OCPBUGS-66251: OADP restore results in htpasswd no longer being applied as volume

[mehabhalodiya]

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-66251

Description

This PR fixes an issue where OAuth identity provider (IDP) secrets are not mounted as volumes in the oauth-openshift deployment after OADP restore operations.

✅ Changes Made & Tests Created

1. Fixed Error Handling (deployment.go & config.go)

The Root Cause:

The previous code was silently ignoring errors from ConvertIdentityProviders() using _, volumeMountInfo, _ := ...
When IDP conversion failed (e.g., during transient OADP restore conditions), no volumes were added
Result: HTPasswd secret was never mounted to the oauth-openshift deployment

The Fix:

_, volumeMountInfo, err := ConvertIdentityProviders(...)
if err != nil {
    // Return error to trigger reconciliation retry
    return fmt.Errorf("failed to convert identity providers: %w", err)
}

This ensures:
✅ Errors are not silently ignored
✅ Reconciliation retries automatically on failure
✅ When OADP-restored secrets become available, conversion succeeds
✅ IDP volumes are properly added to the deployment

2. Comprehensive Testing

Created deployment_test.go with tests verifying:

✅ HTPasswd IDP volumes are added to deployment
Test: When HTPasswd IDP is configured, it should add IDP volumes to deployment

• Verifies IDP secret volume is added
• Verifies volume mount is added to oauth-openshift container

✅ Handles missing secrets correctly (OADP restore scenario)
Test: When HTPasswd IDP secret is missing, it should still add volume reference

• Volume reference is created even if secret doesn't exist yet
• Pod will wait for secret (important for OADP restore timing)

✅ Supports multiple IDPs
Test: When multiple IDPs are configured, it should add all IDP volumes

• Tests HTPasswd + GitHub IDPs
• Verifies all volumes are properly added

✅ OADP Restore Scenario Test
Test: TestAdaptDeploymentOADPRestoreScenario

• Simulates post-OADP-restore environment
• Verifies deployment gets IDP volumes when secret exists
• Validates volume mounts are under /etc/oauth/idp path

Created config_test.go verifying:

✅ OAuth config includes IDPs

• HTPasswd IDP is added to OAuth server config
• Multiple IDPs are all included
• Empty IDP list results in no IDPs in config

3. Test Results
All tests pass successfully:

• TestAdaptDeploymentWithHTPasswdIDP - PASS
  • When HTPasswd IDP is configured - PASS
  • When HTPasswd IDP secret is missing - PASS
  • When multiple IDPs are configured - PASS
  • When no IDPs are configured - PASS
• TestAdaptDeploymentOADPRestoreScenario - PASS
• TestAdaptOAuthConfigWithHTPasswd - PASS
• All existing tests continue to pass
• Linting: 0 issues

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

  • Added etcd backup capability for hosted clusters with S3 and Azure Blob storage support.
  • Introduced Azure Private Link topology for private cluster networking.
  • Added control plane version tracking and status visibility.
  • Enabled AutoNode provisioner support with observed node/claim counts.
  • Added AWS spot instance and Elastic IP allocation configuration for load balancers.
  • Introduced node CIDR allocation controls via allocateNodeCIDRs field.
  • Enhanced GCP platform with workload identity federation and resource labeling.

• API Changes

  • New CRDs: AzurePrivateLinkService and HCPEtcdBackup.
  • Extended AWS platform with spot market type and termination handler queue options.
  • Azure topology and private endpoint configuration options.

• Infrastructure

  • Updated base container images for Go toolchain and UBI minimal.
  • Added new CI/CD workflows for API validation, envtest, and documentation.
  • Enhanced Makefile with additional build targets and artifact management.

[openshift-ci-robot]

@mehabhalodiya: This pull request references Jira Issue OCPBUGS-66251, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR fixes an issue where OAuth identity provider (IDP) secrets are not mounted as volumes in the oauth-openshift deployment after OADP restore operations.

What this PR does / why we need it:

Problem

After restoring a HostedCluster using the OADP plugin, htpasswd IDP secrets exist in the HCP namespace but are not mounted as volumes in the oauth-openshift deployment. This prevents OAuth authentication from working with the IDP.

Root Cause

The oauth-openshift deployment reconciliation logic appends IDP volumes to the existing volumes list without first removing stale volumes. When OADP restores the deployment, it may restore with:

• Stale volumes from previous configurations
• Missing volumes entirely
• Incorrect volume mount configurations

The reconciliation doesn't clean up these stale volumes, leading to inconsistent state.

Solution

HyperShift Codebase Fix

File: control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go

Changes:

1. Added removeIDPVolumes() function to clean up stale IDP volumes
2. Added removeIDPVolumeMounts() function to clean up stale IDP volume mounts
3. Updated adaptDeployment() to remove stale volumes/mounts before adding new ones

Key Benefits:

• Ensures clean state after restore
• Makes reconciliation idempotent
• Works correctly even if deployment is restored with incorrect state
• Backward compatible

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-66251

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 902530cd-dda8-435c-a6a5-7377b4d5b4b3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This pull request introduces significant infrastructure and API enhancements to the HyperShift project. Major changes include: new etcd backup and Azure Private Link Service CRD types; expanded platform support for Azure topology/private configurations, GCP workload identity, and AWS spot instances; enhanced validation rules across multiple CRD manifests; updated Tekton pipeline definitions with improved task bundling; extended Makefile with new test targets (envtest, backup-restore); new GitHub Actions workflows for CI/CD (lint, verify, test, docs, envtest); base container image updates; and comprehensive documentation additions including Claude skills and command guides. API schemas are tightened with stricter immutability constraints, cross-field validations, and required field changes.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go`:
- Around line 95-118: When identityProviders > 0, removeIDPVolumeMounts must run
regardless of whether ConvertIdentityProviders returned volumes to avoid leaving
stale mounts; change the block handling ConvertIdentityProviders so that after
calling removeIDPVolumes(deployment) and calling ConvertIdentityProviders(...)
you always call removeIDPVolumeMounts(deployment) before inspecting
volumeMountInfo.Volumes, then only append volumeMountInfo.Volumes and update
container mounts via util.UpdateContainer(ComponentName, ...) if
len(volumeMountInfo.Volumes) > 0. Ensure the same functions (removeIDPVolumes,
removeIDPVolumeMounts, ConvertIdentityProviders, util.UpdateContainer,
ComponentName, deployment) are used and no other behavior changes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the ConvertIdentityProviders function
fd -t f -e go -path "*oauth*" control-plane-operator/controllers/hostedcontrolplane/v2 | head -20

Repository: openshift/hypershift

Length of output: 232

---

🏁 Script executed:

#!/bin/bash
# Search for ConvertIdentityProviders implementation
rg "func ConvertIdentityProviders" -A 50 --type go

Repository: openshift/hypershift

Length of output: 11465

---

🏁 Script executed:

#!/bin/bash
# Also search for the removeIDPVolumes and removeIDPVolumeMounts functions
rg "func (.*)?removeIDPVolumes|func (.*)?removeIDPVolumeMounts" -A 15 --type go

Repository: openshift/hypershift

Length of output: 3071

---

Fix dangling IDP mounts when volume conversion fails.

When ConvertIdentityProviders produces zero volumes (e.g., all providers fail conversion), removeIDPVolumes runs unconditionally, but removeIDPVolumeMounts is skipped because volumeMountInfo.Volumes is empty. This leaves stale mounts referencing volumes that no longer exist, creating an inconsistent pod spec. Move removeIDPVolumeMounts outside the conditional to always clean up mounts alongside volumes.

✅ Suggested adjustment

-			removeIDPVolumes(deployment)
-			
-			_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
+			removeIDPVolumes(deployment)
+			removeIDPVolumeMounts(deployment)
+
+			_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
 			// Ignore the error here, since we don't want to fail the deployment if the identity providers are invalid
 			// A condition will be set on the HC to indicate the error
 			if len(volumeMountInfo.Volumes) > 0 {
-				// Remove any existing IDP volume mounts before adding new ones
-				removeIDPVolumeMounts(deployment)
-				
 				deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volumeMountInfo.Volumes...)
 				util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
 					c.VolumeMounts = append(c.VolumeMounts, volumeMountInfo.VolumeMounts.ContainerMounts(ComponentName)...)
 				})
 			}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	identityProviders := configuration.OAuth.IdentityProviders
	if len(identityProviders) > 0 {
	// Remove any existing IDP volumes to ensure clean state after restore
	// This is important for OADP restore scenarios where the deployment
	// might be restored with stale volume configurations
	removeIDPVolumes(deployment)
	_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
	// Ignore the error here, since we don't want to fail the deployment if the identity providers are invalid
	// A condition will be set on the HC to indicate the error
	if len(volumeMountInfo.Volumes) > 0 {
	// Remove any existing IDP volume mounts before adding new ones
	removeIDPVolumeMounts(deployment)
	deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volumeMountInfo.Volumes...)
	util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
	c.VolumeMounts = append(c.VolumeMounts, volumeMountInfo.VolumeMounts.ContainerMounts(ComponentName)...)
	})
	}
	} else {
	// If no identity providers are configured, ensure any stale IDP volumes are removed
	removeIDPVolumes(deployment)
	removeIDPVolumeMounts(deployment)
	}
	identityProviders := configuration.OAuth.IdentityProviders
	if len(identityProviders) > 0 {
	// Remove any existing IDP volumes to ensure clean state after restore
	// This is important for OADP restore scenarios where the deployment
	// might be restored with stale volume configurations
	removeIDPVolumes(deployment)
	removeIDPVolumeMounts(deployment)
	_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
	// Ignore the error here, since we don't want to fail the deployment if the identity providers are invalid
	// A condition will be set on the HC to indicate the error
	if len(volumeMountInfo.Volumes) > 0 {
	deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volumeMountInfo.Volumes...)
	util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
	c.VolumeMounts = append(c.VolumeMounts, volumeMountInfo.VolumeMounts.ContainerMounts(ComponentName)...)
	})
	}
	} else {
	// If no identity providers are configured, ensure any stale IDP volumes are removed
	removeIDPVolumes(deployment)
	removeIDPVolumeMounts(deployment)
	}

🤖 Prompt for AI Agents

In `@control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go`
around lines 95 - 118, When identityProviders > 0, removeIDPVolumeMounts must
run regardless of whether ConvertIdentityProviders returned volumes to avoid
leaving stale mounts; change the block handling ConvertIdentityProviders so that
after calling removeIDPVolumes(deployment) and calling
ConvertIdentityProviders(...) you always call removeIDPVolumeMounts(deployment)
before inspecting volumeMountInfo.Volumes, then only append
volumeMountInfo.Volumes and update container mounts via
util.UpdateContainer(ComponentName, ...) if len(volumeMountInfo.Volumes) > 0.
Ensure the same functions (removeIDPVolumes, removeIDPVolumeMounts,
ConvertIdentityProviders, util.UpdateContainer, ComponentName, deployment) are
used and no other behavior changes.

[jparrill]

/assign @jparrill

[openshift-ci-robot]

@mehabhalodiya: This pull request references Jira Issue OCPBUGS-66251, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

Details

In response to this:

This PR fixes an issue where OAuth identity provider (IDP) secrets are not mounted as volumes in the oauth-openshift deployment after OADP restore operations.

What this PR does / why we need it:

Problem

After restoring a HostedCluster using the OADP plugin, htpasswd IDP secrets exist in the HCP namespace but are not mounted as volumes in the oauth-openshift deployment. This prevents OAuth authentication from working with the IDP.

Root Cause

The oauth-openshift deployment reconciliation logic appends IDP volumes to the existing volumes list without first removing stale volumes. When OADP restores the deployment, it may restore with:

• Stale volumes from previous configurations
• Missing volumes entirely
• Incorrect volume mount configurations

The reconciliation doesn't clean up these stale volumes, leading to inconsistent state.

Solution

HyperShift Codebase Fix

File: control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go

Changes:

1. Added removeIDPVolumes() function to clean up stale IDP volumes
2. Added removeIDPVolumeMounts() function to clean up stale IDP volume mounts
3. Updated adaptDeployment() to remove stale volumes/mounts before adding new ones

Key Benefits:

• Ensures clean state after restore
• Makes reconciliation idempotent
• Works correctly even if deployment is restored with incorrect state
• Backward compatible

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-66251

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

Release Notes

• New Features

• Added GCP Workload Identity Federation support with resource labeling

• AWS Network Load Balancer now supports Elastic IP allocation and subnet configuration

• Node pool auto-scaling supports scale-from-zero on AWS

• OKD now supported as a platform option

• Infrastructure Updates

• Upgraded Go runtime from 1.24 to 1.25

• Updated OpenShift platform from 4.21 to 4.22

• Enhanced multi-architecture CLI builds

• Refreshed container base images

• Documentation

• Expanded contributor guidelines with detailed workflows

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jparrill]

/test e2e-aks

[jparrill]

/test e2e-aws

[jparrill]

/test e2e-aws-upgrade-hypershift-operator

[jparrill]

/test e2e-kubevirt-aws-ovn-reduced

[jparrill]

/test e2e-v2-aws

[jparrill]

Thanks for the PR!, one question, how are you testing this?, do you need some help to make sure this fully works?

[openshift-ci-robot]

@mehabhalodiya: This pull request references Jira Issue OCPBUGS-66251, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (mbhalodi@redhat.com), skipping review request.

Details

In response to this:

This PR fixes an issue where OAuth identity provider (IDP) secrets are not mounted as volumes in the oauth-openshift deployment after OADP restore operations.

✅ Changes Made & Tests Created

1. Fixed Error Handling (deployment.go & config.go)

The Root Cause:

The previous code was silently ignoring errors from ConvertIdentityProviders() using _, volumeMountInfo, _ := ...
When IDP conversion failed (e.g., during transient OADP restore conditions), no volumes were added
Result: HTPasswd secret was never mounted to the oauth-openshift deployment

The Fix:

_, volumeMountInfo, err := ConvertIdentityProviders(...)
if err != nil {
   // Return error to trigger reconciliation retry
   return fmt.Errorf("failed to convert identity providers: %w", err)
}

This ensures:
✅ Errors are not silently ignored
✅ Reconciliation retries automatically on failure
✅ When OADP-restored secrets become available, conversion succeeds
✅ IDP volumes are properly added to the deployment

2. Comprehensive Testing

Created deployment_test.go with tests verifying:

✅ HTPasswd IDP volumes are added to deployment
Test: When HTPasswd IDP is configured, it should add IDP volumes to deployment

• Verifies IDP secret volume is added
• Verifies volume mount is added to oauth-openshift container

✅ Handles missing secrets correctly (OADP restore scenario)
Test: When HTPasswd IDP secret is missing, it should still add volume reference

• Volume reference is created even if secret doesn't exist yet
• Pod will wait for secret (important for OADP restore timing)

✅ Supports multiple IDPs
Test: When multiple IDPs are configured, it should add all IDP volumes

• Tests HTPasswd + GitHub IDPs
• Verifies all volumes are properly added

✅ OADP Restore Scenario Test
Test: TestAdaptDeploymentOADPRestoreScenario

• Simulates post-OADP-restore environment
• Verifies deployment gets IDP volumes when secret exists
• Validates volume mounts are under /etc/oauth/idp path

Created config_test.go verifying:

✅ OAuth config includes IDPs

• HTPasswd IDP is added to OAuth server config
• Multiple IDPs are all included
• Empty IDP list results in no IDPs in config

3. Test Results
All tests pass successfully:

• TestAdaptDeploymentWithHTPasswdIDP - PASS
  • When HTPasswd IDP is configured - PASS
  • When HTPasswd IDP secret is missing - PASS
  • When multiple IDPs are configured - PASS
  • When no IDPs are configured - PASS
• TestAdaptDeploymentOADPRestoreScenario - PASS
• TestAdaptOAuthConfigWithHTPasswd - PASS
• All existing tests continue to pass
• Linting: 0 issues

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-66251

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

Release Notes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

❌ Patch coverage is 21.05263% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 34.75%. Comparing base (783f795) to head (c3d1589).
⚠️ Report is 301 commits behind head on main.

Files with missing lines	Patch %	Lines
.../controllers/hostedcontrolplane/v2/oauth/config.go	25.00%	8 Missing and 1 partial ⚠️
...trollers/hostedcontrolplane/v2/oauth/deployment.go	14.28%	5 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7628      +/-   ##
==========================================
+ Coverage   34.63%   34.75%   +0.11%     
==========================================
  Files         767      767              
  Lines       93186    93196      +10     
==========================================
+ Hits        32277    32389     +112     
+ Misses      58236    58116     -120     
- Partials     2673     2691      +18     

Files with missing lines	Coverage Δ
...trollers/hostedcontrolplane/v2/oauth/deployment.go	17.89% <14.28%> (+17.89%)	⬆️
.../controllers/hostedcontrolplane/v2/oauth/config.go	42.30% <25.00%> (+42.30%)	⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mehabhalodiya
Once this PR has been reviewed and has the lgtm label, please ask for approval from jparrill. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@mehabhalodiya: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aks-4-21	cf02839	link	true	/test e2e-aks-4-21
ci/prow/docs-preview	3f75e61	link	false	/test docs-preview
ci/prow/e2e-aws	717712a	link	true	/test e2e-aws
ci/prow/e2e-aks-override	d0e1de7	link	true	/test e2e-aks-override
ci/prow/e2e-v2-gke	d0e1de7	link	false	/test e2e-v2-gke
ci/prow/e2e-aws-override	d0e1de7	link	true	/test e2e-aws-override
ci/prow/e2e-gke	d0e1de7	link	false	/test e2e-gke

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hypershift-jira-solve-ci]

Now I have the complete and definitive picture. Here is the analysis:

Test Failure Analysis Complete

Job Information

• Prow Job: tide (merge automation)
• Build ID: N/A — no CI test job was triggered
• PR: #7628 — OCPBUGS-66251: OADP restore results in htpasswd no longer being applied as volume
• Branch: oadp-oauth → main
• State: ERROR (merge conflict)

Test Failure Analysis

Error

tide: Not mergeable. PR has a merge conflict.
GitHub merge state: CONFLICTING (mergeStateStatus: DIRTY)

Summary

No Prow CI test jobs failed. The "error" state is reported by Tide (Prow's merge automation), which detected that PR #7628 has unresolvable merge conflicts with the main branch. The PR was created on Feb 3, 2026, and its branch has not been rebased since. Meanwhile, at least three significant refactors have landed on main that modify the same files (control-plane-operator/controllers/hostedcontrolplane/v2/oauth/), making the branch unmergeable. All required Prow CI jobs (e2e-aws, e2e-aks, e2e-v2-aws, etc.) are stuck in "Waiting for pipeline condition to trigger" because Tide will not trigger them on a PR with merge conflicts.

Root Cause

The PR branch oadp-oauth is stale and conflicts with main. The PR modifies four files in the oauth package:

• control-plane-operator/controllers/hostedcontrolplane/v2/oauth/config.go
• control-plane-operator/controllers/hostedcontrolplane/v2/oauth/config_test.go
• control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go
• control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment_test.go

Since the PR was created (Feb 3, 2026), the following merges to main have modified the same directory, creating conflicts:

1. May 5, 2026 — PR CNTRLPLANE-3343: Extract support/k8sutil package from support/util #8396 (CNTRLPLANE-3343-util-refactor) modified config.go (6 changes) — import path and utility function refactoring.
2. Apr 27, 2026 — refactor: update all callers to import support/podspec modified deployment.go (18 changes) — moved podspec helpers to a new support/podspec package, changing imports and function calls throughout the oauth deployment code.
3. Apr 30, 2026 — fix(test): address PR review feedback for test isolation and API design modified test files in the oauth directory.

The deployment.go conflict (18 lines changed by the podspec refactor) is the most significant, as the PR also modifies deployment.go to add htpasswd volume mounting logic. The config.go conflict from the util refactor compounds this.

Because GitHub reports mergeable: CONFLICTING, Tide sets the PR status to error with "Not mergeable. PR has a merge conflict." This prevents all CI jobs from being triggered — the 6 pending Prow jobs (e2e-aks, e2e-aws, e2e-aws-upgrade-hypershift-operator, e2e-azure-self-managed, e2e-kubevirt-aws-ovn-reduced, e2e-v2-aws) are all blocked with "Waiting for pipeline condition to trigger."

Recommendations

1. Rebase the branch onto current main: The PR author needs to rebase oadp-oauth onto the latest main and resolve conflicts, particularly in:

   • deployment.go — reconcile the htpasswd volume mount changes with the new support/podspec import structure
   • config.go — reconcile with the support/k8sutil refactor
   • deployment_test.go / config_test.go — update tests to match the new imports and patterns

2. After rebase, push the updated branch: This will clear the merge conflict state and allow Tide to trigger the pending CI jobs.

3. Consider enabling branch auto-updates: The PR is over 3 months old. If this is a long-lived PR, periodically rebasing on main (or merging main into the branch) will prevent recurring conflict accumulation.

Evidence

Evidence	Detail
Tide status	error: "Not mergeable. PR has a merge conflict."
GitHub merge state	mergeable: CONFLICTING, mergeStateStatus: DIRTY
PR created	Feb 3, 2026 — branch not rebased since
PR head commit	c3d1589 (unchanged since creation)
Conflicting merge #1	PR #8396 (May 5, 2026) — config.go util refactor, 6 line changes
Conflicting merge #2	support/podspec refactor (Apr 27, 2026) — deployment.go, 18 line changes
Conflicting merge #3	Test fixes (Apr 30, 2026) — idp_convert_test.go, 4 line changes
Blocked CI jobs	6 jobs pending: e2e-aks, e2e-aws, e2e-aws-upgrade-hypershift-operator, e2e-azure-self-managed, e2e-kubevirt-aws-ovn-reduced, e2e-v2-aws
Passed CI jobs	security, verify-deps, okd-scos-images, images (ran on older BaseSHA)
PR files modified	oauth/config.go, oauth/config_test.go, oauth/deployment.go, oauth/deployment_test.go

---