Merge pull request #245 from AlexVulaj/fallback-isolated-flow-failure

fall back to old flow if new flow fails

cmd/ocm-backplane/cloud/console.go

@@ -147,19 +147,25 @@ func runConsole(cmd *cobra.Command, argv []string) (err error) {
 	if isolatedBackplane {
 		targetCredentials, err := getIsolatedCredentials(clusterID)
 		if err != nil {
-			return fmt.Errorf("failed to get cloud credentials for cluster %v: %w", clusterID, err)
-		}
-
-		resp, err := awsutil.GetSigninToken(targetCredentials, cluster.Region().ID())
-		if err != nil {
-			return fmt.Errorf("failed to get signin token: %w", err)
-		}
-
-		signinFederationURL, err := awsutil.GetConsoleURL(resp.SigninToken, cluster.Region().ID())
-		if err != nil {
-			return fmt.Errorf("failed to generate console url: %w", err)
+			// itn-2023-00143 handle case where customer's org is on the isolated flow,
+			// but they have not yet migrated their account roles
+			fmt.Println("Cluster's org is using new flow but cluster has not migrated to new account roles. Trying old flow...")
+			consoleResponse, err = getCloudConsole(bpURL, clusterID)
+			if err != nil {
+				return err
+			}
+		} else {
+			resp, err := awsutil.GetSigninToken(targetCredentials, cluster.Region().ID())
+			if err != nil {
+				return fmt.Errorf("failed to get signin token: %w", err)
+			}
+
+			signinFederationURL, err := awsutil.GetConsoleURL(resp.SigninToken, cluster.Region().ID())
+			if err != nil {
+				return fmt.Errorf("failed to generate console url: %w", err)
+			}
+			consoleResponse = &ConsoleResponse{ConsoleLink: signinFederationURL.String()}
 		}
-		consoleResponse = &ConsoleResponse{ConsoleLink: signinFederationURL.String()}
 	} else {
 		consoleResponse, err = getCloudConsole(bpURL, clusterID)
 		if err != nil {

cmd/ocm-backplane/cloud/credentials.go

@@ -119,22 +119,32 @@ func runCredentials(cmd *cobra.Command, argv []string) error {
 	if isolatedBackplane {
 		targetCredentials, err := getIsolatedCredentials(clusterID)
 		if err != nil {
-			return fmt.Errorf("failed to get cloud credentials for cluster %v: %w", clusterID, err)
-		}
-
-		bpCreds := &bpCredentials.AWSCredentialsResponse{
-			AccessKeyID:     targetCredentials.AccessKeyID,
-			SecretAccessKey: targetCredentials.SecretAccessKey,
-			SessionToken:    targetCredentials.SessionToken,
-			Expiration:      targetCredentials.Expires.String(),
-		}
-		if region, ok := cluster.GetRegion(); ok {
-			bpCreds.Region = region.ID()
-		}
-
-		output, err = renderCloudCredentials(credentialArgs.output, bpCreds)
-		if err != nil {
-			return fmt.Errorf("failed to render credentials: %w", err)
+			// itn-2023-00143 handle case where customer's org is on the isolated flow,
+			// but they have not yet migrated their account roles
+			fmt.Println("Cluster's org is using new flow but cluster has not migrated to new account roles. Trying old flow...")
+			credsResp, err := getCloudCredential(bpURL, clusterID)
+			if err != nil {
+				return fmt.Errorf("failed to get cloud credentials for cluster %v: %w", clusterID, err)
+			}
+			output, err = renderCredentials(credsResp.JSON200.Credentials, credsResp.JSON200.Region, cloudProvider)
+			if err != nil {
+				return err
+			}
+		} else {
+			bpCreds := &bpCredentials.AWSCredentialsResponse{
+				AccessKeyID:     targetCredentials.AccessKeyID,
+				SecretAccessKey: targetCredentials.SecretAccessKey,
+				SessionToken:    targetCredentials.SessionToken,
+				Expiration:      targetCredentials.Expires.String(),
+			}
+			if region, ok := cluster.GetRegion(); ok {
+				bpCreds.Region = region.ID()
+			}
+
+			output, err = renderCloudCredentials(credentialArgs.output, bpCreds)
+			if err != nil {
+				return fmt.Errorf("failed to render credentials: %w", err)
+			}
 		}
 	} else {
 		credsResp, err := getCloudCredential(bpURL, clusterID)

pkg/awsutil/sts.go

@@ -22,7 +22,7 @@ const (
 	AwsConsoleURL                      = "https://console.aws.amazon.com/"
 	DefaultIssuer                      = "Red Hat SRE"
 
-	assumeRoleMaxRetries   = 5
+	assumeRoleMaxRetries   = 3
 	assumeRoleRetryBackoff = 5 * time.Second
 )