WIP: poc: deploying upstream component

[everettraven]

Summary by CodeRabbit

• New Features
  • OAuth API Server external OIDC deployment can now use an alternate component image when a specific environment variable is set, including automatic injection of the appropriate authentication-path argument.
• Deployment Updates
  • OAuth API Server now always pulls its image on startup.
  • Container startup has been adjusted to run via the configured launcher while preserving existing CA bundle handling.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

In sync_openshift_oauth_apiserver.go, the os package is imported and the external OIDC deployment sync path is updated to read UPSTREAM_OIDC_COMPONENT_IMAGE from the environment. When set, it replaces the ${IMAGE} substitution target and prepends an --authenticate-path=/apis/oauth.openshift.io/v1/tokenreviews argument. The external OIDC deployment manifest is concurrently updated to use imagePullPolicy: Always and wrap the startup command with padlok run.

Changes

Conditional Image Override for External OIDC

Layer / File(s)	Summary
Image override logic in sync function pkg/operator/workload/sync_openshift_oauth_apiserver.go	Imports os and updates syncExternalOIDCDeployment to select imageToUse from UPSTREAM_OIDC_COMPONENT_IMAGE environment variable (falling back to c.targetImagePullSpec); when the override is active, prepends --authenticate-path=/apis/oauth.openshift.io/v1/tokenreviews before template substitution.
Deployment manifest configuration bindata/oauth-apiserver/externaloidc-deploy.yaml	Updates container image pull policy to Always and wraps the oauth-apiserver external-oidc startup command with padlok run, while preserving the trusted CA bundle copy initialization.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Lines 354 and 358 log raw UPSTREAM_OIDC_COMPONENT_IMAGE environment variable values which contain image pull specs with internal registry hostnames, violating the no-sensitive-data-in-logs check.	Remove the environment variable values from logs: log only flag names/decisions without actual values, or use klog.V(2).Info() for debug-level logging without the env value itself.
Topology-Aware Scheduling Compatibility	⚠️ Warning	The externaloidc-deploy.yaml manifest and syncExternalOIDCDeployment function use nodeSelector targeting control-plane nodes and set replicas to master node count, which breaks on HyperShift (no CP...	Add ControlPlaneTopology checks in syncExternalOIDCDeployment to skip deployment on External/HyperShift; consider using WithControlPlaneNodeSelectorHook and WithTopologyAwareReplicasHook from library-go.
Title check	❓ Inconclusive	The title uses vague terms ('poc', 'deploying upstream component') that lack specificity about the actual changes made to the codebase.	Replace vague language with specific details about what is being changed, e.g., 'Add support for UPSTREAM_OIDC_COMPONENT_IMAGE override and padlok wrapper in external OIDC deployment'.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the PR are stable and deterministic. Test titles use static, descriptive strings without dynamic values, UUIDs, timestamps, IP addresses, or generated suffixes.
Test Structure And Quality	✅ Passed	No Ginkgo test code was added or modified in this PR; the changes are limited to implementation code and deployment manifests. The check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. Changes are limited to operational code in sync_openshift_oauth_apiserver.go and deployment YAML config, so MicroShift compatibility check is not appl...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests (It, Describe, Context, When) were added in this PR. Changes are limited to operator code and deployment YAML, so SNO compatibility check does not apply.
Ote Binary Stdout Contract	✅ Passed	The klog.Info calls in syncExternalOIDCDeployment are called during controller runtime (not process-level code like main/init), and klog is configured to write to stderr, not stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are to operator workload sync logic and YAML deployment configuration only, not test code.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the PR changes.
Container-Privileges	✅ Passed	File externaloidc-deploy.yaml has privileged: true and runAsUser: 0, but includes explicit justification comment explaining the need to copy trust bundles to system directories, consistent with exi...

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rh-roman for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everettraven]

Note: this change isn't actually necessary. Just helpful for PoC-ing.

[everettraven]

Note: This isn't actually how we would do this, but this is sufficient for a PoC.

How we would really do this is likely another image pull spec environment variable that is injected by the CVO and used as the ${IMAGE} replacement.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

bindata/oauth-apiserver/externaloidc-deploy.yaml (1)

49-54: 🛠️ Refactor suggestion | 🟠 Major

Update test golden files to match the production manifest.

The production manifest at bindata/oauth-apiserver/externaloidc-deploy.yaml:49 uses exec padlok run (the external upstream OIDC component's entry point), but the test golden files still reference exec oauth-apiserver external-oidc. Since TestSyncOAuthAPIServerDeployment compares the generated deployment against these files using cmp.Diff(), the tests for scenarios 4, 5, and 6 will fail. Update pkg/operator/workload/testdata/sync_ds_scenario_{4,5,6}.yaml line 49 to use exec padlok run instead of exec oauth-apiserver external-oidc.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/oauth-apiserver/externaloidc-deploy.yaml` around lines 49 - 54, The
production manifest at bindata/oauth-apiserver/externaloidc-deploy.yaml has been
updated to use `exec padlok run` as the entry point command, but the test golden
files in pkg/operator/workload/testdata/ for scenarios 4, 5, and 6 still
reference the old `exec oauth-apiserver external-oidc` command. Update line 49
in sync_ds_scenario_4.yaml, sync_ds_scenario_5.yaml, and sync_ds_scenario_6.yaml
to replace `exec oauth-apiserver external-oidc` with `exec padlok run` to ensure
the TestSyncOAuthAPIServerDeployment test comparisons using cmp.Diff() will
pass.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/workload/sync_openshift_oauth_apiserver.go`:
- Around line 354-359: The code is logging the raw value of the
UPSTREAM_OIDC_COMPONENT_IMAGE environment variable in two places (the klog.Info
calls on lines 354 and 358), which can expose internal registry hostnames and
credentials. Remove the os.Getenv() calls from both klog.Info statements and
replace them with generic log messages that only indicate the variable was set
or is being used, such as "using upstream OIDC component image from environment"
or similar, without exposing the actual image reference value.

---

Outside diff comments:
In `@bindata/oauth-apiserver/externaloidc-deploy.yaml`:
- Around line 49-54: The production manifest at
bindata/oauth-apiserver/externaloidc-deploy.yaml has been updated to use `exec
padlok run` as the entry point command, but the test golden files in
pkg/operator/workload/testdata/ for scenarios 4, 5, and 6 still reference the
old `exec oauth-apiserver external-oidc` command. Update line 49 in
sync_ds_scenario_4.yaml, sync_ds_scenario_5.yaml, and sync_ds_scenario_6.yaml to
replace `exec oauth-apiserver external-oidc` with `exec padlok run` to ensure
the TestSyncOAuthAPIServerDeployment test comparisons using cmp.Diff() will
pass.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: de84751e-9acd-4829-8c2f-65fb9d3991e2

📥 Commits

Reviewing files that changed from the base of the PR and between 0291194 and 6662838.

📒 Files selected for processing (2)

• bindata/oauth-apiserver/externaloidc-deploy.yaml
• pkg/operator/workload/sync_openshift_oauth_apiserver.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid logging raw UPSTREAM_OIDC_COMPONENT_IMAGE values.

Line 354 and Line 358 emit the full env value; this can leak internal registry hostnames (and potentially credential-bearing image refs) into logs.

Suggested fix

-	klog.Info("UPSTREAM_OIDC_COMPONENT_IMAGE", os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"))
-	if upstreamImage := os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"); len(upstreamImage) > 0 {
+	upstreamImage := os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE")
+	if len(upstreamImage) > 0 {
 		imageToUse = upstreamImage

-		klog.Info("using UPSTREAM_OIDC_COMPONENT_IMAGE", os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"))
+		klog.V(2).Info("using UPSTREAM_OIDC_COMPONENT_IMAGE override")
 
 		// configure the API endpoint on the upstream component
 		args["authenticate-path"] = []string{"/apis/oauth.openshift.io/v1/tokenreviews"}
 	}

As per coding guidelines, "Flag logging that may expose ... internal hostnames ..." and "Never log secrets or credentials."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	klog.Info("UPSTREAM_OIDC_COMPONENT_IMAGE", os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"))
	if upstreamImage := os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"); len(upstreamImage) > 0 {
	imageToUse = upstreamImage
	klog.Info("using UPSTREAM_OIDC_COMPONENT_IMAGE", os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"))
	upstreamImage := os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE")
	if len(upstreamImage) > 0 {
	imageToUse = upstreamImage
	klog.V(2).Info("using UPSTREAM_OIDC_COMPONENT_IMAGE override")
	// configure the API endpoint on the upstream component
	args["authenticate-path"] = []string{"/apis/oauth.openshift.io/v1/tokenreviews"}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/workload/sync_openshift_oauth_apiserver.go` around lines 354 -
359, The code is logging the raw value of the UPSTREAM_OIDC_COMPONENT_IMAGE
environment variable in two places (the klog.Info calls on lines 354 and 358),
which can expose internal registry hostnames and credentials. Remove the
os.Getenv() calls from both klog.Info statements and replace them with generic
log messages that only indicate the variable was set or is being used, such as
"using upstream OIDC component image from environment" or similar, without
exposing the actual image reference value.

Source: Coding guidelines