Zero Trust Workload Identity Manager
SPIRE-349

ConfigurationValid condition message is misleading

Type: Bug
Resolution: Unresolved
Priority: Normal

Description: The `ConfigurationValid` status condition introduced in PR #67 (SPIRE-327) reports `status: True` with the message "All configuration fields are valid" even when the SpireServer CR is missing required fields needed for deployment.

This creates a false positive where users believe their CR is ready for deployment, but the actual deployment fails with `CrashLoopBackOff` due to missing required configuration.

Root Cause:
PR #67's validation scope is limited to 5 optional fields (affinity, tolerations, nodeSelector, resources, labels) but does NOT validate required fields (caSubject, datastore, persistence). The success message "All configuration fields are valid" is misleading because it implies completeness validation.


Steps to Reproduce

Prerequisites

1. Set environment variables:

   export APP_DOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')
   export JWT_ISSUER_ENDPOINT=oidc-discovery.${APP_DOMAIN}
   export CLUSTER_NAME=test01

2. Ensure operator v1.0.0 is deployed:

   oc get csv -n zero-trust-workload-identity-manager

   Should show: zero-trust-workload-identity-manager.v1.0.0

Step 1: Apply Minimal SpireServer CR (Missing Required Fields)

oc delete spireserver cluster --ignore-not-found=true

oc apply -f - <<EOF
apiVersion: operator.openshift.io/v1alpha1
kind: SpireServer
metadata:
  name: cluster
spec:
  trustDomain: $APP_DOMAIN
  clusterName: $CLUSTER_NAME
  jwtIssuer: https://$JWT_ISSUER_ENDPOINT
  # NOTE: Missing required fields:
  # - caSubject (required for CA certificate generation)
  # - datastore (required for SPIRE Server database)
  # - persistence (required for data storage)
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "200m"
      memory: "512Mi"
EOF


Step 2: Check ConfigurationValid Condition

oc get spireserver cluster -o jsonpath='{.status.conditions[?(@.type=="ConfigurationValid")]}' | jq

Step 3: Check Pod Status

Wait 30 seconds for pod creation:
sleep 30

Check pod status:
oc get pod spire-server-0 -n zero-trust-workload-identity-manager

Check container logs:
oc logs spire-server-0 -n zero-trust-workload-identity-manager -c spire-server --tail=20

Expected Behavior

Option 1 (Preferred): Validate Required Fields

{
  "lastTransitionTime": "2025-12-01T08:00:00Z",
  "message": "Configuration validation failed: missing required fields: caSubject, datastore, persistence",
  "reason": "ValidationFailed",
  "status": "False",
  "type": "ConfigurationValid"
}

Option 2 (Quick Fix): Clearer Message

{
  "lastTransitionTime": "2025-12-01T08:00:00Z",
  "message": "Common configuration fields (affinity, tolerations, nodeSelector, resources, labels) are valid. Required fields validated separately.",
  "reason": "ConfigurationValid",
  "status": "True",
  "type": "ConfigurationValid"
}

Pod Status:

• The pod should not be created at all if validation fails
• Or, if it is created, it should carry a clear error message pointing to the validation condition
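As an added illustration of the preferred fix (Option 1), and not code from the operator, from PR #67 or from this issue's reporters: a Go sketch of a required-field check that emits the `ConfigurationValid` condition with `status: False` and an explicit, stable list of the missing fields, plus a guard that gates deployment on that condition. The CR and condition types below are simplified stand-ins (an assumption for the example; the operator's real API types are shaped differently), and the sample spec mirrors the minimal CR from the reproduction steps with constructed values.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the operator's CR types and for a Kubernetes
// status condition. These are assumptions for the example, not the real
// API types of the Zero Trust Workload Identity Manager operator.
type CASubject struct{ CommonName string }
type DataStore struct{ DatabaseType string }
type Persistence struct{ Type string }

type SpireServerSpec struct {
	TrustDomain string
	ClusterName string
	JwtIssuer   string
	// Required for deployment; nil means the user omitted the field.
	CASubject   *CASubject
	Datastore   *DataStore
	Persistence *Persistence
	// Optional scheduling/resource fields (the ones PR #67 already validates).
	NodeSelector map[string]string
	Labels       map[string]string
}

type Condition struct {
	Type    string
	Status  string // "True" or "False"
	Reason  string
	Message string
}

const ConditionConfigurationValid = "ConfigurationValid"

// missingRequiredFields returns the names of required spec fields that are
// unset, in a fixed order so the condition message does not flap between
// reconciles when several fields are missing.
func missingRequiredFields(spec SpireServerSpec) []string {
	var missing []string
	if spec.CASubject == nil {
		missing = append(missing, "caSubject")
	}
	if spec.Datastore == nil {
		missing = append(missing, "datastore")
	}
	if spec.Persistence == nil {
		missing = append(missing, "persistence")
	}
	return missing
}

// configurationValidCondition builds the condition the issue asks for:
// status False with an explicit list of missing required fields, and
// status True only when every required field is present.
func configurationValidCondition(spec SpireServerSpec) Condition {
	if missing := missingRequiredFields(spec); len(missing) > 0 {
		return Condition{
			Type:    ConditionConfigurationValid,
			Status:  "False",
			Reason:  "ValidationFailed",
			Message: "Configuration validation failed: missing required fields: " + strings.Join(missing, ", "),
		}
	}
	return Condition{
		Type:    ConditionConfigurationValid,
		Status:  "True",
		Reason:  "ConfigurationValid",
		Message: "All required and optional configuration fields are valid",
	}
}

// readyToDeploy is the gate a reconciler would consult before creating the
// spire-server StatefulSet, so an invalid CR never reaches CrashLoopBackOff.
func readyToDeploy(c Condition) bool {
	return c.Type == ConditionConfigurationValid && c.Status == "True"
}

func main() {
	// Constructed input mirroring the minimal CR from the reproduction steps:
	// trustDomain, clusterName and jwtIssuer set, the three required fields omitted.
	minimal := SpireServerSpec{
		TrustDomain: "apps.example.com",
		ClusterName: "test01",
		JwtIssuer:   "https://oidc-discovery.apps.example.com",
	}
	c := configurationValidCondition(minimal)
	fmt.Printf("%s=%s (%s): %s; deploy=%v\n", c.Type, c.Status, c.Reason, c.Message, readyToDeploy(c))

	complete := minimal
	complete.CASubject = &CASubject{CommonName: "SPIRE Server CA"}
	complete.Datastore = &DataStore{DatabaseType: "sqlite3"}
	complete.Persistence = &Persistence{Type: "pvc"}
	c = configurationValidCondition(complete)
	fmt.Printf("%s=%s (%s): %s; deploy=%v\n", c.Type, c.Status, c.Reason, c.Message, readyToDeploy(c))
}
```

The fixed ordering in `missingRequiredFields` matters in practice: if the list were built from a map, the message text would change between reconciles and spuriously bump `lastTransitionTime`, which makes the condition noisy to alert on.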

Actual Behavior

ConfigurationValid Condition (Misleading ❌)

{
  "lastTransitionTime": "2025-12-01T08:11:54Z",
  "message": "All configuration fields are valid",
  "reason": "ConfigurationValid",
  "status": "True",
  "type": "ConfigurationValid"
}

Pod Status (Crashes ❌)

People: Anirudh Agnihotri (rh-ee-aagnihot), Sayak Das (rh-ee-sayadas)