@@ -0,0 +1,30 @@
apiVersion: operator.openshift.io/v1
kind: Authentication
metadata:
name: cluster
status:
conditions:
- lastTransitionTime: "2025-08-07T22:38:20Z"
message: no oauth-openshift.openshift-authentication pods available on any node.
reason: NoPod
status: "False"
type: OAuthServerDeploymentAvailable
- lastTransitionTime: "2025-08-01T18:45:36Z"
reason: AsExpected
status: "False"
type: OAuthServerDeploymentDegraded
- lastTransitionTime: "2025-08-07T22:38:20Z"
message: 'deployment/oauth-openshift.openshift-authentication: 0/1 pods have been
updated to the latest generation and 0/1 pods are available'
reason: PodsUpdating
status: "True"
type: OAuthServerDeploymentProgressing
⚠️ Potential issue

Fix replica math in condition message (0/1 vs replicas: 0).

This status says “0/1 … 0/1 available” while the expected Deployment sets replicas to 0. Align this to 0/0 or change the Deployment to 1 replica; otherwise the test is self-inconsistent and brittle.

Apply one of:

-    message: 'deployment/oauth-openshift.openshift-authentication: 0/1 pods have been
-      updated to the latest generation and 0/1 pods are available'
+    message: 'deployment/oauth-openshift.openshift-authentication: 0/0 pods have been
+      updated to the latest generation and 0/0 pods are available'

…or switch the Deployment to replicas: 1 to match “0/1”.

🤖 Prompt for AI Agents
In
test-data/apply-configuration/overall/oauth-server-creation-minimal/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/5749-body-cluster.yaml
around lines 17-21, the condition message reports "0/1 pods" while the actual
Deployment replica count is 0; make them consistent by either (A) updating the
condition message to "0/0 pods have been updated to the latest generation and
0/0 pods are available" to reflect replicas: 0, or (B) change the expected
Deployment spec to replicas: 1 so the message "0/1 ... 0/1 available" is
correct—choose one approach and apply that single, consistent fix throughout the
expected output and any related test fixtures.

- lastTransitionTime: "2025-08-01T18:45:36Z"
status: "False"
type: OAuthServerWorkloadDegraded
generations:
- group: apps
lastGeneration: 0
name: oauth-openshift
namespace: openshift-authentication
resource: deployments
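Review bot: the OAuthServerDeploymentProgressing message ("0/1 pods have been updated ... 0/1 pods are available") does not match the Deployment fixture created in this same PR, which sets replicas: 3, so switching the message to 0/0 as suggested above would leave the fixture just as inconsistent; the expected message should be derived from the replica count the Create fixture actually uses (0/3 on first creation, while the generations entry still records lastGeneration: 0). A second, smaller point: OAuthServerWorkloadDegraded is the only condition in this status without a reason, whereas the others carry NoPod, AsExpected or PodsUpdating; consumers commonly key off reason, so give it the same AsExpected that OAuthServerDeploymentDegraded has.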
@@ -0,0 +1,9 @@
action: ApplyStatus
controllerInstanceName: TODO-deploymentController
fieldManager: OAuthServer-Workload
generateName: ""
name: cluster
resourceType:
Group: operator.openshift.io
Resource: authentications
Version: v1
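Review bot: controllerInstanceName: TODO-deploymentController is a placeholder that also appears in the deployment Create action and in the controllerResults fixture in this PR; once the real controller name is settled, every expected-output file in this directory has to change in one commit, so it is worth generating these fixtures from the harness rather than hand-editing them, or at least calling the pending rename out in the PR description.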
@@ -0,0 +1,2 @@
fieldManager: OAuthServer-Workload
force: true
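Review bot: force: true on this server-side apply means the OAuthServer-Workload field manager will take ownership of any conflicting status fields from other managers instead of failing on conflict. That is the usual choice for an operator writing the status it owns, and the manager name here matches the ApplyStatus action above, but if any other controller in the controllerResults list also applies to the status of authentications/cluster, ownership of shared fields will flip between managers on every sync; keep the set of status fields each manager writes disjoint, and have the fixture assert on the fieldManager so that a regression in manager naming is caught.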
@@ -0,0 +1,22 @@
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2025-08-07T22:38:20Z"
involvedObject:
kind: Deployment
name: authentication-operator
namespace: openshift-authentication-operator
kind: Event
lastTimestamp: "2025-08-07T22:38:20Z"
message: Created Deployment.apps/oauth-openshift -n openshift-authentication because
it was missing
metadata:
creationTimestamp: null
name: authentication-operator.18599d2230299800.64fe3b99
namespace: openshift-authentication-operator
reason: DeploymentCreated
reportingComponent: ""
reportingInstance: ""
source:
component: cluster-authentication-operator-run-once-sync-context
type: Normal
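Review bot: the event name authentication-operator.18599d2230299800.64fe3b99 and the firstTimestamp/lastTimestamp value 2025-08-07T22:38:20Z are hardcoded wall-clock values; unless the test harness pins the clock and the name suffix generator, this fixture will not reproduce on a rerun, so confirm the harness normalises both before comparing. Also, reportingComponent and reportingInstance are empty strings while source.component is set to cluster-authentication-operator-run-once-sync-context; filling them from the same value costs nothing and keeps the event attributable in tooling that reads the events.k8s.io/v1 view (reportingController/reportingInstance) rather than core/v1 source.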
@@ -0,0 +1,9 @@
action: Create
controllerInstanceName: ""
generateName: ""
name: authentication-operator.18599d2230299800.64fe3b99
namespace: openshift-authentication-operator
resourceType:
Group: ""
Resource: events
Version: v1
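Review bot: controllerInstanceName is the empty string for this event Create, whereas the deployment Create and the ApplyStatus actions record TODO-deploymentController. If the DeploymentCreated event is emitted by the same controller that created the deployment, recording the name here lets the harness check that the event and the deployment came from one sync; if it is deliberately blank because the event recorder is not attributed, a comment in the fixture saying so would stop the next reader from "fixing" it.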
@@ -0,0 +1,191 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
operator.openshift.io/rvs-hash: f4V-TOKKLhC7zxXahsybviIQ6XFZf_Ua2SFe2jckw9gL4UuCiEXYmFPtjUvFGC13xB72tEYqR0N1somiZq0-JQ
operator.openshift.io/spec-hash: 0a0b624d81acaa84b703ae631aa8552ec31f538924445ffe696cf9a6c39d7dac
labels:
app: oauth-openshift
name: oauth-openshift
namespace: openshift-authentication
spec:
replicas: 3
selector:
matchLabels:
app: oauth-openshift
strategy:
rollingUpdate:
maxSurge: 3
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
openshift.io/required-scc: privileged
operator.openshift.io/rvs-hash: f4V-TOKKLhC7zxXahsybviIQ6XFZf_Ua2SFe2jckw9gL4UuCiEXYmFPtjUvFGC13xB72tEYqR0N1somiZq0-JQ
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
labels:
app: oauth-openshift
oauth-openshift-anti-affinity: "true"
name: oauth-openshift
namespace: openshift-authentication
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: oauth-openshift
oauth-openshift-anti-affinity: "true"
topologyKey: kubernetes.io/hostname
containers:
- args:
- |
if [ -s /var/config/system/configmaps/v4-0-config-system-trusted-ca-bundle/ca-bundle.crt ]; then
echo "Copying system trust bundle"
cp -f /var/config/system/configmaps/v4-0-config-system-trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
fi
exec oauth-server osinserver \
--config=/var/config/system/configmaps/v4-0-config-system-cliconfig/v4-0-config-system-cliconfig \
--v=2 \
--audit-log-format=json \
--audit-log-maxbackup=10 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/oauth-server/audit.log \
--audit-policy-file=/var/run/configmaps/audit/audit.yaml
command:
- /bin/bash
- -ec
lifecycle:
preStop:
exec:
command:
- sleep
- "25"
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: oauth-openshift
ports:
- containerPort: 6443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 6443
scheme: HTTPS
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 10m
memory: 50Mi
securityContext:
privileged: true
readOnlyRootFilesystem: false
runAsUser: 0
⚠️ Potential issue | 🟠 Major

Document the security rationale for privileged container execution.

The container runs with privileged: true, readOnlyRootFilesystem: false, and runAsUser: 0. While the OAuth server may legitimately require elevated privileges for TLS and security operations, this security posture should be documented or hardened if possible. Consider adding a comment or test documentation explaining why privilege escalation cannot be avoided.

Per static analysis (CKV_K8S_16, CKV_K8S_20, CKV_K8S_23), this configuration permits privilege escalation and root execution. For a test fixture, this is acceptable if intentional, but the rationale should be clear.

🤖 Prompt for AI Agents
In
test-data/apply-configuration/overall/oauth-server-creation-minimal/expected-output/Management/Create/namespaces/openshift-authentication/apps/deployments/a3d6-body-oauth-openshift.yaml
lines 95-98, document and/or harden the privileged container configuration:
either add a clear inline YAML comment and test fixture documentation stating
why privileged: true, readOnlyRootFilesystem: false, and runAsUser: 0 are
required for this OAuth server (include link or reference to the security
justification), or if privilege is not strictly required, harden the pod
security settings by setting privileged: false, readOnlyRootFilesystem: true,
runAsNonRoot: true (or remove runAsUser: 0) and set
securityContext.allowPrivilegeEscalation: false; ensure the chosen approach is
reflected in test docs and any gating checks.

terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/configmaps/audit
name: audit-policies
- mountPath: /var/log/oauth-server
name: audit-dir
- mountPath: /var/config/system/secrets/v4-0-config-system-session
name: v4-0-config-system-session
readOnly: true
- mountPath: /var/config/system/configmaps/v4-0-config-system-cliconfig
name: v4-0-config-system-cliconfig
readOnly: true
- mountPath: /var/config/system/secrets/v4-0-config-system-serving-cert
name: v4-0-config-system-serving-cert
readOnly: true
- mountPath: /var/config/system/configmaps/v4-0-config-system-service-ca
name: v4-0-config-system-service-ca
readOnly: true
- mountPath: /var/config/system/secrets/v4-0-config-system-router-certs
name: v4-0-config-system-router-certs
readOnly: true
- mountPath: /var/config/system/secrets/v4-0-config-system-ocp-branding-template
name: v4-0-config-system-ocp-branding-template
readOnly: true
- mountPath: /var/config/user/template/secret/v4-0-config-user-template-login
name: v4-0-config-user-template-login
readOnly: true
- mountPath: /var/config/user/template/secret/v4-0-config-user-template-provider-selection
name: v4-0-config-user-template-provider-selection
readOnly: true
- mountPath: /var/config/user/template/secret/v4-0-config-user-template-error
name: v4-0-config-user-template-error
readOnly: true
- mountPath: /var/config/system/configmaps/v4-0-config-system-trusted-ca-bundle
name: v4-0-config-system-trusted-ca-bundle
readOnly: true
nodeSelector:
node-role.kubernetes.io/master: ""
priorityClassName: system-cluster-critical
serviceAccountName: oauth-openshift
terminationGracePeriodSeconds: 40
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 120
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 120
volumes:
- configMap:
name: audit
name: audit-policies
- hostPath:
path: /var/log/oauth-server
name: audit-dir
- name: v4-0-config-system-session
secret:
secretName: v4-0-config-system-session
- configMap:
name: v4-0-config-system-cliconfig
name: v4-0-config-system-cliconfig
- name: v4-0-config-system-serving-cert
secret:
secretName: v4-0-config-system-serving-cert
- configMap:
name: v4-0-config-system-service-ca
name: v4-0-config-system-service-ca
- name: v4-0-config-system-router-certs
secret:
secretName: v4-0-config-system-router-certs
- name: v4-0-config-system-ocp-branding-template
secret:
secretName: v4-0-config-system-ocp-branding-template
- name: v4-0-config-user-template-login
secret:
optional: true
secretName: v4-0-config-user-template-login
- name: v4-0-config-user-template-provider-selection
secret:
optional: true
secretName: v4-0-config-user-template-provider-selection
- name: v4-0-config-user-template-error
secret:
optional: true
secretName: v4-0-config-user-template-error
- configMap:
name: v4-0-config-system-trusted-ca-bundle
optional: true
name: v4-0-config-system-trusted-ca-bundle
status: {}
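Review bot: the pod combines privileged: true, runAsUser: 0, readOnlyRootFilesystem: false, openshift.io/required-scc: privileged and a writable hostPath at /var/log/oauth-server on master nodes, so a compromise of oauth-server is a root-on-control-plane foothold with a host directory to write into. The only host-touching operations visible in the spec are the audit log written to that hostPath via --audit-log-path and the startup cp of ca-bundle.crt into /etc/pki/ca-trust/extracted/pem; the second is what forces readOnlyRootFilesystem: false and could be served by an emptyDir mounted at that path instead, and the audit-dir hostPath has no type set, so it performs no check on what is at /var/log/oauth-server (use Directory or DirectoryOrCreate). allowPrivilegeEscalation is not set either; with privileged: true it is implicitly true, so if the privileged flag is ever dropped, set it to false explicitly rather than relying on the default. Separately, requiredDuringSchedulingIgnoredDuringExecution anti-affinity on kubernetes.io/hostname, nodeSelector node-role.kubernetes.io/master and replicas: 3 mean maxSurge: 3 can never place a surge pod on a three-master cluster; rollouts will rely entirely on maxUnavailable: 2, which leaves a single OAuth server handling logins mid-rollout, and the 1s probe timeoutSeconds gives it little slack under that load.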
@@ -0,0 +1,9 @@
action: Create
controllerInstanceName: TODO-deploymentController
generateName: ""
name: oauth-openshift
namespace: openshift-authentication
resourceType:
Group: apps
Resource: deployments
Version: v1
@@ -0,0 +1,81 @@
controllerResults:
- controllerName: APIServerStaticResources-StaticResources
status: Skipped
- controllerName: NamespaceFinalizerController_openshift-oauth-apiserver
status: Skipped
- controllerName: OAuthAPIServerController-WorkloadWorkloadController
status: Skipped
- controllerName: RevisionController
status: Skipped
- controllerName: SecretRevisionPruneController
status: Skipped
- controllerName: TODO-authRouteCheckController
status: Skipped
- controllerName: TODO-authServiceCheckController
status: Skipped
- controllerName: TODO-authServiceEndpointCheckController
status: Skipped
- controllerName: TODO-authenticatorCertRequester
status: Skipped
- controllerName: TODO-configObserver
status: Skipped
- controllerName: TODO-configOverridesController
status: Skipped
- controllerName: TODO-customRouteController
status: Skipped
- controllerName: TODO-deploymentController
status: Succeeded
- controllerName: TODO-ingressStateController
status: Skipped
- controllerName: TODO-logLevelController
status: Skipped
- controllerName: TODO-managementStateController
status: Skipped
- controllerName: TODO-metadataController
status: Skipped
- controllerName: TODO-oauthClientsSwitchedController
status: Skipped
- controllerName: TODO-other-configObserver
status: Skipped
- controllerName: TODO-other-externalOIDCController
status: Skipped
- controllerName: TODO-payloadConfigController
status: Skipped
- controllerName: TODO-proxyConfigController
status: Skipped
- controllerName: TODO-resourceSyncer
status: Skipped
- controllerName: TODO-routerCertsController
status: Skipped
- controllerName: TODO-serviceCAController
status: Skipped
- controllerName: TODO-staleConditions
status: Skipped
- controllerName: TODO-staticResourceController
status: Skipped
- controllerName: TODO-trustDistributionController
status: Skipped
- controllerName: TODO-webhookAuthController
status: Skipped
- controllerName: TODO-webhookCertsApprover
status: Skipped
- controllerName: TODO-wellKnownReadyController
status: Skipped
- controllerName: TODO-workersAvailableController
status: Skipped
- controllerName: auditPolicyController
status: Skipped
- controllerName: authentication
status: Skipped
- controllerName: openshift-apiserver-APIService
status: Skipped
- controllerName: openshift-oauth-apiserver-EncryptionCondition
status: Skipped
- controllerName: openshift-oauth-apiserver-EncryptionKey
status: Skipped
- controllerName: openshift-oauth-apiserver-EncryptionMigration
status: Skipped
- controllerName: openshift-oauth-apiserver-EncryptionPrune
status: Skipped
- controllerName: openshift-oauth-apiserver-EncryptionState
status: Skipped
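Review bot: most entries carry a TODO- prefix and TODO-configObserver sits beside TODO-other-configObserver, so this list reads as a snapshot of interim names rather than the final controller set. If the fixture is compared verbatim, every rename will rewrite this file in each expected-output directory; settling the names before more scenarios are added avoids that churn, and documenting in the test-data directory that only TODO-deploymentController is expected to reach Succeeded in the creation-minimal scenario tells the next reader that the long run of Skipped entries is intentional.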