From 5cdfb5e78892398989fcc6bc3efa7f09030e081c Mon Sep 17 00:00:00 2001
From: Ilias Rinis
Date: Thu, 10 Oct 2024 11:25:14 +0200
Subject: [PATCH] configobservation/auth: remove webhook token authenticator when auth type is OIDC

---
 .../configobservation/auth/webhook_authenticator.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/operator/configobservation/auth/webhook_authenticator.go b/pkg/operator/configobservation/auth/webhook_authenticator.go
index 48b9e05dd0..baaea5d08f 100644
--- a/pkg/operator/configobservation/auth/webhook_authenticator.go
+++ b/pkg/operator/configobservation/auth/webhook_authenticator.go
@@ -11,6 +11,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
+	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/library-go/pkg/operator/configobserver"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
@@ -62,7 +63,7 @@ func ObserveWebhookTokenAuthenticator(genericListers configobserver.Listers, rec
 	}
 	observedWebhookConfigured := len(webhookSecretName) > 0
 
-	if observedWebhookConfigured {
+	if observedWebhookConfigured && auth.Spec.Type != configv1.AuthenticationTypeOIDC {
 		// retrieve the secret from config and validate it, don't proceed on failure
 		kubeconfigSecret, err := listers.ConfigSecretLister().Secrets("openshift-config").Get(webhookSecretName)
 		if err != nil {
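Review bot: The OIDC exclusion added at `if observedWebhookConfigured && auth.Spec.Type != configv1.AuthenticationTypeOIDC {` is repeated verbatim in the next hunk as `if auth.Spec.Type == configv1.AuthenticationTypeOIDC {`; computing it once above this branch, `oidcEnabled := auth.Spec.Type == configv1.AuthenticationTypeOIDC`, keeps the two decisions from drifting apart as the function grows. Nothing in the hunk records that a user-specified webhook secret is deliberately ignored rather than merely left unsynced once the type is OIDC, so a comment on the condition such as `// an OIDC authentication type takes precedence: a configured webhook is ignored and removed below` would spare the next reader the inference. `auth` and the rest of ObserveWebhookTokenAuthenticator are defined outside this hunk, so whether a zero-valued `auth` can reach this point cannot be checked here.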
@@ -87,6 +88,15 @@ func ObserveWebhookTokenAuthenticator(genericListers configobserver.Listers, rec
 			resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: webhookSecretName},
 		)
 	} else {
+		if auth.Spec.Type == configv1.AuthenticationTypeOIDC {
+			if _, err := listers.ConfigmapLister_.ConfigMaps(operatorclient.TargetNamespace).Get(AuthConfigCMName); errors.IsNotFound(err) {
+				// auth-config does not exist in target namespace yet; do not remove webhook until it's there
+				return existingConfig, errs
+			} else if err != nil {
+				return existingConfig, append(errs, err)
+			}
+		}
+
 		// don't sync anything and remove whatever we synced
 		resourceSyncer.SyncSecret(
 			resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "webhook-authenticator"},
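Review bot: The wait at `errors.IsNotFound(err)` gates webhook removal only on the auth-config ConfigMap existing in the target namespace, not on the apiserver having loaded it, so there may still be a window in which the webhook token authenticator is dropped before OIDC authentication is actually serving; if a rollout or revision signal is available to this observer, gating on that would close the gap, but that cannot be confirmed from the hunk since ObserveWebhookTokenAuthenticator begins and ends outside it. The early `return existingConfig, errs` is silent: unlike the error path just below it, nothing is emitted when removal is deferred, so an operator asking why a webhook lingers after switching to OIDC gets no signal — an event on the recorder parameter (its name is cut at `rec` in the hunk header) would make the deferral visible. `listers.ConfigmapLister_` reads as a field access while the surrounding code uses the method form `listers.ConfigSecretLister()`; if the underscore-suffixed field is the project's own accessor that is fine, otherwise the method form would be consistent. The `errors.IsNotFound` call presumes `errors` resolves to the Kubernetes API errors package rather than the standard library; the import block where that is decided is not in view.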