
CNTRLPLANE-3629: authentication: skip external oidc kube-apiserver configuration check when new architecture gate is enabled #31314

Open

everettraven wants to merge 1 commit into openshift:main from everettraven:feature/external-oidc-claims-sourcing-test-updates

Conversation

@everettraven (Contributor) commented Jun 18, 2026

As part of the work to accomplish https://redhat.atlassian.net/browse/CNTRLPLANE-2512 we've done some re-architecting as to how the ExternalOIDC feature works under the hood.

This PR updates the tests to skip a test case that was opinionated as to the underlying architecture for the feature that is obsolete with the incoming architecture changes. We will not remove the test case entirely until the new feature that introduces the new architecture has been promoted to the Default feature set and has shipped in a GA release. This prevents a lapse in automated regression coverage for how the baseline ExternalOIDC feature works in fully supported clusters today.

Summary by CodeRabbit

  • Tests
    • Enhanced OIDC authentication test suite to properly handle pre-configured feature states, improving test reliability and preventing obsolete test runs.

… when new architecture gate is enabled

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
@openshift-merge-bot (Contributor) commented:

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 18, 2026
@openshift-ci-robot commented Jun 18, 2026

@everettraven: This pull request references CNTRLPLANE-3629 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

As part of the work to accomplish https://redhat.atlassian.net/browse/CNTRLPLANE-2512 we've done some re-architecting as to how the ExternalOIDC feature works under the hood.

This PR updates the tests to skip a test case that was opinionated as to the underlying architecture for the feature that is obsolete with the incoming architecture changes. We will not remove the test case entirely until the new feature that introduces the new architecture has been promoted to the Default feature set and has shipped in a GA release. This prevents a lapse in automated regression coverage for how the baseline ExternalOIDC feature works in fully supported clusters today.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai (bot) commented Jun 18, 2026

Walkthrough

The OIDC test for "should configure kube-apiserver" gains a pre-check that fetches the cluster FeatureGates resource and skips the test as obsolete when the ExternalOIDCExternalClaimsSourcing feature gate is already enabled. The github.com/openshift/api/features package is imported to reference the feature gate constant.

OIDC kube-apiserver test feature gate guard

Layer / File(s) | Summary
Feature gate pre-check and import (test/extended/authentication/oidc.go) | Imports github.com/openshift/api/features and inserts a block at the start of the kube-apiserver test that reads cluster FeatureGates, iterates enabled gates, and calls g.Skip(...) when ExternalOIDCExternalClaimsSourcing is enabled.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Test Structure And Quality: ⚠️ Warning
  Explanation: The FeatureGates().Get() call at line 130 uses context.TODO() without timeout; criterion #3 requires timeouts for cluster-interacting operations.
  Resolution: Wrap the FeatureGates().Get() call in o.Eventually() with WithTimeout() or use context with timeout instead of context.TODO().

Microshift Test Compatibility: ⚠️ Warning
  Explanation: New test file uses config.openshift.io/v1 (FeatureGates, Authentications) and operator.openshift.io/v1 (KubeAPIServers) APIs unavailable on MicroShift with no protection tags or runtime checks.
  Resolution: Add [apigroup:config.openshift.io] tag to main test descriptor or guard with exutil.IsMicroShiftCluster() check, or add [Skipped:MicroShift] label to test names.

✅ Passed checks (13 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title clearly describes the main change: conditionally skipping an external OIDC kube-apiserver configuration test when a new feature gate is enabled, matching the PR's primary objective.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names: ✅ Passed. All test names in the modified file are stable and deterministic; the modified test "should configure kube-apiserver" contains no dynamic information and follows Ginkgo best practices.
Single Node Openshift (Sno) Test Compatibility: ✅ Passed. PR adds new OIDC authentication tests that are SNO-compatible. Tests deploy single-replica Keycloak, validate cluster-wide API configuration, and contain no multi-node assumptions, affinity rules,...
Topology-Aware Scheduling Compatibility: ✅ Passed. PR modifies only test code (test/extended/authentication/oidc.go), not deployment manifests, operators, or controllers. No scheduling constraints are introduced. Check is not applicable.
Ote Binary Stdout Contract: ✅ Passed. All changes are inside g.It() test case blocks, not in process-level code. The new import (github.com/openshift/api/features) has no init() or stdout-writing code. No fmt.Print/Println calls. Compl...
Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. The PR adds a feature gate check that uses only cluster-internal Kubernetes API calls with no IPv4 assumptions or external connectivity requirements. No new test structures were added; only a skip...
No-Weak-Crypto: ✅ Passed. No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish), custom crypto implementations, or insecure token/secret comparisons found in the modified test file.
Container-Privileges: ✅ Passed. This PR modifies only a Go test file (oidc.go) with test logic changes. No container or Kubernetes manifest files are added or modified, so the container-privileges check does not apply.
No-Sensitive-Data-In-Logs: ✅ Passed. The PR changes (lines 128-146) add feature gate checking logic with no logging of sensitive data. No passwords, tokens, or other secrets are exposed in logs anywhere in the code modifications.


@openshift-ci openshift-ci Bot requested review from ibihim and liouk June 18, 2026 19:05
@openshift-ci (bot, Contributor) commented Jun 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 18, 2026
@openshift-ci (bot, Contributor) commented Jun 18, 2026

@everettraven: This PR was included in a payload test run from openshift/api#2893
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/cce98770-6b48-11f1-9b34-4683d9c5c4ec-0

@coderabbitai (bot) left a review comment
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/authentication/oidc.go`:
- Around line 135-142: The loop iterating through fgs.Status.FeatureGates is
checking feature gate states across all release versions instead of filtering to
only the cluster's current version, which causes false test skips. Modify the
code to filter the FeatureGates slice to include only entries matching the
cluster's current version before or during iteration, ensuring the
externalClaimsSourcingEnabled flag is only set based on the active version's
feature gate state rather than any historical version entries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f8af2790-a287-44aa-a805-f2885edfcf4a

📥 Commits

Reviewing files that changed from the base of the PR and between 0d8f07f and b8cec14.

📒 Files selected for processing (1)
  • test/extended/authentication/oidc.go

Comment thread test/extended/authentication/oidc.go
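The review comment above asks for the gate check to be restricted to the feature-gate status entry for the version the cluster is actually running, and the earlier pre-merge check asks for the cluster read to carry a timeout. The following Go block is an added example of both points; it is not code from this PR or from the openshift/origin test suite. The FeatureGate types are local mirrors constructed so the example runs without the github.com/openshift/api module, the gate name constant and the Lookup signature are assumptions, and SampleStatus is constructed data chosen to show the false skip the reviewer describes (an entry for a payload the cluster is not running has the gate enabled).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Local mirrors of the config.openshift.io/v1 FeatureGate status shapes.
// Constructed for this example; the real types carry the same fields.
type FeatureGateAttributes struct {
	Name string
}

type FeatureGateDetails struct {
	Version  string // payload version this entry describes
	Enabled  []FeatureGateAttributes
	Disabled []FeatureGateAttributes
}

type FeatureGateStatus struct {
	FeatureGates []FeatureGateDetails
}

// Gate name taken from the PR walkthrough; the constant name is an assumption,
// not the identifier used in github.com/openshift/api/features.
const GateExternalClaimsSourcing = "ExternalOIDCExternalClaimsSourcing"

var ErrVersionNotFound = errors.New("featuregate status has no entry for the current cluster version")

// GateEnabledAnyVersion is the pattern the review flagged: it reports the gate
// as enabled if any version entry lists it, including entries for a payload
// the cluster is not currently running, which produces a false skip.
func GateEnabledAnyVersion(st FeatureGateStatus, gate string) bool {
	for _, details := range st.FeatureGates {
		for _, g := range details.Enabled {
			if g.Name == gate {
				return true
			}
		}
	}
	return false
}

// GateEnabledForVersion selects the entry whose Version matches the cluster's
// current version and reads the gate's state only from that entry. A missing
// entry is an error rather than "disabled", so the caller fails loudly instead
// of silently running or skipping the test.
func GateEnabledForVersion(st FeatureGateStatus, version, gate string) (bool, error) {
	for _, details := range st.FeatureGates {
		if details.Version != version {
			continue
		}
		for _, g := range details.Enabled {
			if g.Name == gate {
				return true, nil
			}
		}
		return false, nil
	}
	return false, fmt.Errorf("%w: %q", ErrVersionNotFound, version)
}

// Lookup abstracts the two cluster reads the test needs: the FeatureGate status
// and the cluster's current version (assumed signature; in OpenShift the
// version comes from ClusterVersion).
type Lookup func(ctx context.Context) (FeatureGateStatus, string, error)

// ShouldSkipForNewArchitecture bounds the cluster reads with a timeout and
// returns true only when the gate is enabled for the running version.
func ShouldSkipForNewArchitecture(parent context.Context, lookup Lookup, timeout time.Duration) (bool, error) {
	ctx, cancel := context.WithTimeout(parent, timeout)
	defer cancel()
	st, version, err := lookup(ctx)
	if err != nil {
		return false, fmt.Errorf("reading cluster feature gates: %w", err)
	}
	return GateEnabledForVersion(st, version, GateExternalClaimsSourcing)
}

// SampleStatus is constructed data: the running payload (5.0.0) has the gate
// disabled, while an entry for another payload (5.1.0) has it enabled.
func SampleStatus() FeatureGateStatus {
	return FeatureGateStatus{FeatureGates: []FeatureGateDetails{
		{Version: "5.0.0", Disabled: []FeatureGateAttributes{{Name: GateExternalClaimsSourcing}}},
		{Version: "5.1.0", Enabled: []FeatureGateAttributes{{Name: GateExternalClaimsSourcing}}},
	}}
}

func main() {
	st := SampleStatus()
	fmt.Println("any-version check says enabled:", GateEnabledAnyVersion(st, GateExternalClaimsSourcing))
	lookup := func(context.Context) (FeatureGateStatus, string, error) { return st, "5.0.0", nil }
	skip, err := ShouldSkipForNewArchitecture(context.Background(), lookup, 30*time.Second)
	fmt.Println("version-filtered skip:", skip, "err:", err)
}
```

With the constructed status, the any-version check reports the gate enabled and would skip the test on a 5.0.0 cluster, while the version-filtered check reports it disabled and lets the test run; an unknown version returns ErrVersionNotFound instead of a silent false.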
@openshift-ci openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 18, 2026
@openshift-merge-bot (Contributor) commented:

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci (bot, Contributor) commented Jun 18, 2026

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-gcp-ovn | b8cec14 | link | true | /test e2e-gcp-ovn
ci/prow/e2e-gcp-ovn-upgrade | b8cec14 | link | true | /test e2e-gcp-ovn-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
