CNTRLPLANE-312: Add generation logic for new API fields in the Authentication CR

[ShazaAldawamneh]

No description provided.

[openshift-ci-robot]

@ShazaAldawamneh: This pull request references CNTRLPLANE-312 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updates OpenShift module dependencies and adds upstream parity support for external OIDC authentication through user validation rules and CEL-based claim validation. New functionality is guarded by a feature gate, with corresponding test coverage and expanded operator gating logic.

Changes

Cohort / File(s)	Summary
Dependency Updates go.mod	Updated github.com/openshift/api and github.com/openshift/library-go module versions to latest commits.
OIDC Controller Implementation pkg/controllers/externaloidc/externaloidc_controller.go	Added user validation rules generation with two new helper functions (generateUserValidationRule, generateUserValidationRules). Extended claim validation to support CEL expressions. Implemented upstream parity feature gate to conditionally populate UserValidationRules in JWT authenticator. Added DiscoveryURL propagation in issuer generation. Updated generateClaimValidationRules signature to include featureGates parameter.
Controller Tests pkg/controllers/externaloidc/externaloidc_controller_test.go	Added FeatureGateExternalOIDCWithUpstreamParity to test cases. Expanded test scenarios to cover invalid discovery URLs, missing required claims, and invalid user validation expressions under upstream parity gate. Updated test configurations for consistent feature gate coverage.
Operator Configuration pkg/operator/starter.go	Expanded feature gate condition in prepareExternalOIDC to include FeatureGateExternalOIDCWithUpstreamParity alongside existing external OIDC gates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ShazaAldawamneh
Once this PR has been reviewed and has the lgtm label, please assign liouk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everettraven]

Overall, the structure looks pretty good.

I have a handful of comments.

[ShazaAldawamneh]

/retest-required

[ShazaAldawamneh]

/retest-required

[everettraven]

A few minor things. Other than that, this LGTM

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/controllers/externaloidc/externaloidc_controller.go (1)

407-418: ⚠️ Potential issue | 🟠 Major

Enforce UpstreamParity gate for CEL claim validation rules.

Line 407 ignores featureGates, so TokenValidationRuleTypeCEL rules can be emitted even when FeatureGateExternalOIDCWithUpstreamParity is off. This bypasses feature gating for new fields.

🛠️ Suggested fix

 func generateClaimValidationRules(featureGates featuregates.FeatureGate, claimValidationRules ...configv1.TokenClaimValidationRule) ([]apiserverv1beta1.ClaimValidationRule, error) {
 	out := []apiserverv1beta1.ClaimValidationRule{}
 	errs := []error{}
 	for _, claimValidationRule := range claimValidationRules {
+		if claimValidationRule.Type == configv1.TokenValidationRuleTypeCEL &&
+			!featureGates.Enabled(features.FeatureGateExternalOIDCWithUpstreamParity) {
+			errs = append(errs, fmt.Errorf("claimValidationRule.type %q requires %s feature gate", configv1.TokenValidationRuleTypeCEL, features.FeatureGateExternalOIDCWithUpstreamParity))
+			continue
+		}
 		rule, err := generateClaimValidationRule(claimValidationRule)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("generating claimValidationRule: %v", err))
 			continue
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/externaloidc/externaloidc_controller.go` around lines 407 -
418, The loop in generateClaimValidationRules ignores the featureGates parameter
and may emit CEL-based rules regardless of the
FeatureGateExternalOIDCWithUpstreamParity flag; update
generateClaimValidationRules to check
featureGates.Has(featuregates.FeatureGateExternalOIDCWithUpstreamParity) (or
equivalent) before appending any rule whose type is TokenValidationRuleTypeCEL
(as determined from generateClaimValidationRule or the returned rule.Type), and
if the gate is off either skip that rule or return a descriptive error;
reference generateClaimValidationRules, generateClaimValidationRule,
TokenValidationRuleTypeCEL, and FeatureGateExternalOIDCWithUpstreamParity to
locate and implement the gate check.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controllers/externaloidc/externaloidc_controller.go`:
- Around line 226-228: The code currently sets out.DiscoveryURL when
issuer.DiscoveryURL is non-empty; instead validate the URL scheme (parse
issuer.DiscoveryURL and ensure scheme == "https") before assigning to
out.DiscoveryURL and return the appropriate error for non-HTTPS or invalid URLs;
update the branch around issuer.DiscoveryURL and out.DiscoveryURL so it parses
the value (using net/url.Parse), checks u.Scheme == "https", and only then sets
out.DiscoveryURL = &issuer.DiscoveryURL, otherwise return the “invalid discovery
URL (http)” style error.

---

Outside diff comments:
In `@pkg/controllers/externaloidc/externaloidc_controller.go`:
- Around line 407-418: The loop in generateClaimValidationRules ignores the
featureGates parameter and may emit CEL-based rules regardless of the
FeatureGateExternalOIDCWithUpstreamParity flag; update
generateClaimValidationRules to check
featureGates.Has(featuregates.FeatureGateExternalOIDCWithUpstreamParity) (or
equivalent) before appending any rule whose type is TokenValidationRuleTypeCEL
(as determined from generateClaimValidationRule or the returned rule.Type), and
if the gate is off either skip that rule or return a descriptive error;
reference generateClaimValidationRules, generateClaimValidationRule,
TokenValidationRuleTypeCEL, and FeatureGateExternalOIDCWithUpstreamParity to
locate and implement the gate check.

[ShazaAldawamneh]

/retest

[openshift-ci]

@ShazaAldawamneh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-1of2	f2a9411	link	false	/test e2e-aws-operator-encryption-kms-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-2of2	f2a9411	link	false	/test e2e-aws-operator-encryption-rotation-serial-ote-2of2
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-2of2	f2a9411	link	false	/test e2e-aws-operator-encryption-perf-serial-ote-2of2
ci/prow/e2e-agnostic	f2a9411	link	true	/test e2e-agnostic
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-1of2	f2a9411	link	false	/test e2e-aws-operator-encryption-perf-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-serial-ote-2of2	f2a9411	link	false	/test e2e-aws-operator-encryption-serial-ote-2of2
ci/prow/e2e-aws-operator-serial-ote	f2a9411	link	false	/test e2e-aws-operator-serial-ote
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-2of2	f2a9411	link	false	/test e2e-aws-operator-encryption-kms-serial-ote-2of2
ci/prow/e2e-aws-operator-encryption-serial-ote-1of2	f2a9411	link	false	/test e2e-aws-operator-encryption-serial-ote-1of2
ci/prow/e2e-aws-operator-parallel-ote	f2a9411	link	false	/test e2e-aws-operator-parallel-ote
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-1of2	f2a9411	link	false	/test e2e-aws-operator-encryption-rotation-serial-ote-1of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.