
Conversation

@liouk
Member

@liouk liouk commented Oct 15, 2025

No description provided.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 15, 2025
@openshift-ci-robot
Contributor

openshift-ci-robot commented Oct 15, 2025

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from ibihim October 15, 2025 14:39
@coderabbitai

coderabbitai bot commented Oct 15, 2025

Walkthrough

Removed two static relatedObjects from the ClusterOperator manifest and made relatedObjects dynamic: the operator starter adds Route/oauth-openshift and Service/oauth-openshift in openshift-authentication only when OIDC is detected as unavailable; tests were updated to validate presence/absence accordingly.

Changes

Cohort / File(s) Summary of modifications
ClusterOperator manifest
manifests/08_clusteroperator.yaml
Removed two status.relatedObjects entries: the route.openshift.io route oauth-openshift and the Service oauth-openshift in openshift-authentication.
Operator starter logic
pkg/operator/starter.go
Added WithRelatedObjectsFunc that queries authConfigChecker.OIDCAvailable() and returns no related objects when OIDC is available (or on success), or returns two related objects (Route/oauth-openshift and Service/oauth-openshift in openshift-authentication) when OIDC is unavailable. Removed previous static related references and adjusted logging level for OIDC checks.
E2E tests
test/e2e-oidc/external_oidc_test.go
Added import for route/v1, implemented validateOAuthRelatedObjects to assert presence/absence of the two oauth-openshift related objects based on a requireMissing flag, and invoked it from validateOAuthState.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Pay attention to the runtime behavior of WithRelatedObjectsFunc and its error/logging semantics in pkg/operator/starter.go.
  • Verify test expectations and clusteroperator status parsing in test/e2e-oidc/external_oidc_test.go to ensure nondeterministic OIDC availability is handled reliably.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Description Check ❓ Inconclusive No pull request description was provided by the author. While the check is intentionally lenient and should only fail when the description is completely off-topic, an empty description provides no information to reviewers about the changeset's motivation or scope. The description check criteria cannot be conclusively evaluated when there is no description content present to assess for relatedness to the changeset. The author should provide a pull request description explaining the motivation and context for making OAuth-related objects dynamic based on OIDC availability. Even though verification comments in the PR objectives indicate the changes were tested and verified, a description would help future reviewers understand the reasoning behind the design decision and the expected behavior when OIDC is available versus unavailable.
✅ Passed checks (1 passed)
Check name Status Explanation
Title Check ✅ Passed The pull request title "CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status" clearly and accurately summarizes the main objective of the changeset. The changes demonstrate exactly this behavior: the PR removes static hardcoded relatedObjects entries from the manifest and replaces them with dynamic determination in the operator starter code based on OIDC availability. The title is specific, concise, and directly reflects the primary change from the developer's perspective.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 667ec70 and e612a85.

📒 Files selected for processing (3)
  • manifests/08_clusteroperator.yaml (0 hunks)
  • pkg/operator/starter.go (2 hunks)
  • test/e2e-oidc/external_oidc_test.go (3 hunks)
💤 Files with no reviewable changes (1)
  • manifests/08_clusteroperator.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/e2e-oidc/external_oidc_test.go
  • pkg/operator/starter.go

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 15, 2025
@liouk liouk changed the title CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status WIP: CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status Oct 15, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 15, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/operator/starter.go (1)

478-478: Clarify the comment - it states the opposite of what the code does.

The comment says "oauth-specific relatedObjects must not be defined when OIDC is not available", but the code actually defines them when OIDC is not available (lines 488-491) and omits them when OIDC is available (lines 484-486).

Apply this diff to fix the comment:

-		// oauth-specific relatedObjects must not be defined when OIDC is not available
+		// oauth-specific relatedObjects must be defined only when OIDC is not available

Or alternatively:

-		// oauth-specific relatedObjects must not be defined when OIDC is not available
+		// oauth-specific relatedObjects must not be defined when OIDC is available
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 215805c and 314fda7.

📒 Files selected for processing (2)
  • manifests/08_clusteroperator.yaml (0 hunks)
  • pkg/operator/starter.go (1 hunks)
💤 Files with no reviewable changes (1)
  • manifests/08_clusteroperator.yaml
🔇 Additional comments (1)
pkg/operator/starter.go (1)

481-486: Verify that returning no related objects on error is the desired behavior.

When OIDCAvailable() returns an error or when OIDC is available, the code returns (false, nil), which means no related objects are set. For the error case, confirm this is the intended behavior and that it won't cause issues if there's a transient error checking OIDC availability. The current approach is consistent with the oidcAvailable helper function (line 862) which also returns false on error, but it's worth verifying that the default/fallback behavior is appropriate.

@liouk liouk force-pushed the oauth-related-objects branch from 314fda7 to daafb9f Compare October 16, 2025 10:05

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 314fda7 and daafb9f.

📒 Files selected for processing (2)
  • manifests/08_clusteroperator.yaml (0 hunks)
  • pkg/operator/starter.go (1 hunks)
💤 Files with no reviewable changes (1)
  • manifests/08_clusteroperator.yaml
🔇 Additional comments (1)
pkg/operator/starter.go (1)

477-494: LGTM! Correct dynamic relatedObjects implementation.

The logic correctly sets oauth-openshift Route and Service as related objects only when OIDC is unavailable (Lines 488-491). When OIDC is available, these objects are appropriately omitted (Line 485). The error handling (Lines 481-483) safely returns no objects on failure, which is reasonable for non-critical status information.

Comment on lines 477 to 498
statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
	// oauth-specific relatedObjects must not be defined when OIDC is not available
	ss.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
		oidcAvailable, err := authConfigChecker.OIDCAvailable()
		if err != nil {
			klog.Infof("error while checking auth config to determine relatedObjects: %v", err)
			return false, nil
		} else if oidcAvailable {
			return true, nil
		}

		return true, []configv1.ObjectReference{
			{Group: routev1.GroupName, Resource: "routes", Name: "oauth-openshift", Namespace: "openshift-authentication"},
			{Resource: "services", Name: "oauth-openshift", Namespace: "openshift-authentication"},
		}
	})
	return ss
})


⚠️ Potential issue | 🟡 Minor

Fix the misleading comment.

The comment on Line 478 is incorrect and contradicts the implementation. It states "oauth-specific relatedObjects must not be defined when OIDC is not available", but the code does the opposite—it defines the oauth-specific objects when OIDC is not available (Lines 488-491), which is the correct behavior.

The logic is sound: when OIDC is unavailable, OAuth resources are in use and should be listed as related objects. When OIDC is available, OAuth resources are not needed and should not be listed.

Apply this diff to clarify the comment:

-	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
-		// oauth-specific relatedObjects must not be defined when OIDC is not available
+	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
+		// oauth-specific relatedObjects should only be defined when OIDC is not available (i.e., when OAuth is in use)
 		ss.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
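Review bot: the replacement comment documents the two success paths but says nothing about the error path directly beneath it, where `return false, nil` deliberately reports isset=false rather than an empty list. That is the case a future reader is most likely to misread (it looks like "no objects" but means "no opinion this sync"), so extend the comment to state it, e.g. "on a checker error nothing is contributed (isset=false) and the previous status is left to the syncer".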

Additionally, consider using klog.Warningf instead of klog.Infof on Line 482, since encountering an error while determining related objects is an abnormal condition worth highlighting.

 			oidcAvailable, err := authConfigChecker.OIDCAvailable()
 			if err != nil {
-				klog.Infof("error while checking auth config to determine relatedObjects: %v", err)
+				klog.Warningf("error while checking auth config to determine relatedObjects: %v", err)
 				return false, nil
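Review bot: raising the log level is the smaller concern on this path; the visible `return false, nil` means that while `OIDCAvailable()` keeps failing on a cluster that is still in OAuth mode, the oauth-openshift Route and Service stop being contributed to relatedObjects until a later sync succeeds. If that flip is not acceptable for must-gather consumers, consider remembering the last successful answer and returning it on error, and log with klog.Errorf since a failed auth-config lookup in the operator is an error condition, not a warning.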
🤖 Prompt for AI Agents
In pkg/operator/starter.go around lines 477 to 494, the inline comment is
misleading (it says oauth-specific relatedObjects must not be defined when OIDC
is not available) but the code correctly defines oauth-related objects when OIDC
is not available; update the comment to accurately state that we list OAuth
resources as relatedObjects when OIDC is unavailable, and change the klog.Infof
call on the error path to klog.Warningf to better surface an abnormal condition
when checking OIDC availability.

@liouk liouk force-pushed the oauth-related-objects branch 2 times, most recently from 8d37f95 to 667ec70 Compare October 16, 2025 10:24
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 21, 2025
@liouk liouk force-pushed the oauth-related-objects branch from 667ec70 to be1d638 Compare October 23, 2025 09:03
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 23, 2025
@liouk liouk changed the title WIP: CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status CNTRLPLANE-947: operator: set oauth-specific relatedObjects dynamically in the operator status Oct 23, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 23, 2025
s.WithRelatedObjectsFunc(func() (isset bool, objs []configv1.ObjectReference) {
	oidcAvailable, err := authConfigChecker.OIDCAvailable()
	if err != nil {
		klog.Infof("error while checking auth config to determine relatedObjects: %v", err)
Contributor


log as an error?

Member Author


fixed in latest commit 👍

@xingxingxia
Contributor

xingxingxia commented Oct 25, 2025

Pre-merge tested this and PR #801 together within the cluster-bot payload build 4.21.0-0.nightly-2025-10-24-233040,openshift/cluster-authentication-operator#800,openshift/cluster-authentication-operator#801. In the fresh env, the OAuth route and service are shown, as before:

$ oc get co authentication -o yaml
...
  relatedObjects:
  - group: route.openshift.io
    name: oauth-openshift
    namespace: openshift-authentication
    resource: routes
  - group: ""
    name: oauth-openshift
    namespace: openshift-authentication
    resource: services
...

After configuring external oidc auth, the OAuth route and service are not shown anymore:

$ oc get co authentication -o yaml
...
  relatedObjects:
  - group: operator.openshift.io
    name: cluster
    resource: authentications
  - group: config.openshift.io
    name: cluster
    resource: authentications
  - group: config.openshift.io
    name: cluster
    resource: infrastructures
  - group: config.openshift.io
    name: cluster
    resource: oauths
  - group: ""
    name: openshift-config
    resource: namespaces
  - group: ""
    name: openshift-config-managed
    resource: namespaces
  - group: ""
    name: openshift-authentication
    resource: namespaces
  - group: ""
    name: openshift-authentication-operator
    resource: namespaces
  - group: ""
    name: openshift-ingress
    resource: namespaces
  - group: ""
    name: openshift-oauth-apiserver
    resource: namespaces
  versions:
  - name: operator
    version: 4.21.0-0-2025-10-25-075734-test-ci-ln-2cc4w02-latest
...

Also checked rolling back to IDP: after rolling back, above OAuth route and service are shown again.

/verified by @xingxingxia
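The three outcomes exercised above (OAuth/IDP mode, external OIDC mode, and the checker error path the review discussed) can be reproduced offline. The following is an added example written for this page, not code from cluster-authentication-operator or library-go. It assumes: a local ObjectReference struct standing in for configv1.ObjectReference (same four fields); that the StatusSyncer keeps the manifest's static relatedObjects and appends the dynamic ones only when isset is true (inferred from the verified `oc get co authentication` output, not read from library-go); a hypothetical fakeChecker; and a constructed subset of the static manifest entries.

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectReference is a stand-in for configv1.ObjectReference (openshift/api),
// same four fields, so the example needs only the standard library.
type ObjectReference struct {
	Group     string
	Resource  string
	Namespace string
	Name      string
}

// RelatedObjectsFunc mirrors the contract of StatusSyncer.WithRelatedObjectsFunc:
// isset=false means "nothing to contribute this sync"; isset=true means "use objs",
// even when objs is empty.
type RelatedObjectsFunc func() (isset bool, objs []ObjectReference)

// AuthConfigChecker is the narrow interface the operator's func depends on.
type AuthConfigChecker interface {
	OIDCAvailable() (bool, error)
}

// The two entries the PR removed from manifests/08_clusteroperator.yaml.
var oauthRelatedObjects = []ObjectReference{
	{Group: "route.openshift.io", Resource: "routes", Namespace: "openshift-authentication", Name: "oauth-openshift"},
	{Group: "", Resource: "services", Namespace: "openshift-authentication", Name: "oauth-openshift"},
}

// Constructed subset of the static relatedObjects the manifest still carries.
var staticRelatedObjects = []ObjectReference{
	{Group: "config.openshift.io", Resource: "authentications", Name: "cluster"},
	{Group: "config.openshift.io", Resource: "oauths", Name: "cluster"},
	{Group: "", Resource: "namespaces", Name: "openshift-authentication"},
}

// NewOAuthRelatedObjectsFunc reproduces the PR's decision: contribute the
// oauth-openshift Route and Service only while OIDC is NOT available.
// A checker error yields (false, nil), exactly as in the snippet under review.
func NewOAuthRelatedObjectsFunc(checker AuthConfigChecker, logf func(string, ...any)) RelatedObjectsFunc {
	return func() (bool, []ObjectReference) {
		oidcAvailable, err := checker.OIDCAvailable()
		if err != nil {
			logf("error while checking auth config to determine relatedObjects: %v", err)
			return false, nil
		}
		if oidcAvailable {
			return true, nil
		}
		return true, append([]ObjectReference(nil), oauthRelatedObjects...)
	}
}

// MergeRelatedObjects models one StatusSyncer sync. Assumption: static entries
// first, dynamic entries appended only when isset is true.
func MergeRelatedObjects(static []ObjectReference, dynamic RelatedObjectsFunc) []ObjectReference {
	out := append([]ObjectReference(nil), static...)
	if dynamic != nil {
		if isset, objs := dynamic(); isset {
			out = append(out, objs...)
		}
	}
	return out
}

// ValidateOAuthRelatedObjects is the e2e-style check: with requireMissing both
// oauth-openshift references must be absent, otherwise both must be present.
func ValidateOAuthRelatedObjects(objs []ObjectReference, requireMissing bool) error {
	for _, want := range oauthRelatedObjects {
		found := false
		for _, got := range objs {
			if got == want {
				found = true
				break
			}
		}
		if found && requireMissing {
			return fmt.Errorf("unexpected related object %s/%s in %s", want.Resource, want.Name, want.Namespace)
		}
		if !found && !requireMissing {
			return fmt.Errorf("missing related object %s/%s in %s", want.Resource, want.Name, want.Namespace)
		}
	}
	return nil
}

// fakeChecker (hypothetical) drives the three cases: OAuth mode, OIDC mode, lookup error.
type fakeChecker struct {
	oidc bool
	err  error
}

func (f fakeChecker) OIDCAvailable() (bool, error) { return f.oidc, f.err }

// RelatedObjectsFor wires a checker into the func and performs one sync.
func RelatedObjectsFor(checker AuthConfigChecker) []ObjectReference {
	logf := func(format string, args ...any) { fmt.Println("W " + fmt.Sprintf(format, args...)) }
	return MergeRelatedObjects(staticRelatedObjects, NewOAuthRelatedObjectsFunc(checker, logf))
}

func main() {
	cases := []struct {
		name    string
		checker fakeChecker
	}{
		{"oauth (IDP) mode", fakeChecker{oidc: false}},
		{"external OIDC mode", fakeChecker{oidc: true}},
		{"checker error", fakeChecker{err: errors.New("authentications.config.openshift.io lookup failed")}},
	}
	for _, c := range cases {
		objs := RelatedObjectsFor(c.checker)
		fmt.Printf("%-20s %d relatedObjects, oauth objects present: %v\n",
			c.name, len(objs), ValidateOAuthRelatedObjects(objs, false) == nil)
	}
}
```

Running it shows the behaviour the verification comment observed: the OAuth-mode sync lists the static entries plus the Route and Service, the OIDC-mode sync lists only the static entries, and the error case ends up with the same list as OIDC mode even though the func returned isset=false rather than an empty set. That last point is why the error path matters for clusters still on OAuth: a transient lookup failure makes the status look like OIDC mode until the next successful sync.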

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Oct 25, 2025
@openshift-ci-robot
Contributor

@xingxingxia: This PR has been marked as verified by @xingxingxia.


@liouk liouk force-pushed the oauth-related-objects branch from be1d638 to e612a85 Compare November 3, 2025 08:46
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Nov 3, 2025
@liouk
Member Author

liouk commented Nov 3, 2025

Latest push changes only log-level; no changes to verification.

/verified by @xingxingxia

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 3, 2025
@openshift-ci-robot
Contributor

@liouk: This PR has been marked as verified by @xingxingxia.


@openshift-ci
Contributor

openshift-ci bot commented Nov 3, 2025

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/test-operator-integration e612a85 link false /test test-operator-integration
ci/prow/okd-scos-e2e-aws-ovn e612a85 link false /test okd-scos-e2e-aws-ovn


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@everettraven
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 4, 2025
@openshift-ci
Contributor

openshift-ci bot commented Nov 4, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven, liouk


@openshift-merge-bot openshift-merge-bot bot merged commit 9bb2c48 into openshift:master Nov 4, 2025
14 of 16 checks passed
Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria
