openshift · openshift-cherrypick-robot · Oct 13, 2025 · Oct 13, 2025 · Oct 14, 2025
diff --git a/manifests/08_clusteroperator.yaml b/manifests/08_clusteroperator.yaml
@@ -49,5 +49,3 @@ status:
   versions:
   - name: operator
     version: "0.0.1-snapshot"
-  - name: oauth-openshift
-    version: "0.0.1-snapshot_openshift"
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -474,6 +474,11 @@ func prepareOauthAPIServerOperator(
 		statusControllerOptions = append(statusControllerOptions, apiservercontrollerset.WithStatusControllerPdbCompatibleHighInertia("(APIServer|OAuthServer)"))
 	}
 
+	// configure version removal so it removes versions it doesn't know about.
+	statusControllerOptions = append(statusControllerOptions, func(ss *status.StatusSyncer) *status.StatusSyncer {
+		return ss.WithVersionRemoval()
+	})
+
 	const apiServerConditionsPrefix = "APIServer"
 
 	apiServerControllers, err := apiservercontrollerset.NewAPIServerControllerSet(

diff --git a/test/e2e-oidc/external_oidc_test.go b/test/e2e-oidc/external_oidc_test.go
@@ -704,6 +704,7 @@ func (tc *testClient) validateOAuthState(t *testing.T, ctx context.Context, requ
 		validationErrs = append(validationErrs, validateOAuthResources(ctx, dynamicClient, requireMissing)...)
 		validationErrs = append(validationErrs, validateOAuthRoutes(ctx, tc.routeClient, tc.configClient, requireMissing)...)
 		validationErrs = append(validationErrs, validateOAuthControllerConditions(tc.operatorClient, requireMissing)...)
+		validationErrs = append(validationErrs, validateOperandVersions(ctx, tc.configClient, requireMissing)...)
 		return len(validationErrs) == 0, nil
 	})
 
@@ -849,6 +850,33 @@ func validateOAuthControllerConditions(operatorClient v1helpers.OperatorClient,
 	return nil
 }
 
+func validateOperandVersions(ctx context.Context, cfgClient *configclient.Clientset, requireMissing bool) []error {
+	operands := sets.New("oauth-apiserver", "oauth-openshift")
+
+	authnClusterOperator, err := cfgClient.ConfigV1().ClusterOperators().Get(ctx, "authentication", metav1.GetOptions{})
+	if err != nil {
+		return []error{fmt.Errorf("fetching authentication ClusterOperator: %w", err)}
+	}
+
+	foundOperands := []string{}
+	for _, version := range authnClusterOperator.Status.Versions {
+		if operands.Has(version.Name) {
+			foundOperands = append(foundOperands, version.Name)
+		}
+	}
+
+	if requireMissing && len(foundOperands) > 0 {
+		return []error{fmt.Errorf("authentication ClusterOperator status has operands %v in versions when they should be unset", foundOperands)}
+	}
+
+	foundSet := sets.New(foundOperands...)
+	if !requireMissing && !foundSet.Equal(operands) {
+		return []error{fmt.Errorf("authentication ClusterOperator status expected to have operands %v in versions but got %v", operands.UnsortedList(), foundOperands)}
+	}
+
+	return nil
+}
+
 func (tc *testClient) testOIDCAuthentication(t *testing.T, ctx context.Context, kcClient *test.KeycloakClient, usernameClaim, usernamePrefix string, expectAuthSuccess bool) {
 	// re-authenticate to ensure we always have a fresh token
 	var err error