From e94a834fe95b33520bb98a09579a9fe942c6fac8 Mon Sep 17 00:00:00 2001
From: Bryce Palmer <bpalmer@redhat.com>
Date: Wed, 29 Jan 2025 13:09:17 -0500
Subject: [PATCH] UPSTREAM: <carry>: Move Group informer configuration into
 RestrictSubjectBindings

admission plugin initialization to prevent Group informers being configured when
the plugin is disabled. This is necessary for when the OpenShift OAuth stack
is not present and the plugin is disabled as part of that.

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
---
 .../admission/authorization/restrictusers/restrictusers.go | 7 +++++++
 openshift-kube-apiserver/openshiftkubeapiserver/patch.go   | 7 -------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go b/openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go
index 4c78858203181..4dea00e61a4cf 100644
--- a/openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go
+++ b/openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go
@@ -13,6 +13,7 @@ import (
 	"k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/apis/rbac"
 
@@ -87,6 +88,12 @@ func (q *restrictUsersAdmission) SetRESTClientConfig(restClientConfig rest.Confi
 }
 
 func (q *restrictUsersAdmission) SetUserInformer(userInformers userinformer.SharedInformerFactory) {
+	if err := userInformers.User().V1().Groups().Informer().AddIndexers(cache.Indexers{
+		usercache.ByUserIndexName: usercache.ByUserIndexKeys,
+	}); err != nil {
+		utilruntime.HandleError(err)
+		return
+	}
 	q.groupCache = usercache.NewGroupCache(userInformers.User().V1().Groups())
 }
 
diff --git a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
index 8b2dae53fc05b..6fcc493880a8a 100644
--- a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
+++ b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
@@ -27,9 +27,7 @@ import (
 	clientgoinformers "k8s.io/client-go/informers"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/cache"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers"
-	"k8s.io/kubernetes/openshift-kube-apiserver/admission/authorization/restrictusers/usercache"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managednode"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/autoscaling/managementcpusoverride"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
@@ -176,11 +174,6 @@ func newInformers(loopbackClientConfig *rest.Config) (*kubeAPIServerInformers, e
 		OpenshiftUserInformers:     userinformer.NewSharedInformerFactory(userClient, defaultInformerResyncPeriod),
 		OpenshiftConfigInformers:   configv1informer.NewSharedInformerFactory(configClient, defaultInformerResyncPeriod),
 	}
-	if err := ret.OpenshiftUserInformers.User().V1().Groups().Informer().AddIndexers(cache.Indexers{
-		usercache.ByUserIndexName: usercache.ByUserIndexKeys,
-	}); err != nil {
-		return nil, err
-	}
 
 	return ret, nil
 }