openshift
CNTRLPLANE-332: Add uid and extra claim mappings for external OIDC configuration
Adds uid and extra fields to the authentications.config.openshift.io CRD's external OIDC provider claim mapping configuration options, allowing users to specify how the uid and extra UserInfo values should be populated from a given authentication token.
Hello @everettraven! Some important instructions when contributing to openshift/api: API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
@everettraven: This pull request references CNTRLPLANE-332 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.
In response to this:
Adds:
- A new TechPreview feature-gate
ExternalOIDCWithUIDAndExtraMappings(still needs to be linked to a proper EP for this. Maybe the existing OIDC one is sufficient?)- Adds
uidandextrafields to theauthentications.config.openshift.ioCRD's external OIDC provider configuration options, gated by the newExternalOIDCWithUIDAndExtraMappingsfeature-gate
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@everettraven: This pull request references CNTRLPLANE-332 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.
In response to this:
Adds
uidandextrafields to theauthentications.config.openshift.ioCRD's external OIDC provider configuration options
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@everettraven: This pull request references CNTRLPLANE-332 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.
In response to this:
Adds
uidandextrafields to theauthentications.config.openshift.ioCRD's external OIDC provider claim mapping configuration options, allowing users to specify how theuidandextraUserInfovalues should be populated from a given authentication token.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
This PR must not merge until the changes are consumed and thoroughly tested. Holding.
/hold
In-progress HyperShift PR consuming the changes: https://github.com/openshift/hypershift/pull/5840
@sjenning: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:
/test build
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial
/test e2e-aws-serial-techpreview
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test images
/test integration
/test lint
/test minor-e2e-upgrade-minor
/test minor-images
/test unit
/test verify
/test verify-client-go
/test verify-crd-schema
/test verify-deps
/test verify-feature-promotion
The following commands are available to trigger optional jobs:
/test e2e-azure
/test e2e-gcp
/test okd-scos-e2e-aws-ovn
/test okd-scos-images
Use /test all to run the following jobs that were automatically triggered:
pull-ci-openshift-api-master-build
pull-ci-openshift-api-master-e2e-aws-ovn
pull-ci-openshift-api-master-e2e-aws-ovn-hypershift
pull-ci-openshift-api-master-e2e-aws-ovn-techpreview
pull-ci-openshift-api-master-e2e-aws-serial
pull-ci-openshift-api-master-e2e-aws-serial-techpreview
pull-ci-openshift-api-master-e2e-azure
pull-ci-openshift-api-master-e2e-gcp
pull-ci-openshift-api-master-e2e-upgrade
pull-ci-openshift-api-master-e2e-upgrade-out-of-change
pull-ci-openshift-api-master-images
pull-ci-openshift-api-master-integration
pull-ci-openshift-api-master-lint
pull-ci-openshift-api-master-minor-e2e-upgrade-minor
pull-ci-openshift-api-master-minor-images
pull-ci-openshift-api-master-okd-scos-e2e-aws-ovn
pull-ci-openshift-api-master-unit
pull-ci-openshift-api-master-verify
pull-ci-openshift-api-master-verify-client-go
pull-ci-openshift-api-master-verify-crd-schema
pull-ci-openshift-api-master-verify-deps
pull-ci-openshift-api-master-verify-feature-promotion
In response to this:
/retest e2e-aws-ovn-hypershift
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@sjenning It looks like e2e-aws-ovn-hypershift is failing due to the OLM community catalog not coming up correctly. Looks like it is permafailing on that.
The lint check is currently expected to fail because of my comment about intentionally not setting a maximum length
@everettraven yes, there is a break in hypershift CI atm. Waiting on https://github.com/openshift/hypershift/pull/5881 to fix it.
@everettraven: This PR was included in a payload test run from openshift/hypershift#5840 trigger 4 job(s) of type blocking for the ci release of OCP 4.19
- periodic-ci-openshift-release-master-ci-4.19-upgrade-from-stable-4.18-e2e-aws-ovn-upgrade
- periodic-ci-openshift-release-master-ci-4.19-upgrade-from-stable-4.18-e2e-azure-ovn-upgrade
- periodic-ci-openshift-release-master-ci-4.19-e2e-gcp-ovn-upgrade
- periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-ovn
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/cb5c9ea0-0a33-11f0-8c09-1b0434e6e3a5-0
/hold
New fields must be gated. We support having a field gated on A or on B, by separating with the standard controller-tools semi-colon. See https://github.com/openshift/api/pull/2253/files#r2017618426 for an example.
@everettraven: This PR was included in a payload test run from openshift/hypershift#5840 trigger 4 job(s) of type blocking for the ci release of OCP 4.19
- periodic-ci-openshift-release-master-ci-4.19-upgrade-from-stable-4.18-e2e-aws-ovn-upgrade
- periodic-ci-openshift-release-master-ci-4.19-upgrade-from-stable-4.18-e2e-azure-ovn-upgrade
- periodic-ci-openshift-release-master-ci-4.19-e2e-gcp-ovn-upgrade
- periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-ovn
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/6f211ab0-0bfc-11f0-87b2-e5e70c1f99a6-0
New fields are now gated as TP and should be ready to merge pending another review against the new changes. Canceling the hold.
/hold cancel
/lgtm
/hold
This MUST not be merged until https://github.com/openshift/hypershift/pull/5976 is complete.
Adding these fields without the fix could lead to HyperShift promoting these new fields and then removing them later when the fix is implemented, which is not desirable
https://github.com/openshift/hypershift/pull/5976 has merged. Removing hold.
/hold cancel
/retest-required
Remaining retests: 0 against base HEAD 8fcc4e71758aefadc7bf7da355ca8619bcc1d34d and 2 for PR HEAD 39c38ba6b2a3fda23bf212ec54dbe2b88cb35736 in total