Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@config/v1/types_authentication.go`:
- Around line 352-371: The TokenClaimMapping struct currently makes Claim
required which, combined with the mutual-exclusion rule, prevents Expression
from ever being set; change Claim to optional and make the XNOR rule into an
XOR. Remove the +required annotation and change the JSON tag for Claim to
include omitempty (e.g., json:"claim,omitempty"), and update the
openshift:validation rule to an XOR such as rule="has(self.claim) !=
has(self.expression)" so exactly one of Claim or Expression can be provided
(keep Expression's existing omitempty and feature-gate annotations).
- Around line 605-635: Remove the unconditional field-level XValidation on the
Claim field (delete the
+kubebuilder:validation:XValidation:rule="has(self.claim)" annotation) and
instead enforce exclusive-or at the struct level when the feature gate is
enabled: update the existing FeatureGateAwareXValidation (on type
UsernameClaimMapping) to a rule that requires exactly one of claim or expression
when ExternalOIDCWithUpstreamParity is enabled (e.g. rule="has(self.claim) !=
has(self.expression)" with an appropriate message). Keep the MinLength/MaxLength
tags on Claim and Expression but do not require Claim unconditionally.
In `@config/v1/zz_generated.swagger_doc_generated.go`:
- Around line 468-471: The swagger doc for TokenClaimMapping
(map_TokenClaimMapping) incorrectly marks "claim" as required despite supporting
expression-only mappings; update the source Go type comment for
TokenClaimMapping to indicate that "claim" is optional and that "claim" and
"expression" are mutually exclusive (describe that either claim or expression
may be provided, not both), then re-run the swagger generation script to
regenerate zz_generated.swagger_doc_generated.go so the map_TokenClaimMapping
entry reflects the optional claim and mutual exclusion with expression.
- Around line 549-552: The Swagger comment for UsernameClaimMapping (seen in
map_UsernameClaimMapping) is missing the new validation rules: add documentation
that expression has a max length (match the enforced length), and that when
prefixPolicy is "Prefix" the claim field is required and claim itself has a
non-empty/<=256 char constraint; update the source struct/type comment for
UsernameClaimMapping (the comment above its Go type or fields: claim,
expression, prefixPolicy, prefix) to include these sentences and regenerate the
swagger docs so the generated map_UsernameClaimMapping includes the new length
and dependency text.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml`:
- Around line 267-293: The property-level validation on the claim field (the
x-kubernetes-validations entry with message "claim must be set") makes
expression-only configs impossible; remove that per-property required validation
from the claim schema and instead enforce mutual exclusivity/requirement at the
object level with a oneOf/anyOf rule that requires exactly one of claim or
expression (reference the schema object that contains the claim and expression
properties and the expression property itself); apply the same change to the
duplicate block mentioned (the other claim/expression pair).
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml`:
- Around line 267-293: The property-level validation on the 'claim' field (the
x-kubernetes-validations rule with message "claim must be set") makes
'expression' unusable; remove that field-level requirement and replace it with a
single object-level validation that enforces exactly one of 'claim' or
'expression' (e.g., a oneOf / CEL rule at the parent object) so configs can
specify either claim-only or expression-only but not both; update the schema
entries that reference 'claim' and 'expression' (the two sibling properties
shown) to drop the has(self.claim) rule and add the new object-level one-of
validation.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml`:
- Around line 267-293: The current property-level x-kubernetes-validations on
claim ("claim must be set") forces claim and prevents expression-only configs;
remove the claim-level "must be set" validation and instead add an object-level
x-kubernetes-validations rule that enforces exactly one of claim or expression
is present (e.g., use a CEL rule like (has(self.claim) + has(self.expression))
== 1 with an appropriate message), and apply the same change for the duplicate
block that appears later for the other mapping. Ensure the claim and expression
property schemas keep their type, minLength and maxLength constraints but no
longer require claim alone.
---
Outside diff comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml`:
- Around line 189-218: Remove the unconditional required: - claim for the
mapping object and instead enforce mutual exclusivity and presence by adding a
oneOf that requires either claim or expression; specifically, replace the
top-level required: [claim] with a oneOf containing two subschemas (one with
required: [claim], the other with required: [expression]) so that exactly one is
provided, keep the existing x-kubernetes-validations rule or remove it (it
becomes redundant) and leave prefix as-is; this targets the schema that defines
claim, expression and prefix so look for the object containing those properties
and update its required/oneOf accordingly.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml`:
- Around line 189-218: The schema currently mandates claim in the required list
while also forbidding claim+expression via x-kubernetes-validations, which
prevents using expression alone; update the CRD so that claim is not
unconditionally required and replace the required: - claim rule with a oneOf (or
an equivalent x-kubernetes-validation) that enforces either claim is set XOR
expression is set (e.g., a oneOf referencing presence of self.claim or
self.expression) and keep the existing mutually-exclusive validation
(x-kubernetes-validations rule: '!(has(self.claim) && has(self.expression))') to
ensure only one is provided; modify the block around the claim/expression/prefix
properties and the required/type definitions to reflect this change.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml`:
- Around line 189-218: Remove the unconditional required: - claim and instead
enforce a mutual-exclusion plus presence rule so CEL-only mapping is possible;
keep the existing x-kubernetes-validations rule that forbids both claim and
expression (rule: '!(has(self.claim) && has(self.expression))') and add a second
validation that requires at least one be set (e.g. message: 'either claim or
expression must be set' with rule: '(has(self.claim) || has(self.expression))'),
referencing the same object schema containing the claim and expression fields so
either can be used alone.
---
Nitpick comments:
In
`@config/v1/tests/authentications.config.openshift.io/ExternalOIDCWithUpstreamParity.yaml`:
- Around line 459-553: Add a negative test case that validates the new rule
requiring a literal claim when prefixPolicy is set to Prefix: create a YAML test
similar to the existing cases but set claimMappings.username.expression (e.g.
expression: "has(claims.upn) ? claims.upn : claims.oid") and set prefixPolicy:
Prefix in the provider spec, and assert an expectedError like "claim must be
provided when prefixPolicy is Prefix" (adjust text to match validator). Place it
alongside the other OIDC tests referencing prefixPolicy, Prefix, and
claimMappings.username.expression so the validator for prefixPolicy +
expression-only username mapping is exercised.

Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@config/v1/types_authentication.go`:
- Around line 609-637: The UsernameClaimMapping validation has inverted CEL
rules and malformed kubebuilder markers: update the FeatureGateAwareXValidation
CEL expressions on the UsernameClaimMapping type so the rules require presence
(change rule="!has(self.claim)" to rule="has(self.claim)" for the claim-required
case and change rule="!has(self.claim) && !has(self.expression)" to
rule="has(self.claim) || has(self.expression)" for the claim-or-expression
case), and fix the kubebuilder markers on the Claim and Expression fields by
replacing MinLength:=1 with MinLength=1 (keep MaxLength values unchanged) so
Claim and Expression enforce non-empty lengths as intended.
- Around line 352-374: The feature-gate CEL annotations on TokenClaimMapping are
inverted and Claim lacks omitempty; update the annotations and JSON tag: in the
struct TokenClaimMapping change the first FeatureGateAwareXValidation rule to
require the claim when that gate is active (use rule="has(self.claim)" with the
same message), change the ExternalOIDCWithUpstreamParity rule to require at
least one of claim or expression (use rule="has(self.claim) ||
has(self.expression)", message="claim or expression must be specified"), and add
`omitempty` to the Claim json tag (change `Claim string `json:"claim"` to `Claim
string `json:"claim,omitempty"` ) so Go clients do not serialize empty claims.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml`:
- Around line 269-270: Fix the grammatical error in the CRD description text by
changing "a optional field" to "an optional field" in the description string
found in the CRD manifest (the authentications-DevPreviewNoUpgrade CRD content
where the sentence reads 'claim is a optional field that configures the JWT
token claim...'); update that description line in the YAML so it reads "claim is
an optional field that configures the JWT token claim whose value is assigned to
the cluster identity field associated with this mapping."
---
Outside diff comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml`:
- Around line 267-337: The validation currently only forbids both claim and
expression being set (x-kubernetes-validations rule '!(has(self.claim) &&
has(self.expression))'), which still allows neither to be set; change the
validation to require exactly one be present by replacing the rule with
'has(self.claim) != has(self.expression)' (or an equivalent XOR) and update the
message to reflect "exactly one of claim or expression must be set"; target the
x-kubernetes-validations entry that references claim and expression to make this
change.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml`:
- Around line 267-337: The username mapping x-kubernetes-validation currently
only forbids both claim and expression being set (rule '!(has(self.claim) &&
has(self.expression))') but allows neither; change the validation to require
exactly one of them (mirror the uid rule) by replacing the rule with logic like
"has(self.claim) ? !has(self.expression) : has(self.expression)" so the username
mapping (fields claim and expression) enforces precisely one is present when
ExternalOIDCWithUpstreamParity applies.
---
Duplicate comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml`:
- Around line 189-218: The schema currently forces claim via required: [claim],
which prevents expression-only mappings; remove the unconditional required: -
claim and instead enforce presence rules via x-kubernetes-validations: keep the
mutual exclusion validation (rule: '!(has(self.claim) && has(self.expression))')
and add a new validation requiring at least one be present (e.g. message:
"either claim or expression must be set", rule: 'has(self.claim) ||
has(self.expression)'). Update the object definition around
claim/expression/prefix to drop the required entry and rely on those two
validations to allow expression-only configs.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml`:
- Around line 213-218: Remove the mandatory "claim" requirement from the groups
PrefixedClaimMapping and change its validation to require exactly one of claim
or expression; specifically, delete the required: - claim entry and replace the
x-kubernetes-validations mutual-exclusion rule ('!(has(self.claim) &&
has(self.expression))') with a "precisely one" rule such as
'count([has(self.claim), has(self.expression)]) == 1' (apply this change to the
PrefixedClaimMapping for groups where fields "claim" and "expression" are
defined).
- Around line 335-337: The x-kubernetes-validations rule for username currently
only forbids both fields via '!(has(self.claim) && has(self.expression))' so it
permits neither; update the validation to enforce exactly-one semantics by
replacing the rule with an expression that requires XOR between self.claim and
self.expression (i.e., has(self.claim) != has(self.expression)) or an equivalent
"one and only one" boolean expression, keeping the message consistent, and
mirror the same exact-one logic already used for the uid mapping to ensure the
username validation enforces precisely one of claim or expression.
In
`@payload-manifests/crds/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml`:
- Around line 189-218: The CRD currently forces claim to be mandatory by listing
it under required, which prevents expression-only mappings; remove the required:
- claim entry (i.e., delete the required array or at least remove "claim" from
it) so that the existing x-kubernetes-validations rule ('!(has(self.claim) &&
has(self.expression))') can still prevent both being set while allowing
expression-only configs; update the schema section containing the claim,
expression, prefix, required, and x-kubernetes-validations entries accordingly.

Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@config/v1/types_authentication.go`:
- Line 356: The CEL rule in the
+openshift:validation:FeatureGateAwareXValidation annotation for
TokenClaimMapping contains unescaped double quotes in orValue(""), which breaks
the quoted rule string; update the rule value used by the
FeatureGateAwareXValidation annotation (the annotation name
+openshift:validation:FeatureGateAwareXValidation and the rule referencing
ExternalOIDCWithUpstreamParity) to escape the inner quotes (use orValue(\"\"))
so the outer string remains intact and the validation is emitted.
- Line 613: The CEL validation uses has(self.claim) which is always true because
UsernameClaimMapping.Claim is not omitempty; update the
FeatureGateAwareXValidation rule on UsernameClaimMapping to mirror
TokenClaimMapping by checking non-empty value instead of presence — replace
has(self.claim) with size(self.?claim.orValue("")) > 0 (and keep the existing
expression check logic: size(self.?claim.orValue("")) > 0 ?
!has(self.expression) : has(self.expression)); target the rule string associated
with UsernameClaimMapping in types_authentication.go.
---
Duplicate comments:
In `@config/v1/types_authentication.go`:
- Around line 610-612: The validation tags on UsernameClaimMapping are inverted
(they use !has(self.claim)) and therefore accept objects missing claim and
reject valid ones; update the three FeatureGateAwareXValidation rules for
UsernameClaimMapping to use has(self.claim) (not !has(self.claim)) so the
presence of claim is required under the same feature gates as TokenClaimMapping
(mirror the behavior of the rules at TokenClaimMapping lines ~353–355) and keep
the same messages and featureGate values.
- Line 623: The kubebuilder marker on the UsernameClaimMapping Claim field is
malformed—replace the incorrect delimiter `MaxLength:=256` with `MaxLength=256`
so controller-gen recognizes the constraint; locate the marker near the
UsernameClaimMapping type (the comment referencing "must not exceed 256
characters" / Claim field) in types_authentication.go and update the annotation
to `+kubebuilder:validation:MaxLength=256`.