Try to find and verify existing OIDC providers before we try to create a new one

[codablock]

What type of PR is this?
/kind bug

What this PR does / why we need it:
When moving clusters between management clusters, ControlPlane.Status.OIDCProvider.ARN
is lost. The new management cluster must then pickup the already existing
cluster, as otherwise it tries to create the same provider again and then
fails.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist:

• squashed commits
• includes documentation
• adds unit tests
• adds or updates e2e tests

Release note:

Try to find and verify existing OIDC providers before we try to create a new one

[k8s-ci-robot]

@codablock: This issue is currently awaiting triage.

If CAPA/CAPI contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @codablock. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[randomvariable]

/ok-to-test

[richardcase]

Shame we stored this in the status in the original implementation.

@codablock - do you see any potential issues (i.e. edge cases) with trying to to automatically find the oidc provider?

[codablock]

@richardcase I can't imagine any. I was first thinking that I could also try to update an existing OIDC provider's thumbprint ind client IDs, but then decided that I should not touch them as we can't know for sure WHY they would differ from the expected values...if they do, there is probably a good reason (e.g. manually created provider, for whatever reason).

[codablock]

@richardcase Any update on how to proceed with this PR?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[richardcase]

/lifecycle frozen

This looks good to me. I can't imagine any issues with this myself. @sedefsavas - what do you think?

[k8s-ci-robot]

@richardcase: The lifecycle/frozen label cannot be applied to Pull Requests.

In response to this:

/lifecycle frozen

This looks good to me. I can't imagine any issues with this myself. @sedefsavas - what do you think?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[richardcase]

@codablock - this looks good to me. Do you think there is anyway we can add a test around this functionality?

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[codablock]

Unfortunately I'm a bit overloaded atm and won't find time to add tests.

[richardcase]

/help

[Skarlso]

This is a nightmare to test. :D

After I finally managed to get the HTTPS test server working with proper certs, now I'm in trouble with PatchObject... :D

[Skarlso]

Yesss!! Almost there. :D now trying to reconcile the LAST HURDLE. :D This part:

	if err := s.reconcileTrustPolicy(); err != nil {
		return errors.Wrap(err, "failed to reconcile trust policy in workload cluster")
	}

:D

[Skarlso]

OH. MY. GODS.

I0929 22:29:41.349199   66964 oidc.go:54] "Reconciling EKS OIDC Provider" cluster-name=0xc000200960
--- PASS: TestOIDCReconcile (0.05s)
    --- PASS: TestOIDCReconcile/cluster_create_with_no_OIDC_provider_present_yet_should_create_one (0.05s)
PASS

Edit: NOPE. My Kind test cluster was running and it connected to that. :(

[Skarlso]

Hah! I found a bug! :D :D Testing++++++

[Skarlso]

@richardcase @codablock This was DIFFICULT not gonna lie. :D But I added a test. :) And I found a bug where this was being done:

		if fmt.Sprintf("https://%s", *provider.Url) != issuerURL.String() {
			continue
		}

But the provider url MUST contain https already anyways so this errored. Now, was there a reason for this being there?
I can add a thing like, check if https is there and if not, append it. But the specification is telling me there should be https on the retrieved provider always. 🤷

[Skarlso]

TLS handshake error from 127.0.0.1:36514: remote error: tls: bad certificate

Sh*t. I was afraid of that. :/ The certificate is not installed/recognised by the local environment. So it doesn't like it.

[Skarlso]

Dang it. This won't work. :( I have to find a different approach and mock the http client completely.

[Skarlso]

Sadly, I can't create a legit https service because the certificate is not trusted. So I had to fall back to making the client mockable.

If anyone has a better idea, I'm all ears.

Also, I made this an option to minimise the impact on changing NewService.

[Skarlso]

"Funny" how noctx never noticed "http.Get" but noticed client.Get immediately. Tsk, tsk, tsk.

[Skarlso]

This is now ready for review. :)

[Skarlso]

ping @Ankitasw as Richard is OOO. :))

[Skarlso]

/test ?

[k8s-ci-robot]

@Skarlso: The following commands are available to trigger required jobs:

• /test pull-cluster-api-provider-aws-build
• /test pull-cluster-api-provider-aws-test
• /test pull-cluster-api-provider-aws-verify

The following commands are available to trigger optional jobs:

• /test pull-cluster-api-provider-aws-apidiff-main
• /test pull-cluster-api-provider-aws-e2e
• /test pull-cluster-api-provider-aws-e2e-blocking
• /test pull-cluster-api-provider-aws-e2e-clusterclass
• /test pull-cluster-api-provider-aws-e2e-conformance
• /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
• /test pull-cluster-api-provider-aws-e2e-eks

Use /test all to run the following jobs that were automatically triggered:

• pull-cluster-api-provider-aws-apidiff-main
• pull-cluster-api-provider-aws-build
• pull-cluster-api-provider-aws-test
• pull-cluster-api-provider-aws-verify

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Skarlso]

/test pull-cluster-api-provider-aws-e2e-eks

Hmm, hmm, unsure if this passes oidc part. Probably not. But at least it will test that EKS didn't break. :)

[Skarlso]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Skarlso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Skarlso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment