ROX-17335: Reconcile auth provider + groups declaratively.

[dhaus67]

Description

This PR adds the capability to reconcile auth provider configuration declaratively instead of imperatively as done previously via separate API calls to Central.

In essence, the declarative config secret will now include an additional key of default-sso-auth-provider which contains all previously existing configuration in the form of declarative configuration.

Additionally, the previously used code was deleted which was now rendered unused after the refactoring.

One caveat exists within the PR:

For a limited time (namely until ROX-17336 has landed), we will have auth providers created in two different ways: the "legacy" way via API calls, as well as the "new" way via declarative config.

During that period, in case we reconcile Central with the "legacy" auth provider, we will create declarative configs for the auth providers, but the configuration will fail to be applied due to a name uniqueness violation.

This isn't as bad though, since we ensure that these errors will not be highlighted to the customer, and once we migrate we can do so with virtually no downtime for existing clients.

Checklist (Definition of Done)

• Unit and integration tests added
• Added test description under Test manual
  - [ ] Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
• CI and all relevant tests are passing
• Add the ticket number to the PR title if available, i.e. ROX-12345: ...
  - [ ] Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
  - [ ] Add secret to app-interface Vault or Secrets Manager if necessary
  - [ ] RDS changes were e2e tested manually
  - [ ] Check AWS limits are reasonable for changes provisioning new resources

Test manual

# Start all relevant components (fleetmanager, fleet-sync, operator).
# Ensure that the fleetmanager specifies auth configuration (either the dynamic client SSO service account or the static IdP config) and that fleet-sync uses `CREATE_AUTHPROVIDER=true`.

1. Checkout the "main" branch and create a central instance via `./scripts/create-central.sh`

2. Observe that the central is created correctly and an auth provider is created (which is _not_ the basic auth provider) via
curl https://<central-endpoint>/v1/login/authproviders

3. Keep fleet manager running, stop fleet-sync, checkout the current branch, run `make binary` and start fleet-sync again.

4. Observe that reconciliation works without errors and the auth provider doesn't change. Additionally, observe that within the secret `sensible-declarative-configs` only a single data key exists, and `default-sso-auth-provider` does not.

5. Delete the previously created central with the "legacy" auth provider:
curl -X DELETE -H "Authorization: Bearer $(ocm token)" http://127.0.0.1:8000/api/rhacs/v1/centrals/<central-id>\?async\=true

6. Create a new Central via `./scripts/create-central.sh`.

7. Observe within fleet-sync logs that no error occurred. Additionally, observe that `sensible-declarative-configs` secret now contains the data key `default-sso-auth-provider`.

8. Ensure login works within the Central instance.

9. Delete the previously created central with the declarative auth provider:
curl -X DELETE -H "Authorization: Bearer $(ocm token)" http://127.0.0.1:8000/api/rhacs/v1/centrals/<central-id>\?async\=true

10. Ensure that the `sensible-declarative-configs` secret is removed and no config is retained of the auth provider.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[dhaus67]

/test

[openshift-ci]

@dhaus67: No presubmit jobs available for stackrox/acs-fleet-manager@yann/ROX-16734-fleetshard_configure_audit_log_notifier

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ivan-degtiarenko]

nit: is it possible to change signatures so we would pass just central here?

[dhaus67]

I think it's worthwhile changing the signature, but not for NewCentralClient.. but rather isCentralDeploymentReady, getServiceAddress, and authProviderName. They don't require a pointer being passed.

[dhaus67]

Current dependencies on/for this PR:

• main
  • PR ROX-17335: Reconcile auth provider + groups declaratively. #1156 👈

This comment was auto-generated by Graphite.