HYPERFLEET-492 - refactor: replace OCM auth client with JWT-based auth

AGENTS.md

@@ -36,8 +36,8 @@ make generate-all     # Both of the above
 ```
 make verify           # go vet + gofmt check
 make lint             # golangci-lint
-make test             # Unit tests (OCM_ENV=unit_testing)
-make test-integration # Integration tests with testcontainers (OCM_ENV=integration_testing)
+make test             # Unit tests (HYPERFLEET_ENV=unit_testing)
+make test-integration # Integration tests with testcontainers (HYPERFLEET_ENV=integration_testing)
 make test-helm        # Helm chart lint + template validation
 make verify-all       # verify + lint + test — fast, no DB needed
 make test-all         # lint + test + test-integration + test-helm — full suite
@@ -54,9 +54,9 @@ Run `make help` for the complete target list.
 
 ## Testing
 
-**Unit tests**: `make test` — sets `OCM_ENV=unit_testing`, runs `./pkg/...` and `./cmd/...`
+**Unit tests**: `make test` — sets `HYPERFLEET_ENV=unit_testing`, runs `./pkg/...` and `./cmd/...`
 
-**Integration tests**: `make test-integration` — sets `OCM_ENV=integration_testing` and `TESTCONTAINERS_RYUK_DISABLED=true`. Testcontainers auto-creates isolated PostgreSQL instances. Located in `test/integration/`.
+**Integration tests**: `make test-integration` — sets `HYPERFLEET_ENV=integration_testing` and `TESTCONTAINERS_RYUK_DISABLED=true`. Testcontainers auto-creates isolated PostgreSQL instances. Located in `test/integration/`.
 
 **Helm tests**: `make test-helm` — lints and renders templates with multiple value combinations.
 
@@ -67,7 +67,7 @@ Run `make help` for the complete target list.
 **Integration test setup**: `test.RegisterIntegration(t)` returns `(helper, client)`. Uses Gomega assertions and Resty HTTP client.
 
 **Environment variables for tests**:
-- `OCM_ENV` — selects config: `unit_testing`, `integration_testing`, `development`
+- `HYPERFLEET_ENV` — selects config: `unit_testing`, `integration_testing`, `development`
 - `TESTCONTAINERS_RYUK_DISABLED=true` — required in CI
 - `HYPERFLEET_CLUSTER_ADAPTERS` / `HYPERFLEET_NODEPOOL_ADAPTERS` — adapter lists (defaults set in TestMain)
 

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- JWT authentication handler using `golang-jwt/jwt/v5` and `MicahParks/keyfunc/v3` with RS256 validation, configurable issuer and audience, and JWKS key rotation support ([#120](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/120))
 - Hard deletion for Clusters and NodePools: resources and their adapter statuses are permanently removed from the database once all required adapters report `Finalized=True` and no child resources remain ([#119](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/119))
 - `Finalized` condition aggregation with `WaitingForChildResources` intermediate state when all adapters are finalized but child node pools still exist ([#119](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/119))
 - Soft deletion for Clusters and NodePools with `deleted_time` and `deleted_by` fields for tracking deletion requests ([#106](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/106))
@@ -28,6 +29,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- Replaced OCM SDK authentication handler with standalone JWT middleware, removing `ocm-sdk-go` dependency and its transitive dependencies (`glog`, `bluemonday`, `json-iterator`) ([#120](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/120))
+- Upgraded JWT library from `golang-jwt/jwt/v4` to `golang-jwt/jwt/v5` ([#120](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/120))
 - Refactored `AdapterStatusDao.Upsert()` to accept a pre-fetched existing record, moving lookup and `LastTransitionTime` preservation logic to the service layer ([#119](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/119))
 - Refactored DAO methods to remove Unscoped calls for fetching Clusters and NodePools ([#106](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/106))
 - Bumped oapi-codegen version to fix missing `omitempty` on generated response objects ([#106](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/106))
@@ -37,6 +40,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Streamlined configuration system with Viper, removed getters and _FILE suffix pattern ([#75](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/75))
 - Used CHANGE_ME placeholder for image registry ([#83](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/83))
 
+### Removed
+
+- OCM SDK dependency (`ocm-sdk-go`), OCM client (`pkg/client/ocm/`), OCM configuration (`pkg/config/ocm.go`), OCM logger bridge (`pkg/logger/ocm_bridge.go`), and OCM authorization mocks ([#120](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/120))
+
 ### Fixed
 
 - Validated adapter status conditions in handler layer ([#88](https://github.com/openshift-hyperfleet/hyperfleet-api/pull/88))

CLAUDE.md

@@ -34,7 +34,7 @@ Tool management uses [Bingo](https://github.com/bwplotka/bingo) — tool version
 |---|---|---|
 | `make verify` | go vet + gofmt check | No |
 | `make lint` | golangci-lint | No |
-| `make test` | Unit tests (`OCM_ENV=unit_testing`) | No |
+| `make test` | Unit tests (`HYPERFLEET_ENV=unit_testing`) | No |
 | `make test-integration` | Integration tests (testcontainers) | No (auto-creates) |
 | `make test-helm` | Helm chart lint + template validation | No |
 | `make verify-all` | verify + lint + test (single command) | No |

CONTRIBUTING.md

@@ -96,7 +96,7 @@ make test
 make ci-test-unit
 ```
 
-Unit tests run with `OCM_ENV=unit_testing` and do not require a running database.
+Unit tests run with `HYPERFLEET_ENV=unit_testing` and do not require a running database.
 
 ### Integration Tests
 ```bash

Makefile

@@ -73,17 +73,14 @@ unit_test_json_output ?= ${PWD}/unit-test-results.json
 integration_test_json_output ?= ${PWD}/integration-test-results.json
 
 ### Environment-sourced variables with defaults
-ifndef OCM_ENV
-	OCM_ENV := development
+ifndef HYPERFLEET_ENV
+	HYPERFLEET_ENV := development
 endif
 
 ifndef TEST_SUMMARY_FORMAT
 	TEST_SUMMARY_FORMAT = short-verbose
 endif
 
-ifndef OCM_BASE_URL
-	OCM_BASE_URL := "https://api.integration.openshift.com"
-endif
 
 .PHONY: help
 help: ## Display this help
@@ -154,7 +151,7 @@ run: build ## Run the application
 .PHONY: run-no-auth
 run-no-auth: build ## Run the application without auth
 	./bin/hyperfleet-api migrate
-	./bin/hyperfleet-api serve --enable-authz=false --enable-jwt=false
+	./bin/hyperfleet-api serve --server-jwt-enabled=false
 
 .PHONY: run/docs
 run/docs: check-container-tool ## Run swagger and host the api spec
@@ -191,33 +188,31 @@ secrets: ## Initialize secrets directory with default values
 	@printf "$(db_password)" > secrets/db.password
 	@printf "$(db_port)" > secrets/db.port
 	@printf "$(db_user)" > secrets/db.user
-	@printf "ocm-hyperfleet-testing" > secrets/ocm-service.clientId
-	@printf "your-client-secret-here" > secrets/ocm-service.clientSecret
-	@printf "your-token-here" > secrets/ocm-service.token
+
 	@echo "Secrets directory initialized with default values"
 
 ##@ Testing
 
 .PHONY: test
 test: install secrets $(GOTESTSUM) ## Run unit tests
-	OCM_ENV=unit_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
+	HYPERFLEET_ENV=unit_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
 		./pkg/... \
 		./cmd/...
 
 .PHONY: ci-test-unit
 ci-test-unit: install secrets $(GOTESTSUM) ## Run unit tests with JSON output
-	OCM_ENV=unit_testing $(GOTESTSUM) --jsonfile-timing-events=$(unit_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
+	HYPERFLEET_ENV=unit_testing $(GOTESTSUM) --jsonfile-timing-events=$(unit_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -v $(TESTFLAGS) \
 		./pkg/... \
 		./cmd/...
 
 .PHONY: test-integration
 test-integration: install secrets $(GOTESTSUM) ## Run integration tests
-	TESTCONTAINERS_RYUK_DISABLED=true OCM_ENV=integration_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
+	TESTCONTAINERS_RYUK_DISABLED=true HYPERFLEET_ENV=integration_testing $(GOTESTSUM) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
 			./test/integration
 
 .PHONY: ci-test-integration
 ci-test-integration: install secrets $(GOTESTSUM) ## Run integration tests with JSON output
-	TESTCONTAINERS_RYUK_DISABLED=true OCM_ENV=integration_testing $(GOTESTSUM) --jsonfile-timing-events=$(integration_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
+	TESTCONTAINERS_RYUK_DISABLED=true HYPERFLEET_ENV=integration_testing $(GOTESTSUM) --jsonfile-timing-events=$(integration_test_json_output) --format $(TEST_SUMMARY_FORMAT) -- -p 1 -ldflags -s -v -timeout 1h $(TESTFLAGS) \
 			./test/integration
 
 .PHONY: test-all
@@ -329,8 +324,7 @@ test-helm: ## Test Helm charts (lint, template, validate)
 		--set image.tag=test \
 		--set 'adapters.cluster=["validation"]' \
 		--set 'adapters.nodepool=["validation"]' \
-		--set auth.enableJwt=false \
-		--set auth.enableAuthz=false > /dev/null
+		--set config.server.jwt.enabled=false > /dev/null
 	@echo "Auth disabled config template OK"
 	@echo ""
 	@echo "Testing template with custom image..."

PREREQUISITES.md

@@ -38,15 +38,6 @@ PostgreSQL client tools provide the `psql` command-line interface for database i
 - **Installation**: Follow the instructions on the [jq official website](https://jqlang.github.io/jq/)
 - **Verification**: Run `jq --version`
 
-## ocm CLI (Optional)
-
-`ocm` stands for OpenShift Cluster Manager CLI and is used for authentication in production mode.
-
-- **Purpose**: CLI tool for authenticating with OCM and making authenticated API requests
-- **Installation**: Refer to the [OCM CLI documentation](https://github.com/openshift-online/ocm-cli)
-- **Note**: Only required when running with authentication enabled (production mode)
-- **Development**: For local development, use `make run-no-auth` which bypasses authentication
-
 ## Quick Verification
 
 Run these commands to verify all prerequisites are installed:
@@ -57,9 +48,6 @@ go version              # Should show 1.24 or higher
 podman --version
 psql --version          # PostgreSQL client
 jq --version            # JSON processor
-
-# Optional tools
-ocm version             # OCM CLI (production auth only)
 ```
 
 ## Getting Started

charts/templates/configmap.yaml

@@ -28,9 +28,6 @@ data:
       jwt:
         enabled: {{ .Values.config.server.jwt.enabled }}
 
-      authz:
-        enabled: {{ .Values.config.server.authz.enabled }}
-
       jwk:
         cert_file: {{ .Values.config.server.jwk.cert_file | quote }}
         cert_url: {{ .Values.config.server.jwk.cert_url | quote }}

charts/values.yaml

@@ -51,9 +51,6 @@ config:
     jwt:
       enabled: true
 
-    authz:
-      enabled: false
-
     jwk:
       cert_file: ""
       cert_url: "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"

cmd/hyperfleet-api/environments/e_development.go

@@ -26,9 +26,6 @@ func (e *devEnvImpl) OverrideConfig(c *config.ApplicationConfig) error {
 		c.Database.SSL.Mode = SSLModeDisable
 	}
 
-	// Enable OCM mocks for development (no real OCM connection needed)
-	c.OCM.Mock.Enabled = true
-
 	return nil
 }
 
@@ -40,10 +37,6 @@ func (e *devEnvImpl) OverrideHandlers(h *Handlers) error {
 	return nil
 }
 
-func (e *devEnvImpl) OverrideClients(c *Clients) error {
-	return nil
-}
-
 func (e *devEnvImpl) EnvironmentDefaults() map[string]string {
 	// Return empty map - new config system has appropriate defaults
 	// and OverrideConfig() sets development-specific values programmatically

cmd/hyperfleet-api/environments/e_integration_testing.go

@@ -38,9 +38,6 @@ func (e *integrationTestingEnvImpl) OverrideConfig(c *config.ApplicationConfig)
 		c.Database.SSL.Mode = SSLModeDisable
 	}
 
-	// Enable OCM mocks for integration testing (no real OCM connection needed)
-	c.OCM.Mock.Enabled = true
-
 	return nil
 }
 
@@ -52,10 +49,6 @@ func (e *integrationTestingEnvImpl) OverrideHandlers(h *Handlers) error {
 	return nil
 }
 
-func (e *integrationTestingEnvImpl) OverrideClients(c *Clients) error {
-	return nil
-}
-
 func (e *integrationTestingEnvImpl) EnvironmentDefaults() map[string]string {
 	// Return empty map - new config system has appropriate defaults
 	// and OverrideConfig() sets test-specific values programmatically

cmd/hyperfleet-api/environments/e_production.go

@@ -29,14 +29,8 @@ func (e *productionEnvImpl) OverrideHandlers(h *Handlers) error {
 	return nil
 }
 
-func (e *productionEnvImpl) OverrideClients(c *Clients) error {
-	return nil
-}
-
 func (e *productionEnvImpl) EnvironmentDefaults() map[string]string {
 	return map[string]string{
-		"v":               "1",
-		"ocm-debug":       "false",
-		"enable-ocm-mock": "false",
+		"v": "1",
 	}
 }

cmd/hyperfleet-api/environments/e_unit_testing.go

@@ -30,10 +30,6 @@ func (e *unitTestingEnvImpl) OverrideConfig(c *config.ApplicationConfig) error {
 	if c.Database.SSL.Mode == "" {
 		c.Database.SSL.Mode = SSLModeDisable
 	}
-
-	// Enable OCM mocks for unit testing (no real OCM connection needed)
-	c.OCM.Mock.Enabled = true
-
 	// Unit tests use a mock DB and don't need real credentials
 	return nil
 }
@@ -46,10 +42,6 @@ func (e *unitTestingEnvImpl) OverrideHandlers(h *Handlers) error {
 	return nil
 }
 
-func (e *unitTestingEnvImpl) OverrideClients(c *Clients) error {
-	return nil
-}
-
 func (e *unitTestingEnvImpl) EnvironmentDefaults() map[string]string {
 	// Return empty map - new config system has appropriate defaults
 	// and OverrideConfig() sets test-specific values programmatically