Uploaded image for project: 'Zero Trust Workload Identity Manager'
  1. Zero Trust Workload Identity Manager
  2. SPIRE-376

CREATE_ONLY_MODE : Invalid values should not change current state - only TRUE/FALSE should change state

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • False

      Issue Summary

      When CREATE_ONLY_MODE is set to an invalid value (e.g., "random-123", "yes", "1"), it incorrectly changes the state to disabled (FALSE). Invalid values should NOT change the current state - only valid values "TRUE" or "FALSE" (case-insensitive) should be allowed to change the state.

      Current Behavior (Bug)

      Current State New Value Capitalized Result Issue
      TRUE (enabled) "random-123" "RANDOM-123" FALSE (disabled) ❌ State changed by invalid value
      TRUE (enabled) "yes" "YES" FALSE (disabled) ❌ State changed by invalid value
      FALSE (disabled) "xyz" "XYZ" FALSE (disabled) ✅ OK (but silent, no warning)

      Expected Behavior

      Current State New Value Capitalized Valid? Expected Result
      TRUE (enabled) "true" "TRUE" ✅ Yes TRUE (state changed)
      TRUE (enabled) "false" "FALSE" ✅ Yes FALSE (state changed)
      TRUE (enabled) "random-123" "RANDOM-123" ❌ No TRUE (state UNCHANGED + warning)
      TRUE (enabled) "yes" "YES" ❌ No TRUE (state UNCHANGED + warning)
      FALSE (disabled) "true" "TRUE" ✅ Yes TRUE (state changed)
      FALSE (disabled) "xyz" "XYZ" ❌ No FALSE (state UNCHANGED + warning)

      Problem

      1. Invalid values silently change the state to FALSE
      2. If create-only mode is TRUE and user sets invalid value, it becomes FALSE unexpectedly
      3. No warning is logged for invalid values
      4. User loses their enabled state due to a typo or invalid input

      Steps to Reproduce

      # Step 1: Enable create-only mode
oc patch subscription zero-trust-workload-identity-manager-v1-0-0-sub \
  -n zero-trust-workload-identity-manager \
  --type='merge' -p '\{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"true"}]}}}'

# Step 2: Verify CreateOnlyMode is TRUE
oc get zerotrustworkloadidentitymanagers cluster -o jsonpath='\{.status.conditions[?(@.type=="CreateOnlyMode")].status}'
# Output: True

# Step 3: Set invalid value
oc patch subscription zero-trust-workload-identity-manager-v1-0-0-sub \
  -n zero-trust-workload-identity-manager \
  --type='merge' -p '\{"spec":{"config":{"env":[{"name":"CREATE_ONLY_MODE","value":"random-123"}]}}}'

# Step 4: Check status - BUG: it becomes FALSE!
oc get zerotrustworkloadidentitymanagers cluster -o jsonpath='\{.status.conditions[?(@.type=="CreateOnlyMode")].status}'
# Output: False  ← BUG! Should remain True

      Root Cause

      Current code in pkg/controller/utils/utils.go:

      func IsInCreateOnlyMode() bool {
    createOnlyEnvValue := os.Getenv(createOnlyEnvName)
    return createOnlyEnvValue == "true"  // Returns false for ANY non-"true" value
}

      Suggested Fix

      func IsInCreateOnlyMode() bool {
    value := os.Getenv(CreateOnlyEnvName)
    
    if value == "" {
        return getCurrentState()  // Return current state if empty
    }
    
    // Capitalize the input
    capitalizedValue := strings.ToUpper(strings.TrimSpace(value))
    
    switch capitalizedValue {
    case "TRUE":
        // Valid TRUE - change state to enabled
        setCurrentState(true)
        return true
        
    case "FALSE":
        // Valid FALSE - change state to disabled
        setCurrentState(false)
        return false
        
    default:
        // Invalid value - DO NOT change state, log warning
        log.Info("Invalid CREATE_ONLY_MODE value: state unchanged",
            "inputValue", value,
            "capitalizedValue", capitalizedValue,
            "currentState", getCurrentState(),
            "validValues", "true, false (case-insensitive)")
        return getCurrentState()  // Return current state unchanged
    }
}

      Acceptance Criteria

      • [ ] Only "true"/"TRUE"/"True" changes state to ENABLED
      • [ ] Only "false"/"FALSE"/"False" changes state to DISABLED
      • [ ] Invalid values DO NOT change current state
      • [ ] Invalid values log a WARNING message with details
      • [ ] Empty value keeps current state (default: disabled)
      • [ ] Unit tests added for state preservation scenarios
      • [ ] Tested transition: TRUE → invalid → should remain TRUE

      Impact

      High - Users can accidentally disable create-only mode by setting an invalid value (typo), causing the operator to start reconciling and overwriting their manual changes.

              rh-ee-manpilla Manish Pillai
              rh-ee-sayadas SAYAK DAS
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: