Skip to content

OCPBUGS-34027: fix(hcco): clean up OIDC auth resources when external auth is removed#9017

Open
hypershift-jira-solve-ci[bot] wants to merge 1 commit into
openshift:mainfrom
hypershift-community:fix-OCPBUGS-34027
Open

OCPBUGS-34027: fix(hcco): clean up OIDC auth resources when external auth is removed#9017
hypershift-jira-solve-ci[bot] wants to merge 1 commit into
openshift:mainfrom
hypershift-community:fix-OCPBUGS-34027

Conversation

@hypershift-jira-solve-ci

@hypershift-jira-solve-ci hypershift-jira-solve-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

When external OIDC authentication is removed from a HostedControlPlane (e.g. OIDCProviders cleared or auth type changed back to OAuth), the HCCO was not cleaning up the previously-created ConfigMaps and Secrets in the guest cluster's openshift-config namespace. This left stale OIDC resources behind.

This fix adds a garbage-collection mechanism to reconcileAuthOIDC:

  1. Labels managed resources: All OIDC ConfigMaps and Secrets created by HCCO are now labeled with hypershift.openshift.io/oidc-config-resource: "true" so they can be identified as managed resources.
  2. Tracks desired state: Builds sets of desired ConfigMap and Secret names from the current HCP spec.
  3. Cleans up stale resources: After reconciling the desired resources, lists all labeled resources in openshift-config and deletes any that are no longer in the desired set. When OIDCProviders is empty, the desired sets are empty and all labeled resources are removed.

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/OCPBUGS-34027

Special notes for your reviewer:

  • The cleanup runs on every reconcile loop of reconcileAuthOIDC, comparing labeled resources against the desired set derived from the current HCP spec
  • IsNotFound errors during deletion are safely ignored (resource may have been deleted concurrently)
  • The desiredSecrets.Insert for ARO HCP day-2 secrets is placed before the early continue, so those secrets are tracked but not copied — this prevents them from being incorrectly garbage collected

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Always review AI generated responses prior to use.
Generated with Claude Code via openshift-developer plugin


Note: This PR was auto-generated by the jira-agent periodic CI job in response to OCPBUGS-34027. See the full report for token usage, cost breakdown, and detailed phase output.

Summary by CodeRabbit

  • Bug Fixes
    • OIDC-related ConfigMaps and Secrets are now cleaned up when no longer needed.
    • Updated OIDC configurations remove stale resources while preserving unrelated resources.
    • Azure/ARO HCP day-2 secrets are no longer unnecessarily copied.
    • OIDC resources now receive consistent labels for reliable management.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 16, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@hypershift-jira-solve-ci[bot]: This pull request references Jira Issue OCPBUGS-34027, which is invalid:

  • expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.21.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

When external OIDC authentication is removed from a HostedControlPlane (e.g. OIDCProviders cleared or auth type changed back to OAuth), the HCCO was not cleaning up the previously-created ConfigMaps and Secrets in the guest cluster's openshift-config namespace. This left stale OIDC resources behind.

This fix adds a garbage-collection mechanism to reconcileAuthOIDC:

  1. Labels managed resources: All OIDC ConfigMaps and Secrets created by HCCO are now labeled with hypershift.openshift.io/oidc-config-resource: "true" so they can be identified as managed resources.
  2. Tracks desired state: Builds sets of desired ConfigMap and Secret names from the current HCP spec.
  3. Cleans up stale resources: After reconciling the desired resources, lists all labeled resources in openshift-config and deletes any that are no longer in the desired set. When OIDCProviders is empty, the desired sets are empty and all labeled resources are removed.

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/OCPBUGS-34027

Special notes for your reviewer:

  • The cleanup runs on every reconcile loop of reconcileAuthOIDC, comparing labeled resources against the desired set derived from the current HCP spec
  • IsNotFound errors during deletion are safely ignored (resource may have been deleted concurrently)
  • The desiredSecrets.Insert for ARO HCP day-2 secrets is placed before the early continue, so those secrets are tracked but not copied — this prevents them from being incorrectly garbage collected

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Always review AI generated responses prior to use.
Generated with Claude Code via openshift-developer plugin

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

The OIDC reconciler now labels copied issuer CA ConfigMaps and client Secrets, tracks desired resource names, and removes stale labeled resources from openshift-config. It continues to skip hosted-cluster-sourced day-2 secrets. Tests now cover labeling, cleanup after provider or OAuth changes, stale-resource deletion, and preservation of unlabeled resources.

Sequence Diagram(s)

sequenceDiagram
  participant reconcileAuthOIDC
  participant HostedClusterClient
  participant openshift-config
  reconcileAuthOIDC->>HostedClusterClient: Read issuer CA ConfigMap and OIDC client Secrets
  reconcileAuthOIDC->>openshift-config: Create or update labeled OIDC resources
  reconcileAuthOIDC->>openshift-config: List labeled ConfigMaps and Secrets
  reconcileAuthOIDC->>openshift-config: Delete resources absent from desired name sets
Loading
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: cleanup of OIDC auth resources when external auth is removed.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Test names in TestReconcileAuthOIDC are static string literals in t.Run table keys; no generated, timestamped, or runtime-derived titles were found.
Test Structure And Quality ✅ Passed The new OIDC cases are isolated table-driven subtests with fake clients, no cluster waits/timeouts, and they follow existing repo test patterns.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only changes OIDC ConfigMap/Secret reconciliation and tests; no pod specs, replicas, affinity, tolerations, or node selectors were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Added test is a standard Go unit test, not Ginkgo/e2e, and it shows no hardcoded IPv4 or external connectivity assumptions.
No-Weak-Crypto ✅ Passed The PR only adds label/set-based OIDC resource cleanup; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were introduced.
Container-Privileges ✅ Passed PR only changes OIDC reconciliation Go code/tests; no container/K8s manifest fields like privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation were added.
No-Sensitive-Data-In-Logs ✅ Passed New OIDC cleanup logs only resource names/namespaces; no secret contents, tokens, PII, or customer data are logged in the changed code/tests.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hypershift-jira-solve-ci[bot]
Once this PR has been reviewed and has the lgtm label, please assign bryan-cox for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
openshift-ci Bot requested review from Nirshal and sdminonne July 16, 2026 11:00
@openshift-ci openshift-ci Bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release and removed do-not-merge/needs-area labels Jul 16, 2026
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 70.21277% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.13%. Comparing base (4fa09b1) to head (b179588).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
...rconfigoperator/controllers/resources/resources.go 70.21% 8 Missing and 6 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9017      +/-   ##
==========================================
+ Coverage   44.11%   44.13%   +0.02%     
==========================================
  Files         772      772              
  Lines       96227    96292      +65     
==========================================
+ Hits        42449    42501      +52     
- Misses      50832    50839       +7     
- Partials     2946     2952       +6     
Files with missing lines Coverage Δ
...rconfigoperator/controllers/resources/resources.go 58.01% <70.21%> (+0.48%) ⬆️

... and 1 file with indirect coverage changes

Flag Coverage Δ
cmd-support 38.24% <ø> (ø)
cpo-hostedcontrolplane 46.17% <ø> (ø)
cpo-other 45.31% <70.21%> (+0.17%) ⬆️
hypershift-operator 54.09% <ø> (ø)
other 32.12% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go (1)

1557-1561: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Cover transitions to hosted-cluster-sourced day-2 secrets.

Add cases that verify an old labeled HCCO copy is deleted and an existing unlabeled guest secret is preserved when this branch starts skipping the secret. The current case only verifies that no new copy is created.

As per coding guidelines, “Unit test any code changes and additions.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go`
around lines 1557 - 1561, Extend the unit tests covering the ARO HCP and
HostedClusterSourcedAnnotation branch in the secret reconciliation flow: verify
that an existing HCCO-copied secret with the identifying label is deleted, while
an existing guest secret without that label is preserved when reconciliation
begins skipping the copy. Retain the current assertion that no new copy is
created, and add coverage for both transition cases.

Source: Coding guidelines

control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go (1)

2315-2315: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use the required test-case description format.

Rename these cases to When ... it should ..., for example: When OIDC providers are removed, it should clean up all labeled resources.

As per coding guidelines, always use the “When ... it should ...” format when creating unit tests.

Also applies to: 2358-2358, 2397-2397, 2480-2480

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go`
at line 2315, Rename the affected test-case descriptions in the resources test
table to follow the required “When ... it should ...” format, including the OIDC
provider removal cases and the cases at the other referenced locations. Preserve
each case’s existing behavior and only update the descriptions.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go`:
- Line 2315: Rename the affected test-case descriptions in the resources test
table to follow the required “When ... it should ...” format, including the OIDC
provider removal cases and the cases at the other referenced locations. Preserve
each case’s existing behavior and only update the descriptions.

In
`@control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go`:
- Around line 1557-1561: Extend the unit tests covering the ARO HCP and
HostedClusterSourcedAnnotation branch in the secret reconciliation flow: verify
that an existing HCCO-copied secret with the identifying label is deleted, while
an existing guest secret without that label is preserved when reconciliation
begins skipping the copy. Retain the current assertion that no new copy is
created, and add coverage for both transition cases.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ee285f4c-6196-4ae3-98ec-83483ee1b6c5

📥 Commits

Reviewing files that changed from the base of the PR and between 40917eb and b179588.

📒 Files selected for processing (2)
  • control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
  • control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@hypershift-jira-solve-ci[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant