CNTRLPLANE-2521: feat: configv1/authentication: add fields for sourcing claims from external sources

[everettraven]

Description

Updates the authentications.config.openshift.io/v1 API to add new fields for sourcing claims from external sources (i.e not from the token being authenticated).

This PR is based on the changes in openshift/oauth-apiserver#197 which adds all the fields to the configuration file that this API is used to generate.

[openshift-ci-robot]

@everettraven: This pull request references CNTRLPLANE-2521 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Description

Updates the authentications.config.openshift.io/v1 API to add new fields for sourcing claims from external sources (i.e not from the token being authenticated).

This PR is based on the changes in openshift/oauth-apiserver#197 which adds all the fields to the configuration file that this API is used to generate.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @everettraven! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds feature-gated ExternalOIDCExternalClaimsSourcing to the Authentication API. Introduces new exported types and constants for external claim sources, authentication modes, OAuth2 client-credential and TLS config, URL hostname/path inputs, predicates, and claim mappings. Extends OIDCProvider with an atomic externalClaimsSources list (min 1, max 5) and cross-source uniqueness validation for mapping names. Updates CRD schemas (DevPreview and CustomNoUpgrade) with OpenAPI and x-kubernetes-validations enforcing conditional fields, formats, sizing, and uniqueness rules. Adds an apiextensions.k8s.io/v1 test manifest covering positive and negative validation cases.

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	Tests use config.openshift.io/v1 API unavailable on MicroShift and lack required [apigroup:...] tag or [Skipped:MicroShift] label for auto-skip protection.	Add [apigroup:config.openshift.io] tag to test names in ExternalOIDCExternalClaimsSourcing.yaml, or add [Skipped:MicroShift] labels. The apigroup tag approach is preferred for API-specific tests.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description is directly related to the changeset, explaining the purpose of adding new fields for external claims sourcing to the authentications API.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds 30 declarative test cases with static, deterministic names. No UUIDs, timestamps, pod/node names, or IP addresses. All names are descriptive and stable across test runs.
Test Structure And Quality	✅ Passed	PR adds YAML test specifications that are auto-generated into Ginkgo tests. Framework provides setup/cleanup, timeouts, assertion messages automatically.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are present in this PR. Changes are API type definitions and CRD validation manifests in YAML format, not e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds API types and CRD schemas for external claims sourcing. No deployment manifests, operator code, controllers, or scheduling constraints are present.
Ote Binary Stdout Contract	✅ Passed	PR adds only Go type definitions and YAML manifests. No process-level code, main/init functions, or stdout writes present. Check is not applicable to API definitions.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests. The only test file is a declarative YAML CRD schema validation manifest, not a Ginkgo test. Check not applicable.
Title check	✅ Passed	The title accurately summarizes the main change: adding fields to the authentication API for sourcing claims from external sources, which is reflected across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml (1)

280-943: ⚡ Quick win

Add tests for two contract edges to prevent drift.

Please add cases for:

• duplicate mappings[].name across two externalClaimsSources entries, and
• explicit predicates: [] behavior (accept or reject, based on intended contract).

These two edges are currently where schema-vs-contract drift is most likely.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml`
around lines 280 - 943, Add two test cases to the existing list: (1) "Cannot
duplicate mappings.name across externalClaimsSources" that defines two
externalClaimsSources each with a mappings entry using the same name (e.g.,
name: email) and sets expectedError to assert duplication (e.g., "Duplicate
value: \"email\"") to catch cross-source duplicate mapping names; (2) "Explicit
predicates empty array behavior" that adds an externalClaimsSources entry with
predicates: [] and an initial config, and set either expected (if contract
allows an explicit empty predicates array) or expectedError (if contract forbids
empty predicates) to reflect the intended contract—use the same structures and
fields (externalClaimsSources, mappings, predicates) as the surrounding tests so
the new entries align with the suite.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_authentication.go`:
- Around line 893-911: The struct field Predicates is documented to allow
omitted or empty lists but the validation tag +kubebuilder:validation:MinItems=1
prevents an explicit empty slice; remove or change that validation so empty
lists are accepted (e.g., delete the +kubebuilder:validation:MinItems=1 tag or
set it to 0) on the Predicates []ExternalSourcePredicate field and keep the
existing +kubebuilder:validation:MaxItems=16 and list/map tags intact so the
documented semantics match the schema.

---

Nitpick comments:
In
`@config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml`:
- Around line 280-943: Add two test cases to the existing list: (1) "Cannot
duplicate mappings.name across externalClaimsSources" that defines two
externalClaimsSources each with a mappings entry using the same name (e.g.,
name: email) and sets expectedError to assert duplication (e.g., "Duplicate
value: \"email\"") to catch cross-source duplicate mapping names; (2) "Explicit
predicates empty array behavior" that adds an externalClaimsSources entry with
predicates: [] and an initial config, and set either expected (if contract
allows an explicit empty predicates array) or expectedError (if contract forbids
empty predicates) to reflect the intended contract—use the same structures and
fields (externalClaimsSources, mappings, predicates) as the surrounding tests so
the new entries align with the suite.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1e34b0e9-5d75-41d8-a767-d23db5e399c1

📥 Commits

Reviewing files that changed from the base of the PR and between 21ed4c2 and 09e520a.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (4)

• config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml
• config/v1/types_authentication.go
• payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml (1)

918-943: ⚡ Quick win

Add the matching invalid-name case for authentication.clientCredential.tls.certificateAuthority.

This manifest only exercises the DNS-name validation for the top-level externalClaimsSources[].tls.certificateAuthority, but the same validation is duplicated under externalClaimsSources[].authentication.clientCredential.tls.certificateAuthority. A broken schema generation in that nested branch would currently go uncaught.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml`
around lines 918 - 943, Add a second invalid-name test case that mirrors the
existing externalClaimsSources TLS CA check but for the nested
authentication.clientCredential.tls.certificateAuthority path: update the YAML
in ExternalOIDCExternalClaimsSourcing.yaml to include an authentication:
clientCredential: tls: certificateAuthority: name: "INVALID_NAME!" entry under
the same externalClaimsSources item and assert the same expectedError string
("name must start and end with a lowercase alphanumeric character, and must only
contain lowercase alphanumeric characters, '-' or '.'") so the schema validation
for
externalClaimsSources[].authentication.clientCredential.tls.certificateAuthority
is exercised just like externalClaimsSources[].tls.certificateAuthority.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_authentication.go`:
- Around line 94-96: The new FeatureGate annotation
ExternalOIDCExternalClaimsSourcing was added to OIDCProviders but not propagated
across the OIDC-related API surface; update the API types and annotations so the
gate consistently enables OIDC everywhere: add the same
+openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing (and +optional
where appropriate) to the AuthenticationType enum entry that allows "OIDC", to
the OIDCClients (oidcClients) type/status/validation annotations, and any
xValidation annotations tied to OIDC so that oidcProviders, oidcClients, and
AuthenticationType check the same gate; locate symbols AuthenticationType,
OIDCProviders, oidcClients, and related xValidation annotations in
types_authentication.go and the OIDC client/status definitions and add the gate
annotation to each corresponding declaration to maintain consistent gating.

---

Nitpick comments:
In
`@config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml`:
- Around line 918-943: Add a second invalid-name test case that mirrors the
existing externalClaimsSources TLS CA check but for the nested
authentication.clientCredential.tls.certificateAuthority path: update the YAML
in ExternalOIDCExternalClaimsSourcing.yaml to include an authentication:
clientCredential: tls: certificateAuthority: name: "INVALID_NAME!" entry under
the same externalClaimsSources item and assert the same expectedError string
("name must start and end with a lowercase alphanumeric character, and must only
contain lowercase alphanumeric characters, '-' or '.'") so the schema validation
for
externalClaimsSources[].authentication.clientCredential.tls.certificateAuthority
is exercised just like externalClaimsSources[].tls.certificateAuthority.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f0339821-9928-47c2-b13d-2bb067849bbb

📥 Commits

Reviewing files that changed from the base of the PR and between 09e520a and 6498c6e.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (4)

• config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml
• config/v1/types_authentication.go
• payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml`:
- Around line 786-790: The schema for url.hostname currently allows an optional
":port" but enforces maxLength: 253 which will reject a valid 253-character
hostname with a port appended; update the constraint for the url.hostname field
(the minLength/maxLength entries) to allow the colon and up to 5 port digits by
increasing maxLength from 253 to 259, or alternatively split host and port into
separate fields (e.g., hostname and port) and validate each independently; make
the change where url.hostname's maxLength/minLength are defined so the optional
":65535" can be accommodated.
- Around line 605-611: Replace the raw-string check for user info (the rule
"self.find('@') == ''" under the "tokenEndpoint must not have user info"
message) with a parsed-URL userinfo check so paths containing '@' are not
rejected; change the rule to use the URL parser like "url(self).getUserInfo() ==
''" (or the equivalent parsed userinfo accessor in this policy language) so only
authority userinfo is disallowed while allowing '@' in the path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 49bac58b-6fe1-4b05-b238-bdca3f196925

📥 Commits

Reviewing files that changed from the base of the PR and between 6498c6e and a9da673.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (4)

• config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml
• config/v1/types_authentication.go
• payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
• config/v1/types_authentication.go

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

config/v1/types_authentication.go (1)

8-8: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Thread ExternalOIDCExternalClaimsSourcing through the rest of the OIDC API surface.

This updates the top-level OIDC validation and spec.oidcProviders, but AuthenticationType still does not allow OIDC for this gate and status.oidcClients is still guarded by the older gate set. With only ExternalOIDCExternalClaimsSourcing enabled, the new manifests in this PR can still be rejected or lose the existing oidcClients invariant.

Also applies to: 94-94

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/types_authentication.go` at line 8, The top-level validation and
spec.oidcProviders were updated for ExternalOIDCExternalClaimsSourcing, but you
must also propagate that feature gate through AuthenticationType checks and the
status.oidcClients guard so enabling only ExternalOIDCExternalClaimsSourcing
doesn't leave AuthenticationType disallowing OIDC or keep status.oidcClients
behind the old gate; update the feature-gate annotations and validation
conditions that reference AuthenticationType and status.oidcClients to include
ExternalOIDCExternalClaimsSourcing (in the same style as the long
openshift:validation tag and inside any code paths that validate
AuthenticationType == OIDC or access status.oidcClients) so the new gate is
threaded consistently across AuthenticationType, spec.oidcProviders, and
status.oidcClients.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/v1/types_authentication.go`:
- Around line 881-886: The godoc comment for the mappings field contains a stale
TODO; remove the line "TODO: Should this hold true? If so, validate it." from
the comment block that documents mappings in config/v1/types_authentication.go
so the API contract reads as definitive (keep the rest of the text about
required entries, min/max and uniqueness) and do not change any validation
logic—references to mappings and externalClaimsSources should remain intact.

---

Duplicate comments:
In `@config/v1/types_authentication.go`:
- Line 8: The top-level validation and spec.oidcProviders were updated for
ExternalOIDCExternalClaimsSourcing, but you must also propagate that feature
gate through AuthenticationType checks and the status.oidcClients guard so
enabling only ExternalOIDCExternalClaimsSourcing doesn't leave
AuthenticationType disallowing OIDC or keep status.oidcClients behind the old
gate; update the feature-gate annotations and validation conditions that
reference AuthenticationType and status.oidcClients to include
ExternalOIDCExternalClaimsSourcing (in the same style as the long
openshift:validation tag and inside any code paths that validate
AuthenticationType == OIDC or access status.oidcClients) so the new gate is
threaded consistently across AuthenticationType, spec.oidcProviders, and
status.oidcClients.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 72fbd2c4-e141-4c12-b8ef-54ee46817177

📥 Commits

Reviewing files that changed from the base of the PR and between a9da673 and ee1517b.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (4)

• config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml
• config/v1/types_authentication.go
• payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml

✅ Files skipped from review due to trivial changes (2)

• payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml

[coderabbitai]

♻️ Duplicate comments (1)

config/v1/types_authentication.go (1)

94-96: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Propagate ExternalOIDCExternalClaimsSourcing across the rest of the OIDC surface.

spec.oidcProviders is enabled for the new gate here, but AuthenticationType still does not allow OIDC under that gate and status.oidcClients is still missing it as well. With only ExternalOIDCExternalClaimsSourcing enabled, the new create cases can still fail before externalClaimsSources is even validated.

Suggested follow-up

-// +openshift:enable:FeatureGate=ExternalOIDC
-// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+// +openshift:enable:FeatureGate=ExternalOIDC
+// +openshift:enable:FeatureGate=ExternalOIDCWithUIDAndExtraClaimMappings
+// +openshift:enable:FeatureGate=ExternalOIDCWithUpstreamParity
+// +openshift:enable:FeatureGate=ExternalOIDCExternalClaimsSourcing
 // +optional
 OIDCClients []OIDCClientStatus `json:"oidcClients"`

-// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings,enum="";None;IntegratedOAuth;OIDC
+// +openshift:validation:FeatureGateAwareEnum:featureGate=ExternalOIDC;ExternalOIDCWithUIDAndExtraClaimMappings;ExternalOIDCWithUpstreamParity;ExternalOIDCExternalClaimsSourcing,enum="";None;IntegratedOAuth;OIDC
 type AuthenticationType string

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/v1/types_authentication.go` around lines 94 - 96, The new feature gate
ExternalOIDCExternalClaimsSourcing is enabled for spec.oidcProviders but not
propagated elsewhere; update AuthenticationType to allow the OIDC enum value
when ExternalOIDCExternalClaimsSourcing is enabled (modify the validation/enum
logic around AuthenticationType), and ensure status.oidcClients includes
OIDC-based entries when the gate is present (add gating checks where status is
constructed/updated to append OIDC client info tied to spec.oidcProviders and
externalClaimsSources). Also audit any create/validation paths that currently
reject OIDC when the gate is set and modify them to consult
ExternalOIDCExternalClaimsSourcing so new create flows don’t fail before
externalClaimsSources are validated.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@config/v1/types_authentication.go`:
- Around line 94-96: The new feature gate ExternalOIDCExternalClaimsSourcing is
enabled for spec.oidcProviders but not propagated elsewhere; update
AuthenticationType to allow the OIDC enum value when
ExternalOIDCExternalClaimsSourcing is enabled (modify the validation/enum logic
around AuthenticationType), and ensure status.oidcClients includes OIDC-based
entries when the gate is present (add gating checks where status is
constructed/updated to append OIDC client info tied to spec.oidcProviders and
externalClaimsSources). Also audit any create/validation paths that currently
reject OIDC when the gate is set and modify them to consult
ExternalOIDCExternalClaimsSourcing so new create flows don’t fail before
externalClaimsSources are validated.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: aa5bf0e5-8bfc-4dbf-97be-88d9725d1175

📥 Commits

Reviewing files that changed from the base of the PR and between ee1517b and 4affa2a.

⛔ Files ignored due to path filters (8)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (4)

• config/v1/tests/authentications.config.openshift.io/ExternalOIDCExternalClaimsSourcing.yaml
• config/v1/types_authentication.go
• payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml

[everettraven]

Holding until openshift/oauth-apiserver#197 makes it in.

/hold

[openshift-ci]

@everettraven: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.