Merge pull request #373 from Disper/oidc-enabled-only-for-clusters-ma…

…naged-by-kim oidc extension added only if controlled-by-provisioner value is disabled
kyma-project · Sep 16, 2024 · a01253e · a01253e
2 parents e67a6d3 + 4efed7b
commit a01253e
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 30 deletions.
diff --git a/internal/gardener/shoot/extender/dns_test.go b/internal/gardener/shoot/extender/dns_test.go
@@ -58,6 +58,7 @@ func fixEmptyGardenerShoot(name, namespace string) gardener.Shoot {
 		ObjectMeta: v1.ObjectMeta{
 			Name:      name,
 			Namespace: namespace,
+			Labels:    map[string]string{},
 		},
 		Spec: gardener.ShootSpec{},
 	}

diff --git a/internal/gardener/shoot/extender/oidc.go b/internal/gardener/shoot/extender/oidc.go
@@ -13,12 +13,25 @@ const (
 func ExtendWithOIDC(runtime imv1.Runtime, shoot *gardener.Shoot) error {
 	oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig
 
-	setOIDCExtension(shoot)
+	if CanEnableExtension(runtime) {
+		setOIDCExtension(shoot)
+	}
 	setKubeAPIServerOIDCConfig(shoot, oidcConfig)
 
 	return nil
 }
 
+func CanEnableExtension(runtime imv1.Runtime) bool {
+	canEnable := true
+	createdByMigrator := runtime.Labels["operator.kyma-project.io/created-by-migrator"]
+
+	if createdByMigrator == "true" {
+		canEnable = false
+	}
+
+	return canEnable
+}
+
 func setOIDCExtension(shoot *gardener.Shoot) {
 	oidcService := gardener.Extension{
 		Type:     OidcExtensionType,

diff --git a/internal/gardener/shoot/extender/oidc_test.go b/internal/gardener/shoot/extender/oidc_test.go
@@ -1,6 +1,7 @@
 package extender
 
 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"testing"
 
 	gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
@@ -10,42 +11,74 @@ import (
 )
 
 func TestOidcExtender(t *testing.T) {
-	t.Run("Create kubernetes config", func(t *testing.T) {
-		// given
-		clientID := "client-id"
-		groupsClaim := "groups"
-		issuerURL := "https://my.cool.tokens.com"
-		usernameClaim := "sub"
+	const MigratorLabel = "operator.kyma-project.io/created-by-migrator"
+	for _, testCase := range []struct {
+		name                         string
+		migratorLabel                map[string]string
+		expectedOidcExtensionEnabled bool
+	}{
+		{
+			name:                         "label created-by-migrator=true should not configure OIDC",
+			migratorLabel:                map[string]string{MigratorLabel: "true"},
+			expectedOidcExtensionEnabled: false,
+		},
+		{
+			name:                         "label created-by-migrator=false should configure OIDC",
+			migratorLabel:                map[string]string{MigratorLabel: "false"},
+			expectedOidcExtensionEnabled: true,
+		},
+		{
+			name:                         "label created-by-migrator unset should configure OIDC",
+			migratorLabel:                nil,
+			expectedOidcExtensionEnabled: true,
+		},
+	} {
+		t.Run(testCase.name, func(t *testing.T) {
+			// given
+			clientID := "client-id"
+			groupsClaim := "groups"
+			issuerURL := "https://my.cool.tokens.com"
+			usernameClaim := "sub"
 
-		shoot := fixEmptyGardenerShoot("test", "kcp-system")
-		runtimeShoot := imv1.Runtime{
-			Spec: imv1.RuntimeSpec{
-				Shoot: imv1.RuntimeShoot{
-					Kubernetes: imv1.Kubernetes{
-						KubeAPIServer: imv1.APIServer{
-							OidcConfig: gardener.OIDCConfig{
-								ClientID:    &clientID,
-								GroupsClaim: &groupsClaim,
-								IssuerURL:   &issuerURL,
-								SigningAlgs: []string{
-									"RS256",
+			shoot := fixEmptyGardenerShoot("test", "kcp-system")
+			runtimeShoot := imv1.Runtime{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						MigratorLabel: testCase.migratorLabel[MigratorLabel],
+					},
+				},
+				Spec: imv1.RuntimeSpec{
+					Shoot: imv1.RuntimeShoot{
+						Kubernetes: imv1.Kubernetes{
+							KubeAPIServer: imv1.APIServer{
+								OidcConfig: gardener.OIDCConfig{
+									ClientID:    &clientID,
+									GroupsClaim: &groupsClaim,
+									IssuerURL:   &issuerURL,
+									SigningAlgs: []string{
+										"RS256",
+									},
+									UsernameClaim: &usernameClaim,
 								},
-								UsernameClaim: &usernameClaim,
 							},
 						},
 					},
 				},
-			},
-		}
+			}
 
-		// when
-		err := ExtendWithOIDC(runtimeShoot, &shoot)
+			// when
+			err := ExtendWithOIDC(runtimeShoot, &shoot)
 
-		// then
-		require.NoError(t, err)
+			// then
+			require.NoError(t, err)
 
-		assert.Equal(t, runtimeShoot.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig, *shoot.Spec.Kubernetes.KubeAPIServer.OIDCConfig)
-		assert.Equal(t, false, *shoot.Spec.Extensions[0].Disabled)
-		assert.Equal(t, "shoot-oidc-service", shoot.Spec.Extensions[0].Type)
-	})
+			assert.Equal(t, runtimeShoot.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig, *shoot.Spec.Kubernetes.KubeAPIServer.OIDCConfig)
+			if testCase.expectedOidcExtensionEnabled {
+				assert.Equal(t, testCase.expectedOidcExtensionEnabled, !*shoot.Spec.Extensions[0].Disabled)
+				assert.Equal(t, "shoot-oidc-service", shoot.Spec.Extensions[0].Type)
+			} else {
+				assert.Equal(t, 0, len(shoot.Spec.Extensions))
+			}
+		})
+	}
 }