WIP: Feature/external OIDC external sources

[everettraven]

Summary by CodeRabbit

• New Features

  • Authentication observers now support feature-gate-controlled behavior for OAuth and webhook token authentication configuration.

• Refactor

  • Restructured authentication configuration observers to enable conditional processing based on feature gates.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9ef76641-f641-41da-9160-273a719e693a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The changes integrate feature-gate awareness into OAuth metadata and webhook token authenticator observers. Standalone functions are converted to methods bound to new observer types with feature-gate accessors. Observers now conditionally suppress ConfigMap existence checks when the ExternalOIDCExternalClaimsSourcing feature gate is enabled. Dependencies are updated and observers are rewired in the controller.

Changes

Cohort / File(s)	Summary
Dependency Update go.mod	Updated openshift/api from v0.0.0-20260302174620-dcac36b908db to v0.0.0-20260304205204-470851c945c9.
OAuth Metadata Observer pkg/operator/configobservation/auth/auth_metadata.go, pkg/operator/configobservation/auth/auth_metadata_test.go	Added NewOAuthMetadataObserver constructor returning an observer with feature-gate awareness. ObserveAuthMetadata converted to a method on oauthMetadataObserver. Implements early exit if feature gates not yet observed and conditionally guards ConfigMap checks behind ExternalOIDCExternalClaimsSourcing feature gate.
Webhook Token Authenticator Observer pkg/operator/configobservation/auth/webhook_authenticator.go, pkg/operator/configobservation/auth/webhook_authenticator_test.go	Added NewObserveWebhookTokenAuthenticator constructor returning an observer with feature-gate awareness. ObserveWebhookTokenAuthenticator converted to a method on webhookTokenAuthenticatorObserver. Implements branching logic: ensures webhook secret validation when ExternalOIDCExternalClaimsSourcing is enabled; validates kubeconfig secret conditionally when disabled.
External OIDC Feature Gate Guard pkg/operator/configobservation/auth/external_oidc.go	Added early return when ExternalOIDCExternalClaimsSourcing feature gate is enabled, skipping subsequent processing and preserving existingConfig.
Observer Wiring pkg/operator/configobservation/configobservercontroller/observe_config_controller.go	Updated observer instantiation: ObserveAuthMetadata replaced with NewOAuthMetadataObserver(featureGateAccessor); ObserveWebhookTokenAuthenticator replaced with NewObserveWebhookTokenAuthenticator(featureGateAccessor).

Sequence Diagram

sequenceDiagram
    participant Controller
    participant Observer as Observer<br/>(Feature-Gate Aware)
    participant FG as Feature Gate<br/>Accessor
    participant Listers
    participant Config

    Controller->>Observer: Invoke with listers, recorder, existingConfig
    Observer->>FG: Check if feature gates observed
    alt Feature gates not ready
        FG-->>Observer: Not observed
        Observer-->>Controller: Return existingConfig, no changes
    else Feature gates ready
        FG-->>Observer: Return current feature gates
        alt ExternalOIDCExternalClaimsSourcing enabled
            Observer->>Config: Skip ConfigMap existence check
            Observer->>Config: Proceed with conditional logic
        else Feature gate disabled
            Observer->>Listers: Check for AuthConfigCM
            Listers-->>Observer: ConfigMap status
            Observer->>Config: Apply original behavior
        end
        Observer-->>Controller: Return observedConfig, errors
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (1 warning, 2 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'WIP: Feature/external OIDC external sources' is vague and uses generic/placeholder-like language. It lacks clear, specific information about the main change.	Replace the vague title with a specific, descriptive summary of the primary change (e.g., 'Add feature-gate awareness to OAuth metadata and webhook authenticator observers').
Test Structure And Quality	❓ Inconclusive	Test files auth_metadata_test.go and webhook_authenticator_test.go either do not exist or cannot be accessed for assessment against Ginkgo quality requirements.	Verify test files exist in the PR branch and examine their implementations to confirm proper test structure, setup/cleanup patterns, and consistency with codebase testing practices.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Stable And Deterministic Test Names	✅ Passed	All test names in modified test files use static, descriptive strings with no dynamic values embedded.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everettraven
Once this PR has been reviewed and has the lgtm label, please assign benluddy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/operator/configobservation/auth/webhook_authenticator.go (2)

113-116: ⚠️ Potential issue | 🟠 Major

Propagate SyncSecret failures before advertising the webhook args.

Both SyncSecret call sites ignore their error return. If the sync fails, this observer still returns authentication-token-webhook-*, so kube-apiserver can be reconfigured to use a secret that never made it into openshift-kube-apiserver.

🚨 Suggested fix

-		resourceSyncer.SyncSecret(
+		if err := resourceSyncer.SyncSecret(
 			resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "webhook-authenticator"},
 			resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: webhookSecretName},
-		)
+		); err != nil {
+			return existingConfig, append(errs, err)
+		}

Apply the same pattern to the other SyncSecret(...) call sites in this function.

Also applies to: 138-156

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/configobservation/auth/webhook_authenticator.go` around lines
113 - 116, The SyncSecret calls on resourceSyncer (for
ResourceLocation{Namespace: operatorclient.TargetNamespace, Name:
"webhook-authenticator"} -> ResourceLocation{Namespace:
operatorclient.GlobalUserSpecifiedConfigNamespace, Name: webhookSecretName}) are
ignoring returned errors; change both places where
resourceSyncer.SyncSecret(...) is invoked to capture the error, return or
propagate it (or stop and not advertise the webhook args) when non-nil, and
ensure the function does not proceed to set/return
authentication-token-webhook-* args if SyncSecret failed; apply the same
error-check-and-propagate pattern to the other SyncSecret call site(s) in this
function so failures prevent advertising the webhook secret.

---

90-117: ⚠️ Potential issue | 🟠 Major

Limit the new gate-specific branch to OIDC auth.

Unlike ObserveAuthMetadata, this branch is not scoped to configv1.AuthenticationTypeOIDC. As written, turning on ExternalOIDCExternalClaimsSourcing forces all auth modes through the webhook-secret path, and non-OIDC clusters with no webhook secret configured will start failing on Get("").

🎯 Suggested guard

-	if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) {
+	if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) &&
+		auth.Spec.Type == configv1.AuthenticationTypeOIDC {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/configobservation/auth/webhook_authenticator.go` around lines 90
- 117, The new feature-gate branch currently runs unconditionally and must be
limited to OIDC clusters: change the condition that checks
featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) to
also require that existingConfig.Authentication.Type ==
configv1.AuthenticationTypeOIDC (or equivalent check on the observed/existing
config object) so the webhook-secret path (calls to
listers.ConfigSecretLister().Secrets(...).Get(webhookSecretName),
validateKubeconfigSecret, and resourceSyncer.SyncSecret) only executes for OIDC
auth; update logic around featureGates.Enabled, existingConfig, and the
webhookSecretName/validateKubeconfigSecret usage so non-OIDC clusters are
skipped and you avoid calling Get("").

🧹 Nitpick comments (2)

pkg/operator/configobservation/auth/auth_metadata_test.go (1)

317-317: Add an enabled-gate OIDC case here.

This harness now goes through the feature-gated constructor, but the table still only validates the legacy OIDC flow. Please add at least one AuthenticationTypeOIDC case with ExternalOIDCExternalClaimsSourcing enabled so we cover the new “delete oauth metadata without waiting for auth-config” path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/configobservation/auth/auth_metadata_test.go` at line 317, Add a
test table entry that exercises the feature-gated OIDC path by creating an
Authentication object with Type set to AuthenticationTypeOIDC and the scenario
where ExternalOIDCExternalClaimsSourcing (feature gate) is enabled; call
NewOAuthMetadataObserver(featuregates.NewHardcodedFeatureGateAccess(map[string]bool{auth.ExternalOIDCExternalClaimsSourcing:
true}, nil))(listers, eventRecorder, tt.existingConfig) (or equivalent gate
construction used elsewhere in tests) and assert the behavior that deletes oauth
metadata without waiting for auth-config, mirroring the existing legacy OIDC
case but with AuthenticationTypeOIDC and the feature gate enabled so the new
branch is covered.

pkg/operator/configobservation/auth/webhook_authenticator_test.go (1)

178-178: The new OIDC/webhook gate path still has no coverage.

These cases never drive AuthenticationSpec.Type to OIDC and don't exercise the ExternalOIDCExternalClaimsSourcing branch, so the new behavior can regress silently. Please add one enabled-gate OIDC case and one non-OIDC case to verify the branch is correctly scoped.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/configobservation/auth/webhook_authenticator_test.go` at line
178, Add two unit tests in webhook_authenticator_test.go that call
NewObserveWebhookTokenAuthenticator(...) to exercise the OIDC gate path: create
one test case where the existingConfig.AuthenticationSpec.Type is set to "OIDC"
and the feature gate ExternalOIDCExternalClaimsSourcing is enabled via
featuregates.NewHardcodedFeatureGateAccess(nil,
map[string]bool{"ExternalOIDCExternalClaimsSourcing": true}) and assert the
observed config and errors reflect the OIDC-branch behavior; and add a second
case with AuthenticationSpec.Type set to a non-OIDC value (e.g., "Webhook") with
the gate enabled or disabled to verify the branch is not taken. Ensure both
cases use the same call site (NewObserveWebhookTokenAuthenticator(...)(listers,
eventRecorder, tt.existingConfig)) so the ExternalOIDCExternalClaimsSourcing
branch in NewObserveWebhookTokenAuthenticator is exercised and validated.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@pkg/operator/configobservation/auth/webhook_authenticator.go`:
- Around line 113-116: The SyncSecret calls on resourceSyncer (for
ResourceLocation{Namespace: operatorclient.TargetNamespace, Name:
"webhook-authenticator"} -> ResourceLocation{Namespace:
operatorclient.GlobalUserSpecifiedConfigNamespace, Name: webhookSecretName}) are
ignoring returned errors; change both places where
resourceSyncer.SyncSecret(...) is invoked to capture the error, return or
propagate it (or stop and not advertise the webhook args) when non-nil, and
ensure the function does not proceed to set/return
authentication-token-webhook-* args if SyncSecret failed; apply the same
error-check-and-propagate pattern to the other SyncSecret call site(s) in this
function so failures prevent advertising the webhook secret.
- Around line 90-117: The new feature-gate branch currently runs unconditionally
and must be limited to OIDC clusters: change the condition that checks
featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) to
also require that existingConfig.Authentication.Type ==
configv1.AuthenticationTypeOIDC (or equivalent check on the observed/existing
config object) so the webhook-secret path (calls to
listers.ConfigSecretLister().Secrets(...).Get(webhookSecretName),
validateKubeconfigSecret, and resourceSyncer.SyncSecret) only executes for OIDC
auth; update logic around featureGates.Enabled, existingConfig, and the
webhookSecretName/validateKubeconfigSecret usage so non-OIDC clusters are
skipped and you avoid calling Get("").

---

Nitpick comments:
In `@pkg/operator/configobservation/auth/auth_metadata_test.go`:
- Line 317: Add a test table entry that exercises the feature-gated OIDC path by
creating an Authentication object with Type set to AuthenticationTypeOIDC and
the scenario where ExternalOIDCExternalClaimsSourcing (feature gate) is enabled;
call
NewOAuthMetadataObserver(featuregates.NewHardcodedFeatureGateAccess(map[string]bool{auth.ExternalOIDCExternalClaimsSourcing:
true}, nil))(listers, eventRecorder, tt.existingConfig) (or equivalent gate
construction used elsewhere in tests) and assert the behavior that deletes oauth
metadata without waiting for auth-config, mirroring the existing legacy OIDC
case but with AuthenticationTypeOIDC and the feature gate enabled so the new
branch is covered.

In `@pkg/operator/configobservation/auth/webhook_authenticator_test.go`:
- Line 178: Add two unit tests in webhook_authenticator_test.go that call
NewObserveWebhookTokenAuthenticator(...) to exercise the OIDC gate path: create
one test case where the existingConfig.AuthenticationSpec.Type is set to "OIDC"
and the feature gate ExternalOIDCExternalClaimsSourcing is enabled via
featuregates.NewHardcodedFeatureGateAccess(nil,
map[string]bool{"ExternalOIDCExternalClaimsSourcing": true}) and assert the
observed config and errors reflect the OIDC-branch behavior; and add a second
case with AuthenticationSpec.Type set to a non-OIDC value (e.g., "Webhook") with
the gate enabled or disabled to verify the branch is not taken. Ensure both
cases use the same call site (NewObserveWebhookTokenAuthenticator(...)(listers,
eventRecorder, tt.existingConfig)) so the ExternalOIDCExternalClaimsSourcing
branch in NewObserveWebhookTokenAuthenticator is exercised and validated.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d7cb59e5-59b3-4443-a7f7-20caa1bf3d5f

📥 Commits

Reviewing files that changed from the base of the PR and between 1a859bb and 80ccb22.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/AGENTS.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (7)

• go.mod
• pkg/operator/configobservation/auth/auth_metadata.go
• pkg/operator/configobservation/auth/auth_metadata_test.go
• pkg/operator/configobservation/auth/external_oidc.go
• pkg/operator/configobservation/auth/webhook_authenticator.go
• pkg/operator/configobservation/auth/webhook_authenticator_test.go
• pkg/operator/configobservation/configobservercontroller/observe_config_controller.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Clear the old auth-config when external claims sourcing is enabled.

return existingConfig at Lines 66-71 keeps any previously observed apiServerArguments.authentication-config and also skips the SyncConfigMap(..., empty) cleanup path below. If a cluster enables ExternalOIDCExternalClaimsSourcing after already using external OIDC, the stale auth-config stays mounted even though this branch is supposed to disable the structured auth flow.

🧹 Suggested cleanup

 	if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) {
-		return existingConfig, nil
+		if err := genericListers.ResourceSyncer().SyncConfigMap(
+			resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: AuthConfigCMName},
+			resourcesynccontroller.ResourceLocation{Namespace: "", Name: ""},
+		); err != nil {
+			return existingConfig, []error{err}
+		}
+		return nil, nil
 	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// When the ExternalOIDCExternalClaimsSourcing feature gate is enabled, the kube-apiserver
	// should not have the built-in Structured Authentication Configuration feature configured,
	// which this controller handles.
	// When this feature goes GA, this controller should be removed.
	if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) {
	return existingConfig, nil
	// When the ExternalOIDCExternalClaimsSourcing feature gate is enabled, the kube-apiserver
	// should not have the built-in Structured Authentication Configuration feature configured,
	// which this controller handles.
	// When this feature goes GA, this controller should be removed.
	if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) {
	if err := genericListers.ResourceSyncer().SyncConfigMap(
	resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: AuthConfigCMName},
	resourcesynccontroller.ResourceLocation{Namespace: "", Name: ""},
	); err != nil {
	return existingConfig, []error{err}
	}
	return nil, nil
	}

[openshift-ci]

@everettraven: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.