Add doc for instance principal based e2e and fix empty subnet cidr bug (#93)

shyamradhakrishnan · web-flow · commit 527ed0637bd2 · 2022-05-23T19:50:17.000+05:30
diff --git a/api/v1beta1/ocicluster_webhook_test.go b/api/v1beta1/ocicluster_webhook_test.go
@@ -43,6 +43,12 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			CIDR: "10.1.0.0/16",
 		},
 	}
+	emptySubnetCidr := []*Subnet{
+		&Subnet{
+			Role: ControlPlaneRole,
+			Name: "test-subnet",
+		},
+	}
 	badSubnetCidrFormat := []*Subnet{
 		&Subnet{
 			Name: "test-subnet",
@@ -59,10 +65,11 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			CIDR: "10.0.0.0/16",
 		},
 	}
-	badSubnetName := []*Subnet{
+	emptySubnetName := []*Subnet{
 		&Subnet{
 			Name: "",
 			CIDR: "10.0.0.0/16",
+			Role: ControlPlaneEndpointRole,
 		},
 	}
 	badSubnetRole := []*Subnet{
@@ -150,6 +157,23 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			errorMgsShouldContain: "cidr",
 			expectErr:             true,
 		},
+		{
+			name: "should allow empty subnet cidr",
+			c: &OCICluster{
+				ObjectMeta: metav1.ObjectMeta{},
+				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							CIDR:    "10.0.0.0/16",
+							Subnets: emptySubnetCidr,
+						},
+					},
+				},
+			},
+			expectErr: false,
+		},
 		{
 			name: "shouldn't allow subnet bad cidr format",
 			c: &OCICluster{
@@ -199,20 +223,21 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			expectErr:             true,
 		},
 		{
-			name: "shouldn't allow invalid subnet name",
+			name: "should allow empty subnet name",
 			c: &OCICluster{
 				ObjectMeta: metav1.ObjectMeta{},
 				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
 					NetworkSpec: NetworkSpec{
 						Vcn: VCN{
 							CIDR:    "10.0.0.0/16",
-							Subnets: badSubnetName,
+							Subnets: emptySubnetName,
 						},
 					},
 				},
 			},
-			errorMgsShouldContain: "subnet name invalid",
-			expectErr:             true,
+			expectErr: false,
 		},
 		{
 			name: "shouldn't allow bad NSG egress cidr",
diff --git a/api/v1beta1/validator.go b/api/v1beta1/validator.go
@@ -97,28 +97,30 @@ func validateVCNCIDR(vncCIDR string, fldPath *field.Path) field.ErrorList {
 func validateSubnetCIDR(subnetCidr string, vcnCidr string, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 
-	subnetCidrIP, _, err := net.ParseCIDR(subnetCidr)
-	if err != nil {
-		allErrs = append(allErrs, field.Invalid(fldPath, subnetCidr, "invalid CIDR format"))
-	}
-
-	// Check subnet is in vcnCidr if vcnCidr is set
-	if len(vcnCidr) > 0 {
-		var vcnNetwork *net.IPNet
-		if _, parseNetwork, err := net.ParseCIDR(vcnCidr); err == nil {
-			vcnNetwork = parseNetwork
+	if len(subnetCidr) > 0 {
+		subnetCidrIP, _, err := net.ParseCIDR(subnetCidr)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(fldPath, subnetCidr, "invalid CIDR format"))
 		}
 
-		var found bool
-		if vcnNetwork != nil && vcnNetwork.Contains(subnetCidrIP) {
-			found = true
-		}
+		// Check subnet is in vcnCidr if vcnCidr is set
+		if len(vcnCidr) > 0 {
+			var vcnNetwork *net.IPNet
+			if _, parseNetwork, err := net.ParseCIDR(vcnCidr); err == nil {
+				vcnNetwork = parseNetwork
+			}
+
+			var found bool
+			if vcnNetwork != nil && vcnNetwork.Contains(subnetCidrIP) {
+				found = true
+			}
 
-		if !found {
-			allErrs = append(allErrs, field.Invalid(fldPath, subnetCidr, fmt.Sprintf("subnet CIDR not in VCN address space: %s", vcnCidr)))
+			if !found {
+				allErrs = append(allErrs, field.Invalid(fldPath, subnetCidr, fmt.Sprintf("subnet CIDR not in VCN address space: %s", vcnCidr)))
+			}
 		}
-	}
 
+	}
 	return allErrs
 }
 
@@ -180,10 +182,12 @@ func validateSubnets(subnets []*Subnet, vcn VCN, fldPath *field.Path) field.Erro
 		if err := validateSubnetName(subnet.Name, fldPath.Index(i).Child("name")); err != nil {
 			allErrs = append(allErrs, err)
 		}
-		if _, ok := subnetNames[subnet.Name]; ok {
-			allErrs = append(allErrs, field.Duplicate(fldPath, subnet.Name))
+		if len(subnet.Name) > 0 {
+			if _, ok := subnetNames[subnet.Name]; ok {
+				allErrs = append(allErrs, field.Duplicate(fldPath, subnet.Name))
+			}
+			subnetNames[subnet.Name] = true
 		}
-		subnetNames[subnet.Name] = true
 
 		if err := validateRole(subnet.Role, fldPath.Index(i).Child("role"), "subnet role invalid"); err != nil {
 			allErrs = append(allErrs, err)
@@ -197,9 +201,12 @@ func validateSubnets(subnets []*Subnet, vcn VCN, fldPath *field.Path) field.Erro
 
 // validateSubnetName validates the Name of a Subnet.
 func validateSubnetName(name string, fldPath *field.Path) *field.Error {
-	if invalidNameRegex.Match([]byte(name)) || name == "" {
-		return field.Invalid(fldPath, name,
-			fmt.Sprintf("subnet name invalid"))
+	// subnet name can be empty
+	if len(name) > 0 {
+		if invalidNameRegex.Match([]byte(name)) || name == "" {
+			return field.Invalid(fldPath, name,
+				fmt.Sprintf("subnet name invalid"))
+		}
 	}
 	return nil
 }
diff --git a/cloud/scope/subnet_reconciler.go b/cloud/scope/subnet_reconciler.go
@@ -252,21 +252,26 @@ func (s *ClusterScope) GetSubnetsSpec() []*infrastructurev1beta1.Subnet {
 func (s *ClusterScope) SubnetSpec() ([]*infrastructurev1beta1.Subnet, error) {
 	var subnets []*infrastructurev1beta1.Subnet
 	var cidr string
+	var name string
 	var subnetType infrastructurev1beta1.SubnetType
 	for _, subnet := range s.GetSubnetsSpec() {
 		switch subnet.Role {
 		case infrastructurev1beta1.ControlPlaneEndpointRole:
 			subnetType = infrastructurev1beta1.Public
 			cidr = ControlPlaneEndpointSubnetDefaultCIDR
+			name = ControlPlaneEndpointDefaultName
 		case infrastructurev1beta1.ControlPlaneRole:
 			subnetType = infrastructurev1beta1.Private
 			cidr = ControlPlaneMachineSubnetDefaultCIDR
+			name = ControlPlaneDefaultName
 		case infrastructurev1beta1.ServiceLoadBalancerRole:
 			subnetType = infrastructurev1beta1.Public
 			cidr = ServiceLoadBalancerDefaultCIDR
+			name = ServiceLBDefaultName
 		case infrastructurev1beta1.WorkerRole:
 			subnetType = infrastructurev1beta1.Private
 			cidr = WorkerSubnetDefaultCIDR
+			name = WorkerDefaultName
 		default:
 			return nil, errors.New("invalid subnet role")
 		}
@@ -276,9 +281,12 @@ func (s *ClusterScope) SubnetSpec() ([]*infrastructurev1beta1.Subnet, error) {
 		if subnet.Type != "" {
 			subnetType = subnet.Type
 		}
+		if subnet.Name != "" {
+			name = subnet.Name
+		}
 		subnets = append(subnets, &infrastructurev1beta1.Subnet{
 			Role:         subnet.Role,
-			Name:         subnet.Name,
+			Name:         name,
 			CIDR:         cidr,
 			Type:         subnetType,
 			SecurityList: subnet.SecurityList,
diff --git a/cloud/scope/subnet_reconciler_test.go b/cloud/scope/subnet_reconciler_test.go
@@ -300,6 +300,56 @@ func TestClusterScope_SubnetSpec(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:    "default names",
+			wantErr: false,
+			spec: infrastructurev1beta1.OCIClusterSpec{
+				NetworkSpec: infrastructurev1beta1.NetworkSpec{
+					Vcn: infrastructurev1beta1.VCN{
+						Subnets: []*infrastructurev1beta1.Subnet{
+							{
+								Role: infrastructurev1beta1.ControlPlaneRole,
+							},
+							{
+								Role: infrastructurev1beta1.WorkerRole,
+							},
+							{
+								Role: infrastructurev1beta1.ServiceLoadBalancerRole,
+							},
+							{
+								Role: infrastructurev1beta1.ControlPlaneEndpointRole,
+							},
+						},
+					},
+				},
+			},
+			want: []*infrastructurev1beta1.Subnet{
+				{
+					Role: infrastructurev1beta1.ControlPlaneEndpointRole,
+					Name: ControlPlaneEndpointDefaultName,
+					CIDR: ControlPlaneEndpointSubnetDefaultCIDR,
+					Type: infrastructurev1beta1.Public,
+				},
+				{
+					Role: infrastructurev1beta1.ControlPlaneRole,
+					Name: ControlPlaneDefaultName,
+					CIDR: ControlPlaneMachineSubnetDefaultCIDR,
+					Type: infrastructurev1beta1.Private,
+				},
+				{
+					Role: infrastructurev1beta1.WorkerRole,
+					Name: WorkerDefaultName,
+					CIDR: WorkerSubnetDefaultCIDR,
+					Type: infrastructurev1beta1.Private,
+				},
+				{
+					Role: infrastructurev1beta1.ServiceLoadBalancerRole,
+					Name: ServiceLBDefaultName,
+					CIDR: ServiceLoadBalancerDefaultCIDR,
+					Type: infrastructurev1beta1.Public,
+				},
+			},
+		},
 	}
 	l := log.FromContext(context.Background())
 	for _, tt := range tests {
diff --git a/test/README.md b/test/README.md
@@ -3,7 +3,7 @@
 - Install `kustomize`
 - If you have a running `kind` cluster, please delete the `kind` cluster
 
-# Export the following auth settings
+# Export the following auth settings if user principal is used as credential
    ```bash
    export OCI_TENANCY_ID=<tenancy-id>
    export OCI_USER_ID=<use-id>
@@ -17,10 +17,16 @@
    export OCI_REGION_B64="$(echo -n "$OCI_REGION" | base64 | tr -d '\n')"
    export OCI_CREDENTIALS_KEY_B64=$( cat <path-to-api-private-key-file> | base64 | tr -d '\n' )
    # if Passphrase is present
-   export OCI_CREDENTIALS_PASSPHRASE_B64="$(echo -n "OCI_CREDENTIALS_PASSPHRASE" | base64 | tr -d '\n')"
+   export OCI_CREDENTIALS_PASSPHRASE_B64="$(echo -n "$OCI_CREDENTIALS_PASSPHRASE" | base64 | tr -d '\n')"
+   ```
 
+# Export the following auth settings if instance principal has to be used
+   ```bash
+   export USE_INSTANCE_PRINCIPAL_B64="$(echo -n "true" | base64 | tr -d '\n')"
    ```
 
+
+
 # Export the following test settings
    ```bash
   export OCI_COMPARTMENT_ID=<>
diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go
@@ -26,6 +26,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"testing"
 
@@ -183,34 +184,55 @@ var _ = SynchronizedBeforeSuite(func() []byte {
 	e2eConfig = loadE2EConfig(configPath)
 	bootstrapClusterProxy = NewOCIClusterProxy("bootstrap", kubeconfigPath, initScheme())
 
-	tenancyId, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_TENANCY_ID_B64"))
-	Expect(err).NotTo(HaveOccurred())
-	userId, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_USER_ID_B64"))
-	Expect(err).NotTo(HaveOccurred())
-	passphrase, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_CREDENTIALS_PASSPHRASE_B64"))
-	Expect(err).NotTo(HaveOccurred())
-	key, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_CREDENTIALS_KEY_B64"))
-	Expect(err).NotTo(HaveOccurred())
-	fingerprint, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_CREDENTIALS_FINGERPRINT_B64"))
-	Expect(err).NotTo(HaveOccurred())
-	region, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_REGION_B64"))
-	Expect(err).NotTo(HaveOccurred())
-
-	ociAuthConfigProvider, err := oci_config.NewConfigurationProvider(&oci_config.AuthConfig{
-		Region:                string(region),
-		TenancyID:             string(tenancyId),
-		UserID:                string(userId),
-		PrivateKey:            string(key),
-		Fingerprint:           string(fingerprint),
-		Passphrase:            string(passphrase),
-		UseInstancePrincipals: false,
-	})
-	Expect(err).NotTo(HaveOccurred())
+	s, useInstancePrincipalFlagSet := os.LookupEnv("USE_INSTANCE_PRINCIPAL_B64")
+	useInstanePrincipal := false
+	if useInstancePrincipalFlagSet {
+		useInstanePrincipalStr, err := base64.StdEncoding.DecodeString(s)
+		Expect(err).NotTo(HaveOccurred())
+		useInstanePrincipal, err = strconv.ParseBool(string(useInstanePrincipalStr))
+		Expect(err).NotTo(HaveOccurred())
+	}
+	var ociAuthConfigProvider common.ConfigurationProvider
+	var err error
+	if useInstanePrincipal {
+		ociAuthConfigProvider, err = oci_config.NewConfigurationProvider(&oci_config.AuthConfig{
+			UseInstancePrincipals: true,
+		})
+		Expect(err).NotTo(HaveOccurred())
+		By("Using instance principal as auth provider")
+	} else {
+		tenancyId, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_TENANCY_ID_B64"))
+		Expect(err).NotTo(HaveOccurred())
+		userId, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_USER_ID_B64"))
+		Expect(err).NotTo(HaveOccurred())
+		passphrase, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_CREDENTIALS_PASSPHRASE_B64"))
+		Expect(err).NotTo(HaveOccurred())
+		key, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_CREDENTIALS_KEY_B64"))
+		Expect(err).NotTo(HaveOccurred())
+		fingerprint, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_CREDENTIALS_FINGERPRINT_B64"))
+		Expect(err).NotTo(HaveOccurred())
+		region, err := base64.StdEncoding.DecodeString(os.Getenv("OCI_REGION_B64"))
+		Expect(err).NotTo(HaveOccurred())
+
+		ociAuthConfigProvider, err = oci_config.NewConfigurationProvider(&oci_config.AuthConfig{
+			Region:                string(region),
+			TenancyID:             string(tenancyId),
+			UserID:                string(userId),
+			PrivateKey:            string(key),
+			Fingerprint:           string(fingerprint),
+			Passphrase:            string(passphrase),
+			UseInstancePrincipals: false,
+		})
+		Expect(err).NotTo(HaveOccurred())
+		By("Using user principal as auth provider")
+	}
 
 	clientProvider, err := scope.NewClientProvider(ociAuthConfigProvider)
 	Expect(err).NotTo(HaveOccurred())
 
-	ociClients, err := clientProvider.GetOrBuildClient(string(region))
+	region, err := ociAuthConfigProvider.Region()
+	Expect(err).NotTo(HaveOccurred())
+	ociClients, err := clientProvider.GetOrBuildClient(region)
 	Expect(err).NotTo(HaveOccurred())
 
 	computeClient = ociClients.ComputeClient
