configobservation/auth: remove webhook token authenticator when auth type is OIDC

liouk · liouk · commit 4d75af9fb947 · 2025-02-28T13:42:09.000+01:00
diff --git a/pkg/operator/configobservation/auth/webhook_authenticator.go b/pkg/operator/configobservation/auth/webhook_authenticator.go
@@ -11,6 +11,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
+	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/library-go/pkg/operator/configobserver"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
@@ -51,6 +52,7 @@ func ObserveWebhookTokenAuthenticator(genericListers configobserver.Listers, rec
 
 	auth, err := listers.AuthConfigLister.Get("cluster")
 	if errors.IsNotFound(err) {
+		recorder.Eventf("ObserveWebhookTokenAuthenticator", "authentications.config.openshift.io/cluster: not found")
 		return observedConfig, nil
 	} else if err != nil {
 		return existingConfig, append(errs, err)
@@ -62,7 +64,7 @@ func ObserveWebhookTokenAuthenticator(genericListers configobserver.Listers, rec
 	}
 
 	observedWebhookConfigured := len(webhookSecretName) > 0
-	if observedWebhookConfigured {
+	if observedWebhookConfigured && auth.Spec.Type != configv1.AuthenticationTypeOIDC {
 		// retrieve the secret from config and validate it, don't proceed on failure
 		kubeconfigSecret, err := listers.ConfigSecretLister().Secrets("openshift-config").Get(webhookSecretName)
 		if err != nil {
@@ -87,6 +89,15 @@ func ObserveWebhookTokenAuthenticator(genericListers configobserver.Listers, rec
 			resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: webhookSecretName},
 		)
 	} else {
+		if auth.Spec.Type == configv1.AuthenticationTypeOIDC {
+			if _, err := listers.ConfigmapLister_.ConfigMaps(operatorclient.TargetNamespace).Get(AuthConfigCMName); errors.IsNotFound(err) {
+				// auth-config does not exist in target namespace yet; do not remove webhook until it's there
+				return existingConfig, errs
+			} else if err != nil {
+				return existingConfig, append(errs, err)
+			}
+		}
+
 		// don't sync anything and remove whatever we synced
 		resourceSyncer.SyncSecret(
 			resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "webhook-authenticator"},
diff --git a/pkg/operator/configobservation/auth/webhook_authenticator_test.go b/pkg/operator/configobservation/auth/webhook_authenticator_test.go
@@ -74,7 +74,8 @@ func TestObserveWebhookTokenAuthenticator(t *testing.T) {
 		expectedConfig    map[string]interface{}
 	}{
 		{
-			name: "empty config",
+			name:         "empty config",
+			expectEvents: true,
 		},
 		{
 			name: "referenced secret missing",

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,8 @@ func TestObserveWebhookTokenAuthenticator(t *testing.T) {`
`74`	`74`	`expectedConfig map[string]interface{}`
`75`	`75`	`}{`
`76`	`76`	`{`
`77`		`- name: "empty config",`
	`77`	`+ name: "empty config",`
	`78`	`+ expectEvents: true,`
`78`	`79`	`},`
`79`	`80`	`{`
`80`	`81`	`name: "referenced secret missing",`