oauthclientsecrets: further split the clientSecret logic separately

stlaz · stlaz · commit 7a8af70b2983 · 2024-02-12T13:55:08.000+01:00
diff --git a/pkg/console/controllers/oauthclients/oauthclients.go b/pkg/console/controllers/oauthclients/oauthclients.go
@@ -6,18 +6,15 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	corev1informers "k8s.io/client-go/informers/core/v1"
-	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
-	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	configv1informers "github.com/openshift/client-go/config/informers/externalversions/config/v1"
 	configv1lister "github.com/openshift/client-go/config/listers/config/v1"
 	oauthclient "github.com/openshift/client-go/oauth/clientset/versioned"
@@ -29,7 +26,6 @@ import (
 	routev1listers "github.com/openshift/client-go/route/listers/route/v1"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/events"
-	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
 	"github.com/openshift/console-operator/pkg/api"
@@ -38,17 +34,14 @@ import (
 	oauthsub "github.com/openshift/console-operator/pkg/console/subresource/oauthclient"
 	routesub "github.com/openshift/console-operator/pkg/console/subresource/route"
 	secretsub "github.com/openshift/console-operator/pkg/console/subresource/secret"
-	"github.com/openshift/console-operator/pkg/crypto"
 )
 
 type oauthClientsController struct {
 	oauthClient    oauthv1client.OAuthClientsGetter
 	operatorClient v1helpers.OperatorClient
-	secretsClient  corev1client.SecretsGetter
 
 	oauthClientLister           oauthv1lister.OAuthClientLister
 	oauthClientSwitchedInformer *util.InformerWithSwitch
-	authentication              configv1client.AuthenticationInterface
 	authnLister                 configv1lister.AuthenticationLister
 	consoleOperatorLister       operatorv1listers.ConsoleLister
 	routesLister                routev1listers.RouteLister
@@ -61,8 +54,6 @@ type oauthClientsController struct {
 func NewOAuthClientsController(
 	operatorClient v1helpers.OperatorClient,
 	oauthClient oauthclient.Interface,
-	secretsClient corev1client.SecretsGetter,
-	authentication configv1client.AuthenticationInterface,
 	authnInformer configv1informers.AuthenticationInformer,
 	consoleOperatorInformer operatorv1informers.ConsoleInformer,
 	routeInformer routev1informers.RouteInformer,
@@ -74,18 +65,14 @@ func NewOAuthClientsController(
 	c := oauthClientsController{
 		oauthClient:    oauthClient.OauthV1(),
 		operatorClient: operatorClient,
-		secretsClient:  secretsClient,
 
 		oauthClientLister:           oauthClientSwitchedInformer.Lister(),
 		oauthClientSwitchedInformer: oauthClientSwitchedInformer,
-		authentication:              authentication,
 		authnLister:                 authnInformer.Lister(),
 		consoleOperatorLister:       consoleOperatorInformer.Lister(),
 		routesLister:                routeInformer.Lister(),
 		ingressConfigLister:         ingressConfigInformer.Lister(),
 		targetNSSecretsLister:       targetNSsecretsInformer.Lister(),
-
-		authStatusHandler: status.NewAuthStatusHandler(authentication, api.OpenShiftConsoleName, api.TargetNamespace, api.OpenShiftConsoleOperator),
 	}
 
 	return factory.New().
@@ -156,10 +143,9 @@ func (c *oauthClientsController) sync(ctx context.Context, controllerContext fac
 		return statusHandler.FlushAndReturn(fmt.Errorf("timed out waiting for OAuthClients cache sync"))
 	}
 
-	clientSecret, err := c.syncSecret(ctx, operatorConfig, controllerContext.Recorder())
-	statusHandler.AddConditions(status.HandleProgressingOrDegraded("OAuthClientSecretSync", "FailedApply", err))
+	clientSecret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get("console-oauth-config")
 	if err != nil {
-		return statusHandler.FlushAndReturn(err)
+		return err
 	}
 
 	oauthErrReason, err := c.syncOAuthClient(ctx, clientSecret, consoleURL.String())
@@ -195,15 +181,6 @@ func (c *oauthClientsController) handleManaged(ctx context.Context) (bool, error
 	}
 }
 
-func (c *oauthClientsController) syncSecret(ctx context.Context, operatorConfig *operatorv1.Console, recorder events.Recorder) (*corev1.Secret, error) {
-	secret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get(secretsub.Stub().Name)
-	if apierrors.IsNotFound(err) || secretsub.GetSecretString(secret) == "" {
-		secret, _, err = resourceapply.ApplySecret(ctx, c.secretsClient, recorder, secretsub.DefaultSecret(operatorConfig, crypto.Random256BitsString()))
-	}
-	// any error should be returned & kill the sync loop
-	return secret, err
-}
-
 // applies changes to the oauthclient
 // should not be called until route & secret dependencies are verified
 func (c *oauthClientsController) syncOAuthClient(
diff --git a/pkg/console/controllers/oauthclientsecret/oauthclientsecret.go b/pkg/console/controllers/oauthclientsecret/oauthclientsecret.go
@@ -0,0 +1,179 @@
+package oauthclientsecret
+
+import (
+	"context"
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	corev1informers "k8s.io/client-go/informers/core/v1"
+	corev1clients "k8s.io/client-go/kubernetes/typed/core/v1"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/klog/v2"
+
+	configv1 "github.com/openshift/api/config/v1"
+	operatorv1 "github.com/openshift/api/operator/v1"
+	configv1informers "github.com/openshift/client-go/config/informers/externalversions/config/v1"
+	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
+	operatorv1informers "github.com/openshift/client-go/operator/informers/externalversions/operator/v1"
+	operatorv1listers "github.com/openshift/client-go/operator/listers/operator/v1"
+	"github.com/openshift/console-operator/pkg/api"
+	"github.com/openshift/console-operator/pkg/console/status"
+	"github.com/openshift/console-operator/pkg/crypto"
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
+	v1helpers "github.com/openshift/library-go/pkg/operator/v1helpers"
+
+	secretsub "github.com/openshift/console-operator/pkg/console/subresource/secret"
+	utilsub "github.com/openshift/console-operator/pkg/console/subresource/util"
+)
+
+// oauthClientSecretController behaves differently based on authentication/cluster .spec.type:
+//
+//   - IntegratedOAuth - self-manage the client secret string
+//   - OIDC - lookup our client in the authentication/cluster .spec.oidcProviders[x].oidcClients
+//     slice and use the 'clientSecret' from the secret referred to by .clientSecret.name
+//   - None - do nothing
+//
+// The secret written is 'openshift-console/console-oauth-config' in .Data['clientSecret']
+type oauthClientSecretController struct {
+	operatorClient v1helpers.OperatorClient
+	secretsClient  corev1clients.SecretsGetter
+
+	authConfigLister      configv1listers.AuthenticationLister
+	consoleOperatorLister operatorv1listers.ConsoleLister
+	configSecretsLister   corev1listers.SecretLister
+	targetNSSecretsLister corev1listers.SecretLister
+}
+
+func NewOAuthClientSecretController(
+	operatorClient v1helpers.OperatorClient,
+	secretsClient corev1clients.SecretsGetter,
+	authnInformer configv1informers.AuthenticationInformer,
+	consoleOperatorInformer operatorv1informers.ConsoleInformer,
+	configSecretsInformer corev1informers.SecretInformer,
+	targetNSsecretsInformer corev1informers.SecretInformer,
+	recorder events.Recorder,
+) factory.Controller {
+	c := &oauthClientSecretController{
+		operatorClient: operatorClient,
+		secretsClient:  secretsClient,
+
+		authConfigLister:      authnInformer.Lister(),
+		consoleOperatorLister: consoleOperatorInformer.Lister(),
+		configSecretsLister:   configSecretsInformer.Lister(),
+		targetNSSecretsLister: targetNSsecretsInformer.Lister(),
+	}
+
+	return factory.New().
+		WithSync(c.sync).
+		WithInformers(
+			authnInformer.Informer(),
+			consoleOperatorInformer.Informer(),
+			configSecretsInformer.Informer(),
+		).
+		WithFilteredEventsInformers(
+			factory.NamesFilter("console-oauth-config"), targetNSsecretsInformer.Informer(),
+		).
+		ToController("OAuthClientSecretController", recorder.WithComponentSuffix("oauthclient-secret-controller"))
+}
+
+func (c *oauthClientSecretController) sync(ctx context.Context, syncCtx factory.SyncContext) error {
+	if shouldSync, err := c.handleManaged(ctx); err != nil {
+		return err
+	} else if !shouldSync {
+		return nil
+	}
+
+	statusHandler := status.NewStatusHandler(c.operatorClient)
+
+	clientSecret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get("console-oauth-config")
+	if err != nil && !apierrors.IsNotFound(err) {
+		return err
+	}
+
+	authConfig, err := c.authConfigLister.Get("cluster")
+	if err != nil {
+		return fmt.Errorf("failed to retrieve authentication config: %w", err)
+	}
+
+	var secretString string
+	switch authConfig.Spec.Type {
+	case "", configv1.AuthenticationTypeIntegratedOAuth:
+		// in OpenShift controlled world, we generate the client secret ourselves
+		if clientSecret != nil {
+			secretString = secretsub.GetSecretString(clientSecret)
+		}
+		if len(secretString) == 0 {
+			secretString = crypto.Random256BitsString()
+		}
+	case configv1.AuthenticationTypeOIDC:
+		clientConfig := utilsub.GetOIDCClientConfig(authConfig)
+		if clientConfig == nil {
+			// no config, flush the condition and return
+			statusHandler.AddConditions(status.HandleProgressingOrDegraded("OAuthClientSecretSync", "", nil))
+			return statusHandler.FlushAndReturn(nil)
+		}
+
+		if len(clientConfig.ClientSecret.Name) == 0 {
+			statusHandler.AddConditions(status.HandleProgressingOrDegraded("OAuthClientSecretSync", "MissingClientSecretConfig", fmt.Errorf("missing client secret name reference in config")))
+			return statusHandler.FlushAndReturn(nil)
+		}
+
+		conficClientSecret, err := c.configSecretsLister.Secrets(api.OpenShiftConfigNamespace).Get(clientConfig.ClientSecret.Name)
+		if err != nil {
+			statusHandler.AddConditions(status.HandleProgressingOrDegraded("OAuthClientSecretSync", "FailedClientSecretGet", err))
+			return statusHandler.FlushAndReturn(err)
+		}
+
+		secretString = secretsub.GetSecretString(conficClientSecret)
+		if len(secretString) == 0 {
+			statusHandler.AddConditions(status.HandleProgressingOrDegraded("OAuthClientSecretSync", "ClientSecretKeyMissing", fmt.Errorf("missing the 'clientSecret' key in the client secret secret %q", clientConfig.ClientSecret.Name)))
+			return statusHandler.FlushAndReturn(nil)
+		}
+	default:
+		klog.V(2).Infof("unknown authentication type: %s", authConfig.Spec.Type)
+		return nil
+	}
+
+	err = c.syncSecret(ctx, secretString, syncCtx.Recorder())
+	statusHandler.AddConditions(status.HandleProgressingOrDegraded("OAuthClientSecretSync", "FailedApply", err))
+	return statusHandler.FlushAndReturn(err)
+}
+
+func (c *oauthClientSecretController) syncSecret(ctx context.Context, clientSecret string, recorder events.Recorder) error {
+	operatorConfig, err := c.consoleOperatorLister.Get(api.ConfigResourceName)
+	if err != nil {
+		return err
+	}
+
+	secret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get("console-oauth-config")
+	if apierrors.IsNotFound(err) || secretsub.GetSecretString(secret) == clientSecret {
+		_, _, err = resourceapply.ApplySecret(ctx, c.secretsClient, recorder, secretsub.DefaultSecret(operatorConfig, clientSecret))
+	}
+	return err
+}
+
+// handleStatus returns whether sync should happen and any error encountering
+// determining the operator's management state
+// TODO: extract this logic to where it can be used for all controllers
+func (c *oauthClientSecretController) handleManaged(ctx context.Context) (bool, error) {
+	operatorSpec, _, _, err := c.operatorClient.GetOperatorState()
+	if err != nil {
+		return false, fmt.Errorf("failed to retrieve operator config: %w", err)
+	}
+
+	switch managementState := operatorSpec.ManagementState; managementState {
+	case operatorv1.Managed:
+		klog.V(4).Infoln("console is in a managed state.")
+		return true, nil
+	case operatorv1.Unmanaged:
+		klog.V(4).Infoln("console is in an unmanaged state.")
+		return false, nil
+	case operatorv1.Removed:
+		klog.V(4).Infoln("console has been removed.")
+		return false, nil
+	default:
+		return false, fmt.Errorf("console is in an unknown state: %v", managementState)
+	}
+}
diff --git a/pkg/console/controllers/oidcsetup/oidcsetup.go b/pkg/console/controllers/oidcsetup/oidcsetup.go
@@ -10,11 +10,9 @@ import (
 	apiexensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiexensionsv1informers "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1"
 	apiexensionsv1listers "k8s.io/apiextensions-apiserver/pkg/client/listers/apiextensions/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/util/wait"
 	appsv1informers "k8s.io/client-go/informers/apps/v1"
 	corev1informers "k8s.io/client-go/informers/core/v1"
-	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	appsv1listers "k8s.io/client-go/listers/apps/v1"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/klog/v2"
@@ -29,20 +27,16 @@ import (
 	"github.com/openshift/console-operator/pkg/console/status"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/events"
-	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
 	deploymentsub "github.com/openshift/console-operator/pkg/console/subresource/deployment"
-	secretsub "github.com/openshift/console-operator/pkg/console/subresource/secret"
 	utilsub "github.com/openshift/console-operator/pkg/console/subresource/util"
 )
 
 type oidcSetupController struct {
 	operatorClient v1helpers.OperatorClient
-	secretsClient  corev1client.SecretsGetter
 
 	authnLister               configv1listers.AuthenticationLister
-	configNSSecretsLister     corev1listers.SecretLister
 	crdLister                 apiexensionsv1listers.CustomResourceDefinitionLister
 	consoleOperatorLister     operatorv1listers.ConsoleLister
 	targetNSSecretsLister     corev1listers.SecretLister
@@ -54,24 +48,20 @@ type oidcSetupController struct {
 
 func NewOIDCSetupController(
 	operatorClient v1helpers.OperatorClient,
-	secretsClient corev1client.SecretsGetter,
 	authnInformer configv1informers.AuthenticationInformer,
 	authenticationClient configv1client.AuthenticationInterface,
 	consoleOperatorInformer operatorv1informers.ConsoleInformer,
 	crdInformer apiexensionsv1informers.CustomResourceDefinitionInformer,
-	configNSSecretsInformer corev1informers.SecretInformer,
 	targetNSsecretsInformer corev1informers.SecretInformer,
 	targetNSConfigMapInformer corev1informers.ConfigMapInformer,
 	targetNSDeploymentsInformer appsv1informers.DeploymentInformer,
 	recorder events.Recorder,
 ) factory.Controller {
 	c := &oidcSetupController{
 		operatorClient: operatorClient,
-		secretsClient:  secretsClient,
 
 		authnLister:               authnInformer.Lister(),
 		consoleOperatorLister:     consoleOperatorInformer.Lister(),
-		configNSSecretsLister:     configNSSecretsInformer.Lister(),
 		crdLister:                 crdInformer.Lister(),
 		targetNSSecretsLister:     targetNSsecretsInformer.Lister(),
 		targetNSDeploymentsLister: targetNSDeploymentsInformer.Lister(),
@@ -90,7 +80,6 @@ func NewOIDCSetupController(
 			authnInformer.Informer(),
 			consoleOperatorInformer.Informer(),
 			targetNSsecretsInformer.Informer(),
-			configNSSecretsInformer.Informer(),
 			targetNSDeploymentsInformer.Informer(),
 			targetNSConfigMapInformer.Informer(),
 		).
@@ -166,23 +155,13 @@ func (c *oidcSetupController) syncAuthTypeOIDC(
 		return nil
 	}
 
-	clientSecret, err := c.configNSSecretsLister.Secrets(api.OpenShiftConfigNamespace).Get(clientConfig.ClientSecret.Name)
+	clientSecret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get("console-oauth-config")
 	if err != nil {
 		c.authStatusHandler.Degraded("OIDCClientSecretGet", err.Error())
 		return err
 	}
 
-	secret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get(secretsub.Stub().Name)
-	expectedClientSecret := secretsub.GetSecretString(clientSecret)
-	if apierrors.IsNotFound(err) || secretsub.GetSecretString(secret) != expectedClientSecret {
-		secret, _, err = resourceapply.ApplySecret(ctx, c.secretsClient, controllerContext.Recorder(), secretsub.DefaultSecret(operatorConfig, expectedClientSecret))
-		if err != nil {
-			statusHandler.AddConditions(status.HandleProgressingOrDegraded("OIDCClientSecretSync", "FailedApply", err))
-			return err
-		}
-	}
-
-	if valid, msg, err := c.checkClientConfigStatus(authnConfig, secret); err != nil {
+	if valid, msg, err := c.checkClientConfigStatus(authnConfig, clientSecret); err != nil {
 		c.authStatusHandler.Degraded("DeploymentOIDCConfig", err.Error())
 		return err
 
diff --git a/pkg/console/starter/starter.go b/pkg/console/starter/starter.go
