From 5e63cbface26f968f5a84d741c8d9786dce5e0d8 Mon Sep 17 00:00:00 2001
From: Fabio Graetz
Date: Thu, 4 Jan 2024 11:59:02 +0000
Subject: [PATCH] Always inject user identity as pod label if known
Signed-off-by: Fabio Graetz
---
 .../nodes/task/k8s/task_exec_context.go | 11 +++-----
 .../nodes/task/k8s/task_exec_context_test.go | 26 +------------------
 2 files changed, 5 insertions(+), 32 deletions(-)
diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
index a7c7d2326b..2bdaeeba58 100644
--- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
+++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
@@ -3,7 +3,6 @@ package k8s
 import (
 "github.com/flyteorg/flyte/flyteidl/gen/pb-go/flyteidl/core"
 pluginsCore "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/core"
- "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/flytek8s/config"
 "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/utils"
 "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/utils/secrets"
 )
@@ -45,7 +44,7 @@ func (t TaskExecutionMetadata) GetAnnotations() map[string]string {
 }
 // newTaskExecutionMetadata creates a TaskExecutionMetadata with secrets serialized as annotations and a label added
-// to trigger the flyte pod webhook. Optionally, the execution identity is injected as a label.
+// to trigger the flyte pod webhook. If known, the execution identity is injected as a label.
 func newTaskExecutionMetadata(tCtx pluginsCore.TaskExecutionMetadata, taskTmpl *core.TaskTemplate) (TaskExecutionMetadata, error) {
 var err error
 secretsMap := make(map[string]string)
@@ -59,11 +58,9 @@ func newTaskExecutionMetadata(tCtx pluginsCore.TaskExecutionMetadata, taskTmpl *
 injectLabels[secrets.PodLabel] = secrets.PodLabelValue
 }
- if config.GetK8sPluginConfig().InjectExecutionIdentity {
- id := tCtx.GetSecurityContext().RunAs.ExecutionIdentity
- if id != "" {
- injectLabels[executionIdentityVariable] = id
- }
+ id := tCtx.GetSecurityContext().RunAs.ExecutionIdentity
+ if id != "" {
+ injectLabels[executionIdentityVariable] = id
 }
 return TaskExecutionMetadata{
diff --git a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
index be62f050f3..c15e5978f0 100644
--- a/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
+++ b/flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context_test.go
@@ -7,7 +7,6 @@ import (
 "github.com/flyteorg/flyte/flyteidl/gen/pb-go/flyteidl/core"
 "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/core/mocks"
- "github.com/flyteorg/flyte/flyteplugins/go/tasks/pluginmachinery/flytek8s/config"
 )
 func Test_newTaskExecutionMetadata(t *testing.T) {
@@ -67,7 +66,6 @@ func Test_newTaskExecutionMetadata(t *testing.T) {
 })
 t.Run("Inject exec identity", func(t *testing.T) {
- assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{InjectExecutionIdentity: true}))
 existingMetadata := &mocks.TaskExecutionMetadata{}
 existingAnnotations := map[string]string{}
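Review bot: In the `@@ -59,11 +58,9 @@` hunk of task_exec_context.go, `tCtx.GetSecurityContext().RunAs.ExecutionIdentity` dereferences `RunAs` without a nil check, and with the `InjectExecutionIdentity` gate removed that line now runs for every task instead of only where the option was enabled. The tests build `RunAs` as `&core.Identity{...}`, so it is a pointer, and a security context that carries no `RunAs` would panic here; guard it with `if runAs := tCtx.GetSecurityContext().RunAs; runAs != nil && runAs.ExecutionIdentity != "" { injectLabels[executionIdentityVariable] = runAs.ExecutionIdentity }`, and add a sub-test that returns a zero `core.SecurityContext{}` to pin it. Separately, the identity is written as a label value unmodified in this hunk; Kubernetes label values are limited to 63 characters of alphanumerics, `-`, `_` and `.`, so an identity such as an e-mail address would make the API server reject the pod unless it is validated or sanitised somewhere outside the visible lines. Because the label is now always set, the identity also becomes readable by anyone who can list pods in the namespace, which is worth stating in the doc comment. The body of `newTaskExecutionMetadata` starts and ends outside the hunk.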
@@ -87,29 +85,7 @@ func Test_newTaskExecutionMetadata(t *testing.T) {
 assert.Equal(t, "test-exec-identity", actual.GetLabels()[executionIdentityVariable])
 })
- t.Run("No inject exec identity", func(t *testing.T) {
- assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{InjectExecutionIdentity: false}))
-
- existingMetadata := &mocks.TaskExecutionMetadata{}
- existingAnnotations := map[string]string{}
- existingMetadata.OnGetAnnotations().Return(existingAnnotations)
-
- existingMetadata.OnGetSecurityContext().Return(core.SecurityContext{RunAs: &core.Identity{ExecutionIdentity: "test-exec-identity"}})
-
- existingLabels := map[string]string{
- "existingLabel": "existingLabelValue",
- }
- existingMetadata.OnGetLabels().Return(existingLabels)
-
- actual, err := newTaskExecutionMetadata(existingMetadata, &core.TaskTemplate{})
- assert.NoError(t, err)
-
- assert.Equal(t, 1, len(actual.GetLabels()))
- assert.Equal(t, "existingLabelValue", actual.GetLabels()["existingLabel"])
- })
-
- t.Run("Inject non-existing exec identity", func(t *testing.T) {
- assert.NoError(t, config.SetK8sPluginConfig(&config.K8sPluginConfig{InjectExecutionIdentity: true})) // configure to inject exec identity
+ t.Run("Empty exec identity", func(t *testing.T) {
 existingMetadata := &mocks.TaskExecutionMetadata{}
 existingAnnotations := map[string]string{}