Fix IAP OAuth credentials not being fetched when IAP is disabled

sysedwinistrator · sysedwinistrator · commit a1f477fb83e9 · 2025-07-29T16:52:31.000+02:00
The behavior in validateIAP() of treating .spec.iap.enabled=false as
equivalent to .spec.iap=nil and abort all validation is incongruent with
that in pkg/backends/features/iap.go, where a full sync of the IAP
configuration is triggered as long as .spec.iap!=nil.

The latter behavior is the correct one, as it allows disabling IAP on an
ingress where it was previously enabled by setting
.spec.spec.enabled=false in the BackendConfig.

However, because pkg/backendconfig/validation.go skips the entire
validation and with that the lookup of the OAuth credentials referenced
in .spec.iap.oauthclientCredentials.secretName, the desired
BackendConfig's OAuth Client ID will be uninitialized and interpreted
as empty (""). And in the case that IAP was previously configured with a
non-default Client ID, this will trigger a switchingToDefaultError.
diff --git a/pkg/backendconfig/validation.go b/pkg/backendconfig/validation.go
@@ -66,11 +66,11 @@ func Validate(kubeClient kubernetes.Interface, beConfig *backendconfigv1.Backend
 // between which error is returned.
 func validateIAP(kubeClient kubernetes.Interface, beConfig *backendconfigv1.BackendConfig, servicePort *utils.ServicePort) error {
 	// If IAP settings are not found or IAP is not enabled then don't bother continuing.
-	if beConfig.Spec.Iap == nil || beConfig.Spec.Iap.Enabled == false {
+	if beConfig.Spec.Iap == nil {
 		return nil
 	}
 
-	if servicePort != nil && servicePort.L7XLBRegionalEnabled {
+	if beConfig.Spec.Iap.Enabled && servicePort != nil && servicePort.L7XLBRegionalEnabled {
 		return fmt.Errorf("IAP configuration is not supported in TPC Environment")
 	}
 	// If necessary, get the OAuth credentials stored in the K8s secret.
@@ -92,7 +92,7 @@ func validateIAP(kubeClient kubernetes.Interface, beConfig *backendconfigv1.Back
 		beConfig.Spec.Iap.OAuthClientCredentials.ClientSecret = string(clientSecret)
 	}
 
-	if beConfig.Spec.Cdn != nil && beConfig.Spec.Cdn.Enabled {
+	if beConfig.Spec.Iap.Enabled && beConfig.Spec.Cdn != nil && beConfig.Spec.Cdn.Enabled {
 		return fmt.Errorf("iap and cdn cannot be enabled at the same time")
 	}
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -66,11 +66,11 @@ func Validate(kubeClient kubernetes.Interface, beConfig *backendconfigv1.Backend`
`66`	`66`	`// between which error is returned.`
`67`	`67`	`func validateIAP(kubeClient kubernetes.Interface, beConfig backendconfigv1.BackendConfig, servicePort utils.ServicePort) error {`
`68`	`68`	`// If IAP settings are not found or IAP is not enabled then don't bother continuing.`
`69`		`- if beConfig.Spec.Iap == nil \|\| beConfig.Spec.Iap.Enabled == false {`
	`69`	`+ if beConfig.Spec.Iap == nil {`
`70`	`70`	`return nil`
`71`	`71`	`}`
`72`	`72`
`73`		`- if servicePort != nil && servicePort.L7XLBRegionalEnabled {`
	`73`	`+ if beConfig.Spec.Iap.Enabled && servicePort != nil && servicePort.L7XLBRegionalEnabled {`
`74`	`74`	`return fmt.Errorf("IAP configuration is not supported in TPC Environment")`
`75`	`75`	`}`
`76`	`76`	`// If necessary, get the OAuth credentials stored in the K8s secret.`
`@@ -92,7 +92,7 @@ func validateIAP(kubeClient kubernetes.Interface, beConfig *backendconfigv1.Back`
`92`	`92`	`beConfig.Spec.Iap.OAuthClientCredentials.ClientSecret = string(clientSecret)`
`93`	`93`	`}`
`94`	`94`
`95`		`- if beConfig.Spec.Cdn != nil && beConfig.Spec.Cdn.Enabled {`
	`95`	`+ if beConfig.Spec.Iap.Enabled && beConfig.Spec.Cdn != nil && beConfig.Spec.Cdn.Enabled {`
`96`	`96`	`return fmt.Errorf("iap and cdn cannot be enabled at the same time")`
`97`	`97`	`}`
`98`	`98`	`return nil`