fix(oidc): fix secret lookup and add condition cleanup

This commit addresses two issues related to OIDC authentication:

1. Fixed OIDC client secret lookup in oidcsetup controller to use
   the correct informer, namespace (openshift-config) and dynamic
   secret name from the Authentication CR, instead of hardcoded values.

2. Added condition cleanup in sync_v400 to properly clear the
   OIDCProviderTrustedAuthorityConfigGet degraded condition when
   authentication type changes from OIDC to non-OIDC (e.g.,
   IntegratedOAuth). This prevents the Console Operator
   from remaining in a Degraded state indefinitely during rollback
   scenarios.

The second fix follows the same pattern used in the oidcsetup
controller for clearing conditions when auth type is not OIDC.

Assisted-by: Claude Code 2.0.5, claude-sonnet-4-5@20250929
Signed-off-by: Ahmed Abdalla <[email protected]>

Author: devguyio

pkg/console/controllers/oidcsetup/oidcsetup.go

@@ -58,6 +58,7 @@ type oidcSetupController struct {
 	authnLister               configv1listers.AuthenticationLister
 	consoleOperatorLister     operatorv1listers.ConsoleLister
 	configConfigMapLister     corev1listers.ConfigMapLister
+	configSecretsLister       corev1listers.SecretLister
 	targetNSSecretsLister     corev1listers.SecretLister
 	targetNSConfigMapLister   corev1listers.ConfigMapLister
 	targetNSDeploymentsLister appsv1listers.DeploymentLister
@@ -74,6 +75,7 @@ func NewOIDCSetupController(
 	authenticationClient configv1client.AuthenticationInterface,
 	consoleOperatorInformer operatorv1informers.ConsoleInformer,
 	configConfigMapInformer corev1informers.ConfigMapInformer,
+	configSecretInformer corev1informers.SecretInformer,
 	targetNSsecretsInformer corev1informers.SecretInformer,
 	targetNSConfigMapInformer corev1informers.ConfigMapInformer,
 	targetNSDeploymentsInformer appsv1informers.DeploymentInformer,
@@ -87,6 +89,7 @@ func NewOIDCSetupController(
 		authnLister:               authnInformer.Lister(),
 		consoleOperatorLister:     consoleOperatorInformer.Lister(),
 		configConfigMapLister:     configConfigMapInformer.Lister(),
+		configSecretsLister:       configSecretInformer.Lister(),
 		targetNSSecretsLister:     targetNSsecretsInformer.Lister(),
 		targetNSDeploymentsLister: targetNSDeploymentsInformer.Lister(),
 		targetNSConfigMapLister:   targetNSConfigMapInformer.Lister(),
@@ -200,7 +203,7 @@ func (c *oidcSetupController) syncAuthTypeOIDC(ctx context.Context, authnConfig
 		return nil
 	}
 
-	clientSecret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get("console-oauth-config")
+	clientSecret, err := c.configSecretsLister.Secrets(api.OpenShiftConfigNamespace).Get(clientConfig.ClientSecret.Name)
 	if err != nil {
 		c.authStatusHandler.Degraded("OIDCClientSecretGet", err.Error())
 		return err

pkg/console/operator/sync_v400.go

@@ -117,6 +117,9 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		if err != nil {
 			return statusHandler.FlushAndReturn(err)
 		}
+	default:
+		// Clear OIDC-related conditions when auth type is not OIDC
+		statusHandler.AddConditions(status.HandleProgressingOrDegraded("OIDCProviderTrustedAuthorityConfigGet", "", nil))
 	}
 
 	customLogosErr, customLogosErrReason := co.SyncCustomLogos(updatedOperatorConfig)

pkg/console/starter/starter.go

@@ -295,6 +295,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		configClient.ConfigV1().Authentications(),
 		operatorConfigInformers.Operator().V1().Consoles(),
 		kubeInformersConfigNamespaced.Core().V1().ConfigMaps(),
+		kubeInformersConfigNamespaced.Core().V1().Secrets(),
 		kubeInformersNamespaced.Core().V1().Secrets(),
 		kubeInformersNamespaced.Core().V1().ConfigMaps(),
 		kubeInformersNamespaced.Apps().V1().Deployments(),