vmware-tanzu · joshuatcasey · Jun 3, 2024 · May 30, 2024 · May 31, 2024 · May 31, 2024
diff --git a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go
@@ -51,14 +51,12 @@ const (
 
 	countExpectedConditions = 6
 
-	HostValid                string = "HostValid"
-	TLSConfigurationValid    string = "TLSConfigurationValid"
-	OrganizationsPolicyValid string = "OrganizationsPolicyValid"
-	// ClientCredentialsObtained is different from other status conditions because it only checks that the client credentials
-	// have been obtained. The controller has no way to verify whether they are valid.
-	ClientCredentialsObtained string = "ClientCredentialsObtained" //nolint:gosec // this is not a credential
-	GitHubConnectionValid     string = "GitHubConnectionValid"
-	ClaimsValid               string = "ClaimsValid"
+	HostValid                    string = "HostValid"
+	TLSConfigurationValid        string = "TLSConfigurationValid"
+	OrganizationsPolicyValid     string = "OrganizationsPolicyValid"
+	ClientCredentialsSecretValid string = "ClientCredentialsSecretValid" //nolint:gosec // this is not a credential
+	GitHubConnectionValid        string = "GitHubConnectionValid"
+	ClaimsValid                  string = "ClaimsValid"
 
 	defaultHost       = "github.com"
 	defaultApiBaseURL = "https://api.github.com"
@@ -166,7 +164,7 @@ func (c *gitHubWatcherController) validateClientSecret(secretName string) (*meta
 
 	buildFalseCondition := func(prefix string) (*metav1.Condition, string, string, error) {
 		return &metav1.Condition{
-			Type:   ClientCredentialsObtained,
+			Type:   ClientCredentialsSecretValid,
 			Status: metav1.ConditionFalse,
 			Reason: upstreamwatchers.ReasonNotFound,
 			Message: fmt.Sprintf("%s: secret from spec.client.SecretName (%q) must be found in namespace %q with type %q and keys %q and %q",
@@ -202,7 +200,7 @@ func (c *gitHubWatcherController) validateClientSecret(secretName string) (*meta
 	}
 
 	return &metav1.Condition{
-		Type:    ClientCredentialsObtained,
+		Type:    ClientCredentialsSecretValid,
 		Status:  metav1.ConditionTrue,
 		Reason:  upstreamwatchers.ReasonSuccess,
 		Message: fmt.Sprintf("clientID and clientSecret have been read from spec.client.SecretName (%q)", secretName),

diff --git a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher_test.go
diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher.go
@@ -54,7 +54,7 @@ const (
 	oidcValidatorCacheTTL = 15 * time.Minute
 
 	// Constants related to conditions.
-	typeClientCredentialsValid             = "ClientCredentialsValid" //nolint:gosec // this is not a credential
+	typeClientCredentialsSecretValid       = "ClientCredentialsSecretValid" //nolint:gosec // this is not a credential
 	typeAdditionalAuthorizeParametersValid = "AdditionalAuthorizeParametersValid"
 	typeOIDCDiscoverySucceeded             = "OIDCDiscoverySucceeded"
 
@@ -260,15 +260,15 @@ func (c *oidcWatcherController) validateUpstream(ctx controllerlib.Context, upst
 	return nil
 }
 
-// validateSecret validates the .spec.client.secretName field and returns the appropriate ClientCredentialsValid condition.
+// validateSecret validates the .spec.client.secretName field and returns the appropriate ClientCredentialsSecretValid condition.
 func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityProvider, result *upstreamoidc.ProviderConfig) *metav1.Condition {
 	secretName := upstream.Spec.Client.SecretName
 
 	// Fetch the Secret from informer cache.
 	secret, err := c.secretInformer.Lister().Secrets(upstream.Namespace).Get(secretName)
 	if err != nil {
 		return &metav1.Condition{
-			Type:    typeClientCredentialsValid,
+			Type:    typeClientCredentialsSecretValid,
 			Status:  metav1.ConditionFalse,
 			Reason:  upstreamwatchers.ReasonNotFound,
 			Message: err.Error(),
@@ -278,7 +278,7 @@ func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityPr
 	// Validate the secret .type field.
 	if secret.Type != oidcClientSecretType {
 		return &metav1.Condition{
-			Type:    typeClientCredentialsValid,
+			Type:    typeClientCredentialsSecretValid,
 			Status:  metav1.ConditionFalse,
 			Reason:  upstreamwatchers.ReasonWrongType,
 			Message: fmt.Sprintf("referenced Secret %q has wrong type %q (should be %q)", secretName, secret.Type, oidcClientSecretType),
@@ -290,7 +290,7 @@ func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityPr
 	clientSecret := secret.Data[clientSecretDataKey]
 	if len(clientID) == 0 || len(clientSecret) == 0 {
 		return &metav1.Condition{
-			Type:    typeClientCredentialsValid,
+			Type:    typeClientCredentialsSecretValid,
 			Status:  metav1.ConditionFalse,
 			Reason:  upstreamwatchers.ReasonMissingKeys,
 			Message: fmt.Sprintf("referenced Secret %q is missing required keys %q", secretName, []string{clientIDDataKey, clientSecretDataKey}),
@@ -301,7 +301,7 @@ func (c *oidcWatcherController) validateSecret(upstream *v1alpha1.OIDCIdentityPr
 	result.Config.ClientID = string(clientID)
 	result.Config.ClientSecret = string(clientSecret)
 	return &metav1.Condition{
-		Type:    typeClientCredentialsValid,
+		Type:    typeClientCredentialsSecretValid,
 		Status:  metav1.ConditionTrue,
 		Reason:  upstreamwatchers.ReasonSuccess,
 		Message: "loaded client credentials",