CNTRLPLANE-311: adding auth config missing fields to API #2487

ShazaAldawamneh · 2025-09-19T10:24:44Z

No description provided.

openshift-ci · 2025-09-19T10:24:49Z

Hello @ShazaAldawamneh! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

openshift-ci-robot · 2025-09-19T10:25:07Z

@ShazaAldawamneh: This pull request references CNTRLPLANE-311 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml

config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml

config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml

config/v1/types_authentication.go

config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml

config/v1/types_authentication.go

features/features.go

everettraven · 2025-10-01T13:37:40Z

/assign

everettraven

For all of the CEL expression fields, can we also get a PR up against openshift/kubernetes similar to openshift/kubernetes#2353 to show that we are going to be adding admission time validation for the newly added CEL expression fields?

config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml

config/v1/types_authentication.go

Signed-off-by: Shaza Aldawamneh <[email protected]>

openshift-ci · 2025-11-03T14:55:38Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from everettraven. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2025-11-03T19:03:46Z

@ShazaAldawamneh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/minor-e2e-upgrade-minor	`f854a3d`	link	true	`/test minor-e2e-upgrade-minor`
ci/prow/integration	`f854a3d`	link	true	`/test integration`
ci/prow/verify	`f854a3d`	link	true	`/test verify`
ci/prow/okd-scos-e2e-aws-ovn	`f854a3d`	link	false	`/test okd-scos-e2e-aws-ovn`
ci/prow/verify-crd-schema	`f854a3d`	link	true	`/test verify-crd-schema`
ci/prow/lint	`f854a3d`	link	true	`/test lint`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

everettraven · 2025-11-04T15:44:14Z

config/v1/types_authentication.go

+	// See https://kubernetes.io/docs/reference/using-api/cel/ for CEL syntax.
+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:XValidation:rule="self.size() == 0 || <feature-gate-enabled-check>",message="user validation rules are not supported when StructuredAuthenticationConfiguration feature gate is disabled"


Suggested change

// +kubebuilder:validation:XValidation:rule="self.size() == 0 || <feature-gate-enabled-check>",message="user validation rules are not supported when StructuredAuthenticationConfiguration feature gate is disabled"

everettraven · 2025-11-04T15:46:31Z

config/v1/types_authentication.go

+	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:XValidation:rule="self.size() == 0 || <feature-gate-enabled-check>",message="user validation rules are not supported when StructuredAuthenticationConfiguration feature gate is disabled"
+	// +kubebuilder:validation:XValidation:rule="self.all(x, x.expression.size() > 0)",message="each expression must be non-empty"


Expression is already required with a minimum length of 1, meaning it cannot be empty. That should be sufficient enforcement here, no need for this CEL check as well.

everettraven · 2025-11-04T16:02:45Z

config/v1/types_authentication.go

+	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:XValidation:rule="self.size() == 0 || <feature-gate-enabled-check>",message="user validation rules are not supported when StructuredAuthenticationConfiguration feature gate is disabled"
+	// +kubebuilder:validation:XValidation:rule="self.all(x, x.expression.size() > 0)",message="each expression must be non-empty"
+	// +kubebuilder:validation:XValidation:rule="self.map(x, x.expression).countDistinct() == self.size()",message="expressions must be unique"


I don't think countDistinct() is a real thing? Instead of an atomic list, we should probably make this a listType=map and set the listMapKey=expression so that it keys uniqueness of the list on that value.

everettraven · 2025-11-04T17:34:30Z

config/v1/types_authentication.go

+	// +kubebuilder:validation:XValidation:rule="self.size() > 0 ? isURL(self) : true",message="discoveryURL must be a valid URL"
+	// +kubebuilder:validation:XValidation:rule="self.size() > 0 ? (isURL(self) && url(self).getScheme() == 'https') : true",message="discoveryURL must be a valid https URL"
+	// +kubebuilder:validation:XValidation:rule="self.size() > 0 ? url(self).getQuery().size() == 0 : true",message="discoveryURL must not contain query parameters"


I don't think we actually need the self.size() > 0 on all of these?

everettraven · 2025-11-04T17:35:08Z

config/v1/types_authentication.go

-// +enum
+// TokenValidationRuleType defines the type of token validation rule.
+//
+// +kubebuilder:validation:Type=string


Keep the +enum marker, remove this one please.

everettraven · 2025-11-05T12:47:22Z

config/v1/types_authentication.go

+	//
+	// +optional
+	// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+	ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"`


When using a discriminated union, the discriminant (in this case the type field) and the required to be set must match in naming. Because the type option that corresponds to this field is Expression, this field should be named expression:

Suggested change

ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"`

Expression *TokenExpressionRule `json:"expression,omitempty"`

everettraven · 2025-11-05T12:47:48Z

config/v1/types_authentication.go

 }

 type TokenRequiredClaim struct {
-	// claim is a required field that configures the name of the required claim.


Not sure I understand why this line is being removed.

everettraven · 2025-11-05T12:48:01Z

config/v1/types_authentication.go

 	// When taken from the JWT claims, claim must be a string value.
 	//
 	// claim must not be an empty string ("").
-	//


Also not sure why this line is getting changed.

everettraven · 2025-11-05T12:50:02Z

config/v1/types_authentication.go

+	// when a token fails validation based on the CEL expression defined in 'Expression'.
+	// This field is optional. If provided, the message must be at least 1 character long
+	// and cannot exceed 256 characters. This message is logged and not returned to the caller.
+


Remove the empty spacing here please.

Spacing is OK as long as it is a continuation of the comment block.

For example:

// This is a comment block. // // With a valid separation.

is OK.

// This is a comment block. // With an invalid separation.

is not.

config/v1/types_authentication.go

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 19, 2025

ShazaAldawamneh changed the title ~~[WIP]: adding auth config missing fields to API~~ [WIP]: CNTRLPLANE-311: adding auth config missing fields to API Sep 19, 2025

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Sep 19, 2025

openshift-ci bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 19, 2025

openshift-ci bot requested review from JoelSpeed and everettraven September 19, 2025 10:25

everettraven reviewed Sep 19, 2025

View reviewed changes

everettraven reviewed Sep 23, 2025

View reviewed changes

config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithNewAuthConfigFields.yaml Outdated Show resolved Hide resolved

everettraven reviewed Sep 29, 2025

View reviewed changes

config/v1/types_authentication.go Outdated Show resolved Hide resolved

everettraven reviewed Sep 29, 2025

View reviewed changes

config/v1/types_authentication.go Outdated Show resolved Hide resolved

everettraven reviewed Sep 29, 2025

View reviewed changes

features/features.go Outdated Show resolved Hide resolved

ShazaAldawamneh changed the title ~~[WIP]: CNTRLPLANE-311: adding auth config missing fields to API~~ CNTRLPLANE-311: adding auth config missing fields to API Oct 1, 2025

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 1, 2025

openshift-ci bot assigned everettraven Oct 1, 2025

everettraven reviewed Oct 1, 2025

View reviewed changes

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 1, 2025

everettraven reviewed Oct 6, 2025

View reviewed changes

config/v1/types_authentication.go Outdated Show resolved Hide resolved

adding auth config missing fields

f854a3d

Signed-off-by: Shaza Aldawamneh <[email protected]>

ShazaAldawamneh force-pushed the CNTRLPLANE-311-2 branch from 582db23 to f854a3d Compare November 3, 2025 14:54

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 3, 2025

everettraven reviewed Nov 5, 2025

View reviewed changes

	ExpressionRule *TokenExpressionRule `json:"expressionRule,omitempty"`
	Expression *TokenExpressionRule `json:"expression,omitempty"`

CNTRLPLANE-311: adding auth config missing fields to API #2487

Are you sure you want to change the base?

CNTRLPLANE-311: adding auth config missing fields to API #2487

Conversation

ShazaAldawamneh commented Sep 19, 2025

Uh oh!

openshift-ci bot commented Sep 19, 2025

Uh oh!

openshift-ci-robot commented Sep 19, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

everettraven commented Oct 1, 2025

Uh oh!

everettraven left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

openshift-ci bot commented Nov 3, 2025

Uh oh!

openshift-ci bot commented Nov 3, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

openshift-ci-robot commented Sep 19, 2025 •

edited by openshift-ci bot

Loading