Merge pull request #30406 from everettraven/oidc/ensure-clientconfigs-happy

openshift-merge-bot[bot] · web-flow · commit 4ad2c3574d3b · 2025-11-09T08:01:12.000Z
NO-JIRA: oidc: ensure console and cli OIDC clients are available when enabling OIDC
diff --git a/test/extended/authentication/oidc.go b/test/extended/authentication/oidc.go
@@ -19,6 +19,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/util/errors"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -116,6 +117,7 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 			o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error configuring OIDC authentication")
 
 			waitForRollout(ctx, oc)
+			waitForHealthyOIDCClients(ctx, oc)
 		})
 
 		g.Describe("external IdP is configured", g.Ordered, func() {
@@ -283,6 +285,7 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 					o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error configuring OIDC authentication")
 
 					waitForRollout(ctx, oc)
+					waitForHealthyOIDCClients(ctx, oc)
 				})
 
 				g.It("should default UID to the 'sub' claim in the access token from the IdP", func() {
@@ -322,6 +325,7 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 					o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error configuring OIDC authentication")
 
 					waitForRollout(ctx, oc)
+					waitForHealthyOIDCClients(ctx, oc)
 				})
 
 				g.Describe("checking cluster identity mapping", g.Ordered, func() {
@@ -485,6 +489,14 @@ func generateOIDCProvider(ctx context.Context, client *exutil.CLI, namespace, oi
 					Name: oidcClientSecret,
 				},
 			},
+			{
+				ComponentName:      "cli",
+				ComponentNamespace: "openshift-console",
+				ClientID:           "openshift-cli-oidc-client",
+				ClientSecret: configv1.SecretNameReference{
+					Name: oidcClientSecret,
+				},
+			},
 		},
 	}, nil
 }
@@ -601,3 +613,21 @@ func checkKubeAPIServerCondition(ctx context.Context, kasCli operatorv1client.Ku
 
 	return nil
 }
+
+func waitForHealthyOIDCClients(ctx context.Context, client *exutil.CLI) {
+	o.Eventually(func(gomega o.Gomega) {
+		authn, err := client.AdminConfigClient().ConfigV1().Authentications().Get(ctx, "cluster", metav1.GetOptions{})
+		gomega.Expect(err).NotTo(o.HaveOccurred())
+
+		for _, client := range authn.Status.OIDCClients {
+			// ignore clients that aren't OpenShift default clients
+			if client.ComponentNamespace != "openshift-console" && !(client.ComponentName == "console" || client.ComponentName == "cli") {
+				continue
+			}
+
+			availableCondition := meta.FindStatusCondition(client.Conditions, "Available")
+			gomega.Expect(availableCondition).NotTo(o.BeNil(), fmt.Sprintf("oidc client %s/%s should have an Available condition", client.ComponentNamespace, client.ComponentName))
+			gomega.Expect(availableCondition.Status).To(o.Equal(metav1.ConditionTrue), fmt.Sprintf("oidc client %s/%s should be available but was not", client.ComponentNamespace, client.ComponentName), availableCondition)
+		}
+	}).WithTimeout(10*time.Minute).WithPolling(20*time.Second).Should(o.Succeed(), "should eventually have healthy OIDC client configurations")
+}
