OCPBUGS-83754: fix(config/v1): define constants for authentication types as typed constants by ingvagabund · Pull Request #2814 · openshift/api

ingvagabund · 2026-04-18T11:08:52Z

Without defining the string literals as typed constants the generated openapi schema produces SchemaProps Enum property with an empty list instead of a list of the string literals.

With this fix the generated openapi diff:

diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go
index 7d5f0064a..5fe7cf567 100644
--- a/pkg/openapi/zz_generated.openapi.go
+++ b/pkg/openapi/zz_generated.openapi.go
@@ -21060,11 +21060,11 @@ func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.Referenc
                                Properties: map[string]spec.Schema{
                                        "type": {
                                                SchemaProps: spec.SchemaProps{
-                                                       Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
+                                                       Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.\n\n\nPossible enum values:\n - `\"RequiredClaim\"`",
                                                        Default:     "",
                                                        Type:        []string{"string"},
                                                        Format:      "",
-                                                       Enum:        []interface{}{},
+                                                       Enum:        []interface{}{"RequiredClaim"},
                                                },
                                        },
                                        "requiredClaim": {
@@ -21324,11 +21324,11 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal
                                        },
                                        "prefixPolicy": {
                                                SchemaProps: spec.SchemaProps{
-                                                       Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
+                                                       Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"\n\n\nPossible enum values:\n - `\"\"` let's the cluster assign prefixes. If the username claim is email, there is no prefix If the username claim is anything else, it is prefixed by the issuerURL\n - `\"NoPrefix\"` means the username claim value will not have any prefix\n - `\"Prefix\"` means the prefix value must be specified. It cannot be empty",
                                                        Default:     "",
                                                        Type:        []string{"string"},
                                                        Format:      "",
-                                                       Enum:        []interface{}{},
+                                                       Enum:        []interface{}{"", "NoPrefix", "Prefix"},
                                                },
                                        },
                                        "prefix": {

openshift-merge-bot · 2026-04-18T11:08:55Z

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

openshift-ci-robot · 2026-04-18T11:08:59Z

@ingvagabund: This pull request references Jira Issue OCPBUGS-83754, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (5.0.0) matches configured target version for branch (5.0.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Without defining the string literals as typed constants the generated openapi schema produces SchemaProps Enum property with an empty list instead of a list of the string literals.

With this fix the generated openapi diff:

diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go
index 7d5f0064a..5fe7cf567 100644
--- a/pkg/openapi/zz_generated.openapi.go
+++ b/pkg/openapi/zz_generated.openapi.go
@@ -21060,11 +21060,11 @@ func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.Referenc
                               Properties: map[string]spec.Schema{
                                       "type": {
                                               SchemaProps: spec.SchemaProps{
-                                                       Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
+                                                       Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.\n\n\nPossible enum values:\n - `\"RequiredClaim\"`",
                                                       Default:     "",
                                                       Type:        []string{"string"},
                                                       Format:      "",
-                                                       Enum:        []interface{}{},
+                                                       Enum:        []interface{}{"RequiredClaim"},
                                               },
                                       },
                                       "requiredClaim": {
@@ -21324,11 +21324,11 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal
                                       },
                                       "prefixPolicy": {
                                               SchemaProps: spec.SchemaProps{
-                                                       Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
+                                                       Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"\n\n\nPossible enum values:\n - `\"\"` let's the cluster assign prefixes. If the username claim is email, there is no prefix If the username claim is anything else, it is prefixed by the issuerURL\n - `\"NoPrefix\"` means the username claim value will not have any prefix\n - `\"Prefix\"` means the prefix value must be specified. It cannot be empty",
                                                       Default:     "",
                                                       Type:        []string{"string"},
                                                       Format:      "",
-                                                       Enum:        []interface{}{},
+                                                       Enum:        []interface{}{"", "NoPrefix", "Prefix"},
                                               },
                                       },
                                       "prefix": {

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2026-04-18T11:09:01Z

Hello @ingvagabund! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

coderabbitai · 2026-04-18T11:09:11Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 27b26e90-2459-49c6-af80-ff7d94a54ff1

📥 Commits

Reviewing files that changed from the base of the PR and between 45788ff and a9c7893.

⛔ Files ignored due to path filters (2)

openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (1)

config/v1/types_authentication.go

🚧 Files skipped from review as they are similar to previous changes (1)

config/v1/types_authentication.go

📝 Walkthrough

Walkthrough

The change updates constant declarations in config/v1/types_authentication.go. The UsernamePrefixPolicy exported values are converted from a var block to a const block (NoOpinion, NoPrefix, Prefix). Two TokenValidationRuleType exports (TokenValidationRuleTypeRequiredClaim, TokenValidationRuleTypeCEL) are changed to be explicitly typed as TokenValidationRuleType while retaining their string literal values.

🚥 Pre-merge checks | ✅ 10

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: converting authentication type string literals to typed constants in config/v1.
Description check	✅ Passed	The description clearly explains the motivation (fixing empty Enum lists in OpenAPI schema) and provides a concrete diff demonstrating the fix.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable Ginkgo test names is not applicable. The PR only modifies constant declarations in a non-test file, introducing no Ginkgo tests.
Test Structure And Quality	✅ Passed	The PR modifies type definitions in config/v1/types_authentication.go, converting constants from var to const blocks. No Ginkgo test code changes are present, so test quality requirements do not apply.
Microshift Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests. Changes are limited to type definitions in config/v1/types_authentication.go.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies config/v1/types_authentication.go, a type definitions file, not a Ginkgo e2e test file. No e2e tests are added.
Topology-Aware Scheduling Compatibility	✅ Passed	Modified file contains only type definitions for authentication configuration; no topology-aware scheduling constraints detected.
Ote Binary Stdout Contract	✅ Passed	PR only modifies const/var declarations in types_authentication.go with no stdout-writing code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not introduce any new Ginkgo e2e tests. The changes are purely to type definitions and constants in the authentication configuration module to improve OpenAPI schema generation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

JoelSpeed · 2026-04-20T09:57:18Z

Need to update the codegen, but otherwise LGTM

…nstants Without defining the string literals as typed constants the generated openapi schema produces SchemaProps Enum property with an empty list instead of a list of the string literals.

openshift-ci · 2026-04-20T11:34:39Z

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

ingvagabund · 2026-04-20T12:42:47Z

/verified by CI

openshift-ci-robot · 2026-04-20T12:43:04Z

@ingvagabund: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

everettraven

/lgtm

openshift-merge-bot · 2026-04-20T13:17:56Z

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

The changed files don't match any pipeline_run_if_changed patterns
All files match pipeline_skip_if_only_changed patterns
No pipeline-controlled jobs are defined for the master branch

Use /test ? to see all available tests.

openshift-ci · 2026-04-20T13:19:07Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [everettraven]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2026-04-20T13:22:20Z

@ingvagabund: Jira Issue Verification Checks: Jira Issue OCPBUGS-83754
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-83754 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Without defining the string literals as typed constants the generated openapi schema produces SchemaProps Enum property with an empty list instead of a list of the string literals.

With this fix the generated openapi diff:

diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go
index 7d5f0064a..5fe7cf567 100644
--- a/pkg/openapi/zz_generated.openapi.go
+++ b/pkg/openapi/zz_generated.openapi.go
@@ -21060,11 +21060,11 @@ func schema_openshift_api_config_v1_TokenClaimValidationRule(ref common.Referenc
                               Properties: map[string]spec.Schema{
                                       "type": {
                                               SchemaProps: spec.SchemaProps{
-                                                       Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.",
+                                                       Description: "type is an optional field that configures the type of the validation rule.\n\nAllowed values are 'RequiredClaim' and omitted (not provided or an empty string).\n\nWhen set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.\n\nDefaults to 'RequiredClaim'.\n\n\nPossible enum values:\n - `\"RequiredClaim\"`",
                                                       Default:     "",
                                                       Type:        []string{"string"},
                                                       Format:      "",
-                                                       Enum:        []interface{}{},
+                                                       Enum:        []interface{}{"RequiredClaim"},
                                               },
                                       },
                                       "requiredClaim": {
@@ -21324,11 +21324,11 @@ func schema_openshift_api_config_v1_UsernameClaimMapping(ref common.ReferenceCal
                                       },
                                       "prefixPolicy": {
                                               SchemaProps: spec.SchemaProps{
-                                                       Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"",
+                                                       Description: "prefixPolicy is an optional field that configures how a prefix should be applied to the value of the JWT claim specified in the 'claim' field.\n\nAllowed values are 'Prefix', 'NoPrefix', and omitted (not provided or an empty string).\n\nWhen set to 'Prefix', the value specified in the prefix field will be prepended to the value of the JWT claim. The prefix field must be set when prefixPolicy is 'Prefix'.\n\nWhen set to 'NoPrefix', no prefix will be prepended to the value of the JWT claim.\n\nWhen omitted, this means no opinion and the platform is left to choose any prefixes that are applied which is subject to change over time. Currently, the platform prepends `{issuerURL}#` to the value of the JWT claim when the claim is not 'email'. As an example, consider the following scenario:\n   `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`,\n   the JWT claims include \"username\":\"userA\" and \"email\":\"userA@myoidc.tld\",\n   and `claim` is set to:\n   - \"username\": the mapped value will be \"https://myoidc.tld#userA\"\n   - \"email\": the mapped value will be \"userA@myoidc.tld\"\n\n\nPossible enum values:\n - `\"\"` let's the cluster assign prefixes. If the username claim is email, there is no prefix If the username claim is anything else, it is prefixed by the issuerURL\n - `\"NoPrefix\"` means the username claim value will not have any prefix\n - `\"Prefix\"` means the prefix value must be specified. It cannot be empty",
                                                       Default:     "",
                                                       Type:        []string{"string"},
                                                       Format:      "",
-                                                       Enum:        []interface{}{},
+                                                       Enum:        []interface{}{"", "NoPrefix", "Prefix"},
                                               },
                                       },
                                       "prefix": {

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Apr 18, 2026

openshift-ci bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Apr 18, 2026

openshift-ci bot requested review from JoelSpeed and everettraven April 18, 2026 11:09

ingvagabund force-pushed the define-enums-as-consts branch from 2873deb to 45788ff Compare April 20, 2026 10:14

fix(config/v1): define constants for authentication types as typed co…

a9c7893

…nstants Without defining the string literals as typed constants the generated openapi schema produces SchemaProps Enum property with an empty list instead of a list of the string literals.

ingvagabund force-pushed the define-enums-as-consts branch from 45788ff to a9c7893 Compare April 20, 2026 10:19

openshift-ci bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Apr 20, 2026

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Apr 20, 2026

everettraven approved these changes Apr 20, 2026

View reviewed changes

openshift-ci bot assigned everettraven Apr 20, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 20, 2026

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 20, 2026

openshift-merge-bot bot merged commit ba89f07 into openshift:master Apr 20, 2026
16 checks passed

ingvagabund deleted the define-enums-as-consts branch April 20, 2026 13:24

Conversation

ingvagabund commented Apr 18, 2026

Uh oh!

openshift-merge-bot bot commented Apr 18, 2026

Uh oh!

openshift-ci-robot commented Apr 18, 2026

Uh oh!

openshift-ci bot commented Apr 18, 2026

Uh oh!

coderabbitai bot commented Apr 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Uh oh!

JoelSpeed commented Apr 20, 2026

Uh oh!

openshift-ci bot commented Apr 20, 2026

Uh oh!

ingvagabund commented Apr 20, 2026

Uh oh!

openshift-ci-robot commented Apr 20, 2026

Uh oh!

everettraven left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-merge-bot bot commented Apr 20, 2026

Uh oh!

openshift-ci bot commented Apr 20, 2026

Uh oh!

Uh oh!

openshift-ci-robot commented Apr 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

coderabbitai bot commented Apr 18, 2026 •

edited

Loading