Add predictable Frontend token for external readonly authentication

ezr-ondrej · ezr-ondrej · commit 5d6c4c6bb394 · 2025-05-11T23:28:28.000+02:00
diff --git a/controllers/cloud.redhat.com/providers/featureflags/localfeatureflags.go b/controllers/cloud.redhat.com/providers/featureflags/localfeatureflags.go
@@ -220,8 +220,9 @@ func (ff *localFeatureFlagsProvider) EnvProvide() error {
 
 func createDefaultFFSecMap() map[string]string {
 	return map[string]string{
-		"adminAccessToken":  "*:*." + utils.RandHexString(32),
-		"clientAccessToken": "default:development." + utils.RandHexString(32),
+		"adminAccessToken":    "*:*." + utils.RandHexString(32),
+		"clientAccessToken":   "default:development." + utils.RandHexString(32),
+		"frontendAccessToken": "default:*.proxy-123",
 	}
 }
 
@@ -272,7 +273,7 @@ func makeLocalFFEdgeIngress(ff *localFeatureFlagsProvider) error {
 			IngressRuleValue: networking.IngressRuleValue{
 				HTTP: &networking.HTTPIngressRuleValue{
 					Paths: []networking.HTTPIngressPath{{
-						Path:     "/api/client/features",
+						Path:     "/api/frontend",
 						PathType: &prefixPathType,
 						Backend: networking.IngressBackend{
 							Service: &networking.IngressServiceBackend{
@@ -329,6 +330,7 @@ func makeLocalFeatureFlags(_ *crd.ClowdEnvironment, o obj.ClowdObject, objMap pr
 	envVars = provutils.AppendEnvVarsFromSecret(envVars, nn.Name,
 		provutils.NewSecretEnvVar("INIT_CLIENT_API_TOKENS", "clientAccessToken"),
 		provutils.NewSecretEnvVar("INIT_ADMIN_API_TOKENS", "adminAccessToken"),
+		provutils.NewSecretEnvVar("INIT_FRONTEND_API_TOKENS", "frontendAccessToken"),
 	)
 
 	ports := []core.ContainerPort{{
diff --git a/tests/kuttl/test-ff-local/01-assert.yaml b/tests/kuttl/test-ff-local/01-assert.yaml
@@ -70,7 +70,7 @@ spec:
     - http:
         paths:
           - pathType: Prefix
-            path: /api/client/features
+            path: /api/frontend
             backend:
               service:
                 name: test-ff-local-featureflags-edge
diff --git a/tests/kuttl/test-ff-local/test_feature_flags.sh b/tests/kuttl/test-ff-local/test_feature_flags.sh
@@ -16,8 +16,8 @@ get_request_ingress() {
 
 get_request_edge() {
 
-    local TOKEN="$1"
-    local ENDPOINT="$2"
+    local TOKEN="default:*.proxy-123"
+    local ENDPOINT="$1"
 
     kubectl exec -n test-ff-local "$FEATURE_FLAGS_POD" -- wget -q -O- \
         --header "Authorization: $TOKEN" "test-ff-local-featureflags-edge:3063${ENDPOINT}"
@@ -84,7 +84,7 @@ fi
 echo "Waiting for edge to sync"
 sleep 6
 
-if ! get_request_edge "$CLIENT_TOKEN" "/api/client/features/$FEATURE_TOGGLE_NAME"; then
+if ! get_request_edge "/api/frontend/$FEATURE_TOGGLE_NAME"; then
     echo "Feature toggle '$FEATURE_TOGGLE_NAME' should be available through edge"
     exit 1
 fi
