From 77e50eb2cbaa6cb83c9a16516d120002091065ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Drzewiecki?=
Date: Mon, 16 Sep 2024 11:18:48 +0200
Subject: [PATCH] adds OIDC conditions
---
 api/v1/runtime_types.go | 2 ++
 .../runtime/fsm/runtime_fsm_configure_oidc.go | 34 ++++++++++++++++---
 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/api/v1/runtime_types.go b/api/v1/runtime_types.go
index e4bd0446..257f1c7d 100644
--- a/api/v1/runtime_types.go
+++ b/api/v1/runtime_types.go
@@ -101,6 +101,8 @@ const (
 ConditionReasonAuditLogConfigured = RuntimeConditionReason("AuditLogConfigured")
 ConditionReasonAuditLogError = RuntimeConditionReason("AuditLogErr")
 ConditionReasonAuditLogMissingRegionMapping = RuntimeConditionReason("AuditLogMissingRegionMappingErr")
+ ConditionReasonOidcConfigured = RuntimeConditionReason("OidcConfigured")
+ ConditionReasonOidcError = RuntimeConditionReason("OidcConfigurationErr")
 )
 //+kubebuilder:object:root=true
diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go
index e3f3d37a..362e4742 100644
--- a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go
+++ b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go
@@ -17,24 +17,32 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct
 if !isOidcExtensionEnabled(*s.shoot) {
 m.log.Info("OIDC extension is disabled")
+ s.instance.UpdateStateReady(
+ imv1.ConditionTypeOidcConfigured,
+ imv1.ConditionReasonOidcConfigured,
+ "OIDC extension disabled",
+ )
 updateStatusAndStop()
 }
- if s.instance.Spec.Shoot.Kubernetes.KubeAPIServer.AdditionalOidcConfig == nil {
- var error = errors.New("default OIDC configuration is not present")
- m.log.Error(error, "default OIDC configuration is not present")
- return updateStatusAndStopWithError(error)
+ validationError := validateOidcConfiguration(s.instance)
+ if validationError != nil {
+ m.log.Error(validationError, "default OIDC configuration is not present")
+ updateConditionFailed(&s.instance)
+ return updateStatusAndStopWithError(validationError)
 }
 err := createOpenIdConnectResources(ctx, m, s)
 if err != nil {
 m.log.Error(err, "Failed to create OpenIDConnect resource")
+ updateConditionFailed(&s.instance)
+ return updateStatusAndStopWithError(err)
 }
 s.instance.UpdateStateReady(
 imv1.ConditionTypeOidcConfigured,
- imv1.ConditionReasonConfigurationCompleted,
+ imv1.ConditionReasonOidcConfigured,
 "OIDC configuration completed",
 )
@@ -43,6 +51,13 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct
 return updateStatusAndStop()
 }
+func validateOidcConfiguration(rt imv1.Runtime) (err error) {
+ if rt.Spec.Shoot.Kubernetes.KubeAPIServer.AdditionalOidcConfig == nil {
+ err = errors.New("default OIDC configuration is not present")
+ }
+ return err
+}
+
 func createOpenIdConnectResources(ctx context.Context, m *fsm, s *systemState) error {
 srscClient := m.ShootClient.SubResource("adminkubeconfig")
 shootAdminClient, shootClientError := GetShootClient(ctx, srscClient, s.shoot)
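Review bot: The disabled-extension branch at the top of the hunk sets the OidcConfigured condition to Ready and then calls `updateStatusAndStop()` without returning its result, so execution falls through into `validateOidcConfiguration` and `createOpenIdConnectResources`; with the new condition handling, a runtime whose OIDC extension is disabled and which has no default OIDC config will first be marked Ready and then immediately overwritten by `updateConditionFailed`, which is what an operator would read in the status. That context line predates this commit, but the added condition makes the fall-through observable. If the branch is meant to end the state the way the function's final `return updateStatusAndStop()` does, the line should read `return updateStatusAndStop()`. sFnConfigureOidc begins before this hunk and ends after it.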
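Review bot: `validateOidcConfiguration` takes `imv1.Runtime` by value, so every call copies the whole Runtime object, while the sibling helper `updateConditionFailed` introduced in the same commit takes `*imv1.Runtime`; taking a pointer here keeps the two helpers consistent and avoids the copy. The named result assigned inside the `if` also reads less directly than an early return: `if rt.Spec.Shoot.Kubernetes.KubeAPIServer.AdditionalOidcConfig == nil { return errors.New("default OIDC configuration is not present") }` followed by `return nil`. A doc comment such as `// validateOidcConfiguration returns an error when the Runtime carries no default OIDC configuration.` would make clear that a nil AdditionalOidcConfig is the only condition checked.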
@@ -92,3 +107,12 @@ func createOpenIDConnectResource(additionalOidcConfig gardener.OIDCConfig, oidcI
 return cr
 }
+
+func updateConditionFailed(rt *imv1.Runtime) {
+ rt.UpdateStatePending(
+ imv1.ConditionTypeOidcConfigured,
+ imv1.ConditionReasonOidcError,
+ string(metav1.ConditionFalse),
+ "failed to configure OIDC",
+ )
+}
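Review bot: `updateConditionFailed` records the same message `"failed to configure OIDC"` for both the missing-default-config case and the OpenIDConnect resource creation failure, so the Runtime condition cannot tell an operator which step failed even though each caller holds the concrete error; accepting the message as a parameter keeps that detail, `func updateConditionFailed(rt *imv1.Runtime, msg string)` with `msg` in place of the literal, and the two callers passing `validationError.Error()` and `err.Error()`. The helper also lacks a doc comment; `// updateConditionFailed marks the OidcConfigured condition as not met with reason OidcError and moves the Runtime to the pending state.` would state the contract, assuming UpdateStatePending does what its name suggests since its body is not in the hunk. Whether `metav1` is already imported in this file is not visible here.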