From fb282fe5f87cb5d495992bae78b164e63b9dd5a7 Mon Sep 17 00:00:00 2001
From: Jon Jackson <jonjacks@redhat.com>
Date: Thu, 5 Feb 2026 11:26:57 -0500
Subject: [PATCH] Fix token auth annotation to use opt-in instead of opt-out

Restore correct opt-in behavior for token-auth-aws/azure annotations.
Operators must explicitly set the annotation to "true" to show ARN/credential
fields in subscription form on STS/WIF clusters.

Regression introduced in a931fbdc3b changed logic from opt-in (=== 'true')
to opt-out (!== 'false'), causing operators without annotation or with
annotation set to "false" to incorrectly show credential fields.

This fix ensures Cluster Observability Operator and similar operators
with token-auth-aws: "false" don't show ARN field, matching 4.20 behavior.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 .../__tests__/operator-hub-utils.spec.ts      | 28 +++++++++++++++++++
 .../operator-hub/operator-hub-utils.ts        |  4 +--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-utils.spec.ts b/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-utils.spec.ts
index 7ad96a03b56..6b8d1b9821a 100644
--- a/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-utils.spec.ts
+++ b/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-utils.spec.ts
@@ -481,6 +481,7 @@ describe('getInfrastructureFeatures', () => {
     const result = getInfrastructureFeatures(
       {
         [OLMAnnotation.InfrastructureFeatures]: '["tokenAuth"]',
+        [OLMAnnotation.TokenAuthAWS]: 'true',
       },
       { clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
     );
@@ -493,6 +494,7 @@ describe('getInfrastructureFeatures', () => {
     const result = getInfrastructureFeatures(
       {
         [OLMAnnotation.InfrastructureFeatures]: '["TokenAuth"]',
+        [OLMAnnotation.TokenAuthAWS]: 'true',
       },
       { clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
     );
@@ -505,6 +507,7 @@ describe('getInfrastructureFeatures', () => {
     const result = getInfrastructureFeatures(
       {
         [OLMAnnotation.InfrastructureFeatures]: '["tokenAuth"]',
+        [OLMAnnotation.TokenAuthAzure]: 'true',
       },
       { clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
     );
@@ -517,6 +520,7 @@ describe('getInfrastructureFeatures', () => {
     const result = getInfrastructureFeatures(
       {
         [OLMAnnotation.InfrastructureFeatures]: '["TokenAuth"]',
+        [OLMAnnotation.TokenAuthAzure]: 'true',
       },
       { clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
     );
@@ -615,6 +619,30 @@ describe('getInfrastructureFeatures', () => {
     });
     expect(result).toEqual([InfrastructureFeature.FIPSMode]);
   });
+  it(`excludes TokenAuth when token-auth-aws is explicitly false on AWS STS cluster`, () => {
+    const clusterIsAWSSTS = true;
+    const clusterIsAzureWIF = false;
+    const clusterIsGCPWIF = false;
+    const result = getInfrastructureFeatures(
+      {
+        [OLMAnnotation.TokenAuthAWS]: 'false',
+      },
+      { clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
+    );
+    expect(result).toEqual([]);
+  });
+  it(`excludes TokenAuth when token-auth-aws annotation is missing on AWS STS cluster`, () => {
+    const clusterIsAWSSTS = true;
+    const clusterIsAzureWIF = false;
+    const clusterIsGCPWIF = false;
+    const result = getInfrastructureFeatures(
+      {
+        [OLMAnnotation.Disconnected]: 'true',
+      },
+      { clusterIsAWSSTS, clusterIsAzureWIF, clusterIsGCPWIF },
+    );
+    expect(result).toEqual([InfrastructureFeature.Disconnected]);
+  });
   it(`returns empty array when ${OLMAnnotation.InfrastructureFeatures} is empty`, () => {
     const result = getInfrastructureFeatures({
       [OLMAnnotation.InfrastructureFeatures]: '[]',
diff --git a/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-utils.ts b/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-utils.ts
index 69f42114d15..3b3d5226664 100644
--- a/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-utils.ts
+++ b/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-utils.ts
@@ -222,9 +222,9 @@ export const getInfrastructureFeatures: AnnotationParser<
     onError,
   });
   const azureTokenAuthIsSupported =
-    clusterIsAzureWIF && annotations[OLMAnnotation.TokenAuthAzure] !== 'false';
+    clusterIsAzureWIF && annotations[OLMAnnotation.TokenAuthAzure] === 'true';
   const awsTokenAuthIsSupported =
-    clusterIsAWSSTS && annotations[OLMAnnotation.TokenAuthAWS] !== 'false';
+    clusterIsAWSSTS && annotations[OLMAnnotation.TokenAuthAWS] === 'true';
   return [...parsedInfrastructureFeatures, ...Object.keys(annotations ?? {})].reduce(
     (supportedFeatures, key) => {
       const feature = infrastructureFeatureMap[key];