/database/fromenv.go b/pkg/database/fromenv.go
new file mode 100644
index 00000000000..5c6ac20a673
--- /dev/null
+++ b/pkg/database/fromenv.go
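Review bot: The removed lines in the hunk at -38 were this file's uses of the cmd/aro package-local `envKeyVaultPrefix` and `envDatabaseAccountName` constants, and the hunk at -73 drops the only call here to the package-local `DBName(bool)`; if nothing else in cmd/aro references them after this change they are now dead code and should go in the same commit rather than be left behind. The function's body continues outside both hunks, so I cannot tell from here whether the remaining hand-built client (the `clientOptions` path) still needs `dbAccountName` or could use `database.NewDatabaseClientFromEnv` like the other commands do.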
@@ -0,0 +1,51 @@
+package database
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/sirupsen/logrus"
+
+ "github.com/Azure/ARO-RP/pkg/database/cosmosdb"
+ "github.com/Azure/ARO-RP/pkg/env"
+ "github.com/Azure/ARO-RP/pkg/metrics"
+ "github.com/Azure/ARO-RP/pkg/util/encryption"
+)
+
+// NewDatabaseClient creates a CosmosDB database client from the environment configuration.
+func NewDatabaseClientFromEnv(ctx context.Context, _env env.Core, log *logrus.Entry, m metrics.Emitter, aead encryption.AEAD) (cosmosdb.DatabaseClient, error) {
+ dbAccountName, err := env.DBAccountName()
+ if err != nil {
+ return nil, err
+ }
+
+ msiToken, err := _env.NewMSITokenCredential()
+ if err != nil {
+ return nil, err
+ }
+
+ scope := []string{
+ fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope),
+ }
+
+ logrusEntry := log.WithField("component", "database")
+
+ dbAuthorizer, err := NewTokenAuthorizer(
+ ctx, logrusEntry, msiToken, dbAccountName, scope,
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ dbc, err := NewDatabaseClient(
+ logrusEntry, _env, dbAuthorizer, m, aead, dbAccountName,
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ return dbc, nil
+}
diff --git a/pkg/env/helpers.go b/pkg/env/helpers.go
new file mode 100644
index 00000000000..58c95cac31b
--- /dev/null
+++ b/pkg/env/helpers.go
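Review bot: The doc comment on the new function names the wrong identifier: it reads `// NewDatabaseClient creates a CosmosDB database client from the environment configuration.` while the function is `NewDatabaseClientFromEnv`, which misleads readers and fails the Go doc-comment convention that linters check. Change it to `// NewDatabaseClientFromEnv creates a CosmosDB database client, taking the account name from the DATABASE_ACCOUNT_NAME variable via env.DBAccountName and an MSI token credential from _env.` The closing `dbc, err := NewDatabaseClient(...)` / `if err != nil { return nil, err }` / `return dbc, nil` adds nothing to the error and can be collapsed to `return NewDatabaseClient(logrusEntry, _env, dbAuthorizer, m, aead, dbAccountName)`.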
@@ -0,0 +1,35 @@
+package env
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+ "fmt"
+ "os"
+)
+
+const (
+ EnvDatabaseName = "DATABASE_NAME"
+ EnvDatabaseAccountName = "DATABASE_ACCOUNT_NAME"
+)
+
+// Fetch the database account name from the environment.
+func DBAccountName() (string, error) {
+ if err := ValidateVars(EnvDatabaseAccountName); err != nil {
+ return "", err
+ }
+
+ return os.Getenv(EnvDatabaseAccountName), nil
+}
+
+func DBName(c Core) (string, error) {
+ if !c.IsLocalDevelopmentMode() {
+ return "ARO", nil
+ }
+
+ if err := ValidateVars(EnvDatabaseName); err != nil {
+ return "", fmt.Errorf("%v (development mode)", err.Error())
+ }
+
+ return os.Getenv(EnvDatabaseName), nil
+}
diff --git a/pkg/util/encryption/azure.go b/pkg/util/encryption/azure.go
new file mode 100644
index 00000000000..79cfde3cf7c
--- /dev/null
+++ b/pkg/util/encryption/azure.go
@@ -0,0 +1,34 @@
+package encryption
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+ "context"
+ "fmt"
+ "os"
+
+ "github.com/Azure/ARO-RP/pkg/env"
+ "github.com/Azure/ARO-RP/pkg/util/keyvault"
+)
+
+const (
+ KeyVaultPrefix = "KEYVAULT_PREFIX"
+)
+
+// NewAEADWithCore creates an AEAD encryption manager with resources available
+// from the Core env object.
+func NewAEADWithCore(ctx context.Context, _env env.Core, encryptionSecretV2Name string, encryptionSecretName string) (AEAD, error) {
+ msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)
+ if err != nil {
+ return nil, fmt.Errorf("MSI KeyVault Authorizer failed with: %s", err.Error())
+ }
+
+ keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+ serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
+ serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
+
+ return NewMulti(
+ ctx, serviceKeyvault, encryptionSecretV2Name, encryptionSecretName,
+ )
+}
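Review bot: In pkg/env/helpers.go the exported `DBName`, `EnvDatabaseName` and `EnvDatabaseAccountName` carry no doc comment and `DBAccountName`'s comment does not begin with its name, so none of them renders as documentation. Suggested: `// DBAccountName returns the value of DATABASE_ACCOUNT_NAME, failing if it is unset.` and `// DBName returns the database name: "ARO" outside local development mode, otherwise the value of DATABASE_NAME.` The development-mode error `fmt.Errorf("%v (development mode)", err.Error())` flattens the ValidateVars error to a string; `fmt.Errorf("%w (development mode)", err)` keeps it inspectable with errors.Is/errors.As.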
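Review bot: In pkg/util/encryption/azure.go, `keyVaultPrefix := os.Getenv(KeyVaultPrefix)` reads KEYVAULT_PREFIX without `env.ValidateVars`, unlike `DBAccountName` added in the same commit, so an unset variable produces a service keyvault URI built from an empty prefix instead of a startup error; add `if err := env.ValidateVars(KeyVaultPrefix); err != nil { return nil, err }` before the URI is built. This now affects every command, since rp.go also switches to this helper. The constant is also named and housed inconsistently with the new `env.EnvDatabaseName`/`env.EnvDatabaseAccountName`, and portal.go uses it for the portal keyvault, which is unrelated to encryption, so `env.EnvKeyVaultPrefix` beside the other two would be the natural home. The MSI error `fmt.Errorf("MSI KeyVault Authorizer failed with: %s", err.Error())` should wrap with `%w` rather than stringify.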
diff --git a/pkg/util/service/const.go b/pkg/util/service/const.go
deleted file mode 100644
index 0183d581ec1..00000000000
--- a/pkg/util/service/const.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package service
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-const (
- DatabaseName = "DATABASE_NAME"
- DatabaseAccountName = "DATABASE_ACCOUNT_NAME"
- KeyVaultPrefix = "KEYVAULT_PREFIX"
-)
diff --git a/pkg/util/service/database.go b/pkg/util/service/database.go
deleted file mode 100644
index b4451ef42c2..00000000000
--- a/pkg/util/service/database.go
+++ /dev/null
@@ -1,71 +0,0 @@
-package service
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
- "context"
- "fmt"
- "os"
-
- "github.com/sirupsen/logrus"
-
- "github.com/Azure/ARO-RP/pkg/database"
- "github.com/Azure/ARO-RP/pkg/database/cosmosdb"
- "github.com/Azure/ARO-RP/pkg/env"
- "github.com/Azure/ARO-RP/pkg/metrics"
- "github.com/Azure/ARO-RP/pkg/util/encryption"
- "github.com/Azure/ARO-RP/pkg/util/keyvault"
-)
-
-// NewAEADWithCore creates an AEAD encryption manager with resources available
-// from the Core env object.
-func NewAEADWithCore(ctx context.Context, _env env.Core, encryptionSecretV2Name string, encryptionSecretName string) (encryption.AEAD, error) {
- msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)
- if err != nil {
- return nil, err
- }
-
- keyVaultPrefix := os.Getenv(KeyVaultPrefix)
- serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
- serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
-
- return encryption.NewMulti(
- ctx, serviceKeyvault, encryptionSecretV2Name, encryptionSecretName,
- )
-}
-
-// NewDatabaseClient creates a CosmosDB database client from the environment configuration.
-func NewDatabaseClient(ctx context.Context, _env env.Core, log *logrus.Entry, m metrics.Emitter, aead encryption.AEAD) (cosmosdb.DatabaseClient, error) {
- if err := env.ValidateVars(DatabaseAccountName); err != nil {
- return nil, err
- }
-
- msiToken, err := _env.NewMSITokenCredential()
- if err != nil {
- return nil, err
- }
-
- dbAccountName := os.Getenv(DatabaseAccountName)
- scope := []string{
- fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope),
- }
-
- logrusEntry := log.WithField("component", "database")
-
- dbAuthorizer, err := database.NewTokenAuthorizer(
- ctx, logrusEntry, msiToken, dbAccountName, scope,
- )
- if err != nil {
- return nil, err
- }
-
- dbc, err := database.NewDatabaseClient(
- logrusEntry, _env, dbAuthorizer, m, aead, dbAccountName,
- )
- if err != nil {
- return nil, err
- }
-
- return dbc, nil
-}
diff --git a/pkg/util/service/helpers.go b/pkg/util/service/helpers.go
deleted file mode 100644
index 5013849d835..00000000000
--- a/pkg/util/service/helpers.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package service
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
- "fmt"
- "os"
-
- "github.com/Azure/ARO-RP/pkg/env"
-)
-
-func DBName(isLocalDevelopmentMode bool) (string, error) {
- if !isLocalDevelopmentMode {
- return "ARO", nil
- }
-
- if err := env.ValidateVars(DatabaseName); err != nil {
- return "", fmt.Errorf("%v (development mode)", err.Error())
- }
-
- return os.Getenv(DatabaseName), nil
-}