Skip to content

Comments

OCPBUGS-77000, OCPBUGS-77013: OLM prompts for GCP Workload Identity parameters during Kiali Operato…#16051

Open
cajieh wants to merge 1 commit intoopenshift:mainfrom
cajieh:olm-prompt-gcp-no-gcp-token-auth-support
Open

OCPBUGS-77000, OCPBUGS-77013: OLM prompts for GCP Workload Identity parameters during Kiali Operato…#16051
cajieh wants to merge 1 commit intoopenshift:mainfrom
cajieh:olm-prompt-gcp-no-gcp-token-auth-support

Conversation

@cajieh
Copy link
Contributor

@cajieh cajieh commented Feb 23, 2026
edited
Loading

Bug:

On GCP Workload Identity Federation (WIF) clusters, the Console incorrectly prompts users for GCP Workload Identity parameters during operator installation (e.g., Kiali Operator), even when the operator explicitly declares it does not support GCP token authentication via features.operators.openshift.io/token-auth-gcp: "false".

Root Cause: ThegetInfrastructureFeaturesfunction in operator-hub-utils.ts used inconsistent logic for GCP compared to AWS and Azure:

AWS/Azure: Checked !== 'false' (opt-out)

GCP: Only checked if cluster was GCP WIF, ignoring the annotation entirely.

Fix: Changed all three cloud providers to use opt-in logic (=== 'true') for token authentication feature detection.

The `token-auth-{xxx} Annotations behavior change from opt-out to opt-in:

Annotation Value Before (opt-out) After (opt-in)
'true' Prompt shown Prompt shown
'false' No prompt No prompt
Missing/undefined Prompt shown No prompt

Previously (opt-out): Prompts were shown by default unless explicitly disabled.
Now (opt-in): Prompts are hidden by default unless explicitly enabled.
This prevents irrelevant prompts from appearing when the feature is not supported.

Kiali Operator : token-auth-GCP="false"

Before:

Screenshot 2026-02-23 at 2 51 30 PM

After:

Screenshot 2026-02-23 at 12 51 09 PM

Regression testing

Loki Operator : token-auth-GCP="true"

Screenshot 2026-02-23 at 4 14 46 PM

It would be good to verify this change for AWS and Azure.
cc: @yapei

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 23, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 23, 2026

@cajieh: This pull request references Jira Issue OCPBUGS-77000, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

…r installation despite no GCP token-auth support

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from Leo6Leo and spadgett February 23, 2026 17:02
@cajieh
Copy link
Contributor Author

cajieh commented Feb 23, 2026

/jira refresh

@openshift-ci openshift-ci bot added component/olm Related to OLM approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 23, 2026
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 23, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The changes refine the TokenAuthGCP feature resolution logic in the operator hub utilities by introducing a gcpTokenAuthIsSupported flag that evaluates both the cluster type (GCP WIF) and the TokenAuthGCP annotation state. This replaces direct reliance on clusterIsGCPWIF in the feature resolution condition. The test suite is expanded with two new test cases validating that the TokenAuthGCP feature is properly excluded when the annotation is explicitly set to false, covering both standalone and legacy infrastructure feature scenarios.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title references OCPBUGS-77000 and OCPBUGS-77013, and directly addresses the core issue: OLM incorrectly prompting for GCP WIF parameters when token-auth support is absent. This matches the changeset which adds logic to exclude TokenAuthGCP feature based on annotation state.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 23, 2026

@cajieh: An error was encountered updating to the POST state for bug OCPBUGS-77000 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message. No response returned: Post "https://issues.redhat.com/rest/api/2/issue/17894093/transitions": POST https://issues.redhat.com/rest/api/2/issue/17894093/transitions giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 23, 2026

@cajieh: An error was encountered updating to the POST state for bug OCPBUGS-77000 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.

Full error message. Error marking step #38842851 finished: root cause: Tried to update an entity that does not exist.: request failed. Please analyze the request body for more details. Status code: 400:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

…r installation despite no GCP token-auth support

Summary by CodeRabbit

Release Notes

  • Bug Fixes

  • Improved handling of TokenAuthGCP feature resolution on GCP WIF clusters by respecting explicit annotation settings to ensure accurate feature availability.

  • Tests

  • Added test coverage for TokenAuthGCP feature exclusion scenarios on GCP WIF clusters.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 23, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 23, 2026

@cajieh: This pull request references Jira Issue OCPBUGS-77000, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

Details

In response to this:

Before:

Screenshot 2026-02-23 at 2 51 48 PM

After:

Screenshot 2026-02-23 at 12 51 09 PM

…r installation despite no GCP token-auth support

Summary by CodeRabbit

Release Notes

  • Bug Fixes

  • Improved handling of TokenAuthGCP feature resolution on GCP WIF clusters by respecting explicit annotation settings to ensure accurate feature availability.

  • Tests

  • Added test coverage for TokenAuthGCP feature exclusion scenarios on GCP WIF clusters.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from yapei February 23, 2026 19:54
@cajieh
OLM prompts for GCP Workload Identity parameters during Kiali Operato…
1df2b45 
…r installation despite no GCP token-auth support
@cajieh cajieh force-pushed the olm-prompt-gcp-no-gcp-token-auth-support branch from b83ba0e to 1df2b45 Compare February 23, 2026 21:02
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 24, 2026

@cajieh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@cajieh cajieh changed the title OCPBUGS-77000: OLM prompts for GCP Workload Identity parameters during Kiali Operato… OCPBUGS-77000, OCPBUGS-77013: OLM prompts for GCP Workload Identity parameters during Kiali Operato… Feb 24, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Feb 24, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 24, 2026

@cajieh: This pull request references Jira Issue OCPBUGS-77000, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-77013, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bug:

On GCP Workload Identity Federation (WIF) clusters, the Console incorrectly prompts users for GCP Workload Identity parameters during operator installation (e.g., Kiali Operator), even when the operator explicitly declares it does not support GCP token authentication via features.operators.openshift.io/token-auth-gcp: "false".

Root Cause: The getInfrastructureFeatures function in operator-hub-utils.ts used inconsistent logic for GCP compared to AWS and Azure:

AWS/Azure: Checked !== 'false' (opt-out)

GCP: Only checked if cluster was GCP WIF, ignoring the annotation entirely.

Fix: Changed all three cloud providers to use opt-in logic (=== 'true') for token authentication feature detection.

The `token-auth-{xxx} Annotations behavior change from opt-out to opt-in:

Annotation Value Before (opt-out) After (opt-in)
'true' Prompt shown Prompt shown
'false' No prompt No prompt
Missing/undefined Prompt shown No prompt

Previously (opt-out): Prompts were shown by default unless explicitly disabled.
Now (opt-in): Prompts are hidden by default unless explicitly enabled.
This prevents irrelevant prompts from appearing when the feature is not supported.

Kiali Operator : token-auth-GCP="false"

Before:

Screenshot 2026-02-23 at 2 51 30 PM

After:

Screenshot 2026-02-23 at 12 51 09 PM

Regression testing

Loki Operator : token-auth-GCP="true"

Screenshot 2026-02-23 at 4 14 46 PM

It would be good to verify this change for AWS and Azure.
cc: @yapei

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@cajieh
Copy link
Contributor Author

cajieh commented Feb 24, 2026

/label acknowledge-critical-fixes-only

@openshift-ci openshift-ci bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Feb 24, 2026
jhadvig
jhadvig approved these changes Feb 24, 2026
View reviewed changes
Copy link
Member

@jhadvig jhadvig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @cajieh 👍
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 24, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cajieh, jhadvig

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cajieh
Copy link
Contributor Author

cajieh commented Feb 24, 2026

/verified later @yapei

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Feb 24, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 24, 2026

@cajieh: This PR has been marked to be verified later by @yapei.

Details

In response to this:

/verified later @yapei

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@cajieh
Copy link
Contributor Author

cajieh commented Feb 24, 2026

/jira refresh

@cajieh
Copy link
Contributor Author

cajieh commented Feb 24, 2026

/retest

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 24, 2026

@cajieh: This pull request references Jira Issue OCPBUGS-77000, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

This pull request references Jira Issue OCPBUGS-77013, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@cajieh
Copy link
Contributor Author

cajieh commented Feb 24, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 24, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 24, 2026

@cajieh: This pull request references Jira Issue OCPBUGS-77000, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

This pull request references Jira Issue OCPBUGS-77013, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (jiazha@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 24, 2026

@cajieh: This pull request references Jira Issue OCPBUGS-77000, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

This pull request references Jira Issue OCPBUGS-77013, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (jiazha@redhat.com), skipping review request.

Details

In response to this:

Bug:

On GCP Workload Identity Federation (WIF) clusters, the Console incorrectly prompts users for GCP Workload Identity parameters during operator installation (e.g., Kiali Operator), even when the operator explicitly declares it does not support GCP token authentication via features.operators.openshift.io/token-auth-gcp: "false".

Root Cause: ThegetInfrastructureFeaturesfunction in operator-hub-utils.ts used inconsistent logic for GCP compared to AWS and Azure:

AWS/Azure: Checked !== 'false' (opt-out)

GCP: Only checked if cluster was GCP WIF, ignoring the annotation entirely.

Fix: Changed all three cloud providers to use opt-in logic (=== 'true') for token authentication feature detection.

The `token-auth-{xxx} Annotations behavior change from opt-out to opt-in:

Annotation Value Before (opt-out) After (opt-in)
'true' Prompt shown Prompt shown
'false' No prompt No prompt
Missing/undefined Prompt shown No prompt

Previously (opt-out): Prompts were shown by default unless explicitly disabled.
Now (opt-in): Prompts are hidden by default unless explicitly enabled.
This prevents irrelevant prompts from appearing when the feature is not supported.

Kiali Operator : token-auth-GCP="false"

Before:

Screenshot 2026-02-23 at 2 51 30 PM

After:

Screenshot 2026-02-23 at 12 51 09 PM

Regression testing

Loki Operator : token-auth-GCP="true"

Screenshot 2026-02-23 at 4 14 46 PM

It would be good to verify this change for AWS and Azure.
cc: @yapei

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhadvig jhadvig jhadvig approved these changes

@Leo6Leo Leo6Leo Awaiting requested review from Leo6Leo

@spadgett spadgett Awaiting requested review from spadgett

@yapei yapei Awaiting requested review from yapei

Assignees

@jhadvig jhadvig

Labels

acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. component/olm Related to OLM jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria verified-later

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cajieh @openshift-ci-robot @jhadvig