Console-3733: Add support for Azure Workload Identity / Federated Identity based installs in OperatorHub

[gallettilance]

This PR adds the following:

1. A warning is displayed in the item modal that the cluster is in WI/FI mode if the operator claims to supports it
2. A warning is displayed in the item subscription page that the cluster is in WI/FI mode if the operator claims to support it
3. If the cluster is in WI/FI mode and the operator claims support for it the the subscription page provides configuring 3 additional fields: client ID, tenant ID, and subscription ID (we are assuming that token path will be standardized / defaulted to /var/run/secrets/openshift/serviceaccount/token and region is not a required configuration)
4. Default subscription to manual for installs on WI/FI mode clusters for operators that support it

Screencast.from.2023-08-08.11-52-54.webm

[openshift-ci-robot]

@gallettilance: This pull request references Console-3733 which is a valid jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@gallettilance: This pull request references Console-3733 which is a valid jira issue.

In response to this:

This PR adds the following:

1. A warning is displayed in the item modal that the cluster is in WI/FI mode if the operator claims to supports it
2. A warning is displayed in the item subscription page that the cluster is in WI/FI mode if the operator claims to support it
3. If the cluster is in WI/FI mode and the operator claims support for it the the subscription page provides configuring 3 additional fields: client ID, tenant ID, and subscription ID (we are assuming that token path will be standardized / defaulted to /var/run/secrets/openshift/serviceaccount/token and region is not a required configuration)

Screen capture to follow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gallettilance]

cc @rhamilto @TheRealJon @jhadvig

[TheRealJon]

QE Approver
/assign @yanpzhan

Docs Approver:
/assign @opayne1

PX Approver:
/assign @RickJWagner

[openshift-ci-robot]

@gallettilance: This pull request references Console-3733 which is a valid jira issue.

In response to this:

This PR adds the following:

1. A warning is displayed in the item modal that the cluster is in WI/FI mode if the operator claims to supports it
2. A warning is displayed in the item subscription page that the cluster is in WI/FI mode if the operator claims to support it
3. If the cluster is in WI/FI mode and the operator claims support for it the the subscription page provides configuring 3 additional fields: client ID, tenant ID, and subscription ID (we are assuming that token path will be standardized / defaulted to /var/run/secrets/openshift/serviceaccount/token and region is not a required configuration)
4. Default subscription to manual for installs on WI/FI mode clusters for operators that support it

Screencast.from.2023-08-08.11-52-54.webm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[RickJWagner]

/label px-approved

[TheRealJon]

/lgtm

[TheRealJon]

Is it possible for both the AWS and Azure warnings to be shown side by side or are they mutually exclusive? If they can, then each needs it's own "show/hide" state or else dismissing one will dismiss both.

[TheRealJon]

Also, the infraFeatures check is not necessary for either of these warnings. The isAzureWIFCluster check is a prerequisite for the shortLivedTokenAuth infra feature to be included. Seen here

[gallettilance]

@TheRealJon the warnings are mutually exclusive - an operator can support both AWS and Azure but the platform will only be one or the other.

[gallettilance]

shortLivedTokenAuth is set to true when the operator supports the platform-specific short lived tokenized auth and the cluster is in that mode. So if anything it's the isAzureWIFCluster or isAWSSTSCluster that isn't required (I think) but I would like to display a warning custom to the platform (and shortLivedTokenAuth doesn't tell me the platform type) so I need a way to detect the platform type which is why isAzure... and isAWS... were added.

[TheRealJon]

Suggested change

currentItem.infraFeatures?.find((i) => i === InfraFeatures[shortLivedTokenAuth])

[gallettilance]

not sure I understand why - I need to know the operator claims support for the platform's specific short term auth method

[TheRealJon]

The comments I made are just nits. You can address them or not. Just let me know if you make changes and I'll review again.

[opayne1]

/label docs-approved

[gallettilance]

/hold until openshift/cloud-credential-operator#587 merges

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[rhamilto]

cc: @jcaianirh

[yanpzhan]

@gallettilance I lauched a cluster against the pr, simulated a azure WI/FI configuration:

# oc get infrastructure cluster -o jsonpath --template '{ .status.platform }'
Azure
# oc get cloudcredential cluster -o jsonpath --template '{ .spec.credentialsMode }'
Manual
#  oc get authentication cluster -o jsonpath --template='{ .spec.serviceAccountIssuer }'
abutcher-oidc.apps.yanpz3733.qe.azure.devcluster.openshift.com

And prepared a operator with annotation: features.operators.openshift.io/token-auth-azure: 'true'
But I didn't see any warning about the cluster on this operator's item modal page and item subscription page.
I remember when I tested the pr in August, I could see warning info.
If there is something different in code recently and test steps are changed? How could I test the feature now?

[gallettilance]

@yanpzhan thanks for catching that! You were right there was an issue with the new infraFeatures that I've fixed and it should all be working now

[rhamilto]

/lgtm

[yanpzhan]

@gallettilance Thanks for your update, I could see the warning info on new cluster launched against the pr now.
But there is other issue, twhen click on input fields "Azure Client ID","Azure Tenant ID","Azure Subscription ID", they are set as "[object Object]" automatically, and could not be updated. If insist on clicking "Install" button, an error shows up:

Danger alert:An error occurred
Converting circular structure to JSON
--> starting at object with constructor 'HTMLInputElement'
| property '__reactFiber$abxqa1swcim' -> object with constructor 'Lu'
--- property 'stateNode' closes the circle

Could you pls help to check again?

[rhamilto]

Danger alert:An error occurred
Converting circular structure to JSON
--> starting at object with constructor 'HTMLInputElement'
| property '__reactFiber$abxqa1swcim' -> object with constructor 'Lu'
--- property 'stateNode' closes the circle

Related bug: https://issues.redhat.com/browse/ocpbugs-24252

[gallettilance]

waiting on #13416 to merge first

[rhamilto]

My memory on this is fuzzy as it has been awhile and this has changed a bit. featuresAnnotationsObjects really only exists in order to override legacy labels. Since tokenAuth*s are new, I would not include them here. I would preserve the existing functionality where you push the value on to infrastructureFeatures.

[rhamilto]

/lgtm

/hold for @gallettilance to finish testing

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gallettilance, rhamilto, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• frontend/packages/operator-lifecycle-manager/OWNERS [TheRealJon,rhamilto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@gallettilance: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[gallettilance]

/hold cancel
/label px-approved

Adding these labels since QE will not be able to add them before branch date and this needs to be in before then and extensive testing has been done prior to today.

[gallettilance]

/label qe-approved

[openshift-ci-robot]

@gallettilance: This pull request references Console-3733 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.15." or "openshift-4.15.", but it targets "openshift-4.14" instead.

In response to this:

This PR adds the following:

1. A warning is displayed in the item modal that the cluster is in WI/FI mode if the operator claims to supports it
2. A warning is displayed in the item subscription page that the cluster is in WI/FI mode if the operator claims to support it
3. If the cluster is in WI/FI mode and the operator claims support for it the the subscription page provides configuring 3 additional fields: client ID, tenant ID, and subscription ID (we are assuming that token path will be standardized / defaulted to /var/run/secrets/openshift/serviceaccount/token and region is not a required configuration)
4. Default subscription to manual for installs on WI/FI mode clusters for operators that support it

Screencast.from.2023-08-08.11-52-54.webm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gallettilance]

/jira refresh

[openshift-ci-robot]

@gallettilance: This pull request references Console-3733 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[yanpzhan]

Retested on cluster launched against the pr, the warning info show correctly and operator could be installed successfully.
I have a question about where the info set for "Azure Client Id", "Azure Tenant Id". "Azure Subscription Id" fields are stored after the operator is installed. Pasted the comment in jira
@gallettilance could you give me some clue about the question? Thanks very much.

[rhamilto]

Backported to 4.15 as a bug.