Overhaul status logic to correctly match spec

Progressing:
- Detect progress via generation and resource version changes, not provisioning status
- Report Progressing=True on operator version change
- Track root secret and infrastructure resource version changes
- Set Progressing=True with reason VersionChanged on operator version updates

Degraded:
- Suppress Degraded when Progressing is active
- Enforce 20-minute ProgressingTooLong timeout in status controller

Available:
- Only report Available=False on pod-identity-webhook when not progressing
- Clear stale Degraded/Available conditions on pod-identity-webhook during active rollout

(based on the spec from
https://github.com/openshift/api/blob/2757d677e9aaac40a9985e5a6a17b31c7c577ba8/config/v1/types_cluster_operator.go#L151)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Assisted-By: Claude Opus 4.6 <noreply@anthropic.com>"

Author: dlom

pkg/operator/credentialsrequest/actuator/actuator.go

@@ -82,6 +82,8 @@ func (a *DummyActuator) IsTimedTokenCluster(c client.Client, ctx context.Context
 }
 
 func (a *DummyActuator) Upgradeable(mode operatorv1.CloudCredentialsMode) *configv1.ClusterOperatorStatusCondition {
+	// Spec: Upgradeable=True means it is safe to upgrade. The DummyActuator
+	// always reports upgradeable since it performs no real cloud operations.
 	upgradeableCondition := &configv1.ClusterOperatorStatusCondition{
 		Status: configv1.ConditionTrue,
 		Type:   configv1.OperatorUpgradeable,

pkg/operator/credentialsrequest/credentialsrequest_controller.go

@@ -508,6 +508,12 @@ func (r *ReconcileSecretMissingLabel) GetConditions(logger log.FieldLogger) ([]c
 	}
 
 	if missing > 0 {
+		// Progressing is the correct condition here per the spec: after an upgrade
+		// introduces the labeling requirement, secrets created by prior versions won't
+		// have the label. The operator is moving from one steady state (unlabeled) to
+		// another (labeled) as a direct consequence of the version change, which fits
+		// the spec's "propagating config changes" language. The labeling should complete
+		// quickly; if it exceeds 20 minutes, ProgressingTooLong will fire.
 		return []configv1.ClusterOperatorStatusCondition{{
 			Type:    configv1.OperatorProgressing,
 			Status:  configv1.ConditionTrue,

pkg/operator/credentialsrequest/credentialsrequest_controller_test.go

@@ -342,10 +342,8 @@ func TestCredentialsRequestReconcile(t *testing.T) {
 					conditionType: configv1.OperatorProgressing,
 					status:        corev1.ConditionTrue,
 				},
-				{
-					conditionType: configv1.OperatorDegraded,
-					status:        corev1.ConditionTrue,
-				},
+				// Per the spec, Degraded is not reported during active progress.
+				// The 20-minute ProgressingTooLong timeout handles persistent failures.
 			},
 		},
 		{

pkg/operator/credentialsrequest/status.go

@@ -34,11 +34,36 @@ func (r *ReconcileCredentialsRequest) GetConditions(logger log.FieldLogger) ([]c
 	if err != nil {
 		return []configv1.ClusterOperatorStatusCondition{}, fmt.Errorf("failed to get operator state: %v", err)
 	}
+
+	// Fetch resource versions to detect cluster state changes that signal Progressing.
+	// AdminClient is used for the root secret because the main manager's Secret cache
+	// is label-filtered and does not include the root credential secret.
+	var rootSecretResourceVersion string
+	rootSecretLocation := r.Actuator.GetCredentialsRootSecretLocation()
+	rootSecret := &corev1.Secret{}
+	if err := r.AdminClient.Get(context.TODO(), rootSecretLocation, rootSecret); err != nil {
+		if !apierrors.IsNotFound(err) {
+			logger.WithError(err).Debug("error retrieving root credentials secret for status")
+		}
+	} else {
+		rootSecretResourceVersion = rootSecret.ResourceVersion
+	}
+
+	var infraResourceVersion string
+	infra, err := utils.GetInfrastructure(r.Client)
+	if err != nil {
+		logger.WithError(err).Debug("error retrieving infrastructure for status")
+	} else {
+		infraResourceVersion = infra.ResourceVersion
+	}
+
 	return computeStatusConditions(
 		r.Actuator,
 		mode,
 		credRequests,
 		r.platformType,
+		rootSecretResourceVersion,
+		infraResourceVersion,
 		logger), nil
 }
 
@@ -92,6 +117,8 @@ func computeStatusConditions(
 	mode operatorv1.CloudCredentialsMode,
 	credRequests []minterv1.CredentialsRequest,
 	clusterCloudPlatform configv1.PlatformType,
+	rootSecretResourceVersion string,
+	infraResourceVersion string,
 	logger log.FieldLogger) []configv1.ClusterOperatorStatusCondition {
 	operatorIsDisabled := mode == operatorv1.CloudCredentialsModeManual
 
@@ -125,6 +152,31 @@ func computeStatusConditions(
 		validCredRequests = append(validCredRequests, credRequests[i])
 	}
 
+	// Spec: Progressing means actively moving from one steady state to another,
+	// not reconciling a previously known state. Detect actual changes:
+	// - CR spec changed (Generation != LastSyncGeneration)
+	// - Root cloud credentials secret changed since last sync
+	// - Infrastructure resource changed since last sync
+	credRequestsProgressing := 0
+	logger.Debugf("%d cred requests", len(validCredRequests))
+
+	for _, cr := range validCredRequests {
+		specChanged := cr.Generation != cr.Status.LastSyncGeneration
+		// Match the reconciler's logic (credentialsrequest_controller.go):
+		// the controller treats a non-nil root secret with a resource version
+		// different from the stored one as a trigger to resync, even when the
+		// stored version is empty (legacy CR that hasn't backfilled yet).
+		rootSecretChanged := rootSecretResourceVersion != "" &&
+			rootSecretResourceVersion != cr.Status.LastSyncCloudCredsSecretResourceVersion
+		infraChanged := infraResourceVersion != "" &&
+			infraResourceVersion != cr.Status.LastSyncInfrastructureResourceVersion
+		if specChanged || rootSecretChanged || infraChanged {
+			credRequestsProgressing++
+		}
+	}
+
+	isProgressing := credRequestsProgressing > 0
+
 	for _, cr := range validCredRequests {
 		// Check for provision failure conditions:
 		foundFailure := false
@@ -141,6 +193,10 @@ func computeStatusConditions(
 		}
 	}
 
+	// Spec: Degraded means the component does not match its desired state over a
+	// period of time. Failing credentials requests indicate a persistent lower
+	// quality of service. Suppression during cluster upgrades is handled centrally
+	// in syncStatus via the ClusterVersion Progressing condition.
 	if failingCredRequests > 0 {
 		var degradedCondition configv1.ClusterOperatorStatusCondition
 		degradedCondition.Type = configv1.OperatorDegraded
@@ -152,26 +208,15 @@ func computeStatusConditions(
 		conditions = append(conditions, degradedCondition)
 	}
 
-	// Progressing should be true if the operator is making changes to the operand. In this case
-	// we will set true if any CredentialsRequests are not provisioned, or have failure conditions,
-	// as this indicates the controllers have work they are trying to do.
-	credRequestsNotProvisioned := 0
-	logger.Debugf("%d cred requests", len(validCredRequests))
-
-	for _, cr := range validCredRequests {
-		if !cr.Status.Provisioned {
-			credRequestsNotProvisioned = credRequestsNotProvisioned + 1
-		}
-	}
-
-	if credRequestsNotProvisioned > 0 || failingCredRequests > 0 {
+	// Spec: report Progressing=True only when actively rolling out.
+	if isProgressing {
 		var progressingCondition configv1.ClusterOperatorStatusCondition
 		progressingCondition.Type = configv1.OperatorProgressing
 		progressingCondition.Status = configv1.ConditionTrue
 		progressingCondition.Reason = reasonReconciling
 		progressingCondition.Message = fmt.Sprintf(
-			"%d of %d credentials requests provisioned, %d reporting errors.",
-			len(validCredRequests)-credRequestsNotProvisioned, len(validCredRequests), failingCredRequests)
+			"%d of %d credentials requests are progressing.",
+			credRequestsProgressing, len(validCredRequests))
 		conditions = append(conditions, progressingCondition)
 	}