OCPBUGS-56444: feat: Promote ExternalOIDCWithUIDAndExtraClaimMappings feature to GA for Hypershift

[everettraven]

What this PR does / why we need it:

Promotes the ExternalOIDCWithUIDAndExtraClaimMappings feature to GA.

Feature was added as TPNU in #6073

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[everettraven]

Depends on #5840 merging

/hold

[openshift-ci-robot]

@everettraven: This pull request explicitly references no jira issue.

In response to this:

What this PR does / why we need it:

Promotes the ExternalOIDCWithUIDAndExtraClaimMappings feature to GA.

Feature was added as TPNU in #5840

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[everettraven]

This feature gate promotion will not pass the standard feature gate promotion criteria but is being proposed for promotion due to a critical need for this feature in HyperShift.

Holding until we have the necessary discussions, with the appropriate stakeholders, to determine if the risks associated with promoting this feature to GA in HyperShift are acceptable.

This also should not merge until openshift/api#2274 has merged.

/hold

[xiuwang]

Pre-merge test the opening openshift/api#2274 , #6025 without techpreviewnoupgrade, no regression issue, and with byo oidc with uid and extra field function well.

[kevinrizza]

/retitle OCPBUGS-56444: Promote ExternalOIDCWithUIDAndExtraClaimMappings feature to GA for Hypershift

[everettraven]

/payload-job periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-external-oidc-techpreview

[openshift-ci]

@everettraven: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-external-oidc-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/3406d740-b993-11f0-914f-cee57448abf8-0

[everettraven]

/payload-job periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-external-oidc

[openshift-ci]

@everettraven: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-external-oidc

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/20541ff0-b9a2-11f0-8a7c-3e8a24cae93a-0

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

test/e2e/util/external_oidc.go (1)

44-50: Consider fixing the typo in the constant name.

Line 45 defines ExternalOIDCUIDExpressionSubfix but the correct spelling is "Suffix" not "Subfix". Since this feature is being promoted to GA, this would be an appropriate time to correct the typo before broader adoption.

Apply this diff to fix the typo:

-	ExternalOIDCUIDExpressionSubfix        = "-uidtest"
+	ExternalOIDCUIDExpressionSuffix        = "-uidtest"

And update the usage on line 132:

-		Expression: fmt.Sprintf(`"%s" + claims.sub + "%s"`, ExternalOIDCUIDExpressionPrefix, ExternalOIDCUIDExpressionSubfix),
+		Expression: fmt.Sprintf(`"%s" + claims.sub + "%s"`, ExternalOIDCUIDExpressionPrefix, ExternalOIDCUIDExpressionSuffix),

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between ae45352 and 78321d9.

📒 Files selected for processing (2)

• test/e2e/external_oidc_test.go (0 hunks)
• test/e2e/util/external_oidc.go (2 hunks)

💤 Files with no reviewable changes (1)

• test/e2e/external_oidc_test.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Red Hat Konflux / hypershift-operator-main-on-pull-request
• GitHub Check: Red Hat Konflux / control-plane-operator-main-on-pull-request

🔇 Additional comments (2)

test/e2e/util/external_oidc.go (2)

131-143: LGTM! Feature gate removal is clean.

The UID and Extra claim mappings are now unconditionally configured, which correctly aligns with the feature promotion to GA. The CEL expressions are syntactically correct:

• Line 132 properly quotes string literals and references claims.sub
• Line 137 wraps the string literal value in quotes
• Line 141 correctly uses an unquoted variable reference to claims.email

---

173-174: LGTM! Validation correctly updated.

The validation logic now unconditionally expects UID and Extra mappings to be present, which is consistent with the feature being promoted to GA and the unconditional configuration in GetAuthenticationConfig().

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

test/e2e/util/external_oidc.go (1)

131-143: LGTM! UID and Extra mappings are now unconditional.

The GA promotion correctly removes feature gate checks and makes these mappings always active. The UID expression construction and Extra mappings are appropriate.

However, note the typo in the constant name at line 45: ExternalOIDCUIDExpressionSubfix should be ExternalOIDCUIDExpressionSuffix. Consider fixing this in a follow-up to improve code quality.

If you'd like to address the typo now, apply this diff:

-	ExternalOIDCUIDExpressionSubfix        = "-uidtest"
+	ExternalOIDCUIDExpressionSuffix        = "-uidtest"

And update the reference on line 132:

-		Expression: fmt.Sprintf(`"%s" + claims.sub + "%s"`, ExternalOIDCUIDExpressionPrefix, ExternalOIDCUIDExpressionSubfix),
+		Expression: fmt.Sprintf(`"%s" + claims.sub + "%s"`, ExternalOIDCUIDExpressionPrefix, ExternalOIDCUIDExpressionSuffix),

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 78321d9 and b4ee0cb.

📒 Files selected for processing (2)

• test/e2e/external_oidc_test.go (0 hunks)
• test/e2e/util/external_oidc.go (2 hunks)

💤 Files with no reviewable changes (1)

• test/e2e/external_oidc_test.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Red Hat Konflux / hypershift-operator-main-on-pull-request
• GitHub Check: Red Hat Konflux / control-plane-operator-main-on-pull-request

🔇 Additional comments (1)

test/e2e/util/external_oidc.go (1)

173-174: LGTM! Test expectations correctly updated.

The validation now properly expects UID and Extra claim mappings to always be present, which aligns with the unconditional configuration in GetAuthenticationConfig. This is appropriate for a GA feature.

[xiuwang]

/payload-job periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-external-oidc

[openshift-ci]

@xiuwang: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-hypershift-release-4.21-periodics-e2e-aws-external-oidc

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d2efba10-b9e9-11f0-9c46-2e2c14faaa35-0

[xiuwang]

/verified by @xiuwang

[openshift-ci-robot]

@xiuwang: This PR has been marked as verified by @xiuwang.

In response to this:

/verified by @xiuwang

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[everettraven]

/retest-required

[sjenning]

/lgtm

[everettraven]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD fd07723 and 2 for PR HEAD 8758069 in total

[xingxingxia]

/retest-required

[everettraven]

/retest-required

[sjenning]

AKS e2e is having DNS throttling issues

/override ci/prow/e2e-aks
/override ci/prow/e2e-aks-4-20

[openshift-ci]

@sjenning: Overrode contexts on behalf of sjenning: ci/prow/e2e-aks, ci/prow/e2e-aks-4-20

In response to this:

AKS e2e is having DNS throttling issues

/override ci/prow/e2e-aks
/override ci/prow/e2e-aks-4-20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sjenning]

/retest-required

[everettraven]

@sjenning looks like the failing test here is also a quota-like issue?

Error: could not complete platform specific options: failed to create infra: failed to create hosted zone: TooManyHostedZones: Limits Exceeded: MAX_HOSTED_ZONES_BY_OWNER - Cannot create more hosted zones.
status code: 400, request id: 086cf63c-7149-4f40-81f5-612ef6572bb2

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 75713b0 and 1 for PR HEAD 8758069 in total

[openshift-ci]

@everettraven: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@everettraven: Jira Issue Verification Checks: Jira Issue OCPBUGS-56444
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-56444 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

In response to this:

What this PR does / why we need it:

Promotes the ExternalOIDCWithUIDAndExtraClaimMappings feature to GA.

Feature was added as TPNU in #6073

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.