From 0d6abafcfd9eed1a96599ef63e701496aaecadf6 Mon Sep 17 00:00:00 2001
From: Rajdeep Singh Chauhan
Date: Mon, 10 Jun 2024 15:23:28 -0400
Subject: [PATCH] ARO-4373 add RP Feature Flag EnablePublicOIDCBlobAccess

---
 docs/feature-flags.md | 2 +
 pkg/cluster/deploybaseresources.go | 2 +-
 pkg/cluster/deploybaseresources_test.go | 56 ++++++++++++-------------
 pkg/deploy/devconfig.go | 1 +
 pkg/env/dev.go | 1 +
 pkg/env/env.go | 1 +
 pkg/env/zz_generated_feature_enumer.go | 7 ++--
 7 files changed, 38 insertions(+), 32 deletions(-)

diff --git a/docs/feature-flags.md b/docs/feature-flags.md
index 467ebf11390..64c1116bdc9 100644
--- a/docs/feature-flags.md
+++ b/docs/feature-flags.md
@@ -44,3 +44,5 @@ feature flags defined in pkg/env/env.go. At the time of writing these include:
 * EnableOCMEndpoints: Register the OCM endpoints in the frontend. Otherwise the endpoints are not available at all.
+
+* EnablePublicOIDCBlobAccess: Allow the Public access to the OIDC blob in case the environment needs a decoupling from an AFD endpoint. Production will always use AFD endpoint so no public access for the production.
\ No newline at end of file
diff --git a/pkg/cluster/deploybaseresources.go b/pkg/cluster/deploybaseresources.go
index 9acd50b5dbd..06b97798f54 100644
--- a/pkg/cluster/deploybaseresources.go
+++ b/pkg/cluster/deploybaseresources.go
@@ -47,7 +47,7 @@ func (m *manager) createOIDC(ctx context.Context) error {
 	publicAccess := azstorage.PublicAccessNone
 	// Public access on OIDC Container needed for development environments because of no AFD availability
-	if m.env.IsLocalDevelopmentMode() {
+	if m.env.FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess) {
 		publicAccess = azstorage.PublicAccessBlob
 	}
 	err := m.rpBlob.CreateBlobContainer(ctx, m.env.ResourceGroup(), m.env.OIDCStorageAccountName(), blobContainerName, publicAccess)
diff --git a/pkg/cluster/deploybaseresources_test.go b/pkg/cluster/deploybaseresources_test.go
index 942581a0027..9b445f9b434 100644
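Review bot: The comment kept above the changed condition in pkg/cluster/deploybaseresources.go still says public access is needed "for development environments because of no AFD availability", but the guard is now FeatureEnablePublicOIDCBlobAccess, which any RP deployment can enable through its feature list rather than only local development mode, so the comment no longer describes what actually opens the container. Suggest replacing it with `// Anonymous read access on the OIDC container is granted only when FeatureEnablePublicOIDCBlobAccess is set (environments without an AFD endpoint); production keeps PublicAccessNone.` Because the flag widens who can switch the container to anonymous read, it is also worth emitting a warning-level log line when that branch is taken so the exposure is visible per deployment; the manager's logger is not visible in this hunk, so wire it to whatever createOIDC already logs with. createOIDC begins at the hunk header and continues past the hunk.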
--- a/pkg/cluster/deploybaseresources_test.go
+++ b/pkg/cluster/deploybaseresources_test.go
@@ -1466,12 +1466,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(afdEndpoint)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(nil)
@@ -1494,12 +1494,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(true)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(storageEndpointForDev)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(true)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(storageEndpointForDev)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessBlob).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(nil)
@@ -1522,10 +1522,10 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblob *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblob *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(errors.New("generic error"))
 			},
 			wantBoundServiceAccountSigningKey: false,
@@ -1545,12 +1545,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(afdEndpoint)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
 				blob.EXPECT().GetAZBlobClient(gomock.Any(), &azblob.ClientOptions{}).Return(azblobClient, errors.New("generic error"))
 			},
@@ -1571,12 +1571,12 @@ func TestCreateOIDC(t *testing.T) {
 					},
 				},
 			},
-			mocks: func(blob *mock_azblob.MockManager, env *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
-				env.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
-				env.EXPECT().IsLocalDevelopmentMode().Return(false)
-				env.EXPECT().ResourceGroup().Return(resourceGroupName)
-				env.EXPECT().Environment().Return(&azureclient.PublicCloud)
-				env.EXPECT().OIDCEndpoint().Return(afdEndpoint)
+			mocks: func(blob *mock_azblob.MockManager, menv *mock_env.MockInterface, azblobClient *mock_azblob.MockAZBlobClient) {
+				menv.EXPECT().OIDCStorageAccountName().AnyTimes().Return(oidcStorageAccountName)
+				menv.EXPECT().FeatureIsSet(env.FeatureEnablePublicOIDCBlobAccess).Return(false)
+				menv.EXPECT().ResourceGroup().Return(resourceGroupName)
+				menv.EXPECT().Environment().Return(&azureclient.PublicCloud)
+				menv.EXPECT().OIDCEndpoint().Return(afdEndpoint)
 				blob.EXPECT().CreateBlobContainer(gomock.Any(), resourceGroupName, oidcStorageAccountName, gomock.Any(), azstorage.PublicAccessNone).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.DiscoveryDocumentKey, gomock.Any()).Return(nil)
 				azblobClient.EXPECT().UploadBuffer(gomock.Any(), "", oidcbuilder.JWKSKey, gomock.Any()).Return(errors.New("generic error"))
diff --git a/pkg/deploy/devconfig.go b/pkg/deploy/devconfig.go
index d5d17d8b8ce..960e73a9aa0 100644
--- a/pkg/deploy/devconfig.go
+++ b/pkg/deploy/devconfig.go
@@ -182,6 +182,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 				"RequireD2sV3Workers",
 				"DisableReadinessDelay",
 				"EnableOCMEndpoints",
+				"EnablePublicOIDCBlobAccess",
 			},
 			// TODO update this to support FF
 			RPImagePrefix: to.StringPtr(os.Getenv("USER") + "aro.azurecr.io/aro"),
diff --git a/pkg/env/dev.go b/pkg/env/dev.go
index 8ca201be3d4..9edf1698901 100644
--- a/pkg/env/dev.go
+++ b/pkg/env/dev.go
@@ -36,6 +36,7 @@ func newDev(ctx context.Context, log *logrus.Entry, component ServiceComponent)
 		FeatureDisableSignedCertificates,
 		FeatureRequireD2sV3Workers,
 		FeatureDisableReadinessDelay,
+		FeatureEnablePublicOIDCBlobAccess,
 	} {
 		d.features[feature] = true
 	}
diff --git a/pkg/env/env.go b/pkg/env/env.go
index 6c334eedd8d..5fd94515d37 100644
--- a/pkg/env/env.go
+++ b/pkg/env/env.go
@@ -35,6 +35,7 @@ const (
 	FeatureRequireD2sV3Workers
 	FeatureDisableReadinessDelay
 	FeatureEnableOCMEndpoints
+	FeatureEnablePublicOIDCBlobAccess
 )
 
 const (
diff --git a/pkg/env/zz_generated_feature_enumer.go b/pkg/env/zz_generated_feature_enumer.go
index 13c788b33d6..f9793262abe 100644
--- a/pkg/env/zz_generated_feature_enumer.go
+++ b/pkg/env/zz_generated_feature_enumer.go
@@ -6,9 +6,9 @@ import (
 	"fmt"
 )
 
-const _FeatureName = "FeatureDisableDenyAssignmentsFeatureDisableSignedCertificatesFeatureEnableDevelopmentAuthorizerFeatureRequireD2sV3WorkersFeatureDisableReadinessDelayFeatureEnableOCMEndpoints"
+const _FeatureName = "FeatureDisableDenyAssignmentsFeatureDisableSignedCertificatesFeatureEnableDevelopmentAuthorizerFeatureRequireD2sV3WorkersFeatureDisableReadinessDelayFeatureEnableOCMEndpointsFeatureEnablePublicOIDCBlobAccess"
 
-var _FeatureIndex = [...]uint8{0, 29, 61, 95, 121, 149, 174}
+var _FeatureIndex = [...]uint8{0, 29, 61, 95, 121, 149, 174, 207}
 
 func (i Feature) String() string {
 	if i < 0 || i >= Feature(len(_FeatureIndex)-1) {
@@ -17,7 +17,7 @@ func (i Feature) String() string {
 	return _FeatureName[_FeatureIndex[i]:_FeatureIndex[i+1]]
 }
 
-var _FeatureValues = []Feature{0, 1, 2, 3, 4, 5}
+var _FeatureValues = []Feature{0, 1, 2, 3, 4, 5, 6}
 
 var _FeatureNameToValueMap = map[string]Feature{
 	_FeatureName[0:29]: 0,
@@ -26,6 +26,7 @@ var _FeatureNameToValueMap = map[string]Feature{
 	_FeatureName[95:121]: 3,
 	_FeatureName[121:149]: 4,
 	_FeatureName[149:174]: 5,
+	_FeatureName[174:207]: 6,
 }
 
 // FeatureString retrieves an enum value from the enum constants string name.
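Review bot: FeatureEnablePublicOIDCBlobAccess is appended to the Feature iota block in pkg/env/env.go with no comment, and because setting it makes the OIDC blob container anonymously readable (see the pkg/cluster/deploybaseresources.go hunk), the constant is where a maintainer scanning the feature list would want that stated. Suggest `// FeatureEnablePublicOIDCBlobAccess grants anonymous read access to the OIDC blob container for environments without an AFD endpoint; do not set it in production (see docs/feature-flags.md).` Appending at the end of the block preserves the existing constant values and agrees with the regenerated enumer table in the same commit. The const block opens before this hunk.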