Bug 1879492: Add secure access token annotation controller to handle downgrade from 4.6

[sttts]

The annotation oauth-apiserver.openshift.io/secure-token-storage: true set on the config/v1 apiserver object make openshift-apiserver deeply log oauth tokens, noth access and authorize (if openshift-apiserver is responsible for this; in fresh 4.6 install it is not, but oauth-apiserver is).

This requires that there are no non-sha256 tokens in the system. For 4.6 installs this is guaranteed.

This PR adds a controller to remove the "oauth-apiserver.openshift.io/secure-token-storage" annotation from the APIServer config/v1 object after a potential downgrade from 4.6, to allow for the fact that non-sha256 are created on 4.5.

Counterpart to 4.6 PRs:

• Bug 1878648: apiserver-audit: add secure-oauth-storage-* policies library-go#894 (merged already)
• Bug 1878648: oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install cluster-openshift-apiserver-operator#392
• Bug 1878648: oauth-apiserver: audit log oauthaccesstokens if fresh 4.6 install cluster-authentication-operator#324
• Bug 1878648: oauth: audit log oauthaccesstokens if fresh 4.6 install #152

[openshift-ci-robot]

@sttts: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

Add secure access token annotation controller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[p0lyn0mial]

why do we need this informer?

[sttts]

we don't

[p0lyn0mial]

usually, events are reserved for informing about the state change.

[p0lyn0mial]

/lgtm

[openshift-ci-robot]

@sttts: This pull request references Bugzilla bug 1878648, which is invalid:

• expected the bug to target the "4.5.z" release, but it targets "4.6.0" instead
• expected Bugzilla bug 1878648 to depend on a bug targeting a release in 4.6.0, 4.6.z and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1878648: Add secure access token annotation controller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@sttts: This pull request references Bugzilla bug 1879492, which is invalid:

• expected Bugzilla bug 1879492 to depend on a bug targeting a release in 4.6.0, 4.6.z and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1879492: Add secure access token annotation controller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[p0lyn0mial]

/lgtm

[openshift-bot]

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

[openshift-ci-robot]

@openshift-bot: This pull request references Bugzilla bug 1879492, which is invalid:

• expected dependent Bugzilla bug 1880407 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ASSIGNED instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sttts]

/bugzilla-refresh

[openshift-bot]

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

[openshift-ci-robot]

@openshift-bot: This pull request references Bugzilla bug 1879492, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.z) matches configured target release for branch (4.5.z)
• bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
• dependent bug Bugzilla bug 1880407 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
• dependent Bugzilla bug 1880407 targets the "4.6.0" release, which is one of the valid target releases: 4.6.0, 4.6.z
• bug has dependents

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@sttts: This pull request references Bugzilla bug 1879492, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.5.z) matches configured target release for branch (4.5.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
• dependent bug Bugzilla bug 1880407 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA))
• dependent Bugzilla bug 1880407 targets the "4.6.0" release, which is one of the valid target releases: 4.6.0, 4.6.z
• bug has dependents

In response to this:

Bug 1879492: Add secure access token annotation controller

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[markmc]

/retitle Bug 1879492: Add secure access token annotation controller to handle downgrade from 4.6

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[sttts]

/retest

[sttts]

/retest

[sttts]

/test e2e-gcp

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@sttts: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-gcp	483686f	link	/test e2e-gcp

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@sttts: All pull requests linked via external trackers have merged:

• openshift/cluster-config-operator#153

Bugzilla bug 1879492 has been moved to the MODIFIED state.

In response to this:

Bug 1879492: Add secure access token annotation controller to handle downgrade from 4.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.