NO-JIRA: externaloidc: return errors when node statuses cannot be used to determine oidc state

pkg/controllers/common/external_oidc.go

@@ -12,6 +12,7 @@ import (
 	"github.com/openshift/library-go/pkg/controller/factory"
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -67,19 +68,38 @@ func (c *AuthConfigChecker) OIDCAvailable() (bool, error) {
 		return false, fmt.Errorf("getting kubeapiservers.operator.openshift.io/cluster: %v", err)
 	}
 
+	if len(kas.Status.NodeStatuses) == 0 {
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; no node statuses found")
+	}
+
 	observedRevisions := sets.New[int32]()
+	nodesWithEmptyRevision := false
 	for _, nodeStatus := range kas.Status.NodeStatuses {
-		observedRevisions.Insert(nodeStatus.CurrentRevision)
+		if nodeStatus.CurrentRevision > 0 {
+			klog.Infof("[debug-801] node '%s' is on revision %d", nodeStatus.NodeName, nodeStatus.CurrentRevision)
+			observedRevisions.Insert(nodeStatus.CurrentRevision)
+		} else {
+			nodesWithEmptyRevision = true
+		}
+	}
+
+	if nodesWithEmptyRevision {
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; some nodes do not have a valid CurrentRevision")
 	}
 
 	if observedRevisions.Len() == 0 {
-		return false, nil
+		return false, fmt.Errorf("determining observed revisions in kubeapiservers.operator.openshift.io/cluster; no observed revisions found")
+	}
+
+	if !c.kasNamespaceConfigMapsInformer.HasSynced() {
+		return false, fmt.Errorf("configmaps informer has not synced yet")
 	}
 
 	for _, revision := range observedRevisions.UnsortedList() {
 		// ensure every observed revision includes an auth-config revisioned configmap
 		_, err := c.kasConfigMapLister.ConfigMaps("openshift-kube-apiserver").Get(fmt.Sprintf("auth-config-%d", revision))
 		if errors.IsNotFound(err) {
+			klog.Infof("[debug-801] configmap auth-config-%d not found; informer HasSynced=%v", revision, c.kasNamespaceConfigMapsInformer.HasSynced())
 			return false, nil
 		} else if err != nil {
 			return false, fmt.Errorf("getting configmap openshift-kube-apiserver/auth-config-%d: %v", revision, err)
@@ -96,6 +116,7 @@ func (c *AuthConfigChecker) OIDCAvailable() (bool, error) {
 		if !strings.Contains(cm.Data["config.yaml"], `"oauthMetadataFile":""`) ||
 			strings.Contains(cm.Data["config.yaml"], `"authentication-token-webhook-config-file":`) ||
 			!strings.Contains(cm.Data["config.yaml"], `"authentication-config":["/etc/kubernetes/static-pod-resources/configmaps/auth-config/auth-config.json"]`) {
+			klog.Infof("[debug-801] configmap config-%d does not contain expected OIDC config", revision)
 			return false, nil
 		}
 	}

pkg/controllers/common/external_oidc_test.go

@@ -32,7 +32,29 @@ func TestExternalOIDCConfigAvailable(t *testing.T) {
 			name:            "no node statuses observed",
 			authType:        configv1.AuthenticationTypeOIDC,
 			expectAvailable: false,
-			expectError:     false,
+			expectError:     true,
+		},
+		{
+			name:     "some node revisions are zero",
+			authType: configv1.AuthenticationTypeOIDC,
+			nodeStatuses: []operatorv1.NodeStatus{
+				{CurrentRevision: 10},
+				{CurrentRevision: 10},
+				{CurrentRevision: 0},
+			},
+			expectAvailable: false,
+			expectError:     true,
+		},
+		{
+			name:     "node revisions are zero",
+			authType: configv1.AuthenticationTypeOIDC,
+			nodeStatuses: []operatorv1.NodeStatus{
+				{CurrentRevision: 0},
+				{CurrentRevision: 0},
+				{CurrentRevision: 0},
+			},
+			expectAvailable: false,
+			expectError:     true,
 		},
 		{
 			name:       "oidc disabled, no rollout",

pkg/libs/endpointaccessible/endpoint_accessible_controller.go

@@ -12,6 +12,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog/v2"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
 	applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
@@ -78,14 +79,20 @@ func humanizeError(err error) error {
 
 func (c *endpointAccessibleController) sync(ctx context.Context, syncCtx factory.SyncContext) error {
 	if c.endpointCheckDisabledFunc != nil {
+		klog.Infof("[debug-801] found non-nil endpointCheckDisabledFunc")
 		if skip, err := c.endpointCheckDisabledFunc(); err != nil {
+			klog.Errorf("[debug-801] endpointCheckDisabledFunc returned an error: %v", err)
 			return err
 		} else if skip {
 			// Server-Side-Apply with an empty operator status for the specific field manager
 			// will effectively remove any conditions owned by it since the list type in the
 			// API definition is 'map'
+			klog.Infof("[debug-801] endpointCheckDisabledFunc returned true; skipping endpoint check")
 			return c.operatorClient.ApplyOperatorStatus(ctx, c.controllerInstanceName, applyoperatorv1.OperatorStatus())
 		}
+		klog.Infof("[debug-801] endpointCheckDisabledFunc returned false; will not skip endpoint check")
+	} else {
+		klog.Infof("[debug-801] endpointCheckDisabledFunc is nil; will not skip endpoint check")
 	}
 
 	endpoints, err := c.endpointListFn()