Skip to content

CNTRLPLANE-368: improve OIDC field validations for Authentication resources #2409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 7, 2025
Merged

CNTRLPLANE-368: improve OIDC field validations for Authentication resources #2409

merged 2 commits into from
Aug 7, 2025

Conversation

everettraven
Copy link
Contributor

@everettraven everettraven commented Jul 17, 2025
edited
Loading

Updates some of the validations for OIDC-specific fields in the authentications.config.openshift.io CRD.

Specifically:

@everettraven
config/authentication: oidc: tighten validation on CEL expression fields
ff3355d 
as we discovered in openshift/kubernetes#2353 (comment)
that the current constraints are to loose and result
in excessive expression compile times when used up to
the limitations.

Signed-off-by: Bryce Palmer <[email protected]>
@openshift-ci-robot
Copy link

@everettraven: This pull request explicitly references no jira issue.

In response to this:

as we discovered in openshift/kubernetes#2353 (comment) that the current constraints are to loose and result in excessive expression compile times when used up to the limitations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 17, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jul 17, 2025

Hello @everettraven! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@everettraven
Copy link
Contributor Author

This PR may evolve to include additional validation changes.

/hold

@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 17, 2025
@openshift-ci openshift-ci bot requested review from deads2k and JoelSpeed July 17, 2025 20:03
@everettraven everettraven mentioned this pull request Jul 17, 2025
Merged
@everettraven everettraven changed the title NO-ISSUE: config/authentication: oidc: tighten validation on CEL expression fields CNTRLPLANE-368: improve OIDC field validations for Authentication resources Aug 5, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Aug 5, 2025
edited by openshift-ci bot
Loading

@everettraven: This pull request references CNTRLPLANE-368 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

as we discovered in openshift/kubernetes#2353 (comment) that the current constraints are to loose and result in excessive expression compile times when used up to the limitations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 5, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Aug 5, 2025
edited by openshift-ci bot
Loading

@everettraven: This pull request references CNTRLPLANE-368 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Updates some of the validations for OIDC-specific fields in the authentications.config.openshift.io CRD.

Specifically:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

JoelSpeed
JoelSpeed reviewed Aug 5, 2025
View reviewed changes
Copy link
Contributor

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are any of these fields embedded in the HostedCluster on HyperShift? I believe they may be.

If they are, we need to be careful about the changes we introduce and how they might impact the HostedCluster API on older API servers (CC @enxebre since we talked about this yesterday)

@everettraven
Copy link
Contributor Author

Are any of these fields embedded in the HostedCluster on HyperShift? I believe they may be.

Yes, they are.

If they are, we need to be careful about the changes we introduce and how they might impact the HostedCluster API on older API servers

In theory, the ratcheting issuerURL changes should only impact existing HostedCluster instances that are invalid and fail to rollout a valid configuration to the Kube API server.

The tightening of the validations on the CEL expression fields should be safe because the feature-gate that corresponds to those fields is TPNU only for both HCP and OCP.

@everettraven everettraven force-pushed the improve/oidc-validations branch from 0cc875b to 8ef2976 Compare August 5, 2025 18:17
@openshift-ci openshift-ci bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Aug 5, 2025
JoelSpeed
JoelSpeed reviewed Aug 6, 2025
View reviewed changes
@everettraven
config/authentication: improve issuerURL validations
2cfc921 
to align with the KAS validations

Signed-off-by: Bryce Palmer <[email protected]>
@everettraven everettraven force-pushed the improve/oidc-validations branch from 8ef2976 to 2cfc921 Compare August 6, 2025 13:26
@everettraven
Copy link
Contributor Author

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 6, 2025
@JoelSpeed
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 6, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven, JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 6, 2025
@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD 7605f9b and 2 for PR HEAD 2cfc921 in total

@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD 3315d66 and 1 for PR HEAD 2cfc921 in total

@everettraven
Copy link
Contributor Author

/retest-required

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 7, 2025
edited
Loading

@everettraven: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-azure 2cfc921 link false /test e2e-azure

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@everettraven
Copy link
Contributor Author

/retest-required

@openshift-merge-bot openshift-merge-bot bot merged commit a42cd21 into openshift:master Aug 7, 2025
26 of 27 checks passed
@openshift-bot
Copy link

[ART PR BUILD NOTIFIER]

Distgit: ose-cluster-config-api
This PR has been included in build ose-cluster-config-api-container-v4.20.0-202508072056.p0.ga42cd21.assembly.stream.el9.
All builds following this will include this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

1 more reviewer

@JoelSpeed JoelSpeed JoelSpeed left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@JoelSpeed JoelSpeed

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@everettraven @openshift-ci-robot @JoelSpeed @openshift-bot