From 83fa43ff6cdbe7f56f3c9ab037624bf6abecef9f Mon Sep 17 00:00:00 2001
From: Ahmed Abdalla
Date: Fri, 5 Sep 2025 13:22:21 +0200
Subject: [PATCH] fix(oidc): fix secret lookup, validation, and condition cleanup
This commit addresses three issues related to OIDC authentication:
1. Fixed OIDC client secret lookup in oidcsetup controller to use the correct informer (configSecretsLister), namespace (openshift-config), and dynamic secret name from the Authentication CR, instead of hardcoded values.
2. Fixed secret revision validation to compare the TARGET secret (openshift-console/console-oauth-config) with the deployment annotation, following the same pattern as ConfigMap CA trust validation. This ensures proper verification of secret sync status.
3. Added condition cleanup in sync_v400 to properly clear the OIDCProviderTrustedAuthorityConfigGet degraded condition when authentication type changes from OIDC to non-OIDC (e.g., IntegratedOAuth). This prevents the Console Operator from remaining in a Degraded state indefinitely during rollback scenarios.
Assisted-by: Claude Code 2.0.5, claude-sonnet-4-5@20250929
Signed-off-by: Ahmed Abdalla
---
 pkg/console/controllers/oidcsetup/oidcsetup.go | 15 +++++++++++++--
 pkg/console/operator/sync_v400.go | 3 +++
 pkg/console/starter/starter.go | 1 +
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/pkg/console/controllers/oidcsetup/oidcsetup.go b/pkg/console/controllers/oidcsetup/oidcsetup.go
index ef0b506a6..9a6c1d458 100644
--- a/pkg/console/controllers/oidcsetup/oidcsetup.go
+++ b/pkg/console/controllers/oidcsetup/oidcsetup.go
@@ -58,6 +58,7 @@ type oidcSetupController struct {
 authnLister configv1listers.AuthenticationLister
 consoleOperatorLister operatorv1listers.ConsoleLister
 configConfigMapLister corev1listers.ConfigMapLister
+ configSecretsLister corev1listers.SecretLister
 targetNSSecretsLister corev1listers.SecretLister
 targetNSConfigMapLister corev1listers.ConfigMapLister
 targetNSDeploymentsLister appsv1listers.DeploymentLister
@@ -74,6 +75,7 @@ func NewOIDCSetupController(
 authenticationClient configv1client.AuthenticationInterface,
 consoleOperatorInformer operatorv1informers.ConsoleInformer,
 configConfigMapInformer corev1informers.ConfigMapInformer,
+ configSecretInformer corev1informers.SecretInformer,
 targetNSsecretsInformer corev1informers.SecretInformer,
 targetNSConfigMapInformer corev1informers.ConfigMapInformer,
 targetNSDeploymentsInformer appsv1informers.DeploymentInformer,
@@ -87,6 +89,7 @@ func NewOIDCSetupController(
 authnLister: authnInformer.Lister(),
 consoleOperatorLister: consoleOperatorInformer.Lister(),
 configConfigMapLister: configConfigMapInformer.Lister(),
+ configSecretsLister: configSecretInformer.Lister(),
 targetNSSecretsLister: targetNSsecretsInformer.Lister(),
 targetNSDeploymentsLister: targetNSDeploymentsInformer.Lister(),
 targetNSConfigMapLister: targetNSConfigMapInformer.Lister(),
@@ -102,6 +105,7 @@ func NewOIDCSetupController(
 authnInformer.Informer(),
 configConfigMapInformer.Informer(),
 consoleOperatorInformer.Informer(),
+ configSecretInformer.Informer(),
 targetNSsecretsInformer.Informer(),
 targetNSDeploymentsInformer.Informer(),
 targetNSConfigMapInformer.Informer(),
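Review bot: The new lister/informer pair is named inconsistently across the `@@ -58` and `@@ -74` hunks: the struct field is `configSecretsLister` (plural) while the constructor parameter is `configSecretInformer` (singular), whereas the existing pairs keep one form (`configConfigMapLister`/`configConfigMapInformer`, `targetNSSecretsLister`/`targetNSsecretsInformer`). Renaming the parameter to `configSecretsInformer` in the `@@ -74`, `@@ -87` and `@@ -102` hunks keeps the convention. The field would also benefit from a short comment saying what it is for, e.g. `// configSecretsLister reads the OIDC client secret that the Authentication CR references, from the openshift-config namespace.` Both the struct type and NewOIDCSetupController extend beyond these hunks.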
@@ -200,7 +204,7 @@ func (c *oidcSetupController) syncAuthTypeOIDC(ctx context.Context, authnConfig
 return nil
 }
- clientSecret, err := c.targetNSSecretsLister.Secrets(api.TargetNamespace).Get("console-oauth-config")
+ clientSecret, err := c.configSecretsLister.Secrets(api.OpenShiftConfigNamespace).Get(clientConfig.ClientSecret.Name)
 if err != nil {
 c.authStatusHandler.Degraded("OIDCClientSecretGet", err.Error())
 return err
@@ -252,7 +256,14 @@ func (c *oidcSetupController) checkClientConfigStatus(authnConfig *configv1.Auth
 return false, "deployment unavailable or outdated", nil
 }
- if clientSecret.GetResourceVersion() != depl.ObjectMeta.Annotations["console.openshift.io/oauth-secret-version"] {
+ // Get the TARGET secret (synced copy in openshift-console namespace)
+ // to compare its resource version with the deployment annotation
+ targetClientSecret, err := c.targetNSSecretsLister.Secrets(api.OpenShiftConsoleNamespace).Get("console-oauth-config")
+ if err != nil {
+ return false, "", err
+ }
+
+ if targetClientSecret.GetResourceVersion() != depl.ObjectMeta.Annotations["console.openshift.io/oauth-secret-version"] {
 return false, "client secret version not up to date in current deployment", nil
 }
diff --git a/pkg/console/operator/sync_v400.go b/pkg/console/operator/sync_v400.go
index 048b19aa0..3a2cf9fd4 100644
--- a/pkg/console/operator/sync_v400.go
+++ b/pkg/console/operator/sync_v400.go
@@ -117,6 +117,9 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 if err != nil {
 return statusHandler.FlushAndReturn(err)
 }
+ default:
+ // Clear OIDC-related conditions when auth type is not OIDC
+ statusHandler.AddConditions(status.HandleProgressingOrDegraded("OIDCProviderTrustedAuthorityConfigGet", "", nil))
 }
 customLogosErr, customLogosErrReason := co.SyncCustomLogos(updatedOperatorConfig)
diff --git a/pkg/console/starter/starter.go b/pkg/console/starter/starter.go
index bd9a2cbe0..f14e44ba3 100644
--- a/pkg/console/starter/starter.go
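Review bot: `clientConfig.ClientSecret.Name` comes straight from the Authentication CR and is handed to `Get` with no check in this hunk; when the reference is unset, the lookup fails with a not-found for an empty name and the Degraded message built from `err.Error()` does not tell the cluster admin which field is missing. Unless an earlier part of syncAuthTypeOIDC already rejects an empty reference (the function starts before this hunk, so I cannot see it), guard first: `if clientConfig.ClientSecret.Name == "" { c.authStatusHandler.Degraded("OIDCClientSecretGet", "client secret reference in the Authentication CR is empty"); return <error> }`. Since the secret is now read from openshift-config through the new `configSecretsLister`, the `OIDCClientSecretGet` reason will also surface cache-sync and RBAC problems for that namespace, which is worth a short comment on the lookup line.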
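Review bot: After this change checkClientConfigStatus fetches the target secret itself, so the `clientSecret` value that the removed comparison used may no longer be read anywhere in the function; if it is still a parameter and now unused, drop it or note why the caller still passes it (the signature and the rest of the body are outside the hunk). A not-found for `console-oauth-config` is returned as a hard error (`return false, "", err`), while the deployment check just above reports a reason with a nil error; if the synced copy can legitimately lag the source secret, handling the not-found case via apimachinery's `IsNotFound` as `return false, "client secret not yet synced to target namespace", nil` keeps that transient state out of the error path. The removed line addressed the same namespace as `api.TargetNamespace`, whereas the new line uses `api.OpenShiftConsoleNamespace`; if both name openshift-console, use one constant consistently.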
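Review bot: The new `default:` branch resets only `OIDCProviderTrustedAuthorityConfigGet`, so any other condition the OIDC case sets through `statusHandler` (that case starts before this hunk, so only its error tail is visible) would still stick after a switch back to IntegratedOAuth, which is the same symptom this commit fixes. Either clear every OIDC-only condition name here or keep the list of names next to the code that sets them so the two stay in step. I would also expand the comment so the reason survives: `// Auth type is no longer OIDC: reset the conditions only the OIDC branch sets, otherwise a stale Degraded would persist across a rollback.` The `HandleProgressingOrDegraded(name, "", nil)` call presumably yields a cleared condition; confirm that against the status package, since a wrong status value here would silently mask a real Degraded.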
+++ b/pkg/console/starter/starter.go
@@ -296,6 +296,7 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 configClient.ConfigV1().Authentications(),
 operatorConfigInformers.Operator().V1().Consoles(),
 kubeInformersConfigNamespaced.Core().V1().ConfigMaps(),
+ kubeInformersConfigNamespaced.Core().V1().Secrets(),
 kubeInformersNamespaced.Core().V1().Secrets(),
 kubeInformersNamespaced.Core().V1().ConfigMaps(),
 kubeInformersNamespaced.Apps().V1().Deployments(),
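Review bot: `kubeInformersConfigNamespaced.Core().V1().Secrets()` starts a list/watch on every Secret in the openshift-config namespace, which nothing in this constructor call did before; the diffstat lists only Go files, so confirm the operator's Role in openshift-config already grants get/list/watch on secrets, otherwise the informer never syncs and the controller stalls at startup with a reason that is hard to trace back to RBAC. Because the informer caches every secret in that namespace in memory rather than only the one the Authentication CR references, consider whether the factory behind `kubeInformersConfigNamespaced` can be narrowed for this informer (a field selector on the referenced name, or a dedicated informer), keeping the operator's secret exposure to what it needs. RunOperator extends beyond this hunk.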