Merge pull request #7987 from cjschaef/ocpbugs-28870

OCPBUGS-28870: IBMCloud: Restrict CIS and DNS Service lookup
2026-02-05 06:46:36 +01:00 · 2024-03-20 04:10:09 +00:00
parent 6c90567fea ac2d5fe8ab
commit 6ca6a89cb5
2 changed files with 14 additions and 3 deletions
--- a/pkg/asset/installconfig/ibmcloud/metadata.go
+++ b/pkg/asset/installconfig/ibmcloud/metadata.go
@@ -27,6 +27,7 @@ type Metadata struct {
 	computeSubnets      map[string]Subnet
 	controlPlaneSubnets map[string]Subnet
 	dnsInstance         *DNSInstance
+	publishStrategy     types.PublishingStrategy
 	serviceEndpoints    []configv1.IBMCloudServiceEndpoint

 	mutex       sync.Mutex
@@ -46,6 +47,7 @@ func NewMetadata(config *types.InstallConfig) *Metadata {
 		BaseDomain:              config.BaseDomain,
 		ComputeSubnetNames:      config.Platform.IBMCloud.ComputeSubnets,
 		ControlPlaneSubnetNames: config.Platform.IBMCloud.ControlPlaneSubnets,
+		publishStrategy:         config.Publish,
 		Region:                  config.Platform.IBMCloud.Region,
 		serviceEndpoints:        config.Platform.IBMCloud.ServiceEndpoints,
 	}
@@ -79,7 +81,8 @@ func (m *Metadata) CISInstanceCRN(ctx context.Context) (string, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if m.cisInstanceCRN == "" {
+	// Only attempt to find the CIS instance if using ExternalPublishingStrategy and we have not collected it already
+	if m.publishStrategy == types.ExternalPublishingStrategy && m.cisInstanceCRN == "" {
 		client, err := m.Client()
 		if err != nil {
 			return "", err
@@ -111,8 +114,9 @@ func (m *Metadata) DNSInstance(ctx context.Context) (*DNSInstance, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	// Prevent multiple attempts to retrieve (set) the dnsInstance if it hasn't been set (multiple threads reach mutex concurrently)
-	if m.dnsInstance == nil {
+	// Only attempt to find the DNS Services instance if using InternalPublishingStrategy and also
+	// prevent multiple attempts to retrieve (set) the dnsInstance if it hasn't been set (multiple threads reach mutex concurrently)
+	if m.publishStrategy == types.InternalPublishingStrategy && m.dnsInstance == nil {
 		client, err := m.Client()
 		if err != nil {
 			return nil, err
--- a/pkg/asset/installconfig/ibmcloud/metadata_test.go
+++ b/pkg/asset/installconfig/ibmcloud/metadata_test.go
@@ -178,9 +178,14 @@ func baseMetadata() *Metadata {
 				Region: region,
 			},
 		},
+		Publish: types.ExternalPublishingStrategy,
 	})
 }

+func setInternalPublishingStrategy(m *Metadata) {
+	m.publishStrategy = types.InternalPublishingStrategy
+}
+
 func TestAccountID(t *testing.T) {
 	testCases := []struct {
 		name          string
@@ -406,6 +411,7 @@ func TestDNSInstance(t *testing.T) {
 	for _, tCase := range testCases {
 		t.Run(tCase.name, func(t *testing.T) {
 			metadata := baseMetadata()
+			setInternalPublishingStrategy(metadata)
 			metadata.client = ibmcloudClient
 			for _, edit := range tCase.edits {
 				edit(metadata)
@@ -438,6 +444,7 @@ func TestSetDNSInstance(t *testing.T) {
 	for _, tCase := range testCases {
 		t.Run(tCase.name, func(t *testing.T) {
 			metadata := baseMetadata()
+			setInternalPublishingStrategy(metadata)

 			metadata.dnsInstance = &DNSInstance{
 				ID:  tCase.dnsID,