
Bug 1906880: operator: remove odicdiscoveryendpoint controller #276


sjenning
Contributor

@sjenning sjenning commented Dec 8, 2020

@sjenning
Contributor Author

sjenning commented Dec 8, 2020

fyi @deads2k

@joelddiaz
Contributor

@sjenning Do we care that future versions of OpenShift will handle changing the issuer field gracefully? (or at least I remember @marun mentioning something like this)

@sjenning
Contributor Author

sjenning commented Dec 9, 2020

@joelddiaz I guess the two options are 1) this PR or 2) we disable the controller for 4.7 and re-enable for 4.8

@marun did say that 4.8 should be able to handle this gracefully. However, my understanding is that it would require a complete restart of the cluster. Thus 4.8 cluster install time would regress if we didn't set the serviceAccountIssuer in the install manifests.

@marun

marun commented Dec 9, 2020

@joelddiaz I guess the two options are 1) this PR or 2) we disable the controller for 4.7 and re-enable for 4.8

@marun did say that 4.8 should be able to handle this gracefully. However, my understanding is that it would require a complete restart of the cluster. Thus 4.8 cluster install time would regress if we didn't set the serviceAccountIssuer in the install manifests.

My understanding is that for 4.8 the goal is to remove the requirement to require a restart on issuer change. The apiserver would be updated to support multiple issuers to ensure that previously issued tokens would continue to be accepted until expiry. That would allow an issuer change without risk of breakage.

cc: @stlaz

@joelddiaz
Contributor

@dgoodwin I'm fine with the PR (even after 4.8 gains the ability to gracefully handle the issuer change). With STS we will already require that these pieces be set up pre-installation anyway. WDYT?

@dgoodwin
Contributor

I largely have to defer to you folks, but if you and Seth are on board then no objections from me, I'd say ship it.

@joelddiaz
Contributor

I largely have to defer to you folks, but if you and Seth are on board then no objections from me, I'd say ship it.

I think the TL;DR for what this means is that using the AWS pod identity stuff will require some extra steps going forward as CCO will not be performing this one step.

@sjenning
Contributor Author

/cc @derekwaynecarr

@dgoodwin
Contributor

/lgtm

We need a bug though and will need a release note, cc @jeana-redhat

@sjenning could you fire a draft note into this PR or maybe the bug once it exists that Jeana can work with? Or I can give it a shot.

@openshift-ci-robot openshift-ci-robot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Dec 11, 2020
@derekwaynecarr
Member

as discussed:

upgrade from 4.6 -> 4.7 is not impacted
fresh install on 4.7 will not have this component (no real option here)
release notes need to ensure change is clear
doc should provide steps on how to configure sts as part of install procedure

/lgtm

@jeana-redhat

so this will be a known issue in the 4.7 RNs? just keep me posted 👍

doc should provide steps on how to configure sts as part of install procedure

@derekwaynecarr do you mean internal docs or user docs?

@openshift-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, dgoodwin, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@marun

marun commented Dec 11, 2020

as discussed:

upgrade from 4.6 -> 4.7 is not impacted
fresh install on 4.7 will not have this component (no real option here)
release notes need to ensure change is clear
doc should provide steps on how to configure sts as part of install procedure

What about upgrade from 4.5 to 4.6? Or is this not enabled by default for 4.6?

@sjenning sjenning changed the title operator: remove odicdiscoveryendpoint controller Bug 1906880: operator: remove odicdiscoveryendpoint controller Dec 11, 2020
@openshift-ci-robot openshift-ci-robot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Dec 11, 2020
@openshift-ci-robot
Contributor

@sjenning: This pull request references Bugzilla bug 1906880, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1906880: operator: remove odicdiscoveryendpoint controller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sjenning
Contributor Author

sjenning commented Dec 11, 2020

What about upgrade from 4.5 to 4.6? Or is this not enabled by default for 4.6?

@marun It is enabled by default in 4.6.

I think we should backport this to 4.6 z-stream asap. That way new 4.6 clusters and clusters upgrading from 4.5 to latest 4.6.z have the same behavior as 4.7 clusters.

It will only be clusters that have already installed/upgraded to a 4.6.0-4.6.9ish that will have serviceAccountIssuer set by this controller and there really isn't a way to undo it.

@openshift-merge-robot openshift-merge-robot merged commit d1836ea into openshift:master Dec 11, 2020
@openshift-ci-robot
Contributor

@sjenning: All pull requests linked via external trackers have merged:

Bugzilla bug 1906880 has been moved to the MODIFIED state.

In response to this:

Bug 1906880: operator: remove odicdiscoveryendpoint controller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@joelddiaz
Contributor

I think we should backport this to 4.6 z-stream asap. That way new 4.6 clusters and clusters upgrading from 4.5 to latest 4.6.z have the same behavior as 4.7 clusters.

Can we put in 4.6 an update to this controller to undo the changes back to the internal issuer URL? (so that all clusters would have the internal issuer?)

@sjenning
Contributor Author

@joelddiaz we can't do that without causing the issue we are avoiding here; invalidating all the TokenRequest API acquired tokens in the cluster.
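The breakage sjenning describes here, and the multi-issuer acceptance marun outlines above, as an added example (not code from cloud-credential-operator or kube-apiserver): a minimal JWT signed with a throwaway Ed25519 key is minted under the old issuer, and a verifier that knows only the new issuer rejects it, while one that accepts both keeps honouring it until expiry. The issuer URLs, claim layout, fixed timestamps and the verifier itself are constructed for illustration and are not the apiserver's implementation.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed issuer values: the cluster-internal default and a public OIDC issuer URL.
const oldIssuer, newIssuer = "https://kubernetes.default.svc", "https://oidc.example.test/cluster-1"
type claims struct{ Iss string `json:"iss"`; Exp int64 `json:"exp"` }
var enc = base64.RawURLEncoding

// issueToken mints a minimal EdDSA-signed JWT (header.claims.signature) under issuer iss.
func issueToken(priv ed25519.PrivateKey, iss string, exp int64) string {
	body, _ := json.Marshal(claims{Iss: iss, Exp: exp})
	input := enc.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifyToken checks signature and expiry, then requires iss to be an accepted issuer. Accepting only
// the new issuer rejects every token minted before the change; accepting both keeps them valid until expiry.
func verifyToken(pub ed25519.PublicKey, tok string, accepted map[string]bool, now int64) error {
	hdr, rest, _ := strings.Cut(tok, ".")
	body64, sig64, ok := strings.Cut(rest, ".")
	sig, errSig := enc.DecodeString(sig64)
	body, errBody := enc.DecodeString(body64)
	var c claims
	if !ok || errSig != nil || errBody != nil || !ed25519.Verify(pub, []byte(hdr+"."+body64), sig) || json.Unmarshal(body, &c) != nil {
		return errors.New("malformed token or bad signature")
	}
	if c.Exp <= now {
		return errors.New("token expired")
	}
	if !accepted[c.Iss] {
		return errors.New("issuer not accepted: " + c.Iss)
	}
	return nil
}

// issuerChangeOutcome mints a token under oldIssuer, then switches the verifier to newIssuer, reporting whether
// a new-issuer-only verifier rejects that token and whether one that also accepts the old issuer (the 4.8 approach) honours it.
func issuerChangeOutcome() (singleRejects, multiAccepts bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand.Reader
	tok := issueToken(priv, oldIssuer, 2000)  // exp 2000 is after the fixed "now" of 1000 used below
	return verifyToken(pub, tok, map[string]bool{newIssuer: true}, 1000) != nil,
		verifyToken(pub, tok, map[string]bool{newIssuer: true, oldIssuer: true}, 1000) == nil
}
```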

@joelddiaz
Contributor

I now understand that it's too late for this, and that we're only finding out now because the first bound token users have appeared.

@sjenning
Contributor Author

/cherry-pick release-4.6

@openshift-cherrypick-robot

@sjenning: #276 failed to apply on top of branch "release-4.6":

Applying: operator: remove odicdiscoveryendpoint controller
Using index info to reconstruct a base tree...
M	go.mod
M	pkg/operator/controller.go
M	pkg/operator/oidcdiscoveryendpoint/controller.go
M	vendor/modules.txt
Falling back to patching base and 3-way merge...
Auto-merging vendor/modules.txt
Removing vendor/gopkg.in/square/go-jose.v2/symmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/signing.go
Removing vendor/gopkg.in/square/go-jose.v2/shared.go
Removing vendor/gopkg.in/square/go-jose.v2/opaque.go
Removing vendor/gopkg.in/square/go-jose.v2/jws.go
Removing vendor/gopkg.in/square/go-jose.v2/jwk.go
Removing vendor/gopkg.in/square/go-jose.v2/jwe.go
Removing vendor/gopkg.in/square/go-jose.v2/json/tags.go
Removing vendor/gopkg.in/square/go-jose.v2/json/stream.go
Removing vendor/gopkg.in/square/go-jose.v2/json/scanner.go
Removing vendor/gopkg.in/square/go-jose.v2/json/indent.go
Removing vendor/gopkg.in/square/go-jose.v2/json/encode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/decode.go
Removing vendor/gopkg.in/square/go-jose.v2/json/README.md
Removing vendor/gopkg.in/square/go-jose.v2/json/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/encoding.go
Removing vendor/gopkg.in/square/go-jose.v2/doc.go
Removing vendor/gopkg.in/square/go-jose.v2/crypter.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
Removing vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
Removing vendor/gopkg.in/square/go-jose.v2/asymmetric.go
Removing vendor/gopkg.in/square/go-jose.v2/README.md
Removing vendor/gopkg.in/square/go-jose.v2/LICENSE
Removing vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md
Removing vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md
Removing vendor/gopkg.in/square/go-jose.v2/.travis.yml
Removing vendor/gopkg.in/square/go-jose.v2/.gitignore
Removing vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc
Removing vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
Removing vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
Removing vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
Removing vendor/golang.org/x/crypto/ed25519/ed25519_go113.go
Removing vendor/golang.org/x/crypto/ed25519/ed25519.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/scheduler.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/proxy.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/project.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/operatorhub.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/oauth.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/network.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/ingress.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/infrastructure.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/image.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/featuregate.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/doc.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/dns.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/console.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/clusterversion.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/clusteroperator.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/build.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/authentication.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/apiserver.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/scheme/register.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/scheme/doc.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/doc.go
Removing vendor/github.com/openshift/client-go/config/clientset/versioned/clientset.go
Removing vendor/github.com/openshift/client-go/LICENSE
CONFLICT (modify/delete): pkg/operator/oidcdiscoveryendpoint/controller.go deleted in operator: remove odicdiscoveryendpoint controller and modified in HEAD. Version HEAD of pkg/operator/oidcdiscoveryendpoint/controller.go left in tree.
Auto-merging pkg/operator/controller.go
CONFLICT (content): Merge conflict in pkg/operator/controller.go
Auto-merging go.mod
CONFLICT (content): Merge conflict in go.mod
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 operator: remove odicdiscoveryendpoint controller
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

wking added a commit to wking/cloud-credential-operator that referenced this pull request Nov 15, 2021
Since the last external consumer was removed in 6ea240c (operator:
remove odicdiscoveryendpoint controller, 2020-12-08, openshift#276), we no
longer need to make this helper part of the package's public API.
Make it internal so folks are less likely to abuse it.  Machines are
generally supposed to avoid looking at the message property anyway
[1], so we only expect to care about it for things like unit tests.

[1]: https://github.com/openshift/api/blob/be1be0e89115702f8b508d351c4f5c9a16e5ae95/config/v1/types_cluster_operator.go#L136