elveeram
diff --git a/‎Makefile‎
Lines changed: 156 additions & 1 deletion b/‎Makefile‎
Lines changed: 156 additions & 1 deletion
diff --git a/‎bundle/manifests/oadp-operator.clusterserviceversion.yaml‎
Lines changed: 2 additions & 2 deletions b/‎bundle/manifests/oadp-operator.clusterserviceversion.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cmd/main.go‎
Lines changed: 9 additions & 109 deletions b/‎cmd/main.go‎
Lines changed: 9 additions & 109 deletions
diff --git a/‎config/manifests/bases/oadp-operator.clusterserviceversion.yaml‎
Lines changed: 2 additions & 2 deletions b/‎config/manifests/bases/oadp-operator.clusterserviceversion.yaml‎
Lines changed: 2 additions & 2 deletions
@@ -462,7 +462,162 @@ deploy-olm: undeploy-olm ## Build current branch operator image, bundle image, p
 undeploy-olm: login-required operator-sdk ## Uninstall current branch operator via OLM
 	$(OC_CLI) whoami # Check if logged in
 	$(OC_CLI) create namespace $(OADP_TEST_NAMESPACE) || true
-	$(OPERATOR_SDK) cleanup oadp-operator --namespace $(OADP_TEST_NAMESPACE)
+	-$(OPERATOR_SDK) cleanup oadp-operator --namespace $(OADP_TEST_NAMESPACE) || true
+	# Also try to clean up any leftover resources
+	-$(OC_CLI) delete subscription oadp-operator -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) get subscription -n $(OADP_TEST_NAMESPACE) -o name | xargs -I {} $(OC_CLI) get {} -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.metadata.name}{"\t"}{.spec.source}{"\n"}' | grep "oadp-operator-catalog" | cut -f1 | xargs -I {} $(OC_CLI) delete subscription {} -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) delete csv -l operators.coreos.com/oadp-operator.$(OADP_TEST_NAMESPACE) -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) delete catalogsource oadp-operator-catalog -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+
+# Create subscription YAML helper function
+# Parameters:
+#   $(1) - Path to the subscription YAML file to create (e.g., /tmp/oadp-gcp-subscription.yaml)
+create-sts-subscription = \
+	echo "apiVersion: operators.coreos.com/v1alpha1" > $(1) && \
+	echo "kind: Subscription" >> $(1) && \
+	echo "metadata:" >> $(1) && \
+	echo "  name: oadp-operator" >> $(1) && \
+	echo "  namespace: $(OADP_TEST_NAMESPACE)" >> $(1) && \
+	echo "spec:" >> $(1) && \
+	echo "  channel: operator-sdk-run-bundle" >> $(1) && \
+	echo "  name: oadp-operator" >> $(1) && \
+	echo "  source: oadp-operator-catalog" >> $(1) && \
+	echo "  sourceNamespace: $(OADP_TEST_NAMESPACE)" >> $(1) && \
+	echo "  installPlanApproval: Automatic" >> $(1) && \
+	echo "  config:" >> $(1) && \
+	echo "    env:" >> $(1)
+
+# Apply subscription and wait for ready helper function
+# Parameters:
+#   $(1) - Path to the subscription YAML file to apply (e.g., /tmp/oadp-gcp-subscription.yaml)
+#   $(2) - Cloud provider descriptive name for status messages (e.g., "GCP WIF", "AWS STS", "Azure Workload Identity")
+apply-sts-subscription = \
+	$(OC_CLI) apply -f $(1) && \
+	rm -f $(1) && \
+	echo "" && \
+	echo "Subscription created with $(2) environment variables." && \
+	echo "Waiting for operator to be ready..." && \
+	echo "Waiting for InstallPlan to be created..." && \
+	timeout=60; \
+	while [ $$timeout -gt 0 ]; do \
+		INSTALL_PLAN=$$($(OC_CLI) get subscription oadp-operator -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.status.installPlanRef.name}' 2>/dev/null); \
+		if [ -n "$$INSTALL_PLAN" ]; then \
+			echo "InstallPlan $$INSTALL_PLAN found"; \
+			break; \
+		fi; \
+		echo -n "."; \
+		sleep 2; \
+		timeout=$$((timeout-2)); \
+	done; \
+	if [ $$timeout -le 0 ]; then \
+		echo "Timeout waiting for InstallPlan"; \
+		exit 1; \
+	fi; \
+	echo "Waiting for CSV to exist..."; \
+	timeout=120; \
+	while [ $$timeout -gt 0 ]; do \
+		CSV_NAME=$$($(OC_CLI) get subscription oadp-operator -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.status.currentCSV}' 2>/dev/null); \
+		if [ -n "$$CSV_NAME" ]; then \
+			if $(OC_CLI) get csv/$$CSV_NAME -n $(OADP_TEST_NAMESPACE) >/dev/null 2>&1; then \
+				echo "CSV $$CSV_NAME found"; \
+				break; \
+			fi; \
+		fi; \
+		echo -n "."; \
+		sleep 2; \
+		timeout=$$((timeout-2)); \
+	done; \
+	if [ $$timeout -le 0 ]; then \
+		echo "Timeout waiting for CSV to exist"; \
+		exit 1; \
+	fi; \
+	echo "Waiting for CSV to be ready..."; \
+	if [ -n "$$CSV_NAME" ]; then \
+		$(OC_CLI) wait --for=jsonpath='{.status.phase}'=Succeeded csv/$$CSV_NAME -n $(OADP_TEST_NAMESPACE) --timeout=300s; \
+	fi; \
+	echo "Operator is ready!"; \
+	$(OC_CLI) get subscription oadp-operator -n $(OADP_TEST_NAMESPACE); \
+	$(OC_CLI) get csv -n $(OADP_TEST_NAMESPACE)
+
+.PHONY: deploy-olm-stsflow
+deploy-olm-stsflow: deploy-olm ## Deploy via OLM then uninstall CSV/Subscription and provide console URL for standardized flow
+	@echo "Uninstalling CSV and Subscription to trigger standardized flow UI..."
+	-$(OC_CLI) get subscription -n $(OADP_TEST_NAMESPACE) -o name | xargs -I {} $(OC_CLI) get {} -n $(OADP_TEST_NAMESPACE) -o jsonpath='{.metadata.name}{"\t"}{.spec.source}{"\n"}' | grep "oadp-operator-catalog" | cut -f1 | xargs -I {} $(OC_CLI) delete subscription {} -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	-$(OC_CLI) delete csv oadp-operator.v$(VERSION) -n $(OADP_TEST_NAMESPACE) --ignore-not-found=true
+	@echo ""
+	@echo "==========================================================================="
+	@echo "Open the following URL in your browser to trigger the standardized flow UI:"
+	@echo ""
+	@CONSOLE_URL=$$($(OC_CLI) get route console -n openshift-console -o jsonpath='{.spec.host}'); \
+	echo "https://$$CONSOLE_URL/operatorhub/ns/$(OADP_TEST_NAMESPACE)?keyword=oadp-operator&details-item=oadp-operator-oadp-operator-catalog-$(OADP_TEST_NAMESPACE)&channel=operator-sdk-run-bundle&version=$(VERSION)"
+	@echo ""
+	@echo "==========================================================================="
+
+.PHONY: deploy-olm-stsflow-gcp
+deploy-olm-stsflow-gcp: deploy-olm-stsflow ## Deploy via OLM with GCP WIF standardized flow and create subscription with GCP env vars
+	@if [ -n "$(GCP_PROJECT_NUM)" ] && [ -n "$(GCP_POOL_ID)" ] && [ -n "$(GCP_PROVIDER_ID)" ] && [ -n "$(GCP_SA_EMAIL)" ]; then \
+		echo "Creating subscription with GCP WIF environment variables..."; \
+		$(call create-sts-subscription,/tmp/oadp-gcp-subscription.yaml); \
+		echo "    - name: PROJECT_NUMBER" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_PROJECT_NUM)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "    - name: POOL_ID" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_POOL_ID)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "    - name: PROVIDER_ID" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_PROVIDER_ID)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "    - name: SERVICE_ACCOUNT_EMAIL" >> /tmp/oadp-gcp-subscription.yaml; \
+		echo "      value: \"$(GCP_SA_EMAIL)\"" >> /tmp/oadp-gcp-subscription.yaml; \
+		$(call apply-sts-subscription,/tmp/oadp-gcp-subscription.yaml,GCP WIF); \
+	else \
+		echo ""; \
+		echo "GCP WIF environment variables not set. Please set all of the following:"; \
+		echo "  GCP_PROJECT_NUM"; \
+		echo "  GCP_POOL_ID"; \
+		echo "  GCP_PROVIDER_ID"; \
+		echo "  GCP_SA_EMAIL"; \
+		echo ""; \
+		echo "Example:"; \
+		echo "  make deploy-olm-stsflow-gcp GCP_PROJECT_NUM=123456789 GCP_POOL_ID=my-pool GCP_PROVIDER_ID=my-provider GCP_SA_EMAIL=my-sa@my-project.iam.gserviceaccount.com"; \
+	fi
+
+.PHONY: deploy-olm-stsflow-aws
+deploy-olm-stsflow-aws: deploy-olm-stsflow ## Deploy via OLM with AWS STS standardized flow and create subscription with AWS env vars
+	@if [ -n "$(AWS_ROLE_ARN)" ]; then \
+		echo "Creating subscription with AWS STS environment variables..."; \
+		$(call create-sts-subscription,/tmp/oadp-aws-subscription.yaml); \
+		echo "    - name: ROLEARN" >> /tmp/oadp-aws-subscription.yaml; \
+		echo "      value: \"$(AWS_ROLE_ARN)\"" >> /tmp/oadp-aws-subscription.yaml; \
+		$(call apply-sts-subscription,/tmp/oadp-aws-subscription.yaml,AWS STS); \
+	else \
+		echo ""; \
+		echo "AWS STS environment variable not set. Please set:"; \
+		echo "  AWS_ROLE_ARN"; \
+		echo ""; \
+		echo "Example:"; \
+		echo "  make deploy-olm-stsflow-aws AWS_ROLE_ARN=arn:aws:iam::123456789012:role/my-oadp-role"; \
+	fi
+
+.PHONY: deploy-olm-stsflow-azure
+deploy-olm-stsflow-azure: deploy-olm-stsflow ## Deploy via OLM with Azure Workload Identity standardized flow and create subscription with Azure env vars
+	@if [ -n "$(AZURE_CLIENT_ID)" ] && [ -n "$(AZURE_TENANT_ID)" ] && [ -n "$(AZURE_SUBSCRIPTION_ID)" ]; then \
+		echo "Creating subscription with Azure Workload Identity environment variables..."; \
+		$(call create-sts-subscription,/tmp/oadp-azure-subscription.yaml); \
+		echo "    - name: CLIENTID" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "      value: \"$(AZURE_CLIENT_ID)\"" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "    - name: TENANTID" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "      value: \"$(AZURE_TENANT_ID)\"" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "    - name: SUBSCRIPTIONID" >> /tmp/oadp-azure-subscription.yaml; \
+		echo "      value: \"$(AZURE_SUBSCRIPTION_ID)\"" >> /tmp/oadp-azure-subscription.yaml; \
+		$(call apply-sts-subscription,/tmp/oadp-azure-subscription.yaml,Azure Workload Identity); \
+	else \
+		echo ""; \
+		echo "Azure Workload Identity environment variables not set. Please set all of the following:"; \
+		echo "  AZURE_CLIENT_ID"; \
+		echo "  AZURE_TENANT_ID"; \
+		echo "  AZURE_SUBSCRIPTION_ID"; \
+		echo ""; \
+		echo "Example:"; \
+		echo "  make deploy-olm-stsflow-azure AZURE_CLIENT_ID=12345678-1234-1234-1234-123456789012 AZURE_TENANT_ID=87654321-4321-4321-4321-210987654321 AZURE_SUBSCRIPTION_ID=abcdef12-3456-7890-abcd-ef1234567890"; \
+	fi
 
 # A valid Git branch from https://github.com/openshift/oadp-operator
 PREVIOUS_CHANNEL ?= oadp-1.5
 
@@ -279,8 +279,8 @@ metadata:
     features.operators.openshift.io/proxy-aware: "true"
     features.operators.openshift.io/tls-profiles: "false"
     features.operators.openshift.io/token-auth-aws: "true"
-    features.operators.openshift.io/token-auth-azure: "false"
-    features.operators.openshift.io/token-auth-gcp: "false"
+    features.operators.openshift.io/token-auth-azure: "true"
+    features.operators.openshift.io/token-auth-gcp: "true"
     olm.skipRange: '>=0.0.0 <99.0.0'
     operatorframework.io/suggested-namespace: openshift-adp
     operators.openshift.io/infrastructure-features: '["Disconnected"]'
 
@@ -31,10 +31,8 @@ import (
 	monitor "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	appsv1 "k8s.io/api/apps/v1"
-	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -55,8 +53,9 @@ import (
 
 	oadpv1alpha1 "github.com/openshift/oadp-operator/api/v1alpha1"
 	"github.com/openshift/oadp-operator/internal/controller"
+	pkgclient "github.com/openshift/oadp-operator/pkg/client"
 	//+kubebuilder:scaffold:imports
-	"github.com/openshift/oadp-operator/pkg/common"
+	"github.com/openshift/oadp-operator/pkg/credentials/stsflow"
 	"github.com/openshift/oadp-operator/pkg/leaderelection"
 )
 
@@ -66,8 +65,6 @@ var (
 )
 
 const (
-	// WebIdentityTokenPath mount present on operator CSV
-	WebIdentityTokenPath = "/var/run/secrets/openshift/serviceaccount/token"
 
 	// CloudCredentials API constants
 	CloudCredentialGroupVersion = "cloudcredential.openshift.io/v1"
@@ -113,7 +110,7 @@ func main() {
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	kubeconf := ctrl.GetConfigOrDie()
-
+	pkgclient.SetKubeconf(kubeconf)
 	// Get LeaderElection configs
 	leConfig := leaderelection.GetLeaderElectionConfig(kubeconf, enableLeaderElection)
 
@@ -136,31 +133,10 @@ func main() {
 		os.Exit(1)
 	}
 
-	// check if this is standardized STS workflow via OLM and CCO
-	if common.CCOWorkflow() {
-		setupLog.Info("AWS Role ARN specified by the user, following standardized STS workflow")
-		// ROLEARN env var is set via operator subscription
-		roleARN := os.Getenv("ROLEARN")
-		setupLog.Info("getting role ARN", "role ARN =", roleARN)
-
-		// check if cred request API exists in the cluster before creating a cred request
-		setupLog.Info("Checking if credentialsrequest CRD exists in the cluster")
-		credReqCRDExists, err := DoesCRDExist(CloudCredentialGroupVersion, CloudCredentialsCRDName, kubeconf)
-		if err != nil {
-			setupLog.Error(err, "problem checking the existence of CredentialRequests CRD")
-			os.Exit(1)
-		}
-
-		if credReqCRDExists {
-			// create cred request
-			setupLog.Info(fmt.Sprintf("Creating credentials request for role: %s, and WebIdentityTokenPath: %s", roleARN, WebIdentityTokenPath))
-			if err := CreateOrUpdateCredRequest(roleARN, WebIdentityTokenPath, watchNamespace, kubeconf); err != nil {
-				if !errors.IsAlreadyExists(err) {
-					setupLog.Error(err, "unable to create credRequest")
-					os.Exit(1)
-				}
-			}
-		}
+	// Create Secret and wait for STS cred to exists
+	if _, err := stsflow.STSStandardizedFlow(); err != nil {
+		setupLog.Error(err, "error setting up STS Standardized Flow")
+		os.Exit(1)
 	}
 
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
@@ -234,7 +210,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	if err := v1.AddToScheme(mgr.GetScheme()); err != nil {
+	if err := apiextensionsv1.AddToScheme(mgr.GetScheme()); err != nil {
 		setupLog.Error(err, "unable to add Kubernetes API extensions to scheme")
 		os.Exit(1)
 	}
@@ -371,80 +347,4 @@ func DoesCRDExist(CRDGroupVersion, CRDName string, kubeconf *rest.Config) (bool,
 		}
 	}
 	return discoveryResult, nil
-
-}
-
-// CreateCredRequest WITP : WebIdentityTokenPath
-func CreateOrUpdateCredRequest(roleARN string, WITP string, secretNS string, kubeconf *rest.Config) error {
-	clientInstance, err := client.New(kubeconf, client.Options{})
-	if err != nil {
-		setupLog.Error(err, "unable to create client")
-	}
-
-	// Extra deps were getting added and existing ones were getting upgraded when the CloudCredentials API was imported
-	// This caused updates to go.mod and started resulting in operator build failures due to incompatibility with the existing velero deps
-	// Hence for now going via the unstructured route
-	credRequest := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": "cloudcredential.openshift.io/v1",
-			"kind":       "CredentialsRequest",
-			"metadata": map[string]interface{}{
-				"name":      "oadp-aws-credentials-request",
-				"namespace": "openshift-cloud-credential-operator",
-			},
-			"spec": map[string]interface{}{
-				"secretRef": map[string]interface{}{
-					"name":      "cloud-credentials",
-					"namespace": secretNS,
-				},
-				"serviceAccountNames": []interface{}{
-					common.OADPOperatorServiceAccount,
-				},
-				"providerSpec": map[string]interface{}{
-					"apiVersion": "cloudcredential.openshift.io/v1",
-					"kind":       "AWSProviderSpec",
-					"statementEntries": []interface{}{
-						map[string]interface{}{
-							"effect": "Allow",
-							"action": []interface{}{
-								"s3:*",
-							},
-							"resource": "arn:aws:s3:*:*:*",
-						},
-					},
-					"stsIAMRoleARN": roleARN,
-				},
-				"cloudTokenPath": WITP,
-			},
-		},
-	}
-	verb := "created"
-	if err := clientInstance.Create(context.Background(), credRequest); err != nil {
-		if errors.IsAlreadyExists(err) {
-			verb = "updated"
-			setupLog.Info("CredentialsRequest already exists, updating")
-			fromCluster := &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"apiVersion": "cloudcredential.openshift.io/v1",
-					"kind":       "CredentialsRequest",
-				},
-			}
-			err = clientInstance.Get(context.Background(), types.NamespacedName{Name: "oadp-aws-credentials-request", Namespace: "openshift-cloud-credential-operator"}, fromCluster)
-			if err != nil {
-				setupLog.Error(err, "unable to get existing credentials request resource")
-				return err
-			}
-			// update spec
-			fromCluster.Object["spec"] = credRequest.Object["spec"]
-			if err := clientInstance.Update(context.Background(), fromCluster); err != nil {
-				setupLog.Error(err, fmt.Sprintf("unable to update credentials request resource, %v, %+v", err, fromCluster.Object))
-				return err
-			}
-		} else {
-			setupLog.Error(err, "unable to create credentials request resource")
-			return err
-		}
-	}
-	setupLog.Info("Custom resource credentialsrequest " + verb + " successfully")
-	return nil
 }
@@ -18,8 +18,8 @@ metadata:
     features.operators.openshift.io/proxy-aware: "true"
     features.operators.openshift.io/tls-profiles: "false"
     features.operators.openshift.io/token-auth-aws: "true"
-    features.operators.openshift.io/token-auth-azure: "false"
-    features.operators.openshift.io/token-auth-gcp: "false"
+    features.operators.openshift.io/token-auth-azure: "true"
+    features.operators.openshift.io/token-auth-gcp: "true"
     olm.skipRange: '>=0.0.0 <99.0.0'
     operatorframework.io/suggested-namespace: openshift-adp
     operators.openshift.io/infrastructure-features: '["Disconnected"]'