openshift · liouk · Oct 16, 2025 · Nov 3, 2025 · everettraven · Oct 24, 2025
diff --git a/pkg/controllers/common/external_oidc.go b/pkg/controllers/common/external_oidc.go
@@ -67,13 +67,26 @@ func (c *AuthConfigChecker) OIDCAvailable() (bool, error) {
 		return false, fmt.Errorf("getting kubeapiservers.operator.openshift.io/cluster: %v", err)
 	}
 
+	if len(kas.Status.NodeStatuses) == 0 {
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; no node statuses found")
+	}
+
 	observedRevisions := sets.New[int32]()
+	nodesWithEmptyRevision := false
 	for _, nodeStatus := range kas.Status.NodeStatuses {
-		observedRevisions.Insert(nodeStatus.CurrentRevision)
+		if nodeStatus.CurrentRevision > 0 {
+			observedRevisions.Insert(nodeStatus.CurrentRevision)
+		} else {
+			nodesWithEmptyRevision = true
+		}
+	}
+
+	if nodesWithEmptyRevision {
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; some nodes do not have a valid CurrentRevision")
-	nodesWithEmptyRevision := false
-	for _, nodeStatus := range kas.Status.NodeStatuses {
-		observedRevisions.Insert(nodeStatus.CurrentRevision)
-		if nodeStatus.CurrentRevision > 0 {
-			observedRevisions.Insert(nodeStatus.CurrentRevision)
-		} else {
-			nodesWithEmptyRevision = true
-		}
-	}
-
-	if nodesWithEmptyRevision {
-		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; some nodes do not have a valid CurrentRevision")
+for _, nodeStatus := range kas.Status.NodeStatuses {
+		if nodeStatus.CurrentRevision <= 0 {
+			return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; some nodes do not have a valid CurrentRevision")
+		} 
+		
+		observedRevisions.Insert(nodeStatus.CurrentRevision)
+	}
-	nodesWithEmptyRevision := false
-	for _, nodeStatus := range kas.Status.NodeStatuses {
-		observedRevisions.Insert(nodeStatus.CurrentRevision)
-		if nodeStatus.CurrentRevision > 0 {
-			observedRevisions.Insert(nodeStatus.CurrentRevision)
-		} else {
-			nodesWithEmptyRevision = true
-		}
-	}
-
-	if nodesWithEmptyRevision {
-		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; some nodes do not have a valid CurrentRevision")
+for _, nodeStatus := range kas.Status.NodeStatuses {
+		if nodeStatus.CurrentRevision <= 0 {
+			return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; some nodes do not have a valid CurrentRevision")
+		} 
+		
+		observedRevisions.Insert(nodeStatus.CurrentRevision)
+	}
 	}
 
 	if observedRevisions.Len() == 0 {
-		return false, nil
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; no observed revisions found")
 	}
 
 	for _, revision := range observedRevisions.UnsortedList() {

diff --git a/pkg/controllers/common/external_oidc_test.go b/pkg/controllers/common/external_oidc_test.go
@@ -32,7 +32,29 @@ func TestExternalOIDCConfigAvailable(t *testing.T) {
 			name:            "no node statuses observed",
 			authType:        configv1.AuthenticationTypeOIDC,
 			expectAvailable: false,
-			expectError:     false,
+			expectError:     true,
+		},
+		{
+			name:     "some node revisions are zero",
+			authType: configv1.AuthenticationTypeOIDC,
+			nodeStatuses: []operatorv1.NodeStatus{
+				{CurrentRevision: 10},
+				{CurrentRevision: 10},
+				{CurrentRevision: 0},
+			},
+			expectAvailable: false,
+			expectError:     true,
+		},
+		{
+			name:     "node revisions are zero",
+			authType: configv1.AuthenticationTypeOIDC,
+			nodeStatuses: []operatorv1.NodeStatus{
+				{CurrentRevision: 0},
+				{CurrentRevision: 0},
+				{CurrentRevision: 0},
+			},
+			expectAvailable: false,
+			expectError:     true,
 		},
 		{
 			name:       "oidc disabled, no rollout",