Skip to content

CLOUDP-373260 Atlas Service Accounts support - phase 1#3323

Open
MaciejKaras wants to merge 17 commits intomainfrom
CLOUDP-373260/service-accounts-phase-1
Open

CLOUDP-373260 Atlas Service Accounts support - phase 1#3323
MaciejKaras wants to merge 17 commits intomainfrom
CLOUDP-373260/service-accounts-phase-1

Conversation

@MaciejKaras
Copy link
Copy Markdown
Collaborator

@MaciejKaras MaciejKaras commented Apr 20, 2026
edited
Loading

Summary

Adds Service Account (OAuth 2.0) authentication support to the Atlas Kubernetes Operator. Users can supply clientId / clientSecret in a Connection Secret; a new ServiceAccountToken controller obtains short-lived bearer tokens and caches them for all reconcilers to consume. Existing API-key authentication is unchanged.

See the Technical Design.

Related: #3329 — the Helm chart changes that expose these credentials via helm install / --set.

Proof of Work

Passing all new unit and e2e tests.

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you checked for release_note changes?
  • Have you signed our CLA?

Reminder (Please remove this when merging)

  • Please try to Approve or Reject Changes the PR, keep PRs in review as short as possible
  • Remember the following Communication Standards - use comment prefixes for clarity:
    • blocking: Must be addressed before approval.
    • follow-up: Can be addressed in a later PR or ticket.
    • q: Clarifying question.
    • nit: Non-blocking suggestions.
    • note: Side-note, non-actionable. Example: Praise
    • --> no prefix is considered a question

MaciejKaras
MaciejKaras commented Apr 20, 2026
View reviewed changes
Comment thread internal/controller/reconciler/credentials.go Outdated
MaciejKaras
MaciejKaras commented Apr 20, 2026
View reviewed changes
Comment thread internal/controller/reconciler/credentials.go Outdated
@MaciejKaras MaciejKaras force-pushed the CLOUDP-373260/service-accounts-phase-1 branch 2 times, most recently from db36adc to be90f98 Compare April 22, 2026 09:07
@MaciejKaras MaciejKaras force-pushed the CLOUDP-373260/service-accounts-phase-1 branch from cec4603 to 1c17e19 Compare April 23, 2026 08:22
@MaciejKaras MaciejKaras mentioned this pull request Apr 23, 2026
Open
4 tasks
@MaciejKaras MaciejKaras marked this pull request as ready for review April 23, 2026 10:56
@MaciejKaras MaciejKaras requested a review from a team as a code owner April 23, 2026 10:56
josvazg
josvazg reviewed Apr 23, 2026
View reviewed changes
Comment thread internal/controller/accesstoken/accesstoken_test.go Outdated
@josvazg
Copy link
Copy Markdown
Collaborator

josvazg commented Apr 23, 2026

Added label test/e2e2/* to ensure the included e2e2 test would run.

igor-karpukhin
igor-karpukhin reviewed Apr 28, 2026
View reviewed changes
Comment thread internal/controller/reconciler/credentials.go
@MaciejKaras
reconciler: reject expired access token from cached Secret
bfcec5a 
Adds a third guard to getServiceAccountAccessToken: after the staleness
hash check, parse the access token Secret's expiry field and refuse a
token whose RFC3339 expiry is missing, unparseable, or already past.
The service-account-token controller is expected to refresh ahead of
expiry; this check defends against controller lag or clock skew so the
consumer never hands a downstream reconciler a token Atlas would
already reject.

Addresses PR #3323 review comment on credentials.go:144.
@MaciejKaras
test/serviceaccounttoken: isolate expiry branch in RefreshesExpiredToken
698c1e6 
The pre-existing token Secret had no credentialsHash, so the staleness
branch (hash mismatch against current creds) was the actual trigger for
the refresh — the expired expiry was never exercised. Pre-populate a
matching credentialsHash so only the expired expiry can drive the
refresh.
@MaciejKaras
test/reconciler: convert TestGetConnectionConfig_ServiceAccount to table
ff74195 
Replace the four standalone t.Run subtests plus the inner four-case
table with a single 8-case table. Each row carries credSecret +
optional tokenSecret directly; the ref is derived from credSecret.
A small tokenSecret() factory and a shared saCredSecret keep each
row to its meaningful inputs. Resolves the dupl warnings from
golangci-lint and gives all SA-path scenarios one consistent shape.
@MaciejKaras
test/reconciler: convert TestValidate to table
85db6bc 
Match the table-driven shape used by TestGetConnectionConfig_*.
Each row carries the input Secret data plus an expectedError string;
the assertion uses require.EqualError for whole-message equality.
@MaciejKaras
Minor fixes
3dd3876
igor-karpukhin
igor-karpukhin reviewed Apr 29, 2026
View reviewed changes
Comment thread internal/controller/accesstoken/accesstoken.go Outdated
@MaciejKaras
accesstoken: drop unreachable error returns from hash helpers
dda3f76 
hash.Hash.Write is documented to never return an error, so the error
paths in DeriveSecretName and CredentialsHash were dead code. Simplify
both helpers to return only a string and update all callers.
igor-karpukhin
igor-karpukhin approved these changes Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@igor-karpukhin igor-karpukhin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Great work @MaciejKaras! I tested it in my local cluster as well, it works 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@josvazg josvazg josvazg approved these changes

@helderjs helderjs helderjs approved these changes

@igor-karpukhin igor-karpukhin igor-karpukhin approved these changes

@s-urbaniak s-urbaniak Awaiting requested review from s-urbaniak

Assignees

No one assigned

Labels

test/e2e/* test/e2e2/* test/int/* test/openshift

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MaciejKaras @josvazg @helderjs @igor-karpukhin