authorOla Aunrønning <olaa@verizonmedia.com>2022-08-10 11:40:39 +0200
committerOla Aunrønning <olaa@verizonmedia.com>2022-08-10 11:42:50 +0200
commit18d53a9e3b97bd034ab3ea9d82262a7dd46e6e94 (patch)
treecbfe4277bd4695e14880ab6bb797b44c430ec8a8
parent2e39740349f23b96307c504fd90312ff607517b1 (diff)
Clean up roles of deleted tenants
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java20
-rw-r--r--flags/src/main/java/com/yahoo/vespa/flags/Flags.java7
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java7
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java2
7 files changed, 35 insertions, 13 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 53e2592e0a6..7539f7b4cf2 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -274,6 +274,11 @@ public class ZmsClientMock implements ZmsClient {
}
@Override
+ public void deleteSubdomain(AthenzDomain parent, String name) {
+ athenz.domains.remove(new AthenzDomain(parent.getName() + "." + name));
+ }
+
+ @Override
public void close() {}
private static AthenzDomain getTenantDomain(AthenzResourceName resource) {
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
index 541eb3dbe90..1ef1bc5106c 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
@@ -35,4 +35,9 @@ public class NoopRoleService implements RoleService {
@Override
public void maintainRoles(List<TenantName> tenants) { }
+
+ @Override
+ public void cleanupRoles(List<TenantName> tenants) {
+
+ }
}
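Review bot: The empty `cleanupRoles` body is spread over three lines with a blank line inside, while `maintainRoles` two lines above uses the one-line form; `public void cleanupRoles(List<TenantName> tenants) { }` would match the rest of the class. The parameter is also named `tenants` here but `deletedTenants` in the `RoleService` interface added in this commit; carrying the interface's name into the no-op makes it read correctly when someone later fills it in.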
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
index bc661077537..0a35893a7c4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
@@ -27,4 +27,6 @@ public interface RoleService {
* Maintain roles for the tenants in the system. Create missing roles, update trust.
*/
void maintainRoles(List<TenantName> tenants);
+
+ void cleanupRoles(List<TenantName> deletedTenants);
}
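Review bot: `cleanupRoles` is added without Javadoc while `maintainRoles` directly above documents its contract, so a reader cannot tell from the signature whether the list is the set of tenants whose roles must be removed or the set to keep. The name `deletedTenants`, and the fact that `TenantRoleMaintainer` in this commit passes tenants of type deleted, suggest the former; a line such as `/** Delete the roles belonging to the given tenants, which have been deleted from the system. */` would state it rather than leave it inferred. It is also worth saying whether a tenant whose roles are already gone is tolerated, since the maintainer passes the same deleted tenants on every run.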
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
index dad836ca2de..820c67f2d44 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
@@ -33,21 +33,15 @@ public class TenantRoleMaintainer extends ControllerMaintainer {
.map(Tenant::name)
.collect(Collectors.toList());
roleService.maintainRoles(tenantsWithRoles);
+
+ var deletedTenants = controller().tenants().asList(true).stream()
+ .filter(tenant -> tenant.type() == Tenant.Type.deleted)
+ .map(Tenant::name)
+ .toList();
+ roleService.cleanupRoles(deletedTenants);
+
return 1.0;
}
- private boolean hasProductionDeployment(TenantName tenant) {
- return controller().applications().asList(tenant).stream()
- .map(Application::productionInstances)
- .anyMatch(Predicate.not(Map::isEmpty));
- }
- private boolean hasPerfDeployment(TenantName tenant) {
- List<ZoneId> perfZones = controller().zoneRegistry().zones().controllerUpgraded().in(Environment.perf).ids();
- return controller().applications().asList(tenant).stream()
- .map(Application::instances)
- .flatMap(instances -> instances.values().stream())
- .flatMap(instance -> instance.deployments().values().stream())
- .anyMatch(x -> perfZones.contains(x.zone()));
- }
}
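Review bot: The new `roleService.cleanupRoles(deletedTenants)` call runs unconditionally at the end of `maintain()`, yet this commit also defines the `CLEANUP_TENANT_ROLES` feature flag in Flags.java ("Determines whether old tenant roles should be deleted", "Takes effect next maintenance run") and nothing in this diff reads it; unless the `RoleService` implementation outside the diff consults the flag, role deletion is live on the next run and the flag is dead. Gating the call here on a `BooleanFlag` bound from `Flags.CLEANUP_TENANT_ROLES` in the constructor would make the destructive step reversible the way the flag description promises, and logging which tenants are being cleaned up would leave a trail for each run. A smaller point: the new stream ends in `.toList()` while the one three lines above uses `.collect(Collectors.toList())` — pick one within the method. `maintain()` starts outside the hunk.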
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index 51c4c893401..8e06cde420e 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -472,6 +472,13 @@ public class Flags {
APPLICATION_ID,HOSTNAME,NODE_TYPE,TENANT_ID,VESPA_VERSION
);
+ public static final UnboundBooleanFlag CLEANUP_TENANT_ROLES = defineFeatureFlag(
+ "cleanup-tenant-roles", false,
+ List.of("olaa"), "2022-08-10", "2022-10-01",
+ "Determines whether old tenant roles should be deleted",
+ "Takes effect next maintenance run"
+ );
+
/** WARNING: public for testing: All flags should be defined in {@link Flags}. */
public static UnboundBooleanFlag defineFeatureFlag(String flagId, boolean defaultValue, List<String> owners,
String createdAt, String expiresAt, String description,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index d7ef20c31c8..fb0e79b6695 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -436,6 +436,13 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
return QuotaUsage.calculateUsage(usageEntity, quotaEntity);
}
+ @Override
+ public void deleteSubdomain(AthenzDomain parent, String name) {
+ URI uri = zmsUrl.resolve(String.format("subdomain/%s/%s", parent.getName(), name));
+ HttpUriRequest request = RequestBuilder.delete(uri).build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
public AthenzRoleInformation getFullRoleInformation(AthenzRole role) {
var uri = zmsUrl.resolve(String.format("domain/%s/role/%s?pending=true&auditLog=true", role.domain().getName(), role.roleName()));
var request = RequestBuilder.get(uri).build();
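Review bot: `deleteSubdomain` interpolates `name` straight into the request path with `String.format("subdomain/%s/%s", ...)`, so a name containing `/`, `?` or `..` changes which resource the DELETE is sent to; `getFullRoleInformation` below builds its path the same way, but a delete is the one place where addressing the wrong resource cannot be undone. A guard such as `if (name.isBlank() || name.contains("/")) throw new IllegalArgumentException("Invalid subdomain name: " + name);` before building the URI, or encoding the segment, keeps a caller-supplied tenant name from widening the request. The method would also benefit from a one-line Javadoc saying it issues a DELETE for the subdomain `name` directly under `parent`, since the interface declaration in this commit does not say so either.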
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index e15af58cb76..983924eca6b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -89,5 +89,7 @@ public interface ZmsClient extends Closeable {
QuotaUsage getQuotaUsage();
+ void deleteSubdomain(AthenzDomain parent, String name);
+
void close();
}
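Review bot: `deleteSubdomain` joins the interface with no Javadoc, and nothing in the signature says whether `name` is the bare last segment or the fully qualified domain. Both implementations in this commit treat it as the segment — the mock forms the domain as `parent.getName() + "." + name` and the client puts it in the path after `parent.getName()` — so a line like `/** Deletes the subdomain {@code name} directly under {@code parent}; {@code name} is the last segment only, not the fully qualified domain name. */` would prevent a caller passing the full name and deleting nothing, or the wrong thing.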