
Commit efe36ee

authored
Merge pull request #3003 from hunterkepley/ocm-18278
OCM-18278 | fix: Broken ARN fetching for OIDC providers
2 parents 2e32d20 + 9b48346 commit efe36ee


2 files changed

+29
-32
lines changed


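--- a/cmd/create/iamserviceaccount/cmd.go
+++ b/cmd/create/iamserviceaccount/cmd.go
@@ -78,12 +78,6 @@ func CreateIamServiceAccountRunner(userOptions *iamServiceAccountOpts.CreateIamS
 		roleName = iamserviceaccount.GenerateRoleName(cluster.Name(), userOptions.Namespace, userOptions.ServiceAccountNames[0])
 	}
 
-	// Generate trust policy using existing helpers
-	oidcConfig := cluster.AWS().STS().OidcConfig()
-	if oidcConfig == nil {
-		return fmt.Errorf("cluster '%s' does not have OIDC configuration", cluster.Name())
-	}
-
 	serviceAccounts := make([]iamserviceaccount.ServiceAccountIdentifier, len(userOptions.ServiceAccountNames))
 	for i, name := range userOptions.ServiceAccountNames {
 		serviceAccounts[i] = iamserviceaccount.ServiceAccountIdentifier{
@@ -149,19 +143,16 @@ func CreateIamServiceAccountRunner(userOptions *iamServiceAccountOpts.CreateIamS
 }
 
 func getOIDCProviderARN(r *rosa.Runtime, cluster *cmv1.Cluster) (string, error) {
-	oidcConfig := cluster.AWS().STS().OidcConfig()
-	if oidcConfig == nil {
-		return "", fmt.Errorf("cluster does not have OIDC configuration")
+	oidcConfigEndpointUrl, ok := cluster.AWS().STS().GetOIDCEndpointURL()
+	if oidcConfigEndpointUrl == "" || !ok {
+		return "", fmt.Errorf("cluster with ID '%s' does not have an OIDC configuration", cluster.ID())
 	}
 
-	providers, err := r.AWSClient.ListOidcProviders(cluster.ID(), oidcConfig)
-	if err != nil {
-		return "", fmt.Errorf("failed to list OIDC providers: %w", err)
-	}
+	providerArn, err := r.AWSClient.GetOpenIDConnectProviderByOidcEndpointUrl(oidcConfigEndpointUrl)
 
-	if len(providers) == 0 {
-		return "", fmt.Errorf("no OIDC provider found for cluster")
+	if err != nil || providerArn == "" {
+		return "", fmt.Errorf("no OIDC provider found for cluster with ID '%s'", cluster.ID())
 	}
 
-	return providers[0].Arn, nil
+	return providerArn, nil
 }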
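Review bot: In getOIDCProviderARN the new `if err != nil || providerArn == ""` folds an error returned by GetOpenIDConnectProviderByOidcEndpointUrl into the same "no OIDC provider found" message as a genuine miss, dropping the underlying cause that the removed `%w` wrap used to preserve; an IAM permission or throttling failure is then reported as a missing provider, which misleads whoever is diagnosing why the role's trust policy could not be built. The two conditions should be split so the lookup error is wrapped and only an empty ARN yields the not-found message. Minor: the guard on the endpoint URL reads more naturally as `if !ok || oidcConfigEndpointUrl == ""`, since the value is not meaningful when `ok` is false. The nil-OidcConfig check removed from CreateIamServiceAccountRunner in the first hunk appears to be replaced by the endpoint-URL check here, presumably because the runner calls getOIDCProviderARN later; that call site is outside the hunk.
```go
func getOIDCProviderARN(r *rosa.Runtime, cluster *cmv1.Cluster) (string, error) {
	// … unchanged: endpoint URL lookup and its guard …
	providerArn, err := r.AWSClient.GetOpenIDConnectProviderByOidcEndpointUrl(oidcConfigEndpointUrl)
	if err != nil {
		return "", fmt.Errorf("looking up OIDC provider for cluster with ID '%s': %w", cluster.ID(), err)
	}
	if providerArn == "" {
		return "", fmt.Errorf("no OIDC provider found for cluster with ID '%s'", cluster.ID())
	}
	return providerArn, nil
}
```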

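--- a/cmd/create/iamserviceaccount/cmd_test.go
+++ b/cmd/create/iamserviceaccount/cmd_test.go
@@ -61,7 +61,8 @@ var _ = Describe("Create IAM Service Account", func() {
 					RoleARN("arn:aws:iam::123456789012:role/test-role").
 					OidcConfig(cmv1.NewOidcConfig().
 						ID("test-oidc-id").
-						IssuerUrl("https://test.example.com"))))
+						IssuerUrl("https://test.example.com")).
+					OIDCEndpointURL("https://test.example.com")))
 			})
 
 			t.SetCluster(cluster.ID(), cluster)
@@ -84,8 +85,8 @@ var _ = Describe("Create IAM Service Account", func() {
 			}
 
 			mockAWS.EXPECT().
-				ListOidcProviders(cluster.ID(), cluster.AWS().STS().OidcConfig()).
-				Return(providers, nil)
+				GetOpenIDConnectProviderByOidcEndpointUrl("https://test.example.com").
+				Return(providers[0].Arn, nil)
 
 			mockAWS.EXPECT().
 				EnsureRole(gomock.Any(), gomock.Any(), gomock.Any(), "", "", gomock.Any(), gomock.Any(), false).
@@ -170,7 +171,8 @@ var _ = Describe("Create IAM Service Account", func() {
 					RoleARN("arn:aws:iam::123456789012:role/test-role").
 					OidcConfig(cmv1.NewOidcConfig().
 						ID("test-oidc-id").
-						IssuerUrl("https://test.example.com"))))
+						IssuerUrl("https://test.example.com")).
+					OIDCEndpointURL("https://test.example.com")))
 			})
 
 			t.SetCluster(cluster.ID(), cluster)
@@ -193,8 +195,8 @@ var _ = Describe("Create IAM Service Account", func() {
 			}
 
 			mockAWS.EXPECT().
-				ListOidcProviders(cluster.ID(), cluster.AWS().STS().OidcConfig()).
-				Return(providers, nil)
+				GetOpenIDConnectProviderByOidcEndpointUrl("https://test.example.com").
+				Return(providers[0].Arn, nil)
 
 			mockAWS.EXPECT().
 				EnsureRole(gomock.Any(), gomock.Any(), gomock.Any(), "", "", gomock.Any(), gomock.Any(), false).
@@ -224,7 +226,8 @@ var _ = Describe("Create IAM Service Account", func() {
 					RoleARN("arn:aws-us-gov:iam::123456789012:role/test-role").
 					OidcConfig(cmv1.NewOidcConfig().
 						ID("test-oidc-id").
-						IssuerUrl("https://test.gov.example.com"))))
+						IssuerUrl("https://test.gov.example.com")).
+					OIDCEndpointURL("https://test.gov.example.com")))
 			})
 
 			t.SetCluster(cluster.ID(), cluster)
@@ -247,8 +250,8 @@ var _ = Describe("Create IAM Service Account", func() {
 			}
 
 			mockAWS.EXPECT().
-				ListOidcProviders(cluster.ID(), cluster.AWS().STS().OidcConfig()).
-				Return(providers, nil)
+				GetOpenIDConnectProviderByOidcEndpointUrl("https://test.gov.example.com").
+				Return(providers[0].Arn, nil)
 
 			mockAWS.EXPECT().
 				EnsureRole(gomock.Any(), gomock.Any(), gomock.Any(), "", "", gomock.Any(), gomock.Any(), false).
@@ -280,7 +283,8 @@ var _ = Describe("Create IAM Service Account", func() {
 				STS(cmv1.NewSTS().
 					OidcConfig(cmv1.NewOidcConfig().
 						ID("test-oidc-id").
-						IssuerUrl("https://test.example.com"))))
+						IssuerUrl("https://test.example.com")).
+					OIDCEndpointURL("https://test.example.com")))
 			})
 
 			providers := []aws.OidcProviderOutput{
@@ -290,8 +294,8 @@ var _ = Describe("Create IAM Service Account", func() {
 			}
 
 			mockAWS.EXPECT().
-				ListOidcProviders(cluster.ID(), cluster.AWS().STS().OidcConfig()).
-				Return(providers, nil)
+				GetOpenIDConnectProviderByOidcEndpointUrl("https://test.example.com").
+				Return(providers[0].Arn, nil)
 
 			arn, err := getOIDCProviderARN(t.RosaRuntime, cluster)
 			Expect(err).ToNot(HaveOccurred())
@@ -306,16 +310,18 @@ var _ = Describe("Create IAM Service Account", func() {
 				STS(cmv1.NewSTS().
 					OidcConfig(cmv1.NewOidcConfig().
 						ID("test-oidc-id").
-						IssuerUrl("https://test.example.com"))))
+						IssuerUrl("https://test.example.com")).
+					OIDCEndpointURL("https://test123.example.com")))
 			})
 
 			mockAWS.EXPECT().
-				ListOidcProviders(cluster.ID(), cluster.AWS().STS().OidcConfig()).
-				Return([]aws.OidcProviderOutput{}, nil)
+				GetOpenIDConnectProviderByOidcEndpointUrl("https://test123.example.com").
+				Return("", nil)
 
 			_, err := getOIDCProviderARN(t.RosaRuntime, cluster)
 			Expect(err).To(HaveOccurred())
-			Expect(err.Error()).To(ContainSubstring("no OIDC provider found"))
+			Expect(err.Error()).To(ContainSubstring("no OIDC provider found for cluster with ID " +
+				"'test-cluster-id'"))
 		})
 	})
 })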
