OCPBUGS-61432: fix(oidc): fix OIDCClientSecretGet condition #1052
base: main
Skipping CI for Draft Pull Request.
@devguyio: This pull request references Jira Issue OCPBUGS-61432, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: devguyio The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/pj-rehearse
/payload-job e2e-aws-sno-external-oidc-configure
@devguyio: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/b2a25b10-a2aa-11f0-9448-1ccf889bda9e-0
This commit addresses two issues related to OIDC authentication:

1. Fixed OIDC client secret lookup in oidcsetup controller to use the correct informer, namespace (openshift-config) and dynamic secret name from the Authentication CR, instead of hardcoded values.
2. Added condition cleanup in sync_v400 to properly clear the OIDCProviderTrustedAuthorityConfigGet degraded condition when authentication type changes from OIDC to non-OIDC (e.g., IntegratedOAuth). This prevents the Console Operator from remaining in a Degraded state indefinitely during rollback scenarios.

The second fix follows the same pattern used in the oidcsetup controller for clearing conditions when auth type is not OIDC.

Assisted-by: Claude Code 2.0.5, claude-sonnet-4-5@20250929
Signed-off-by: Ahmed Abdalla <[email protected]>
212fbfd to a63d396
/payload-job e2e-aws-sno-external-oidc-configure
@devguyio: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/648bde10-a304-11f0-9066-110d95fceb73-0
// Clear OIDC-related conditions when auth type is not OIDC | ||
statusHandler.AddConditions(status.HandleProgressingOrDegraded("OIDCProviderTrustedAuthorityConfigGet", "", nil)) |
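Review bot: The comment above the AddConditions call says "OIDC-related conditions" in the plural, but the call clears only OIDCProviderTrustedAuthorityConfigGet. If this sync path can set any other OIDC condition, clear it here with the same nil-error call so a rollback cannot leave it degraded; otherwise narrow the comment to name the one condition. The condition type is passed as a string literal, so a shared constant used at both the set and clear sites would keep the two from drifting apart. The auth-type check the comment refers to is not visible in these lines, so confirm the call sits inside the non-OIDC branch.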
Is this the only external OIDC related status condition we need to clean up? Anything else that would make sense to clean up?
/payload-job e2e-aws-sno-external-oidc-revertoauth
@everettraven: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ac25eb40-a376-11f0-9784-9932bfb8aff4-0
Note
The PR #1041 was introduced to fix a bug in client secret lookup in the OIDC case; however, it was reverted as it uncovered another bug that caused a release-blocking regression.
This PR is an attempt to fix both the original bug and the uncovered bug that caused the regression.
Description
Fixed OIDC client secret lookup in oidcsetup controller to use the correct informer, namespace (openshift-config) and dynamic secret name from the Authentication CR, instead of hardcoded values.
Added condition cleanup in sync_v400 to properly clear the OIDCProviderTrustedAuthorityConfigGet degraded condition when authentication type changes from OIDC to non-OIDC (e.g., IntegratedOAuth). This prevents the Console Operator from remaining in a Degraded state indefinitely during rollback scenarios.
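
The two fixes described above, modelled as an added example that is not code from this PR or from the console-operator. The `Conditions` type, `Sync`, `Degraded` and the sample secret data are hypothetical; only the condition names and the openshift-config namespace come from the page, and treating those two names as the full set of OIDC conditions is an assumption.

```go
package main

import "fmt"

// Simplified model for illustration; these are not the console-operator's types.
type Conditions map[string]string // condition type -> message; absent means healthy

// set records a failure or, when err is nil, clears the condition.
func (c Conditions) set(condType string, err error) {
	if err == nil {
		delete(c, condType)
		return
	}
	c[condType] = err.Error()
}

// Condition names as they appear in the PR; that these two are the full set
// the OIDC path can leave behind is an assumption.
var oidcConditions = []string{"OIDCClientSecretGet", "OIDCProviderTrustedAuthorityConfigGet"}

// Sync models one reconcile pass. secrets is keyed by "namespace/name";
// secretName stands in for the name read from the Authentication CR.
func Sync(authType, secretName string, secrets map[string]string, c Conditions) {
	if authType != "OIDC" {
		// Rollback path: clear whatever the OIDC path may have set earlier.
		for _, t := range oidcConditions {
			c.set(t, nil)
		}
		return
	}
	key := "openshift-config/" + secretName // namespace from the PR description
	if _, ok := secrets[key]; !ok {
		c.set("OIDCClientSecretGet", fmt.Errorf("secret %q not found", key))
		return
	}
	c.set("OIDCClientSecretGet", nil)
}

// Degraded reports whether any condition is still set.
func Degraded(c Conditions) bool { return len(c) > 0 }

func main() {
	// Constructed state: a condition left over from a failed OIDC rollout.
	c := Conditions{"OIDCProviderTrustedAuthorityConfigGet": "configmap not found"}
	Sync("IntegratedOAuth", "", nil, c)
	fmt.Println("degraded after rollback:", Degraded(c)) // cleared by the non-OIDC branch
}
```

Without the loop in the non-OIDC branch, the leftover condition in `main` would never be revisited and the model would stay degraded after the switch back to IntegratedOAuth.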