fetch audiences outside of main, move label

controllers/dscinitialization/dscinitialization_controller.go

@@ -67,7 +67,6 @@ type DSCInitializationReconciler struct { //nolint:golint,revive // Readability
 	Log                   logr.Logger
 	Recorder              record.EventRecorder
 	ApplicationsNamespace string
-	Audiences             []string
 }
 
 // +kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations/status,verbs=get;update;patch;delete

controllers/dscinitialization/servicemesh_setup.go

@@ -1,19 +1,28 @@
 package dscinitialization
 
 import (
+	"context"
+	"fmt"
 	"path"
 	"reflect"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
+	authentication "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	dsciv1 "github.com/opendatahub-io/opendatahub-operator/v2/apis/dscinitialization/v1"
 	"github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature"
 	"github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh"
 )
 
-// Default value of audiences for DSCI.SM.auth.
-var defaultAudiences = []string{"https://kubernetes.default.svc"}
+var (
+	// Default value of audiences for DSCI.SM.auth.
+	defaultAudiences = []string{"https://kubernetes.default.svc"}
+	smSetupLog       = ctrl.Log.WithName("setup")
+)
 
 func (r *DSCInitializationReconciler) configureServiceMesh(instance *dsciv1.DSCInitialization) error {
 	switch instance.Spec.ServiceMesh.ManagementState {
@@ -33,7 +42,6 @@ func (r *DSCInitializationReconciler) configureServiceMesh(instance *dsciv1.DSCI
 			return err
 		}
 	}
-
 	return nil
 }
 
@@ -92,7 +100,7 @@ func (r *DSCInitializationReconciler) configureServiceMeshFeatures() feature.Fea
 
 		cfgMapErr := feature.CreateFeature("mesh-shared-configmap").
 			For(handler).
-			WithResources(servicemesh.MeshRefs, servicemesh.AuthRefs(definedAudiencesOrDefault(handler.ServiceMesh.Auth.Audiences, r.Audiences))).
+			WithResources(servicemesh.MeshRefs, servicemesh.AuthRefs(definedAudiencesOrDefault(handler.ServiceMesh.Auth.Audiences))).
 			Load()
 		if cfgMapErr != nil {
 			return cfgMapErr
@@ -140,9 +148,41 @@ func isDefaultAudiences(specAudiences *[]string) bool {
 }
 
 // definedAudiencesOrDefault returns the default audiences if the provided audiences are default, otherwise it returns the provided audiences.
-func definedAudiencesOrDefault(handlerAudiences *[]string, defaultAudiences []string) []string {
-	if isDefaultAudiences(handlerAudiences) {
+func definedAudiencesOrDefault(specAudiences *[]string) []string {
+	if isDefaultAudiences(specAudiences) {
+		return fetchClusterAudiences()
+	}
+	return *specAudiences
+}
+
+func fetchClusterAudiences() []string {
+	restCfg, err := config.GetConfig()
+	if err != nil {
+		smSetupLog.Error(err, "Error getting config, using default audiences")
 		return defaultAudiences
 	}
-	return *handlerAudiences
+
+	tokenReview := &authentication.TokenReview{
+		Spec: authentication.TokenReviewSpec{
+			Token: restCfg.BearerToken,
+		},
+	}
+
+	tokenReviewClient, err := client.New(restCfg, client.Options{})
+	if err != nil {
+		smSetupLog.Error(err, "Error creating client, using default audiences")
+		return defaultAudiences
+	}
+
+	if err = tokenReviewClient.Create(context.Background(), tokenReview, &client.CreateOptions{}); err != nil {
+		smSetupLog.Error(err, "Error creating TokenReview, using default audiences")
+		return defaultAudiences
+	}
+
+	if tokenReview.Status.Error != "" || !tokenReview.Status.Authenticated {
+		smSetupLog.Error(fmt.Errorf(tokenReview.Status.Error), "Error with token review authentication status, using default audiences")
+		return defaultAudiences
+	}
+
+	return tokenReview.Status.Audiences
 }

main.go

@@ -33,7 +33,6 @@ import (
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	admv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
-	authentication "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	netv1 "k8s.io/api/networking/v1"
 	authv1 "k8s.io/api/rbac/v1"
@@ -145,28 +144,12 @@ func main() { //nolint:funlen
 
 	(&webhook.OpenDataHubWebhook{}).SetupWithManager(mgr)
 
-	tokenReview := &authentication.TokenReview{
-		Spec: authentication.TokenReviewSpec{
-			Token: mgr.GetConfig().BearerToken,
-		},
-	}
-
-	var audiences []string
-	if err = mgr.GetClient().Create(context.Background(), tokenReview, &client.CreateOptions{}); err != nil {
-		setupLog.Error(err, "error creating TokenReview, unable to obtain the cluster config")
-	} else if tokenReview.Status.Error != "" || !tokenReview.Status.Authenticated {
-		setupLog.Error(err, "error with token review authentication status")
-	} else {
-		audiences = tokenReview.Status.Audiences
-	}
-
 	if err = (&dscicontr.DSCInitializationReconciler{
 		Client:                mgr.GetClient(),
 		Scheme:                mgr.GetScheme(),
 		Log:                   ctrl.Log.WithName(operatorName).WithName("controllers").WithName("DSCInitialization"),
 		Recorder:              mgr.GetEventRecorderFor("dscinitialization-controller"),
 		ApplicationsNamespace: dscApplicationsNamespace,
-		Audiences:             audiences,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "DSCInitiatlization")
 		os.Exit(1)

pkg/feature/servicemesh/resources.go

@@ -1,6 +1,7 @@
 package servicemesh
 
 import (
+	"github.com/opendatahub-io/opendatahub-operator/v2/pkg/metadata/labels"
 	"strings"
 
 	"github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster"
@@ -42,7 +43,7 @@ func AuthRefs(audiences []string) feature.Action {
 		data := map[string]string{
 			"AUTH_AUDIENCE":   audiencesList,
 			"AUTH_PROVIDER":   namespace + "-auth-provider",
-			"AUTHORINO_LABEL": "security.opendatahub.io/authorization-group=default",
+			"AUTHORINO_LABEL": labels.ODH.AuthorizationGroup("default"),
 		}
 
 		_, err := cluster.CreateOrUpdateConfigMap(

pkg/metadata/labels/types.go

@@ -1,6 +1,7 @@
 package labels
 
 const ODHAppPrefix = "app.opendatahub.io"
+const ODHSecurityPrefix = "security.opendatahub.io"
 
 // K8SCommon keeps common kubernetes labels [1]
 // used across the project.
@@ -13,11 +14,13 @@ var K8SCommon = struct {
 
 // ODH holds Open Data Hub specific labels grouped by types.
 var ODH = struct {
-	OwnedNamespace string
-	Component      func(string) string
+	OwnedNamespace     string
+	Component          func(string) string
+	AuthorizationGroup func(string) string
 }{
 	OwnedNamespace: "opendatahub.io/generated-namespace",
 	Component: func(name string) string {
 		return ODHAppPrefix + "/" + name
 	},
+	AuthorizationGroup: func(group string) string { return ODHSecurityPrefix + "/authorization-group=" + group },
 }