diff --git a/pkg/backends/features/iap.go b/pkg/backends/features/iap.go
index 82aada2ff0..bc25120cc4 100644
--- a/pkg/backends/features/iap.go
+++ b/pkg/backends/features/iap.go
@@ -40,9 +40,13 @@ func EnsureIAP(sp utils.ServicePort, be *composite.BackendService, beLogger klog
 beTemp := &composite.BackendService{}
 applyIAPSettings(sp, beTemp)
- if err := switchingToDefault(beTemp, be); err != nil {
- beLogger.Error(err, "Errored updating IAP settings")
- return false, fmt.Errorf("Errored updating IAP Settings for service %s/%s: %w", sp.ID.Service.Namespace, sp.ID.Service.Name, err)
+ // It's possible that a user could remove the credentials when
+ // disabling the IAP, so only check switchingToDefault when it's enabled.
+ if beTemp.Iap.Enabled {
+ if err := switchingToDefault(beTemp, be); err != nil {
+ beLogger.Error(err, "Errored updating IAP settings")
+ return false, fmt.Errorf("Errored updating IAP Settings for service %s/%s: %w", sp.ID.Service.Namespace, sp.ID.Service.Name, err)
+ }
 }
 if diffIAP(beTemp, be, beLogger) {
diff --git a/pkg/backends/features/iap_test.go b/pkg/backends/features/iap_test.go
index 5021de2983..c6ee8aac35 100644
--- a/pkg/backends/features/iap_test.go
+++ b/pkg/backends/features/iap_test.go
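Review bot: When `beTemp.Iap.Enabled` is false the credential check is now skipped, and nothing in this hunk records that IAP is being turned off, which removes the identity check in front of the backend. Unless diffIAP (body not visible here) already logs the transition, add an else branch with something like `beLogger.Info("IAP disabled in BackendConfig, skipping OAuth credential check")` so the change is traceable in controller logs. The new condition also dereferences `beTemp.Iap` directly, which relies on applyIAPSettings always populating it; that function is outside the hunk, so this should be confirmed. EnsureIAP begins before and continues after this hunk.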
@@ -263,6 +263,34 @@ func TestEnsureIAP(t *testing.T) {
 updateExpected: false,
 expectErr: true,
 },
+ {
+ desc: "enabled is changed to false, update needed",
+ sp: utils.ServicePort{
+ BackendConfig: &backendconfigv1.BackendConfig{
+ Spec: backendconfigv1.BackendConfigSpec{
+ Iap: &backendconfigv1.IAPConfig{
+ Enabled: false,
+ },
+ },
+ },
+ },
+ be: &composite.BackendService{
+ Iap: &composite.BackendServiceIAP{
+ Enabled: true,
+ Oauth2ClientId: "foo",
+ Oauth2ClientSecretSha256: fmt.Sprintf("%x", sha256.Sum256([]byte("baz"))),
+ },
+ },
+ wantBE: &composite.BackendService{
+ Iap: &composite.BackendServiceIAP{
+ Enabled: false,
+ Oauth2ClientId: "",
+ Oauth2ClientSecretSha256: "",
+ },
+ },
+ updateExpected: true,
+ expectErr: false,
+ },
 }
 for _, tc := range testCases {
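Review bot: The added case only covers disabling IAP with the credentials removed from the BackendConfig; the complementary input, `Enabled: false` while the config still carries OAuth credentials, is not exercised in this hunk. A second table entry for that input would pin what ends up in `wantBE` when the credentials are kept, unless a case outside the hunk already does. The `desc` could also state that the credentials are dropped, e.g. `desc: "enabled is changed to false and credentials removed, update needed"`. The test table and the loop over it continue outside the hunk.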