CNTRLPLANE-947: Make oauthclients relatedObject dynamic depending on auth type

[liouk]

This PR moves oauthclients operator relatedObject to the dynamic func as it depends on whether OAuth is configured or not (i.e. in OIDC, there is no oauthclients API).

This will also prevent this cluster operators e2e test from failing when OIDC is configured.

Example failed run of conformance suite with OIDC configured: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/66981/rehearse-66981-periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview/1970076671268622336

[openshift-ci-robot]

@liouk: This pull request explicitly references no jira issue.

In response to this:

This PR moves oauthclients to the dynamic related objects func as it depends on whether OAuth is configured or not (i.e. in OIDC, there is no oauthclients API).

This will also prevent this cluster operators e2e test from failing when OIDC is configured.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

This PR moves oauthclients to the dynamic related objects func as it depends on whether OAuth is configured or not (i.e. in OIDC, there is no oauthclients API).

This will also prevent this cluster operators e2e test from failing when OIDC is configured.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[liouk]

/jira refresh

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

In response to this:

This PR moves oauthclients operator relatedObject to the dynamic func as it depends on whether OAuth is configured or not (i.e. in OIDC, there is no oauthclients API).

This will also prevent this cluster operators e2e test from failing when OIDC is configured.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

In response to this:

This PR moves oauthclients operator relatedObject to the dynamic func as it depends on whether OAuth is configured or not (i.e. in OIDC, there is no oauthclients API).

This will also prevent this cluster operators e2e test from failing when OIDC is configured.

Example failed run of conformance suite with OIDC configured: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/66981/rehearse-66981-periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview/1970076671268622336

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[spadgett]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liouk, spadgett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [spadgett]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liouk]

/retest-required

AWS infra issue

[liouk]

/retest-required

[liouk]

/retest-required

[Mylanos]

/retest

[Mylanos]

QA verification
/assign yapei

[yanpzhan]

@liouk Checked on OCP cluster launched against the pr. When the cluster used openshift auth idp, 'oc get oauthclients' will return several existing oauthclients：

$ oc get oauthclient --kubeconfig ~/1048.kubeconfig
NAME                           SECRET                                        WWW-CHALLENGE   TOKEN-MAX-AGE   REDIRECT URIS
console                        *********              false           default         https://console-openshift-console.apps.yanpzh1048.qe.devcluster.openshift.com/auth/callback
openshift-browser-client       ********   false           default         https://oauth-openshift.apps.yanpzh1048.qe.devcluster.openshift.com/oauth/token/display
openshift-challenging-client                                                 true            default         https://oauth-openshift.apps.yanpzh1048.qe.devcluster.openshift.com/oauth/token/implicit
openshift-cli-client                                                         false           default         http://127.0.0.1/callback,http://[::1]/callback

After configure keycloak external OIDC for the cluster, 'oc get oauthclients' will not return any resources:

$ oc get oauthclient --kubeconfig ~/1048.kubeconfig
Error from server (NotFound): Unable to list "oauth.openshift.io/v1, Resource=oauthclients": the server could not find the requested resource (get oauthclients.oauth.openshift.io)

If this is the expected check point for the pr update?

[liouk]

@yanpzhan what you've described above is the expected behavior. When external OIDC is configured, the auth operator will take down all things OAuth related, including the oauthclients resource. Which is why this PR makes it so that the respective relatedObject is updated dynamically depending on auth type.

[yanpzhan]

/label qe-approved
/verified by @yanpzhan

[openshift-ci-robot]

@liouk: This pull request references CNTRLPLANE-947 which is a valid jira issue.

In response to this:

This PR moves oauthclients operator relatedObject to the dynamic func as it depends on whether OAuth is configured or not (i.e. in OIDC, there is no oauthclients API).

This will also prevent this cluster operators e2e test from failing when OIDC is configured.

Example failed run of conformance suite with OIDC configured: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/66981/rehearse-66981-periodic-ci-openshift-cluster-authentication-operator-release-4.21-periodics-e2e-aws-external-oidc-conformance-parallel-techpreview/1970076671268622336

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@yanpzhan: This PR has been marked as verified by @yanpzhan.

In response to this:

/label qe-approved
/verified by @yanpzhan

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jhadvig]

/retest

[jhadvig]

QE Approver:
/assign @yapei
Docs Approver:
/assign @jseseCCS
PX Approver:
/assign @sferich888

[sferich888]

/label px-approved

[jseseCCS]

didn't see anything jump out that seems to be user-facing! LGTM

[jseseCCS]

/label docs-approved

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 1960690 and 2 for PR HEAD 11f23cb in total

[yapei]

@jhadvig @yanpzhan verified the changes several days ago and verified label was added

[liouk]

/test e2e-aws-console

[openshift-ci]

@liouk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	11f23cb	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-console	11f23cb	link	true	/test e2e-aws-console

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.