fix: Update fields descriptions to reflect OpenShift external OIDC support (#2112)

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

Author: tolusha

api/v2/checluster_types.go

@@ -594,44 +594,49 @@ type WorkspaceSecurityConfig struct {
 // Authentication settings.
 type Auth struct {
 	// Public URL of the Identity Provider server.
+	// For OpenShift with built-in OAuth, this field is not used, as OpenShift provides its own OAuth server.
 	// +optional
 	IdentityProviderURL string `json:"identityProviderURL,omitempty"`
-	// Name of the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+	// Defined the OIDC client id.
+	// For OpenShift with built-in OAuth, this is the name of the `OAuthClient` resource used to set up identity federation.
 	// +optional
 	OAuthClientName string `json:"oAuthClientName,omitempty"`
-	// Name of the secret set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
-	// For Kubernetes, this can either be the plain text oAuthSecret value, or the name of a kubernetes secret which contains a
-	// key `oAuthSecret` and the value is the secret. NOTE: this secret must exist in the same namespace as the `CheCluster`
-	// resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.
+	// Defines the OAuth client secret.
+	// It can either be a plain text secret value or the name of a Kubernetes secret
+	// containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
+	// as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
+	// For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
 	// +optional
 	OAuthSecret string `json:"oAuthSecret,omitempty"`
-	// Access Token Scope.
-	// This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
+	// Defines the scope requested from the OIDC provider.
+	// For OpenShift with built-in OAuth, the scope `user:full` is used by default.
 	// +optional
 	OAuthScope string `json:"oAuthScope,omitempty"`
-	// Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+	// Inactivity timeout for tokens in seconds.
+	// This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
 	// 0 means tokens for this client never time out.
 	// +optional
 	OAuthAccessTokenInactivityTimeoutSeconds *int32 `json:"oAuthAccessTokenInactivityTimeoutSeconds,omitempty"`
-	// Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+	// Access token max age in seconds.
+	// This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
 	// 0 means no expiration.
 	// +optional
 	OAuthAccessTokenMaxAgeSeconds *int32 `json:"oAuthAccessTokenMaxAgeSeconds,omitempty"`
-	// Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
-	// Default value is `id_token`.
-	// This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
+	// Identity token type to be passed to upstream services. Defaults to `id_token`.
+	// For OpenShift with built-in OAuth, defaults to `access_token`.
 	// +optional
 	// +kubebuilder:validation:Enum=id_token;access_token
 	IdentityToken string `json:"identityToken,omitempty"`
 	// Gateway settings.
 	// +optional
 	// +kubebuilder:default:={configLabels: {app: che, component: che-gateway-config}}
 	Gateway Gateway `json:"gateway,omitempty"`
-	// Advance authorization settings. Determines which users and groups are allowed to access Che.
-	// User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list
-	// and not in neither the `denyUsers` list nor is member of group from `denyGroups` list.
+	// Advanced authorization settings. Determines which users and groups are allowed to access Che.
+	// A user is allowed to access Che if the user is in the `allowUsers` list or is a member of a group in the `allowGroups` list,
+	// and is not in the `denyUsers` list nor a member of a group in the `denyGroups` list.
 	// If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che.
-	// if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che.
+	// If `denyUsers` and `denyGroups` are empty, then no users are denied access to Che.
+	// Note: group-based authorization (`allowGroups` and `denyGroups`) is currently supported on OpenShift only.
 	// +optional
 	AdvancedAuthorization *AdvancedAuthorization `json:"advancedAuthorization,omitempty"`
 }

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2026-03-25T12:21:22Z"
+    createdAt: "2026-04-02T11:48:45Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.116.0-957.next
+  name: eclipse-che.v7.117.0-958.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1144,7 +1144,7 @@ spec:
       name: gateway-authorization-sidecar-k8s
     - image: quay.io/che-incubator/header-rewrite-proxy:latest
       name: gateway-header-sidecar
-  version: 7.116.0-957.next
+  version: 7.117.0-958.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml

@@ -10685,11 +10685,12 @@ spec:
                       properties:
                         advancedAuthorization:
                           description: |-
-                            Advance authorization settings. Determines which users and groups are allowed to access Che.
-                            User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list
-                            and not in neither the `denyUsers` list nor is member of group from `denyGroups` list.
+                            Advanced authorization settings. Determines which users and groups are allowed to access Che.
+                            A user is allowed to access Che if the user is in the `allowUsers` list or is a member of a group in the `allowGroups` list,
+                            and is not in the `denyUsers` list nor a member of a group in the `denyGroups` list.
                             If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che.
-                            if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che.
+                            If `denyUsers` and `denyGroups` are empty, then no users are denied access to Che.
+                            Note: group-based authorization (`allowGroups` and `denyGroups`) is currently supported on OpenShift only.
                           properties:
                             allowGroups:
                               description: List of groups allowed to access Che (currently
@@ -11101,44 +11102,49 @@ spec:
                               type: object
                           type: object
                         identityProviderURL:
-                          description: Public URL of the Identity Provider server.
+                          description: |-
+                            Public URL of the Identity Provider server.
+                            For OpenShift with built-in OAuth, this field is not used, as OpenShift provides its own OAuth server.
                           type: string
                         identityToken:
                           description: |-
-                            Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
-                            Default value is `id_token`.
-                            This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
+                            Identity token type to be passed to upstream services. Defaults to `id_token`.
+                            For OpenShift with built-in OAuth, defaults to `access_token`.
                           enum:
                             - id_token
                             - access_token
                           type: string
                         oAuthAccessTokenInactivityTimeoutSeconds:
                           description: |-
-                            Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+                            Inactivity timeout for tokens in seconds.
+                            This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
                             0 means tokens for this client never time out.
                           format: int32
                           type: integer
                         oAuthAccessTokenMaxAgeSeconds:
                           description: |-
-                            Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+                            Access token max age in seconds.
+                            This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
                             0 means no expiration.
                           format: int32
                           type: integer
                         oAuthClientName:
-                          description: Name of the OpenShift `OAuthClient` resource
-                            used to set up identity federation on the OpenShift side.
+                          description: |-
+                            Defined the OIDC client id.
+                            For OpenShift with built-in OAuth, this is the name of the `OAuthClient` resource used to set up identity federation.
                           type: string
                         oAuthScope:
                           description: |-
-                            Access Token Scope.
-                            This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
+                            Defines the scope requested from the OIDC provider.
+                            For OpenShift with built-in OAuth, the scope `user:full` is used by default.
                           type: string
                         oAuthSecret:
                           description: |-
-                            Name of the secret set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
-                            For Kubernetes, this can either be the plain text oAuthSecret value, or the name of a kubernetes secret which contains a
-                            key `oAuthSecret` and the value is the secret. NOTE: this secret must exist in the same namespace as the `CheCluster`
-                            resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.
+                            Defines the OAuth client secret.
+                            It can either be a plain text secret value or the name of a Kubernetes secret
+                            containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
+                            as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
+                            For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
                           type: string
                       type: object
                     domain:

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -10635,11 +10635,12 @@ spec:
                     properties:
                       advancedAuthorization:
                         description: |-
-                          Advance authorization settings. Determines which users and groups are allowed to access Che.
-                          User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list
-                          and not in neither the `denyUsers` list nor is member of group from `denyGroups` list.
+                          Advanced authorization settings. Determines which users and groups are allowed to access Che.
+                          A user is allowed to access Che if the user is in the `allowUsers` list or is a member of a group in the `allowGroups` list,
+                          and is not in the `denyUsers` list nor a member of a group in the `denyGroups` list.
                           If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che.
-                          if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che.
+                          If `denyUsers` and `denyGroups` are empty, then no users are denied access to Che.
+                          Note: group-based authorization (`allowGroups` and `denyGroups`) is currently supported on OpenShift only.
                         properties:
                           allowGroups:
                             description: List of groups allowed to access Che (currently
@@ -11046,44 +11047,49 @@ spec:
                             type: object
                         type: object
                       identityProviderURL:
-                        description: Public URL of the Identity Provider server.
+                        description: |-
+                          Public URL of the Identity Provider server.
+                          For OpenShift with built-in OAuth, this field is not used, as OpenShift provides its own OAuth server.
                         type: string
                       identityToken:
                         description: |-
-                          Identity token to be passed to upstream. There are two types of tokens supported: `id_token` and `access_token`.
-                          Default value is `id_token`.
-                          This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
+                          Identity token type to be passed to upstream services. Defaults to `id_token`.
+                          For OpenShift with built-in OAuth, defaults to `access_token`.
                         enum:
                         - id_token
                         - access_token
                         type: string
                       oAuthAccessTokenInactivityTimeoutSeconds:
                         description: |-
-                          Inactivity timeout for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+                          Inactivity timeout for tokens in seconds.
+                          This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
                           0 means tokens for this client never time out.
                         format: int32
                         type: integer
                       oAuthAccessTokenMaxAgeSeconds:
                         description: |-
-                          Access token max age for tokens to set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
+                          Access token max age in seconds.
+                          This field is specific to OpenShift with built-in OAuth. It is set on the `OAuthClient` resource.
                           0 means no expiration.
                         format: int32
                         type: integer
                       oAuthClientName:
-                        description: Name of the OpenShift `OAuthClient` resource
-                          used to set up identity federation on the OpenShift side.
+                        description: |-
+                          Defined the OIDC client id.
+                          For OpenShift with built-in OAuth, this is the name of the `OAuthClient` resource used to set up identity federation.
                         type: string
                       oAuthScope:
                         description: |-
-                          Access Token Scope.
-                          This field is specific to Che installations made for Kubernetes only and ignored for OpenShift.
+                          Defines the scope requested from the OIDC provider.
+                          For OpenShift with built-in OAuth, the scope `user:full` is used by default.
                         type: string
                       oAuthSecret:
                         description: |-
-                          Name of the secret set in the OpenShift `OAuthClient` resource used to set up identity federation on the OpenShift side.
-                          For Kubernetes, this can either be the plain text oAuthSecret value, or the name of a kubernetes secret which contains a
-                          key `oAuthSecret` and the value is the secret. NOTE: this secret must exist in the same namespace as the `CheCluster`
-                          resource and contain the label `app.kubernetes.io/part-of=che.eclipse.org`.
+                          Defines the OAuth client secret.
+                          It can either be a plain text secret value or the name of a Kubernetes secret
+                          containing a key `oAuthSecret` with the secret value. The Kubernetes secret must exist in the same namespace
+                          as the `CheCluster` resource and have the label `app.kubernetes.io/part-of=che.eclipse.org`.
+                          For OpenShift with built-in OAuth, this is the secret set in the `OAuthClient` resource used to set up identity federation.
                         type: string
                     type: object
                   domain: