Scenario 3: OAuth Server Not Deployed

Objective: Confirm that the OAuth server and OAuth API server are NOT deployed when external OIDC is configured.

Code path: support/util/oauth.go — HCPOAuthEnabled() returns false when authentication.Type == OIDC

Overall Scenario 3: PASS — All 3 checks verified.

Step	Check	Result	Evidence
1	No `oauth-openshift` deployment in control plane namespace	PASS	Deployment removed after OIDC reconciliation (was present before patch)
2	No `openshift-oauth-apiserver` deployment	PASS	Deployment removed after OIDC reconciliation (was present before patch)
3	No OAuth pods running	PASS	`grep -i oauth` returns no results

Commands & Outputs

Before OIDC patch (OAuth was deployed)

$ oc get deployment -n clusters-brcox-sm-dev-hc | grep -i oauth

oauth-openshift                      1/1     1            1           20d
openshift-oauth-apiserver            1/1     1            1           20d

After OIDC reconciliation (OAuth removed)

$ oc get deployment -n clusters-brcox-sm-dev-hc | grep -i oauth

# (no output — deployments removed)

Note: The OAuth server was automatically removed by the CPO after the HostedControlPlane received the authentication.type: OIDC configuration. The gating logic in support/util/oauth.go:ConfigOAuthEnabled() correctly returned false, causing both oauth-openshift and openshift-oauth-apiserver deployments to be cleaned up.

← Scenario 2 Scenario 4 →