From 18d53a9e3b97bd034ab3ea9d82262a7dd46e6e94 Mon Sep 17 00:00:00 2001
From: Ola Aunrønning
Date: Wed, 10 Aug 2022 11:40:39 +0200
Subject: Clean up roles of deleted tenants
---
 .../api/integration/athenz/ZmsClientMock.java | 5 +++++
 .../api/integration/aws/NoopRoleService.java | 5 +++++
 .../controller/api/integration/aws/RoleService.java | 2 ++
 .../controller/maintenance/TenantRoleMaintainer.java | 20 +++++++-------------
 flags/src/main/java/com/yahoo/vespa/flags/Flags.java | 7 +++++++
 .../vespa/athenz/client/zms/DefaultZmsClient.java | 7 +++++++
 .../com/yahoo/vespa/athenz/client/zms/ZmsClient.java | 2 ++
 7 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 53e2592e0a6..7539f7b4cf2 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -273,6 +273,11 @@ public class ZmsClientMock implements ZmsClient {
 return new QuotaUsage(0.1, 0.2, 0.3, 0.4, 0.5);
 }
+ @Override
+ public void deleteSubdomain(AthenzDomain parent, String name) {
+ athenz.domains.remove(new AthenzDomain(parent.getName() + "." + name));
+ }
+
 @Override
 public void close() {}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
index 541eb3dbe90..1ef1bc5106c 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
@@ -35,4 +35,9 @@ public class NoopRoleService implements RoleService {
 @Override
 public void maintainRoles(List tenants) { }
+
+ @Override
+ public void cleanupRoles(List tenants) {
+
+ }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
index bc661077537..0a35893a7c4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
@@ -27,4 +27,6 @@ public interface RoleService {
 * Maintain roles for the tenants in the system. Create missing roles, update trust.
 */
 void maintainRoles(List tenants);
+
+ void cleanupRoles(List deletedTenants);
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
index dad836ca2de..820c67f2d44 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
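Review bot: `cleanupRoles(List deletedTenants)` is added to the `RoleService` interface without Javadoc, while the sibling `maintainRoles` directly above it documents its contract. Because implementations of this method will delete cloud roles, the interface should say what callers may rely on: which roles are removed, that already-missing roles are tolerated, and whether a failure for one tenant stops the others, since the maintainer will pass the same tenants again on every run. Suggested: `/** Delete the roles of tenants that have been deleted. Must be safe to call repeatedly with the same tenants; roles that are already gone are not an error. */`.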
@@ -33,21 +33,15 @@ public class TenantRoleMaintainer extends ControllerMaintainer {
 .map(Tenant::name)
 .collect(Collectors.toList());
 roleService.maintainRoles(tenantsWithRoles);
+
+ var deletedTenants = controller().tenants().asList(true).stream()
+ .filter(tenant -> tenant.type() == Tenant.Type.deleted)
+ .map(Tenant::name)
+ .toList();
+ roleService.cleanupRoles(deletedTenants);
+
 return 1.0;
 }
- private boolean hasProductionDeployment(TenantName tenant) {
- return controller().applications().asList(tenant).stream()
- .map(Application::productionInstances)
- .anyMatch(Predicate.not(Map::isEmpty));
- }
- private boolean hasPerfDeployment(TenantName tenant) {
- List perfZones = controller().zoneRegistry().zones().controllerUpgraded().in(Environment.perf).ids();
- return controller().applications().asList(tenant).stream()
- .map(Application::instances)
- .flatMap(instances -> instances.values().stream())
- .flatMap(instance -> instance.deployments().values().stream())
- .anyMatch(x -> perfZones.contains(x.zone()));
- }
 }
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index 51c4c893401..8e06cde420e 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -472,6 +472,13 @@ public class Flags {
 APPLICATION_ID,HOSTNAME,NODE_TYPE,TENANT_ID,VESPA_VERSION
 );
+ public static final UnboundBooleanFlag CLEANUP_TENANT_ROLES = defineFeatureFlag(
+ "cleanup-tenant-roles", false,
+ List.of("olaa"), "2022-08-10", "2022-10-01",
+ "Determines whether old tenant roles should be deleted",
+ "Takes effect next maintenance run"
+ );
+
 /** WARNING: public for testing: All flags should be defined in {@link Flags}. */
 public static UnboundBooleanFlag defineFeatureFlag(String flagId, boolean defaultValue, List owners, String createdAt, String expiresAt, String description,
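Review bot: The new `roleService.cleanupRoles(deletedTenants)` call runs unconditionally on every maintenance pass, yet this same commit defines the `cleanup-tenant-roles` flag with default `false` and nothing in the diff reads it, so the destructive removal of cloud roles and Athenz subdomains appears to be ungated unless the flag is consulted inside a `RoleService` implementation not shown here. If the maintainer is meant to be the gate, bind the flag from the controller's flag source in the constructor and guard the call: `if (cleanupTenantRoles.value()) roleService.cleanupRoles(deletedTenants);`. Since the deleted-tenant list is recomputed and handed over each run, `cleanupRoles` must be idempotent, and an exception from it would abort the maintainer before `return 1.0` — consider having the implementation isolate per-tenant failures rather than letting one bad tenant block cleanup of the rest. The enclosing method starts before this hunk.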
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index d7ef20c31c8..fb0e79b6695 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -436,6 +436,13 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 return QuotaUsage.calculateUsage(usageEntity, quotaEntity);
 }
+ @Override
+ public void deleteSubdomain(AthenzDomain parent, String name) {
+ URI uri = zmsUrl.resolve(String.format("subdomain/%s/%s", parent.getName(), name));
+ HttpUriRequest request = RequestBuilder.delete(uri).build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
 public AthenzRoleInformation getFullRoleInformation(AthenzRole role) {
 var uri = zmsUrl.resolve(String.format("domain/%s/role/%s?pending=true&auditLog=true", role.domain().getName(), role.roleName()));
 var request = RequestBuilder.get(uri).build();
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index e15af58cb76..983924eca6b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -89,5 +89,7 @@ public interface ZmsClient extends Closeable {
 QuotaUsage getQuotaUsage();
+ void deleteSubdomain(AthenzDomain parent, String name);
+
 void close();
 }
--
cgit v1.2.3
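Review bot: `deleteSubdomain` interpolates `parent.getName()` and `name` straight into the request path with `String.format("subdomain/%s/%s", ...)` and no encoding or validation, so a `name` containing `/`, `..`, `?` or `#` would change which ZMS resource the DELETE is sent to; for a destructive call that deserves a guard even though the neighbouring `getFullRoleInformation` builds its URL the same way. Reject anything outside the characters a domain component may contain before building the URI, e.g. `if (!name.matches("[A-Za-z0-9_-]+")) throw new IllegalArgumentException("Invalid subdomain name: " + name);` (confirm the exact set ZMS accepts), or percent-encode the segment. It is also not visible from this hunk whether `execute` treats a 404 as a failure; since the maintainer will call this again for the same tenant on later runs, a subdomain that is already gone should not surface as an error, and the method would benefit from a Javadoc line stating that expectation.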