CONSOLE-4822: Refactor Console Operator Authentication Controllers #1054
This commit addresses two issues related to OIDC authentication:

1. Fixed OIDC client secret lookup in oidcsetup controller to use the correct informer, namespace (openshift-config) and dynamic secret name from the Authentication CR, instead of hardcoded values.
2. Added condition cleanup in sync_v400 to properly clear the OIDCProviderTrustedAuthorityConfigGet degraded condition when authentication type changes from OIDC to non-OIDC (e.g., IntegratedOAuth). This prevents the Console Operator from remaining in a Degraded state indefinitely during rollback scenarios.

The second fix follows the same pattern used in the oidcsetup controller for clearing conditions when auth type is not OIDC.

Assisted-by: Claude Code 2.0.5, claude-sonnet-4-5@20250929
Signed-off-by: Ahmed Abdalla <[email protected]>
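The two fixes this commit message describes, modelled as an added Go sketch (not code from this PR or from the console-operator). The stand-in types, the function names `oidcSecretKey` and `pruneDegraded`, the component identity and the sample secret name are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types (assumptions), not the operator's or openshift/api structs.
type OIDCClient struct{ ComponentNamespace, ComponentName, SecretName string }
type Authentication struct {
	Type    string // "OIDC", "IntegratedOAuth" or "None"
	Clients []OIDCClient
}
type SecretKey struct{ Namespace, Name string }

const trustedCADegraded = "OIDCProviderTrustedAuthorityConfigGet"

var errNoSecretRef = errors.New("no client secret referenced for the console")

// oidcSecretKey returns where to read the console's OIDC client secret:
// namespace openshift-config, name taken from the Authentication CR.
func oidcSecretKey(auth Authentication) (SecretKey, error) {
	for _, c := range auth.Clients {
		// Component identity below is a constructed value for this sketch.
		if c.ComponentNamespace == "openshift-console" && c.ComponentName == "console" && c.SecretName != "" {
			return SecretKey{Namespace: "openshift-config", Name: c.SecretName}, nil
		}
	}
	return SecretKey{}, errNoSecretRef // fail closed rather than guess a name
}

// pruneDegraded drops the OIDC-only degraded condition when the auth type is
// no longer OIDC, so a rollback does not leave the operator Degraded.
func pruneDegraded(auth Authentication, degraded map[string]string) map[string]string {
	kept := make(map[string]string, len(degraded))
	for name, msg := range degraded {
		if name == trustedCADegraded && auth.Type != "OIDC" {
			continue
		}
		kept[name] = msg
	}
	return kept
}

func main() {
	// Constructed sample input.
	auth := Authentication{Type: "OIDC", Clients: []OIDCClient{{"openshift-console", "console", "idp-console-secret"}}}
	fmt.Println(oidcSecretKey(auth))
	auth.Type = "IntegratedOAuth" // rollback away from OIDC
	fmt.Println(pruneDegraded(auth, map[string]string{trustedCADegraded: "configmap not found"}))
}
```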
Split oauthClientSecretController and oidcSetupController into two
clearly-separated controllers based on authentication type to improve
code organization and eliminate duplicate resource management.
Changes:
- Renamed oauthClientSecretController → integratedOAuthController
  - Handles only IntegratedOAuth and None authentication types
  - Removed OIDC client secret fetching logic
  - Location: pkg/console/controllers/integratedoauth/
- Renamed oidcSetupController → oidcController
  - Handles all OIDC authentication resources
  - Added OIDC client secret syncing from openshift-config to openshift-console/console-oauth-config
  - Now owns complete OIDC resource lifecycle
  - Location: pkg/console/controllers/oidc/
- Updated pkg/console/starter/starter.go with new controller names
Benefits:
- Clear separation of concerns by authentication type
- Eliminates duplicate OIDC client secret fetching
- Controller names accurately reflect their responsibilities
- Easier maintenance and debugging
🤖 Generated with Claude Code 2.0.5, claude-sonnet-4-5@20250929
Co-Authored-By: Claude <[email protected]>
Replace all hardcoded "console-oauth-config" strings with the existing constant deploymentsub.ConsoleOauthConfigName for consistency and maintainability.
Changes:
- pkg/console/controllers/oidc/oidc.go
  - Added deploymentsub import
  - Use constant for secret name lookup
- pkg/console/controllers/integratedoauth/integratedoauth.go
  - Added deploymentsub import
  - Use constant in informer filter, sync(), and syncSecret()
- pkg/console/controllers/oauthclients/oauthclients.go
  - Added deploymentsub import
  - Use constant for secret lookup
Benefits:
- Single source of truth for the secret name
- Easier refactoring if name needs to change
- Consistent with existing codebase patterns
🤖 Generated with Claude Code 2.0.9, claude-sonnet-4-5@20250929
Co-Authored-By: Claude <[email protected]>
@devguyio: This pull request references CONSOLE-4822 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: devguyio
/hold
@devguyio: The following test failed, say
Note
This PR is stacked on top of #1052
Summary
Refactors console-operator authentication controllers to improve separation of concerns and eliminate duplicate resource management by splitting controllers by authentication type.
Fixes CONSOLE-4822
Problem
- oauthClientSecretController handled both IntegratedOAuth AND OIDC (despite OAuth-only name)
- oidcSetupController validated OIDC secret but didn't sync it
Solution
Split Controllers by Auth Type
- integratedOAuthController (pkg/console/controllers/integratedoauth/)
- oidcController (pkg/console/controllers/oidc/)
  - openshift-config to openshift-console/console-oauth-config
Use Constants
Replaced hardcoded "console-oauth-config" strings with deploymentsub.ConsoleOauthConfigName constant.
Benefits