Remove PSP Tactical fix (#538)

* Remove PSP Tactical fix * Bump go version to 1.21 on gh actions
ministryofjustice · Feb 12, 2024 · ff3c7d5 · ff3c7d5
1 parent 8f7ea7a
commit ff3c7d5
Show file tree

Hide file tree

Showing 9 changed files with 10 additions and 122 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -16,16 +16,16 @@ updates:
     ignore:
       - dependency-name: "k8s.io/kubectl"
         versions:
-          - ">=v0.26.0"
+          - ">=v0.27.0"
       - dependency-name: "k8s.io/client-go"
         versions:
-          - ">=v0.26.0"
+          - ">=v0.27.0"
       - dependency-name: "k8s.io/api"
         versions:
-          - ">=v0.26.0"
+          - ">=v0.27.0"
       - dependency-name: "k8s.io/apimachinery"
         versions:
-          - ">=v0.26.0"
+          - ">=v0.27.0"
     groups:
       go:
         patterns:

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
@@ -12,7 +12,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.19.x"
+          go-version: " 1.21.x"
       - run: go install
         working-directory: ./
       - run: rm -r doc/ && mkdir -p doc

diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.19.x"
+          go-version: " 1.21.x"
         id: go
 
       - name: Run GoReleaser

diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml
@@ -22,7 +22,7 @@ jobs:
       # Install Go on the VM running the action.
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.19.x"
+          go-version: " 1.21.x"
 
       # Run tests with nice formatting. Save the original log in /tmp/gotest.log
       - name: Run tests

diff --git a/.github/workflows/go-vet-lint-deps.yaml b/.github/workflows/go-vet-lint-deps.yaml
@@ -18,12 +18,11 @@ jobs:
       # Install Go on the VM running the action.
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.19.x"
+          go-version: " 1.21.x"
 
       - name: Perform staticcheck on codebase
         uses: dominikh/[email protected]
         with:
-          version: "2022.1.3"
           install-go: false
 
       - name: Install gofumpt

diff --git a/pkg/cluster/cluster_test.go b/pkg/cluster/cluster_test.go
@@ -3,9 +3,6 @@ package cluster
 import (
 	"reflect"
 	"testing"
-
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestCluster_NewSnapshot(t *testing.T) {
@@ -31,41 +28,6 @@ func TestCluster_NewSnapshot(t *testing.T) {
 	}
 }
 
-func Test_getClusterName(t *testing.T) {
-	type args struct {
-		nodes []v1.Node
-	}
-	tests := []struct {
-		name string
-		args args
-		want string
-	}{
-		{
-			name: "getClusterName",
-			args: args{
-				nodes: []v1.Node{
-					{
-						ObjectMeta: metav1.ObjectMeta{
-							Name: "node1",
-							Labels: map[string]string{
-								"Cluster": "test",
-							},
-						},
-					},
-				},
-			},
-			want: "test",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := getClusterName(tt.args.nodes); got != tt.want {
-				t.Errorf("getClusterName() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
 func TestNewAwsCreds(t *testing.T) {
 	type args struct {
 		region string

diff --git a/pkg/cluster/create.go b/pkg/cluster/create.go
@@ -16,8 +16,6 @@ import (
 	"github.com/hashicorp/terraform-exec/tfexec"
 	"github.com/ministryofjustice/cloud-platform-cli/pkg/client"
 	"github.com/ministryofjustice/cloud-platform-cli/pkg/terraform"
-	kubeErr "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
@@ -83,16 +81,14 @@ func (c *Cluster) ApplyComponents(tf *terraform.TerraformCLIConfig, awsCreds *cl
 		tf.ApplyVars = append(tf.ApplyVars, tfexec.Var(v))
 	}
 
-	clientset, err := AuthToCluster(tf.Workspace, awsCreds.Eks, kubeconf, awsCreds.Profile)
+	// Auth to the cluster and write the kubeconfig to disk.
+	_, err := AuthToCluster(tf.Workspace, awsCreds.Eks, kubeconf, awsCreds.Profile)
 	if err != nil {
 		return fmt.Errorf("failed to auth to cluster: %w", err)
 	}
 
 	tf.WorkingDir = dir
 
-	if err := applyTacticalPspFix(clientset); err != nil {
-		return err
-	}
 	_, err = terraformApply(tf)
 	if err != nil {
 		return err
@@ -257,38 +253,6 @@ func getVpc(name string, svc ec2iface.EC2API) (*ec2.DescribeVpcsOutput, error) {
 	})
 }
 
-// applyTacticalPspFix deletes the current eks.privileged psp in the cluster.
-// This allows the cluster to be created with a different psp. All pods are recycled
-// so the new psp will be applied.
-func applyTacticalPspFix(clientset kubernetes.Interface) error {
-	// Delete the eks.privileged psp
-	err := clientset.PolicyV1beta1().PodSecurityPolicies().Delete(context.TODO(), "eks.privileged", metav1.DeleteOptions{})
-	// if the psp doesn't exist, we don't need to do anything
-	if kubeErr.IsNotFound(err) {
-		fmt.Println("No eks.privileged psp found, skipping")
-		return nil
-	}
-	if err != nil {
-		return fmt.Errorf("failed to delete eks.privileged psp: %w", err)
-	}
-
-	// Get all pods in the cluster
-	pods, err := clientset.CoreV1().Pods("").List(context.TODO(), metav1.ListOptions{})
-	if err != nil {
-		return fmt.Errorf("failed to list pods: %w", err)
-	}
-
-	// Delete all pods in the cluster
-	for _, pod := range pods.Items {
-		err = clientset.CoreV1().Pods(pod.Namespace).Delete(context.TODO(), pod.Name, metav1.DeleteOptions{})
-		if err != nil {
-			return fmt.Errorf("failed to delete pod: %w", err)
-		}
-	}
-
-	return nil
-}
-
 // checkCluster checks the cluster is created and exists.
 func checkCluster(name string, eks eksiface.EKSAPI) error {
 	cluster, err := getCluster(name, eks)

diff --git a/pkg/cluster/create_test.go b/pkg/cluster/create_test.go
@@ -1,7 +1,6 @@
 package cluster
 
 import (
-	"context"
 	"encoding/base64"
 	"errors"
 	"os"
@@ -12,10 +11,6 @@ import (
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
 	"github.com/aws/aws-sdk-go/service/eks"
 	"github.com/aws/aws-sdk-go/service/eks/eksiface"
-	v1 "k8s.io/api/core/v1"
-	"k8s.io/api/policy/v1beta1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/token"
 )
 
@@ -199,30 +194,3 @@ func TestGetCluster(t *testing.T) {
 		t.Errorf("was expecting an error here. getCluster() error = %v", "expected error")
 	}
 }
-
-func TestApplyTacticalPspFix(t *testing.T) {
-	fakeClientset := fake.NewSimpleClientset(
-		&v1beta1.PodSecurityPolicy{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "eks.privileged",
-			},
-		},
-		// Add pods
-		&v1.Pod{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "FakePod",
-			},
-		},
-	)
-
-	// Good path
-	err := applyTacticalPspFix(fakeClientset)
-	if err != nil {
-		t.Errorf("applyTacticalPspFix() error = %v", err)
-	}
-
-	err = fakeClientset.PolicyV1beta1().PodSecurityPolicies().Delete(context.Background(), "eks.privileged", metav1.DeleteOptions{})
-	if err == nil {
-		t.Errorf("we wanted to delete the eks.privileged psp. applyTacticalPspFix() error = %v", err)
-	}
-}
diff --git a/pkg/cluster/node.go b/pkg/cluster/node.go
@@ -229,8 +229,3 @@ func CheckEc2InstanceTerminated(node v1.Node, awsCreds AwsCredentials) error {
 	}
 	return nil
 }
-
-// getClusterName returns the name of the cluster from a node
-func getClusterName(nodes []v1.Node) string {
-	return nodes[0].Labels["Cluster"]
-}