AGENT-951: Add new security defn for ABI

[pawanpinjarkar]

The agent-based installer needs a new security definition to perform the read-only operations for the user persona watcher. The agent-based installer commands such as wait-for and monitor internally uses the read-only persona watcher which can only make read requests to the endpoints annotated with watcherAuth security definition.

Other existing authenticators do not support this agent-based installer specific watcherAuth security definition.

List all the issues related to this PR

• New Feature
• Enhancement
• Bug fix
• Tests
• Documentation
• CI/CD

What environments does this code impact?

• Automation (CI, tools, etc)
• Cloud
• Operator Managed Deployments
• None

How was this code tested?

• assisted-test-infra environment
• dev-scripts environment
• Reviewer's test appreciated
• Waiting for CI to do a full test run
• Manual (Elaborate on how it was tested)
• No tests needed

Checklist

• Title and description added to both, commit and PR.
• Relevant issues have been associated (see CONTRIBUTING guide)
• This change does not require a documentation update (docstring, docs, README, etc)
• Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pawanpinjarkar
Once this PR has been reviewed and has the lgtm label, please assign pastequo for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@pawanpinjarkar: This pull request references AGENT-951 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

The agent-based installer needs a new security definition to perform the read-only operations for the user persona watcher. The agent-based installer commands such as wait-for and monitor internally uses the read-only persona watcher which can only make read requests to the endpoints annotated with watcherAuth security definition.

Other existing authenticators do not support this agent-based installer specific watcherAuth security definition.

List all the issues related to this PR

• New Feature
• Enhancement
• Bug fix
• Tests
• Documentation
• CI/CD

What environments does this code impact?

• Automation (CI, tools, etc)
• Cloud
• Operator Managed Deployments
• None

How was this code tested?

• assisted-test-infra environment
• dev-scripts environment
• Reviewer's test appreciated
• Waiting for CI to do a full test run
• Manual (Elaborate on how it was tested)
• No tests needed

Checklist

• Title and description added to both, commit and PR.
• Relevant issues have been associated (see CONTRIBUTING guide)
• This change does not require a documentation update (docstring, docs, README, etc)
• Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

• Are the title and description (in both PR and commit) meaningful and clear?
• Is there a bug required (and linked) for this change?
• Should this PR be backported?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pawanpinjarkar]

/cc @carbonin

[codecov]

Codecov Report

Attention: Patch coverage is 44.44444% with 5 lines in your changes missing coverage. Please review.

Project coverage is 68.74%. Comparing base (476ce3a) to head (07ae8c0).

Files with missing lines	Patch %	Lines
pkg/auth/none_authenticator.go	0.00%	3 Missing ⚠️
pkg/auth/rhsso_authenticator.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6784      +/-   ##
==========================================
- Coverage   68.74%   68.74%   -0.01%     
==========================================
  Files         249      249              
  Lines       37439    37448       +9     
==========================================
+ Hits        25739    25743       +4     
- Misses       9402     9407       +5     
  Partials     2298     2298              

Files with missing lines	Coverage Δ
pkg/auth/agent_local_authenticator.go	55.10% <100.00%> (+1.91%)	⬆️
pkg/auth/authenticator.go	100.00% <ø> (ø)
pkg/auth/local_authenticator.go	50.64% <100.00%> (+1.31%)	⬆️
pkg/auth/rhsso_authenticator.go	50.90% <0.00%> (-0.63%)	⬇️
pkg/auth/none_authenticator.go	6.89% <0.00%> (-0.80%)	⬇️

... and 2 files with indirect coverage changes

[openshift-ci]

@pawanpinjarkar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/edge-subsystem-kubeapi-aws	07ae8c0	link	true	/test edge-subsystem-kubeapi-aws

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.