ARO-4373 change BoundServiceAccountSigningKey SecureString to SecureBytes

pkg/api/openshiftcluster.go

@@ -264,7 +264,7 @@ type ClusterProfile struct {
 	ResourceGroupID               string               `json:"resourceGroupId,omitempty"`
 	FipsValidatedModules          FipsValidatedModules `json:"fipsValidatedModules,omitempty"`
 	OIDCIssuer                    OIDCIssuer           `json:"oidcIssuer,omitempty"`
-	BoundServiceAccountSigningKey SecureString         `json:"boundServiceAccountSigningKey,omitempty"`
+	BoundServiceAccountSigningKey SecureBytes          `json:"boundServiceAccountSigningKey,omitempty"`
 }
 
 // FeatureProfile represents a feature profile.

pkg/cluster/deploybaseresources.go

@@ -73,7 +73,7 @@ func (m *manager) createOIDC(ctx context.Context) error {
 
 	m.doc, err = m.db.PatchWithLease(ctx, m.doc.Key, func(doc *api.OpenShiftClusterDocument) error {
 		doc.OpenShiftCluster.Properties.ClusterProfile.OIDCIssuer = api.OIDCIssuer(oidcBuilder.GetEndpointUrl())
-		doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = api.SecureString(oidcBuilder.GetPrivateKey())
+		doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = api.SecureBytes(oidcBuilder.GetPrivateKey())
 		return nil
 	})
 

pkg/cluster/deploybaseresources_test.go

@@ -1419,25 +1419,24 @@ func TestCreateOIDC(t *testing.T) {
 		wantErr                           string
 		wantBoundServiceAccountSigningKey bool
 	}{
-		// TODO: Uncomment the test case after testing the PR on all the environments
-		// {
-		// 	name: "Success - Exit createOIDC for non MIWI clusters",
-		// 	oc: &api.OpenShiftClusterDocument{
-		// 		Key: strings.ToLower(resourceID),
-		// 		ID:  resourceID,
-		// 		OpenShiftCluster: &api.OpenShiftCluster{
-		// 			Properties: api.OpenShiftClusterProperties{
-		// 				ClusterProfile: api.ClusterProfile{
-		// 					ResourceGroupID: resourceGroup,
-		// 				},
-		// 				ServicePrincipalProfile: &api.ServicePrincipalProfile{
-		// 					SPObjectID: fakeClusterSPObjectId,
-		// 				},
-		// 			},
-		// 		},
-		// 	},
-		// 	wantBoundServiceAccountSigningKey: false,
-		// },
+		{
+			name: "Success - Exit createOIDC for non MIWI clusters",
+			oc: &api.OpenShiftClusterDocument{
+				Key: strings.ToLower(resourceID),
+				ID:  resourceID,
+				OpenShiftCluster: &api.OpenShiftCluster{
+					Properties: api.OpenShiftClusterProperties{
+						ClusterProfile: api.ClusterProfile{
+							ResourceGroupID: resourceGroup,
+						},
+						ServicePrincipalProfile: &api.ServicePrincipalProfile{
+							SPObjectID: fakeClusterSPObjectId,
+						},
+					},
+				},
+			},
+			wantBoundServiceAccountSigningKey: false,
+		},
 		{
 			name: "Success - Create and persist OIDC Issuer URL",
 			oc: &api.OpenShiftClusterDocument{
@@ -1586,7 +1585,7 @@ func TestCreateOIDC(t *testing.T) {
 				t.Fatalf("OIDC Issuer URL - %s != %s (wanted)", checkDoc.OpenShiftCluster.Properties.ClusterProfile.OIDCIssuer, tt.wantedOIDCIssuer)
 			}
 
-			if checkDoc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey == "" && tt.wantBoundServiceAccountSigningKey {
+			if checkDoc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey == nil && tt.wantBoundServiceAccountSigningKey {
 				t.Fatalf("Bound Service Account Token is not as expected - wantBoundServiceAccountSigningKey is %t", tt.wantBoundServiceAccountSigningKey)
 			}
 		})

pkg/frontend/asyncoperationresult_get.go

@@ -67,7 +67,7 @@ func (f *frontend) _getAsyncOperationResult(ctx context.Context, r *http.Request
 	if asyncdoc.OpenShiftCluster.Properties.ServicePrincipalProfile != nil {
 		asyncdoc.OpenShiftCluster.Properties.ServicePrincipalProfile.ClientSecret = ""
 	}
-	asyncdoc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = ""
+	asyncdoc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = nil
 
 	return json.MarshalIndent(converter.ToExternal(asyncdoc.OpenShiftCluster), "", "    ")
 }

pkg/frontend/openshiftcluster_get.go

@@ -48,7 +48,7 @@ func (f *frontend) _getOpenShiftCluster(ctx context.Context, log *logrus.Entry,
 	if doc.OpenShiftCluster.Properties.ServicePrincipalProfile != nil {
 		doc.OpenShiftCluster.Properties.ServicePrincipalProfile.ClientSecret = ""
 	}
-	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = ""
+	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = nil
 
 	return json.MarshalIndent(converter.ToExternal(doc.OpenShiftCluster), "", "    ")
 }

pkg/frontend/openshiftcluster_list.go

@@ -70,7 +70,7 @@ func (f *frontend) _getOpenShiftClusters(ctx context.Context, log *logrus.Entry,
 		if ocs[i].Properties.ServicePrincipalProfile != nil {
 			ocs[i].Properties.ServicePrincipalProfile.ClientSecret = ""
 		}
-		ocs[i].Properties.ClusterProfile.BoundServiceAccountSigningKey = ""
+		ocs[i].Properties.ClusterProfile.BoundServiceAccountSigningKey = nil
 	}
 
 	nextLink, err := f.buildNextLink(r.Header.Get("Referer"), i.Continuation())

pkg/frontend/openshiftcluster_putorpatch.go

@@ -257,7 +257,7 @@ func (f *frontend) _putOrPatchOpenShiftCluster(ctx context.Context, log *logrus.
 	if doc.OpenShiftCluster.Properties.ServicePrincipalProfile != nil {
 		doc.OpenShiftCluster.Properties.ServicePrincipalProfile.ClientSecret = ""
 	}
-	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = ""
+	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = nil
 
 	// We don't return enriched worker profile data on PUT/PATCH operations
 	doc.OpenShiftCluster.Properties.WorkerProfilesStatus = nil

pkg/frontend/openshiftclustercredentials_post.go

@@ -70,7 +70,7 @@ func (f *frontend) _postOpenShiftClusterCredentials(ctx context.Context, r *http
 	if doc.OpenShiftCluster.Properties.ServicePrincipalProfile != nil {
 		doc.OpenShiftCluster.Properties.ServicePrincipalProfile.ClientSecret = ""
 	}
-	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = ""
+	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = nil
 
 	return json.MarshalIndent(converter.ToExternal(doc.OpenShiftCluster), "", "    ")
 }

pkg/frontend/openshiftclusterkubeconfigcredentials_post.go

@@ -73,7 +73,7 @@ func (f *frontend) _postOpenShiftClusterKubeConfigCredentials(ctx context.Contex
 	if doc.OpenShiftCluster.Properties.ServicePrincipalProfile != nil {
 		doc.OpenShiftCluster.Properties.ServicePrincipalProfile.ClientSecret = ""
 	}
-	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = ""
+	doc.OpenShiftCluster.Properties.ClusterProfile.BoundServiceAccountSigningKey = nil
 
 	return json.MarshalIndent(converter.ToExternal(doc.OpenShiftCluster), "", "    ")
 }

pkg/util/oidcbuilder/oidcbuilder.go

@@ -53,8 +53,8 @@ func (b *OIDCBuilder) GetEndpointUrl() string {
 	return b.endpointURL
 }
 
-func (b *OIDCBuilder) GetPrivateKey() string {
-	return string(b.privateKey)
+func (b *OIDCBuilder) GetPrivateKey() []byte {
+	return b.privateKey
 }
 
 func (b *OIDCBuilder) GetBlobContainerURL() string {

pkg/util/oidcbuilder/oidcbuilder_test.go

@@ -7,6 +7,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"reflect"
 	"testing"
 
 	"github.com/golang/mock/gomock"
@@ -135,8 +136,8 @@ func TestEnsureOIDCDocs(t *testing.T) {
 				t.Fatalf("GetEndpointUrl doesn't match the original endpointURL - %s != %s (wanted)", tt.oidcbuilder.GetEndpointUrl(), tt.oidcbuilder.endpointURL)
 			}
 
-			if tt.oidcbuilder.GetPrivateKey() != string(tt.oidcbuilder.privateKey) {
-				t.Fatalf("GetPrivateKey doesn't match the original endpointURL - %s != %s (wanted)", tt.oidcbuilder.GetPrivateKey(), string(tt.oidcbuilder.privateKey))
+			if !reflect.DeepEqual(tt.oidcbuilder.privateKey, tt.oidcbuilder.GetPrivateKey()) {
+				t.Fatalf("GetPrivateKey doesn't match the original privateKey")
 			}
 
 			if tt.oidcbuilder.GetBlobContainerURL() != tt.oidcbuilder.blobContainerURL {