CNTRLPLANE-3629: features: promote ExternalOIDCExternalClaimsSourcing to TechPreviewNoUpgrade

[everettraven]

No description provided.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@everettraven: This pull request references CNTRLPLANE-3629 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 982e1776-c701-4d7e-bfa9-be682e7cb0c3

📥 Commits

Reviewing files that changed from the base of the PR and between a41e2c7 and 6996475.

⛔ Files ignored due to path filters (1)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*

📒 Files selected for processing (5)

• features.md
• features/features.go
• payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

💤 Files with no reviewable changes (3)

• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml

✅ Files skipped from review due to trivial changes (1)

• features.md

🚧 Files skipped from review as they are similar to previous changes (1)

• features/features.go

---

📝 Walkthrough

Walkthrough

FeatureGateExternalOIDCExternalClaimsSourcing is enabled for TechPreviewNoUpgrade by expanding the code gate condition, updating the TechPreviewNoUpgrade payload manifests to list it as enabled, and adding the externalClaimsSources schema to the Authentication CRD. The feature table entry is also repositioned in features.md.

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided, so there is no meaningful description to evaluate.	Add a brief PR description summarizing the feature-gate promotion and CRD manifest updates.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly states the main change: promoting ExternalOIDCExternalClaimsSourcing to TechPreviewNoUpgrade.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Touched files are docs/YAML/config only; none contain Ginkgo specs or dynamic test-title strings.
Test Structure And Quality	✅ Passed	No Ginkgo test code changed; the PR only updates docs, feature flags, and CRD YAML, so this test-structure check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only updates feature/manifests and a YAML test fixture, with no MicroShift-unsafe test code.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PASS: The PR only changes feature-gate docs/manifests and a CRD schema; no Ginkgo e2e tests or SNO-sensitive test logic were added.
Topology-Aware Scheduling Compatibility	✅ Passed	Only feature-gate docs/manifests and an Authentication CRD schema changed; no deployment/controller scheduling constraints were added.
Ote Binary Stdout Contract	✅ Passed	PR only changes feature-gate definitions/manifests; no main/TestMain/BeforeSuite/RunSpecs or stdout logging changes were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only changes feature gates and CRD/schema manifests, with no IPv4-only code or external connectivity paths.
No-Weak-Crypto	✅ Passed	Touched files only adjust feature-gate metadata and CRD schema; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons found.
Container-Privileges	✅ Passed	PASS: The touched files are feature-gate and CRD schema updates, and a direct scan found no privileged, hostPID, hostNetwork, allowPrivilegeEscalation, or SYS_ADMIN settings.
No-Sensitive-Data-In-Logs	✅ Passed	No logging code or logger calls were added in the touched files; changes are only feature-gate manifests and CRD/schema text.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

Hello @everettraven! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everettraven]

Looks like we removed the TPNU jobs I would have used to test that this doesn't introduce any regressions in TPNU. Will need to update that.

[everettraven]

/payload-job periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview

/payload-job periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-revertoauth-techpreview

[openshift-ci]

@everettraven: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview
• periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-revertoauth-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4d95c5f0-6b21-11f1-8854-ae90a324338d-0

[everettraven]

Missed one:

/payload-job periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-upstream-parity

[openshift-ci]

@everettraven: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-upstream-parity

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ffb3b650-6b41-11f1-9ec4-77f2a1ad7df7-0

[everettraven]

Looks like we have a test case to remove/skip: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-api-2893-periodics-e2e-aws-external-oidc-configure-techpreview/2067614916172320768

[everettraven]

/payload-job-with-prs periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview openshift/origin#31314

[openshift-ci]

@everettraven: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/cce98770-6b48-11f1-9b34-4683d9c5c4ec-0

[everettraven]

/payload-job-with-prs periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview openshift/origin#31314

[openshift-ci]

@everettraven: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[everettraven]

/payload-job-with-prs periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview openshift/origin#31314

[openshift-ci]

@everettraven: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-cluster-authentication-operator-release-5.0-periodics-e2e-aws-external-oidc-configure-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5c07aa70-6e3e-11f1-99e0-ca645b3cefbc-0

[openshift-ci]

@everettraven: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.