*: stop checking for the STS feature gate

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
openshift · Jul 24, 2023 · 87d5310 · 87d5310
1 parent 1f37b78
commit 87d5310
Show file tree

Hide file tree

Showing 13 changed files with 29 additions and 167 deletions.
diff --git a/pkg/aws/actuator/actuator.go b/pkg/aws/actuator/actuator.go
@@ -69,23 +69,21 @@ var _ actuatoriface.Actuator = (*AWSActuator)(nil)
 
 // AWSActuator implements the CredentialsRequest Actuator interface to create credentials in AWS.
 type AWSActuator struct {
-	Client                             client.Client
-	RootCredClient                     client.Client
-	LiveClient                         client.Client
-	AWSClientBuilder                   func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
-	Scheme                             *runtime.Scheme
-	AWSSecurityTokenServiceGateEnabled bool
+	Client           client.Client
+	RootCredClient   client.Client
+	LiveClient       client.Client
+	AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
+	Scheme           *runtime.Scheme
 }
 
 // NewAWSActuator creates a new AWSActuator.
-func NewAWSActuator(client, rootCredClient, liveClient client.Client, scheme *runtime.Scheme, awsSecurityTokenServiceGateEnabled bool) (*AWSActuator, error) {
+func NewAWSActuator(client, rootCredClient, liveClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) {
 	return &AWSActuator{
-		Client:                             client,
-		LiveClient:                         liveClient,
-		RootCredClient:                     rootCredClient,
-		AWSClientBuilder:                   awsutils.ClientBuilder,
-		Scheme:                             scheme,
-		AWSSecurityTokenServiceGateEnabled: awsSecurityTokenServiceGateEnabled,
+		Client:           client,
+		LiveClient:       liveClient,
+		RootCredClient:   rootCredClient,
+		AWSClientBuilder: awsutils.ClientBuilder,
+		Scheme:           scheme,
 	}, nil
 }
 
@@ -116,10 +114,6 @@ func DecodeProviderSpec(codec *minterv1.ProviderCodec, cr *minterv1.CredentialsR
 	return nil, fmt.Errorf("no providerSpec defined")
 }
 
-func (a *AWSActuator) STSFeatureGateEnabled() bool {
-	return a.AWSSecurityTokenServiceGateEnabled
-}
-
 // Checks if the credentials currently exist.
 //
 // To do this we will check if the target secret exists. This call is only used to determine
@@ -334,17 +328,12 @@ func (a *AWSActuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest)
 		logger.Debug("credentials already up to date")
 		return nil
 	}
-	stsDetected := false
-	stsFeatureGateEnabled := a.STSFeatureGateEnabled()
-	if stsFeatureGateEnabled {
-		stsDetected, err = utils.IsTimedTokenCluster(a.Client, ctx, logger)
-		if err != nil {
-			return err
-		}
+	stsDetected, err := utils.IsTimedTokenCluster(a.Client, ctx, logger)
+	if err != nil {
+		return err
 	}
-	logger.Infof("stsFeatureGateEnabled: %v", stsFeatureGateEnabled)
 	logger.Infof("stsDetected: %v", stsDetected)
-	if stsFeatureGateEnabled && stsDetected {
+	if stsDetected {
 		logger.Debug("actuator detected STS enabled cluster, enabling STS secret brokering for CredentialsRequests providing an IAM Role ARN")
 		awsSTSIAMRoleARN, err := awsSTSIAMRoleARN(minterv1.Codec, cr)
 		if err != nil {

diff --git a/pkg/aws/actuator/actuator_test.go b/pkg/aws/actuator/actuator_test.go
@@ -577,7 +577,6 @@ func TestDetectSTS(t *testing.T) {
 		wantErr            assert.ErrorAssertionFunc
 		CredentialsRequest *minterv1.CredentialsRequest
 		issuer             string
-		stsEnabled         bool
 	}{
 		{
 			name: "empty ServiceAccountIssuer on AWS STS-enabled CCO in Manual mode should error",
@@ -614,9 +613,8 @@ func TestDetectSTS(t *testing.T) {
 				}
 				return cr
 			}(),
-			issuer:     "non-empty",
-			stsEnabled: true,
-			wantErr:    assert.NoError,
+			issuer:  "non-empty",
+			wantErr: assert.NoError,
 		},
 		{
 			name: "STS mode and with a CloudTokenString and CloudTokenPath set in CredentialsRequest should create Secret & not error",
@@ -634,9 +632,8 @@ func TestDetectSTS(t *testing.T) {
 				cr.Spec.CloudTokenPath = "/var/token"
 				return cr
 			}(),
-			issuer:     "non-empty",
-			stsEnabled: true,
-			wantErr:    assert.NoError,
+			issuer:  "non-empty",
+			wantErr: assert.NoError,
 		},
 	}
 	for _, test := range tests {
@@ -651,9 +648,8 @@ func TestDetectSTS(t *testing.T) {
 				panic(err)
 			}
 			a := &AWSActuator{
-				Client:                             fakeClient,
-				RootCredClient:                     fakeAdminClient,
-				AWSSecurityTokenServiceGateEnabled: test.stsEnabled,
+				Client:         fakeClient,
+				RootCredClient: fakeAdminClient,
 			}
 			test.wantErr(t, a.sync(context.Background(), test.CredentialsRequest), fmt.Sprintf("sync(%v)", test.CredentialsRequest))
 		})

diff --git a/pkg/azure/actuator.go b/pkg/azure/actuator.go
@@ -49,10 +49,6 @@ type Actuator struct {
 	credentialMinterBuilder credentialMinterBuilder
 }
 
-func (a *Actuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 func NewActuator(c, rootCredClient client.Client, cloudName configv1.AzureCloudEnvironment) (*Actuator, error) {
 	client := newClientWrapper(c, rootCredClient)
 	return &Actuator{

diff --git a/pkg/cmd/operator/cmd.go b/pkg/cmd/operator/cmd.go
@@ -106,12 +106,6 @@ func NewOperator() *cobra.Command {
 				ctrlruntimelog.SetLogger(logr.New(ctrlruntimelog.NullLogSink{}))
 
 				log.Info("checking prerequisites")
-				featureGates, err := platform.GetFeatureGates(ctx)
-				if err != nil {
-					log.WithError(err).Fatal("unable to read feature gates")
-				}
-				awsSecurityTokenServiceGateEnabled := featureGates.Enabled(configv1.FeatureGateAWSSecurityTokenService)
-
 				kubeconfigCommandLinePath := cmd.PersistentFlags().Lookup("kubeconfig").Value.String()
 				rules := clientcmd.NewDefaultClientConfigLoadingRules()
 				rules.ExplicitPath = kubeconfigCommandLinePath
@@ -213,7 +207,7 @@ func NewOperator() *cobra.Command {
 
 				// Setup all Controllers
 				log.Info("setting up controllers")
-				if err := controller.AddToManager(mgr, rootMgr, kubeconfigCommandLinePath, coreClient, awsSecurityTokenServiceGateEnabled); err != nil {
+				if err := controller.AddToManager(mgr, rootMgr, kubeconfigCommandLinePath, coreClient); err != nil {
 					log.WithError(err).Fatal("unable to register controllers to the manager")
 				}
 

diff --git a/pkg/gcp/actuator/actuator.go b/pkg/gcp/actuator/actuator.go
@@ -65,10 +65,6 @@ type Actuator struct {
 	GCPClientBuilder func(string, []byte) (ccgcp.Client, error)
 }
 
-func (a *Actuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // NewActuator initializes and returns a new Actuator for GCP.
 func NewActuator(c, rootCredClient client.Client, projectName string) (*Actuator, error) {
 	return &Actuator{

diff --git a/pkg/kubevirt/actuator.go b/pkg/kubevirt/actuator.go
@@ -41,10 +41,6 @@ type KubevirtActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *KubevirtActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 const (
 	KubevirtCredentialsSecretKey = "kubeconfig"
 )

diff --git a/pkg/openstack/actuator.go b/pkg/openstack/actuator.go
@@ -42,10 +42,6 @@ type OpenStackActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *OpenStackActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // NewOpenStackActuator creates a new OpenStack actuator.
 func NewOpenStackActuator(client, rootCredClient client.Client) (*OpenStackActuator, error) {
 	return &OpenStackActuator{

diff --git a/pkg/operator/controller.go b/pkg/operator/controller.go
@@ -66,7 +66,7 @@ var AddToManagerFuncs []func(manager.Manager, manager.Manager, string) error
 var AddToManagerWithActuatorFuncs []func(manager.Manager, manager.Manager, actuator.Actuator, configv1.PlatformType, corev1client.CoreV1Interface) error
 
 // AddToManager adds all Controllers to the Manager
-func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClient corev1client.CoreV1Interface, awsSecurityTokenServiceGateEnabled bool) error {
+func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClient corev1client.CoreV1Interface) error {
 	for _, f := range AddToManagerFuncs {
 		if err := f(m, rootM, explicitKubeconfig); err != nil {
 			return err
@@ -86,7 +86,7 @@ func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClien
 		switch platformType {
 		case configv1.AWSPlatformType:
 			log.Info("initializing AWS actuator")
-			a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), utils.LiveClient(m), m.GetScheme(), awsSecurityTokenServiceGateEnabled)
+			a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), utils.LiveClient(m), m.GetScheme())
 			if err != nil {
 				return err
 			}

diff --git a/pkg/operator/credentialsrequest/actuator/actuator.go b/pkg/operator/credentialsrequest/actuator/actuator.go
@@ -46,8 +46,6 @@ type Actuator interface {
 	Upgradeable(operatorv1.CloudCredentialsMode) *configv1.ClusterOperatorStatusCondition
 	// GetCredentialsRootSecret returns the credentials root secret.
 	GetCredentialsRootSecret(ctx context.Context, cr *minterv1.CredentialsRequest) (*corev1.Secret, error)
-	// Query STSFeatureGateEnabled.
-	STSFeatureGateEnabled() bool
 }
 
 type DummyActuator struct {
@@ -86,10 +84,6 @@ func (a *DummyActuator) GetCredentialsRootSecret(ctx context.Context, cr *minter
 	return nil, nil
 }
 
-func (a *DummyActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 type ActuatorError struct {
 	ErrReason minterv1.CredentialsRequestConditionType
 	Message   string

diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller.go b/pkg/operator/credentialsrequest/credentialsrequest_controller.go
@@ -19,11 +19,12 @@ package credentialsrequest
 import (
 	"context"
 	"fmt"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/util/retry"
 	"reflect"
 	"time"
 
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/util/retry"
+
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/time/rate"
 	corev1applyconfigurations "k8s.io/client-go/applyconfigurations/core/v1"
@@ -518,11 +519,7 @@ func (r *ReconcileCredentialsRequest) Reconcile(ctx context.Context, request rec
 	mode, conflict, err := utils.GetOperatorConfiguration(r.Client, logger)
 
 	stsDetected := false
-	stsFeatureGateEnabled := r.Actuator.STSFeatureGateEnabled()
-
-	if stsFeatureGateEnabled {
-		stsDetected, _ = utils.IsTimedTokenCluster(r.Client, ctx, logger)
-	}
+	stsDetected, _ = utils.IsTimedTokenCluster(r.Client, ctx, logger)
 	if err != nil {
 		logger.WithError(err).Error("error checking if operator is disabled")
 		return reconcile.Result{}, err
@@ -679,7 +676,7 @@ func (r *ReconcileCredentialsRequest) Reconcile(ctx context.Context, request rec
 	} else {
 		crSecretExists = true
 	}
-	if stsFeatureGateEnabled && stsDetected {
+	if stsDetected {
 		// create time-based tokens based on settings in CredentialsRequests
 		logger.Debugf("timed token access cluster detected: %t, so not trying to provision with root secret",
 			stsDetected)

diff --git a/pkg/operator/platform/platform.go b/pkg/operator/platform/platform.go
@@ -2,26 +2,13 @@ package platform
 
 import (
 	"context"
-	"fmt"
-	"os"
-	"time"
 
-	"github.com/openshift/cloud-credential-operator/pkg/operator/constants"
 	"github.com/openshift/cloud-credential-operator/pkg/util"
 
-	log "github.com/sirupsen/logrus"
-
 	configv1 "github.com/openshift/api/config/v1"
-	configclient "github.com/openshift/client-go/config/clientset/versioned"
-	configinformers "github.com/openshift/client-go/config/informers/externalversions"
-	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
-	"github.com/openshift/library-go/pkg/operator/events"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	crtconfig "sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
 // GetInfraStatusUsingKubeconfig queries the k8s api for the infrastructure CR using the kubeconfig file
@@ -75,64 +62,3 @@ func getClient(explicitKubeconfig string) (client.Client, error) {
 
 	return dynamicClient, nil
 }
-
-func GetFeatureGates(ctx context.Context) (featuregates.FeatureGate, error) {
-	stop := make(chan struct{})
-	ctx, cancelFn := context.WithCancel(ctx)
-	go func() {
-		defer cancelFn()
-		<-stop
-	}()
-
-	config, err := crtconfig.GetConfig()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get kube config: %v", err)
-	}
-	clientSet, err := configclient.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-	configInformers := configinformers.NewSharedInformerFactory(clientSet, 10*time.Minute)
-	desiredVersion := computeClusterOperatorVersions()
-	missingVersion := desiredVersion
-
-	kubeClient, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create kube client: %w", err)
-	}
-	eventRecorder := events.NewKubeRecorder(kubeClient.CoreV1().Events("openshift-cloud-credential-operator"), "cloud-credential-operator", &corev1.ObjectReference{
-		APIVersion: "apps/v1",
-		Kind:       "Deployment",
-		Namespace:  constants.CCONameSpace,
-		Name:       constants.DeploymentName,
-	})
-
-	// By default, this will exit(0) the process if the featuregates ever change to a different set of values.
-	featureGateAccessor := featuregates.NewFeatureGateAccess(
-		desiredVersion, missingVersion,
-		configInformers.Config().V1().ClusterVersions(), configInformers.Config().V1().FeatureGates(),
-		eventRecorder,
-	)
-	go featureGateAccessor.Run(ctx)
-	go configInformers.Start(stop)
-
-	select {
-	case <-featureGateAccessor.InitialFeatureGatesObserved():
-		featureGates, _ := featureGateAccessor.CurrentFeatureGates()
-		log.Info("FeatureGates initialized", "knownFeatures", featureGates.KnownFeatures())
-	case <-time.After(1 * time.Minute):
-		log.Error(nil, "timed out waiting for FeatureGate detection")
-		return nil, fmt.Errorf("timed out waiting for FeatureGate detection")
-	}
-
-	featureGates, err := featureGateAccessor.CurrentFeatureGates()
-	if err != nil {
-		return nil, err
-	}
-	return featureGates, nil
-}
-
-func computeClusterOperatorVersions() string {
-	currentVersion := os.Getenv("RELEASE_VERSION")
-	return currentVersion
-}
diff --git a/pkg/ovirt/actuator.go b/pkg/ovirt/actuator.go
@@ -20,8 +20,6 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/openshift/cloud-credential-operator/pkg/operator/platform"
-	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	log "github.com/sirupsen/logrus"
@@ -53,14 +51,6 @@ type OvirtActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *OvirtActuator) GetFeatureGates(ctx context.Context) (featuregates.FeatureGate, error) {
-	featureGates, err := platform.GetFeatureGates(nil)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return featureGates, err
-}
-
 type OvirtCreds struct {
 	URL      string `json:"ovirt_url"`
 	Username string `json:"ovirt_username"`
@@ -77,10 +67,6 @@ func NewActuator(client, rootCredClient client.Client) (*OvirtActuator, error) {
 	}, nil
 }
 
-func (a *OvirtActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // Exists checks if the credentials currently exist.
 func (a *OvirtActuator) Exists(ctx context.Context, cr *minterv1.CredentialsRequest) (bool, error) {
 	logger := a.getLogger(cr)

diff --git a/pkg/vsphere/actuator/actuator.go b/pkg/vsphere/actuator/actuator.go
@@ -49,10 +49,6 @@ type VSphereActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *VSphereActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // NewVSphereActuator creates a new VSphereActuator.
 func NewVSphereActuator(client, rootCredClient client.Client) (*VSphereActuator, error) {
 	return &VSphereActuator{