Skip to content

[WIP] CNTRLPLANE-3851: Oauth proxy config e2e#31398

Open
ehearne-redhat wants to merge 5 commits into
openshift:mainfrom
ehearne-redhat:oauth-proxy-config-e2e
Open

[WIP] CNTRLPLANE-3851: Oauth proxy config e2e#31398
ehearne-redhat wants to merge 5 commits into
openshift:mainfrom
ehearne-redhat:oauth-proxy-config-e2e

Conversation

@ehearne-redhat

@ehearne-redhat ehearne-redhat commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Tests
    • Added a new end-to-end integration test covering OIDC authentication when the proxy has TrustedCA configured, verifying hot-reload behavior.
    • Confirmed proxy and direct-connect flows by asserting successful OAuth token issuance and correct Kubernetes user/group claims.
    • Expanded and reused Keycloak/OIDC test helpers for consistent setup, cleanup, rollout, and health checks.
  • Chores
    • Updated Go and Kubernetes/OpenShift-related dependencies to newer versions for compatibility and maintenance.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 16, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@ehearne-redhat: This pull request explicitly references no jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 16, 2026
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat
Once this PR has been reviewed and has the lgtm label, please assign smg247 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Walkthrough

The change exports Keycloak and OIDC authentication test helpers, updates their call sites, adds proxy and trusted-CA OAuth coverage, and upgrades the Go toolchain and selected dependencies.

Changes

OIDC authentication test infrastructure

Layer / File(s) Summary
Go and dependency updates
go.mod
Updates the Go toolchain directive and selected OpenShift API, Kubernetes, and protobuf dependency versions.
Export Keycloak client and deployment helpers
test/extended/authentication/keycloak_client.go, test/extended/authentication/keycloak_helpers.go
Exports Keycloak client APIs, deployment helpers, constants, and cleanup types while updating resource references.
Export and rewire OIDC helpers
test/extended/authentication/oidc.go
Exports OIDC configuration, route, reset, rollout, health, and cleanup helpers and updates existing scenarios to use them.
Add proxy and CA hot-reload OAuth coverage
test/extended/oauth/oidc_proxy.go
Adds proxy and direct-connectivity login scenarios plus trusted CA synchronization and rotation checks.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant OIDCProxyTest
  participant Keycloak
  participant AuthenticationOperator
  participant OAuthServer
  participant KubernetesAPI
  OIDCProxyTest->>Keycloak: Create test user and group
  OIDCProxyTest->>AuthenticationOperator: Update proxy and trusted CA configuration
  AuthenticationOperator->>OAuthServer: Reconcile authentication configuration
  OIDCProxyTest->>OAuthServer: Request OAuth token
  OIDCProxyTest->>KubernetesAPI: Submit SelfSubjectReview
  KubernetesAPI-->>OIDCProxyTest: Return username and groups
Loading

Suggested reviewers: jacobsee, everettraven

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Test Structure And Quality ⚠️ Warning The new CA hot-reload spec reuses stale authConfig from BeforeAll and never waits for the rotated CA bundle, so it can conflict and doesn’t prove reload. Refetch Authentication before updating, wait until openshift-authentication’s synced ConfigMap matches newCAPEM, then verify login and unchanged pod names.
Microshift Test Compatibility ⚠️ Warning The new ordered test suite uses config.openshift.io FeatureGates and operator.openshift.io Authentication, and only one It has an apigroup tag; no MicroShift skip guards are present. Add a MicroShift skip or tag the whole suite with an unavailable apigroup; otherwise remove TechPreviewNoUpgrade and other non-Route OpenShift API usage.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: new OAuth proxy config end-to-end coverage.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All changed Ginkgo titles are static literals; dynamic names only appear in setup/assertions, not in test titles.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The added Ginkgo tests only exercise proxy, OIDC, configmaps, and pod reconciliation; they don't require multiple nodes or HA behavior.
Topology-Aware Scheduling Compatibility ✅ Passed Only an e2e test file changed; no deployment manifests/controllers or topology-sensitive scheduling constraints were introduced.
Ote Binary Stdout Contract ✅ Passed No new stdout writes in process-level code; the only writes found are GinkgoWriter calls inside deferred test cleanups, and no init/TestMain/BeforeSuite/AfterSuite additions exist.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The new Ginkgo test uses cluster routes and network policies only; no hardcoded IPv4/IP parsing found, and Keycloak is pulled via image.LocationFor.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were added; the CA helper uses library-go, not a custom primitive.
Container-Privileges ✅ Passed No changed file adds privileged/host*/*SYS_ADMIN/allowPrivilegeEscalation settings; new test only uses ConfigMaps and NetworkPolicies.
No-Sensitive-Data-In-Logs ✅ Passed Only logs found are cleanup errors and keycloak deployment status; no passwords, tokens, PII, or customer data are logged.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from everettraven and jacobsee July 16, 2026 15:19
@openshift-ci openshift-ci Bot added the vendor-update Touching vendor dir or related files label Jul 16, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/oauth/oidc_proxy.go`:
- Around line 89-94: Replace the placeholder values in the
AuthenticationProxyConfig assigned to modified.Spec.Proxy with a provisioned or
discovered reachable test proxy endpoint for both HTTPProxy and HTTPSProxy.
Update the OIDC authentication test to assert that requests use the proxy, while
preserving the NoProxy behavior for dontGoHere.
- Around line 52-53: Update the test setup surrounding AdmittedURLForRoute to
provision the Keycloak fixture before resolving its route, rather than assuming
a prior package deployed it. Register the fixture’s cleanup in the spec’s
cleanups collection so resources are removed after the test, and preserve the
existing route lookup and test flow once provisioning succeeds.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2dc7acdd-97e1-48ce-9b79-8e32b97736d7

📥 Commits

Reviewing files that changed from the base of the PR and between 3fe65b3 and df906b4.

⛔ Files ignored due to path filters (70)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apps/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/authorization/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/types_internalreleaseimage.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/network/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/networkoperator/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/oauth/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_csi_cluster_driver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1/zz_generated.model_name.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/osin/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/osin/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/project/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/quota/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/route/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/samples/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/security/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/template/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/user/.codegen.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/encoding/prototext/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/descfmt/stringer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/editionssupport/editions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/desc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/editions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/reflect/protodesc/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (5)
  • go.mod
  • test/extended/authentication/keycloak_client.go
  • test/extended/authentication/keycloak_helpers.go
  • test/extended/authentication/oidc.go
  • test/extended/oauth/oidc_proxy.go

Comment thread test/extended/oauth/oidc_proxy.go Outdated
Comment on lines +52 to +53
// We assume keycloak has been deployed and tests done previously that it works fine.
kcUrl, err := exauth.AdmittedURLForRoute(ctx, oc, exauth.KeycloakResourceName, ns)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Provision the Keycloak fixture in this test.

This spec never deploys Keycloak, so AdmittedURLForRoute polls for a nonexistent route in oidc-oauth-login-flow; cleanups is consequently always empty. E2e selection must not depend on another package having run first. Deploy the fixture and register its cleanup within this spec.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/oauth/oidc_proxy.go` around lines 52 - 53, Update the test
setup surrounding AdmittedURLForRoute to provision the Keycloak fixture before
resolving its route, rather than assuming a prior package deployed it. Register
the fixture’s cleanup in the spec’s cleanups collection so resources are removed
after the test, and preserve the existing route lookup and test flow once
provisioning succeeds.

Comment thread test/extended/oauth/oidc_proxy.go Outdated
Comment on lines +89 to +94
// actual proxy values will be set at a later stage
modified.Spec.Proxy = operatorv1.AuthenticationProxyConfig{
HTTPProxy: "httpProxyURL",
HTTPSProxy: "httpsProxyURL",
NoProxy: []string{"dontGoHere"},
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Replace placeholder proxy endpoints with a reachable test proxy.

httpProxyURL and httpsProxyURL are not usable proxy targets. The authentication flow cannot demonstrate proxied OIDC login with these values. Provision or discover a reachable proxy endpoint and assert the expected proxy behavior.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/oauth/oidc_proxy.go` around lines 89 - 94, Replace the
placeholder values in the AuthenticationProxyConfig assigned to
modified.Spec.Proxy with a provisioned or discovered reachable test proxy
endpoint for both HTTPProxy and HTTPSProxy. Update the OIDC authentication test
to assert that requests use the proxy, while preserving the NoProxy behavior for
dontGoHere.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@ehearne-redhat ehearne-redhat changed the title [WIP] NO-JIRA: Oauth proxy config e2e [WIP] CNTRLPLANE-3851: Oauth proxy config e2e Jul 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 17, 2026

Copy link
Copy Markdown

@ehearne-redhat: This pull request references CNTRLPLANE-3851 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

  • Tests

  • Added end-to-end coverage for OIDC authentication through the component proxy.

  • Verified proxy configuration, OAuth token issuance, and identity/group claims during login.

  • Improved reusable authentication test helpers for setup, cleanup, rollout, and health checks.

  • Chores

  • Updated Go and Kubernetes-related components to newer versions.

  • Refreshed supporting API and protocol dependencies for improved compatibility.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ehearne-redhat

Copy link
Copy Markdown
Contributor Author

/jira-refresh

@ehearne-redhat

Copy link
Copy Markdown
Contributor Author

/jira refresh

@openshift-ci-robot

openshift-ci-robot commented Jul 17, 2026

Copy link
Copy Markdown

@ehearne-redhat: This pull request references CNTRLPLANE-3851 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-trt

openshift-trt Bot commented Jul 17, 2026

Copy link
Copy Markdown

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: 102559c

Job Name New Test Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift High - "[sig-auth][Feature:AuthenticationComponentProxy] OIDC login component proxy should fall back to direct IdP connectivity for oidc login [Suite:openshift/conformance/parallel]" is a new test, was only seen in one job, and failed 1 time(s) against the current commit.

New tests seen in this PR at sha: 102559c

  • "[sig-auth][Feature:AuthenticationComponentProxy] OIDC login component proxy should fall back to direct IdP connectivity for oidc login [Suite:openshift/conformance/parallel]" [Total: 1, Pass: 0, Fail: 1, Flake: 0]

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
test/extended/oauth/oidc_proxy.go (1)

182-183: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Assert the expected mapped username.

Checking only for a non-empty username allows an incorrectly mapped identity to pass. Match the expected <username>@payload.openshift.io`` value, as the authentication OIDC coverage does.

Proposed fix
-			gomega.Expect(ssr.Status.UserInfo.Username).NotTo(o.BeEmpty())
+			gomega.Expect(ssr.Status.UserInfo.Username).To(o.Equal(fmt.Sprintf("%s@payload.openshift.io", username)))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/oauth/oidc_proxy.go` around lines 182 - 183, Update the
username assertion in the OIDC proxy test to compare
ssr.Status.UserInfo.Username against the expected mapped value
"<username>`@payload.openshift.io`" instead of only checking that it is non-empty;
keep the existing groups assertion unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/oauth/oidc_proxy.go`:
- Around line 273-313: Update the rotation flow in the test around
assertOIDCLogin and the openshift-config ConfigMap update so the proxy or IdP
TLS endpoint serves a certificate signed by newCA. Wait until the synchronized
ConfigMap in openshift-authentication contains newCAPEM, then assert login
succeeds and verify the oauth-server pod list remains unchanged, proving hot
reload without redeployment.
- Around line 239-241: Update the temporary-directory cleanup deferred in the
OIDC proxy test to handle the error returned by os.RemoveAll instead of
discarding it. Preserve cleanup execution for tempDir and report any cleanup
failure through the test’s existing assertion or error-handling mechanism.
- Around line 344-350: Update updateAuthenticationProxyConfig to fetch the
current Authentication resource from the operator client before modifying it,
rather than deep-copying the stale authConfig from BeforeAll. Apply the proxy
change to the freshly retrieved object and then perform the existing Update
call.

---

Outside diff comments:
In `@test/extended/oauth/oidc_proxy.go`:
- Around line 182-183: Update the username assertion in the OIDC proxy test to
compare ssr.Status.UserInfo.Username against the expected mapped value
"<username>`@payload.openshift.io`" instead of only checking that it is non-empty;
keep the existing groups assertion unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ebf00ea9-0bee-4fbc-b1d8-9975e1348b9b

📥 Commits

Reviewing files that changed from the base of the PR and between 102559c and 614051c.

📒 Files selected for processing (1)
  • test/extended/oauth/oidc_proxy.go

Comment on lines +239 to +241
tempDir, err := os.MkdirTemp("", "testca")
o.Expect(err).NotTo(o.HaveOccurred())
defer os.RemoveAll(tempDir)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Check the temporary-directory cleanup error.

defer os.RemoveAll(tempDir) discards its error and can silently leave CA key material behind.

As per path instructions, “Never ignore error returns.”

Proposed fix
-		defer os.RemoveAll(tempDir)
+		g.DeferCleanup(func() {
+			o.Expect(os.RemoveAll(tempDir)).To(o.Succeed())
+		})
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
tempDir, err := os.MkdirTemp("", "testca")
o.Expect(err).NotTo(o.HaveOccurred())
defer os.RemoveAll(tempDir)
tempDir, err := os.MkdirTemp("", "testca")
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(func() {
o.Expect(os.RemoveAll(tempDir)).To(o.Succeed())
})
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/oauth/oidc_proxy.go` around lines 239 - 241, Update the
temporary-directory cleanup deferred in the OIDC proxy test to handle the error
returned by os.RemoveAll instead of discarding it. Preserve cleanup execution
for tempDir and report any cleanup failure through the test’s existing assertion
or error-handling mechanism.

Source: Path instructions

Comment on lines +273 to +313
updateAuthenticationProxyConfig(ctx, oc, authConfig, operatorv1.AuthenticationProxyConfig{
HTTPProxy: "httpProxyURL",
HTTPSProxy: "httpsProxyURL",
NoProxy: []string{"dontGoHere"},
TrustedCA: operatorv1.AuthenticationConfigMapReference{
Name: configMapName,
},
})

assertOIDCLogin("should be able to log in after setting spec.proxy with trustedCA")

// Explicitly verify trustedCA ConfigMap is synced to openshift-authentication namespace.
cm, err := oc.AdminKubeClient().CoreV1().ConfigMaps("openshift-authentication").Get(ctx, configMapName, metav1.GetOptions{})
o.Expect(err).NotTo(o.HaveOccurred(), "trustedCA ConfigMap %s should exist in openshift-authentication", configMapName)
o.Expect(cm).NotTo(o.BeEmpty(), "trustedCA ConfigMap %s should have data", configMapName)

// Grab oauth-server pod list to confirm no re-deployment later
oauthServerPodList, err := oc.AdminKubeClient().CoreV1().Pods("openshift-authentication").List(ctx, metav1.ListOptions{LabelSelector: "app=oauth-openshift"})
o.Expect(err).NotTo(o.HaveOccurred(), "should be able to query for oauth-server pods")
o.Expect(oauthServerPodList.Items).NotTo(o.BeEmpty(), "pod items list should contain at least one")

// Update CA file contents
newCA, err := crypto.MakeSelfSignedCA(
path.Join(tempDir, "ca-new.crt"),
path.Join(tempDir, "ca-new.key"),
path.Join(tempDir, "serial-new"),
"proxy-e2e-ca-rotated",
100*24*time.Hour,
)
o.Expect(err).NotTo(o.HaveOccurred())

newCAPEM, _, err := newCA.Config.GetPEMBytes()
o.Expect(err).NotTo(o.HaveOccurred())

cm, err = oc.AdminKubeClient().CoreV1().ConfigMaps("openshift-config").Get(ctx, configMapName, metav1.GetOptions{})
o.Expect(err).NotTo(o.HaveOccurred())
cm.Data["ca-bundle.crt"] = string(newCAPEM)
_, err = oc.AdminKubeClient().CoreV1().ConfigMaps("openshift-config").Update(ctx, cm, metav1.UpdateOptions{})
o.Expect(err).NotTo(o.HaveOccurred())

assertOIDCLogin("should be able to log in after setting spec.proxy with trustedCA")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

Make login depend on the rotated CA.

The generated CA is only stored in a ConfigMap; no proxy or IdP endpoint presents a certificate signed by it. After rotation, assertOIDCLogin can also succeed before the updated bundle is synchronized. Consequently, this test does not prove hot reload.

Rotate the certificate used by the TLS endpoint, wait until the synchronized ConfigMap contains newCAPEM, and then verify login succeeds without pod replacement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/oauth/oidc_proxy.go` around lines 273 - 313, Update the
rotation flow in the test around assertOIDCLogin and the openshift-config
ConfigMap update so the proxy or IdP TLS endpoint serves a certificate signed by
newCA. Wait until the synchronized ConfigMap in openshift-authentication
contains newCAPEM, then assert login succeeds and verify the oauth-server pod
list remains unchanged, proving hot reload without redeployment.

Comment on lines +344 to +350
func updateAuthenticationProxyConfig(ctx context.Context, oc *exutil.CLI, authConfig *operatorv1.Authentication, proxy operatorv1.AuthenticationProxyConfig) {
g.GinkgoHelper()

modified := authConfig.DeepCopy()
modified.Spec.Proxy = proxy

_, err := oc.AdminOperatorClient().OperatorV1().Authentications().Update(ctx, modified, metav1.UpdateOptions{})

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file='test/extended/oauth/oidc_proxy.go'

echo '--- outline ---'
ast-grep outline "$file" --view expanded || true

echo '--- relevant lines 1 ---'
sed -n '1,220p' "$file" | cat -n

echo '--- relevant lines 220-420 ---'
sed -n '220,420p' "$file" | cat -n

echo '--- call sites ---'
rg -n "updateAuthenticationProxyConfig|authConfig" "$file"

Repository: openshift/origin

Length of output: 20110


Fetch the current Authentication before updating it.
authConfig comes from BeforeAll, so its resourceVersion becomes stale after the first AfterEach update. The next ordered spec reuses that object and can hit an Update conflict.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/oauth/oidc_proxy.go` around lines 344 - 350, Update
updateAuthenticationProxyConfig to fetch the current Authentication resource
from the operator client before modifying it, rather than deep-copying the stale
authConfig from BeforeAll. Apply the proxy change to the freshly retrieved
object and then perform the existing Update call.

@openshift-ci

openshift-ci Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

@ehearne-redhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-serial-1of2 102559c link true /test e2e-aws-ovn-serial-1of2
ci/prow/e2e-vsphere-ovn-upi 102559c link true /test e2e-vsphere-ovn-upi
ci/prow/e2e-aws-ovn-fips 102559c link true /test e2e-aws-ovn-fips
ci/prow/e2e-aws-ovn-serial-2of2 102559c link true /test e2e-aws-ovn-serial-2of2
ci/prow/e2e-metal-ipi-ovn-ipv6 102559c link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-gcp-ovn 102559c link true /test e2e-gcp-ovn
ci/prow/e2e-vsphere-ovn 102559c link true /test e2e-vsphere-ovn
ci/prow/e2e-aws-ovn-microshift 102559c link true /test e2e-aws-ovn-microshift

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. vendor-update Touching vendor dir or related files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants