Skip deploying the ARO Operator identity secret at install-time (Azure#3905)

tsatam · web-flow · commit 02bba703b2db · 2024-10-16T17:01:42.000-05:00
diff --git a/pkg/cluster/workloadidentityresources.go b/pkg/cluster/workloadidentityresources.go
@@ -16,6 +16,7 @@ import (
 	kruntime "k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/Azure/ARO-RP/pkg/api"
+	pkgoperator "github.com/Azure/ARO-RP/pkg/operator"
 )
 
 const (
@@ -72,6 +73,13 @@ func (m *manager) generatePlatformWorkloadIdentitySecrets() ([]*corev1.Secret, e
 	secrets := []*corev1.Secret{}
 	for _, identity := range m.doc.OpenShiftCluster.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities {
 		if role, ok := roles[identity.OperatorName]; ok {
+			// Skip creating a secret for the ARO Operator. This will be
+			// generated by the ARO Operator deployer instead
+			// (see pkg/operator/deploy/deploy.go#generateOperatorIdentitySecret())
+			if role.OperatorName == pkgoperator.OperatorIdentityName {
+				continue
+			}
+
 			secrets = append(secrets, &corev1.Secret{
 				TypeMeta: metav1.TypeMeta{
 					APIVersion: corev1.SchemeGroupVersion.Identifier(),
diff --git a/pkg/cluster/workloadidentityresources_test.go b/pkg/cluster/workloadidentityresources_test.go
@@ -281,6 +281,55 @@ func TestGeneratePlatformWorkloadIdentitySecrets(t *testing.T) {
 			roles: []api.PlatformWorkloadIdentityRole{},
 			want:  []*corev1.Secret{},
 		},
+		{
+			name: "skips ARO operator identity",
+			identities: []api.PlatformWorkloadIdentity{
+				{
+					OperatorName: "foo",
+					ClientID:     "00f00f00-0f00-0f00-0f00-f00f00f00f00",
+				},
+				{
+					OperatorName: "ServiceOperator",
+					ClientID:     "00ba4ba4-0ba4-0ba4-0ba4-ba4ba4ba4ba4",
+				},
+			},
+			roles: []api.PlatformWorkloadIdentityRole{
+				{
+					OperatorName: "foo",
+					SecretLocation: api.SecretLocation{
+						Namespace: "openshift-foo",
+						Name:      "azure-cloud-credentials",
+					},
+				},
+				{
+					OperatorName: "ServiceOperator",
+					SecretLocation: api.SecretLocation{
+						Namespace: "openshift-bar",
+						Name:      "azure-cloud-credentials",
+					},
+				},
+			},
+			want: []*corev1.Secret{
+				{
+					TypeMeta: metav1.TypeMeta{
+						APIVersion: "v1",
+						Kind:       "Secret",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "openshift-foo",
+						Name:      "azure-cloud-credentials",
+					},
+					Type: corev1.SecretTypeOpaque,
+					StringData: map[string]string{
+						"azure_client_id":            "00f00f00-0f00-0f00-0f00-f00f00f00f00",
+						"azure_subscription_id":      subscriptionId,
+						"azure_tenant_id":            tenantId,
+						"azure_region":               location,
+						"azure_federated_token_file": azureFederatedTokenFileLocation,
+					},
+				},
+			},
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			controller := gomock.NewController(t)
