using api auth consts (#1146)

Signed-off-by: Wei Liu <liuweixa@redhat.com>
2026-02-14 18:09:57 +00:00 · 2025-08-28 15:15:36 +08:00
parent c5f6e30ab8
commit 74aa03b01c
71 changed files with 1188 additions and 269 deletions
--- a/pkg/registration/hub/manager.go
+++ b/pkg/registration/hub/manager.go
@@ -27,6 +27,7 @@ import (
 	workv1informers "open-cluster-management.io/api/client/work/informers/externalversions"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
 	ocmfeature "open-cluster-management.io/api/feature"
+	operatorv1 "open-cluster-management.io/api/operator/v1"

 	commonhelpers "open-cluster-management.io/ocm/pkg/common/helpers"
 	"open-cluster-management.io/ocm/pkg/features"
@@ -73,7 +74,7 @@ func NewHubManagerOptions() *HubManagerOptions {
 		GCResourceList: []string{"addon.open-cluster-management.io/v1alpha1/managedclusteraddons",
 			"work.open-cluster-management.io/v1/manifestworks"},
 		ImportOption:               importeroptions.New(),
-		EnabledRegistrationDrivers: []string{commonhelpers.CSRAuthType},
+		EnabledRegistrationDrivers: []string{operatorv1.CSRAuthType},
 		GRPCSigningDuration:        720 * time.Hour,
 	}
 }
@@ -191,7 +192,7 @@ func (m *HubManagerOptions) RunControllerManagerWithInformers(
 	var drivers []register.HubDriver
 	for _, enabledRegistrationDriver := range m.EnabledRegistrationDrivers {
 		switch enabledRegistrationDriver {
-		case commonhelpers.CSRAuthType:
+		case operatorv1.CSRAuthType:
 			autoApprovedCSRUsers := m.ClusterAutoApprovalUsers
 			if len(m.AutoApprovedCSRUsers) > 0 {
 				autoApprovedCSRUsers = m.AutoApprovedCSRUsers
@@ -201,13 +202,13 @@ func (m *HubManagerOptions) RunControllerManagerWithInformers(
 				return err
 			}
 			drivers = append(drivers, csrDriver)
-		case commonhelpers.AwsIrsaAuthType:
+		case operatorv1.AwsIrsaAuthType:
 			awsIRSAHubDriver, err := awsirsa.NewAWSIRSAHubDriver(ctx, m.HubClusterArn, m.AutoApprovedARNPatterns, m.AwsResourceTags)
 			if err != nil {
 				return err
 			}
 			drivers = append(drivers, awsIRSAHubDriver)
-		case commonhelpers.GRPCCAuthType:
+		case operatorv1.GRPCAuthType:
 			grpcHubDriver, err := grpc.NewGRPCHubDriver(
 				kubeClient, kubeInformers,
 				m.GRPCCAKeyFile, m.GRPCCAFile, m.GRPCSigningDuration,
--- a/pkg/registration/register/factory/options.go
+++ b/pkg/registration/register/factory/options.go
@@ -3,7 +3,8 @@ package factory
 import (
 	"github.com/spf13/pflag"

-	"open-cluster-management.io/ocm/pkg/common/helpers"
+	operatorv1 "open-cluster-management.io/api/operator/v1"
+
 	"open-cluster-management.io/ocm/pkg/registration/register"
 	awsirsa "open-cluster-management.io/ocm/pkg/registration/register/aws_irsa"
 	"open-cluster-management.io/ocm/pkg/registration/register/csr"
@@ -13,14 +14,14 @@ import (
 type Options struct {
 	RegistrationAuth string
 	CSROption        *csr.Option
-	AWSISRAOption    *awsirsa.AWSOption
+	AWSIRSAOption    *awsirsa.AWSOption
 	GRPCOption       *grpc.Option
 }

 func NewOptions() *Options {
 	return &Options{
 		CSROption:     csr.NewCSROption(),
-		AWSISRAOption: awsirsa.NewAWSOption(),
+		AWSIRSAOption: awsirsa.NewAWSOption(),
 		GRPCOption:    grpc.NewOptions(),
 	}
 }
@@ -29,15 +30,15 @@ func (s *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.RegistrationAuth, "registration-auth", s.RegistrationAuth,
 		"The type of authentication to use to authenticate with hub.")
 	s.CSROption.AddFlags(fs)
-	s.AWSISRAOption.AddFlags(fs)
+	s.AWSIRSAOption.AddFlags(fs)
 	s.GRPCOption.AddFlags(fs)
 }

 func (s *Options) Validate() error {
 	switch s.RegistrationAuth {
-	case helpers.AwsIrsaAuthType:
-		return s.AWSISRAOption.Validate()
-	case helpers.GRPCCAuthType:
+	case operatorv1.AwsIrsaAuthType:
+		return s.AWSIRSAOption.Validate()
+	case operatorv1.GRPCAuthType:
 		return s.GRPCOption.Validate()
 	default:
 		return s.CSROption.Validate()
@@ -46,9 +47,9 @@ func (s *Options) Validate() error {

 func (s *Options) Driver(secretOption register.SecretOption) (register.RegisterDriver, error) {
 	switch s.RegistrationAuth {
-	case helpers.AwsIrsaAuthType:
-		return awsirsa.NewAWSIRSADriver(s.AWSISRAOption, secretOption), nil
-	case helpers.GRPCCAuthType:
+	case operatorv1.AwsIrsaAuthType:
+		return awsirsa.NewAWSIRSADriver(s.AWSIRSAOption, secretOption), nil
+	case operatorv1.GRPCAuthType:
 		return grpc.NewGRPCDriver(s.GRPCOption, s.CSROption, secretOption)
 	default:
 		return csr.NewCSRDriver(s.CSROption, secretOption)
--- a/pkg/registration/register/factory/options_test.go
+++ b/pkg/registration/register/factory/options_test.go
@@ -38,7 +38,7 @@ func TestValidate(t *testing.T) {
 			name: "aws validate",
 			opt: &Options{
 				RegistrationAuth: "awsirsa",
-				AWSISRAOption:    &awsirsa.AWSOption{},
+				AWSIRSAOption:    &awsirsa.AWSOption{},
 			},
 			expectErr: true,
 		},
@@ -46,7 +46,7 @@ func TestValidate(t *testing.T) {
 			name: "aws validate pass",
 			opt: &Options{
 				RegistrationAuth: "awsirsa",
-				AWSISRAOption: &awsirsa.AWSOption{
+				AWSIRSAOption: &awsirsa.AWSOption{
 					HubClusterArn: "arn:aws:iam::123456789012:role/aws-iam-authenticator",
 				},
 			},
--- a/pkg/registration/register/grpc/hub_driver.go
+++ b/pkg/registration/register/grpc/hub_driver.go
@@ -21,9 +21,9 @@ import (

 	clusterv1 "open-cluster-management.io/api/cluster/v1"
 	ocmfeature "open-cluster-management.io/api/feature"
+	operatorv1 "open-cluster-management.io/api/operator/v1"
 	sdkhelpers "open-cluster-management.io/sdk-go/pkg/helpers"

-	"open-cluster-management.io/ocm/pkg/common/helpers"
 	"open-cluster-management.io/ocm/pkg/features"
 	"open-cluster-management.io/ocm/pkg/registration/register"
 	"open-cluster-management.io/ocm/pkg/registration/register/csr"
@@ -51,11 +51,11 @@ func NewGRPCHubDriver(
 	duration time.Duration,
 	autoApprovedCSRUsers []string,
 	recorder events.Recorder) (register.HubDriver, error) {
-	csrReconciles := []csr.Reconciler{csr.NewCSRRenewalReconciler(kubeClient, helpers.GRPCCAuthSigner, recorder)}
+	csrReconciles := []csr.Reconciler{csr.NewCSRRenewalReconciler(kubeClient, operatorv1.GRPCAuthSigner, recorder)}
 	if features.HubMutableFeatureGate.Enabled(ocmfeature.ManagedClusterAutoApproval) {
 		csrReconciles = append(csrReconciles, csr.NewCSRBootstrapReconciler(
 			kubeClient,
-			helpers.GRPCCAuthSigner,
+			operatorv1.GRPCAuthSigner,
 			autoApprovedCSRUsers,
 			recorder,
 		))
@@ -170,7 +170,7 @@ func (c *csrSignController) sync(ctx context.Context, syncCtx factory.SyncContex
 	}

 	// Do not sign apiserver cert
-	if csr.Spec.SignerName != helpers.GRPCCAuthSigner {
+	if csr.Spec.SignerName != operatorv1.GRPCAuthSigner {
 		return nil
 	}

@@ -192,7 +192,7 @@ func getCSRInfo(c *certificatesv1.CertificateSigningRequest) csr.CSRInfo {
 		Name:       c.Name,
 		Labels:     c.Labels,
 		SignerName: c.Spec.SignerName,
-		Username:   c.Annotations[helpers.CSRUserAnnotation],
+		Username:   c.Annotations[operatorv1.CSRUsernameAnnotation],
 		UID:        c.Spec.UID,
 		Groups:     c.Spec.Groups,
 		Extra:      extra,
@@ -203,7 +203,7 @@ func getCSRInfo(c *certificatesv1.CertificateSigningRequest) csr.CSRInfo {
 func eventFilter(csr any) bool {
 	switch v := csr.(type) {
 	case *certificatesv1.CertificateSigningRequest:
-		return v.Spec.SignerName == helpers.GRPCCAuthSigner
+		return v.Spec.SignerName == operatorv1.GRPCAuthSigner
 	default:
 		return false
 	}
--- a/pkg/registration/register/grpc/hub_driver_test.go
+++ b/pkg/registration/register/grpc/hub_driver_test.go
@@ -16,7 +16,8 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/keyutil"

-	"open-cluster-management.io/ocm/pkg/common/helpers"
+	operatorv1 "open-cluster-management.io/api/operator/v1"
+
 	testingcommon "open-cluster-management.io/ocm/pkg/common/testing"
 )

@@ -101,7 +102,7 @@ func TestSignCSR(t *testing.T) {
 							Usages: []certificatesv1.KeyUsage{
 								certificatesv1.UsageClientAuth,
 							},
-							SignerName: helpers.GRPCCAuthSigner,
+							SignerName: operatorv1.GRPCAuthSigner,
 							Username:   "system:open-cluster-management:test",
 							Request:    request,
 						},
@@ -167,7 +168,7 @@ func TestEventFilter(t *testing.T) {
 			name: "v1 CSR with matching signer",
 			input: &certificatesv1.CertificateSigningRequest{
 				Spec: certificatesv1.CertificateSigningRequestSpec{
-					SignerName: helpers.GRPCCAuthSigner,
+					SignerName: operatorv1.GRPCAuthSigner,
 				},
 			},
 			expected: true,
@@ -196,11 +197,11 @@ func TestGetCSRInfo(t *testing.T) {
 	csr := &certificatesv1.CertificateSigningRequest{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations: map[string]string{
-				helpers.CSRUserAnnotation: "test",
+				operatorv1.CSRUsernameAnnotation: "test",
 			},
 		},
 		Spec: certificatesv1.CertificateSigningRequestSpec{
-			SignerName: helpers.GRPCCAuthSigner,
+			SignerName: operatorv1.GRPCAuthSigner,
 		},
 	}

--- a/pkg/registration/register/grpc/spoke_driver.go
+++ b/pkg/registration/register/grpc/spoke_driver.go
@@ -22,6 +22,7 @@ import (
 	addoninformers "open-cluster-management.io/api/client/addon/informers/externalversions"
 	clusterinformers "open-cluster-management.io/api/client/cluster/informers/externalversions"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
+	operatorv1 "open-cluster-management.io/api/operator/v1"
 	cloudeventsaddon "open-cluster-management.io/sdk-go/pkg/cloudevents/clients/addon"
 	cloudeventscluster "open-cluster-management.io/sdk-go/pkg/cloudevents/clients/cluster"
 	cloudeventscsr "open-cluster-management.io/sdk-go/pkg/cloudevents/clients/csr"
@@ -34,7 +35,6 @@ import (
 	"open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert"
 	"open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc"

-	"open-cluster-management.io/ocm/pkg/common/helpers"
 	"open-cluster-management.io/ocm/pkg/registration/register"
 	"open-cluster-management.io/ocm/pkg/registration/register/csr"
 )
@@ -50,7 +50,7 @@ var _ register.RegisterDriver = &GRPCDriver{}
 var _ register.AddonDriver = &GRPCDriver{}

 func NewGRPCDriver(opt *Option, csrOption *csr.Option, secretOption register.SecretOption) (register.RegisterDriver, error) {
-	secretOption.Signer = helpers.GRPCCAuthSigner
+	secretOption.Signer = operatorv1.GRPCAuthSigner
 	csrDriver, err := csr.NewCSRDriver(csrOption, secretOption)
 	if err != nil {
 		return nil, err
--- a/pkg/registration/spoke/spokeagent_test.go
+++ b/pkg/registration/spoke/spokeagent_test.go
@@ -19,8 +19,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"

 	ocmfeature "open-cluster-management.io/api/feature"
+	operatorv1 "open-cluster-management.io/api/operator/v1"

-	commonhelpers "open-cluster-management.io/ocm/pkg/common/helpers"
 	commonoptions "open-cluster-management.io/ocm/pkg/common/options"
 	testingcommon "open-cluster-management.io/ocm/pkg/common/testing"
 	"open-cluster-management.io/ocm/pkg/features"
@@ -82,8 +82,8 @@ func TestValidate(t *testing.T) {
 			options: func() *SpokeAgentOptions {
 				awsDefaultCompletedOptions := NewSpokeAgentOptions()
 				awsDefaultCompletedOptions.BootstrapKubeconfig = "/spoke/bootstrap/kubeconfig"
-				awsDefaultCompletedOptions.RegisterDriverOption.RegistrationAuth = commonhelpers.AwsIrsaAuthType
-				awsDefaultCompletedOptions.RegisterDriverOption.AWSISRAOption.HubClusterArn = "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1"
+				awsDefaultCompletedOptions.RegisterDriverOption.RegistrationAuth = operatorv1.AwsIrsaAuthType
+				awsDefaultCompletedOptions.RegisterDriverOption.AWSIRSAOption.HubClusterArn = "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1"
 				return awsDefaultCompletedOptions
 			}(),
 			expectedErr: "",
@@ -93,7 +93,7 @@ func TestValidate(t *testing.T) {
 			options: func() *SpokeAgentOptions {
 				awsCompletedOptionsHubArnMissing := NewSpokeAgentOptions()
 				awsCompletedOptionsHubArnMissing.BootstrapKubeconfig = "/spoke/bootstrap/kubeconfig"
-				awsCompletedOptionsHubArnMissing.RegisterDriverOption.RegistrationAuth = commonhelpers.AwsIrsaAuthType
+				awsCompletedOptionsHubArnMissing.RegisterDriverOption.RegistrationAuth = operatorv1.AwsIrsaAuthType
 				return awsCompletedOptionsHubArnMissing
 			}(),
 			expectedErr: "EksHubClusterArn cannot be empty if RegistrationAuth is awsirsa",