operator: start externaloidc controller behind a featuregates accessor

openshift · Nov 19, 2024 · 5457a34 · 5457a34
1 parent 5d8965d
commit 5457a34
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 0 deletions.
diff --git a/pkg/operator/replacement_starter.go b/pkg/operator/replacement_starter.go
@@ -318,5 +318,12 @@ func CreateOperatorStarter(ctx context.Context, authOperatorInput *authenticatio
 	ret.ControllerRunFns = append(ret.ControllerRunFns, oauthAPIServerRunFns...)
 	ret.ControllerNamedRunOnceFns = append(ret.ControllerNamedRunOnceFns, oauthAPIServerRunOnceFns...)
 
+	externalOIDCRunOnceFns, externalOIDCRunFns, err := prepareExternalOIDC(ctx, authOperatorInput, informerFactories)
+	if err != nil {
+		return nil, fmt.Errorf("unable to prepare external OIDC: %w", err)
+	}
+	ret.ControllerRunFns = append(ret.ControllerRunFns, externalOIDCRunFns...)
+	ret.ControllerNamedRunOnceFns = append(ret.ControllerNamedRunOnceFns, externalOIDCRunOnceFns...)
+
 	return ret, nil
 }
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -12,13 +12,15 @@ import (
 	"github.com/openshift/multi-operator-manager/pkg/library/libraryapplyconfiguration"
 
 	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/api/features"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
 	"github.com/openshift/cluster-authentication-operator/bindata"
 	"github.com/openshift/cluster-authentication-operator/pkg/controllers/configobservation/configobservercontroller"
 	componentroutesecretsync "github.com/openshift/cluster-authentication-operator/pkg/controllers/customroute"
 	"github.com/openshift/cluster-authentication-operator/pkg/controllers/deployment"
+	"github.com/openshift/cluster-authentication-operator/pkg/controllers/externaloidc"
 	"github.com/openshift/cluster-authentication-operator/pkg/controllers/ingressnodesavailable"
 	"github.com/openshift/cluster-authentication-operator/pkg/controllers/ingressstate"
 	"github.com/openshift/cluster-authentication-operator/pkg/controllers/metadata"
@@ -39,6 +41,7 @@ import (
 	workloadcontroller "github.com/openshift/library-go/pkg/operator/apiserver/controller/workload"
 	apiservercontrollerset "github.com/openshift/library-go/pkg/operator/apiserver/controllerset"
 	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"github.com/openshift/library-go/pkg/operator/csr"
 	"github.com/openshift/library-go/pkg/operator/encryption"
 	"github.com/openshift/library-go/pkg/operator/encryption/controllers/migrators"
@@ -671,6 +674,57 @@ func prepareOauthAPIServerOperator(
 	return runOnceFns, runFns, nil
 }
 
+func prepareExternalOIDC(
+	ctx context.Context,
+	authOperatorInput *authenticationOperatorInput,
+	informerFactories authenticationOperatorInformerFactories,
+) ([]libraryapplyconfiguration.NamedRunOnce, []libraryapplyconfiguration.RunFunc, error) {
+
+	// By default, this will exit(0) if the featuregates change
+	featureGateAccessor := featuregates.NewFeatureGateAccess(
+		status.VersionForOperatorFromEnv(), "0.0.1-snapshot",
+		informerFactories.operatorConfigInformer.Config().V1().ClusterVersions(),
+		informerFactories.operatorConfigInformer.Config().V1().FeatureGates(),
+		authOperatorInput.eventRecorder,
+	)
+	go featureGateAccessor.Run(ctx)
+
+	var featureGates featuregates.FeatureGate
+	select {
+	case <-featureGateAccessor.InitialFeatureGatesObserved():
+		var err error
+		featureGates, err = featureGateAccessor.CurrentFeatureGates()
+		if err != nil {
+			return nil, nil, fmt.Errorf("error while accessing current featuregates: %v", err)
+		}
+
+	case <-time.After(1 * time.Minute):
+		klog.Errorf("timed out waiting for FeatureGate detection")
+		return nil, nil, fmt.Errorf("timed out waiting for FeatureGate detection")
+	}
+
+	if !featureGates.Enabled(features.FeatureGateExternalOIDC) {
+		return nil, nil, nil
+	}
+
+	externalOIDCController := externaloidc.NewExternalOIDCController(
+		informerFactories.kubeInformersForNamespaces,
+		informerFactories.operatorConfigInformer,
+		authOperatorInput.authenticationOperatorClient,
+		authOperatorInput.kubeClient.CoreV1(),
+		authOperatorInput.eventRecorder,
+	)
+
+	runOnceFns := []libraryapplyconfiguration.NamedRunOnce{
+		libraryapplyconfiguration.AdaptSyncFn(authOperatorInput.eventRecorder, "TODO-other-externalOIDCController", externalOIDCController.Sync),
+	}
+	runFns := []libraryapplyconfiguration.RunFunc{
+		libraryapplyconfiguration.AdaptRunFn(externalOIDCController.Run),
+	}
+
+	return runOnceFns, runFns, nil
+}
+
 func singleNameListOptions(name string) func(opts *metav1.ListOptions) {
 	return func(opts *metav1.ListOptions) {
 		opts.FieldSelector = fields.OneTermEqualSelector("metadata.name", name).String()