Merge pull request #15869 from openshift-cherrypick-robot/cherry-pick-15813-to-release-4.20

openshift-merge-bot[bot] · web-flow · commit 82a672022ea1 · 2026-01-19T19:18:11.000Z
[release-4.20] OCPBUGS-69917: There should be no role ARN field as token-auth-aws/azure/gcp=false in csv annotations
diff --git a/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/index.ts b/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/index.ts
@@ -40,6 +40,8 @@ export enum ValidSubscriptionValue {
   RequiresSeparateSubscription = 'Requires separate subscription',
 }
 
+export type TokenizedAuthProvider = 'AWS' | 'Azure' | 'GCP';
+
 export type OperatorHubItem = {
   authentication: AuthenticationKind;
   catalogSource: string;
diff --git a/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-items.tsx b/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-items.tsx
@@ -41,7 +41,7 @@ import {
   sourceSort,
   validSubscriptionSort,
 } from './operator-hub-utils';
-import { InfrastructureFeature, OperatorHubItem } from './index';
+import { InfrastructureFeature, OperatorHubItem, TokenizedAuthProvider } from './index';
 
 // Scoring and priority code no longer used and will be removed with Operator Hub catalog files cleanup effort
 const SCORE = {
@@ -578,7 +578,9 @@ export const OperatorHubTileView: React.FC<OperatorHubTileViewProps> = (props) =
   >(userSettingsKey, storeKey, false);
   const [updateChannel, setUpdateChannel] = React.useState('');
   const [updateVersion, setUpdateVersion] = React.useState('');
-  const [tokenizedAuth, setTokenizedAuth] = React.useState(null);
+  const [tokenizedAuth, setTokenizedAuth] = React.useState<TokenizedAuthProvider | undefined>(
+    undefined,
+  );
   const installVersion = getQueryArgument('version');
   const filteredItems = filterByArchAndOS(props.items);
 
@@ -769,7 +771,7 @@ export const OperatorHubTileView: React.FC<OperatorHubTileViewProps> = (props) =
     // reset version and channel state so that switching between operator cards does not carry over previous selections
     setUpdateChannel('');
     setUpdateVersion('');
-    setTokenizedAuth('');
+    setTokenizedAuth(undefined);
   };
 
   const openOverlay = (item: OperatorHubItem) => {
@@ -790,21 +792,24 @@ export const OperatorHubTileView: React.FC<OperatorHubTileViewProps> = (props) =
     <OperatorHubTile updateChannel={updateChannel} item={item} onClick={openOverlay} />
   );
 
-  const installParamsURL =
-    detailsItem &&
-    detailsItem.obj &&
-    new URLSearchParams({
+  let installParamsURL = '';
+  if (detailsItem && detailsItem.obj) {
+    const installParams: Record<string, string> = {
       pkg: detailsItem.obj.metadata.name,
       catalog: detailsItem.catalogSource,
       catalogNamespace: detailsItem.catalogSourceNamespace,
       targetNamespace: props.namespace,
       channel: updateChannel,
       version: updateVersion,
-      tokenizedAuth,
-    }).toString();
+    };
+    if (tokenizedAuth) {
+      installParams.tokenizedAuth = tokenizedAuth;
+    }
+    installParamsURL = new URLSearchParams(installParams).toString();
+  }
 
   const installLink =
-    detailsItem && detailsItem.obj && `/operatorhub/subscribe?${installParamsURL.toString()}`;
+    detailsItem && detailsItem.obj && `/operatorhub/subscribe?${installParamsURL}`;
 
   const uninstallLink = () =>
     detailsItem &&
diff --git a/frontend/packages/operator-lifecycle-manager/src/hooks/useOperatorCatalogItems.tsx b/frontend/packages/operator-lifecycle-manager/src/hooks/useOperatorCatalogItems.tsx
@@ -13,7 +13,13 @@ import { Timestamp } from '@console/shared/src/components/datetime/Timestamp';
 import { ExternalLink } from '@console/shared/src/components/links/ExternalLink';
 import { iconFor } from '../components';
 import { subscriptionFor } from '../components/operator-group';
-import { InstalledState, OLMAnnotation, CSVAnnotations } from '../components/operator-hub/index';
+import {
+  InstalledState,
+  OLMAnnotation,
+  CSVAnnotations,
+  InfrastructureFeature,
+  TokenizedAuthProvider,
+} from '../components/operator-hub/index';
 import {
   OperatorVersionSelect,
   OperatorChannelSelect,
@@ -87,7 +93,6 @@ export const useOperatorCatalogItems = () => {
 
   const [updateChannel, setUpdateChannel] = React.useState('');
   const [updateVersion, setUpdateVersion] = React.useState('');
-  const [tokenizedAuth, setTokenizedAuth] = React.useState(null);
 
   const loaded = React.useMemo(
     () =>
@@ -131,16 +136,6 @@ export const useOperatorCatalogItems = () => {
   const clusterIsAzureWIF = isAzureWIFCluster(cloudCredentials, infrastructure, authentication);
   const clusterIsGCPWIF = isGCPWIFCluster(cloudCredentials, infrastructure, authentication);
 
-  React.useEffect(() => {
-    if (clusterIsAWSSTS) {
-      setTokenizedAuth('AWS');
-    } else if (clusterIsAzureWIF) {
-      setTokenizedAuth('Azure');
-    } else if (clusterIsGCPWIF) {
-      setTokenizedAuth('GCP');
-    }
-  }, [clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF]);
-
   const items = React.useMemo(() => {
     if (!loaded || loadError) {
       return [];
@@ -212,14 +207,35 @@ export const useOperatorCatalogItems = () => {
         const imgUrl = iconFor(pkg);
         const type = 'operator';
 
+        // Compute tokenizedAuth per operator based on its infrastructureFeatures
+        // Only set tokenizedAuth if both the cluster supports it AND the operator supports it
+        // (i.e., the operator's CSV annotations don't have token-auth-aws/azure/gcp=false)
+        let operatorTokenizedAuth: TokenizedAuthProvider | undefined;
+        if (clusterIsAWSSTS && infrastructureFeatures.includes(InfrastructureFeature.TokenAuth)) {
+          operatorTokenizedAuth = 'AWS';
+        } else if (
+          clusterIsAzureWIF &&
+          infrastructureFeatures.includes(InfrastructureFeature.TokenAuth)
+        ) {
+          operatorTokenizedAuth = 'Azure';
+        } else if (
+          clusterIsGCPWIF &&
+          infrastructureFeatures.includes(InfrastructureFeature.TokenAuthGCP)
+        ) {
+          operatorTokenizedAuth = 'GCP';
+        }
+
         // Build install parameters URL
-        const installParamsURL = new URLSearchParams({
+        const installParams: Record<string, string> = {
           pkg: pkg.metadata.name,
           catalog: catalogSource,
           catalogNamespace: catalogSourceNamespace,
           targetNamespace: namespace,
-          tokenizedAuth,
-        }).toString();
+        };
+        if (operatorTokenizedAuth) {
+          installParams.tokenizedAuth = operatorTokenizedAuth;
+        }
+        const installParamsURL = new URLSearchParams(installParams).toString();
 
         const installLink = `/operatorhub/subscribe?${installParamsURL}`;
         const uninstallLink = subscription
@@ -446,7 +462,6 @@ export const useOperatorCatalogItems = () => {
     t,
     updateChannel,
     updateVersion,
-    tokenizedAuth,
   ]);
 
   return [items, loaded];

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,8 @@ export enum ValidSubscriptionValue {`
`40`	`40`	`RequiresSeparateSubscription = 'Requires separate subscription',`
`41`	`41`	`}`
`42`	`42`
	`43`	`+export type TokenizedAuthProvider = 'AWS' \| 'Azure' \| 'GCP';`
	`44`	`+`
`43`	`45`	`export type OperatorHubItem = {`
`44`	`46`	`authentication: AuthenticationKind;`
`45`	`47`	`catalogSource: string;`