openshift, breaking: remove ca_certs, deprecate validate_cert

docs/source/reference/changelog.md

@@ -30,17 +30,22 @@ command line for details.
   reading and adding entries must now use set logic and not list logic.
 - [Google] Authentication state's `google_groups` is now a set, not a list.
 - [CILogon] {attr}`.CILogonOAuthenticator.allowed_idps` is now required config,
-  and `shown_idps`, `username_claim`, `additional_username_claims` must no
-  longer be configured.
+  and `shown_idps`, `username_claim`, `additional_username_claims` are removed.
 - [Okpy] The public functions `OkpyOAuthenticator.get_auth_request` and
-  `OkpyOAuthenticator.get_user_info_request` was removed.
+  `OkpyOAuthenticator.get_user_info_request` are removed.
+- [OpenShift] The config `ca_certs` is removed but
+  {attr}`.OpenShiftOAuthenticator.http_request_kwargs` can still be configured
+  with a `ca_certs` key for the same result. OpenShift's default `ca_certs`
+  remains unchanged.
 
 ### Deprecations
 
 - [Generic, Auth0] `username_key` is deprecated and is being replaced by
   {attr}`.OAuthenticator.username_claim`.
 - [Generic] {attr}`.GenericOAuthenticator.extra_params` is deprecated and is
   being replaced by {attr}`.OAuthenticator.token_params`.
+- [OpenShift] {attr}`.OpenShiftOAuthenticator.validate_cert` is deprecated and
+  is being replaced by {attr}`.OAuthenticator.validate_server_cert`.
 
 ### Highlights
 

oauthenticator/openshift.py

@@ -25,6 +25,13 @@ def _login_service_default(self):
     def _username_claim_default(self):
         return "name"
 
+    @default("http_request_kwargs")
+    def _http_request_kwargs_default(self):
+        ca_cert_file = "/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+        if self.validate_server_cert and os.path.exists(ca_cert_file):
+            return {"ca_certs": ca_cert_file}
+        return {}
+
     openshift_url = Unicode(
         os.environ.get('OPENSHIFT_URL')
         or 'https://openshift.default.svc.cluster.local',
@@ -53,34 +60,6 @@ def _username_claim_default(self):
         """,
     )
 
-    ca_certs = Unicode(
-        config=True,
-        help="""
-        Path to a certificate authority (CA) certificate file. Used to trust the
-        certificates from a specific CA.
-        """,
-    )
-
-    # FIXME: validate_cert is defined here, but OAuthenticator also defines
-    #        validate_server_cert. If both should exist separately its too
-    #        confusing without further documentation, and if only one should
-    #        exist the one here should be deprecated in favor of the other.
-    #
-    validate_cert = Bool(
-        True,
-        config=True,
-        help="""
-        Set to False to disable certificate validation.
-        """,
-    )
-
-    @default("ca_certs")
-    def _ca_certs_default(self):
-        ca_cert_file = "/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-        if self.validate_cert and os.path.exists(ca_cert_file):
-            return ca_cert_file
-        return ''
-
     openshift_auth_api_url = Unicode(
         config=True,
         help="""
@@ -131,6 +110,29 @@ def _openshift_rest_api_url_default(self):
     def _userdata_url_default(self):
         return f"{self.openshift_rest_api_url}/apis/user.openshift.io/v1/users/~"
 
+    # _deprecated_oauth_aliases is used by deprecation logic in OAuthenticator
+    _deprecated_oauth_aliases = {
+        "ca_certs": ("http_request_kwargs", "16.0.0", False),
+        "validate_cert": ("validate_server_cert", "16.0.0"),
+        **OAuthenticator._deprecated_oauth_aliases,
+    }
+    ca_certs = Unicode(
+        config=True,
+        help="""
+        .. versionremoved:: 16.0
+
+           Use :attr:`http_request_kwargs`.
+        """,
+    )
+    validate_cert = Bool(
+        config=True,
+        help="""
+        .. deprecated:: 16.0
+
+           Use :attr:`validate_server_cert`.
+        """,
+    )
+
     def user_info_to_username(self, user_info):
         """
         Overrides OAuthenticator.user_info_to_username instead of setting