1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -2,6 +2,7 @@
*.swp
*~
.idea
.vscode
/docs/site
bin
build
10 changes: 5 additions & 5 deletions apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,13 +1,13 @@
ack_generate_info:
build_date: "2025-09-19T16:50:59Z"
build_hash: 6b4211163dcc34776b01da9a18217bac0f4103fd
go_version: go1.24.6
version: v0.52.0
build_date: "2025-09-30T23:38:44Z"
build_hash: 37562000612658e62686882f1b4b924049d1e38c
go_version: go1.25.0
version: v0.52.0-5-g3756200
api_directory_checksum: fcb205ac280ed1b0f107a291e5ea43d93c0991e9
api_version: v1alpha1
aws_sdk_go_version: v1.32.6
generator_config_info:
file_checksum: 9e30795ffa094ac7b68fe2bcb6913b0a2d7bccba
file_checksum: ceef3af34f41f300f4d827886f35d272f50cb38c
original_file_name: generator.yaml
last_modification:
reason: API generation
2 changes: 2 additions & 0 deletions apis/v1alpha1/generator.yaml
Expand Up @@ -277,6 +277,8 @@ resources:
is_immutable: true
compare:
is_ignored: true
Thumbprints:
late_initialize: {}
Tags:
compare:
is_ignored: true
2 changes: 1 addition & 1 deletion config/crd/bases/iam.services.k8s.aws_groups.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: groups.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: instanceprofiles.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: openidconnectproviders.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion config/crd/bases/iam.services.k8s.aws_policies.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: policies.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion config/crd/bases/iam.services.k8s.aws_roles.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: roles.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: servicelinkedroles.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion config/crd/bases/iam.services.k8s.aws_users.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: users.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 2 additions & 0 deletions generator.yaml
Expand Up @@ -277,6 +277,8 @@ resources:
is_immutable: true
compare:
is_ignored: true
Thumbprints:
late_initialize: {}
Tags:
compare:
is_ignored: true
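Review bot: The new `Thumbprints:` / `late_initialize: {}` entry carries no comment recording why the server-computed value is adopted into spec; the resource it belongs to is outside the hunk, presumably OpenIDConnectProvider given the rest of the PR. Late initialization means the thumbprint IAM derives from the issuer's TLS chain at create time is written back as desired state, so a later rotation of that chain leaves a stale thumbprint in spec; whether the controller would then push that stale value back to IAM depends on how Thumbprints is compared and updated, which this hunk does not show. A one-line comment above the entry would record the intent for the next maintainer, e.g. `# IAM computes the thumbprint from the issuer's TLS chain when spec omits it; adopt it so spec matches what AWS stored`.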
2 changes: 1 addition & 1 deletion helm/crds/iam.services.k8s.aws_groups.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: groups.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/iam.services.k8s.aws_instanceprofiles.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: instanceprofiles.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/iam.services.k8s.aws_openidconnectproviders.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: openidconnectproviders.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/iam.services.k8s.aws_policies.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: policies.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/iam.services.k8s.aws_roles.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: roles.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/iam.services.k8s.aws_servicelinkedroles.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: servicelinkedroles.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/iam.services.k8s.aws_users.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: users.iam.services.k8s.aws
spec:
group: iam.services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/services.k8s.aws_adoptedresources.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: adoptedresources.services.k8s.aws
spec:
group: services.k8s.aws
2 changes: 1 addition & 1 deletion helm/crds/services.k8s.aws_fieldexports.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.2
controller-gen.kubebuilder.io/version: v0.19.0
name: fieldexports.services.k8s.aws
spec:
group: services.k8s.aws
13 changes: 11 additions & 2 deletions pkg/resource/open_id_connect_provider/manager.go


2 changes: 2 additions & 0 deletions test/e2e/bootstrap_resources.py
Expand Up @@ -18,12 +18,14 @@
from dataclasses import dataclass
from acktest.bootstrapping import Resources
from acktest.bootstrapping.iam import UserPolicies, Role
from acktest.bootstrapping.cognito_identity import UserPool
from e2e import bootstrap_directory

@dataclass
class BootstrapResources(Resources):
AdoptedPolicy: UserPolicies
AdoptedRole: Role
OIDCProviderUserPool: UserPool
_bootstrap_resources = None

def get_bootstrap_resources(bootstrap_file_name: str = "bootstrap.pkl") -> BootstrapResources:
12 changes: 12 additions & 0 deletions test/e2e/resources/open_id_connect_provider_no_thumbprint.yaml
@@ -0,0 +1,12 @@
apiVersion: iam.services.k8s.aws/v1alpha1
kind: OpenIDConnectProvider
metadata:
name: $OPEN_ID_CONNECT_PROVIDER_NAME
spec:
url: $URL
clientIDs:
- $CLIENT_ID
tags:
- key: $TAG_KEY
value: $TAG_VALUE

4 changes: 3 additions & 1 deletion test/e2e/service_bootstrap.py
Expand Up @@ -19,6 +19,7 @@

from acktest.bootstrapping import Resources, BootstrapFailureException
from acktest.bootstrapping.iam import UserPolicies, Role
from acktest.bootstrapping.cognito_identity import UserPool
from e2e import bootstrap_directory
from e2e.bootstrap_resources import BootstrapResources

Expand All @@ -38,7 +39,8 @@ def service_bootstrap() -> Resources:
})
resources = BootstrapResources(
AdoptedPolicy=UserPolicies("adopted-policies", policy_documents=[sample_policy]),
AdoptedRole=Role("adopted-role", "eks.amazonaws.com", managed_policies=["arn:aws:iam::aws:policy/AmazonSQSFullAccess", "arn:aws:iam::aws:policy/AmazonEC2FullAccess"])
AdoptedRole=Role("adopted-role", "eks.amazonaws.com", managed_policies=["arn:aws:iam::aws:policy/AmazonSQSFullAccess", "arn:aws:iam::aws:policy/AmazonEC2FullAccess"]),
OIDCProviderUserPool=UserPool(name_prefix="oidc-test-pool")
)

try:
87 changes: 87 additions & 0 deletions test/e2e/tests/test_open_id_connect_provider.py
Expand Up @@ -15,6 +15,7 @@

import logging
import time
import boto3

import pytest

Expand All @@ -25,6 +26,7 @@
from e2e.replacement_values import REPLACEMENT_VALUES
from e2e import open_id_connect_provider
from e2e import tag
from e2e.bootstrap_resources import get_bootstrap_resources

RESOURCE_PLURAL = "openidconnectproviders"

Expand All @@ -33,6 +35,12 @@
MODIFY_WAIT_AFTER_SECONDS = 10


def get_cognito_user_pool_well_known_url(region: str, user_pool_id: str):
"""Returns the JWKS URL for token verification."""
return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"



@pytest.fixture
def oidc_provider():
# required:
Expand Down Expand Up @@ -79,6 +87,45 @@ def oidc_provider():
except:
pass

@pytest.fixture
def oidc_provider_no_thumbprint(iam_client):
oidc_provider_name = random_suffix_name("oidc-provider-ack-test", 24)

replacements = REPLACEMENT_VALUES.copy()
replacements["OPEN_ID_CONNECT_PROVIDER_NAME"] = oidc_provider_name

region = boto3.Session().region_name
cognito_user_pool_id = get_bootstrap_resources().OIDCProviderUserPool.user_pool_id
replacements["URL"] = get_cognito_user_pool_well_known_url(region, cognito_user_pool_id)

replacements["CLIENT_ID"] = "phippy"
replacements["TAG_KEY"] = "tag1"
replacements["TAG_VALUE"] = "val1"

resource_data = load_resource(
"open_id_connect_provider_no_thumbprint",
additional_replacements=replacements,
)

ref = k8s.CustomResourceReference(
CRD_GROUP,
CRD_VERSION,
RESOURCE_PLURAL,
oidc_provider_name,
namespace="default",
)
k8s.create_custom_resource(ref, resource_data)
cr = k8s.wait_resource_consumed_by_controller(ref)

yield (ref, cr)

# Delete the OIDC provider when tests complete
try:
_, deleted = k8s.delete_custom_resource(ref, 3, 10)
assert deleted
except:
pass


def assert_url_equals_ignore_prefix(url, match):
if url.startswith("https://"):
Expand All @@ -90,6 +137,46 @@ def assert_url_equals_ignore_prefix(url, match):
@service_marker
@pytest.mark.canary
class TestOpenIdConnectProvider:

def test_without_thumbprint(self, oidc_provider_no_thumbprint):
(ref, cr) = oidc_provider_no_thumbprint

k8s.wait_on_condition(ref, condition.CONDITION_TYPE_RESOURCE_SYNCED, "True")
cr = k8s.get_resource(ref)
condition.assert_synced(ref)

cr = k8s.get_resource(ref)
assert cr is not None
assert "thumbprints" in cr["spec"]
assert len(cr["spec"]["thumbprints"]) > 0


assert "status" in cr
assert "ackResourceMetadata" in cr["status"]
assert "arn" in cr["status"]["ackResourceMetadata"]
oidc_provider_arn = cr["status"]["ackResourceMetadata"]["arn"]

latest_oidcp_boto3 = open_id_connect_provider.get(oidc_provider_arn)
assert latest_oidcp_boto3 is not None
assert len(latest_oidcp_boto3["ThumbprintList"]) == len(cr["spec"]["thumbprints"])
assert set(latest_oidcp_boto3["ThumbprintList"]) == set(cr["spec"]["thumbprints"])

# Trigger reconcile with an update to tags.
updates = {
"spec": {
"tags": [{"key": "key2", "value": "val2"}],
},
}

k8s.patch_custom_resource(ref, updates)
time.sleep(MODIFY_WAIT_AFTER_SECONDS)
k8s.wait_on_condition(ref, condition.CONDITION_TYPE_RESOURCE_SYNCED, "True")
condition.assert_synced(ref)

after_update_expected_tags = [{"Key": "key2", "Value": "val2"}]
latest_tags = open_id_connect_provider.get_tags(oidc_provider_arn)
assert tag.cleaned(latest_tags) == after_update_expected_tags

def test_crud(self, oidc_provider):
(ref, cr) = oidc_provider

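Review bot: The docstring on `get_cognito_user_pool_well_known_url` says it "Returns the JWKS URL for token verification", but the value it builds is the bare issuer URL `https://cognito-idp.{region}.amazonaws.com/{user_pool_id}` — the JWKS for a Cognito pool is served under `/.well-known/jwks.json`, and the issuer URL is what IAM expects as the provider `url`, so the current wording invites someone to later "fix" the test resource to point at the JWKS document instead. I would change it to `"""Returns the Cognito user pool's OIDC issuer URL (the value IAM expects as the provider url); its JWKS lives at <issuer>/.well-known/jwks.json."""`. In `oidc_provider_no_thumbprint`, `boto3.Session().region_name` is `None` when no default region is configured, which silently yields a `cognito-idp.None.amazonaws.com` URL; an `assert region, "an AWS region must be configured for the OIDC provider URL"` right after that line would fail fast, and the `iam_client` fixture parameter appears unused. The cleanup's bare `except: pass` mirrors the existing `oidc_provider` fixture, but `except Exception:` with a `logging.warning` would at least keep a failed delete (and the leaked IAM provider) visible in the test log.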