Conversation

@liouk
Member

@liouk liouk commented Oct 15, 2025

No description provided.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 15, 2025
@openshift-ci-robot
Contributor

openshift-ci-robot commented Oct 15, 2025

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from ibihim October 15, 2025 14:39
@openshift-ci
Contributor

openshift-ci bot commented Oct 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai bot commented Oct 15, 2025

Walkthrough

Removed two static relatedObjects from the ClusterOperator manifest and made relatedObjects conditional in the operator starter: the starter now adds Route/oauth-openshift and Service/oauth-openshift in openshift-authentication only when OIDC is detected as unavailable; otherwise it leaves them out. Tests updated to validate this.

Changes

Cohort / File(s) | Summary of modifications

ClusterOperator manifest (manifests/08_clusteroperator.yaml)
    Removed two status.relatedObjects entries: the route.openshift.io route oauth-openshift and the Service oauth-openshift in openshift-authentication.

Operator starter logic (pkg/operator/starter.go)
    Added a WithRelatedObjectsFunc customization that calls authConfigChecker.OIDCAvailable() and: on error or when OIDC is available, returns no related objects; when OIDC is unavailable, returns two related objects (Route/oauth-openshift and Service/oauth-openshift in openshift-authentication). Removed static related references.

E2E tests (test/e2e-oidc/external_oidc_test.go)
    Added import for route/v1, new helper validateOAuthRelatedObjects to assert presence/absence of the two oauth-openshift related objects per requireMissing flag, and wired it into validateOAuthState.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Title Check | ✅ Passed | The pull request title "operator: set oauth-specific relatedObjects dynamically in the operator status" accurately describes the main objective of the changeset. The PR modifies the operator to dynamically manage OAuth-related objects based on OIDC availability, rather than having them statically defined in manifests. This is evidenced by the removal of static relatedObjects entries from the manifest and the addition of dynamic logic in pkg/operator/starter.go that conditionally includes or excludes these objects based on OIDC availability. The title is concise, clear, and directly reflects the primary change without unnecessary noise.
Description Check | ✅ Passed | No pull request description was provided by the author. While a description would have been helpful for providing additional context about the motivation and implementation details behind the dynamic relatedObjects logic, the absence of a description is not actively misleading or off-topic. The check is explicitly lenient and only fails when the description is completely unrelated to the changeset; an empty description does not meet this failure criterion since it contains no off-topic content.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between daafb9f and 667ec70.

📒 Files selected for processing (3)
  • manifests/08_clusteroperator.yaml (0 hunks)
  • pkg/operator/starter.go (1 hunks)
  • test/e2e-oidc/external_oidc_test.go (3 hunks)
💤 Files with no reviewable changes (1)
  • manifests/08_clusteroperator.yaml
🔇 Additional comments (3)
test/e2e-oidc/external_oidc_test.go (3)

20-20: LGTM: Import addition is appropriate.

The route API import is needed for referencing the route group name in the new validation function.


731-731: LGTM: Integration into validation sequence is correct.

The function is appropriately called within the polling loop for eventual consistency, and the requireMissing parameter is correctly propagated.


877-911: LGTM: Validation function is well-implemented.

The function correctly validates the presence or absence of OAuth-related objects in the ClusterOperator status based on the requireMissing flag. The field comparison logic (Group, Resource, Name, Namespace) is comprehensive, and error messages are descriptive.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 15, 2025
@liouk liouk changed the title CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status WIP: CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status Oct 15, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 15, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/operator/starter.go (1)

478-478: Clarify the comment - it states the opposite of what the code does.

The comment says "oauth-specific relatedObjects must not be defined when OIDC is not available", but the code actually defines them when OIDC is not available (lines 488-491) and omits them when OIDC is available (lines 484-486).

Apply this diff to fix the comment:

-		// oauth-specific relatedObjects must not be defined when OIDC is not available
+		// oauth-specific relatedObjects must be defined only when OIDC is not available

Or alternatively:

-		// oauth-specific relatedObjects must not be defined when OIDC is not available
+		// oauth-specific relatedObjects must not be defined when OIDC is available
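Review bot: both proposed wordings describe only the two non-error outcomes; the `if err != nil` branch in the snippet returns `false, nil` (isset left unset) rather than `true, nil`, so the comment should name that third case as well, e.g. `// on error leave relatedObjects unset; omit the oauth Route/Service when OIDC is available, list them otherwise`.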
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 215805c and 314fda7.

📒 Files selected for processing (2)
  • manifests/08_clusteroperator.yaml (0 hunks)
  • pkg/operator/starter.go (1 hunks)
💤 Files with no reviewable changes (1)
  • manifests/08_clusteroperator.yaml
🔇 Additional comments (1)
pkg/operator/starter.go (1)

481-486: Verify that returning no related objects on error is the desired behavior.

When OIDCAvailable() returns an error or when OIDC is available, the code returns (false, nil), which means no related objects are set. For the error case, confirm this is the intended behavior and that it won't cause issues if there's a transient error checking OIDC availability. The current approach is consistent with the oidcAvailable helper function (line 862) which also returns false on error, but it's worth verifying that the default/fallback behavior is appropriate.

@liouk liouk force-pushed the oauth-related-objects branch from 314fda7 to daafb9f Compare October 16, 2025 10:05

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 314fda7 and daafb9f.

📒 Files selected for processing (2)
  • manifests/08_clusteroperator.yaml (0 hunks)
  • pkg/operator/starter.go (1 hunks)
💤 Files with no reviewable changes (1)
  • manifests/08_clusteroperator.yaml
🔇 Additional comments (1)
pkg/operator/starter.go (1)

477-494: LGTM! Correct dynamic relatedObjects implementation.

The logic correctly sets oauth-openshift Route and Service as related objects only when OIDC is unavailable (Lines 488-491). When OIDC is available, these objects are appropriately omitted (Line 485). The error handling (Lines 481-483) safely returns no objects on failure, which is reasonable for non-critical status information.

Comment on lines 477 to 498
	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
		// oauth-specific relatedObjects must not be defined when OIDC is not available
		ss.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
			oidcAvailable, err := authConfigChecker.OIDCAvailable()
			if err != nil {
				klog.Infof("error while checking auth config to determine relatedObjects: %v", err)
				return false, nil
			} else if oidcAvailable {
				return true, nil
			}

			return true, []configv1.ObjectReference{
				{Group: routev1.GroupName, Resource: "routes", Name: "oauth-openshift", Namespace: "openshift-authentication"},
				{Resource: "services", Name: "oauth-openshift", Namespace: "openshift-authentication"},
			}
		})
		return ss
	})

⚠️ Potential issue | 🟡 Minor

Fix the misleading comment.

The comment on Line 478 is incorrect and contradicts the implementation. It states "oauth-specific relatedObjects must not be defined when OIDC is not available", but the code does the opposite—it defines the oauth-specific objects when OIDC is not available (Lines 488-491), which is the correct behavior.

The logic is sound: when OIDC is unavailable, OAuth resources are in use and should be listed as related objects. When OIDC is available, OAuth resources are not needed and should not be listed.

Apply this diff to clarify the comment:

-	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
-		// oauth-specific relatedObjects must not be defined when OIDC is not available
+	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
+		// oauth-specific relatedObjects should only be defined when OIDC is not available (i.e., when OAuth is in use)
 		ss.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
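Review bot: the first `-`/`+` pair in this hunk deletes and re-adds the unchanged `statusControllerOptions = append(...)` line; emit it as a context line so the hunk touches only the comment. The new wording is accurate for the two happy paths but still does not say that the error branch returns `false, nil` rather than an explicit empty list, which is the one case a reader of the status is most likely to wonder about.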

Additionally, consider using klog.Warningf instead of klog.Infof on Line 482, since encountering an error while determining related objects is an abnormal condition worth highlighting.

 			oidcAvailable, err := authConfigChecker.OIDCAvailable()
 			if err != nil {
-				klog.Infof("error while checking auth config to determine relatedObjects: %v", err)
+				klog.Warningf("error while checking auth config to determine relatedObjects: %v", err)
 				return false, nil
Suggested change
	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
		// oauth-specific relatedObjects should only be defined when OIDC is not available (i.e., when OAuth is in use)
		ss.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
			oidcAvailable, err := authConfigChecker.OIDCAvailable()
			if err != nil {
				klog.Warningf("error while checking auth config to determine relatedObjects: %v", err)
				return false, nil
			} else if oidcAvailable {
				return true, nil
			}
			return true, []configv1.ObjectReference{
				{Group: routev1.GroupName, Resource: "routes", Name: "oauth-openshift", Namespace: "openshift-authentication"},
				{Resource: "services", Name: "oauth-openshift", Namespace: "openshift-authentication"},
			}
		})
		return ss
	})
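To make the three outcomes of the closure under review concrete, here is an added Go example (not the operator's own code): it stands in a local ObjectReference for configv1.ObjectReference, takes OIDCAvailable as a plain func so it can be stubbed offline, and pairs the closure with a validator that follows the e2e helper's requireMissing contract (all four fields must match).

```go
package main

import "fmt"

// ObjectReference stands in for configv1.ObjectReference (assumption: only the four compared fields).
type ObjectReference struct {
	Group, Resource, Name, Namespace string
}

// oauthRelatedObjects are the two references the PR removed from the static manifest.
var oauthRelatedObjects = []ObjectReference{
	{Group: "route.openshift.io", Resource: "routes", Name: "oauth-openshift", Namespace: "openshift-authentication"},
	{Resource: "services", Name: "oauth-openshift", Namespace: "openshift-authentication"},
}

// OAuthRelatedObjects mirrors the closure given to WithRelatedObjectsFunc, with
// authConfigChecker.OIDCAvailable passed in as a plain func: error -> isset=false
// (nothing asserted), OIDC available -> explicit empty list, OIDC unavailable -> Route and Service.
func OAuthRelatedObjects(oidcAvailableFn func() (bool, error)) (isset bool, objs []ObjectReference) {
	oidcAvailable, err := oidcAvailableFn()
	if err != nil {
		fmt.Printf("warning: could not determine relatedObjects: %v\n", err)
		return false, nil
	}
	if oidcAvailable {
		return true, nil
	}
	return true, oauthRelatedObjects
}

func contains(status []ObjectReference, want ObjectReference) bool {
	for _, got := range status {
		if got == want { // all four fields must match, as in the e2e helper
			return true
		}
	}
	return false
}

// ValidateOAuthRelatedObjects applies the e2e helper's contract to a status list:
// with requireMissing both references must be absent, otherwise both must be present.
func ValidateOAuthRelatedObjects(status []ObjectReference, requireMissing bool) error {
	for _, want := range oauthRelatedObjects {
		found := contains(status, want)
		if requireMissing && found {
			return fmt.Errorf("unexpected relatedObject %s/%s in %s", want.Resource, want.Name, want.Namespace)
		}
		if !requireMissing && !found {
			return fmt.Errorf("missing relatedObject %s/%s in %s", want.Resource, want.Name, want.Namespace)
		}
	}
	return nil
}

func main() {
	// constructed scenarios: OAuth in use, external OIDC configured, checker error
	for _, fn := range []func() (bool, error){
		func() (bool, error) { return false, nil },
		func() (bool, error) { return true, nil },
		func() (bool, error) { return false, fmt.Errorf("auth config lookup failed") },
	} {
		isset, objs := OAuthRelatedObjects(fn)
		fmt.Println("isset:", isset, "objs:", len(objs), "missingOK:", ValidateOAuthRelatedObjects(objs, true) == nil)
	}
}
```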

@liouk liouk force-pushed the oauth-related-objects branch 2 times, most recently from 8d37f95 to 667ec70 Compare October 16, 2025 10:24
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 21, 2025
@liouk liouk force-pushed the oauth-related-objects branch from 667ec70 to be1d638 Compare October 23, 2025 09:03
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 23, 2025
@liouk liouk changed the title WIP: CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status Oct 23, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 23, 2025
@openshift-ci
Contributor

openshift-ci bot commented Oct 23, 2025

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/test-operator-integration be1d638 link false /test test-operator-integration
ci/prow/okd-scos-e2e-aws-ovn be1d638 link false /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

		ss.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
			oidcAvailable, err := authConfigChecker.OIDCAvailable()
			if err != nil {
				klog.Infof("error while checking auth config to determine relatedObjects: %v", err)
Contributor


log as an error?

@xingxingxia
Contributor

xingxingxia commented Oct 25, 2025

Pre-merge tested this and PR #801 together within the cluster-bot payload build 4.21.0-0.nightly-2025-10-24-233040,openshift/cluster-authentication-operator#800,openshift/cluster-authentication-operator#801. In the fresh env, the OAuth route and service are shown, as before:

$ oc get co authentication -o yaml
...
  relatedObjects:
  - group: route.openshift.io
    name: oauth-openshift
    namespace: openshift-authentication
    resource: routes
  - group: ""
    name: oauth-openshift
    namespace: openshift-authentication
    resource: services
...

After configuring external oidc auth, the OAuth route and service are not shown anymore:

$ oc get co authentication -o yaml
...
  relatedObjects:
  - group: operator.openshift.io
    name: cluster
    resource: authentications
  - group: config.openshift.io
    name: cluster
    resource: authentications
  - group: config.openshift.io
    name: cluster
    resource: infrastructures
  - group: config.openshift.io
    name: cluster
    resource: oauths
  - group: ""
    name: openshift-config
    resource: namespaces
  - group: ""
    name: openshift-config-managed
    resource: namespaces
  - group: ""
    name: openshift-authentication
    resource: namespaces
  - group: ""
    name: openshift-authentication-operator
    resource: namespaces
  - group: ""
    name: openshift-ingress
    resource: namespaces
  - group: ""
    name: openshift-oauth-apiserver
    resource: namespaces
  versions:
  - name: operator
    version: 4.21.0-0-2025-10-25-075734-test-ci-ln-2cc4w02-latest
...

Also checked rolling back to IDP: after rolling back, the above OAuth route and service are shown again.

/verified by @xingxingxia

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Oct 25, 2025
@openshift-ci-robot
Contributor

@xingxingxia: This PR has been marked as verified by @xingxingxia.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
