Is this a BUG REPORT or FEATURE REQUEST?:
Bug
What happened:
I don't know when this happened, but my IAM Manager install stopped functioning. I had a very simple configmap that let the controller come up and discover the OIDC Information for the cluster, and I did not hard-code any specific trust policy. It worked.
Then while testing another issue (#73), I discovered that the IAM roles I was creating were failing due to this error:
```
2021-01-28T14:20:42.394Z ERROR internal.utils.utils.GetTrustPolicy unable to get the trust policy. It must follow v1alpha1.AssumeRolePolicyDocument syntax {"request_id": "4c0ddbce-f413-4b3a-a80a-5739a0d0dd7a", "error": "default trust policy is not provided in the config map. Request must provide trust policy in the CR"}
github.com/go-logr/zapr.(*zapLogger).Error
	/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
github.com/keikoproj/iam-manager/internal/utils.GetTrustPolicy
	/workspace/internal/utils/utils.go:51
github.com/keikoproj/iam-manager/controllers.(*IamroleReconciler).ConstructCreateIAMRoleInput
	/workspace/controllers/iamrole_controller.go:284
github.com/keikoproj/iam-manager/controllers.(*IamroleReconciler).HandleReconcile
	/workspace/controllers/iamrole_controller.go:153
github.com/keikoproj/iam-manager/controllers.(*IamroleReconciler).Reconcile
	/workspace/controllers/iamrole_controller.go:106
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152
k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153
k8s.io/apimachinery/pkg/util/wait.Until
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88
I0128 14:20:42.394601 1 event.go:281] Event(v1.ObjectReference{Kind:"Iamrole", Namespace:"observability", Name:"test-role", UID:"09c02398-10f2-4f0f-aacf-6d0ede26839f", APIVersion:"iammanager.keikoproj.io/v1alpha1", ResourceVersion:"47393684", FieldPath:""}): type: 'Warning' reason: 'Error' Unable to create/update iam role due to error default trust policy is not provided in the config map. Request must provide trust policy in the CR
```
What you expected to happen:
I expected a default/generic trust policy to be used. Even though the IRSA enabled flag was disabled (because we manage our own OIDC settings for the cluster), we did pass in the OIDC URL. However, I think this code bypasses that. If the IAM Manager cannot construct its own OIDC setup on startup, then it bails out?
It seems like if we supply the OIDC URL - or if one exists and the code can discover it - then we should just use that. Right?
Anything else we need to know?:
Environment:
iam-manager version: 0.0.6
Kubernetes version : 1.18.8
Did you include the IRSA annotation in the IamRole object? As long as you have that annotation on the incoming request and have the OIDC URL in the config map, the code should be able to construct the trust policy.
I did include the IRSA annotation and we had the OIDC URL as well, yet it still did not work. It only began working after I implemented my own trust policy setting for the controller. :/
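The selection logic the maintainer describes (IRSA annotation on the CR plus an OIDC URL in the config map produces a derived trust policy; otherwise a default policy from the config map or an explicit one in the CR is required), as an added, self-contained Go example. This is not iam-manager's code: the annotation key, the `Config`/`Iamrole` field names and the sample account ID and issuer URL are placeholders, and the decision order (CR policy, then IRSA, then config-map default) is an assumption based on the reply above, not a reading of the project source. The derived IRSA policy pins the role to one `system:serviceaccount:<namespace>:<name>` subject and also checks the `aud` claim, which is the part of the trust policy worth getting right when you hand-roll it.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Placeholder for the IRSA service-account annotation the maintainer refers to;
// the real key is not shown in the issue (assumption).
const irsaAnnotation = "example.invalid/irsa-service-account"

// Config holds the controller settings that matter here (assumed field names).
type Config struct {
	OIDCURL            string // cluster OIDC issuer, e.g. https://oidc.eks.<region>.amazonaws.com/id/<ID>
	AccountID          string
	DefaultTrustPolicy string // JSON AssumeRolePolicyDocument from the config map; empty if unset
}

// Iamrole is the subset of the CR needed for the decision (assumed shape).
type Iamrole struct {
	Namespace   string
	Annotations map[string]string
	TrustPolicy string // JSON AssumeRolePolicyDocument given in the CR; empty if unset
}

type statement struct {
	Effect    string                       `json:"Effect"`
	Principal map[string]string            `json:"Principal"`
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

type policyDocument struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// ErrNoTrustPolicy reproduces the message from the reporter's log.
var ErrNoTrustPolicy = errors.New("default trust policy is not provided in the config map. Request must provide trust policy in the CR")

// oidcHost strips scheme and trailing slash; IAM names the provider by host/path.
func oidcHost(oidcURL string) string {
	return strings.TrimSuffix(strings.TrimPrefix(oidcURL, "https://"), "/")
}

// IRSATrustPolicy builds the web-identity trust policy for one service account.
// The sub condition restricts the role to exactly namespace:serviceaccount and
// the aud condition rejects projected tokens minted for any other audience.
func IRSATrustPolicy(cfg Config, namespace, serviceAccount string) (string, error) {
	if cfg.OIDCURL == "" {
		return "", errors.New("IRSA annotation present but OIDC URL is not set in the config map")
	}
	host := oidcHost(cfg.OIDCURL)
	doc := policyDocument{
		Version: "2012-10-17",
		Statement: []statement{{
			Effect:    "Allow",
			Principal: map[string]string{"Federated": fmt.Sprintf("arn:aws:iam::%s:oidc-provider/%s", cfg.AccountID, host)},
			Action:    "sts:AssumeRoleWithWebIdentity",
			Condition: map[string]map[string]string{"StringEquals": {
				host + ":sub": fmt.Sprintf("system:serviceaccount:%s:%s", namespace, serviceAccount),
				host + ":aud": "sts.amazonaws.com",
			}},
		}},
	}
	b, err := json.Marshal(doc)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// GetTrustPolicy picks the policy in this (assumed) order: explicit policy in
// the CR, IRSA policy derived from annotation + OIDC URL, config-map default.
func GetTrustPolicy(cfg Config, role Iamrole) (string, error) {
	if p := strings.TrimSpace(role.TrustPolicy); p != "" {
		if !json.Valid([]byte(p)) {
			return "", errors.New("trust policy in the CR is not valid JSON")
		}
		return p, nil
	}
	if sa := role.Annotations[irsaAnnotation]; sa != "" { // nil map lookup yields ""
		return IRSATrustPolicy(cfg, role.Namespace, sa)
	}
	if p := strings.TrimSpace(cfg.DefaultTrustPolicy); p != "" {
		return p, nil
	}
	return "", ErrNoTrustPolicy
}

func main() {
	// Constructed sample config: OIDC URL set, no default trust policy.
	cfg := Config{OIDCURL: "https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE", AccountID: "123456789012"}
	_, err := GetTrustPolicy(cfg, Iamrole{Namespace: "observability"})
	fmt.Println("no annotation:", err)
	p, err := GetTrustPolicy(cfg, Iamrole{Namespace: "observability",
		Annotations: map[string]string{irsaAnnotation: "test-role"}})
	fmt.Println("with annotation:", p, err)
}
```

Running it shows the two outcomes discussed in the thread: without the annotation (and with no default policy in the config map) the lookup ends in the same "default trust policy is not provided" error from the log, while with the annotation the policy is derived from the OIDC URL alone, no `irsa enabled` flag involved.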