externaloidc: return errors when node statuses cannot be used to determine oidc state

liouk · liouk · commit 4d280bd034e7 · 2025-10-23T11:14:42.000+02:00
diff --git a/pkg/controllers/common/external_oidc.go b/pkg/controllers/common/external_oidc.go
@@ -67,13 +67,26 @@ func (c *AuthConfigChecker) OIDCAvailable() (bool, error) {
 		return false, fmt.Errorf("getting kubeapiservers.operator.openshift.io/cluster: %v", err)
 	}
 
+	if len(kas.Status.NodeStatuses) == 0 {
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; no node statuses found")
+	}
+
 	observedRevisions := sets.New[int32]()
+	nodesWithEmptyRevision := false
 	for _, nodeStatus := range kas.Status.NodeStatuses {
-		observedRevisions.Insert(nodeStatus.CurrentRevision)
+		if nodeStatus.CurrentRevision > 0 {
+			observedRevisions.Insert(nodeStatus.CurrentRevision)
+		} else {
+			nodesWithEmptyRevision = true
+		}
+	}
+
+	if nodesWithEmptyRevision {
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; some nodes do not have a valid CurrentRevision")
 	}
 
 	if observedRevisions.Len() == 0 {
-		return false, nil
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; no observed revisions found")
 	}
 
 	for _, revision := range observedRevisions.UnsortedList() {
diff --git a/pkg/controllers/common/external_oidc_test.go b/pkg/controllers/common/external_oidc_test.go
@@ -32,7 +32,29 @@ func TestExternalOIDCConfigAvailable(t *testing.T) {
 			name:            "no node statuses observed",
 			authType:        configv1.AuthenticationTypeOIDC,
 			expectAvailable: false,
-			expectError:     false,
+			expectError:     true,
+		},
+		{
+			name:     "some node revisions are zero",
+			authType: configv1.AuthenticationTypeOIDC,
+			nodeStatuses: []operatorv1.NodeStatus{
+				{CurrentRevision: 10},
+				{CurrentRevision: 10},
+				{CurrentRevision: 0},
+			},
+			expectAvailable: false,
+			expectError:     true,
+		},
+		{
+			name:     "node revisions are zero",
+			authType: configv1.AuthenticationTypeOIDC,
+			nodeStatuses: []operatorv1.NodeStatus{
+				{CurrentRevision: 0},
+				{CurrentRevision: 0},
+				{CurrentRevision: 0},
+			},
+			expectAvailable: false,
+			expectError:     true,
 		},
 		{
 			name:       "oidc disabled, no rollout",
