Merge pull request #773 from benluddy/oauth-apiserver-feature-gate-configobserver

CNTRLPLANE-5: Wire a feature-gates config observer for oauth-apiserver.

Author: openshift-merge-bot[bot]

pkg/operator/configobservation/configobservercontroller/config_observer_controller.go

@@ -1,18 +1,21 @@
 package configobservation
 
 import (
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/tools/cache"
 
 	configinformers "github.com/openshift/client-go/config/informers/externalversions"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/configobserver"
 	"github.com/openshift/library-go/pkg/operator/configobserver/apiserver"
 	libgoetcd "github.com/openshift/library-go/pkg/operator/configobserver/etcd"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	encryptobserver "github.com/openshift/library-go/pkg/operator/encryption/observer"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
+	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/cluster-authentication-operator/pkg/operator/configobservation"
 	observeauthentication "github.com/openshift/cluster-authentication-operator/pkg/operator/configobservation/authentication"
 	observeoauth "github.com/openshift/cluster-authentication-operator/pkg/operator/configobservation/oauth"
@@ -28,6 +31,7 @@ func NewConfigObserverController(
 	configInformer configinformers.SharedInformerFactory,
 	resourceSyncer resourcesynccontroller.ResourceSyncer,
 	eventRecorder events.Recorder,
+	featureGateAccessor featuregates.FeatureGateAccess,
 ) factory.Controller {
 
 	preRunCacheSynced := []cache.InformerSynced{
@@ -70,6 +74,16 @@ func NewConfigObserverController(
 		observeoauth.ObserveAccessTokenInactivityTimeout,
 		libgoetcd.ObserveStorageURLsToArguments,
 		encryptobserver.NewEncryptionConfigObserver("openshift-oauth-apiserver", "/var/run/secrets/encryption-config/encryption-config"),
+		featuregates.NewObserveFeatureFlagsFunc(
+			sets.New(
+				configv1.FeatureGateName("CBORServingAndStorage"),
+				configv1.FeatureGateName("ClientsAllowCBOR"),
+				configv1.FeatureGateName("ClientsPreferCBOR"),
+			),
+			nil,
+			[]string{"apiServerArguments", "feature-gates"},
+			featureGateAccessor,
+		),
 	} {
 		observers = append(observers,
 			configobserver.WithPrefix(o, OAuthAPIServerConfigPrefix))

pkg/operator/replacement_starter.go

@@ -343,9 +343,9 @@ func CreateOperatorStarter(ctx context.Context, authOperatorInput *authenticatio
 	return ret, nil
 }
 
-type featureGateAccessorFunc func(ctx context.Context, authOperatorInput *authenticationOperatorInput, informerFactories authenticationOperatorInformerFactories) (featuregates.FeatureGate, error)
+type featureGateAccessorFunc func(ctx context.Context, authOperatorInput *authenticationOperatorInput, informerFactories authenticationOperatorInformerFactories) (featuregates.FeatureGateAccess, error)
 
-func defaultFeatureGateAccessor(ctx context.Context, authOperatorInput *authenticationOperatorInput, informerFactories authenticationOperatorInformerFactories) (featuregates.FeatureGate, error) {
+func defaultFeatureGateAccessor(ctx context.Context, authOperatorInput *authenticationOperatorInput, informerFactories authenticationOperatorInformerFactories) (featuregates.FeatureGateAccess, error) {
 	// By default, this will exit(0) if the featuregates change
 	featureGateAccessor := featuregates.NewFeatureGateAccess(
 		status.VersionForOperatorFromEnv(), "0.0.1-snapshot",
@@ -356,19 +356,12 @@ func defaultFeatureGateAccessor(ctx context.Context, authOperatorInput *authenti
 	go featureGateAccessor.Run(ctx)
 	go informerFactories.operatorConfigInformer.Start(ctx.Done())
 
-	var featureGates featuregates.FeatureGate
-	select {
-	case <-featureGateAccessor.InitialFeatureGatesObserved():
-		featureGates, _ = featureGateAccessor.CurrentFeatureGates()
-	case <-time.After(1 * time.Minute):
-		return nil, fmt.Errorf("timed out waiting for FeatureGate detection")
-	}
-	return featureGates, nil
+	return featureGateAccessor, nil
 }
 
 // staticFeatureGateAccessor is primarly used during testing to statically enable or disable features.
 func staticFeatureGateAccessor(enabled, disabled []ocpconfigv1.FeatureGateName) featureGateAccessorFunc {
-	return func(_ context.Context, _ *authenticationOperatorInput, _ authenticationOperatorInformerFactories) (featuregates.FeatureGate, error) {
-		return featuregates.NewFeatureGate(enabled, disabled), nil
+	return func(_ context.Context, _ *authenticationOperatorInput, _ authenticationOperatorInformerFactories) (featuregates.FeatureGateAccess, error) {
+		return featuregates.NewHardcodedFeatureGateAccess(enabled, disabled), nil
 	}
 }

pkg/operator/starter.go

@@ -41,6 +41,7 @@ import (
 	workloadcontroller "github.com/openshift/library-go/pkg/operator/apiserver/controller/workload"
 	apiservercontrollerset "github.com/openshift/library-go/pkg/operator/apiserver/controllerset"
 	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/csr"
 	"github.com/openshift/library-go/pkg/operator/encryption"
 	"github.com/openshift/library-go/pkg/operator/encryption/controllers/migrators"
@@ -639,12 +640,18 @@ func prepareOauthAPIServerOperator(
 		return nil, nil, err
 	}
 
+	featureGateAccessor, err := authOperatorInput.featureGateAccessor(ctx, authOperatorInput, informerFactories)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	configObserver := oauthapiconfigobservercontroller.NewConfigObserverController(
 		authOperatorInput.authenticationOperatorClient,
 		informerFactories.kubeInformersForNamespaces,
 		informerFactories.operatorConfigInformer,
 		resourceSyncController,
 		authOperatorInput.eventRecorder,
+		featureGateAccessor,
 	)
 
 	webhookAuthController := webhookauthenticator.NewWebhookAuthenticatorController(
@@ -734,11 +741,19 @@ func prepareExternalOIDC(
 	informerFactories authenticationOperatorInformerFactories,
 ) ([]libraryapplyconfiguration.NamedRunOnce, []libraryapplyconfiguration.RunFunc, error) {
 
-	featureGates, err := authOperatorInput.featureGateAccessor(ctx, authOperatorInput, informerFactories)
+	featureGateAccessor, err := authOperatorInput.featureGateAccessor(ctx, authOperatorInput, informerFactories)
 	if err != nil {
 		return nil, nil, err
 	}
 
+	var featureGates featuregates.FeatureGate
+	select {
+	case <-featureGateAccessor.InitialFeatureGatesObserved():
+		featureGates, _ = featureGateAccessor.CurrentFeatureGates()
+	case <-time.After(1 * time.Minute):
+		return nil, nil, fmt.Errorf("timed out waiting for FeatureGate detection")
+	}
+
 	if !(featureGates.Enabled(features.FeatureGateExternalOIDC) || featureGates.Enabled(features.FeatureGateExternalOIDCWithAdditionalClaimMappings)) {
 		return nil, nil, nil
 	}

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/0f09-body-cluster.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+count: 1
+eventTime: null
+firstTimestamp: "2024-10-14T22:38:20Z"
+involvedObject:
+  kind: Deployment
+  name: authentication-operator
+  namespace: openshift-authentication-operator
+kind: Event
+lastTimestamp: "2024-10-14T22:38:20Z"
+message: 'Writing updated section ("oauthServer") of observed config: "\u00a0\u00a0map[string]any(\n-\u00a0\tnil,\n+\u00a0\t{\n+\u00a0\t\t\"corsAllowedOrigins\":
+  []any{string(`//127\\.0\\.0\\.1(:|$)`), string(\"//localhost(:|$)\")},\n+\u00a0\t\t\"oauthConfig\":
+  map[string]any{\n+\u00a0\t\t\t\"loginURL\": string(\"https://api.ostest.test.metalkube.org:6443\"),\n+\u00a0\t\t\t\"tokenConfig\":
+  map[string]any{\n+\u00a0\t\t\t\t\"accessTokenMaxAgeSeconds\":    float64(86400),\n+\u00a0\t\t\t\t\"authorizeTokenMaxAgeSeconds\":
+  float64(300),\n+\u00a0\t\t\t},\n+\u00a0\t\t},\n+\u00a0\t\t\"serverArguments\": map[string]any{\n+\u00a0\t\t\t\"audit-log-format\":    []any{string(\"json\")},\n+\u00a0\t\t\t\"audit-log-maxbackup\":
+  []any{string(\"10\")},\n+\u00a0\t\t\t\"audit-log-maxsize\":   []any{string(\"100\")},\n+\u00a0\t\t\t\"audit-log-path\":      []any{string(\"/var/log/oauth-server/audit.log\")},\n+\u00a0\t\t\t\"audit-policy-file\":   []any{string(\"/var/run/configmaps/audit/audit.\"...)},\n+\u00a0\t\t},\n+\u00a0\t\t\"servingInfo\":
+  map[string]any{\n+\u00a0\t\t\t\"cipherSuites\": []any{\n+\u00a0\t\t\t\tstring(\"TLS_AES_128_GCM_SHA256\"),
+  string(\"TLS_AES_256_GCM_SHA384\"),\n+\u00a0\t\t\t\tstring(\"TLS_CHACHA20_POLY1305_SHA256\"),\n+\u00a0\t\t\t\tstring(\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM\"...),
+  ...,\n+\u00a0\t\t\t},\n+\u00a0\t\t\t\"minTLSVersion\": string(\"VersionTLS12\"),\n+\u00a0\t\t},\n+\u00a0\t},\n\u00a0\u00a0)\n"'
+metadata:
+  creationTimestamp: null
+  name: authentication-operator.17fe72c59b829800.b2cdb588
+  namespace: openshift-authentication-operator
+reason: ObservedConfigChanged
+reportingComponent: ""
+reportingInstance: ""
+source:
+  component: cluster-authentication-operator-run-once-sync-context
+type: Normal

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/0f09-metadata-cluster.yaml

@@ -1,7 +1,7 @@
 action: Create
 controllerInstanceName: ""
 generateName: ""
-mame: authentication-operator.17fe72c59b829800.57eb8535
+mame: authentication-operator.17fe72c59b829800.b2cdb588
 namespace: openshift-authentication-operator
 resourceType:
   Group: ""

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/0f09-options-cluster.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+count: 1
+eventTime: null
+firstTimestamp: "2024-10-14T22:38:20Z"
+involvedObject:
+  kind: Deployment
+  name: authentication-operator
+  namespace: openshift-authentication-operator
+kind: Event
+lastTimestamp: "2024-10-14T22:38:20Z"
+message: 'Updated apiServerArguments.feature-gates to '
+metadata:
+  creationTimestamp: null
+  name: authentication-operator.17fe72c59b829800.7cfd43de
+  namespace: openshift-authentication-operator
+reason: ObserveFeatureFlagsUpdated
+reportingComponent: ""
+reportingInstance: ""
+source:
+  component: cluster-authentication-operator-run-once-sync-context
+type: Normal