
CNTRLPLANE-3745: Add AuthenticationComponentProxy API for component-scoped proxy#2909

Status: Open. tchap wants to merge 1 commit into openshift:master from tchap:cao-proxy.

Conversation

tchap commented Jun 29, 2026

Contributor

Add a feature-gated proxy field to operator.openshift.io/v1 AuthenticationSpec, allowing component-scoped proxy configuration for the OAuth server and cluster authentication operator without requiring a cluster-wide proxy.

The API includes httpProxy, httpsProxy, noProxy and trustedCA.
Gated behind the AuthenticationComponentProxy feature gate.

The relevant EP: proxy-support-for-integrated-auth-stack.md

@openshift-merge-bot

Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 29, 2026
openshift-ci-robot commented Jun 29, 2026


@tchap: This pull request references CNTRLPLANE-3745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

Add a feature-gated proxy field to operator.openshift.io/v1 AuthenticationSpec, allowing component-scoped proxy configuration for the OAuth server and cluster authentication operator without requiring a cluster-wide proxy.

The API includes httpProxy, httpsProxy, noProxy and trustedCA.
Gated behind the AuthenticationComponentProxy feature gate.

The relevant EP: proxy-support-for-integrated-auth-stack.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented Jun 29, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

AuthenticationSpec adds an optional proxy field with new proxy and trustedCA types. The Authentication CRD schema adds spec.proxy with URL, list, and required-field validation. The CRD test file adds acceptance and rejection cases for the new proxy rules.

Pre-merge checks: 15 passed

  • Title check (Passed): The title clearly matches the main change: adding a component-scoped proxy API for Authentication.
  • Description check (Passed): The description is directly related to the proxy field, feature gate, and API scope introduced by the PR.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): All added test names are static, descriptive strings; none include dynamic values, generated IDs, dates, nodes, namespaces, or IPs.
  • Test Structure And Quality (Passed): The CRD test YAML uses one behavior per case, has no cluster setup/cleanup or waits, and matches existing Authentication test-file patterns.
  • Microshift Test Compatibility (Passed): The added file is an envtest CRD fixture for Authentication; it uses no MicroShift-banned APIs/resources or runtime assumptions.
  • Single Node Openshift (SNO) Test Compatibility (Passed): Only a CRD validation YAML was added; no Ginkgo e2e tests or multi-node/SNO assumptions are present.
  • Topology-Aware Scheduling Compatibility (Passed): API/schema/test-only changes; no deployment, controller, or pod scheduling fields (node selectors, affinity, spread constraints, replicas, tolerations) were added.
  • OTE Binary Stdout Contract (Passed): The PR only adds API type definitions and CRD/test YAML; no main/init/TestMain/RunSpecs or stdout logging was introduced.
  • IPv6 And Disconnected Network Test Compatibility (Passed): The added test YAML uses only example/internal hostnames and has no IPv4 literals, IP parsing, or external connectivity; no Ginkgo e2e test code was added.
  • No-Weak-Crypto (Passed): Changed files only add proxy schema/test validation; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were added.
  • Container-Privileges (Passed): Touched files are API/CRD/test schema only; none add privileged, host* namespaces, SYS_ADMIN, or allowPrivilegeEscalation settings.
  • No-Sensitive-Data-In-Logs (Passed): Touched files only add proxy API schema/test YAML; no log statements or runtime code emitting secrets/PII were introduced.

Comment @coderabbitai help to get the list of available commands.

openshift-ci Bot commented Jun 29, 2026

Contributor

Hello @tchap! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci Bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jun 29, 2026
@openshift-ci openshift-ci Bot requested review from JoelSpeed and everettraven June 29, 2026 15:09
openshift-ci Bot commented Jun 29, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/v1/types_authentication.go`:
- Around line 58-60: The field comments for the authentication proxy settings
are missing documentation for the minimum validation constraints. Update the
comments on the `httpProxy`, `httpsProxy`, and `noProxy` fields in
`types_authentication.go` so they explicitly reflect `MinLength=1` and
`MinItems=1` alongside the existing max constraints; use brief wording like
“must be non-empty” for the string fields and “must contain at least one entry”
for the list field. Keep the existing `MaxLength`/`MaxItems` descriptions intact
and ensure the comment text matches the validation markers on each field.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 65e9d68b-295c-4ffe-9bea-83347ececc28

📥 Commits

Reviewing files that changed from the base of the PR and between 7841260 and e09ef40.

⛔ Files ignored due to path filters (8)
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
  • openapi/openapi.json is excluded by !openapi/**
  • operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/AuthenticationComponentProxy.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • operator/v1/zz_generated.model_name.go is excluded by !**/zz_generated*
  • operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
📒 Files selected for processing (2)
  • operator/v1/types_authentication.go
  • payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml

Comment thread operator/v1/types_authentication.go
tchap force-pushed the cao-proxy branch 2 times, most recently from 8a0f0c6 to ce3fd4e on June 29, 2026 15:57

coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@operator/v1/tests/authentications.operator.openshift.io/AuthenticationComponentProxy.yaml`:
- Around line 107-146: Add mirrored validation coverage in
AuthenticationComponentProxy.yaml for the untested proxy branches. The current
cases only exercise httpProxy scheme/path/query/fragment failures; extend the
same style of tests for httpsProxy and add cases for “must be a valid URL” and
“must contain a hostname” on both proxy fields. Use the existing Authentication
proxy validation entries as the place to add these new negative tests so
regressions in generated schema validation are caught.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1956187e-f346-4508-8fb1-046bbc04d08f

📥 Commits

Reviewing files that changed from the base of the PR and between 8a0f0c6 and ce3fd4e.

⛔ Files ignored due to path filters (8)
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
  • openapi/openapi.json is excluded by !openapi/**
  • operator/v1/zz_generated.crd-manifests/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests/authentications.operator.openshift.io/AuthenticationComponentProxy.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • operator/v1/zz_generated.model_name.go is excluded by !**/zz_generated*
  • operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
📒 Files selected for processing (3)
  • operator/v1/tests/authentications.operator.openshift.io/AuthenticationComponentProxy.yaml
  • operator/v1/types_authentication.go
  • payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • payload-manifests/crds/0000_50_authentication_01_authentications-CustomNoUpgrade.crd.yaml
  • operator/v1/types_authentication.go
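The PR description lists the four fields of the new spec.proxy block (httpProxy, httpsProxy, noProxy, trustedCA), and the review comment above names the CRD rules the test fixture should exercise: each proxy URL must be a valid URL, must contain a hostname, and must fail on scheme, path, query and fragment, with MinLength=1 on the strings and MinItems=1 on the list. The following Go program is an added example that applies those rules in plain code so a practitioner can see which inputs the schema is meant to reject. It is not code from this PR or from openshift/api: the ComponentProxy type, the http/https scheme allow-list, the MaxLength/MaxItems values, the "at least one of httpProxy/httpsProxy" rule and the per-entry noProxy check are all assumptions made for illustration, and the trustedCA shape is left unvalidated because the thread does not show it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ComponentProxy is an illustrative stand-in for the spec.proxy block the PR
// adds to AuthenticationSpec. It is NOT the openshift/api type; the field set
// follows the PR description and the trustedCA shape is assumed.
type ComponentProxy struct {
	HTTPProxy  string
	HTTPSProxy string
	NoProxy    []string
	TrustedCA  string // assumed to be a ConfigMap name reference; not validated here
}

// Assumed upper bounds. The review thread says MaxLength/MaxItems markers
// exist on these fields but does not show their values.
const (
	maxProxyURLLen  = 2048
	maxNoProxyItems = 64
)

// validateProxyURL applies the checks the review thread names for httpProxy
// and httpsProxy: non-empty (MinLength=1), parseable as a URL, carries a
// hostname, and has no path, query or fragment. Restricting the scheme to
// http/https is an assumption drawn from the "scheme" failure cases.
func validateProxyURL(field, raw string) error {
	if raw == "" {
		return fmt.Errorf("%s: must be non-empty", field)
	}
	if len(raw) > maxProxyURLLen {
		return fmt.Errorf("%s: must be at most %d characters", field, maxProxyURLLen)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: must be a valid URL: %w", field, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%s: scheme must be http or https, got %q", field, u.Scheme)
	}
	if u.Hostname() == "" {
		return fmt.Errorf("%s: must contain a hostname", field)
	}
	// A proxy endpoint is host[:port] only; anything after the authority,
	// including a bare trailing "/", is rejected (assumed to match the CRD rule).
	if u.Path != "" || u.RawQuery != "" || u.ForceQuery || u.Fragment != "" {
		return fmt.Errorf("%s: must not contain a path, query or fragment", field)
	}
	return nil
}

// validateNoProxy applies MinItems=1 ("must contain at least one entry") plus
// an assumed MaxItems and an assumed rule that every entry is a non-blank
// token (hostname, domain suffix or CIDR).
func validateNoProxy(entries []string) error {
	if len(entries) == 0 {
		return errors.New("noProxy: must contain at least one entry")
	}
	if len(entries) > maxNoProxyItems {
		return fmt.Errorf("noProxy: must contain at most %d entries", maxNoProxyItems)
	}
	for i, e := range entries {
		if strings.TrimSpace(e) == "" {
			return fmt.Errorf("noProxy[%d]: must be non-empty", i)
		}
	}
	return nil
}

// ValidateComponentProxy validates a whole block and returns every violation.
// Unset fields (zero values) are skipped, as optional CRD fields would be. The
// rule that at least one of httpProxy/httpsProxy must be set is an assumption
// about the "required-field validation" the walkthrough mentions.
func ValidateComponentProxy(p ComponentProxy) []error {
	var errs []error
	if p.HTTPProxy == "" && p.HTTPSProxy == "" {
		errs = append(errs, errors.New("proxy: at least one of httpProxy or httpsProxy must be set"))
	}
	if p.HTTPProxy != "" {
		if err := validateProxyURL("httpProxy", p.HTTPProxy); err != nil {
			errs = append(errs, err)
		}
	}
	if p.HTTPSProxy != "" {
		if err := validateProxyURL("httpsProxy", p.HTTPSProxy); err != nil {
			errs = append(errs, err)
		}
	}
	if p.NoProxy != nil {
		if err := validateNoProxy(p.NoProxy); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Constructed sample inputs: one block that should pass, one that
	// trips the path/query/fragment rule and the empty-list rule.
	good := ComponentProxy{
		HTTPProxy:  "http://proxy.example.com:3128",
		HTTPSProxy: "https://proxy.example.com:3129",
		NoProxy:    []string{".cluster.local", "10.0.0.0/8"},
	}
	bad := ComponentProxy{
		HTTPProxy: "http://proxy.example.com/path?x=1#frag",
		NoProxy:   []string{},
	}
	for _, p := range []ComponentProxy{good, bad} {
		fmt.Printf("%+v -> %v\n", p, ValidateComponentProxy(p))
	}
}
```

Running it prints an empty error list for the first block and two errors for the second. Note that a bare "host:port" without a scheme is also rejected, because net/url parses "proxy.example.com:3128" with "proxy.example.com" as the scheme; that matches the intent of a scheme check, but it is worth a dedicated negative test case in the fixture so the error message users see is the intended one.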

tchap force-pushed the cao-proxy branch 2 times, most recently from 3e9fdf7 to 5857480 on June 30, 2026 09:47
@openshift-ci openshift-ci Bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 30, 2026
tchap force-pushed the cao-proxy branch 2 times, most recently from 68ef608 to 8c2e4fa on June 30, 2026 12:31

Commit message:

Add a feature-gated proxy field to operator.openshift.io/v1
AuthenticationSpec, allowing component-scoped proxy configuration
for the OAuth server and cluster authentication operator without
requiring a cluster-wide proxy.

The API includes httpProxy, httpsProxy, noProxy and trustedCA.
Register the AuthenticationComponentProxy feature gate in
features.go, scoped to SelfManaged clusters only (TechPreviewNoUpgrade,
DevPreviewNoUpgrade).
openshift-ci Bot commented Jun 30, 2026

Contributor

@tchap: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
