Skip to content

OCPBUGS-61432: fix(oidc): fix OIDCClientSecretGet condition #1041

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 11, 2025
Merged

OCPBUGS-61432: fix(oidc): fix OIDCClientSecretGet condition #1041

merged 1 commit into from
Sep 11, 2025

Conversation

devguyio
Copy link
Contributor

@devguyio devguyio commented Sep 5, 2025

Since the Authentication resource references CAs and Secrets in the openshift-config namespace, its validation should focus on the openshift-config namespace.

However the OIDCClientSecretGet condition logic checks for the synced client secret, namely console-oauth-config under openshift-console, instead of the one referenced by the Authentication resource under openshift-config.

This PR fixes this behavior.

@devguyio
fix(oidc): fix OIDCClientSecretGet condition
868d0b7 
set the OIDCClientSecretGet condition when client secrets
don't exist in the openshift-config namespace instead of
the openshift-console namespace.

Signed-off-by: Ahmed Abdalla <[email protected]>
@openshift-ci openshift-ci bot requested review from jhadvig and TheRealJon September 5, 2025 11:45
@devguyio
Copy link
Contributor Author

devguyio commented Sep 9, 2025

/retest-required

@devguyio devguyio changed the title fix(oidc): fix OIDCClientSecretGet condition OCPBUGS-61432: fix(oidc): fix OIDCClientSecretGet condition Sep 9, 2025
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 9, 2025
@openshift-ci-robot
Copy link
Contributor

@devguyio: This pull request references Jira Issue OCPBUGS-61432, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Since the Authentication resource references CAs and Secrets in the openshift-config namespace, its validation should focus on the openshift-config namespace.

However the OIDCClientSecretGet condition logic checks for the synced client secret, namely console-oauth-config under openshift-console, instead of the one referenced by the Authentication resource under openshift-config.

This PR fixes this behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jhadvig
Copy link
Member

jhadvig commented Sep 10, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 10, 2025
@openshift-ci-robot
Copy link
Contributor

@jhadvig: This pull request references Jira Issue OCPBUGS-61432, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from yapei September 10, 2025 12:07
jhadvig
jhadvig approved these changes Sep 10, 2025
View reviewed changes
Copy link
Member

@jhadvig jhadvig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 10, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: devguyio, jhadvig

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 10, 2025
@jhadvig
Copy link
Member

jhadvig commented Sep 10, 2025

/verified later @yapei

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Sep 10, 2025
@openshift-ci-robot
Copy link
Contributor

@jhadvig: This PR has been marked to be verified later by @yapei.

In response to this:

/verified later @yapei

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jhadvig
Copy link
Member

jhadvig commented Sep 10, 2025

/cherry-pick release-4.20

@openshift-cherrypick-robot
Copy link

@jhadvig: once the present PR merges, I will cherry-pick it on top of release-4.20 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 26cc37b and 2 for PR HEAD 868d0b7 in total

1 similar comment
@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 26cc37b and 2 for PR HEAD 868d0b7 in total

@jhadvig
Copy link
Member

jhadvig commented Sep 11, 2025 

✖  app/deployments.cy.ts

/retest

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD a7eda2c and 1 for PR HEAD 868d0b7 in total

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 11, 2025

@devguyio: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit d86796f into openshift:main Sep 11, 2025
13 checks passed
@openshift-ci-robot
Copy link
Contributor

@devguyio: Jira Issue OCPBUGS-61432: All pull requests linked via external trackers have merged:

This pull request has the verified-later tag and will need to be manually moved to VERIFIED after testing. Jira Issue OCPBUGS-61432 has been moved to the MODIFIED state.

In response to this:

Since the Authentication resource references CAs and Secrets in the openshift-config namespace, its validation should focus on the openshift-config namespace.

However the OIDCClientSecretGet condition logic checks for the synced client secret, namely console-oauth-config under openshift-console, instead of the one referenced by the Authentication resource under openshift-config.

This PR fixes this behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-cherrypick-robot
Copy link

@jhadvig: new pull request created: #1045

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Sep 11, 2025
Open
@everettraven everettraven mentioned this pull request Sep 12, 2025
Merged
@openshift-merge-robot
Copy link
Contributor

Fix included in accepted release 4.21.0-0.nightly-2025-09-13-162334

@devguyio devguyio mentioned this pull request Oct 2, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhadvig jhadvig jhadvig approved these changes

@TheRealJon TheRealJon Awaiting requested review from TheRealJon

@yapei yapei Awaiting requested review from yapei

Assignees

@jhadvig jhadvig

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria verified-later
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@devguyio @openshift-ci-robot @jhadvig @openshift-cherrypick-robot @openshift-merge-robot