diff --git a/pkg/aws/actuator/actuator.go b/pkg/aws/actuator/actuator.go
index c00be845c..1e7303737 100644
--- a/pkg/aws/actuator/actuator.go
+++ b/pkg/aws/actuator/actuator.go
@@ -69,23 +69,21 @@ var _ actuatoriface.Actuator = (*AWSActuator)(nil)
 
 // AWSActuator implements the CredentialsRequest Actuator interface to create credentials in AWS.
 type AWSActuator struct {
-	Client client.Client
-	RootCredClient client.Client
-	LiveClient client.Client
-	AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
-	Scheme *runtime.Scheme
-	AWSSecurityTokenServiceGateEnabled bool
+	Client client.Client
+	RootCredClient client.Client
+	LiveClient client.Client
+	AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
+	Scheme *runtime.Scheme
 }
 
 // NewAWSActuator creates a new AWSActuator.
-func NewAWSActuator(client, rootCredClient, liveClient client.Client, scheme *runtime.Scheme, awsSecurityTokenServiceGateEnabled bool) (*AWSActuator, error) {
+func NewAWSActuator(client, rootCredClient, liveClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) {
 	return &AWSActuator{
-		Client: client,
-		LiveClient: liveClient,
-		RootCredClient: rootCredClient,
-		AWSClientBuilder: awsutils.ClientBuilder,
-		Scheme: scheme,
-		AWSSecurityTokenServiceGateEnabled: awsSecurityTokenServiceGateEnabled,
+		Client: client,
+		LiveClient: liveClient,
+		RootCredClient: rootCredClient,
+		AWSClientBuilder: awsutils.ClientBuilder,
+		Scheme: scheme,
 	}, nil
 }
 
@@ -116,10 +114,6 @@ func DecodeProviderSpec(codec *minterv1.ProviderCodec, cr *minterv1.CredentialsR
 	return nil, fmt.Errorf("no providerSpec defined")
 }
 
-func (a *AWSActuator) STSFeatureGateEnabled() bool {
-	return a.AWSSecurityTokenServiceGateEnabled
-}
-
 // Checks if the credentials currently exist.
 //
 // To do this we will check if the target secret exists. This call is only used to determine
@@ -334,17 +328,12 @@ func (a *AWSActuator) sync(ctx context.Context, cr *minterv1.CredentialsRequest)
 		logger.Debug("credentials already up to date")
 		return nil
 	}
-	stsDetected := false
-	stsFeatureGateEnabled := a.STSFeatureGateEnabled()
-	if stsFeatureGateEnabled {
-		stsDetected, err = utils.IsTimedTokenCluster(a.Client, ctx, logger)
-		if err != nil {
-			return err
-		}
+	stsDetected, err := utils.IsTimedTokenCluster(a.Client, ctx, logger)
+	if err != nil {
+		return err
 	}
-	logger.Infof("stsFeatureGateEnabled: %v", stsFeatureGateEnabled)
 	logger.Infof("stsDetected: %v", stsDetected)
-	if stsFeatureGateEnabled && stsDetected {
+	if stsDetected {
 		logger.Debug("actuator detected STS enabled cluster, enabling STS secret brokering for CredentialsRequests providing an IAM Role ARN")
 		awsSTSIAMRoleARN, err := awsSTSIAMRoleARN(minterv1.Codec, cr)
 		if err != nil {
diff --git a/pkg/aws/actuator/actuator_test.go b/pkg/aws/actuator/actuator_test.go
index 56ddbfa51..20214f7bb 100644
--- a/pkg/aws/actuator/actuator_test.go
+++ b/pkg/aws/actuator/actuator_test.go
@@ -577,7 +577,6 @@ func TestDetectSTS(t *testing.T) {
 		wantErr assert.ErrorAssertionFunc
 		CredentialsRequest *minterv1.CredentialsRequest
 		issuer string
-		stsEnabled bool
 	}{
 		{
 			name: "empty ServiceAccountIssuer on AWS STS-enabled CCO in Manual mode should error",
@@ -614,9 +613,8 @@ func TestDetectSTS(t *testing.T) {
 				}
 				return cr
 			}(),
-			issuer: "non-empty",
-			stsEnabled: true,
-			wantErr: assert.NoError,
+			issuer: "non-empty",
+			wantErr: assert.NoError,
 		},
 		{
 			name: "STS mode and with a CloudTokenString and CloudTokenPath set in CredentialsRequest should create Secret & not error",
@@ -634,9 +632,8 @@ func TestDetectSTS(t *testing.T) {
 				cr.Spec.CloudTokenPath = "/var/token"
 				return cr
 			}(),
-			issuer: "non-empty",
-			stsEnabled: true,
-			wantErr: assert.NoError,
+			issuer: "non-empty",
+			wantErr: assert.NoError,
 		},
 	}
 	for _, test := range tests {
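Review bot: The context line `logger.Infof("stsDetected: %v", stsDetected)` now runs unconditionally, so every sync pass that gets past the "already up to date" check emits an Info-level line even on clusters where STS brokering is not in play; it reads as debugging output and would sit better as `logger.Debugf("stsDetected: %v", stsDetected)` next to the Debug message a few lines below. With the gate gone, `utils.IsTimedTokenCluster` is also called on every sync for every CredentialsRequest, which presumably adds an API read per reconcile unless the helper caches — worth confirming, since the same detection is repeated in the reconciler (credentialsrequest_controller.go) in this commit. The `stsDetected, err :=` form is fine here: the immediate `if err != nil` return means any shadowing of an outer err is harmless. The body of sync begins and ends outside this hunk.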
@@ -651,9 +648,8 @@ func TestDetectSTS(t *testing.T) {
 				panic(err)
 			}
 			a := &AWSActuator{
-				Client: fakeClient,
-				RootCredClient: fakeAdminClient,
-				AWSSecurityTokenServiceGateEnabled: test.stsEnabled,
+				Client: fakeClient,
+				RootCredClient: fakeAdminClient,
 			}
 			test.wantErr(t, a.sync(context.Background(), test.CredentialsRequest), fmt.Sprintf("sync(%v)", test.CredentialsRequest))
 		})
diff --git a/pkg/azure/actuator.go b/pkg/azure/actuator.go
index 801445554..8b8b88dfa 100644
--- a/pkg/azure/actuator.go
+++ b/pkg/azure/actuator.go
@@ -49,10 +49,6 @@ type Actuator struct {
 	credentialMinterBuilder credentialMinterBuilder
 }
 
-func (a *Actuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 func NewActuator(c, rootCredClient client.Client, cloudName configv1.AzureCloudEnvironment) (*Actuator, error) {
 	client := newClientWrapper(c, rootCredClient)
 	return &Actuator{
diff --git a/pkg/cmd/operator/cmd.go b/pkg/cmd/operator/cmd.go
index 64fcef22e..281a839a5 100644
--- a/pkg/cmd/operator/cmd.go
+++ b/pkg/cmd/operator/cmd.go
@@ -106,12 +106,6 @@ func NewOperator() *cobra.Command {
 			ctrlruntimelog.SetLogger(logr.New(ctrlruntimelog.NullLogSink{}))
 
 			log.Info("checking prerequisites")
-			featureGates, err := platform.GetFeatureGates(ctx)
-			if err != nil {
-				log.WithError(err).Fatal("unable to read feature gates")
-			}
-			awsSecurityTokenServiceGateEnabled := featureGates.Enabled(configv1.FeatureGateAWSSecurityTokenService)
-
 			kubeconfigCommandLinePath := cmd.PersistentFlags().Lookup("kubeconfig").Value.String()
 			rules := clientcmd.NewDefaultClientConfigLoadingRules()
 			rules.ExplicitPath = kubeconfigCommandLinePath
@@ -213,7 +207,7 @@ func NewOperator() *cobra.Command {
 
 			// Setup all Controllers
 			log.Info("setting up controllers")
-			if err := controller.AddToManager(mgr, rootMgr, kubeconfigCommandLinePath, coreClient, awsSecurityTokenServiceGateEnabled); err != nil {
+			if err := controller.AddToManager(mgr, rootMgr, kubeconfigCommandLinePath, coreClient); err != nil {
 				log.WithError(err).Fatal("unable to register controllers to the manager")
 			}
 
diff --git a/pkg/gcp/actuator/actuator.go b/pkg/gcp/actuator/actuator.go
index 236f22828..30c31b3aa 100644
--- a/pkg/gcp/actuator/actuator.go
+++ b/pkg/gcp/actuator/actuator.go
@@ -65,10 +65,6 @@ type Actuator struct {
 	GCPClientBuilder func(string, []byte) (ccgcp.Client, error)
 }
 
-func (a *Actuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // NewActuator initializes and returns a new Actuator for GCP.
 func NewActuator(c, rootCredClient client.Client, projectName string) (*Actuator, error) {
 	return &Actuator{
diff --git a/pkg/kubevirt/actuator.go b/pkg/kubevirt/actuator.go
index c7e29df34..587a075d1 100644
--- a/pkg/kubevirt/actuator.go
+++ b/pkg/kubevirt/actuator.go
@@ -41,10 +41,6 @@ type KubevirtActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *KubevirtActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 const (
 	KubevirtCredentialsSecretKey = "kubeconfig"
 )
diff --git a/pkg/openstack/actuator.go b/pkg/openstack/actuator.go
index 0dbf79dff..bfd3908f5 100644
--- a/pkg/openstack/actuator.go
+++ b/pkg/openstack/actuator.go
@@ -42,10 +42,6 @@ type OpenStackActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *OpenStackActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // NewOpenStackActuator creates a new OpenStack actuator.
 func NewOpenStackActuator(client, rootCredClient client.Client) (*OpenStackActuator, error) {
 	return &OpenStackActuator{
diff --git a/pkg/operator/controller.go b/pkg/operator/controller.go
index ddcd8ddd7..41385ec3c 100644
--- a/pkg/operator/controller.go
+++ b/pkg/operator/controller.go
@@ -66,7 +66,7 @@ var AddToManagerFuncs []func(manager.Manager, manager.Manager, string) error
 var AddToManagerWithActuatorFuncs []func(manager.Manager, manager.Manager, actuator.Actuator, configv1.PlatformType, corev1client.CoreV1Interface) error
 
 // AddToManager adds all Controllers to the Manager
-func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClient corev1client.CoreV1Interface, awsSecurityTokenServiceGateEnabled bool) error {
+func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClient corev1client.CoreV1Interface) error {
 	for _, f := range AddToManagerFuncs {
 		if err := f(m, rootM, explicitKubeconfig); err != nil {
 			return err
@@ -86,7 +86,7 @@ func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClien
 	switch platformType {
 	case configv1.AWSPlatformType:
 		log.Info("initializing AWS actuator")
-		a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), utils.LiveClient(m), m.GetScheme(), awsSecurityTokenServiceGateEnabled)
+		a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), utils.LiveClient(m), m.GetScheme())
 		if err != nil {
 			return err
 		}
diff --git a/pkg/operator/credentialsrequest/actuator/actuator.go b/pkg/operator/credentialsrequest/actuator/actuator.go
index 7c41c1e26..13e15811f 100644
--- a/pkg/operator/credentialsrequest/actuator/actuator.go
+++ b/pkg/operator/credentialsrequest/actuator/actuator.go
@@ -46,8 +46,6 @@ type Actuator interface {
 	Upgradeable(operatorv1.CloudCredentialsMode) *configv1.ClusterOperatorStatusCondition
 	// GetCredentialsRootSecret returns the credentials root secret.
 	GetCredentialsRootSecret(ctx context.Context, cr *minterv1.CredentialsRequest) (*corev1.Secret, error)
-	// Query STSFeatureGateEnabled.
-	STSFeatureGateEnabled() bool
 }
 
 type DummyActuator struct {
@@ -86,10 +84,6 @@ func (a *DummyActuator) GetCredentialsRootSecret(ctx context.Context, cr *minter
 	return nil, nil
 }
 
-func (a *DummyActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 type ActuatorError struct {
 	ErrReason minterv1.CredentialsRequestConditionType
 	Message string
diff --git a/pkg/operator/credentialsrequest/credentialsrequest_controller.go b/pkg/operator/credentialsrequest/credentialsrequest_controller.go
index 2e22b9030..0227aabc2 100644
--- a/pkg/operator/credentialsrequest/credentialsrequest_controller.go
+++ b/pkg/operator/credentialsrequest/credentialsrequest_controller.go
@@ -19,11 +19,12 @@ package credentialsrequest
 import (
 	"context"
 	"fmt"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/util/retry"
 	"reflect"
 	"time"
 
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/util/retry"
+
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/time/rate"
 	corev1applyconfigurations "k8s.io/client-go/applyconfigurations/core/v1"
@@ -518,11 +519,7 @@ func (r *ReconcileCredentialsRequest) Reconcile(ctx context.Context, request rec
 
 	mode, conflict, err := utils.GetOperatorConfiguration(r.Client, logger)
 	stsDetected := false
-	stsFeatureGateEnabled := r.Actuator.STSFeatureGateEnabled()
-
-	if stsFeatureGateEnabled {
-		stsDetected, _ = utils.IsTimedTokenCluster(r.Client, ctx, logger)
-	}
+	stsDetected, _ = utils.IsTimedTokenCluster(r.Client, ctx, logger)
 	if err != nil {
 		logger.WithError(err).Error("error checking if operator is disabled")
 		return reconcile.Result{}, err
@@ -679,7 +676,7 @@ func (r *ReconcileCredentialsRequest) Reconcile(ctx context.Context, request rec
 	} else {
 		crSecretExists = true
 	}
-	if stsFeatureGateEnabled && stsDetected {
+	if stsDetected {
 		// create time-based tokens based on settings in CredentialsRequests
 		logger.Debugf("timed token access cluster detected: %t, so not trying to provision with root secret", stsDetected)
 
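Review bot: `stsDetected, _ = utils.IsTimedTokenCluster(r.Client, ctx, logger)` now runs on every reconcile and drops the error, so an API failure during detection silently leaves stsDetected false and the `if stsDetected {` check in the later hunk of this file takes the non-STS path, which the Debugf message there implies is the root-secret provisioning path; the AWS actuator's sync returns the same detection error instead, so the two call sites now disagree on how a failure is treated. If detection is meant to be authoritative, keep the error: `stsDetected, stsErr := utils.IsTimedTokenCluster(r.Client, ctx, logger)` followed by `if stsErr != nil { logger.WithError(stsErr).Error("error detecting timed token cluster"); return reconcile.Result{}, stsErr }`; if it is deliberately best-effort, at least log it rather than discarding it with `_`. The `stsDetected := false` on the preceding context line is now overwritten immediately and can be folded into the call. Reconcile's body begins and ends outside both hunks.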
diff --git a/pkg/operator/platform/platform.go b/pkg/operator/platform/platform.go index 21e645b82..e4c0767ca 100644 --- a/pkg/operator/platform/platform.go +++ b/pkg/operator/platform/platform.go @@ -2,26 +2,13 @@ package platform import ( "context" - "fmt" - "os" - "time" - "github.com/openshift/cloud-credential-operator/pkg/operator/constants" "github.com/openshift/cloud-credential-operator/pkg/util" - log "github.com/sirupsen/logrus" - configv1 "github.com/openshift/api/config/v1" - configclient "github.com/openshift/client-go/config/clientset/versioned" - configinformers "github.com/openshift/client-go/config/informers/externalversions" - "github.com/openshift/library-go/pkg/operator/configobserver/featuregates" - "github.com/openshift/library-go/pkg/operator/events" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" "sigs.k8s.io/controller-runtime/pkg/client" - crtconfig "sigs.k8s.io/controller-runtime/pkg/client/config" ) // GetInfraStatusUsingKubeconfig queries the k8s api for the infrastructure CR using the kubeconfig file 
@@ -75,64 +62,3 @@ func getClient(explicitKubeconfig string) (client.Client, error) {
 
 	return dynamicClient, nil
 }
-
-func GetFeatureGates(ctx context.Context) (featuregates.FeatureGate, error) {
-	stop := make(chan struct{})
-	ctx, cancelFn := context.WithCancel(ctx)
-	go func() {
-		defer cancelFn()
-		<-stop
-	}()
-
-	config, err := crtconfig.GetConfig()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get kube config: %v", err)
-	}
-	clientSet, err := configclient.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-	configInformers := configinformers.NewSharedInformerFactory(clientSet, 10*time.Minute)
-	desiredVersion := computeClusterOperatorVersions()
-	missingVersion := desiredVersion
-
-	kubeClient, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create kube client: %w", err)
-	}
-	eventRecorder := events.NewKubeRecorder(kubeClient.CoreV1().Events("openshift-cloud-credential-operator"), "cloud-credential-operator", &corev1.ObjectReference{
-		APIVersion: "apps/v1",
-		Kind: "Deployment",
-		Namespace: constants.CCONameSpace,
-		Name: constants.DeploymentName,
-	})
-
-	// By default, this will exit(0) the process if the featuregates ever change to a different set of values.
-	featureGateAccessor := featuregates.NewFeatureGateAccess(
-		desiredVersion, missingVersion,
-		configInformers.Config().V1().ClusterVersions(), configInformers.Config().V1().FeatureGates(),
-		eventRecorder,
-	)
-	go featureGateAccessor.Run(ctx)
-	go configInformers.Start(stop)
-
-	select {
-	case <-featureGateAccessor.InitialFeatureGatesObserved():
-		featureGates, _ := featureGateAccessor.CurrentFeatureGates()
-		log.Info("FeatureGates initialized", "knownFeatures", featureGates.KnownFeatures())
-	case <-time.After(1 * time.Minute):
-		log.Error(nil, "timed out waiting for FeatureGate detection")
-		return nil, fmt.Errorf("timed out waiting for FeatureGate detection")
-	}
-
-	featureGates, err := featureGateAccessor.CurrentFeatureGates()
-	if err != nil {
-		return nil, err
-	}
-	return featureGates, nil
-}
-
-func computeClusterOperatorVersions() string {
-	currentVersion := os.Getenv("RELEASE_VERSION")
-	return currentVersion
-}
diff --git a/pkg/ovirt/actuator.go b/pkg/ovirt/actuator.go
index 4ef04c6c6..11ad2b39e 100644
--- a/pkg/ovirt/actuator.go
+++ b/pkg/ovirt/actuator.go
@@ -20,8 +20,6 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/openshift/cloud-credential-operator/pkg/operator/platform"
-	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	log "github.com/sirupsen/logrus"
@@ -53,14 +51,6 @@ type OvirtActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *OvirtActuator) GetFeatureGates(ctx context.Context) (featuregates.FeatureGate, error) {
-	featureGates, err := platform.GetFeatureGates(nil)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return featureGates, err
-}
-
 type OvirtCreds struct {
 	URL string `json:"ovirt_url"`
 	Username string `json:"ovirt_username"`
@@ -77,10 +67,6 @@ func NewActuator(client, rootCredClient client.Client) (*OvirtActuator, error) {
 	}, nil
 }
 
-func (a *OvirtActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // Exists checks if the credentials currently exist.
 func (a *OvirtActuator) Exists(ctx context.Context, cr *minterv1.CredentialsRequest) (bool, error) {
 	logger := a.getLogger(cr)
diff --git a/pkg/vsphere/actuator/actuator.go b/pkg/vsphere/actuator/actuator.go
index 08afaab67..036ff506e 100644
--- a/pkg/vsphere/actuator/actuator.go
+++ b/pkg/vsphere/actuator/actuator.go
@@ -49,10 +49,6 @@ type VSphereActuator struct {
 	RootCredClient client.Client
 }
 
-func (a *VSphereActuator) STSFeatureGateEnabled() bool {
-	return false
-}
-
 // NewVSphereActuator creates a new VSphereActuator.
 func NewVSphereActuator(client, rootCredClient client.Client) (*VSphereActuator, error) {
 	return &VSphereActuator{