
[VCDA-3509] Tkgm cluster create fix for vapp view forbidden error #1359

Conversation

sakthisunda
Copy link
Contributor

@sakthisunda sakthisunda commented May 20, 2022

  • Fix for error: Status code: 403/ACCESS_TO_RESOURCE_IS_FORBIDDEN, [ dd88ceaa-47f2-46c1-a158-0fb9072d28ad ] Either you need some or all of the following rights [Base] to perform operations [VAPP_VIEW] for 75b5b162-35a4-444b-bdab-faab5d71cd6b or the target entity is invalid. (request id: dd88ceaa-47f2-46c1-a158-0fb9072d28ad)

  • The power-on operation on a VM is a special operation where the authorization check to access the VM is done multiple times. Since in our case the security context is getting wiped out during the power-on operation, the secondary authorization checks fail, and that results in the 403 error.

  • Fix description: restrict use of the CSE service account to its absolute minimum during cluster deployment. Use the service account client and vApp only for accessing and updating extra config for post-boot customization.

  • Cluster create with control plane and worker node tested

  • Cluster resize with worker node scale-up tested

  • Tested as Cluster Admin (clone of Org Admin + special rights)

  • Tested as Cluster Author (clone of vApp Author + special rights)

  • Resize tested through UI plugin and CLI


@sakthisunda sakthisunda requested a review from rocknes May 20, 2022 21:15
Copy link
Collaborator

@rocknes rocknes left a comment


Looks good to me once the comments are addressed.

Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @sakthisunda)


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 834 at r1 (raw file):

                    f"Error while creating vApp: {err}")
            client_v36.get_task_monitor().wait_for_status(vapp_resource.Tasks.Task[0])  # noqa: E501

Please create the vapp and admin_vapp objects here.


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 858 at r1 (raw file):

                                 href=vapp_resource.get('href'))
            admin_vapp = vcd_vapp.VApp(sysadmin_client_v36, href=vapp_resource.get('href'))
            task = vapp.set_multiple_metadata(tags)

The metadata should be set with the sysadmin client. The metadata is hidden from the normal user (the namespace used is SYSTEM), so I think if a normal user tries to write the metadata it will fail.


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 2493 at r1 (raw file):

                task,
                callback=wait_for_vm_power_on
            )

Please reload the normal vapp object too; power on will change its state (especially the links).


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 2717 at r1 (raw file):

                callback=wait_for_vm_power_on
            )
            admin_vapp.reload()

Please reload the normal vapp after the power-on operation.
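The two points made in this thread, that every vApp operation other than the extra-config update should go through the normal user's client, and that both the normal and the admin vApp objects must be reloaded after power-on because the operation changes the vApp's state and links, can be checked mechanically. The following is an added example, not container_service_extension or pyvcloud code: it models a vCD-like backend in memory (the class and right names FakeVcd, Right, Session, VApp, deploy_cluster and the SYSTEM_METADATA_WRITE right are assumptions made for the example), re-checks the caller's rights on every call the way the PR description says power-on does, and records an audit trail so a test can assert that the service account session is used for nothing except viewing and writing the extra config.

```python
"""Least-privilege client dispatch and post-power-on reload, modelled on the
fix discussed in this PR.  Self-contained illustration with a fake in-memory
backend; not container_service_extension code.  FakeVcd, Right, Session, VApp,
deploy_cluster and the right names below are assumptions for the example."""
from dataclasses import dataclass, field
from enum import Enum


class Right(Enum):
    VAPP_VIEW = "VAPP_VIEW"
    VAPP_POWER_ON = "VAPP_POWER_ON"
    SYSTEM_METADATA_WRITE = "SYSTEM_METADATA_WRITE"  # assumed: only the service account holds it


class Forbidden(Exception):
    """Stands in for the 403/ACCESS_TO_RESOURCE_IS_FORBIDDEN response."""


@dataclass
class Session:
    name: str
    rights: frozenset


@dataclass
class FakeVcd:
    """Minimal authorization model: every call re-checks the caller's rights,
    and power-on performs several secondary VAPP_VIEW checks, as the PR
    description says the real operation does."""
    audit: list = field(default_factory=list)
    state: dict = field(default_factory=lambda: {
        "power": "off", "links": ["power-on"], "extra_config": {}})

    def _check(self, session, right):
        self.audit.append((session.name, right.value))
        if right not in session.rights:
            raise Forbidden(f"{session.name} lacks {right.value}")

    def view(self, session):
        self._check(session, Right.VAPP_VIEW)
        return {"power": self.state["power"], "links": list(self.state["links"])}

    def power_on(self, session):
        self._check(session, Right.VAPP_POWER_ON)
        for _ in range(3):  # secondary checks made while the operation runs
            self._check(session, Right.VAPP_VIEW)
        self.state["power"] = "on"
        self.state["links"] = ["power-off", "reboot"]  # links change after power-on

    def set_extra_config(self, session, kv):
        self._check(session, Right.SYSTEM_METADATA_WRITE)
        self.state["extra_config"].update(kv)


class VApp:
    """Client-side object that caches the last fetched resource, so it goes
    stale after power-on until reload() is called."""
    def __init__(self, backend, session):
        self.backend, self.session = backend, session
        self.reload()

    def reload(self):
        self.resource = self.backend.view(self.session)

    def power_on(self):
        self.backend.power_on(self.session)

    def set_extra_config(self, kv):
        self.backend.set_extra_config(self.session, kv)


def service_account_ops(audit, account):
    """Rights the backend checked under the given account name."""
    return {right for name, right in audit if name == account}


def deploy_cluster(user, sysadmin, backend):
    """Post-create steps, each run with the least-privileged session able to do it."""
    vapp = VApp(backend, user)            # normal-user object for all vApp operations
    admin_vapp = VApp(backend, sysadmin)  # service-account object: extra config only
    vapp.power_on()
    vapp.reload()                         # both cached objects are stale after power-on
    admin_vapp.reload()
    admin_vapp.set_extra_config({"guestinfo.postcustomization.status": "pending"})
    return {
        "power": vapp.resource["power"],
        "links": vapp.resource["links"],
        "service_account_ops": service_account_ops(backend.audit, sysadmin.name),
    }


def cached_links_after_power_on(backend, user):
    """Why the reviewer asks for reload(): returns (stale links, fresh links)."""
    vapp = VApp(backend, user)
    vapp.power_on()
    stale = vapp.resource["links"]
    vapp.reload()
    return stale, vapp.resource["links"]
```

The audit set returned by deploy_cluster is the check a practitioner would keep in a unit test: if a future change routes power-on or any other vApp operation through the service account, VAPP_POWER_ON shows up under the service account's name and the test fails, which is exactly the regression this PR is guarding against.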

@sakthisunda sakthisunda changed the title from "[PR] Tkgm cluster create fix for vapp view forbidden error" to "[VCDA-3509] Tkgm cluster create fix for vapp view forbidden error" on May 24, 2022
Copy link
Contributor Author

@sakthisunda sakthisunda left a comment


Reviewable status: 0 of 1 files reviewed, 4 unresolved discussions (waiting on @rocknes)


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 834 at r1 (raw file):

Previously, rocknes wrote…

Please create the vapp and admin_vapp objects here.

Done.


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 858 at r1 (raw file):

Previously, rocknes wrote…

The metadata should be set with the sysadmin client. The metadata is hidden from the normal user (the namespace used is SYSTEM), so I think if a normal user tries to write the metadata it will fail.

Verified with both cluster admin and author: the metadata update goes through successfully with just minimal privilege. So, as per the mandatory requirement, not elevating the privilege to admin.


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 2493 at r1 (raw file):

Previously, rocknes wrote…

Please reload the normal vapp object too; power on will change its state (especially the links).

Done.


container_service_extension/rde/backend/cluster_service_2_x_tkgm.py line 2717 at r1 (raw file):

Previously, rocknes wrote…

Please reload the normal vapp after the power-on operation.

Done.

@sakthisunda sakthisunda changed the base branch from cse_3_1_updates to master May 25, 2022 19:11
@sakthisunda sakthisunda force-pushed the Tkgm-cluster-create-fix-for-vapp-view-forbidden-error branch from fb35001 to f6b457b May 25, 2022 19:11
@sakthisunda sakthisunda changed the base branch from master to cse_3_1_updates May 25, 2022 19:12
@sakthisunda sakthisunda force-pushed the Tkgm-cluster-create-fix-for-vapp-view-forbidden-error branch from f6b457b to fb35001 May 25, 2022 19:15
@sakthisunda
Copy link
Contributor Author

#1360 covers this on master. Closing this.
