Skip to content

CNTRLPLANE-3629: features: promote ExternalOIDCExternalClaimsSourcing to TechPreviewNoUpgrade#2893

Draft
everettraven wants to merge 1 commit into
openshift:masterfrom
everettraven:feature/promote-externalclaimssourcing-tpnu
Draft

CNTRLPLANE-3629: features: promote ExternalOIDCExternalClaimsSourcing to TechPreviewNoUpgrade#2893
everettraven wants to merge 1 commit into
openshift:masterfrom
everettraven:feature/promote-externalclaimssourcing-tpnu

Conversation

@everettraven

@everettraven everettraven commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

No description provided.

@openshift-merge-bot

openshift-merge-bot Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 16, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 16, 2026
edited by openshift-ci Bot
Loading

Copy link
Copy Markdown

@everettraven: This pull request references CNTRLPLANE-3629 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4e28e144-3589-43c1-94ac-5c6a8c975b0b

📥 Commits

Reviewing files that changed from the base of the PR and between afae6dc and a41e2c7.

⛔ Files ignored due to path filters (1)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
📒 Files selected for processing (5)
  • features.md
  • features/features.go
  • payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
✅ Files skipped from review due to trivial changes (1)
  • features.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
  • features/features.go
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
📝 Walkthrough

Walkthrough

FeatureGateExternalOIDCExternalClaimsSourcing is enabled in TechPreviewNoUpgrade by extending the Authentication CRD with a new externalClaimsSources field that supports fetching additional JWT claims from external HTTP sources with configurable authentication, TLS, URL construction, predicates, and claim mappings. The feature gate is expanded in code to include inTechPreviewNoUpgrade() alongside the existing inDevPreviewNoUpgrade() condition, and two TechPreviewNoUpgrade payload manifests move the gate from disabled to enabled. The features.md documentation table is updated to reposition the feature gate entry to its correct location.

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Test Structure And Quality ⚠️ Warning Multiple test assertions in GenerateTestSuite lack meaningful failure messages. Lines 107, 110, 126, and similar lack diagnostic context per requirement 4. Add failure messages to Expect() calls without messages (e.g., line 107, 110, 126): Expect(err).ToNot(HaveOccurred(), "failed to load versioned CRD").
Description check ❓ Inconclusive No pull request description was provided by the author. Add a description explaining the purpose, context, and rationale for promoting this feature gate to TechPreviewNoUpgrade status.
✅ Passed checks (13 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: promoting the ExternalOIDCExternalClaimsSourcing feature to TechPreviewNoUpgrade status, which aligns with all file modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All Ginkgo test names in the PR are stable and deterministic. Test names in YAML test specs (e.g., "Should be able to create a minimal Authentication") are static strings. Generated test suite name...
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests added. PR contains generated code, feature gate configs, and test infrastructure using envtest (local test environment), not e2e tests requiring MicroShift-incompatible APIs.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new e2e tests targeting SNO assumptions were added. The only Ginkgo tests found (tests/eval/eval_test.go) are AI review evaluations with build:eval tag, not cluster e2e tests with multi-node ass...
Topology-Aware Scheduling Compatibility ✅ Passed PR only updates feature gate definitions and Authentication CRD schema; no deployment manifests, operator code, or scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed PR properly configures logging to GinkgoWriter instead of stdout. No process-level stdout writes found that would violate OTE binary JSON contract with openshift-tests.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR does not add new Ginkgo e2e tests; check only applies to new tests. Changes are feature gate declarations, documentation, and CRD schemas only.
No-Weak-Crypto ✅ Passed No weak cryptography detected. PR contains only configuration/schema changes for OIDC external claims sourcing, with proper use of TLS, HTTPS, and Kubernetes Secrets for credential storage.
Container-Privileges ✅ Passed This PR modifies the openshift/api repository to promote the ExternalOIDCExternalClaimsSourcing feature gate to TechPreviewNoUpgrade status. The changes are: feature gate definitions, CRD schema ex...
No-Sensitive-Data-In-Logs ✅ Passed No logging statements that expose sensitive data (passwords, tokens, API keys, PII, session IDs, hostnames) found in code changes; PR only contains feature gate promotion and CRD schema definition...

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 16, 2026
@openshift-ci

openshift-ci Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Hello @everettraven! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci

openshift-ci Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 16, 2026
@openshift-ci

openshift-ci Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@everettraven
features: promote ExternalOIDCExternalClaimsSourcing to TechPreviewNo…
a41e2c7 
…Upgrade

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
@everettraven everettraven force-pushed the feature/promote-externalclaimssourcing-tpnu branch from afae6dc to a41e2c7 Compare June 16, 2026 12:11
@openshift-ci openshift-ci Bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 16, 2026
@everettraven

everettraven commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Looks like we removed the TPNU jobs I would have used to test that this doesn't introduce any regressions in TPNU. Will need to update that.

@everettraven everettraven mentioned this pull request Jun 16, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@everettraven @openshift-ci-robot