CONSOLE-4992

console-operator: Support multiple external OIDC client configurations for Console

    • Story
    • Resolution: Unresolved
    • Console Operator

      Description

      The console-operator currently assumes that only a single external OIDC provider is configured and selects the first matching client configuration it finds. With the introduction of the ExternalOIDCMultipleIdPs feature gate, this assumption is no longer valid.

      The operator must be updated to support multiple OIDC providers where Console is configured as a client, and generate a consolidated configuration that can be consumed by the Console.

       

      Scope

      • Read all spec.oidcProviders entries from:
        • Authentication.config.openshift.io (standalone)
        • HostedCluster (HyperShift)
      • Select providers where Console is configured as a client
      • Generate a single providers configuration file containing all relevant providers
      • Write the configuration to a ConfigMap
      • Mount the ConfigMap into the Console deployment
      • Pass the configuration path to Console via a new flag

      All behavior must be gated behind ExternalOIDCMultipleIdPs.
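
An added sketch of the provider-selection step from the Scope list, not code from console-operator. The struct types, the `SelectConsoleProviders` helper, the `console` / `openshift-console` client identity and the sample providers are assumptions made for illustration; the real operator would read these from `spec.oidcProviders` and serialize the result into the ConfigMap.

```go
package main

import "fmt"

// Simplified stand-ins for spec.oidcProviders entries (assumed field names).
type OIDCClient struct{ ComponentName, ComponentNamespace, ClientID string }

type OIDCProvider struct {
	Name, IssuerURL string
	Clients         []OIDCClient
}

// ConsoleProvider is a hypothetical entry of the consolidated providers config.
type ConsoleProvider struct{ Name, IssuerURL, ClientID string }

// Assumed identity of the Console client within a provider's client list.
const consoleName, consoleNamespace = "console", "openshift-console"

// SelectConsoleProviders returns every provider that lists Console as a client.
// With the gate off it keeps the single-provider behaviour (first match only).
func SelectConsoleProviders(providers []OIDCProvider, multipleIdPs bool) []ConsoleProvider {
	var out []ConsoleProvider
	for _, p := range providers {
		for _, c := range p.Clients {
			if c.ComponentName != consoleName || c.ComponentNamespace != consoleNamespace {
				continue // client entry belongs to another component
			}
			out = append(out, ConsoleProvider{p.Name, p.IssuerURL, c.ClientID})
			if !multipleIdPs {
				return out // gate disabled: stop at the first matching provider
			}
			break // one Console client entry per provider is enough
		}
	}
	return out
}

func main() {
	// Constructed sample input: two providers with a Console client, one without.
	providers := []OIDCProvider{
		{"corp", "https://idp.corp.example", []OIDCClient{{"console", "openshift-console", "console-corp"}}},
		{"cli-only", "https://idp.cli.example", []OIDCClient{{"cli", "openshift-cli", "oc"}}},
		{"partner", "https://idp.partner.example", []OIDCClient{{"console", "openshift-console", "console-partner"}}},
	}
	fmt.Println(SelectConsoleProviders(providers, true))
}
```

Providers that do not list Console as a client are left out of the result, so their issuer details never reach the Console deployment's mounted configuration.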

       

      Acceptance Criteria

      • console-operator processes multiple OIDC providers instead of a single entry
      • Providers where Console is a client are included in generated config
      • A providers config file is generated and stored in a ConfigMap
      • ConfigMap is mounted into the Console deployment
      • Console is started with --user-auth-oidc-providers-file
      • All logic is gated by ExternalOIDCMultipleIdPs

       

      Non-Goals

      • Console-side parsing or auth flow changes
      • UI changes
      • Backward compatibility without the feature gate

              jhadvig@redhat.com Jakub Hadvig