Expand Up @@ -481,6 +481,7 @@ describe('getInfrastructureFeatures', () => {
const result = getInfrastructureFeatures(
{
[OLMAnnotation.InfrastructureFeatures]: '["tokenAuth"]',
[OLMAnnotation.TokenAuthAWS]: 'true',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
Expand All @@ -493,6 +494,7 @@ describe('getInfrastructureFeatures', () => {
const result = getInfrastructureFeatures(
{
[OLMAnnotation.InfrastructureFeatures]: '["TokenAuth"]',
[OLMAnnotation.TokenAuthAWS]: 'true',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
Expand All @@ -505,6 +507,7 @@ describe('getInfrastructureFeatures', () => {
const result = getInfrastructureFeatures(
{
[OLMAnnotation.InfrastructureFeatures]: '["tokenAuth"]',
[OLMAnnotation.TokenAuthAzure]: 'true',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
Expand All @@ -517,6 +520,7 @@ describe('getInfrastructureFeatures', () => {
const result = getInfrastructureFeatures(
{
[OLMAnnotation.InfrastructureFeatures]: '["TokenAuth"]',
[OLMAnnotation.TokenAuthAzure]: 'true',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
Expand All @@ -541,6 +545,7 @@ describe('getInfrastructureFeatures', () => {
const result = getInfrastructureFeatures(
{
[OLMAnnotation.InfrastructureFeatures]: '["tokenAuthGCP"]',
[OLMAnnotation.TokenAuthGCP]: 'true',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
Expand All @@ -553,6 +558,7 @@ describe('getInfrastructureFeatures', () => {
const result = getInfrastructureFeatures(
{
[OLMAnnotation.InfrastructureFeatures]: '["TokenAuthGCP"]',
[OLMAnnotation.TokenAuthGCP]: 'true',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
Expand All @@ -570,6 +576,96 @@ describe('getInfrastructureFeatures', () => {
);
expect(result).toEqual([]);
});
it(`excludes token auth GCP feature when annotation is explicitly set to false`, () => {
const clusterIsAWSSTS = false;
const clusterIsAzureWIF = false;
const clusterIsGCPWIF = true;
const result = getInfrastructureFeatures(
{
[OLMAnnotation.TokenAuthGCP]: 'false',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(result).toEqual([]);
});
it(`excludes legacy token auth GCP feature when annotation is explicitly set to false on GCP WIF cluster`, () => {
const clusterIsAWSSTS = false;
const clusterIsAzureWIF = false;
const clusterIsGCPWIF = true;
const result = getInfrastructureFeatures(
{
[OLMAnnotation.InfrastructureFeatures]: '["TokenAuthGCP"]',
[OLMAnnotation.TokenAuthGCP]: 'false',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(result).toEqual([]);
});
it(`excludes token auth AWS feature when annotation is not present on AWS STS cluster`, () => {
const clusterIsAWSSTS = true;
const clusterIsAzureWIF = false;
const clusterIsGCPWIF = false;
const result = getInfrastructureFeatures(
{}, // No TokenAuthAWS annotation
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(result).toEqual([]);
expect(result).not.toContain(InfrastructureFeature.TokenAuth);
});
it(`excludes token auth Azure feature when annotation is not present on Azure WIF cluster`, () => {
const clusterIsAWSSTS = false;
const clusterIsAzureWIF = true;
const clusterIsGCPWIF = false;
const result = getInfrastructureFeatures(
{}, // No TokenAuthAzure annotation
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(result).toEqual([]);
expect(result).not.toContain(InfrastructureFeature.TokenAuth);
});
it(`excludes token auth GCP feature when annotation is not present on GCP WIF cluster`, () => {
const clusterIsAWSSTS = false;
const clusterIsAzureWIF = false;
const clusterIsGCPWIF = true;
const result = getInfrastructureFeatures(
{}, // No TokenAuthGCP annotation
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(result).toEqual([]);
expect(result).not.toContain(InfrastructureFeature.TokenAuthGCP);
});
it(`requires explicit true annotation for all token auth providers (opt-in behavior)`, () => {
const clusterIsAWSSTS = true;
const clusterIsAzureWIF = true;
const clusterIsGCPWIF = true;
// Test with annotations missing
const resultMissing = getInfrastructureFeatures(
{},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(resultMissing).toEqual([]);
// Test with annotations set to 'false'
const resultFalse = getInfrastructureFeatures(
{
[OLMAnnotation.TokenAuthAWS]: 'false',
[OLMAnnotation.TokenAuthAzure]: 'false',
[OLMAnnotation.TokenAuthGCP]: 'false',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(resultFalse).toEqual([]);
// Test with annotations set to 'true' - only this should include features
const resultTrue = getInfrastructureFeatures(
{
[OLMAnnotation.TokenAuthAWS]: 'true',
[OLMAnnotation.TokenAuthAzure]: 'true',
[OLMAnnotation.TokenAuthGCP]: 'true',
},
{ clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
);
expect(resultTrue).toContain(InfrastructureFeature.TokenAuth);
expect(resultTrue).toContain(InfrastructureFeature.TokenAuthGCP);
});
it(`includes features defined by latest annotation format`, () => {
const clusterIsAWSSTS = true;
const clusterIsAzureWIF = true;
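Review bot: The new opt-in cases cover only a missing annotation and the literal `'false'`, so nothing pins how a non-canonical value is treated. Because the parser now compares against the exact string `'true'`, a case such as `[OLMAnnotation.TokenAuthAWS]: 'True'` on an STS cluster, asserting `expect(result).toEqual([]);`, would document that any other spelling is expected to leave the operator unadvertised as token-auth capable. In the three "annotation is not present" tests the `expect(result).not.toContain(...)` line is redundant after `toEqual([])` and can be dropped. The last test shown in this section continues outside the visible hunk.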
Expand Up @@ -222,9 +222,11 @@ export const getInfrastructureFeatures: AnnotationParser<
onError,
});
const azureTokenAuthIsSupported =
clusterIsAzureWIF && annotations[OLMAnnotation.TokenAuthAzure] !== 'false';
clusterIsAzureWIF && annotations[OLMAnnotation.TokenAuthAzure] === 'true';
const awsTokenAuthIsSupported =
clusterIsAWSSTS && annotations[OLMAnnotation.TokenAuthAWS] !== 'false';
clusterIsAWSSTS && annotations[OLMAnnotation.TokenAuthAWS] === 'true';
const gcpTokenAuthIsSupported =
clusterIsGCPWIF && annotations[OLMAnnotation.TokenAuthGCP] === 'true';
return [...parsedInfrastructureFeatures, ...Object.keys(annotations ?? {})].reduce(
(supportedFeatures, key) => {
const feature = infrastructureFeatureMap[key];
Expand All @@ -249,7 +251,7 @@ export const getInfrastructureFeatures: AnnotationParser<
return tokenAuthIsSupported ? includeFeature() : excludeFeature();
};
const resolveTokenAuthGCPFeature = () => {
return clusterIsGCPWIF ? includeFeature() : excludeFeature();
return gcpTokenAuthIsSupported ? includeFeature() : excludeFeature();
};

switch (feature) {
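Review bot: The three `*TokenAuthIsSupported` expressions index `annotations` directly, while the `reduce` call right below them guards the same value with `annotations ?? {}`; if the parser can in fact receive a nullish `annotations`, the lookups throw as soon as the matching cluster flag is true. Optional chaining keeps the comparison fail-closed, e.g. `clusterIsGCPWIF && annotations?.[OLMAnnotation.TokenAuthGCP] === 'true';`, and likewise for the AWS and Azure lines. A short comment above them, such as `// Token auth is opt-in: only the exact annotation value 'true' enables it.`, would help, since operators that omit the annotation are no longer reported as supporting token auth. The enclosing function starts and ends outside the visible hunks.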