Protect platform-auth-idp from upgrade clobber (#1033)

Originating issue: [IBMPrivateCloud/roadmap#66581](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/66581)

Also:

* Avoid status conflicts in deferred func

Signed-off-by: Rob Hundley <[email protected]>

Author: rwhundley

controllers/bootstrap/authentication_bootstrap_controller.go

@@ -0,0 +1,176 @@
+/*
+Copyright 2025 IBM Corporation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+
+	operatorv1alpha1 "github.com/IBM/ibm-iam-operator/apis/operator/v1alpha1"
+	ctrlcommon "github.com/IBM/ibm-iam-operator/controllers/common"
+	"github.com/IBM/ibm-iam-operator/version"
+	"github.com/opdev/subreconciler"
+	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+)
+
+// BootStrapReconciler handles modifications to the Authentication CR before it is reconciled by the
+// main Authentication controller
+type BootstrapReconciler struct {
+	client.Client
+}
+
+func (r *BootstrapReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) {
+	log := logf.FromContext(ctx).WithName("controller_authentication_bootstrap")
+	subCtx := logf.IntoContext(ctx, log)
+	if subResult, err := r.makeAuthenticationCorrections(subCtx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
+		if err != nil {
+			log.Error(err, "An error was encountered during Authentication bootstrap")
+		} else {
+			log.Info("Needed to requeue during Authentication bootstrap")
+		}
+		return subreconciler.Evaluate(subResult, err)
+	}
+	log.Info("Authentication bootstrap successful")
+	return
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *BootstrapReconciler) SetupWithManager(mgr ctrl.Manager) error {
+
+	authCtrl := ctrl.NewControllerManagedBy(mgr)
+
+	bootstrapPred := predicate.NewPredicateFuncs(func(o client.Object) bool {
+		return o.GetLabels()[ctrlcommon.ManagerVersionLabel] != version.Version
+	})
+
+	authCtrl.Watches(&operatorv1alpha1.Authentication{}, &handler.EnqueueRequestForObject{}, builder.WithPredicates(bootstrapPred))
+	return authCtrl.Named("controller_authentication_bootstrap").Complete(r)
+}
+
+// makeAuthenticationCorrections handles changes that need to happen to the Authentication CR for compatibility reasons.
+func (r *BootstrapReconciler) makeAuthenticationCorrections(ctx context.Context, req ctrl.Request) (result *ctrl.Result, err error) {
+	log := logf.FromContext(ctx)
+	authCR := &operatorv1alpha1.Authentication{}
+	if result, err = r.getLatestAuthentication(ctx, req, authCR); subreconciler.ShouldHaltOrRequeue(result, err) {
+		return
+	}
+	if authCR.Labels[ctrlcommon.ManagerVersionLabel] == version.Version {
+		return subreconciler.ContinueReconciling()
+	}
+
+	if needsAuditServiceDummyDataReset(authCR) {
+		authCR.SetRequiredDummyData()
+	}
+
+	if err = r.writeConfigurationsToAuthenticationCR(ctx, authCR); err != nil {
+		log.Error(err, "Failed to update the Authentication")
+		return subreconciler.RequeueWithError(err)
+	}
+
+	authCR.Labels[ctrlcommon.ManagerVersionLabel] = version.Version
+
+	err = r.Update(ctx, authCR)
+	if err != nil {
+		log.Error(err, "Failed to update the Authentication")
+		return subreconciler.RequeueWithError(err)
+	}
+	log.Info("Performed bootstrap update to Authentication successfully")
+
+	return subreconciler.ContinueReconciling()
+}
+
+// writeConfigurationsToAuthenticationCR copies values from the
+// platform-auth-idp ConfigMap to the Authentication CR.
+func (r *BootstrapReconciler) writeConfigurationsToAuthenticationCR(ctx context.Context, authCR *operatorv1alpha1.Authentication) (err error) {
+	platformAuthIDPCM := &corev1.ConfigMap{}
+	if err = r.Get(ctx, types.NamespacedName{Name: "platform-auth-idp", Namespace: authCR.Namespace}, platformAuthIDPCM); k8sErrors.IsNotFound(err) {
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("failed to get ConfigMap: %w", err)
+	}
+	keys := map[string]any{
+		"ROKS_URL":                 &authCR.Spec.Config.ROKSURL,
+		"ROKS_USER_PREFIX":         &authCR.Spec.Config.ROKSUserPrefix,
+		"ROKS_ENABLED":             &authCR.Spec.Config.ROKSEnabled,
+		"BOOTSTRAP_USERID":         &authCR.Spec.Config.BootstrapUserId,
+		"CLAIMS_SUPPORTED":         &authCR.Spec.Config.ClaimsSupported,
+		"CLAIMS_MAP":               &authCR.Spec.Config.ClaimsMap,
+		"DEFAULT_LOGIN":            &authCR.Spec.Config.DefaultLogin,
+		"SCOPE_CLAIM":              &authCR.Spec.Config.ScopeClaim,
+		"NONCE_ENABLED":            &authCR.Spec.Config.NONCEEnabled,
+		"PREFERRED_LOGIN":          &authCR.Spec.Config.PreferredLogin,
+		"OIDC_ISSUER_URL":          &authCR.Spec.Config.OIDCIssuerURL,
+		"PROVIDER_ISSUER_URL":      &authCR.Spec.Config.ProviderIssuerURL,
+		"CLUSTER_NAME":             &authCR.Spec.Config.ClusterName,
+		"FIPS_ENABLED":             &authCR.Spec.Config.FIPSEnabled,
+		"IBM_CLOUD_SAAS":           &authCR.Spec.Config.IBMCloudSaas,
+		"SAAS_CLIENT_REDIRECT_URL": &authCR.Spec.Config.SaasClientRedirectUrl,
+		"ATTR_MAPPING_FROM_CONFIG": &authCR.Spec.Config.AttrMappingFromConfig,
+	}
+
+	for key, crField := range keys {
+		cmValue, ok := platformAuthIDPCM.Data[key]
+		if !ok {
+			continue
+		}
+		switch crValue := crField.(type) {
+		case *string:
+			if *crValue != cmValue {
+				*crValue = cmValue
+			}
+		case *bool:
+			cmValueBool, _ := strconv.ParseBool(cmValue)
+			if *crValue != cmValueBool {
+				*crValue = cmValueBool
+			}
+		}
+	}
+
+	return
+}
+
+// needsAuditServiceDummyDataReset compares the state in an Authentication's .spec.auditService and returns whether it
+// needs to be overwritten with dummy data.
+func needsAuditServiceDummyDataReset(a *operatorv1alpha1.Authentication) bool {
+	return a.Spec.AuditService.ImageName != operatorv1alpha1.AuditServiceIgnoreString ||
+		a.Spec.AuditService.ImageRegistry != operatorv1alpha1.AuditServiceIgnoreString ||
+		a.Spec.AuditService.ImageTag != operatorv1alpha1.AuditServiceIgnoreString ||
+		a.Spec.AuditService.SyslogTlsPath != "" ||
+		a.Spec.AuditService.Resources != nil
+}
+
+func (r *BootstrapReconciler) getLatestAuthentication(ctx context.Context, req ctrl.Request, authentication *operatorv1alpha1.Authentication) (result *ctrl.Result, err error) {
+	reqLogger := logf.FromContext(ctx)
+	if err := r.Get(ctx, req.NamespacedName, authentication); err != nil {
+		if k8sErrors.IsNotFound(err) {
+			reqLogger.Info("Authentication not found; skipping reconciliation")
+			return subreconciler.DoNotRequeue()
+		}
+		reqLogger.Error(err, "Failed to get Authentication")
+		return subreconciler.RequeueWithError(err)
+	}
+	return subreconciler.ContinueReconciling()
+}

controllers/common/constants.go

@@ -45,3 +45,5 @@ const (
 	PlatformIdentityManagement DeploymentName = "platform-identity-management"
 	PlatformAuthService        DeploymentName = "platform-auth-service"
 )
+
+const ManagerVersionLabel string = "authentication.operator.ibm.com/manager-version"

controllers/common/utils.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 	"time"
@@ -67,7 +66,7 @@ var _ fmt.Stringer = OpenShift
 
 // GetClusterType attempts to determine whether the Operator is running on Openshift versus a CNCF cluster. Exits in the
 // event that the cluster config can't be obtained to make queries or if the watch namespace can't be obtained.
-func GetClusterType(ctx context.Context, k8sClient *client.Client, cmName string) (clusterType ClusterType, err error) {
+func GetClusterType(ctx context.Context, k8sClient client.Client, cmName string) (clusterType ClusterType, err error) {
 	logger := logf.FromContext(ctx)
 	logger.Info("Get cluster config")
 
@@ -101,7 +100,7 @@ func GetClusterType(ctx context.Context, k8sClient *client.Client, cmName string
 	cm := &corev1.ConfigMap{}
 	for _, namespace := range namespaces {
 		logger.Info("Try to find ConfigMap", "name", cmName, "namespace", namespace)
-		err = (*k8sClient).Get(ctx, types.NamespacedName{Name: cmName, Namespace: namespace}, cm)
+		err = k8sClient.Get(ctx, types.NamespacedName{Name: cmName, Namespace: namespace}, cm)
 		if err != nil {
 			logger.Error(err, "Failed to get ConfigMap")
 			logger.Info("Did not find it", "namespace", namespace)
@@ -265,7 +264,7 @@ func GetOperatorNamespace() (string, error) {
 	} else if isRunModeLocal() {
 		return "", ErrRunLocal
 	}
-	nsBytes, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	nsBytes, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
 	if err != nil {
 		if os.IsNotExist(err) {
 			return "", ErrNoNamespace
@@ -283,22 +282,38 @@ func GetOperatorNamespace() (string, error) {
 // Authentication CR for a given IM Operator instance, so wherever that one Authentication CR is found is assumed to be
 // where the other Operands are. If no or more than one Authentication CR is found, an error is reported as this is an
 // unsupported usage of the CR.
-func GetAuthentication(ctx context.Context, k8sClient *client.Client) (authCR *operatorv1alpha1.Authentication, err error) {
-	authenticationList := &operatorv1alpha1.AuthenticationList{}
-	err = (*k8sClient).List(ctx, authenticationList)
-	if err != nil {
-		return
+func GetAuthentication(ctx context.Context, k8sClient client.Client, namespaces ...string) (authCR *operatorv1alpha1.Authentication, err error) {
+	if len(namespaces) == 0 {
+		authenticationList := &operatorv1alpha1.AuthenticationList{}
+		err = k8sClient.List(ctx, authenticationList)
+		if err != nil {
+			return
+		}
+		if len(authenticationList.Items) != 1 {
+			err = fmt.Errorf("expected to find 1 Authentication but found %d", len(authenticationList.Items))
+			return
+		}
+		return &authenticationList.Items[0], nil
 	}
-	if len(authenticationList.Items) != 1 {
-		err = fmt.Errorf("expected to find 1 Authentication but found %d", len(authenticationList.Items))
-		return
+
+	var errs error = nil
+	authCR = &operatorv1alpha1.Authentication{}
+	for _, namespace := range namespaces {
+		err = k8sClient.Get(ctx, types.NamespacedName{Name: "example-authentication", Namespace: namespace}, authCR)
+		if k8sErrors.IsNotFound(err) {
+			continue
+		} else if err == nil {
+			return
+		}
+		errs = errors.Join(errs, err)
 	}
-	return &authenticationList.Items[0], nil
+
+	return nil, errs
 }
 
 // GetServicesNamespace finds the namespace that contains the shared services deriving from the Authentication CR for
 // this IM install. Returns an error when
-func GetServicesNamespace(ctx context.Context, k8sClient *client.Client) (namespace string, err error) {
+func GetServicesNamespace(ctx context.Context, k8sClient client.Client) (namespace string, err error) {
 	authCR, err := GetAuthentication(ctx, k8sClient)
 	if err != nil {
 		return

controllers/oidc.security/client_controller.go

@@ -127,7 +127,7 @@ func (r *ClientReconciler) confirmAuthenticationIsReady(ctx context.Context, req
 	reqLogger.Info("Confirm that Authentication CR for IM is ready before reconciling Client")
 
 	var authCR *operatorv1alpha1.Authentication
-	if authCR, err = common.GetAuthentication(ctx, &r.Client); err != nil {
+	if authCR, err = common.GetAuthentication(ctx, r.Client); err != nil {
 		reqLogger.Info("Failed to get the Authentication for this install of IM", "reason", err.Error())
 		return subreconciler.RequeueWithDelay(wait.Jitter(baseAuthenticationWaitTime, 1.0))
 	}
@@ -429,7 +429,7 @@ func (r *ClientReconciler) annotateServiceAccount(ctx context.Context, req ctrl.
 	}
 
 	sAccName := "ibm-iam-operand-restricted"
-	sAccNamespace, err := common.GetServicesNamespace(ctx, &r.Client)
+	sAccNamespace, err := common.GetServicesNamespace(ctx, r.Client)
 	if err != nil {
 		return subreconciler.RequeueWithError(err)
 	}
@@ -824,7 +824,7 @@ func (r *ClientReconciler) removeAnnotationFromSA(ctx context.Context, req ctrl.
 	}
 
 	sAccName := "ibm-iam-operand-restricted"
-	sAccNamespace, err := common.GetServicesNamespace(ctx, &r.Client)
+	sAccNamespace, err := common.GetServicesNamespace(ctx, r.Client)
 	if err != nil {
 		reqLogger.Error(err, "Failed to get services namespace")
 		return subreconciler.RequeueWithError(err)

controllers/oidc.security/client_controller_config.go

@@ -280,7 +280,7 @@ func (c AuthenticationConfig) GetCSCATLSKey() (value []byte, err error) {
 }
 
 func GetConfig(ctx context.Context, r *ClientReconciler, config *AuthenticationConfig) (err error) {
-	servicesNamespace, err := ctrlCommon.GetServicesNamespace(ctx, &r.Client)
+	servicesNamespace, err := ctrlCommon.GetServicesNamespace(ctx, r.Client)
 	if err != nil {
 		return fmt.Errorf("failed to get ConfigMap: %w", err)
 	}

controllers/oidc.security/clientreg.go

@@ -232,7 +232,7 @@ func (r *ClientReconciler) invokeClientRegistrationAPI(ctx context.Context, clie
 // return whatever matching Secret exists in the cluster and cache it for future use.
 func (r *ClientReconciler) getCSCACertificateSecret(ctx context.Context) (secret *corev1.Secret, err error) {
 	secret = &corev1.Secret{}
-	servicesNamespace, err := common.GetServicesNamespace(ctx, &r.Client)
+	servicesNamespace, err := common.GetServicesNamespace(ctx, r.Client)
 	if err != nil {
 		return
 	}