ROX-23709: Load token from file in fleetshard-sync

.secrets.baseline

@@ -330,6 +330,16 @@
         "line_number": 1057
       }
     ],
+    "pkg/client/fleetmanager/impl/testdata/token": [
+      {
+        "type": "JSON Web Token",
+        "filename": "pkg/client/fleetmanager/impl/testdata/token",
+        "hashed_secret": "d6b66ddd9ea7dbe760114bfe9a97352a5e139134",
+        "is_verified": true,
+        "is_secret": false,
+        "line_number": 1
+      }
+    ],
     "pkg/client/fleetmanager/mocks/client_moq.go": [
       {
         "type": "Secret Keyword",
@@ -463,5 +473,5 @@
       }
     ]
   },
-  "generated_at": "2024-05-13T18:42:38Z"
+  "generated_at": "2024-05-14T09:23:23Z"
 }

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml

@@ -11,6 +11,7 @@ spec:
     name: fleetshard-sync
     creationPolicy: Owner
   data:
+    {{- if eq "RHSSO" .Values.fleetshardSync.authType }}
     - secretKey: rhsso-service-account-client-id # pragma: allowlist secret
       remoteRef:
         key: "fleetshard-sync"
@@ -19,6 +20,7 @@ spec:
       remoteRef:
         key: "fleetshard-sync"
         property: "rhsso_service_account_client_secret"
+    {{- end }}
     - secretKey: telemetry-storage-key # pragma: allowlist secret
       remoteRef:
         key: "fleetshard-sync"

dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml

@@ -57,6 +57,7 @@ spec:
           value: {{ .Values.fleetshardSync.egressProxy.image | quote }}
         - name: SECURE_TENANT_NETWORK
           value: {{ .Values.fleetshardSync.secureTenantNetwork | quote }}
+        {{- if eq "RHSSO" .Values.fleetshardSync.authType }}
         - name: RHSSO_SERVICE_ACCOUNT_CLIENT_ID
           valueFrom:
             secretKeyRef:
@@ -73,6 +74,7 @@ spec:
           value: {{ .Values.fleetshardSync.redHatSSO.realm }}
         - name: RHSSO_ENDPOINT
           value: {{ .Values.fleetshardSync.redHatSSO.endpoint }}
+        {{- end }}
         - name: AUDIT_LOG_ENABLED
           value: {{ .Values.fleetshardSync.auditLogs.enabled | quote }}
         - name: AUDIT_LOG_SKIP_TLS_VERIFY
@@ -128,9 +130,17 @@ spec:
           value: {{ .Values.fleetshardSync.addonAutoUpgradeEnabled | quote }}
         - name: FLEETSHARD_ADDON_NAME
           value: {{ .Values.fleetshardSync.addonName | quote }}
+        {{- if eq "SERVICE_ACCOUNT_TOKEN" .Values.fleetshardSync.authType }}
+        - name: FLEET_MANAGER_TOKEN_FILE
+          value: "/var/run/secrets/tokens/fleet-manager-token"
+        {{- end }}
         volumeMounts:
           - mountPath: /var/run/secrets/tokens
             name: aws-token
+          {{- if eq "SERVICE_ACCOUNT_TOKEN" .Values.fleetshardSync.authType }}
+          - mountPath: /var/run/secrets/tokens
+            name: fleet-manager-token
+          {{- end }}
         ports:
         - name: monitoring
           containerPort: 8080
@@ -148,3 +158,13 @@ spec:
               - serviceAccountToken:
                   path: aws-token
                   audience: sts.amazonaws.com
+                  expirationSeconds: 3600
+        {{- if eq "SERVICE_ACCOUNT_TOKEN" .Values.fleetshardSync.authType }}
+        - name: fleet-manager-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: fleet-manager-token
+                  audience: acs-fleet-manager-private-api
+                  expirationSeconds: 3600
+        {{- end }}

dp-terraform/helm/rhacs-terraform/values.yaml

@@ -6,8 +6,8 @@ fleetshardSync:
   image:
     repo: "quay.io/app-sre/acs-fleet-manager"
     tag: "main"
-  # Can be either OCM, RHSSO, STATIC_TOKEN. When choosing RHSSO, make sure the clientId/secret is set. By default, uses RHSSO.
-  authType: "RHSSO"
+  # Can be either OCM, RHSSO, STATIC_TOKEN, SERVICE_ACCOUNT_TOKEN. When choosing RHSSO, make sure the clientId/secret is set. By default, uses SERVICE_ACCOUNT_TOKEN.
+  authType: "SERVICE_ACCOUNT_TOKEN"
   # OCM refresh token, only required in combination with authType=OCM.
   ocmToken: ""
   fleetManagerEndpoint: ""

dp-terraform/test/helm_template_test.go

@@ -0,0 +1,62 @@
+package test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/gruntwork-io/terratest/modules/k8s"
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestHelmTemplate_FleetshardSyncDeployment_ServiceAccountTokenAuthType(t *testing.T) {
+	t.Parallel()
+
+	helmChartPath, err := filepath.Abs("../helm/rhacs-terraform")
+	releaseName := "rhacs-terraform"
+	require.NoError(t, err)
+
+	namespaceName := "rhacs"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"secured-cluster.enabled":          "false",
+			"fleetshardSync.managedDB.enabled": "false",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/fleetshard-sync.yaml"})
+
+	var deployment appsv1.Deployment
+	helm.UnmarshalK8SYaml(t, output, &deployment)
+
+	container := deployment.Spec.Template.Spec.Containers[0]
+	require.Equal(t, "fleetshard-sync", container.Name)
+
+	volumes := deployment.Spec.Template.Spec.Volumes
+	require.Equal(t, 2, len(volumes))
+	volume := volumes[1]
+	require.Equal(t, "fleet-manager-token", volume.Name)
+
+	envVars := container.Env
+	require.Equal(t, "SERVICE_ACCOUNT_TOKEN", findEnvVar("AUTH_TYPE", envVars))
+	require.Empty(t, findEnvVar("RHSSO_SERVICE_ACCOUNT_CLIENT_ID", envVars))
+	require.Empty(t, findEnvVar("RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET", envVars))
+	require.Empty(t, findEnvVar("RHSSO_REALM", envVars))
+	require.Empty(t, findEnvVar("RHSSO_ENDPOINT", envVars))
+
+	tokenFile := findEnvVar("FLEET_MANAGER_TOKEN_FILE", envVars)
+	require.NotEmpty(t, tokenFile)
+}
+
+func findEnvVar(name string, envVars []corev1.EnvVar) string {
+	for _, envVar := range envVars {
+		if envVar.Name == name {
+			return envVar.Value
+		}
+	}
+	return ""
+}

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
+	github.com/gruntwork-io/terratest v0.46.14
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/lib/pq v1.10.9
 	github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103
@@ -78,9 +79,11 @@ require (
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cloudflare/cfssl v1.6.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
@@ -89,14 +92,22 @@ require (
 	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/go-sql-driver/mysql v1.7.1 // indirect
 	github.com/go-task/slim-sprig v2.20.0+incompatible // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/gonvenience/bunt v1.3.5 // indirect
+	github.com/gonvenience/neat v1.3.12 // indirect
+	github.com/gonvenience/term v1.0.2 // indirect
+	github.com/gonvenience/text v1.0.7 // indirect
+	github.com/gonvenience/wrap v1.1.2 // indirect
+	github.com/gonvenience/ytbx v1.4.4 // indirect
 	github.com/google/certificate-transparency-go v1.1.7 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -105,8 +116,10 @@ require (
 	github.com/gorilla/schema v1.2.1 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
+	github.com/gruntwork-io/go-commons v0.8.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/homeport/dyff v1.6.0 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -120,30 +133,45 @@ require (
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-ciede2000 v0.0.0-20170301095244-782e8c62fec3 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.23 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/hashstructure v1.1.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/openshift/client-go v0.0.0-20230926161409-848405da69e1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pquerna/otp v1.2.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.66.0-rhobs1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/segmentio/analytics-go/v3 v3.3.0 // indirect
 	github.com/segmentio/backo-go v1.0.1 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/stackrox/scanner v0.0.0-20240110222630-351caa1e0024 // indirect
 	github.com/stretchr/objx v0.5.1 // indirect
+	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/tkuchiki/go-timezone v0.2.2 // indirect
+	github.com/urfave/cli v1.22.14 // indirect
+	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 // indirect
 	github.com/weppos/publicsuffix-go v0.30.1-0.20230620154423-38c92ad2d5c6 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -153,6 +181,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20230307190834-24139beb5833 // indirect
 	golang.org/x/term v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
@@ -166,6 +195,7 @@ require (
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	honnef.co/go/tools v0.4.6 // indirect
 	k8s.io/apiextensions-apiserver v0.29.1 // indirect
 	k8s.io/component-base v0.29.1 // indirect
 	k8s.io/klog/v2 v2.120.0 // indirect