CNTRLPLANE-2990: Update CAO to no longer write to the `Authentication.spec.webhookTokenAuthenticator` field by everettraven · Pull Request #854 · openshift/cluster-authentication-operator

everettraven · 2026-03-17T18:11:44Z

Description

This PR updates the webhook authenticator controller to return early when the ExternalOIDCExternalClaimsSourcing feature gate is enabled instead of attempting to write to the authentications.config.openshift.io/cluster resource's spec.webhookTokenAuthenticator field.

This is part of a two-step change intended to allow us to maintain the existing validation enforced by https://github.com/openshift/kubernetes/blob/2034d92b4a3a51d42e306ba405fc10a89768ac69/openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go#L183-L200 that does not allow setting the spec.webhookTokenAuthenticator field when spec.type is set to OIDC. The second step will be to update the cluster-kube-apiserver-operator to use a hardcoded default for the webhook token authenticator secret that is overridden when the spec.webhookTokenAuthenticator field is set.

This is necessary as part of the work to implement the architectural change we are making to how the OIDC authentication mode operates under the hood that is outlined in openshift/enhancements#1907.

openshift-ci-robot · 2026-03-17T18:11:49Z

@everettraven: This pull request references CNTRLPLANE-2990 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Description

This PR updates the webhook authenticator controller to return early when the ExternalOIDCExternalClaimsSourcing feature gate is enabled instead of attempting to write to the authentications.config.openshift.io/cluster resource's spec.webhookTokenAuthenticator field.

This is part of a two-step change intended to allow us to maintain the existing validation enforced by https://github.com/openshift/kubernetes/blob/2034d92b4a3a51d42e306ba405fc10a89768ac69/openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go#L183-L200 that does not allow setting the spec.webhookTokenAuthenticator field when spec.type is set to OIDC. The second step will be to update the cluster-kube-apiserver-operator to use a hardcoded default for the webhook token authenticator secret that is overridden when the spec.webhookTokenAuthenticator field is set.

This is necessary as part of the work to implement the architectural change we are making to how the OIDC authentication mode operates under the hood that is outlined in openshift/enhancements#1907.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-03-17T18:12:05Z

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d434b3be-73b0-463e-af9b-55366fe1edb8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Adds feature-gate observation to the webhook authenticator controller, narrows authConfigChecker to an oidcAvailabler interface, introduces a webhook secret builder abstraction, adjusts operator wiring to pass feature-gate accessor and pointer changes, adds table-driven controller tests, and bumps one go.mod dependency.

Changes

Cohort / File(s)	Summary
Module update `go.mod`	Updated direct dependency `github.com/openshift/api` version (single-line change).
Webhook authenticator controller `pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go`	Replaced concrete `AuthConfigChecker` with `oidcAvailabler`; added `featureGateAccessor` and `webhookSecretBuilder` fields and constructor params; sync blocks until feature gates observed and reads current gates; added feature-gated early return for `FeatureGateExternalOIDCExternalClaimsSourcing`; removed prior operator-version waiting; delegated kubeconfig secret construction to `webhookSecretBuilder`; standardized not-found checks to `apierrors.IsNotFound`.
Controller tests (new) `pkg/controllers/webhookauthenticator/webhookauthenticator_controller_test.go`	Added comprehensive table-driven tests for `webhookAuthenticatorController.sync` with fakes for OIDC availability and webhook secret building; covers feature-gate observation errors, OIDC availability/error paths, secret create/delete flows, Authentication spec updates, progressing/as-expected conditions, and feature-gate early-return behavior.
Operator wiring / starter `pkg/operator/starter.go`	Adjusted calls to `workload.NewOAuthAPIServerWorkload` and `webhookauthenticator.NewWebhookAuthenticatorController` to pass `featureGateAccessor` and to change `authConfigChecker` argument passing (pointer/value adjustments).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

everettraven · 2026-03-17T18:12:15Z

Depends on #853

/hold

everettraven · 2026-03-17T19:34:09Z

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go

+	// - CAO returns early and does not attempt to set the field (field is still set)
+	// - CKASO sees the field is set - it reads from the set field instead of using its hardcoded default
+	if featureGates.Enabled(features.FeatureGateExternalOIDCExternalClaimsSourcing) {
+		return nil


Note for reviewers: I'm intentionally not removing any existing configuration so that there is a migration path from a version of CAO that did set this to one that does not.

When we tighten the validation of the API, ratcheting will be taken into consideration.

ShazaAldawamneh · 2026-03-18T18:40:59Z

/lgtm

liouk

Overall looks good; doesn't contain any tests, but I'm aware this is a preliminary review :)

We should keep track of this especially for GA; this isn't a blocker now that this featuregate is on DevPreview.

…ng gate Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

for communicating the webhook token authenticator secret to be used by the cluster-kube-apiserver-operator for configuring the kube-apiserver. Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven · 2026-03-19T16:05:00Z

/hold cancel

everettraven · 2026-03-19T19:55:33Z

@liouk I've updated this to add tests for the webhookauthenticator controller.

I had to do some refactoring to make it a bit easier to implement the tests (e.g to not always attempting to read a CA bundle from /var/...).

As a heads up, I used claude to write the unit tests and did a pretty thorough review. It looked pretty good to me and they all pass, but I'm still trying to find the best way to review the claude output so I may have missed something.

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go`:
- Around line 121-129: The sync method currently fails early by calling
featureGateAccessor.AreInitialFeatureGatesObserved() and CurrentFeatureGates()
at the top of webhookAuthenticatorController.sync; move the feature-gate lookup
(calls to AreInitialFeatureGatesObserved and CurrentFeatureGates) down into the
specific branch that actually uses the gates (the branch around the
OIDC/auth-type check currently referencing the gate at line ~175). Change the
behavior so that if AreInitialFeatureGatesObserved() is false you return a
requeue/wait (not an error) and if CurrentFeatureGates() returns an error handle
it locally in that branch (wrap/return as appropriate) so other no-op paths are
not blocked by gate warm-up/read failures.
- Around line 293-296: The nil-only guard in
defaultWebhookSecretBuilder.BuildWebhookSecret allows zero-length tls key/cert
to pass; change the check to reject empty slices (treat key or cert with len==0
same as nil) so BuildWebhookSecret returns an error for empty material, and make
the same change in the earlier secret validation path that inspects
tls.key/tls.crt and clears AuthenticatorCertKeyProgressing (ensure that code
also checks len(secret.Data["tls.key"])==0 and len(secret.Data["tls.crt"])==0
and treats them as missing/invalid).

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f7d15cd5-c549-4a26-bd8b-bee1b4ed7131

📥 Commits

Reviewing files that changed from the base of the PR and between 7709931 and a740957.

⛔ Files ignored due to path filters (42)

vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/fake/clientset_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/fake/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/fake/register.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_apiserver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_authentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_build.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_clusteroperator.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_clusterversion.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_config_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_console.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_dns.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_featuregate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_image.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagecontentpolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagedigestmirrorset.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_imagetagmirrorset.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_infrastructure.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_ingress.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_insightsdatagather.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_network.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_oauth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_operatorhub.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_project.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/fake/fake_scheduler.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_backup.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_clustermonitoring.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_config_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_criocredentialproviderconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_imagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/fake/fake_insightsdatagather.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_config_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha2/fake/fake_insightsdatagather.go is excluded by !vendor/**, !**/vendor/**
vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (3)

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go
pkg/controllers/webhookauthenticator/webhookauthenticator_controller_test.go
pkg/operator/starter.go

coderabbitai · 2026-03-19T20:01:15Z

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go

 func (c *webhookAuthenticatorController) sync(ctx context.Context, syncCtx factory.SyncContext) error {
+	if !c.featureGateAccessor.AreInitialFeatureGatesObserved() {
+		return errors.New("observing feature gates: initial feature gates have not been observed yet")
+	}
+
+	featureGates, err := c.featureGateAccessor.CurrentFeatureGates()
+	if err != nil {
+		return fmt.Errorf("observing feature gates: %w", err)
+	}


⚠️ Potential issue | 🟠 Major

Move feature-gate lookup down to the only branch that uses it.

Lines 122-129 fail sync before the OIDC and auth-type checks, so a feature-gate warm-up/read problem now blocks paths that would otherwise be a no-op. The gate is only consulted at Line 175; fetch it there instead, and treat “not observed yet” as a wait/requeue path rather than an error.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go` around lines 121 - 129, The sync method currently fails early by calling featureGateAccessor.AreInitialFeatureGatesObserved() and CurrentFeatureGates() at the top of webhookAuthenticatorController.sync; move the feature-gate lookup (calls to AreInitialFeatureGatesObserved and CurrentFeatureGates) down into the specific branch that actually uses the gates (the branch around the OIDC/auth-type check currently referencing the gate at line ~175). Change the behavior so that if AreInitialFeatureGatesObserved() is false you return a requeue/wait (not an error) and if CurrentFeatureGates() returns an error handle it locally in that branch (wrap/return as appropriate) so other no-op paths are not blocked by gate warm-up/read failures.

coderabbitai · 2026-03-19T20:01:15Z

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go

+func (d *defaultWebhookSecretBuilder) BuildWebhookSecret(ctx context.Context, svc *corev1.Service, key, cert []byte) (*corev1.Secret, error) {
+	if key == nil || cert == nil {
+		return nil, fmt.Errorf("nil key or cert")
+	}


⚠️ Potential issue | 🟠 Major

Reject empty TLS material, not just nil.

A zero-length tls.key or tls.crt still passes this guard, so the controller can publish a kubeconfig with empty client-cert data and clear AuthenticatorCertKeyProgressing as if everything were healthy. Please treat len(...) == 0 the same as missing data here and in the earlier secret validation path.

Possible fix

func (d *defaultWebhookSecretBuilder) BuildWebhookSecret(ctx context.Context, svc *corev1.Service, key, cert []byte) (*corev1.Secret, error) { - if key == nil || cert == nil { - return nil, fmt.Errorf("nil key or cert") + if len(key) == 0 || len(cert) == 0 { + return nil, fmt.Errorf("empty key or cert") }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

func (d *defaultWebhookSecretBuilder) BuildWebhookSecret(ctx context.Context, svc *corev1.Service, key, cert []byte) (*corev1.Secret, error) {

if key == nil || cert == nil {

return nil, fmt.Errorf("nil key or cert")

}

func (d *defaultWebhookSecretBuilder) BuildWebhookSecret(ctx context.Context, svc *corev1.Service, key, cert []byte) (*corev1.Secret, error) {

if len(key) == 0 || len(cert) == 0 {

return nil, fmt.Errorf("empty key or cert")

}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go` around lines 293 - 296, The nil-only guard in defaultWebhookSecretBuilder.BuildWebhookSecret allows zero-length tls key/cert to pass; change the check to reject empty slices (treat key or cert with len==0 same as nil) so BuildWebhookSecret returns an error for empty material, and make the same change in the earlier secret validation path that inspects tls.key/tls.crt and clears AuthenticatorCertKeyProgressing (ensure that code also checks len(secret.Data["tls.key"])==0 and len(secret.Data["tls.crt"])==0 and treats them as missing/invalid).

everettraven · 2026-03-19T19:57:44Z

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go

-		serviceAccounts:                   serviceAccounts,
 		configNSSecretsLister:             kubeInformersForConfigNamespace.Core().V1().Secrets().Lister(),
 		secretsLister:                     kubeInformersForTargetNamespace.Core().V1().Secrets().Lister(),
 		svcLister:                         kubeInformersForTargetNamespace.Core().V1().Services().Lister(),
-		saLister:                          kubeInformersForTargetNamespace.Core().V1().ServiceAccounts().Lister(),


These were unused.

everettraven · 2026-03-19T19:58:24Z

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go

-	// TODO: remove in 4.9; this is to ensure we don't configure webhook authenticators
-	// before the oauth-apiserver revision that's capable of handling it is ready
-	// during upgrade
-	versions := c.versionGetter.GetVersions()
-	if apiserverVersion, ok := versions["oauth-apiserver"]; ok {
-		// a previous version found means this could be an upgrade, unless the version is already current
-		if expectedVersion := os.Getenv("OPERATOR_IMAGE_VERSION"); apiserverVersion != expectedVersion {
-			if c.apiServerVersionWaitEventsLimiter.TryAccept() {
-				syncCtx.Recorder().Eventf("OAuthAPIServerWaitForLatest", "the oauth-apiserver hasn't reported its version to be %q yet, its current version is %q", expectedVersion, apiserverVersion)
-			}
-			return nil
-		}
-	}


I figured that while I was doing a refactor to implement the tests, I might as well clean this up based on the seemingly pretty old TODO.

liouk · 2026-03-20T13:54:52Z

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go


 	operatorClient v1helpers.OperatorClient

 	apiServerVersionWaitEventsLimiter flowcontrol.RateLimiter


This looks like it can be removed now that we've dropped that 4.9 TODO.

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

liouk · 2026-03-23T10:19:27Z

/lgtm

openshift-ci · 2026-03-23T10:20:18Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven, liouk, ShazaAldawamneh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [liouk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ehearne-redhat · 2026-03-23T10:28:47Z

pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go

-		Data: map[string][]byte{
-			"kubeConfig": []byte(kubeconfigComplete),
-		},
+		return nil, fmt.Errorf("building webhook secret: %w", err)


maybe should this read error building webhook secret: %w instead?

Generally, I prefer that if we are returning an error that we don't include the word "error". Following that pattern generally ends up in logs as something like:

ERR: error doing thing: error when trying something: error ...: error ......

Lots of, IMO, unnecessary repetition of the word "error".

ehearne-redhat · 2026-03-23T11:23:30Z

I'll come back to this once tests come back. So far, LGTM.

ehearne-redhat · 2026-03-23T14:38:22Z

/test e2e-agnostic

openshift-ci · 2026-03-23T17:47:12Z

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator-encryption-serial-ote-2of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-serial-ote-2of2`
ci/prow/e2e-aws-operator-serial-ote	`83e1bc6`	link	false	`/test e2e-aws-operator-serial-ote`
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-2of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-rotation-serial-ote-2of2`
ci/prow/e2e-aws-operator-encryption-serial-ote-1of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-serial-ote-1of2`
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-2of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-kms-serial-ote-2of2`
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-1of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-perf-serial-ote-1of2`
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-1of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-kms-serial-ote-1of2`
ci/prow/e2e-aws-operator-parallel-ote	`83e1bc6`	link	false	`/test e2e-aws-operator-parallel-ote`
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-2of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-perf-serial-ote-2of2`
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-1of2	`83e1bc6`	link	false	`/test e2e-aws-operator-encryption-rotation-serial-ote-1of2`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

everettraven · 2026-03-23T22:03:34Z

/verified by @everettraven

openshift-ci-robot · 2026-03-23T22:03:45Z

@everettraven: This PR has been marked as verified by @everettraven.

Details

In response to this:

/verified by @everettraven

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 17, 2026

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 17, 2026

openshift-ci bot requested review from ibihim and liouk March 17, 2026 18:19

everettraven commented Mar 17, 2026

View reviewed changes

everettraven mentioned this pull request Mar 17, 2026

CNTRLPLANE-2992: Update CKASO to use a default webhook authenticator secret when authentication type is not None openshift/cluster-kube-apiserver-operator#2074

Merged

openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 18, 2026

openshift-ci bot assigned ShazaAldawamneh Mar 18, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 18, 2026

liouk suggested changes Mar 19, 2026

View reviewed changes

everettraven added 2 commits March 19, 2026 10:40

dependencies: bump o/api to commit w/ExternalOIDCExternalClaimsSourci…

1bb682b

…ng gate Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

feat: webhookauthenticator: do not set authentications spec

7709931

for communicating the webhook token authenticator secret to be used by the cluster-kube-apiserver-operator for configuring the kube-apiserver. Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven force-pushed the feature/eoidc-ec-nosetspec branch from 32ddde8 to 7709931 Compare March 19, 2026 14:40

openshift-ci bot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Mar 19, 2026

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 19, 2026

coderabbitai bot reviewed Mar 19, 2026

View reviewed changes

everettraven commented Mar 20, 2026

View reviewed changes

liouk suggested changes Mar 20, 2026

View reviewed changes

everettraven force-pushed the feature/eoidc-ec-nosetspec branch from a740957 to 3d0b870 Compare March 23, 2026 10:01

testing: refactor webhookauthenticator controller and implement tests

83e1bc6

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

everettraven force-pushed the feature/eoidc-ec-nosetspec branch from 3d0b870 to 83e1bc6 Compare March 23, 2026 10:17

openshift-ci bot assigned liouk Mar 23, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 23, 2026

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 23, 2026

ehearne-redhat reviewed Mar 23, 2026

View reviewed changes

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 23, 2026

openshift-merge-bot bot merged commit 9a8c53c into openshift:master Mar 23, 2026
14 of 24 checks passed


		operatorClient v1helpers.OperatorClient

		apiServerVersionWaitEventsLimiter flowcontrol.RateLimiter

Conversation

everettraven commented Mar 17, 2026

Description

Uh oh!

openshift-ci-robot commented Mar 17, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Uh oh!

coderabbitai bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Reviews paused

Walkthrough

Changes

Estimated code review effort

Uh oh!

everettraven commented Mar 17, 2026

Uh oh!

everettraven Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ShazaAldawamneh commented Mar 18, 2026

Uh oh!

liouk left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

everettraven commented Mar 19, 2026

Uh oh!

everettraven commented Mar 19, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

everettraven Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

everettraven Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

liouk Mar 20, 2026

Choose a reason for hiding this comment

Uh oh!

liouk commented Mar 23, 2026

Uh oh!

openshift-ci bot commented Mar 23, 2026

Uh oh!

ehearne-redhat Mar 23, 2026

Choose a reason for hiding this comment

Uh oh!

everettraven Mar 23, 2026

Choose a reason for hiding this comment

Uh oh!

ehearne-redhat commented Mar 23, 2026

Uh oh!

ehearne-redhat commented Mar 23, 2026

Uh oh!

openshift-ci bot commented Mar 23, 2026

Uh oh!

everettraven commented Mar 23, 2026

Uh oh!

openshift-ci-robot commented Mar 23, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

openshift-ci-robot commented Mar 17, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Mar 17, 2026 •

edited

Loading

everettraven Mar 17, 2026 •

edited

Loading

liouk left a comment •

edited

Loading