3 Commits

Author SHA1 Message Date
Nicholas Flynt
62c39a7964 Hookup debug logging as a user-selectable option 2023-08-30 08:52:02 -04:00
Nicholas Flynt
e09f841b11 Cleanup debug logs, also remove an unused principal function 2023-08-29 14:12:49 -04:00
Nicholas Flynt
144dc352a2 Add GUID unmigration to revert AD modifications in v2.7.5
Squashed commit of the following:

commit 5b32df697c26963959bb9ee3089c50192651cd4c
Author: Nicholas Flynt <nicholas.flynt@suse.com>
Date:   Thu Aug 17 11:59:35 2023 -0400

    Turns out the token.userPrincipal.UID is not normally set

commit 064526fbff91245275200ab3cad72c8a7da89c58
Author: Nicholas Flynt <nicholas.flynt@suse.com>
Date:   Thu Aug 17 11:12:17 2023 -0400

    Pull token fields from the ldap attributes instead of the old user

commit e33bba9e11a5c4cb1a2b8bc9507d58a45f3dfc2f
Author: Nicholas Flynt <nicholas.flynt@suse.com>
Date:   Thu Aug 17 10:11:57 2023 -0400

    Outdent returns to make drone happy

commit 6c084dfdf51cf99a1a2ee998e826933a4aa504f2
Author: Nicholas Flynt <nicholas.flynt@suse.com>
Date:   Thu Aug 17 09:01:45 2023 -0400

    Squashed commit of the following:

    commit 3db22eb13d5b70335c7543921e062e3feaf343a3
    Merge: 80392070c 552fb842b
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Thu Aug 17 08:57:01 2023 -0400

        Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uuid-unmigration

    commit 80392070cea1a91f808c12bb5a5c16c358945eca
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Thu Aug 17 08:56:53 2023 -0400

        tiny, tiny fix to logging

    commit 552fb842b326d40890a104ee67ebcf2a2fcbd711
    Merge: ea685171c 99a1814c4
    Author: nflynt <nicholas.flynt@suse.com>
    Date:   Thu Aug 17 07:39:00 2023 -0400

        Merge pull request #30 from crobby/migrationreview31

        Outdent else blocks to make lint happy

    commit 99a1814c493b69c87cb73edaca6da968d892d2a8
    Author: Chad Roberts <chad.roberts@suse.com>
    Date:   Thu Aug 17 05:00:47 2023 -0400

        Outdent else blocks to make lint happy

    commit ea685171c76b1f5e84291124856756ec6d3ed574
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 20:28:14 2023 -0400

        Apply exponential retry logic to GRB and Token migrations

        Also, like *RTBs, these are considered non-fatal if a permanent
        error of some sort occurs. We continue to migrate the user anyway.

    commit 4a2ae0b0a95180da4240a7e7002e4face8750b51
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 19:24:42 2023 -0400

        For CRTB/PRTBs, rework error handling to gracefully retry

        In particular, this treats internal errors (usually related to
        webhook timeouts) as transient, and retries them with a little bit
        of exponential backoff.

        Furthermore, after reviewing some scenarios with Michael, we've
        decided to consider non-internal errors from the webhook as
        non-fatal in terms of continuing to process the individual user.
        There are a few situations where old bindings to disabled templates
        would otherwise block users from migrating, and this permits those
        to have a better chance of overall success.

    commit 35d647c5f1c17c3f1c3a12b428d8c09a904a9f98
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 16:58:50 2023 -0400

        When merging user tokens, copy over all relevant principal fields

        These aren't used for anything that I'm aware of, so this is really
        more just for consistency, since we want the two to be fully paired.

    commit f3e80946a67bc7f4d96c20b5e93e5411b0ef39d7
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 16:52:15 2023 -0400

        Cleanup error handling, consider AD retrieval to be a harder error

    commit 90f2ec152ec81fcdf9c8321697d01b4e2e23b970
    Merge: ffcec58fe b56138bc4
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 16:13:28 2023 -0400

        Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uuid-unmigration

    commit ffcec58feacbebdae4ea2f86c0c6e6bd33ee8163
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 16:13:10 2023 -0400

        ... once. Add the DN-based principal once.

    commit b56138bc44da4769369965696ef79cc1a05ebfbb
    Merge: 78a66e023 bfb71760e
    Author: nflynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 15:47:45 2023 -0400

        Merge pull request #29 from crobby/migrationreview25

        Store skipped/missing user count in configmap and do not store the actual list on the authconfig object

    commit 78a66e023d137c9fa4498ac7e650bb96dcce7e5e
    Merge: edf35359f df507b531
    Author: nflynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 15:47:24 2023 -0400

        Merge pull request #28 from crobby/migrationreview24

        Remove unnecessary json marshal/unmarshal

    commit edf35359fedb2e41fef609b940a5b60bb6d36265
    Merge: b93e6d00c 12020af89
    Author: nflynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 15:47:10 2023 -0400

        Merge pull request #27 from crobby/migrationreview23

        Give the job pod a chance to come up before tailing the log

    commit b93e6d00c3e7c5af78e250f1ae1ba04fecbcb105
    Merge: a2c2acb9d 58a0a1d3e
    Author: nflynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 15:46:52 2023 -0400

        Merge pull request #26 from crobby/migrationreview22

        Now using AuthConfig annotation as source of truth to block login during migration

    commit a2c2acb9defb212a5fd848ec43c19febb085a261
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 15:46:06 2023 -0400

        Rework allowed user migration to handle duplicates and missing users

    commit bfb71760e48bc07dcd52d6984ca1cc0443e023b1
    Author: Chad Roberts <chad.roberts@suse.com>
    Date:   Wed Aug 16 14:38:22 2023 -0400

        Store skipped/missing user count in configmap and do not store the actual list on the authconfig object

    commit df507b53180582233e492344415cc6162d22c17e
    Author: Chad Roberts <chad.roberts@suse.com>
    Date:   Wed Aug 16 13:38:39 2023 -0400

        Remove unnecessary json marshal/unmarshal

    commit 12020af89545e0701f118f318fa088b8982ceca7
    Author: Chad Roberts <chad.roberts@suse.com>
    Date:   Wed Aug 16 13:01:18 2023 -0400

        Give the job pod a chance to come up before tailing the log

    commit 58a0a1d3ebe52bc7d17fa68027c70803aba91cd3
    Author: Chad Roberts <chad.roberts@suse.com>
    Date:   Wed Aug 16 12:50:57 2023 -0400

        Now using AuthConfig annotation as source of truth to block login during migration

    commit 3ef3fb08eaa3f52184a8e204f89e20a4cce8d886
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 12:27:23 2023 -0400

        Wait to do the AuthConfig principals until after updating users

        This kicks off some rancher-side tasks based on the updated list,
        and we'd really like to make sure that those user changes have
        been made in advance just for sanity purposes.

    commit b29bfb836887f03a68d0a346fe7c646f5ac057b1
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 12:25:30 2023 -0400

        When collecting duplicates, we need to track the workunit index

    commit df0307e26f6e0a0c97788c743217619fb34574a7
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 09:23:47 2023 -0400

        Have the dry run guard writing new principal IDs

        This is mostly just to make the code clearer and more obvious.
        The safety is redundant, as the dry run also blocks making changes
        to the user object later.

    commit 59bafdf71ea68c8d9c6b2e0bacb39afed46570ea
    Merge: 2dd525070 2473062c2
    Author: nflynt <nicholas.flynt@suse.com>
    Date:   Wed Aug 16 09:12:08 2023 -0400

        Merge pull request #25 from crobby/migrationreview21

        Append copy of user rather than pointer to duplicate list

    commit 2473062c25d2faa29f06f4e1e95151537dddc631
    Author: Chad Roberts <chad.roberts@suse.com>
    Date:   Wed Aug 16 08:00:41 2023 -0400

        append copy of user rather than pointer to duplicate list

    commit 2dd525070ae2ad81b1c5fe53d87f92f464f7c5ca
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Tue Aug 15 16:48:34 2023 -0400

        Explicitly check to see if AD is disabled, and exit success in this case

    commit 4a3aa8031c1b32ee81fe0096d0a3125edbbfb2bc
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Tue Aug 15 16:00:25 2023 -0400

        Actually *use* the final migration status

    commit 255ef6856d026ce0499656a9f5838602ee4227d9
    Author: Nicholas Flynt <nicholas.flynt@suse.com>
    Date:   Tue Aug 15 15:36:19 2023 -0400

        Add uuid-unmigration script, prevent AD logins during execution

        Squashed commit of the following:

        commit c2bb101b0b5ff0c62ad83033dc6a2d23b5fbc1df
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 15:13:12 2023 -0400

            Add a generic failure status, defer restoring logins on failure states

        commit f9c039835df885c3268ee3fbe2f5e11213a3d690
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 13:21:29 2023 -0400

            Permit retries (with backoff) when opening the LDAP connection

            Previously we were considering a failure during open (initial or
            otherwise) to be a hard, script-ending, permanent failure. That's
            frankly a bit silly, networks can be temperamental, so this fixes
            that somewhat.

            Notably, I can't seem to find any way to check the status of the
            connection on the lConn object, so we're tracking that manually
            using a tiny little state object. If there's a cleaner way to
            inspect this state I am all ears, but I don't think it's a majorly
            big deal.

            (Elsewhere in Rancher we don't try to share the ldap connection
            generally, but here it is a big performance boost, so it is worth
            the extra trouble.)

        commit b293d6216fc6d05fbdc0becb802519c488178f36
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 12:54:43 2023 -0400

            Rework token logic to mirror *RTBs

            This both collects and processes tokens that the old logic would
            have missed, and is also considerably more efficient, now needing
            to scan the list of workunits and the list of tokens just once.

        commit fcd2b34c0a8659a14e80578046d3d7f971249489
        Merge: 005f10225 3bdea128a
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 12:12:36 2023 -0400

            Merge pull request #24 from crobby/migrationreview17

            Fixing names to make ci happy

        commit 3bdea128ad265845b7e657c8905c2011aa4e805e
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Tue Aug 15 12:09:22 2023 -0400

            Fixing names to make ci happy

        commit 005f1022591610be06dd87bae09c24ea4981a801
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 12:01:31 2023 -0400

            Missing users are Infof, not Errorf

        commit 540e49406103681e311250f06f1b161db099a4b1
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 11:10:27 2023 -0400

            Don't create/update the configmap object in dry run mode

            What part of "dry run" did we forget, hrm?

        commit 9ced565d36cbffb2745e82c3264a74f76554a131
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 11:00:51 2023 -0400

            If the config map is not found, it's fine. (Panic otherwise.)

        commit 80ea8488208594cd9b1e5089c65d18cc71588f3b
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 10:53:30 2023 -0400

            Add logic to migrate list of allowed users

        commit c12dcef87e974546ea86203de12e34874985b7ee
        Merge: 33f494aa2 ce1feb40a
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 09:25:53 2023 -0400

            Merge pull request #23 from crobby/migrationreview14

            Another round of updates

        commit 33f494aa26acd918d6f2dc68d79d14f4abd7cbfc
        Merge: b897e47d6 e944b5724
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 09:13:15 2023 -0400

            Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uuid-unmigration

        commit b897e47d6ee5d2197f5a9e0635bdc5c14ca7de6e
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 15 09:12:51 2023 -0400

            Rework CRTB,PRTB collection, add GRB migration logic

        commit ce1feb40ae67a3776baf5c464bcfcfe7a1c50e82
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Tue Aug 15 07:15:24 2023 -0400

            Echoing the set options at the end of the banner

        commit 089412c12a63ffecba0460d39b49b45288d364e1
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Tue Aug 15 06:44:43 2023 -0400

            Adding additional information to README

        commit a7c94846ff543aeb210de2cf75fca30f580dd9ef
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Tue Aug 15 06:38:19 2023 -0400

            Include agent image location in banner

        commit 8854263d35fa0a09360b4a34fec1fbd6791e81b2
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Mon Aug 14 16:31:44 2023 -0400

            Mirror script status to authconfig

        commit 5bc29d50d1d7297fd7f2b6fb0979ba602f32865d
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Mon Aug 14 12:50:13 2023 -0400

            Update script status codes

        commit e944b5724739d750c13b4b3e7dadba24dabf5045
        Merge: 14c5f7254 80e928b78
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 14 11:36:58 2023 -0400

            Merge pull request #22 from crobby/migrationreview13

            More updates

        commit 14c5f7254ad9e2ce553507de2d5f2a560a0e53c4
        Merge: a3e85deae 516bdeb98
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 14 11:36:03 2023 -0400

            Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uuid-unmigration

        commit a3e85deae0b0ce26c1a447f9c3b0cdc4dc5b7401
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 14 11:35:46 2023 -0400

            Break out migration logic into a bunch of smaller files

        commit 80e928b7823e9de4b3094e25b71c303c53b4d9f6
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Mon Aug 14 10:51:39 2023 -0400

            Use configmap cache instead of client

        commit 516bdeb9875c537d76e99feef1cd2105b6d8eb0f
        Merge: a89977922 f8369c8f5
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 14 10:13:56 2023 -0400

            Merge pull request #21 from crobby/migrationreview12

            Display banner before doing version check

        commit f8369c8f5aa85e4ca37359ff2f0d54e26ce07301
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Mon Aug 14 10:12:31 2023 -0400

            Display banner before doing version check

        commit a89977922b7c1f957ed0fc932a8f90d7d525ea70
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 14 10:08:24 2023 -0400

            Update cleanup/ad-guid-README.md

            Co-authored-by: Michael Bolot <michael.bolot@suse.com>

        commit 4d09212e9e993ec8a683af332cd5867f4ebe6377
        Merge: c110ae981 92483fa68
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 14 09:58:56 2023 -0400

            Merge pull request #19 from crobby/migrationreview9

            Removing unused error type check

        commit 92483fa68cad8c3d4972c088093511a5f52bd46a
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Mon Aug 14 09:51:18 2023 -0400

            Removing unused error type check

        commit c110ae9813b27b6411e806f375b177c9040025ab
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 19:51:16 2023 -0400

            goimports the things

        commit 769114669b52aa8009ccfbc0afda3bfade78a41c
        Merge: 44d2375b4 645348486
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 19:19:39 2023 -0400

            Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uuid-unmigration

        commit 64534848693db9a923c29f16d27f0e9772902b3f
        Merge: baf84bf12 50286a2c8
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 19:19:32 2023 -0400

            Merge pull request #18 from crobby/migrationreview7

            Fixing error checking

        commit 44d2375b49267dac90300b7c8998195e8b778866
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 19:13:58 2023 -0400

            Use wait's exponential backoff primitive instead of manual sleeps

        commit 50286a2c8eafec2d0e9efa32e4a5e782c2644b39
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 16:27:48 2023 -0400

            Fixing error checking

        commit baf84bf12ecda8e7ac03dfc8a6667f77a8941afe
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 15:39:13 2023 -0400

            Only yell if the user is doing a non-dry-run on v2.7.5

        commit eed1416a4091badfa785c05128fd4170644671ea
        Merge: 9a71e3870 ad00983a0
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 15:36:53 2023 -0400

            Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uuid-unmigration

        commit 9a71e38706a925422793e951f23be75da2cdaba5
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 15:36:08 2023 -0400

            Cleanup timeout messaging, lower job start timeout to 5 minutes

            I misunderstood the bash logic when I first extended that to one
            hour. 5 minutes for an agent download is somewhat more sensible.

        commit ad00983a0234e98553875227fd912ae061023543
        Merge: 4e18baa91 344a05d59
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 15:34:29 2023 -0400

            Merge pull request #17 from crobby/migrationreview6

            Additional changes after review

        commit 344a05d59413d45e50bf7822c4411d15507dab73
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 14:16:55 2023 -0400

            Adding version check for v2.7.5 before doing anything

        commit 682444d9633ed666d7d25c12aca766e6096a5866
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 13:50:05 2023 -0400

            Fix-up README for updated usage

        commit 4e18baa912981ed26d3d01d5ac772c6134e680fc
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 14:54:15 2023 -0400

            Spawn relevant resources in the cattle-system namespace

        commit f96eb3acf845a63172a7fc89bdab6ccc8dedd79f
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 14:12:33 2023 -0400

            Move the YAML configuration file into the bash script

            This dodges the whole "fetch it from a weird URL" thing, and also
            makes the script a self-contained single file, which is much nicer
            for support to deal with.

        commit 275f42b42b4771a1041331f3b34516acde785303
        Merge: 4c9876465 b99cab403
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 10 11:16:41 2023 -0400

            Merge pull request #16 from crobby/migrationreview5

            More post review updates

        commit b99cab403b41bbece5ab18165e113faa6e998853
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 09:53:57 2023 -0400

            Fixing up handling of command line options and args

        commit 4f6da400deac8d56e4630aa42b25e0b21040266c
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 07:49:20 2023 -0400

            Fixing up LdapFoundDuplicateGUID name

        commit 9f577f6ccfd10d17cca0b0e3f2a5ce20863ffb69
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 07:31:20 2023 -0400

            Adding percentage done indicator to status config map

        commit 43f19e40cdedcdf7b550c2ea1f6df47b9ab50334
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 07:06:02 2023 -0400

            Adding lists of special status users to configmap

        commit fa9979e1c81469c998d47f60433b4aac9dcd869b
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 10 06:33:46 2023 -0400

            Adding rancher-cleanup label to all cleanup objects

        commit 4c9876465443048c80e161c31f4d2aef6485978f
        Merge: 2d59ac671 c30130365
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 17:38:29 2023 -0400

            Merge pull request #15 from crobby/migrationreview4

            Post review updates

        commit c301303651a4c5d4e291ce864ecdf183ba7dd0da
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Wed Aug 9 17:33:39 2023 -0400

            Updated isGUID function

        commit 2d59ac6715ce9e94f8bb3c8da8e9286990cab0ce
        Merge: c0cdc07e9 86330c6e9
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 17:14:48 2023 -0400

            Merge pull request #14 from crobby/migrationreview3

            Migration review updates 3

        commit c0cdc07e95857796f4248c0e03ad484cb061d42e
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 17:12:22 2023 -0400

            Log if we need to skip a CRTB/PRTB due to the user not existing

            This feels like the safer option versus applying permissions that
            none of the users we've collected actually have, even with the
            GUID/DN matching. This situation should be relatively uncommon,
            as Rancher usually cleans these up when users are deleted, but
            with the GUID duplicate bug I'm not sure how successful that will
            have been in practice. Best to be safe (and noisy)

        commit 86330c6e96d90aae20211736dac9fb5040e9c40e
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Wed Aug 9 17:09:05 2023 -0400

            Updating SA permissions for nonResourceURLs

        commit 4ae2d58c6326299ac04ef1d45c5fe20b813ba09d
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Wed Aug 9 12:12:19 2023 -0400

            Seeding README, adding script banner

        commit f8c941bc91ef7d2ba86258b4edb596ddea29da69
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Wed Aug 9 11:20:10 2023 -0400

            Token collection checking userID and now setting userID and label for token updates

        commit e742102bb4bf47a17c2da30a811eba4da03453b6
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Wed Aug 9 11:03:04 2023 -0400

            Adding additional dry-run logging information

        commit dc461146039b89e0e42e7f816cf17398ba24418d
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 16:57:02 2023 -0400

            Rework CRTB/PRTB collection to check usernames, run through list once

            There are still nested for loops in here, but they are a bit more
            hidden :P

        commit ad32ccde3310df0f6ed3978ee197829813c8246e
        Merge: ccb0b846d cb98c12fa
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 12:52:25 2023 -0400

            Merge branch 'uuid-unmigration' of github.com:nflynt/rancher into uuid-unmigration

        commit ccb0b846d282c52bf10fc47a194b2ba330e3d548
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 12:50:27 2023 -0400

            Break out the user modification flow into separate functions

            This mostly cleans up the main loop, but it also separates concerns
            and makes the smaller bits of logic easier to find and follow.

        commit aa418938d78fc118465e0fd7716712a6cfc530a4
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 12:19:08 2023 -0400

            Move user principal printing into its respective utility function

        commit ef909ab7c2b20ba2ae271bde36e4f5d808e089aa
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 12:12:05 2023 -0400

            Respect the adConfig's UserObjectClass when performing a GUID lookup

            This is for parity with the auth provider; most AD configurations
            shouldn't have changed this from the default.

        commit 396320570bb7e788b75ec4f62af28e2c6f79ee77
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 11:44:10 2023 -0400

            Consider multiple users with the same GUID as a hard error

            This shouldn't be possible in practice, so it almost certainly
            indicates either a configuration error, or something wrong on the
            AD side of things. Either way we will refuse to process any user
            that trips this logic, and complain about it quite loudly.

        commit 0cebb89e2fae4c8e1937778fea036e983aef27b3
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 11:27:24 2023 -0400

            We don't need the scope, so simplify -> getExternalId

        commit da7ef2280e6480e34cbb22d77bd5f3c3d89398dc
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 11:11:41 2023 -0400

            Start the scaledContext. Don't give it managers it doesn't need

        commit a60b14480f11a81f19277cd77b4ac8597ddf818e
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 10:34:25 2023 -0400

            Remove the ratelimiting exception. Prefer safety over speed

            We need to check the performance ramifications of this during
            testing, but considering that we will almost certainly be iterating
            over hundreds of users, we should probably let k8s itself rate
            limit us so we don't overwhelm whatever is running the control
            plane. That might otherwise be a nasty situation, especially for
            stuff like AKS and GKE.

        commit 16715df42475c07bef66e3982dee5f9905b08ec3
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 10:32:57 2023 -0400

            For bonus safety, redundantly check for dryRun here

            The logic up top should make this check unnecessary, but we want
            to be extra certain that in dryRun mode no changes are made, so
            we'll explicitly guard on it every time. This protects the code
            less from itself, and more from future modifications.

        commit cb98c12fac2205803284dbd975e785d283f002fa
        Merge: e17d56fe3 4d2f73520
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 9 10:20:06 2023 -0400

            Merge pull request #13 from crobby/migrationreview2

            More updates based on review comments

        commit 4d2f7352085d3b03739245d5a0e3c32c6c2a85aa
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Tue Aug 8 10:17:38 2023 -0400

            More updates based on review comments

        commit e17d56fe37605bdeb0fa6afb4f20e740d4658f0c
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 7 16:38:59 2023 -0400

            EscapeUUID -> escapeUUID

        commit 139ce3c900d8d99c30cfbccd9d71747c81fcc7b8
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 7 16:37:34 2023 -0400

            Relocate environment variable use to the agent-specific code path

        commit 795c94b0ec2c6511e06648e8923ed5d776f69f7d
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 7 16:33:13 2023 -0400

            Remove unnecessary namespace from cluster role definitions

        commit 01ea868d7dc62c814419cad4fc2394d7bf1fdc5b
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 7 16:30:53 2023 -0400

            One minute is *awfully optimistic.* Let's be more realistic

        commit b9d4487fe77eb1537eeb5420eba3e1dd1bc25c3f
        Merge: 17250dab5 0efbb02fd
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 7 16:21:42 2023 -0400

            Merge pull request #12 from crobby/migrationreview

            Update based on review comments

        commit 0efbb02fd7a22c00b9a21553018bc4020608cd40
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Mon Aug 7 15:55:46 2023 -0400

            Update based on review comments

        commit 17250dab59307dd085d927288f52dc0e0996ab24
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 7 10:29:05 2023 -0400

            Don't hide the migration script from windows agents

            ... which in hindsight are probably somewhat likely to be using
            the Active Directory auth provider.

        commit cadf021ca147526dc0da1b048b41231759f49376
        Merge: 9b8fd58a3 3926f7bfb
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Mon Aug 7 08:18:10 2023 -0400

            Merge pull request #11 from crobby/migrateimports

            Fixing imports

        commit 3926f7bfba954e143cdbff79eb31e6fe5a687693
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Sat Aug 5 07:45:25 2023 -0400

            Fixing imports

        commit 9b8fd58a344115517336ed44f6a20ae5599d7144
        Merge: de38ffed6 26dd50503
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 17:10:43 2023 -0400

            Merge pull request #10 from crobby/dntokens

            Fix tokens going to local principal

        commit 26dd50503d661ceb95c56a4772a166d5c1f9be96
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Fri Aug 4 17:08:20 2023 -0400

            Fix tokens going to local principal

        commit de38ffed69832f9b46472369bdbe729ab4561758
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 15:36:12 2023 -0400

            Cleanup debug/info logs somewhat

        commit 1581b5d82163ddd3737673b95339f63e4eee048e
        Merge: 5dfcda078 29c87eb70
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 14:56:22 2023 -0400

            Merge pull request #9 from crobby/linter2

            More cleaning up lint

        commit 29c87eb706ea758d88d6a3d76507d4453e8170be
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Fri Aug 4 14:54:40 2023 -0400

            More cleaning up lint

        commit 5dfcda078903ec53137053c93d0544b85c1ced30
        Merge: a1196635c d37ef2fc8
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 14:49:55 2023 -0400

            Merge pull request #8 from crobby/linter

            Cleaning up lint

        commit d37ef2fc8ffc5a3d1366b60f8f5980117eb2999c
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Fri Aug 4 14:47:44 2023 -0400

            Cleaning up lint

        commit a1196635cbc212163cd09c7d932d9ebc4dda34b3
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 14:38:46 2023 -0400

            Add an option to automatically delete missing-guid users

            This is only available when running the standalone script. At Rancher
            startup this option is set to false, so missing users will be logged
            instead and require manual intervention.

        commit 60f31f8a40b209c9e47322a6f858782e9f04924c
        Merge: 7e620d5b3 9d8257882
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 13:22:56 2023 -0400

            Merge pull request #7 from crobby/0805-migration

            Update migration start logic so an automated run will only happen if another run has not completed

        commit 9d825788206591e55a5b162d480897d95e1ec0c5
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Fri Aug 4 12:12:56 2023 -0400

            Update migration start logic so an automated run will only happen if another run has not completed

        commit 7e620d5b36e3ab28ae5e136ab20dd489e3d959c0
        Merge: 30c9f640b 6c352a588
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 11:26:52 2023 -0400

            Merge pull request #4 from crobby/migrateatstart

            Add guid migration to rancher startup

        commit 30c9f640bcb75f50e6205303d7e48e6e039dc148
        Merge: b9aa3920f 72895b416
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 11:10:58 2023 -0400

            Merge pull request #5 from crobby/0803-migration

            Make sure annotations/labels are not nil

        commit 72895b4167ee27c180b80430ffa0e0b7b215fd62
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 3 16:58:56 2023 -0400

            Make sure annotations/labels are not nil

        commit b9aa3920fcfe48fcddd69354ab9db91cd0ca4bb2
        Merge: 79762cb21 7546cdf42
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Fri Aug 4 10:43:30 2023 -0400

            Merge pull request #6 from crobby/0804-migration

            Fix crtb, prtb collection and add token collection/migration

        commit 7546cdf428f85e7e6d138d5ec2fd6ecd7cc8f900
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Fri Aug 4 08:59:54 2023 -0400

            Fix crtb, prtb collection and add token collection/migration

        commit 79762cb21b7f313b4839ccf2a9563a756b482523
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 3 18:00:53 2023 -0400

            Collect CRTBs and PRTBs in a single pass

        commit b6b6085cb8caf372002fa9665768a46715022cc2
        Merge: 3de5aa34b b3acab974
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Thu Aug 3 11:44:13 2023 -0400

            Merge pull request #3 from crobby/0802-2migration

            Adding annotation/labels for migrated objects also blocking login while migration is active

        commit b3acab9740b3a4a10285548689d1584044bc5ad1
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 3 11:37:16 2023 -0400

            Update role for SA

        commit 673e765a181a8620554a2fb2236bf7f1233b35ad
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Thu Aug 3 09:33:45 2023 -0400

            Blocking login while migration is running

        commit 6c352a588f90364983b3fa27a73fe947c92b156a
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Wed Aug 2 13:42:33 2023 -0400

            Add guid migration to rancher startup

        commit 840c5a7a5d9022c69a03f383b4763d424baac216
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Wed Aug 2 12:20:41 2023 -0400

            Adding annotation/labels for migrated objects

        commit 3de5aa34bcfad440ae50b0fd272325cd62d65f45
        Merge: 5dc7bd729 04ea1ce7d
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Wed Aug 2 09:57:48 2023 -0400

            Merge pull request #2 from crobby/0802migration

            Fix status function and use user copies in workUnit slices

        commit 04ea1ce7d83f32abda962a10ccbcc80b64cb4ada
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Tue Aug 1 18:02:19 2023 -0400

            Fixing status function and using copies of users in workUnit slices

        commit 5dc7bd7292621492deb96f417bb2b106c23ae09e
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 1 16:29:15 2023 -0400

            Skip over configmap updates for now, just to get the script running

        commit ac3afe600a1f59b7d8648c3efe0d9a4c1b9fa746
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 1 16:19:52 2023 -0400

            Massively overhaul main loop, check for and handle duplicate users

            This is largely untested because I'm having some trouble with the
            configmaps code, but I wanted to get this committed before I start
            troubleshooting

        commit 5295f8f4d16e87390cc6e8f2bbd2db3558a58447
        Merge: 29f93328f 552e73f89
        Author: nflynt <nicholas.flynt@suse.com>
        Date:   Tue Aug 1 08:58:41 2023 -0400

            Merge pull request #1 from crobby/tokenunmigrate

            Additional unmigration functionality

        commit 552e73f89e9ff1c71f965ea1129e2c2a59fb85cf
        Author: Chad Roberts <chad.roberts@suse.com>
        Date:   Mon Jul 31 13:22:26 2023 -0400

            Additional unmigration functionality

        commit 29f93328f1ee2e8edbcda3f2538dda43b5c9e07c
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Jul 31 17:30:10 2023 -0400

            Actually perform the GUID -> DN migration on the happy path

            And it works too! Thank goodness. Now we mostly need to clean up the
            logic and handle a few dozen edge cases.

        commit 62a6747beeaf13b818b7dadfe12d43975647fff1
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Jul 31 12:53:43 2023 -0400

            Cleanup the logs a bit, flatten the central logic with early exits

        commit ac20a2cdb4f1ed66f96949bebb8cbc85a4c32377
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Mon Jul 31 09:58:54 2023 -0400

            Switch to using the scaledContext for everything

            Since it can do all the lookups we need, it seems silly to set up
            and use two different interfaces to the same underlying datastore.
            The UnstructuredClient is the only way we can read AD configuration
            right now, and we need that info, so let's stick to that method.

        commit 18b39d38e68791465d31fb507bcf26c78a4e7c7e
        Author: Nicholas Flynt <nicholas.flynt@suse.com>
        Date:   Fri Jul 28 17:38:27 2023 -0400

            First pass at migration scaffolding, enough to do GUID -> DN lookups

            There is still much work to do, but at the very least we can read
            the relevant auth configuration details from k8s and use those
            details to make LDAP queries, and that's nearly all of what we need
            to perform the migration.
2023-08-25 15:55:24 -04:00