OCM-6419 | feat: fetch OIDC thumbprint from CS

openshift · Apr 19, 2024 · 1d3c4dc · 1d3c4dc
1 parent 5935b9c
commit 1d3c4dc
Show file tree

Hide file tree

Showing 18 changed files with 39,301 additions and 38,496 deletions.
diff --git a/cmd/create/oidcconfig/cmd.go b/cmd/create/oidcconfig/cmd.go
@@ -300,21 +300,21 @@ func run(cmd *cobra.Command, _ []string) {
 		r.Reporter.Errorf("%s", err)
 		os.Exit(1)
 	}
-	oidcConfigStrategy.execute(r)
-	if !args.rawFiles {
-		oidcprovider.Cmd.Run(oidcprovider.Cmd, []string{"", mode, oidcConfigInput.IssuerUrl})
+	oidcConfigId := oidcConfigStrategy.execute(r)
+	if !args.rawFiles && oidcConfigId != "" {
+		oidcprovider.Cmd.Run(oidcprovider.Cmd, []string{"--oidc-config-id", oidcConfigId, "--mode", mode})
 	}
 }
 
 type CreateOidcConfigStrategy interface {
-	execute(r *rosa.Runtime)
+	execute(r *rosa.Runtime) string
 }
 
 type CreateUnmanagedOidcConfigRawStrategy struct {
 	oidcConfig *oidcconfigs.OidcConfigInput
 }
 
-func (s *CreateUnmanagedOidcConfigRawStrategy) execute(r *rosa.Runtime) {
+func (s *CreateUnmanagedOidcConfigRawStrategy) execute(r *rosa.Runtime) string {
 	bucketName := s.oidcConfig.BucketName
 	discoveryDocument := s.oidcConfig.DiscoveryDocument
 	jwks := s.oidcConfig.Jwks
@@ -342,6 +342,8 @@ func (s *CreateUnmanagedOidcConfigRawStrategy) execute(r *rosa.Runtime) {
 			"Please refer to documentation to use generated files to create an OIDC compliant configuration.",
 		)
 	}
+
+	return ""
 }
 
 type CreateUnmanagedOidcConfigAutoStrategy struct {
@@ -353,7 +355,7 @@ const (
 	jwksKey              = "keys.json"
 )
 
-func (s *CreateUnmanagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) {
+func (s *CreateUnmanagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) string {
 	bucketUrl := s.oidcConfig.IssuerUrl
 	bucketName := s.oidcConfig.BucketName
 	discoveryDocument := s.oidcConfig.DiscoveryDocument
@@ -429,13 +431,15 @@ func (s *CreateUnmanagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) {
 		output := fmt.Sprintf(InformOperatorRolesOutput, oidcConfig.ID())
 		r.Reporter.Infof(output)
 	}
+
+	return oidcConfig.ID()
 }
 
 type CreateUnmanagedOidcConfigManualStrategy struct {
 	oidcConfig *oidcconfigs.OidcConfigInput
 }
 
-func (s *CreateUnmanagedOidcConfigManualStrategy) execute(r *rosa.Runtime) {
+func (s *CreateUnmanagedOidcConfigManualStrategy) execute(r *rosa.Runtime) string {
 	commands := []string{}
 	bucketName := s.oidcConfig.BucketName
 	discoveryDocument := s.oidcConfig.DiscoveryDocument
@@ -538,13 +542,15 @@ func (s *CreateUnmanagedOidcConfigManualStrategy) execute(r *rosa.Runtime) {
 			"rosa register oidc-config\n" +
 			"For more information please refer to the documentation")
 	}
+
+	return ""
 }
 
 type CreateManagedOidcConfigAutoStrategy struct {
 	oidcConfigInput *oidcconfigs.OidcConfigInput
 }
 
-func (s *CreateManagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) {
+func (s *CreateManagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) string {
 	var spin *spinner.Spinner
 	if !output.HasFlag() && r.Reporter.IsTerminal() {
 		spin = spinner.New(spinner.CharSets[9], 100*time.Millisecond)
@@ -582,6 +588,8 @@ func (s *CreateManagedOidcConfigAutoStrategy) execute(r *rosa.Runtime) {
 		output := fmt.Sprintf(InformOperatorRolesOutput, oidcConfig.ID())
 		r.Reporter.Infof(output)
 	}
+
+	return oidcConfig.ID()
 }
 
 func getOidcConfigStrategy(mode string, input *oidcconfigs.OidcConfigInput) (CreateOidcConfigStrategy, error) {

diff --git a/cmd/create/oidcprovider/cmd.go b/cmd/create/oidcprovider/cmd.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/openshift-online/ocm-common/pkg/rosa/oidcconfigs"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
+	v1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 	"github.com/spf13/cobra"
 
 	"github.com/openshift/rosa/pkg/aws"
@@ -138,22 +139,51 @@ func run(cmd *cobra.Command, argv []string) {
 		}
 	}
 
-	oidcEndpointURL := ""
-	if cluster != nil {
-		oidcEndpointURL = cluster.AWS().STS().OIDCEndpointURL()
+	var thumbprint *v1.AwsOidcThumbprint
+	if isProgmaticallyCalled && args.oidcEndpointUrl != "" {
+		// In the case of specifying a OIDC endpoint URL explicitly, fetch the
+		// thumbprint directly
+		sha1Thumbprint, err := oidcconfigs.FetchThumbprint(args.oidcEndpointUrl)
+		if err != nil {
+			r.Reporter.Errorf("Unable to get OIDC thumbprint: %s", err)
+			os.Exit(1)
+		}
+		thumbprint, err = v1.NewAwsOidcThumbprint().
+			Thumbprint(sha1Thumbprint).
+			IssuerUrl(args.oidcEndpointUrl).
+			Build()
+		if err != nil {
+			r.Reporter.Errorf("There was an error creating OIDC provider: %s", err)
+			os.Exit(1)
+		}
+	} else if cluster != nil {
+		if cluster.AWS().STS().OIDCEndpointURL() == "" {
+			r.Reporter.Errorf("Cluster '%s' does not have an OIDC endpoint URL; provider cannot be created.", clusterKey)
+			os.Exit(1)
+		}
+
+		thumbprint, err = r.OCMClient.GetThumbprintByClusterId(cluster.ID())
+		if err != nil {
+			r.Reporter.Errorf("Unable to get OIDC thumbprint: %s", err)
+			os.Exit(1)
+		}
 	} else {
-		if isProgmaticallyCalled && args.oidcEndpointUrl != "" {
-			oidcEndpointURL = args.oidcEndpointUrl
-		} else {
-			if args.oidcConfigId == "" {
-				args.oidcConfigId = interactiveOidc.GetOidcConfigID(r, cmd)
-			}
-			oidcConfig, err := r.OCMClient.GetOidcConfig(args.oidcConfigId)
-			if err != nil {
-				r.Reporter.Errorf("There was a problem retrieving OIDC Config '%s': %v", args.oidcConfigId, err)
-				os.Exit(1)
-			}
-			oidcEndpointURL = oidcConfig.IssuerUrl()
+		if args.oidcConfigId == "" {
+			args.oidcConfigId = interactiveOidc.GetOidcConfigID(r, cmd)
+		}
+		oidcConfig, err := r.OCMClient.GetOidcConfig(args.oidcConfigId)
+		if err != nil {
+			r.Reporter.Errorf("There was a problem retrieving OIDC Config '%s': %v", args.oidcConfigId, err)
+			os.Exit(1)
+		}
+		if oidcConfig.IssuerUrl() == "" {
+			r.Reporter.Errorf("OIDC config '%s' does not have an OIDC endpoint URL; provider cannot be created.", args.oidcConfigId)
+			os.Exit(1)
+		}
+		thumbprint, err = r.OCMClient.GetThumbprintByOidcConfigId(oidcConfig.ID())
+		if err != nil {
+			r.Reporter.Errorf("Unable to get OIDC thumbprint: %s", err)
+			os.Exit(1)
 		}
 	}
 
@@ -162,7 +192,7 @@ func run(cmd *cobra.Command, argv []string) {
 		clusterId = cluster.ID()
 	}
 
-	oidcProviderExists, err := r.AWSClient.HasOpenIDConnectProvider(oidcEndpointURL,
+	oidcProviderExists, err := r.AWSClient.HasOpenIDConnectProvider(thumbprint.IssuerUrl(),
 		r.Creator.Partition, r.Creator.AccountID)
 	if err != nil {
 		if strings.Contains(err.Error(), "AccessDenied") {
@@ -196,7 +226,7 @@ func run(cmd *cobra.Command, argv []string) {
 		if !confirm.Prompt(true, confirmPromptMessage) {
 			os.Exit(0)
 		}
-		err = createProvider(r, oidcEndpointURL, clusterId)
+		err = createProvider(r, thumbprint, clusterId)
 		if err != nil {
 			r.Reporter.Errorf("There was an error creating the OIDC provider: %s", err)
 			r.OCMClient.LogEvent("ROSACreateOIDCProviderModeAuto", map[string]string{
@@ -210,7 +240,7 @@ func run(cmd *cobra.Command, argv []string) {
 			ocm.Response:  ocm.Success,
 		})
 	case aws.ModeManual:
-		commands, err := buildCommands(r, oidcEndpointURL, clusterId)
+		commands, err := buildCommands(r, thumbprint, clusterId)
 		if err != nil {
 			r.Reporter.Errorf("There was an error building the list of resources: %s", err)
 			os.Exit(1)
@@ -232,14 +262,11 @@ func run(cmd *cobra.Command, argv []string) {
 	}
 }
 
-func createProvider(r *rosa.Runtime, oidcEndpointUrl string, clusterId string) error {
-	thumbprint, err := oidcconfigs.FetchThumbprint(oidcEndpointUrl)
-	if err != nil {
-		return err
-	}
-	r.Reporter.Debugf("Using thumbprint '%s'", thumbprint)
+func createProvider(r *rosa.Runtime, thumbprint *v1.AwsOidcThumbprint, clusterId string) error {
+	r.Reporter.Debugf("Using thumbprint '%s'", thumbprint.Thumbprint())
 
-	oidcProviderARN, err := r.AWSClient.CreateOpenIDConnectProvider(oidcEndpointUrl, thumbprint, clusterId)
+	oidcProviderARN, err := r.AWSClient.CreateOpenIDConnectProvider(thumbprint.IssuerUrl(),
+		thumbprint.Thumbprint(), clusterId)
 	if err != nil {
 		return err
 	}
@@ -250,14 +277,10 @@ func createProvider(r *rosa.Runtime, oidcEndpointUrl string, clusterId string) e
 	return nil
 }
 
-func buildCommands(r *rosa.Runtime, oidcEndpointUrl string, clusterId string) (string, error) {
+func buildCommands(r *rosa.Runtime, thumbprint *v1.AwsOidcThumbprint, clusterId string) (string, error) {
 	commands := []string{}
 
-	thumbprint, err := oidcconfigs.FetchThumbprint(oidcEndpointUrl)
-	if err != nil {
-		return "", err
-	}
-	r.Reporter.Debugf("Using thumbprint '%s'", thumbprint)
+	r.Reporter.Debugf("Using thumbprint '%s'", thumbprint.Thumbprint())
 
 	iamTags := map[string]string{
 		tags.RedHatManaged: tags.True,
@@ -270,9 +293,9 @@ func buildCommands(r *rosa.Runtime, oidcEndpointUrl string, clusterId string) (s
 
 	createOpenIDConnectProvider := awscb.NewIAMCommandBuilder().
 		SetCommand(awscb.CreateOpenIdConnectProvider).
-		AddParam(awscb.Url, oidcEndpointUrl).
+		AddParam(awscb.Url, thumbprint.IssuerUrl()).
 		AddParam(awscb.ClientIdList, clientIdList).
-		AddParam(awscb.ThumbprintList, thumbprint).
+		AddParam(awscb.ThumbprintList, thumbprint.Thumbprint()).
 		AddTags(iamTags).
 		Build()
 	commands = append(commands, createOpenIDConnectProvider)

diff --git a/go.mod b/go.mod
@@ -4,6 +4,10 @@ go 1.21
 
 toolchain go1.21.3
 
+replace github.com/openshift-online/ocm-sdk-go => ../../openshift-online/ocm-sdk-go
+
+replace github.com/openshift-online/ocm-common => ../../openshift-online/ocm-common
+
 require (
 	github.com/AlecAivazis/survey/v2 v2.2.15
 	github.com/Masterminds/semver v1.5.0

diff --git a/go.sum b/go.sum
@@ -262,10 +262,6 @@ github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4
 github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
 github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
-github.com/openshift-online/ocm-common v0.0.0-20240129111424-ff8c6c11d909 h1:WV67GNazQuGDaLX3kBbz0859NYPOQCsDCY5XUScF85M=
-github.com/openshift-online/ocm-common v0.0.0-20240129111424-ff8c6c11d909/go.mod h1:7FaAb07S63RF4sFMLSLtQaJLvPdaRnhAT4dBLD8/5kM=
-github.com/openshift-online/ocm-sdk-go v0.1.411 h1:DlNHC3yqmk77Wzc+YJBsd0ccHXn7JFwGC1C1NOp/faw=
-github.com/openshift-online/ocm-sdk-go v0.1.411/go.mod h1:CiAu2jwl3ITKOxkeV0Qnhzv4gs35AmpIzVABQLtcI2Y=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/pkg/ocm/helpers.go b/pkg/ocm/helpers.go
@@ -38,6 +38,7 @@ import (
 	common "github.com/openshift-online/ocm-common/pkg/ocm/validations"
 	amsv1 "github.com/openshift-online/ocm-sdk-go/accountsmgmt/v1"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
+	v1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 	ocmerrors "github.com/openshift-online/ocm-sdk-go/errors"
 	errors "github.com/zgalor/weberr"
 
@@ -276,6 +277,26 @@ func (c *Client) GetCurrentOrganization() (id string, externalID string, err err
 	return
 }
 
+func (c *Client) GetThumbprintByClusterId(clusterId string) (*v1.AwsOidcThumbprint, error) {
+	response, err := c.ocm.ClustersMgmt().V1().AWSInquiries().OidcThumbprint().
+		Get().ClusterId(clusterId).Send()
+	if err != nil {
+		return nil, err
+	}
+
+	return response.Body(), nil
+}
+
+func (c *Client) GetThumbprintByOidcConfigId(oidcConfigId string) (*v1.AwsOidcThumbprint, error) {
+	response, err := c.ocm.ClustersMgmt().V1().AWSInquiries().OidcThumbprint().
+		Get().OidcConfigId(oidcConfigId).Send()
+	if err != nil {
+		return nil, err
+	}
+
+	return response.Body(), nil
+}
+
 func (c *Client) IsCapabilityEnabled(capability string) (enabled bool, err error) {
 	organizationID, _, err := c.GetCurrentOrganization()
 	if err != nil {

diff --git a/pkg/ocm/oidc_config.go b/pkg/ocm/oidc_config.go
@@ -30,6 +30,18 @@ func (c *Client) GetOidcConfig(id string) (*cmv1.OidcConfig, error) {
 	return response.Body(), nil
 }
 
+func (c *Client) GetOidcConfigWithThumbprint(id string) (*cmv1.OidcConfig, error) {
+	response, err := c.ocm.ClustersMgmt().V1().
+		OidcConfigs().OidcConfig(id).Get().
+		Parameter("fetchThumbprint", true).
+		Send()
+	if err != nil {
+		return nil, handleErr(response.Error(), err)
+	}
+
+	return response.Body(), nil
+}
+
 func (c *Client) ListOidcConfigs(awsAccountId string) ([]*cmv1.OidcConfig, error) {
 	response, err := c.ocm.ClustersMgmt().V1().
 		OidcConfigs().

diff --git a/vendor/github.com/openshift-online/ocm-common/pkg/aws/errors/errors.go b/vendor/github.com/openshift-online/ocm-common/pkg/aws/errors/errors.go
diff --git a/vendor/github.com/openshift-online/ocm-common/pkg/rosa/oidcconfigs/oidcconfigs.go b/vendor/github.com/openshift-online/ocm-common/pkg/rosa/oidcconfigs/oidcconfigs.go
diff --git a/vendor/github.com/openshift-online/ocm-sdk-go/CHANGES.md b/vendor/github.com/openshift-online/ocm-sdk-go/CHANGES.md