
CNTRLPLANE-3010: Add API-side validation to enforce prefixPolicy is not set when username expression is used#2771

Open

ShazaAldawamneh wants to merge 4 commits into openshift:master from ShazaAldawamneh:CNTRLPLANE-3010

Conversation

@ShazaAldawamneh
Contributor

Add a FeatureGateAwareXValidation rule to the UsernameClaimMapping type in the authentications.config.openshift.io CRD to reject configurations where prefixPolicy is set to Prefix when a username expression is also set.

Previously, this validation was only enforced at runtime in the CAO and HyperShift generation code. This change moves the validation to the API admission layer, providing stronger validation at resource creation/update time before the resource is persisted.

A prefixPolicy of Prefix is not applicable when using an expression-based username mapping since prefixes should be set directly within the expression itself if needed.

New test cases are added to the ExternalOIDCWithUpstreamParity CRD validation tests to cover:

  • Rejecting configurations where expression is set and prefixPolicy is Prefix
  • Allowing configurations where expression is set and prefixPolicy is NoPrefix
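The two CEL rules this PR introduces (the username prefixPolicy rule described above, and the groups prefix rule that the walkthrough and the inline review further down also cover), modelled in plain Go as an added example; this is not code from the PR or from openshift/api. The struct types are simplified stand-ins for the CRD types, `has`, `size` and `orValue` are stand-ins for the CEL builtins the rules call, and the sample mappings are constructed. The reviewer's shorter form of the prefixPolicy rule is included alongside the merged form so the two can be compared on claim-based mappings:

```go
package main

import "fmt"

// UsernameClaimMapping and PrefixedClaimMapping are simplified stand-ins
// (constructed for this example) for the CRD types; a nil pointer models an
// absent field, i.e. CEL has(self.x) == false.
type UsernameClaimMapping struct {
	Claim        *string
	Expression   *string
	PrefixPolicy *string // "", "NoPrefix" or "Prefix"
}

type PrefixedClaimMapping struct {
	Claim      *string
	Expression *string
	Prefix     *string
}

// has, size and orValue mirror the CEL builtins used by the rules.
func has(s *string) bool { return s != nil }

func size(s *string) int {
	if s == nil {
		return 0
	}
	return len(*s)
}

// orValue mirrors self.?field.orValue(""): the value if present, else "".
func orValue(s *string) string {
	if s == nil {
		return ""
	}
	return *s
}

// exactlyOneOfClaimOrExpression is the pre-existing rule
// "has(self.claim) ? !has(self.expression) : has(self.expression)".
func exactlyOneOfClaimOrExpression(claim, expr *string) bool {
	if has(claim) {
		return !has(expr)
	}
	return has(expr)
}

// prefixPolicyRuleAsMerged is the rule the PR adds:
// "has(self.expression) && size(self.expression) > 0 ?
//    !has(self.prefixPolicy) || self.prefixPolicy != 'Prefix' : true"
func prefixPolicyRuleAsMerged(m UsernameClaimMapping) bool {
	if has(m.Expression) && size(m.Expression) > 0 {
		return !has(m.PrefixPolicy) || *m.PrefixPolicy != "Prefix"
	}
	return true // rule is vacuously satisfied for claim-based mappings
}

// prefixPolicyRuleSuggested is the reviewer's shorter form:
// "size(self.?expression.orValue("")) > 0 &&
//    (self.?prefixPolicy.orValue("") == "" || self.?prefixPolicy.orValue("") == "NoPrefix")"
// Note that it has no "else true" branch, so it is false whenever expression is absent.
func prefixPolicyRuleSuggested(m UsernameClaimMapping) bool {
	pp := orValue(m.PrefixPolicy)
	return size(m.Expression) > 0 && (pp == "" || pp == "NoPrefix")
}

// groupsPrefixRule is the PrefixedClaimMapping rule the PR adds:
// "has(self.expression) && size(self.expression) > 0 ? !has(self.prefix) : true"
func groupsPrefixRule(m PrefixedClaimMapping) bool {
	if has(m.Expression) && size(m.Expression) > 0 {
		return !has(m.Prefix)
	}
	return true
}

func str(s string) *string { return &s }

// ValidateUsername applies the username rules the way the API server does:
// every rule must hold; the first failing rule's message is returned.
func ValidateUsername(m UsernameClaimMapping) error {
	if !exactlyOneOfClaimOrExpression(m.Claim, m.Expression) {
		return fmt.Errorf("precisely one of claim or expression must be set")
	}
	if !prefixPolicyRuleAsMerged(m) {
		return fmt.Errorf("prefixPolicy must not be set to 'Prefix' when expression is set")
	}
	return nil
}

func main() {
	// Constructed sample mappings covering the cases the PR's tests describe
	// plus the claim-based case that distinguishes the two rule forms.
	cases := []UsernameClaimMapping{
		{Expression: str("claims.email"), PrefixPolicy: str("Prefix")},   // rejected
		{Expression: str("claims.email"), PrefixPolicy: str("NoPrefix")}, // accepted
		{Claim: str("email"), PrefixPolicy: str("Prefix")},               // accepted by the merged rule
		{Claim: str("email")},                                            // accepted by the merged rule
	}
	for _, c := range cases {
		fmt.Printf("merged=%v suggested=%v err=%v\n",
			prefixPolicyRuleAsMerged(c), prefixPolicyRuleSuggested(c), ValidateUsername(c))
	}
}
```

Running it shows that both forms agree on expression-based mappings, but the shorter form evaluates to false for every claim-based mapping, which in a CRD validation would reject them with the prefixPolicy message; the ternary with a `: true` branch is what keeps the merged rule scoped to expression-based mappings.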

…when username expression is used

Signed-off-by: Shaza Aldawamneh <shaza.aldawamneh@hotmail.com>
@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 18, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 18, 2026

@ShazaAldawamneh: This pull request references CNTRLPLANE-3010 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

Add a FeatureGateAwareXValidation rule to the UsernameClaimMapping type in the authentications.config.openshift.io CRD to reject configurations where prefixPolicy is set to Prefix when a username expression is also set.

Previously, this validation was only enforced at runtime in the CAO and HyperShift generation code. This change moves the validation to the API admission layer, providing stronger validation at resource creation/update time before the resource is persisted.

A prefixPolicy of Prefix is not applicable when using an expression-based username mapping since prefixes should be set directly within the expression itself if needed.

New test cases are added to the ExternalOIDCWithUpstreamParity CRD validation tests to cover:

  • Rejecting configurations where expression is set and prefixPolicy is Prefix
  • Allowing configurations where expression is set and prefixPolicy is NoPrefix

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 18, 2026
@coderabbitai

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5a77ae11-405f-4a1b-8e06-400ac692a53d

📥 Commits

Reviewing files that changed from the base of the PR and between ef9ca32 and 7594ed4.

⛔ Files ignored due to path filters (4)
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • config/v1/zz_generated.featuregated-crd-manifests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
📒 Files selected for processing (4)
  • config/v1/types_authentication.go
  • payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml
  • payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml
✅ Files skipped from review due to trivial changes (1)
  • payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • config/v1/types_authentication.go
  • payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml

📝 Walkthrough

Added validation rules (gated by the ExternalOIDCWithUpstreamParity feature) that restrict combinations of OIDC claim-mapping fields: if a mapping uses a non-empty expression, username.prefixPolicy must not be set to Prefix, and groups.prefix must not be set. The rules were added as XValidation annotations in Go types, as CEL x-kubernetes-validations in multiple CRD manifests, and three new tests were added covering accepted and rejected configurations.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.3)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci
Contributor

openshift-ci bot commented Mar 18, 2026

Hello @ShazaAldawamneh! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 18, 2026

@ShazaAldawamneh ShazaAldawamneh changed the title [WIP]: CNTRLPLANE-3010: Add API-side validation to enforce prefixPolicy is not set when username expression is used CNTRLPLANE-3010: Add API-side validation to enforce prefixPolicy is not set when username expression is used Mar 18, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 18, 2026
@ehearne-redhat
Contributor

Hey @ShazaAldawamneh - I left one question of curiosity but besides that I don't have any concerns :)

I will point out that you may need to manually trigger jobs stuck on "Waiting for pipeline condition to trigger job".

// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDC,rule="has(self.claim)",message="claim is required"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUIDAndExtraClaimMappings,rule="has(self.claim)",message="claim is required"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.claim) ? !has(self.expression) : has(self.expression)",message="precisely one of claim or expression must be set"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? !has(self.prefixPolicy) || self.prefixPolicy != 'Prefix' : true",message="prefixPolicy must not be set to 'Prefix' when expression is set"
Contributor

We could probably simplify this expression a bit to something like:

Suggested change
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? !has(self.prefixPolicy) || self.prefixPolicy != 'Prefix' : true",message="prefixPolicy must not be set to 'Prefix' when expression is set"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="size(self.?expression.orValue("")) > 0 && (self.?prefixPolicy.orValue("") == "" || self.?prefixPolicy.orValue("") == "NoPrefix")",message="prefixPolicy must not be set to 'Prefix' when expression is set"
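Review bot: The suggested rule drops the `: true` fallback of the original, so it evaluates to false whenever `expression` is absent: `size(self.?expression.orValue("")) > 0` is false for a claim-based mapping, and the whole conjunction then fails, rejecting every `claim`-based UsernameClaimMapping with the message "prefixPolicy must not be set to 'Prefix' when expression is set". Keep the original's scoping, e.g. `size(self.?expression.orValue('')) == 0 || self.?prefixPolicy.orValue('') != 'Prefix'`. Separately, the suggested line embeds unescaped `""` inside the double-quoted `rule="..."` marker value; the existing markers on this type use single quotes inside the rule (`'Prefix'`) for exactly this reason, so the string literals should be `''` / `'NoPrefix'` or escaped.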


// PrefixedClaimMapping configures a claim mapping
// that allows for an optional prefix.
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? !has(self.prefix) : true",message="prefix must not be set when expression is set"
Contributor

Similar comment here, I think we could do something like:

Suggested change
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="has(self.expression) && size(self.expression) > 0 ? !has(self.prefix) : true",message="prefix must not be set when expression is set"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=ExternalOIDCWithUpstreamParity,rule="size(self.?expression.orValue("") > 0 && size(self.?prefix.orValue("")) == 0",message="prefix must not be set when expression is set"
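Review bot: The suggested rule is not syntactically valid CEL: `size(self.?expression.orValue("") > 0` opens `size(` without closing it before the `> 0`, so the CRD would fail to compile the expression at install time; it should read `size(self.?expression.orValue('')) > 0`. It also has the same scoping problem as the username suggestion above: with no `: true` branch the rule is false for every claim-based PrefixedClaimMapping, and the `prefix` message would be reported for mappings that set `claim` with a prefix. A form that keeps the original behaviour is `size(self.?expression.orValue('')) == 0 || size(self.?prefix.orValue('')) == 0`, using single quotes inside the double-quoted marker value as the surrounding markers do.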

@ehearne-redhat
Contributor

/lgtm

Changes look good to me. Tests are passing fine. Issue was resolved with self.prefixpolicy. So, I'm happy with it.

However, I am unsure whether these other tests will run after the lgtm. I hope so, so that we can get a definitive response on the viability of this. :)

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2026
@openshift-ci-robot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

@ehearne-redhat
Contributor

/lgtm cancel

@ehearne-redhat
Contributor

noticed that bryce had some concerns. :)

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2026
@openshift-ci
Contributor

openshift-ci bot commented Mar 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Member

@liouk liouk left a comment


Just a couple of doc related observations.

// +kubebuilder:validation:Enum={"", "NoPrefix", "Prefix"}
// +optional
// +unionDiscriminator
PrefixPolicy UsernamePrefixPolicy `json:"prefixPolicy"`
Member

Current doc doesn't explain the expectation of the value of this field based on whether the expression is set or not, maybe worth adding something related.

// Example: if `prefix` is set to "myoidc:" and the `claim` in JWT contains an array of strings "a", "b" and "c", the mapping will result in an array of string "myoidc:a", "myoidc:b" and "myoidc:c".
//
// +optional
Prefix string `json:"prefix"`
Member

Similarly, should we add some text about what is expected in Prefix when the expression is set?

@openshift-ci
Contributor

openshift-ci bot commented Mar 24, 2026

@ShazaAldawamneh: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
