@ehearne-redhat

This change specifically targets OIDC-specific comments to ensure oc explain, based on CRD generation, will render the Description field in an optimal format i.e. no disjointed lines.

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

Hello @ehearne-redhat! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci-robot added the following labels Jan 16, 2026:
  • jira/severity-low: Referenced Jira bug's severity is low for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.

@openshift-ci-robot

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-56851, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xingxingxia

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This change specifically targets OIDC-specific comments to ensure oc explain, based on CRD generation, will render the Description field in an optimal format i.e. no disjointed lines.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai bot commented Jan 16, 2026

📝 Walkthrough

The pull request updates documentation strings and reflows comment text across generated Go files, OpenAPI outputs, and multiple CRD YAMLs. It adds a new OpenAPI definition AcceptRisk and introduces Update.acceptRisks, riskNames, and conditions fields in the OpenAPI schema. One CRD (OKD) changes oidcProviders.username.prefix from a string to an object with a required prefixString. Aside from these schema additions and the single CRD structural change, all other edits are textual and do not alter existing public type signatures or validation rules.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly describes the main objective: converting multiline OIDC comments to single-line format for improved CRD generation and oc explain output formatting. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the intent to improve oc explain Description field formatting by converting multiline OIDC comments to single-line format. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci bot requested a review from xingxingxia January 16, 2026 16:59
@openshift-ci bot added the size/L label (denotes a PR that changes 100-499 lines, ignoring generated files) Jan 16, 2026

@ehearne-redhat
Author

@ShazaAldawamneh could you review when you have the chance? :)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@config/v1/types_authentication.go`:
- Around line 293-296: Update the comment that currently says "must differ from
the value of `url`" to reference `issuerURL` instead so it matches the JSON
field name and existing validation message; locate the block describing
discoveryURL (identifier: discoveryURL) and replace `url` with `issuerURL` to
keep the docstring consistent with issuerURL/validation text.
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 36664f7 and 28a3711.

📒 Files selected for processing (1)
  • config/v1/types_authentication.go
🧰 Additional context used
🧬 Code graph analysis (1)
config/v1/types_authentication.go (1)
config/v1/zz_generated.swagger_doc_generated.go (8)
  • TokenIssuer (525-527)
  • TokenClaimMappings (484-486)
  • TokenClaimValidationRule (514-516)
  • ConfigMapNameReference (86-88)
  • UsernameClaimMapping (554-556)
  • PrefixedClaimMapping (464-466)
  • TokenClaimOrExpressionMapping (494-496)
  • SecretNameReference (230-232)
🔇 Additional comments (8)
config/v1/types_authentication.go (8)

201-251: LGTM!

The comment reformatting for the OIDCProvider struct fields successfully consolidates the multiline descriptions into single-line comments. This will improve oc explain output formatting as intended.


310-350: LGTM!

The reformatted comments for TokenClaimMappings fields (username, groups, uid, extra) are clear and maintain the original semantic meaning while achieving the single-line format goal.


468-524: LGTM!

The OIDCClientConfig struct field comments are well-reformatted. The descriptions for componentName, componentNamespace, clientID, clientSecret, and extraScopes remain clear and informative.


526-582: LGTM!

The OIDCClientStatus struct comments are properly reformatted to single-line style while maintaining clarity.


584-610: LGTM!

The OIDCClientReference struct field comments are correctly reformatted.


612-661: LGTM!

The UsernameClaimMapping and UsernamePrefixPolicy documentation changes properly consolidate the multiline descriptions while preserving the detailed examples and behavior documentation for prefix handling.


731-753: LGTM!

The TokenClaimValidationRule struct comments are properly reformatted. The descriptions for the type and requiredClaim fields remain clear.


796-816: LGTM!

The TokenUserValidationRule struct comments are properly reformatted to single-line format.

@ehearne-redhat
Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Jan 16, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@openshift-ci bot added the size/XXL label (denotes a PR that changes 1000+ lines, ignoring generated files) and removed the size/L label (denotes a PR that changes 100-499 lines, ignoring generated files) Jan 19, 2026

@JoelSpeed
Contributor

/assign @everettraven

@ehearne-redhat
Author

/test verify

@qodo-code-review

qodo-code-review bot commented Jan 19, 2026

PR-Agent: could not fine a component named verify in a supported language in this PR.

@JoelSpeed
Contributor

Verify should only fail on this repo if you have out-of-date generation. I can see in the logs it's showing a diff, so you'll need to investigate this.

@openshift-ci
Contributor

openshift-ci bot commented Jan 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from everettraven. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml (1)

375-386: Update description to match enum: remove CEL references from OKD variant.

The description mentions "Allowed values are 'RequiredClaim' and 'CEL'" but the enum constraint only permits RequiredClaim. This inconsistency exists because CEL support is intentionally excluded from the OKD feature set (unlike CustomNoUpgrade, DevPreviewNoUpgrade, and TechPreviewNoUpgrade variants which do include it). Update the description to remove CEL references and only document RequiredClaim for accuracy.
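
The drift reported in the comment above (a description that names "CEL" while the enum accepts only RequiredClaim) can be caught mechanically. The following is an added example, not part of the PR or of openshift/api tooling: it walks an OpenAPI v3 schema and reports values that an "Allowed values are ..." sentence names but the enum on the same field rejects. The function names, the regexes and the sample schemas are assumptions constructed for illustration.

```python
import re

# Sentence that enumerates permitted values, e.g. 'Allowed values are "A" and "B".'
ALLOWED_RE = re.compile(r"allowed values? (?:are|is)[^.\n]*", re.IGNORECASE)
QUOTED_RE = re.compile(r"[\"']([A-Za-z0-9_-]+)[\"']")


def stale_allowed_values(schema, path="schema"):
    """Return sorted (path, value) pairs where a description advertises a value
    as allowed but the enum on the same schema node does not accept it."""
    findings = []
    enum = schema.get("enum")
    if enum:
        for sentence in ALLOWED_RE.findall(schema.get("description", "")):
            findings += [(path, v) for v in QUOTED_RE.findall(sentence) if v not in enum]
    for name, child in schema.get("properties", {}).items():
        findings += stale_allowed_values(child, f"{path}.{name}")
    if isinstance(schema.get("items"), dict):
        findings += stale_allowed_values(schema["items"], f"{path}[]")
    return sorted(findings)


def sample_schema(enum):
    """Constructed fragment modelled on claimValidationRules.type as quoted in
    the review comment; hypothetical helper, not copied from the real CRD files."""
    description = (
        'Allowed values are "RequiredClaim" and "CEL".\n\n'
        "When set to 'CEL', the Kubernetes API server will be configured to "
        "validate the incoming JWT against the configured CEL expression."
    )
    field = {"type": "string", "description": description, "enum": enum}
    rule = {"type": "object", "properties": {"type": field}}
    return {"properties": {"claimValidationRules": {"type": "array", "items": rule}}}


OKD = sample_schema(["RequiredClaim"])                   # enum without CEL
TECH_PREVIEW = sample_schema(["RequiredClaim", "CEL"])   # enum with CEL

if __name__ == "__main__":
    for variant, crd in (("OKD", OKD), ("TechPreviewNoUpgrade", TECH_PREVIEW)):
        for path, value in stale_allowed_values(crd):
            print(f"{variant}: {path} documents {value!r}, enum rejects it")
```

Run against each generated feature-set variant, a check like this fails only where the description and the enum disagree, which is the OKD case described in the comment.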

Contributor

@everettraven everettraven left a comment

Overall, this looks good to me. I've just got a few comments related to using sentences as our natural breakpoints for balancing comment and generated documentation readability.

Do we have a visual representation of the difference that we can show this change makes?

@ehearne-redhat
Author

Hey @everettraven - I spun up a kind cluster and applied the old and new CRD authentications. This is an example, but I can get more if needed.

OLD

ehearne-mac:api ehearne$ kubectl explain authentication.spec.oidcProviders.claimMappings.extra
GROUP:      config.openshift.io
KIND:       Authentication
VERSION:    v1

FIELD: extra <[]Object>


DESCRIPTION:
    extra is an optional field for configuring the mappings
    used to construct the extra attribute for the cluster identity.
    When omitted, no extra attributes will be present on the cluster identity.
    key values for extra mappings must be unique.
    A maximum of 32 extra attribute mappings may be provided.
    ExtraMapping allows specifying a key and CEL expression
    to evaluate the keys' value. It is used to create additional
    mappings and attributes added to a cluster identity from
    a provided authentication token.
...

NEW:

ehearne-mac:api ehearne$ kubectl explain authentication.spec.oidcProviders.claimMappings.extra
GROUP:      config.openshift.io
KIND:       Authentication
VERSION:    v1

FIELD: extra <[]Object>


DESCRIPTION:
    extra is an optional field for configuring the mappings used to construct
    the extra attribute for the cluster identity.
    When omitted, no extra attributes will be present on the cluster identity.
    
    key values for extra mappings must be unique.
    A maximum of 32 extra attribute mappings may be provided.
    ExtraMapping allows specifying a key and CEL expression
    to evaluate the keys' value. It is used to create additional
    mappings and attributes added to a cluster identity from
    a provided authentication token.
...

@everettraven
Contributor

@ehearne-redhat Thanks for that! Do we have a list of what looked to be the worst offenders that we can verify look better with these changes?

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
payload-manifests/crds/0000_10_config-operator_01_authentications-OKD.crd.yaml (1)

377-387: Fix doc/schema mismatch for claimValidationRules.type in OKD variant.

The description mentions "Allowed values are 'RequiredClaim' and 'CEL'", but the enum only lists RequiredClaim and the cel field is absent from the schema. This mismatch does not exist in other variants (TechPreviewNoUpgrade, CustomNoUpgrade, DevPreviewNoUpgrade) which correctly include CEL in both the enum and schema. The OKD variant should have its description updated to remove CEL references.

Suggested fix
-                              Allowed values are "RequiredClaim" and "CEL".
-
-                              When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.
-
-                              When set to 'CEL', the Kubernetes API server will be configured to validate the incoming JWT against the configured CEL expression.
+                              Allowed values are "RequiredClaim".
+
+                              When set to 'RequiredClaim', the Kubernetes API server will be configured to validate that the incoming JWT contains the required claim and that its value matches the required value.
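
Review bot: The first added line keeps the plural "Allowed values are" although only "RequiredClaim" remains, so it should read as a singular, for example: The only allowed value is "RequiredClaim". The hunk also edits a file under payload-manifests/crds directly, and the thread states that verify fails on out-of-date generation, so the wording should be changed where this description is generated from and the manifests regenerated, not patched by hand in the YAML.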

@ehearne-redhat
Author

Hey @everettraven - I don't have a specific list to hand. However, I believe the ones that were the big offenders were UsernameClaimMapping.Claim, and maybe OIDCClientConfig.ComponentNamespace.

What I'll do is, I'll compile a list of all these changes old vs new, and pick out a few which demonstrate this change best.

@openshift-ci
Contributor

openshift-ci bot commented Jan 19, 2026

@ehearne-redhat: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
