oauth: audit log oauthaccesstokens if fresh 4.6 install

openshift · Sep 16, 2020 · 7d1c06c · 7d1c06c
1 parent 02e63b1
commit 7d1c06c
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -280,14 +280,30 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		return err
 	}
 
+	// TODO(4.7): switch over to secure access-token logging by default and delete old non-sha256 tokens
+	auditPolicyPathGetterWithAccessTokenLogs := func(profile string) (string, error) {
+		apiServerConfig, err := configInformers.Config().V1().APIServers().Lister().Get("cluster")
+		if errors.IsNotFound(err) {
+			return auditPolicyPahGetter(profile)
+		}
+		if err != nil {
+			return "", err
+		}
+
+		if apiServerConfig.Annotations["oauth-apiserver.openshift.io/secure-token-storage"] == "true" {
+			return auditPolicyPahGetter("secure-oauth-storage-" + profile)
+		}
+		return auditPolicyPahGetter(profile)
+	}
+
 	configObserver := configobservercontroller.NewConfigObserver(
 		kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace),
 		kubeInformersForNamespaces.InformersFor(libgoetcd.EtcdEndpointNamespace),
 		operatorClient,
 		resourceSyncController,
 		operatorConfigInformers,
 		configInformers,
-		auditPolicyPahGetter,
+		auditPolicyPathGetterWithAccessTokenLogs,
 		controllerConfig.EventRecorder,
 	)