Add secure access token annotation controller

pkg/operator/secureaccesstoken/controller.go

@@ -0,0 +1,61 @@
+package secureaccesstoken
+
+import (
+	"context"
+	"time"
+
+	configv1 "github.com/openshift/api/config/v1"
+	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
+	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/events"
+	operatorv1helpers "github.com/openshift/library-go/pkg/operator/v1helpers"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const secureTokenStorageAnnotationKey = "oauth-apiserver.openshift.io/secure-token-storage"
+
+// Controller removes the "oauth-apiserver.openshift.io/secure-token-storage"
+// annotation from the APIServer config/v1 object after a potential downgrade from 4.6.
+type Controller struct {
+	apiserverClient configv1client.APIServerInterface
+	apiserverLister configlistersv1.APIServerLister
+}
+
+// NewController returns a new secure access token annotation removal controller.
+func NewController(operatorClient operatorv1helpers.OperatorClient,
+	apiserverClient configv1client.APIServerInterface, apiserverLister configlistersv1.APIServerLister, apiserverInformer factory.Informer,
+	recorder events.Recorder) factory.Controller {
+	c := &Controller{
+		apiserverClient: apiserverClient,
+		apiserverLister: apiserverLister,
+	}
+	return factory.New().
+		WithInformers(apiserverInformer).
+		WithSync(c.sync).
+		WithSyncDegradedOnError(operatorClient).
+		ResyncEvery(time.Minute).
+		ToController("SecureAccessTokenAnnotationController", recorder)
+}
+
+func (c Controller) sync(ctx context.Context, syncCtx factory.SyncContext) error {
+	obj, err := c.apiserverLister.Get("cluster")
+	if errors.IsNotFound(err) {
+		syncCtx.Recorder().Warningf("SecureAccessTokenAnnotationController", "Required apiservers.%s/cluster not found", configv1.GroupName)
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	if _, ok := obj.Annotations[secureTokenStorageAnnotationKey]; !ok {
+		return nil
+	}
+
+	updated := obj.DeepCopy()
+	delete(updated.Annotations, secureTokenStorageAnnotationKey)
+
+	_, err = c.apiserverClient.Update(ctx, updated, metav1.UpdateOptions{})
+	return err
+}

pkg/operator/starter.go

@@ -25,6 +25,7 @@ import (
 	"github.com/openshift/cluster-config-operator/pkg/operator/kube_cloud_config"
 	"github.com/openshift/cluster-config-operator/pkg/operator/migration_aws_status"
 	"github.com/openshift/cluster-config-operator/pkg/operator/operatorclient"
+	"github.com/openshift/cluster-config-operator/pkg/operator/secureaccesstoken"
 )
 
 func RunOperator(ctx context.Context, controllerContext *controllercmd.ControllerContext) error {
@@ -105,6 +106,14 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 
 	logLevelController := loglevel.NewClusterOperatorLoggingController(operatorClient, controllerContext.EventRecorder)
 
+	secureAccessTokenAnnotationController := secureaccesstoken.NewController(
+		operatorClient,
+		configClient.ConfigV1().APIServers(),
+		configInformers.Config().V1().APIServers().Lister(),
+		configInformers.Config().V1().APIServers().Informer(),
+		controllerContext.EventRecorder,
+	)
+
 	// As this operator does not manage any component/workload, report this operator as available and not progressing by default.
 	// TODO: Revisit this with full controller at some point.
 	operatorController := factory.New().ResyncEvery(10*time.Second).WithSync(func(ctx context.Context, controllerContext factory.SyncContext) error {
@@ -141,6 +150,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 	go statusController.Run(ctx, 1)
 	go operatorController.Run(ctx, 1)
 	go migrationAWSStatusController.Run(ctx, 1)
+	go secureAccessTokenAnnotationController.Run(ctx, 1)
 
 	<-ctx.Done()
 	return nil