Skip to content

Promote ExternalOIDCWithUpstreamParity to Default feature set#2915

Open
ShazaAldawamneh wants to merge 1 commit into
openshift:masterfrom
ShazaAldawamneh:CNTRLPLANE-3375
Open

Promote ExternalOIDCWithUpstreamParity to Default feature set#2915
ShazaAldawamneh wants to merge 1 commit into
openshift:masterfrom
ShazaAldawamneh:CNTRLPLANE-3375

Conversation

@ShazaAldawamneh

Copy link
Copy Markdown
Contributor

Replaces #2843

This PR promotes the ExternalOIDCWithUpstreamParity feature gate from DevPreview/TechPreview to Default feature set.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Hello @ShazaAldawamneh! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 653ca380-51a8-4b19-9be5-5cc0329de4f2

📥 Commits

Reviewing files that changed from the base of the PR and between 4e33629 and 34bfe5f.

⛔ Files ignored due to path filters (2)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
📒 Files selected for processing (8)
  • features.md
  • features/features.go
  • payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
✅ Files skipped from review due to trivial changes (1)
  • features.md
🚧 Files skipped from review as they are similar to previous changes (7)
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • features/features.go
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml

📝 Walkthrough

Walkthrough

The PR enables ExternalOIDCWithUpstreamParity for Default and OKD configurations and updates corresponding feature-gate manifests. Authentication CRDs gain CEL expression-based group and username mappings, CEL claim validation rules, validated issuer discovery URLs, and top-level user validation rules. The feature-gate documentation row is repositioned without changing its enabled-state markings.

Suggested reviewers: deads2k, JoelSpeed

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: promoting ExternalOIDCWithUpstreamParity to the Default feature set.
Description check ✅ Passed The description directly matches the changeset by stating the feature gate is promoted from DevPreview/TechPreview to Default.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test files or titles were changed, and the modified files contain no dynamic test-name patterns.
Test Structure And Quality ✅ Passed No Ginkgo test code was added or changed; this PR only updates feature-gate manifests and CRDs, so the test-quality review is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo specs or MicroShift-unsafe tests were added; the PR only changes feature-gate docs/manifests and CRD YAML.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; only feature-gate and CRD manifest changes appear, with no SNO-sensitive test code.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: PR only changes feature-gate registration and CRD schema/manifests; no deployments, controllers, nodeSelectors, affinity, spread, taints, or replica logic added.
Ote Binary Stdout Contract ✅ Passed No process-level stdout writes were introduced; the only Go change is a feature-gate enablement tweak, and changed files contain no main/init/TestMain/stdout logging.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo/e2e tests were added; the diff is limited to feature-gate and CRD manifest updates, with no test paths or network assumptions.
No-Weak-Crypto ✅ Passed PASS: The patch only updates feature-gate/CRD manifests; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret-comparison code appears in touched files.
Container-Privileges ✅ Passed No changed manifest adds privileged/root/hostNetwork settings; the PR only updates FeatureGate and CRD schema YAML, not container specs.
No-Sensitive-Data-In-Logs ✅ Passed No logging statements were added; the diff only changes feature-gate enablement and CRD schema/docs, with no sensitive data exposure in logs.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented


Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 7, 2026
@openshift-ci openshift-ci Bot requested review from JoelSpeed and everettraven July 7, 2026 07:33
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 7, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
features/features.go (1)

459-465: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Unrelated reformatting bundled into this PR.

This whitespace/indentation reformat of FeatureGateOLMLifecycleAndCompatibility doesn't change any values and is unrelated to the ExternalOIDCWithUpstreamParity promotion. Harmless, but consider splitting unrelated formatting changes into a separate commit/PR for a cleaner diff.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@features/features.go` around lines 459 - 465, The
`FeatureGateOLMLifecycleAndCompatibility` block in `features.go` is just an
unrelated whitespace/indentation reformat and should be separated from the
`ExternalOIDCWithUpstreamParity` work. Revert or isolate that formatting-only
change from the current PR so the diff contains only the promotion-related
updates, keeping the
`newFeatureGate(...).reportProblemsToJiraComponent(...).mustRegister()` chain
unchanged in behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@features/features.go`:
- Around line 459-465: The `FeatureGateOLMLifecycleAndCompatibility` block in
`features.go` is just an unrelated whitespace/indentation reformat and should be
separated from the `ExternalOIDCWithUpstreamParity` work. Revert or isolate that
formatting-only change from the current PR so the diff contains only the
promotion-related updates, keeping the
`newFeatureGate(...).reportProblemsToJiraComponent(...).mustRegister()` chain
unchanged in behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 032ebdf0-844c-4f35-9a2f-fe9e2d5c4ac7

📥 Commits

Reviewing files that changed from the base of the PR and between 02e2c3d and 37585b3.

⛔ Files ignored due to path filters (6)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • openapi/openapi.json is excluded by !openapi/**
📒 Files selected for processing (11)
  • features.md
  • features/features.go
  • payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications.crd.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
💤 Files with no reviewable changes (5)
  • payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications.crd.yaml

@openshift-ci openshift-ci Bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 7, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml (1)

422-436: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Make type documentation match the required schema.

Line 435 makes type required, but Line 424 still describes it as optional. Update the source API comment and regenerate the CRD so the published schema does not contradict itself. As per coding guidelines, required fields must explicitly state that the field is required.

Proposed generated-doc wording
-                              type is an optional field that configures the type of the validation rule.
+                              type is a required field that configures the type of the validation rule.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml`
around lines 422 - 436, The CRD schema and docs for the validation rule field
are inconsistent: the `type` property is marked required in the schema but still
described as optional in the generated documentation. Update the source API
comment on the `type` field in the relevant authentication validation struct so
it explicitly says the field is required, then regenerate the CRD so the
description matches the required schema and the published `required` entry stays
consistent with the docs.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml`:
- Around line 627-638: The generated docs for TokenUserValidationRule are
inconsistent: the top-level description in the userValidationRules block says
the CEL rule evaluates token claims, while the expression field describes
validating cluster user identity attributes. Update the TokenUserValidationRule
and expression descriptions to consistently reference constructed user identity
attributes rather than token claims, so the schema docs match the intended
validation behavior.
- Around line 489-490: The discoveryURL validation rule is too narrow because it
only rejects URLs with user:pass@ and still allows user@host, so tighten the
auth-info check in the CRD validation for discoveryURL. Update the rule in the
same authentication schema block to match any user info before the host, or
align it with the stricter issuerURL validation pattern used elsewhere in the
CRD, so all URLs containing @ in the authority are rejected.

---

Outside diff comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml`:
- Around line 422-436: The CRD schema and docs for the validation rule field are
inconsistent: the `type` property is marked required in the schema but still
described as optional in the generated documentation. Update the source API
comment on the `type` field in the relevant authentication validation struct so
it explicitly says the field is required, then regenerate the CRD so the
description matches the required schema and the published `required` entry stays
consistent with the docs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 44872d86-bfbc-413d-91cb-3244873d78c0

📥 Commits

Reviewing files that changed from the base of the PR and between b638bb1 and 4e33629.

⛔ Files ignored due to path filters (3)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • openapi/openapi.json is excluded by !openapi/**
📒 Files selected for processing (8)
  • features.md
  • features/features.go
  • payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
✅ Files skipped from review due to trivial changes (1)
  • features.md
🚧 Files skipped from review as they are similar to previous changes (5)
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • features/features.go
  • payload-manifests/crds/0000_10_config-operator_01_authentications-Default.crd.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

@saschagrunert saschagrunert left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The verify-feature-promotion check is failing: tests have 2-13 runs across platforms (14 required), and one Azure HA test is at 92% pass rate (95% required). vSphere HA is the biggest gap at only 2 runs. The code change itself looks correct. Cannot approve until the promotion criteria are met.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 8, 2026
Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 10, 2026
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@ShazaAldawamneh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify-feature-promotion 34bfe5f link true /test verify-feature-promotion
ci/prow/verify-hypershift-integration 34bfe5f link true /test verify-hypershift-integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants