openshift · liouk · Jan 9, 2026
diff --git a/test/extended/apiserver/security_context.go b/test/extended/apiserver/security_context.go
@@ -12,9 +12,18 @@ import (
 	e2e "k8s.io/kubernetes/test/e2e/framework"
 	admissionapi "k8s.io/pod-security-admission/api"
 
+	configv1 "github.com/openshift/api/config/v1"
 	exutil "github.com/openshift/origin/test/extended/util"
 )
 
+type itemUnderTest struct {
+	namespace            string
+	containerName        string
+	expectedHostPath     string
+	expectHostNetwork    bool
+	requireHostPathMount bool
+}
+
 var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity]", func() {
 	defer g.GinkgoRecover()
 	ctx := context.Background()
@@ -40,13 +49,7 @@ var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity]", func() {
 			g.Skip("Hypershift control plane pods are not accessible from hosted cluster")
 		}
 
-		checkItems := []struct {
-			namespace            string
-			containerName        string
-			expectedHostPath     string
-			expectHostNetwork    bool
-			requireHostPathMount bool
-		}{
+		checkItems := []itemUnderTest{
 			{
 				namespace:            "openshift-kube-apiserver",
 				containerName:        "kube-apiserver",
@@ -61,13 +64,18 @@ var _ = g.Describe("[sig-auth][Feature:ControlPlaneSecurity]", func() {
 				expectHostNetwork:    false,
 				requireHostPathMount: false,
 			},
-			{
+		}
+
+		authn, err := oc.AdminConfigClient().ConfigV1().Authentications().Get(ctx, "cluster", metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+		if len(authn.Spec.Type) == 0 || authn.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth {
+			checkItems = append(checkItems, itemUnderTest{
 				namespace:            "openshift-oauth-apiserver",
 				containerName:        "oauth-apiserver",
 				expectedHostPath:     "",
 				expectHostNetwork:    false,
 				requireHostPathMount: false,
-			},
+			})
 		}
 
 		for _, checkItem := range checkItems {

diff --git a/test/extended/apiserver/tls.go b/test/extended/apiserver/tls.go
@@ -24,6 +24,10 @@ const (
 	namespace = "apiserver-tls-test"
 )
 
+type serverUnderTest struct {
+	name, namespace, port string
+}
+
 // This test only checks whether components are serving the proper TLS version based
 // on the expected version set in the TLS profile config. It is a part of the
 // openshift/conformance/parallel test suite, and it is expected that there are jobs
@@ -69,18 +73,21 @@ var _ = g.Describe("[sig-api-machinery][Feature:APIServer]", func() {
 			g.Skip("Only intermediate or modern profiles are tested")
 		}
 
-		targets := []struct {
-			name, namespace, port string
-		}{
+		targets := []serverUnderTest{
 			{"apiserver", "openshift-kube-apiserver", "443"},
-			{"oauth-openshift", "openshift-authentication", "443"},
 			{"kube-controller-manager", "openshift-kube-controller-manager", "443"},
 			{"scheduler", "openshift-kube-scheduler", "443"},
 			{"api", "openshift-apiserver", "443"},
-			{"api", "openshift-oauth-apiserver", "443"},
 			{"machine-config-controller", "openshift-machine-config-operator", "9001"},
 		}
 
+		authn, err := oc.AdminConfigClient().ConfigV1().Authentications().Get(ctx, "cluster", metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+		if len(authn.Spec.Type) == 0 || authn.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth {
+			targets = append(targets, serverUnderTest{"oauth-openshift", "openshift-authentication", "443"})
+			targets = append(targets, serverUnderTest{"api", "openshift-oauth-apiserver", "443"})
+		}
+
 		g.By("Verifying TLS behavior for core control plane components")
 		for _, target := range targets {
 			g.By(fmt.Sprintf("Checking %s/%s on port %s", target.namespace, target.name, target.port))