OADP-5973, OADP-3340, OADP-6212: AWS, GCP, Azure Standardized Flow Implementation (#1712)

* AWS, GCP, Azure Standardized Flow Secret Creation

Signed-off-by: Tiger Kaovilai <[email protected]>

Add make targets sts-flow testing

Signed-off-by: Tiger Kaovilai <[email protected]>

* Add BSL-specific patching for STS secrets

- Label STS-created secrets with "oadp.openshift.io/secret-type": "sts-credentials"
- Implement automatic region patching for AWS STS secrets from BSL configuration
- Implement automatic resource group patching for Azure STS secrets from BSL configuration
- Ensure only STS-created secrets are patched by checking for specific keys:
  - AWS: "credentials" key with role_arn and web_identity_token_file content
  - Azure: "azurekey" key with AZURE_CLIENT_ID but no AZURE_CLIENT_SECRET
- Add comprehensive test coverage for all patching scenarios
- Update documentation to reflect dynamic configuration capabilities

This enhancement allows the first BSL to automatically configure region (AWS) or
resource group (Azure) in STS secrets, eliminating manual configuration needs.

* Fix STS secret updates to preserve BSL patches                                                │

The BSL controller patches AWS secrets with region information by
modifying the Data field directly, but the STS flow was completely
replacing StringData which caused region patches to be overridden.

This change preserves existing Data when updating STS secrets by
only updating specific StringData fields rather than clearing all
existing data.

* Add Azure workload identity support for Velero deployment and service account annotation

Signed-off-by: Tiger Kaovilai <[email protected]>

* Add Azure workload identity support to Velero deployment and tests

Signed-off-by: Tiger Kaovilai <[email protected]>

* Refactor Azure workload identity implementation in Velero: comment out label and annotation handling, update environment variable checks in tests

Signed-off-by: Tiger Kaovilai <[email protected]>

* fmt

Signed-off-by: Tiger Kaovilai <[email protected]>

* Remove Azure workload identity label handling from Velero deployment and tests

Signed-off-by: Tiger Kaovilai <[email protected]>

* Remove commented-out Azure workload identity annotations and clean up related tests

Signed-off-by: Tiger Kaovilai <[email protected]>

* Add Azure workload identity environment variable support to NodeAgent DaemonSet and corresponding tests

Signed-off-by: Tiger Kaovilai <[email protected]>

* Implement Azure workload identity secret management in DataProtectionApplication reconciler

Signed-off-by: Tiger Kaovilai <[email protected]>

* Enhance Azure workload identity secret reconciliation by adding tenant ID handling and updating related tests

Signed-off-by: Tiger Kaovilai <[email protected]>

* Remove unnecessary blank line in noDefaultCredentials function

Signed-off-by: Tiger Kaovilai <[email protected]>

* Apply suggestion from @Copilot

Co-authored-by: Copilot <[email protected]>

* Update pkg/bucket/client.go

Co-authored-by: Copilot <[email protected]>

---------

Signed-off-by: Tiger Kaovilai <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: kaovilai

Makefile

@@ -462,7 +462,162 @@ deploy-olm: undeploy-olm ## Build current branch operator image, bundle image, p
 undeploy-olm: login-required operator-sdk ## Uninstall current branch operator via OLM
 	$(OC_CLI) whoami # Check if logged in
 	$(OC_CLI) create namespace $(OADP_TEST_NAMESPACE) || true
-	$(OPERATOR_SDK) cleanup oadp-operator --namespace $(OADP_TEST_NAMESPACE)
+	-$(OPERATOR_SDK) cleanup oadp-operator --namespace $(OADP_TEST_NAMESPACE) || true
+	# Also try to clean up any leftover resources
+	-$(OC_CLI) delete subscription oadp-operator -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) get subscription -n $(OADP_TEST_NAMESPACE) -o name | xargs -I {} $(OC_CLI) get {} -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.metadata.name}{"\t"}{.spec.source}{"\n"}' | grep "oadp-operator-catalog" | cut -f1 | xargs -I {} $(OC_CLI) delete subscription {} -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) delete csv -l operators.coreos.com/oadp-operator.$(OADP_TEST_NAMESPACE) -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) delete catalogsource oadp-operator-catalog -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+
+# Create subscription YAML helper function
+# Parameters:
+#   $(1) - Path to the subscription YAML file to create (e.g., /tmp/oadp-gcp-subscription.yaml)
+create-sts-subscription = \
+	echo "apiVersion: operators.coreos.com/v1alpha1" > $(1) && \
+	echo "kind: Subscription" >> $(1) && \
+	echo "metadata:" >> $(1) && \
+	echo "  name: oadp-operator" >> $(1) && \
+	echo "  namespace: $(OADP_TEST_NAMESPACE)" >> $(1) && \
+	echo "spec:" >> $(1) && \
+	echo "  channel: operator-sdk-run-bundle" >> $(1) && \
+	echo "  name: oadp-operator" >> $(1) && \
+	echo "  source: oadp-operator-catalog" >> $(1) && \
+	echo "  sourceNamespace: $(OADP_TEST_NAMESPACE)" >> $(1) && \
+	echo "  installPlanApproval: Automatic" >> $(1) && \
+	echo "  config:" >> $(1) && \
+	echo "    env:" >> $(1)
+
+# Apply subscription and wait for ready helper function
+# Parameters:
+#   $(1) - Path to the subscription YAML file to apply (e.g., /tmp/oadp-gcp-subscription.yaml)
+#   $(2) - Cloud provider descriptive name for status messages (e.g., "GCP WIF", "AWS STS", "Azure Workload Identity")
+apply-sts-subscription = \
+	$(OC_CLI) apply -f $(1) && \
+	rm -f $(1) && \
+	echo "" && \
+	echo "Subscription created with $(2) environment variables." && \
+	echo "Waiting for operator to be ready..." && \
+	echo "Waiting for InstallPlan to be created..." && \
+	timeout=60; \
+	while [ $$timeout -gt 0 ]; do \
+		INSTALL_PLAN=$$($(OC_CLI) get subscription oadp-operator -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.status.installPlanRef.name}' 2>/dev/null); \
+		if [ -n "$$INSTALL_PLAN" ]; then \
+			echo "InstallPlan $$INSTALL_PLAN found"; \
+			break; \
+		fi; \
+		echo -n "."; \
+		sleep 2; \
+		timeout=$$((timeout-2)); \
+	done; \
+	if [ $$timeout -le 0 ]; then \
+		echo "Timeout waiting for InstallPlan"; \
+		exit 1; \
+	fi; \
+	echo "Waiting for CSV to exist..."; \
+	timeout=120; \
+	while [ $$timeout -gt 0 ]; do \
+		CSV_NAME=$$($(OC_CLI) get subscription oadp-operator -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.status.currentCSV}' 2>/dev/null); \
+		if [ -n "$$CSV_NAME" ]; then \
+			if $(OC_CLI) get csv/$$CSV_NAME -n $(OADP_TEST_NAMESPACE) >/dev/null 2>&1; then \
+				echo "CSV $$CSV_NAME found"; \
+				break; \
+			fi; \
+		fi; \
+		echo -n "."; \
+		sleep 2; \
+		timeout=$$((timeout-2)); \
+	done; \
+	if [ $$timeout -le 0 ]; then \
+		echo "Timeout waiting for CSV to exist"; \
+		exit 1; \
+	fi; \
+	echo "Waiting for CSV to be ready..."; \
+	if [ -n "$$CSV_NAME" ]; then \
+		$(OC_CLI) wait --for=jsonpath='{.status.phase}'=Succeeded csv/$$CSV_NAME -n $(OADP_TEST_NAMESPACE) --timeout=300s; \
+	fi; \
+	echo "Operator is ready!"; \
+	$(OC_CLI) get subscription oadp-operator -n $(OADP_TEST_NAMESPACE); \
+	$(OC_CLI) get csv -n $(OADP_TEST_NAMESPACE)
+
+.PHONY: deploy-olm-stsflow
+deploy-olm-stsflow: deploy-olm ## Deploy via OLM then uninstall CSV/Subscription and provide console URL for standardized flow
+	@echo "Uninstalling CSV and Subscription to trigger standardized flow UI..."
+	-$(OC_CLI) get subscription -n $(OADP_TEST_NAMESPACE) -o name | xargs -I {} $(OC_CLI) get {} -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.metadata.name}{"\t"}{.spec.source}{"\n"}' | grep "oadp-operator-catalog" | cut -f1 | xargs -I {} $(OC_CLI) delete subscription {} -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) delete csv oadp-operator.v$(VERSION) -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	@echo ""
+	@echo "==========================================================================="
+	@echo "Open the following URL in your browser to trigger the standardized flow UI:"
+	@echo ""
+	@CONSOLE_URL=$$($(OC_CLI) get route console -n openshift-console -o jsonpath='{.spec.host}'); \
+	echo "https://$$CONSOLE_URL/operatorhub/ns/$(OADP_TEST_NAMESPACE)?keyword=oadp-operator&details-item=oadp-operator-oadp-operator-catalog-$(OADP_TEST_NAMESPACE)&channel=operator-sdk-run-bundle&version=$(VERSION)"
+	@echo ""
+	@echo "==========================================================================="
+
+.PHONY: deploy-olm-stsflow-gcp
+deploy-olm-stsflow-gcp: deploy-olm-stsflow ## Deploy via OLM with GCP WIF standardized flow and create subscription with GCP env vars
+	@if [ -n "$(GCP_PROJECT_NUM)" ] && [ -n "$(GCP_POOL_ID)" ] && [ -n "$(GCP_PROVIDER_ID)" ] && [ -n "$(GCP_SA_EMAIL)" ]; then \
+		echo "Creating subscription with GCP WIF environment variables..."; \
+		$(call create-sts-subscription,/tmp/oadp-gcp-subscription.yaml); \
+		echo "    - name: PROJECT_NUMBER" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_PROJECT_NUM)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "    - name: POOL_ID" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_POOL_ID)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "    - name: PROVIDER_ID" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_PROVIDER_ID)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "    - name: SERVICE_ACCOUNT_EMAIL" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_SA_EMAIL)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		$(call apply-sts-subscription,/tmp/oadp-gcp-subscription.yaml,GCP WIF); \
+	else \
+		echo ""; \
+		echo "GCP WIF environment variables not set. Please set all of the following:"; \
+		echo "  GCP_PROJECT_NUM"; \
+		echo "  GCP_POOL_ID"; \
+		echo "  GCP_PROVIDER_ID"; \
+		echo "  GCP_SA_EMAIL"; \
+		echo ""; \
+		echo "Example:"; \
+		echo "  make deploy-olm-stsflow-gcp GCP_PROJECT_NUM=123456789 GCP_POOL_ID=my-pool GCP_PROVIDER_ID=my-provider [email protected]"; \
+	fi
+
+.PHONY: deploy-olm-stsflow-aws
+deploy-olm-stsflow-aws: deploy-olm-stsflow ## Deploy via OLM with AWS STS standardized flow and create subscription with AWS env vars
+	@if [ -n "$(AWS_ROLE_ARN)" ]; then \
+		echo "Creating subscription with AWS STS environment variables..."; \
+		$(call create-sts-subscription,/tmp/oadp-aws-subscription.yaml); \
+		echo "    - name: ROLEARN" >> /tmp/oadp-aws-subscription.yaml; \
+		echo "      value: \"$(AWS_ROLE_ARN)\"" >> /tmp/oadp-aws-subscription.yaml; \
+		$(call apply-sts-subscription,/tmp/oadp-aws-subscription.yaml,AWS STS); \
+	else \
+		echo ""; \
+		echo "AWS STS environment variable not set. Please set:"; \
+		echo "  AWS_ROLE_ARN"; \
+		echo ""; \
+		echo "Example:"; \
+		echo "  make deploy-olm-stsflow-aws AWS_ROLE_ARN=arn:aws:iam::123456789012:role/my-oadp-role"; \
+	fi
+
+.PHONY: deploy-olm-stsflow-azure
+deploy-olm-stsflow-azure: deploy-olm-stsflow ## Deploy via OLM with Azure Workload Identity standardized flow and create subscription with Azure env vars
+	@if [ -n "$(AZURE_CLIENT_ID)" ] && [ -n "$(AZURE_TENANT_ID)" ] && [ -n "$(AZURE_SUBSCRIPTION_ID)" ]; then \
+		echo "Creating subscription with Azure Workload Identity environment variables..."; \
+		$(call create-sts-subscription,/tmp/oadp-azure-subscription.yaml); \
+		echo "    - name: CLIENTID" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "      value: \"$(AZURE_CLIENT_ID)\"" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "    - name: TENANTID" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "      value: \"$(AZURE_TENANT_ID)\"" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "    - name: SUBSCRIPTIONID" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "      value: \"$(AZURE_SUBSCRIPTION_ID)\"" >> /tmp/oadp-azure-subscription.yaml; \
+		$(call apply-sts-subscription,/tmp/oadp-azure-subscription.yaml,Azure Workload Identity); \
+	else \
+		echo ""; \
+		echo "Azure Workload Identity environment variables not set. Please set all of the following:"; \
+		echo "  AZURE_CLIENT_ID"; \
+		echo "  AZURE_TENANT_ID"; \
+		echo "  AZURE_SUBSCRIPTION_ID"; \
+		echo ""; \
+		echo "Example:"; \
+		echo "  make deploy-olm-stsflow-azure AZURE_CLIENT_ID=12345678-1234-1234-1234-123456789012 AZURE_TENANT_ID=87654321-4321-4321-4321-210987654321 AZURE_SUBSCRIPTION_ID=abcdef12-3456-7890-abcd-ef1234567890"; \
+	fi
 
 # A valid Git branch from https://github.com/openshift/oadp-operator
 PREVIOUS_CHANNEL ?= oadp-1.5

bundle/manifests/oadp-operator.clusterserviceversion.yaml

@@ -279,8 +279,8 @@ metadata:
     features.operators.openshift.io/proxy-aware: "true"
     features.operators.openshift.io/tls-profiles: "false"
     features.operators.openshift.io/token-auth-aws: "true"
-    features.operators.openshift.io/token-auth-azure: "false"
-    features.operators.openshift.io/token-auth-gcp: "false"
+    features.operators.openshift.io/token-auth-azure: "true"
+    features.operators.openshift.io/token-auth-gcp: "true"
     olm.skipRange: '>=0.0.0 <99.0.0'
     operatorframework.io/suggested-namespace: openshift-adp
     operators.openshift.io/infrastructure-features: '["Disconnected"]'

cmd/main.go

@@ -31,10 +31,8 @@ import (
 	monitor "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	appsv1 "k8s.io/api/apps/v1"
-	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -55,8 +53,9 @@ import (
 
 	oadpv1alpha1 "github.com/openshift/oadp-operator/api/v1alpha1"
 	"github.com/openshift/oadp-operator/internal/controller"
+	pkgclient "github.com/openshift/oadp-operator/pkg/client"
 	//+kubebuilder:scaffold:imports
-	"github.com/openshift/oadp-operator/pkg/common"
+	"github.com/openshift/oadp-operator/pkg/credentials/stsflow"
 	"github.com/openshift/oadp-operator/pkg/leaderelection"
 )
 
@@ -66,8 +65,6 @@ var (
 )
 
 const (
-	// WebIdentityTokenPath mount present on operator CSV
-	WebIdentityTokenPath = "/var/run/secrets/openshift/serviceaccount/token"
 
 	// CloudCredentials API constants
 	CloudCredentialGroupVersion = "cloudcredential.openshift.io/v1"
@@ -113,7 +110,7 @@ func main() {
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	kubeconf := ctrl.GetConfigOrDie()
-
+	pkgclient.SetKubeconf(kubeconf)
 	// Get LeaderElection configs
 	leConfig := leaderelection.GetLeaderElectionConfig(kubeconf, enableLeaderElection)
 
@@ -136,31 +133,10 @@ func main() {
 		os.Exit(1)
 	}
 
-	// check if this is standardized STS workflow via OLM and CCO
-	if common.CCOWorkflow() {
-		setupLog.Info("AWS Role ARN specified by the user, following standardized STS workflow")
-		// ROLEARN env var is set via operator subscription
-		roleARN := os.Getenv("ROLEARN")
-		setupLog.Info("getting role ARN", "role ARN =", roleARN)
-
-		// check if cred request API exists in the cluster before creating a cred request
-		setupLog.Info("Checking if credentialsrequest CRD exists in the cluster")
-		credReqCRDExists, err := DoesCRDExist(CloudCredentialGroupVersion, CloudCredentialsCRDName, kubeconf)
-		if err != nil {
-			setupLog.Error(err, "problem checking the existence of CredentialRequests CRD")
-			os.Exit(1)
-		}
-
-		if credReqCRDExists {
-			// create cred request
-			setupLog.Info(fmt.Sprintf("Creating credentials request for role: %s, and WebIdentityTokenPath: %s", roleARN, WebIdentityTokenPath))
-			if err := CreateOrUpdateCredRequest(roleARN, WebIdentityTokenPath, watchNamespace, kubeconf); err != nil {
-				if !errors.IsAlreadyExists(err) {
-					setupLog.Error(err, "unable to create credRequest")
-					os.Exit(1)
-				}
-			}
-		}
+	// Create Secret and wait for STS cred to exists
+	if _, err := stsflow.STSStandardizedFlow(); err != nil {
+		setupLog.Error(err, "error setting up STS Standardized Flow")
+		os.Exit(1)
 	}
 
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
@@ -234,7 +210,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err := v1.AddToScheme(mgr.GetScheme()); err != nil {
+	if err := apiextensionsv1.AddToScheme(mgr.GetScheme()); err != nil {
 		setupLog.Error(err, "unable to add Kubernetes API extensions to scheme")
 		os.Exit(1)
 	}
@@ -371,80 +347,4 @@ func DoesCRDExist(CRDGroupVersion, CRDName string, kubeconf *rest.Config) (bool,
 		}
 	}
 	return discoveryResult, nil
-
-}
-
-// CreateCredRequest WITP : WebIdentityTokenPath
-func CreateOrUpdateCredRequest(roleARN string, WITP string, secretNS string, kubeconf *rest.Config) error {
-	clientInstance, err := client.New(kubeconf, client.Options{})
-	if err != nil {
-		setupLog.Error(err, "unable to create client")
-	}
-
-	// Extra deps were getting added and existing ones were getting upgraded when the CloudCredentials API was imported
-	// This caused updates to go.mod and started resulting in operator build failures due to incompatibility with the existing velero deps
-	// Hence for now going via the unstructured route
-	credRequest := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": "cloudcredential.openshift.io/v1",
-			"kind":       "CredentialsRequest",
-			"metadata": map[string]interface{}{
-				"name":      "oadp-aws-credentials-request",
-				"namespace": "openshift-cloud-credential-operator",
-			},
-			"spec": map[string]interface{}{
-				"secretRef": map[string]interface{}{
-					"name":      "cloud-credentials",
-					"namespace": secretNS,
-				},
-				"serviceAccountNames": []interface{}{
-					common.OADPOperatorServiceAccount,
-				},
-				"providerSpec": map[string]interface{}{
-					"apiVersion": "cloudcredential.openshift.io/v1",
-					"kind":       "AWSProviderSpec",
-					"statementEntries": []interface{}{
-						map[string]interface{}{
-							"effect": "Allow",
-							"action": []interface{}{
-								"s3:*",
-							},
-							"resource": "arn:aws:s3:*:*:*",
-						},
-					},
-					"stsIAMRoleARN": roleARN,
-				},
-				"cloudTokenPath": WITP,
-			},
-		},
-	}
-	verb := "created"
-	if err := clientInstance.Create(context.Background(), credRequest); err != nil {
-		if errors.IsAlreadyExists(err) {
-			verb = "updated"
-			setupLog.Info("CredentialsRequest already exists, updating")
-			fromCluster := &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"apiVersion": "cloudcredential.openshift.io/v1",
-					"kind":       "CredentialsRequest",
-				},
-			}
-			err = clientInstance.Get(context.Background(), types.NamespacedName{Name: "oadp-aws-credentials-request", Namespace: "openshift-cloud-credential-operator"}, fromCluster)
-			if err != nil {
-				setupLog.Error(err, "unable to get existing credentials request resource")
-				return err
-			}
-			// update spec
-			fromCluster.Object["spec"] = credRequest.Object["spec"]
-			if err := clientInstance.Update(context.Background(), fromCluster); err != nil {
-				setupLog.Error(err, fmt.Sprintf("unable to update credentials request resource, %v, %+v", err, fromCluster.Object))
-				return err
-			}
-		} else {
-			setupLog.Error(err, "unable to create credentials request resource")
-			return err
-		}
-	}
-	setupLog.Info("Custom resource credentialsrequest " + verb + " successfully")
-	return nil
 }

config/manifests/bases/oadp-operator.clusterserviceversion.yaml

@@ -18,8 +18,8 @@ metadata:
     features.operators.openshift.io/proxy-aware: "true"
     features.operators.openshift.io/tls-profiles: "false"
     features.operators.openshift.io/token-auth-aws: "true"
-    features.operators.openshift.io/token-auth-azure: "false"
-    features.operators.openshift.io/token-auth-gcp: "false"
+    features.operators.openshift.io/token-auth-azure: "true"
+    features.operators.openshift.io/token-auth-gcp: "true"
     olm.skipRange: '>=0.0.0 <99.0.0'
     operatorframework.io/suggested-namespace: openshift-adp
     operators.openshift.io/infrastructure-features: '["Disconnected"]'