operator: set oauth-specific relatedObjects dynamically in the operator status

liouk · liouk · commit 8d37f9594b3a · 2025-10-16T12:24:09.000+02:00
diff --git a/manifests/08_clusteroperator.yaml b/manifests/08_clusteroperator.yaml
@@ -20,14 +20,6 @@ status:
     - group: config.openshift.io
       name: cluster
       resource: oauths
-    - group: route.openshift.io
-      name: oauth-openshift
-      namespace: openshift-authentication
-      resource: routes
-    - group: ""
-      name: oauth-openshift
-      namespace: openshift-authentication
-      resource: services
     - group: ""
       name: openshift-config
       resource: namespaces
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -474,6 +474,25 @@ func prepareOauthAPIServerOperator(
 		statusControllerOptions = append(statusControllerOptions, apiservercontrollerset.WithStatusControllerPdbCompatibleHighInertia("(APIServer|OAuthServer)"))
 	}
 
+	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
+		// oauth-specific relatedObjects must not be defined when OIDC is not available
+		ss.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
+			oidcAvailable, err := authConfigChecker.OIDCAvailable()
+			if err != nil {
+				klog.Infof("error while checking auth config to determine relatedObjects: %v", err)
+				return false, nil
+			} else if oidcAvailable {
+				return true, nil
+			}
+
+			return true, []configv1.ObjectReference{
+				{Group: routev1.GroupName, Resource: "routes", Name: "oauth-openshift", Namespace: "openshift-authentication"},
+				{Resource: "services", Name: "oauth-openshift", Namespace: "openshift-authentication"},
+			}
+		})
+		return ss
+	})
+
 	const apiServerConditionsPrefix = "APIServer"
 
 	apiServerControllers, err := apiservercontrollerset.NewAPIServerControllerSet(
@@ -617,8 +636,6 @@ func prepareOauthAPIServerOperator(
 				{Group: configv1.GroupName, Resource: "authentications", Name: "cluster"},
 				{Group: configv1.GroupName, Resource: "infrastructures", Name: "cluster"},
 				{Group: configv1.GroupName, Resource: "oauths", Name: "cluster"},
-				{Group: routev1.GroupName, Resource: "routes", Name: "oauth-openshift", Namespace: "openshift-authentication"},
-				{Resource: "services", Name: "oauth-openshift", Namespace: "openshift-authentication"},
 				{Resource: "namespaces", Name: "openshift-config"},
 				{Resource: "namespaces", Name: "openshift-config-managed"},
 				{Resource: "namespaces", Name: "openshift-authentication"},
diff --git a/test/e2e-oidc/external_oidc_test.go b/test/e2e-oidc/external_oidc_test.go
@@ -17,6 +17,7 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/api/features"
 	operatorv1 "github.com/openshift/api/operator/v1"
+	routev1 "github.com/openshift/api/route/v1"
 	configclient "github.com/openshift/client-go/config/clientset/versioned"
 	oauthclient "github.com/openshift/client-go/oauth/clientset/versioned"
 	operatorversionedclient "github.com/openshift/client-go/operator/clientset/versioned"
@@ -727,6 +728,7 @@ func (tc *testClient) validateOAuthState(t *testing.T, ctx context.Context, requ
 		validationErrs = append(validationErrs, validateOAuthResources(ctx, dynamicClient, requireMissing)...)
 		validationErrs = append(validationErrs, validateOAuthRoutes(ctx, tc.routeClient, tc.configClient, requireMissing)...)
 		validationErrs = append(validationErrs, validateOAuthControllerConditions(tc.operatorClient, requireMissing)...)
+		validationErrs = append(validationErrs, validateOAuthRelatedObjects(requireMissing)...)
 		return len(validationErrs) == 0, nil
 	})
 
@@ -872,6 +874,42 @@ func validateOAuthControllerConditions(operatorClient v1helpers.OperatorClient,
 	return nil
 }
 
+func validateOAuthRelatedObjects(ctx context.Context, configClient *configclient.Clientset, requireMissing bool) []error {
+	co, err := configClient.ConfigV1().ClusterOperators().Get(ctx, "authentication", metav1.GetOptions{})
+	if err != nil {
+		return []error{err}
+	}
+
+	oauthRelatedObjects := []configv1.ObjectReference{
+		{Group: routev1.GroupName, Resource: "routes", Name: "oauth-openshift", Namespace: "openshift-authentication"},
+		{Resource: "services", Name: "oauth-openshift", Namespace: "openshift-authentication"},
+	}
+
+	errs := make([]error, 0)
+	for _, oauthObj := range oauthRelatedObjects {
+		found := false
+		for _, existingObj := range co.Status.RelatedObjects {
+			if oauthObj.Group == existingObj.Group &&
+				oauthObj.Resource == existingObj.Resource &&
+				oauthObj.Name == existingObj.Name &&
+				oauthObj.Namespace == existingObj.Namespace {
+				found = true
+				break
+			}
+		}
+
+		if requireMissing && found {
+			errs = append(errs, fmt.Errorf("oauth related object %s/%s %s/%s should be missing but was found in RelatedObjects",
+				oauthObj.Group, oauthObj.Resource, oauthObj.Namespace, oauthObj.Name))
+		} else if !requireMissing && !found {
+			errs = append(errs, fmt.Errorf("oauth related object %s/%s %s/%s should be present but was not found in RelatedObjects",
+				oauthObj.Group, oauthObj.Resource, oauthObj.Namespace, oauthObj.Name))
+		}
+	}
+
+	return errs
+}
+
 func (tc *testClient) testOIDCAuthentication(t *testing.T, ctx context.Context, kcClient *test.KeycloakClient, usernameClaim, usernamePrefix string, expectAuthSuccess bool) {
 	// re-authenticate to ensure we always have a fresh token
 	var err error
