ARO-4373 add RP Feature Flag EnablePublicOIDCBlobAccess

docs/feature-flags.md

@@ -44,3 +44,5 @@ feature flags defined in pkg/env/env.go.  At the time of writing these include:
 
 * EnableOCMEndpoints: Register the OCM endpoints in the frontend. Otherwise the
   endpoints are not available at all.
+
+* EnablePublicOIDCBlobAccess: Allow the Public access to the OIDC blob in case the environment needs a decoupling from an AFD endpoint. Production will always use AFD endpoint so no public access for the production.

pkg/cluster/deploybaseresources.go

@@ -47,7 +47,7 @@ func (m *manager) createOIDC(ctx context.Context) error {
 
 	publicAccess := azstorage.PublicAccessNone
 	// Public access on OIDC Container needed for development environments because of no AFD availability
-	if m.env.IsLocalDevelopmentMode() {
+	if m.env.FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess) {
 		publicAccess = azstorage.PublicAccessBlob
 	}
 	err := m.rpBlob.CreateBlobContainer(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), blobContainerName, publicAccess)

pkg/cluster/deploybaseresources_test.go

@@ -1466,12 +1466,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(afdEndpoint)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(nil)
@@ -1494,12 +1494,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(true)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(storageEndpointForDev)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(true)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(storageEndpointForDev)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessBlob).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(nil)
@@ -1522,10 +1522,10 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblob *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblob *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(errors.New("generic error"))
 			},
 			wantBoundServiceAccountSigningKey: false,
@@ -1545,12 +1545,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(afdEndpoint)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
 				blob.EXPECT().GetAZBlobClient(gomock.Any(), &azblob.ClientOptions{}).Return(azblobClient, errors.New("generic error"))
 			},
@@ -1571,12 +1571,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(afdEndpoint)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(errors.New("generic error"))

pkg/deploy/devconfig.go

@@ -182,6 +182,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 				"RequireD2sV3Workers",
 				"DisableReadinessDelay",
 				"EnableOCMEndpoints",
+				"EnablePublicOIDCBlobAccess",
 			},
 			// TODO update this to support FF
 			RPImagePrefix:                     to.StringPtr(os.Getenv("USER") + "aro.azurecr.io/aro"),

pkg/env/dev.go

@@ -36,6 +36,7 @@ func newDev(ctx context.Context, log *logrus.Entry, component ServiceComponent)
 		FeatureDisableSignedCertificates,
 		FeatureRequireD2sV3Workers,
 		FeatureDisableReadinessDelay,
+		FeatureEnablePublicOIDCBlobAccess,
 	} {
 		d.features[feature] = true
 	}

pkg/env/env.go

@@ -35,6 +35,7 @@ const (
 	FeatureRequireD2sV3Workers
 	FeatureDisableReadinessDelay
 	FeatureEnableOCMEndpoints
+	FeatureEnablePublicOIDCBlobAccess
 )
 
 const (