OpenShift Container Platform (OCP) Strategy
OCPSTRAT-2172

New status condition to indicate when external auth IdP is ready


Product / Portfolio Work

Status update 10/15/25
  • Color Status: Green
  • Status summary: Dev Complete - still needs QE to be done

      Overview

For XCMSTRAT-574, to support creating the external auth IdP asynchronously in ARO-HCP, the external auth IdP needs to support the following statuses: pending, installing, ready, error.

pending - the external IdP config POST request has been received by Cluster Service and persisted in the DB
installing - a worker has updated the manifestwork with the external auth IdP config in the HostedCluster resource
ready - the external auth IdP config has been applied by the control plane operator, the client secret has been created on the guest cluster, and the api-server pods have rolled over
error - the external auth IdP config failed to apply; the status carries an error message describing the failure and whether the error is recoverable

To support this feature, one or more status conditions on the HostedCluster resource are required so that CS can show whether the external auth IdP config provided by the customer is ready or failed to apply due to error(s).

      ARO-HCP also supports patching the external auth IdP. The status condition should reset when the external auth IdP is updated in the hosted cluster.

      When the external auth IdP information is removed from the hosted cluster, the status condition should indicate if the updated configuration applied successfully or failed.

      Updates 26.06.2025

(from Slack discussion)

1. This feature will focus on delivering a condition reflecting the existence of the day-2 client secret(s) only, as part of 4.20.
2. Reflecting the health status of the OIDC client is more involved work that will be done in a later feature.
3. The acceptance criteria below have been updated to reflect this.

      Acceptance Criteria

• When creating/updating the OIDC provider configuration in the HostedCluster resource (day-1)
        • The HostedCluster exposes a status condition reflecting that the client secret(s) don't exist.
      • When the end-user creates all client secrets on the hosted cluster (day-2)
        • The exposed HostedCluster status condition will change to reflect that all client secret(s) exist.
      • If one or more client secrets don't exist on the hosted cluster
        • The exposed HostedCluster status condition will still reflect that client secret(s) don't exist.
        • It should be possible to identify, through the exposed condition, which client secrets are still missing.
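The acceptance criteria above amount to one condition that is derived purely from the HostedCluster spec and the secrets currently present in the hosted cluster: False (naming the missing secrets) on day-1, True once the end user has created all of them, and automatically "reset" on any patch or removal of the external auth config because it is recomputed rather than stored. The following Go program is an added example written for this page, not HyperShift's or Cluster Service's own code; the Condition and OIDCProvider types, the condition type name ExternalAuthClientSecretsExist, the reason strings and the sample secret names are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Condition is a simplified stand-in for a Kubernetes status condition
// (type/status/reason/message); it is not HyperShift's own type.
type Condition struct {
	Type    string
	Status  string // "True" or "False"
	Reason  string
	Message string
}

// OIDCProvider is a simplified stand-in for one external auth provider entry in
// the HostedCluster spec: each provider references one or more client secrets by
// name. Assumed shape, not the real HyperShift API.
type OIDCProvider struct {
	Name              string
	ClientSecretNames []string
}

// Assumed condition type and reasons; the page does not name the real ones.
const (
	ConditionClientSecretsExist = "ExternalAuthClientSecretsExist"
	ReasonAllSecretsPresent     = "AsExpected"
	ReasonSecretsMissing        = "ClientSecretsMissing"
	ReasonNoSecretsRequired     = "NoClientSecretsRequired"
)

// MissingClientSecrets returns, sorted and de-duplicated, the names of client
// secrets referenced by the providers that are absent from existingSecrets (the
// Secret names currently present in the hosted cluster).
func MissingClientSecrets(providers []OIDCProvider, existingSecrets map[string]bool) []string {
	seen := map[string]bool{}
	var missing []string
	for _, p := range providers {
		for _, name := range p.ClientSecretNames {
			if seen[name] {
				continue
			}
			seen[name] = true
			if !existingSecrets[name] {
				missing = append(missing, name)
			}
		}
	}
	sort.Strings(missing)
	return missing
}

// ComputeClientSecretsCondition derives the condition described in the acceptance
// criteria. It is a pure function of the current spec and the current set of
// secrets, so re-running it after the external auth config is patched or removed
// yields a fresh condition instead of carrying stale state.
func ComputeClientSecretsCondition(providers []OIDCProvider, existingSecrets map[string]bool) Condition {
	required := 0
	for _, p := range providers {
		required += len(p.ClientSecretNames)
	}
	if required == 0 {
		// External auth removed, or configured without secrets: nothing can be missing.
		return Condition{Type: ConditionClientSecretsExist, Status: "True",
			Reason: ReasonNoSecretsRequired, Message: "no external auth client secrets are required"}
	}
	missing := MissingClientSecrets(providers, existingSecrets)
	if len(missing) == 0 {
		return Condition{Type: ConditionClientSecretsExist, Status: "True",
			Reason: ReasonAllSecretsPresent, Message: "all external auth client secrets exist"}
	}
	// Day-1, or a partially completed day-2: name the missing secrets so an
	// operator (or Cluster Service) can tell which ones are still outstanding.
	return Condition{Type: ConditionClientSecretsExist, Status: "False",
		Reason:  ReasonSecretsMissing,
		Message: "missing client secret(s): " + strings.Join(missing, ", ")}
}

func main() {
	// Constructed sample: one provider with two OIDC clients, no secrets yet (day-1).
	providers := []OIDCProvider{{Name: "example-idp",
		ClientSecretNames: []string{"console-client-secret", "cli-client-secret"}}}
	secrets := map[string]bool{}
	fmt.Printf("%+v\n", ComputeClientSecretsCondition(providers, secrets))
	// Day-2: the end user creates one of the two secrets; the condition stays False
	// but now names only the remaining one.
	secrets["console-client-secret"] = true
	fmt.Printf("%+v\n", ComputeClientSecretsCondition(providers, secrets))
	// Both present: the condition flips to True.
	secrets["cli-client-secret"] = true
	fmt.Printf("%+v\n", ComputeClientSecretsCondition(providers, secrets))
}
```

In a real controller the existingSecrets map would be built from a Secret list in the guest cluster's target namespace, and the returned Condition would be written into the HostedCluster status with the usual observedGeneration and lastTransitionTime handling; the derivation itself does not change.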

People: Dave Gordon (davegord@redhat.com), Philip Wu (phwu@redhat.com), Ahmed Abdalla Abdelrehim, Liangquan Li, Salvatore Dario Minonne, XiuJuan Wang, Matthew Werner, Senthamilarasu S