NO-JIRA: om: add a test for the oauth-apiserver controller

pkg/cmd/mom/output_resources_command.go

@@ -30,6 +30,7 @@ func runOutputResources(ctx context.Context) (*libraryoutputresources.OutputReso
 				libraryoutputresources.ExactConfigMap("openshift-authentication", "audit"),
 				libraryoutputresources.ExactConfigMap("openshift-authentication", "v4-0-config-system-trusted-ca-bundle"),
 				libraryoutputresources.ExactDeployment("openshift-authentication", "oauth-openshift"),
+				libraryoutputresources.ExactDeployment("openshift-oauth-apiserver", "apiserver"),
 				libraryoutputresources.ExactSecret("openshift-authentication", "v4-0-config-system-session"),
 				libraryoutputresources.ExactSecret("openshift-authentication", "v4-0-config-system-ocp-branding-template"),
 				libraryoutputresources.ExactService("openshift-authentication", "oauth-openshift"),

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/c5b3-body-cluster.yaml

@@ -0,0 +1,30 @@
+apiVersion: operator.openshift.io/v1
+kind: Authentication
+metadata:
+  name: cluster
+status:
+  conditions:
+  - lastTransitionTime: "2024-10-14T22:38:20Z"
+    message: no apiserver.openshift-oauth-apiserver pods available on any node.
+    reason: NoPod
+    status: "False"
+    type: APIServerDeploymentAvailable
+  - lastTransitionTime: "2025-09-09T00:08:37Z"
+    reason: AsExpected
+    status: "False"
+    type: APIServerDeploymentDegraded
+  - lastTransitionTime: "2024-10-14T22:38:20Z"
+    message: 'deployment/apiserver.openshift-oauth-apiserver: 0/1 pods have been updated
+      to the latest generation and 0/1 pods are available'
+    reason: PodsUpdating
+    status: "True"
+    type: APIServerDeploymentProgressing
+  - lastTransitionTime: "2025-09-09T00:08:37Z"
+    status: "False"
+    type: APIServerWorkloadDegraded
+  generations:
+  - group: apps
+    lastGeneration: 0
+    name: apiserver
+    namespace: openshift-oauth-apiserver
+    resource: deployments

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/c5b3-metadata-cluster.yaml

@@ -0,0 +1,9 @@
+action: ApplyStatus
+controllerInstanceName: OAuthAPIServerController-WorkloadWorkloadController
+fieldManager: OAuthAPIServerController-Workload
+generateName: ""
+name: cluster
+resourceType:
+  Group: operator.openshift.io
+  Resource: authentications
+  Version: v1

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/c5b3-options-cluster.yaml

@@ -0,0 +1,2 @@
+fieldManager: OAuthAPIServerController-Workload
+force: true

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/638b-body-authentication-operator.17fe72c59b829800.a1874ea9.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+count: 1
+eventTime: null
+firstTimestamp: "2024-10-14T22:38:20Z"
+involvedObject:
+  kind: Deployment
+  name: authentication-operator
+  namespace: openshift-authentication-operator
+kind: Event
+lastTimestamp: "2024-10-14T22:38:20Z"
+message: Created Deployment.apps/apiserver -n openshift-oauth-apiserver because it
+  was missing
+metadata:
+  name: authentication-operator.17fe72c59b829800.a1874ea9
+  namespace: openshift-authentication-operator
+reason: DeploymentCreated
+reportingComponent: ""
+reportingInstance: ""
+source:
+  component: cluster-authentication-operator-run-once-sync-context
+type: Normal

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/Management/Create/namespaces/openshift-authentication-operator/core/events/638b-metadata-authentication-operator.17fe72c59b829800.a1874ea9.yaml

@@ -0,0 +1,9 @@
+action: Create
+controllerInstanceName: ""
+generateName: ""
+name: authentication-operator.17fe72c59b829800.a1874ea9
+namespace: openshift-authentication-operator
+resourceType:
+  Group: ""
+  Resource: events
+  Version: v1

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/Management/Create/namespaces/openshift-oauth-apiserver/apps/deployments/7350-body-apiserver.yaml

@@ -0,0 +1,215 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    openshiftapiservers.operator.openshift.io/operator-pull-spec: ""
+    operator.openshift.io/spec-hash: b8ea01ab9a9bcf14e72373c020dfae9a968e1b8e5cd4b467a3fc6ae9fdbacff1
+  labels:
+    apiserver: "true"
+    app: openshift-oauth-apiserver
+    revision: "1"
+  name: apiserver
+  namespace: openshift-oauth-apiserver
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      apiserver: "true"
+      app: openshift-oauth-apiserver
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        openshift.io/required-scc: privileged
+        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+      labels:
+        apiserver: "true"
+        app: openshift-oauth-apiserver
+        oauth-apiserver-anti-affinity: "true"
+        revision: "1"
+      name: openshift-oauth-apiserver
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                apiserver: "true"
+                app: openshift-oauth-apiserver
+                oauth-apiserver-anti-affinity: "true"
+            topologyKey: kubernetes.io/hostname
+      containers:
+      - args:
+        - |
+          if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then
+            echo "Copying system trust bundle"
+            cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+          fi
+          exec oauth-apiserver start \
+            --secure-port=8443 \
+            --audit-log-path=/var/log/oauth-apiserver/audit.log \
+            --audit-log-format=json \
+            --audit-log-maxsize=100 \
+            --audit-log-maxbackup=10 \
+            --audit-policy-file=/var/run/configmaps/audit/policy.yaml \
+            --etcd-cafile=/var/run/configmaps/etcd-serving-ca/ca-bundle.crt \
+            --etcd-keyfile=/var/run/secrets/etcd-client/tls.key \
+            --etcd-certfile=/var/run/secrets/etcd-client/tls.crt \
+            --etcd-healthcheck-timeout=9s \
+            --etcd-readycheck-timeout=9s \
+            --shutdown-delay-duration=50s \
+            --shutdown-send-retry-after=true \
+            --tls-private-key-file=/var/run/secrets/serving-cert/tls.key \
+            --tls-cert-file=/var/run/secrets/serving-cert/tls.crt \
+            --enable-priority-and-fairness=false \
+            --api-audiences=https://kubernetes.default.svc \
+            --cors-allowed-origins='//127\.0\.0\.1(:|$)' \
+            --cors-allowed-origins='//localhost(:|$)' \
+            --etcd-servers=https://10.0.0.3:2379 \
+            --etcd-servers=https://10.0.0.4:2379 \
+            --etcd-servers=https://10.0.0.5:2379 \
+            --tls-cipher-suites=TLS_AES_128_GCM_SHA256 \
+            --tls-cipher-suites=TLS_AES_256_GCM_SHA384 \
+            --tls-cipher-suites=TLS_CHACHA20_POLY1305_SHA256 \
+            --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
+            --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
+            --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
+            --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
+            --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
+            --tls-cipher-suites=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
+            --tls-min-version=VersionTLS12 \
+            --v=2
+        command:
+        - /bin/bash
+        - -ec
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: livez?exclude=etcd
+            port: 8443
+            scheme: HTTPS
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 10
+        name: oauth-apiserver
+        ports:
+        - containerPort: 8443
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: readyz?exclude=etcd&exclude=etcd-readiness
+            port: 8443
+            scheme: HTTPS
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 10
+        resources:
+          requests:
+            cpu: 150m
+            memory: 200Mi
+        securityContext:
+          privileged: true
+          runAsUser: 0
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: livez
+            port: 8443
+            scheme: HTTPS
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 10
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /var/run/configmaps/audit
+          name: audit-policies
+        - mountPath: /var/run/secrets/etcd-client
+          name: etcd-client
+        - mountPath: /var/run/configmaps/etcd-serving-ca
+          name: etcd-serving-ca
+        - mountPath: /var/run/configmaps/trusted-ca-bundle
+          name: trusted-ca-bundle
+        - mountPath: /var/run/secrets/serving-cert
+          name: serving-cert
+        - mountPath: /var/run/secrets/encryption-config
+          name: encryption-config
+        - mountPath: /var/log/oauth-apiserver
+          name: audit-dir
+      initContainers:
+      - command:
+        - sh
+        - -c
+        - chmod 0700 /var/log/oauth-apiserver && touch /var/log/oauth-apiserver/audit.log
+          && chmod 0600 /var/log/oauth-apiserver/*
+        imagePullPolicy: IfNotPresent
+        name: fix-audit-permissions
+        resources:
+          requests:
+            cpu: 15m
+            memory: 50Mi
+        securityContext:
+          privileged: true
+          runAsUser: 0
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /var/log/oauth-apiserver
+          name: audit-dir
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      priorityClassName: system-node-critical
+      serviceAccountName: oauth-apiserver-sa
+      terminationGracePeriodSeconds: 120
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 120
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 120
+      volumes:
+      - configMap:
+          name: audit-1
+        name: audit-policies
+      - name: etcd-client
+        secret:
+          secretName: etcd-client
+      - configMap:
+          name: etcd-serving-ca
+        name: etcd-serving-ca
+      - name: serving-cert
+        secret:
+          secretName: serving-cert
+      - configMap:
+          items:
+          - key: ca-bundle.crt
+            path: tls-ca-bundle.pem
+          name: trusted-ca-bundle
+          optional: true
+        name: trusted-ca-bundle
+      - name: encryption-config
+        secret:
+          optional: true
+          secretName: encryption-config-1
+      - hostPath:
+          path: /var/log/oauth-apiserver
+        name: audit-dir
+status: {}

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/Management/Create/namespaces/openshift-oauth-apiserver/apps/deployments/7350-metadata-apiserver.yaml

@@ -0,0 +1,9 @@
+action: Create
+controllerInstanceName: OAuthAPIServerController-WorkloadWorkloadController
+generateName: ""
+name: apiserver
+namespace: openshift-oauth-apiserver
+resourceType:
+  Group: apps
+  Resource: deployments
+  Version: v1

test-data/apply-configuration/overall/oauth-apiserver-creation-minimal/expected-output/controller-results.yaml

@@ -0,0 +1,81 @@
+controllerResults:
+- controllerName: APIServerStaticResources-StaticResources
+  status: Skipped
+- controllerName: NamespaceFinalizerController_openshift-oauth-apiserver
+  status: Skipped
+- controllerName: OAuthAPIServerController-WorkloadWorkloadController
+  status: Succeeded
+- controllerName: RevisionController
+  status: Skipped
+- controllerName: SecretRevisionPruneController
+  status: Skipped
+- controllerName: TODO-authRouteCheckController
+  status: Skipped
+- controllerName: TODO-authServiceCheckController
+  status: Skipped
+- controllerName: TODO-authServiceEndpointCheckController
+  status: Skipped
+- controllerName: TODO-authenticatorCertRequester
+  status: Skipped
+- controllerName: TODO-configObserver
+  status: Skipped
+- controllerName: TODO-configOverridesController
+  status: Skipped
+- controllerName: TODO-customRouteController
+  status: Skipped
+- controllerName: TODO-deploymentController
+  status: Skipped
+- controllerName: TODO-ingressStateController
+  status: Skipped
+- controllerName: TODO-logLevelController
+  status: Skipped
+- controllerName: TODO-managementStateController
+  status: Skipped
+- controllerName: TODO-metadataController
+  status: Skipped
+- controllerName: TODO-oauthClientsSwitchedController
+  status: Skipped
+- controllerName: TODO-other-configObserver
+  status: Skipped
+- controllerName: TODO-other-externalOIDCController
+  status: Skipped
+- controllerName: TODO-payloadConfigController
+  status: Skipped
+- controllerName: TODO-proxyConfigController
+  status: Skipped
+- controllerName: TODO-resourceSyncer
+  status: Skipped
+- controllerName: TODO-routerCertsController
+  status: Skipped
+- controllerName: TODO-serviceCAController
+  status: Skipped
+- controllerName: TODO-staleConditions
+  status: Skipped
+- controllerName: TODO-staticResourceController
+  status: Skipped
+- controllerName: TODO-trustDistributionController
+  status: Skipped
+- controllerName: TODO-webhookAuthController
+  status: Skipped
+- controllerName: TODO-webhookCertsApprover
+  status: Skipped
+- controllerName: TODO-wellKnownReadyController
+  status: Skipped
+- controllerName: TODO-workersAvailableController
+  status: Skipped
+- controllerName: auditPolicyController
+  status: Skipped
+- controllerName: authentication
+  status: Skipped
+- controllerName: openshift-apiserver-APIService
+  status: Skipped
+- controllerName: openshift-oauth-apiserver-EncryptionCondition
+  status: Skipped
+- controllerName: openshift-oauth-apiserver-EncryptionKey
+  status: Skipped
+- controllerName: openshift-oauth-apiserver-EncryptionMigration
+  status: Skipped
+- controllerName: openshift-oauth-apiserver-EncryptionPrune
+  status: Skipped
+- controllerName: openshift-oauth-apiserver-EncryptionState
+  status: Skipped