CNTRLPLANE-2990: Update CAO to no longer write to the Authentication.spec.webhookTokenAuthenticator field#854
Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
…ng gate Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
for communicating the webhook token authenticator secret to be used by the cluster-kube-apiserver-operator for configuring the kube-apiserver. Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
@everettraven: This pull request references CNTRLPLANE-2990 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
No actionable comments were generated in the recent review.
Walkthrough: This PR updates Go module dependencies to newer versions across multiple packages (Ginkgo, Kubernetes, OpenTelemetry, Prometheus, and others) and introduces feature gate handling to the webhook authenticator controller to enable conditional logic based on the FeatureGateExternalOIDCExternalClaimsSourcing feature gate.
Depends on #853 /hold
| // - CAO returns early and does not attempt to set the field (field is still set) | ||
| // - CKASO sees the field is set - it reads from the set field instead of using its hardcoded default | ||
| if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) { | ||
| return nil |
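Review bot: the early `return nil` when FeatureGateExternalOIDCExternalClaimsSourcing is enabled skips the whole sync silently; add a unit test covering both gate states (enabled leaves spec.webhookTokenAuthenticator untouched, disabled still writes it) and consider a debug-level log line before the return so operators can tell from the logs why the field is no longer being reconciled. The preceding comment's "(field is still set)" would also read more clearly if it said explicitly that a value written by an older CAO is intentionally left in place rather than cleared.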
Note for reviewers: I'm intentionally not removing any existing configuration so that there is a migration path from a version of CAO that did set this to one that does not.
When we tighten the validation of the API, ratcheting will be taken into consideration.
@everettraven: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/lgtm
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: everettraven, ShazaAldawamneh. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
Description
This PR updates the webhook authenticator controller to return early when the `ExternalOIDCExternalClaimsSourcing` feature gate is enabled instead of attempting to write to the `authentications.config.openshift.io/cluster` resource's `spec.webhookTokenAuthenticator` field.

This is part of a two-step change intended to allow us to maintain the existing validation enforced by https://github.com/openshift/kubernetes/blob/2034d92b4a3a51d42e306ba405fc10a89768ac69/openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go#L183-L200 that does not allow setting the `spec.webhookTokenAuthenticator` field when `spec.type` is set to `OIDC`. The second step will be to update the cluster-kube-apiserver-operator to use a hardcoded default for the webhook token authenticator secret that is overridden when the `spec.webhookTokenAuthenticator` field is set.

This is necessary as part of the work to implement the architectural change we are making to how the `OIDC` authentication mode operates under the hood that is outlined in openshift/enhancements#1907.
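The two-step design described above, modelled as an added example (not code from this PR or from either operator): a gated CAO step that never writes when the gate is on, a CKASO lookup that falls back to a hardcoded default, and the admission rule that rejects the field under `OIDC`. The struct, the gate type and the secret name are simplified placeholders, not the real API types.

```go
package main

import "fmt"

// AuthenticationSpec is a constructed, simplified mirror of the fields the PR
// discusses; the real type lives in openshift/api.
type AuthenticationSpec struct {
	Type                      string // e.g. "IntegratedOAuth" or "OIDC"
	WebhookTokenAuthenticator string // secret name, "" when unset
}

// FeatureGates stands in for the operator's feature gate accessor.
type FeatureGates struct{ ExternalOIDCExternalClaimsSourcing bool }

// defaultWebhookSecret is a constructed placeholder for the hardcoded default.
const defaultWebhookSecret = "placeholder-webhook-authenticator-secret"

// caoSync models the CAO controller after this PR: with the gate enabled it
// returns early and leaves the field exactly as it found it (no clearing);
// with the gate disabled it writes the secret reference as before.
func caoSync(gates FeatureGates, spec *AuthenticationSpec) (wrote bool) {
	if gates.ExternalOIDCExternalClaimsSourcing {
		return false
	}
	spec.WebhookTokenAuthenticator = defaultWebhookSecret
	return true
}

// ckasoWebhookSecret models the planned second step in CKASO: the spec field,
// when set, overrides the hardcoded default.
func ckasoWebhookSecret(spec AuthenticationSpec) string {
	if spec.WebhookTokenAuthenticator != "" {
		return spec.WebhookTokenAuthenticator
	}
	return defaultWebhookSecret
}

// validate mirrors the cited admission rule: the webhook field is rejected
// whenever spec.type is OIDC.
func validate(spec AuthenticationSpec) error {
	if spec.Type == "OIDC" && spec.WebhookTokenAuthenticator != "" {
		return fmt.Errorf("spec.webhookTokenAuthenticator must not be set when spec.type is OIDC")
	}
	return nil
}

func main() {
	spec := AuthenticationSpec{Type: "OIDC"} // gate on: CAO must not touch it
	fmt.Println(caoSync(FeatureGates{ExternalOIDCExternalClaimsSourcing: true}, &spec), validate(spec), ckasoWebhookSecret(spec))
}
```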