Add function to test if miwi enabled

Azure · Jun 28, 2024 · 524b396 · 524b396
1 parent 2c53a31
commit 524b396
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 1 deletion.
diff --git a/pkg/api/util/identity/identity.go b/pkg/api/util/identity/identity.go
@@ -0,0 +1,13 @@
+package identity
+
+import (
+	"github.com/Azure/ARO-RP/pkg/api"
+)
+
+func IsManagedWorkloadIdentityEnabled(cluster *api.OpenShiftCluster) bool {
+	if cluster.Properties.ServicePrincipalProfile == nil && cluster.Properties.PlatformWorkloadIdentityProfile != nil && cluster.Identity != nil {
+		return true
+	}
+
+	return false
+}
diff --git a/pkg/api/util/identity/identity_test.go b/pkg/api/util/identity/identity_test.go
@@ -0,0 +1,69 @@
+package identity
+
+import (
+	"testing"
+
+	"github.com/Azure/ARO-RP/pkg/api"
+)
+
+func TestIsManagedWorkloadIdentityEnabled(t *testing.T) {
+	tests := []struct {
+		name     string
+		cluster  *api.OpenShiftCluster
+		expected bool
+	}{
+		{
+			name: "Workload Identity Enabled",
+			cluster: &api.OpenShiftCluster{
+				Properties: api.OpenShiftClusterProperties{
+					ServicePrincipalProfile:         nil,
+					PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{},
+				},
+				Identity: &api.Identity{},
+			},
+			expected: true,
+		},
+		{
+			name: "Service Principal Profile not nil",
+			cluster: &api.OpenShiftCluster{
+				Properties: api.OpenShiftClusterProperties{
+					ServicePrincipalProfile:         &api.ServicePrincipalProfile{},
+					PlatformWorkloadIdentityProfile: nil,
+				},
+				Identity: nil,
+			},
+			expected: false,
+		},
+		{
+			name: "PlatformWorkloadIdentityProfile is nil",
+			cluster: &api.OpenShiftCluster{
+				Properties: api.OpenShiftClusterProperties{
+					ServicePrincipalProfile:         nil,
+					PlatformWorkloadIdentityProfile: nil,
+				},
+				Identity: &api.Identity{},
+			},
+			expected: false,
+		},
+		{
+			name: "Identity is nil",
+			cluster: &api.OpenShiftCluster{
+				Properties: api.OpenShiftClusterProperties{
+					ServicePrincipalProfile:         nil,
+					PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{},
+				},
+				Identity: nil,
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsManagedWorkloadIdentityEnabled(tt.cluster)
+			if result != tt.expected {
+				t.Errorf("expected %t, got %t", tt.expected, result)
+			}
+		})
+	}
+}
diff --git a/pkg/frontend/openshiftcluster_putorpatch.go b/pkg/frontend/openshiftcluster_putorpatch.go
@@ -18,6 +18,7 @@ import (
 
 	"github.com/Azure/ARO-RP/pkg/api"
 	"github.com/Azure/ARO-RP/pkg/api/admin"
+	"github.com/Azure/ARO-RP/pkg/api/util/identity"
 	"github.com/Azure/ARO-RP/pkg/database/cosmosdb"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/frontend/middleware"
@@ -99,7 +100,8 @@ func (f *frontend) _putOrPatchOpenShiftCluster(ctx context.Context, log *logrus.
 	}
 
 	// Don't persist identity parameters in non-wimi clusters
-	if doc.OpenShiftCluster.Properties.ServicePrincipalProfile == nil || doc.OpenShiftCluster.Identity != nil {
+	if identity.IsManagedWorkloadIdentityEnabled(doc.OpenShiftCluster) {
+		// We don't support changing the cluster MSI, so only need to validate/apply on create
 		if isCreate {
 			if err := validateIdentityUrl(doc.OpenShiftCluster, identityURL); err != nil {
 				return nil, err