
DNM/REFACTOR EFFORT: OCPBUGS-81741: Watch Network and Infrastructure in proxyconfig controller #3033

Open: jluhrsen wants to merge 5 commits into openshift:master from jluhrsen:refac-dedup

Conversation

jluhrsen (Contributor) commented Jun 18, 2026
Summary by CodeRabbit

Release Notes

  • New Features

    • Proxy controller now monitors Network and Infrastructure resources to dynamically update proxy status with cluster connectivity information.
  • Tests

    • Added tests verifying proxy status updates reflect Network and Infrastructure resource changes.

jluhrsen added 5 commits June 17, 2026 22:05
- Extract shared proxy validation and trust bundle generation.
- Remove duplicated construction logic from both reconcile paths.
- Preserve existing validation order and degraded status behavior.
- Move Proxy event handling into reconcileProxy.
- Keep dependency reads and Proxy status updates together.
- Preserve existing errors, logs, and reconciliation ordering.
- Move additional trust bundle handling into a focused helper.
- Reduce Reconcile to request dispatch and final bundle synchronization.
- Retain ConfigMap-specific validation and degraded reasons.
- Rename local objects to match their API resource types.
- Distinguish the cluster ConfigMap from cluster-scoped configuration.
- Keep the change mechanical with no control-flow changes.
- Watch Network and Infrastructure changes through the Proxy request.
- Recompute Proxy status from current cluster configuration.
- Add fake-client status support and regression coverage.
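The two behaviours the last commit describes, routing every Network or Infrastructure event to the single Proxy request and recomputing Proxy.Status.NoProxy from the current dependency values rather than patching the old string, are shown below as an added, self-contained example. It is not code from this PR or from the cluster-network-operator repository: the Request type, the ClusterDeps field names, the fixed bypass entries and the sample values are assumptions chosen for illustration, and only the standard library is used so it runs without controller-runtime. The reason a stale NoProxy matters is that it decides which destinations bypass the proxy; if it lags behind a CIDR or API endpoint change, in-cluster traffic is either pushed out through the proxy or left unproxied when it should not be, so the example also validates each CIDR and the API URL before they would reach status.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"sort"
	"strings"
)

// Request is a stand-in for the namespaced key a controller-runtime watch
// hands to Reconcile (assumption: local type, not reconcile.Request).
type Request struct {
	Namespace string
	Name      string
}

// proxyRequest is the single cluster-scoped Proxy object. Every Network or
// Infrastructure event is mapped to it so that a dependency change runs the
// same reconcile path as a change to the Proxy itself.
var proxyRequest = Request{Name: "cluster"}

// EnqueueProxy is the map function a watch on Network or Infrastructure
// would use. The changed object is ignored on purpose: the reconciler
// re-reads every dependency, so there is nothing to carry across.
func EnqueueProxy(_ Request) []Request {
	return []Request{proxyRequest}
}

// ClusterDeps holds the dependency fields NoProxy is derived from.
// Assumption: field names are illustrative, not the configv1 API.
type ClusterDeps struct {
	UserNoProxy          string   // Proxy.Spec.NoProxy, comma separated
	ClusterNetworkCIDRs  []string // pod CIDRs taken from Network
	ServiceNetworkCIDRs  []string // service CIDRs taken from Network
	APIServerInternalURL string   // internal API endpoint from Infrastructure
}

// DesiredNoProxy recomputes the NoProxy status from the current dependency
// values instead of patching the previous string. Every CIDR and the API URL
// are validated before they reach status, entries are deduplicated, and the
// result is sorted so repeated reconciles yield an identical string and do
// not trigger needless status updates.
func DesiredNoProxy(d ClusterDeps) (string, error) {
	set := map[string]struct{}{}
	add := func(s string) {
		if s = strings.TrimSpace(s); s != "" {
			set[s] = struct{}{}
		}
	}
	// Fixed entries that must always bypass the proxy (assumed set).
	for _, s := range []string{"localhost", "127.0.0.1", ".svc", ".cluster.local"} {
		add(s)
	}
	cidrs := append(append([]string{}, d.ClusterNetworkCIDRs...), d.ServiceNetworkCIDRs...)
	for _, c := range cidrs {
		if _, _, err := net.ParseCIDR(c); err != nil {
			return "", fmt.Errorf("invalid cluster or service CIDR %q: %w", c, err)
		}
		add(c)
	}
	if d.APIServerInternalURL != "" {
		u, err := url.Parse(d.APIServerInternalURL)
		if err != nil || u.Hostname() == "" {
			return "", fmt.Errorf("invalid APIServerInternalURL %q", d.APIServerInternalURL)
		}
		add(u.Hostname())
	}
	for _, s := range strings.Split(d.UserNoProxy, ",") {
		add(s)
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return strings.Join(out, ","), nil
}

func main() {
	// Constructed sample values, not taken from a real cluster.
	deps := ClusterDeps{
		UserNoProxy:          "example.internal, .svc",
		ClusterNetworkCIDRs:  []string{"10.128.0.0/14"},
		ServiceNetworkCIDRs:  []string{"172.30.0.0/16"},
		APIServerInternalURL: "https://api-int.example.internal:6443",
	}
	before, err := DesiredNoProxy(deps)
	if err != nil {
		panic(err)
	}
	fmt.Println("initial:", before)

	// A Network update arrives; the watch maps it to the Proxy request and
	// the reconciler recomputes status from scratch.
	fmt.Println("enqueued:", EnqueueProxy(Request{Name: "cluster"}))
	deps.ClusterNetworkCIDRs = append(deps.ClusterNetworkCIDRs, "10.132.0.0/14")
	after, err := DesiredNoProxy(deps)
	if err != nil {
		panic(err)
	}
	fmt.Println("after:  ", after)
}
```

Sorting the merged set is what makes the recompute idempotent: the same dependencies always produce the same status string, so the reconciler can compare desired against observed and skip the update when nothing changed.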
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 18, 2026
openshift-ci-robot (Contributor) commented

@jluhrsen: This pull request references Jira Issue OCPBUGS-81741, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai (Bot) commented Jun 18, 2026
Walkthrough

The proxyconfig controller gains watches on configv1.Network and configv1.Infrastructure, enqueuing Proxy reconcile requests on changes. The monolithic Reconcile() is split into reconcileProxy(), reconcileAdditionalTrustBundle(), and desiredTrustBundle() helpers. A new test file covers enqueueProxy mapping and NoProxy status updates. The fake client adds configv1.Proxy as a status subresource.

Changes

proxyconfig Controller: Network/Infrastructure watches, reconcile refactor, and tests

| Layer / File(s) | Summary |
|---|---|
| Controller watches and Reconcile dispatch (pkg/controller/proxyconfig/controller.go) | add() registers watches for configv1.Network and configv1.Infrastructure via enqueueProxy. Reconcile() initializes trustBundle and branches to reconcileProxy or reconcileAdditionalTrustBundle by request type. |
| reconcileProxy, reconcileAdditionalTrustBundle, and desiredTrustBundle helpers (pkg/controller/proxyconfig/controller.go) | reconcileProxy() fetches Proxy, delegates to desiredTrustBundle, loads cluster objects, and syncs proxy status. reconcileAdditionalTrustBundle() validates and merges the trust bundle ConfigMap then delegates to desiredTrustBundle. desiredTrustBundle() selects system-bundle-only vs. merged ConfigMap path and returns the result. |
| Tests and fake client Proxy status-subresource support (pkg/client/fake/fake_client.go, pkg/controller/proxyconfig/controller_test.go) | fake_client.go adds configv1.Proxy to WithStatusSubresource. New tests assert enqueueProxy mapping and verify Proxy.Status.NoProxy updates when Network or Infrastructure dependencies change, with helper functions and object factories. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No-Weak-Crypto | ❌ Error | Non-constant-time string equality comparison of certificate bundle data in configMapsEqual() function using == operator instead of bytes.Equal or crypto/subtle.ConstantTimeCompare. | Replace a.Data[key] == b.Data[key] with bytes.Equal([]byte(a.Data[key]), []byte(b.Data[key])) or use crypto/subtle.ConstantTimeCompare for timing-safe comparison of certificate data. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | TestReconcileUpdatesProxyStatusFromDependencies violates single responsibility principle by testing 6 distinct behaviors (initial reconciliation, Network CIDR update, APIServer update) in one test... | Split TestReconcileUpdatesProxyStatusFromDependencies into separate tests: TestReconcileIncludesNetworkCIDRInNoProxy, TestReconcileNetworkUpdateRefreshesNoProxy, and TestReconcileInfrastructureUpdateRefreshesNoProxy. |
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly references watching Network and Infrastructure in the proxyconfig controller, which directly matches the main changes across the three modified files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR adds only standard Go tests (TestEnqueueProxy, TestReconcileUpdatesProxyStatusFromDependencies) with descriptive, static names. No Ginkgo test patterns (It, Describe, Context, When) are used... |
| Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added. The new tests (TestEnqueueProxy, TestReconcileUpdatesProxyStatusFromDependencies) are Go unit tests using standard testing.T, not Ginkgo framework tests. Check not ap... |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The PR adds unit tests in controller_test.go using standard Go testing.T patterns, not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests, which are not present in this PR. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies controller reconciliation logic and tests only. No deployment manifests, pod templates, affinity rules, node selectors, or topology-dependent scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | No process-level stdout writes detected. All logging (log.Printf, log.Println, klog.Warningf) is in method receivers, not process-level code. Test init() only registers API types without stdout wri... |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The PR adds a unit test file, not Ginkgo e2e tests. The custom check is specifically for Ginkgo e2e tests, so it does not apply to this PR. |
| Container-Privileges | ✅ Passed | This PR only modifies Go source code files (fake_client.go, controller.go, controller_test.go). The container-privileges check is not applicable as no container manifests or K8s security contexts a... |
| No-Sensitive-Data-In-Logs | ✅ Passed | No logging of passwords, tokens, API keys, PII, session IDs, CA bundle content, or customer data detected. All logging statements safely log only object names, namespaces, and error messages. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/Masterminds/semver@v1.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Masterminds/sprig/v3@v3.2.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/containernetworking/cni@v0.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ghodss/yaml@v1.0.1-0.20190212211648-25d852aebe32: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/go-bindata/go-bindata@v3.1.2+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/onsi/gomega@v1.39.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ope

... [truncated 17357 characters] ...

red in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/gengo/v2@v2.0.0-20251215205346-5ee0d033ba5b: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kms@v0.35.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kube-aggregator@v0.35.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/structured-merge-diff/v6@v6.3.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"


Comment @coderabbitai help to get the list of available commands and usage tips.
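The No-Weak-Crypto finding above needs a practitioner's caveat, shown with an added example that is not code from this PR or from the project (the function names and the sample data are assumptions). A CA certificate bundle stored in a ConfigMap is public material, so a timing difference while comparing two copies of it discloses nothing an attacker could not simply read; plain == on Go strings, or bytes.Equal, is the normal and correct choice there. crypto/subtle.ConstantTimeCompare is the right tool when a map value is secret-like, and even then it only equalises timing for equal-length inputs, because it returns 0 immediately when the lengths differ. The constant-time variant below therefore keeps visiting every key rather than returning on the first mismatching value.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// ConfigMapsEqualFast compares two ConfigMap data maps the way a reconciler
// normally does: the key sets must match and every value must match.
// String == stops at the first differing byte, which is correct for public
// data such as a CA bundle.
func ConfigMapsEqualFast(a, b map[string]string) bool {
	if len(a) != len(b) {
		return false
	}
	for k, av := range a {
		bv, ok := b[k]
		if !ok || av != bv {
			return false
		}
	}
	return true
}

// ConfigMapsEqualConstantTime is the variant for values that are secret-like
// (they belong in a Secret, but reconcilers meet both). It keeps visiting
// every key instead of returning on the first mismatching value. Key names
// and value lengths are not protected: ConstantTimeCompare returns 0 at once
// for unequal lengths, so only equal-length content is compared in
// constant time.
func ConfigMapsEqualConstantTime(a, b map[string]string) bool {
	if len(a) != len(b) {
		return false
	}
	equal := 1
	for k, av := range a {
		bv, ok := b[k]
		if !ok {
			return false
		}
		// Accumulate the result so the loop never exits early on content.
		equal &= subtle.ConstantTimeCompare([]byte(av), []byte(bv))
	}
	return equal == 1
}

func main() {
	// Constructed sample data standing in for a trust-bundle ConfigMap.
	bundle := "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
	current := map[string]string{"ca-bundle.crt": bundle}
	desired := map[string]string{"ca-bundle.crt": bundle}
	rotated := map[string]string{"ca-bundle.crt": bundle + "BBBB\n"}

	fmt.Println("unchanged (fast):", ConfigMapsEqualFast(current, desired))
	fmt.Println("rotated (fast):  ", ConfigMapsEqualFast(current, rotated))
	fmt.Println("unchanged (ct):  ", ConfigMapsEqualConstantTime(current, desired))
	fmt.Println("rotated (ct):    ", ConfigMapsEqualConstantTime(current, rotated))
}
```

Both functions return the same boolean for every input; what differs is only how long the call takes on unequal content, which is the sole property a constant-time comparison buys.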

@openshift-ci openshift-ci Bot requested review from arkadeepsen and jcaamano June 18, 2026 05:11
openshift-ci (Bot) commented Jun 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jluhrsen
Once this PR has been reviewed and has the lgtm label, please assign knobunc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/controller/proxyconfig/controller.go (1)

230-268: ⚖️ Poor tradeoff

Duplicate validation and merge when trustedCA is set.

When the ConfigMap matches proxy.Spec.TrustedCA.Name, validateTrustedCA and mergeTrustBundlesToConfigMap are called here (lines 231, 243), then called again inside desiredTrustBundle (lines 308, 319). The first merge result is discarded.

Consider passing the already-validated data to desiredTrustBundle or refactoring to avoid duplicate work.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/proxyconfig/controller.go` around lines 230 - 268, The
validateTrustedCA and mergeTrustBundlesToConfigMap functions are being called
twice unnecessarily: once in the current code block (validateTrustedCA and
mergeTrustBundlesToConfigMap) and again inside the desiredTrustBundle function,
with the first result being discarded. Refactor the desiredTrustBundle function
to accept the already-validated proxyData and systemData parameters that were
computed earlier, eliminating the duplicate validation and merge operations, or
alternatively restructure the code to only perform these operations once and
reuse the results in desiredTrustBundle.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ec4ca8cc-5198-4ba3-83b9-e6457b3a4ff9

📥 Commits

Reviewing files that changed from the base of the PR and between c376140 and 3c535d3.

📒 Files selected for processing (3)
  • pkg/client/fake/fake_client.go
  • pkg/controller/proxyconfig/controller.go
  • pkg/controller/proxyconfig/controller_test.go

Comment on lines +188 to +195
if err := r.client.Get(ctx, types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"},
clusterConfigMap); err != nil {
log.Printf("Failed to get configmap '%s/%s': %v", clusterConfigMap.Namespace, clusterConfigMap.Name, err)
r.status.MaybeSetDegraded(statusmanager.ProxyConfig, "ClusterConfigError",
fmt.Sprintf("Error getting cluster config configmap '%s/%s': %v.", clusterConfigMap.Namespace,
clusterConfigMap.Name, err))
return nil, fmt.Errorf("failed to get configmap '%s/%s': %v", clusterConfigMap.Namespace, clusterConfigMap.Name, err)
}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Log message uses unpopulated struct fields on Get failure.

When Get fails, clusterConfigMap.Namespace and clusterConfigMap.Name are empty strings since the struct wasn't populated. The log would show Failed to get configmap '/': instead of the intended namespace/name.

Proposed fix
-	if err := r.client.Get(ctx, types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"},
-		clusterConfigMap); err != nil {
-		log.Printf("Failed to get configmap '%s/%s': %v", clusterConfigMap.Namespace, clusterConfigMap.Name, err)
+	clusterConfigKey := types.NamespacedName{Name: "cluster-config-v1", Namespace: "kube-system"}
+	if err := r.client.Get(ctx, clusterConfigKey, clusterConfigMap); err != nil {
+		log.Printf("Failed to get configmap '%s/%s': %v", clusterConfigKey.Namespace, clusterConfigKey.Name, err)
 		r.status.MaybeSetDegraded(statusmanager.ProxyConfig, "ClusterConfigError",
-			fmt.Sprintf("Error getting cluster config configmap '%s/%s': %v.", clusterConfigMap.Namespace,
-				clusterConfigMap.Name, err))
-		return nil, fmt.Errorf("failed to get configmap '%s/%s': %v", clusterConfigMap.Namespace, clusterConfigMap.Name, err)
+			fmt.Sprintf("Error getting cluster config configmap '%s/%s': %v.", clusterConfigKey.Namespace,
+				clusterConfigKey.Name, err))
+		return nil, fmt.Errorf("failed to get configmap '%s/%s': %v", clusterConfigKey.Namespace, clusterConfigKey.Name, err)
 	}
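Review bot: the hunk does fix the empty '/' in all three messages by formatting from clusterConfigKey, but the returned `fmt.Errorf("failed to get configmap '%s/%s': %v", ...)` still formats the cause with %v; use %w so a caller can inspect it with errors.Is or errors.As instead of matching on the string. The same failure is also logged with log.Printf and then returned, so whoever logs the return value will print it twice; keep one of the two. Note that the agent prompt attached to this comment asks for the literals "kube-system" and "cluster-config-v1" to be hardcoded into the messages instead, which would let them drift from the key passed to Get; the key variable in the hunk is the better of the two proposals.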
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/proxyconfig/controller.go` around lines 188 - 195, In the
error handling block where r.client.Get fails for the cluster config, replace
the references to clusterConfigMap.Namespace and clusterConfigMap.Name with the
literal hardcoded values "kube-system" and "cluster-config-v1" respectively.
Since the Get operation failed, the clusterConfigMap struct was never populated,
so these fields are empty strings. Update all three places where the namespace
and name are logged: the log.Printf call, the status message in
r.status.MaybeSetDegraded, and the returned error message.

openshift-ci (Bot) commented Jun 18, 2026

@jluhrsen: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Required | Rerun command |
|---|---|---|---|
| ci/prow/e2e-metal-ipi-ovn-ipv6 | 3c535d3 | true | /test e2e-metal-ipi-ovn-ipv6 |
| ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec | 3c535d3 | true | /test e2e-metal-ipi-ovn-ipv6-ipsec |
| ci/prow/e2e-aws-ovn-hypershift-conformance | 3c535d3 | true | /test e2e-aws-ovn-hypershift-conformance |
| ci/prow/e2e-azure-ovn-upgrade | 3c535d3 | true | /test e2e-azure-ovn-upgrade |
| ci/prow/e2e-aws-ovn-fdp-qe | 3c535d3 | true | /test e2e-aws-ovn-fdp-qe |
| ci/prow/e2e-aws-ovn-rhcos10-techpreview | 3c535d3 | false | /test e2e-aws-ovn-rhcos10-techpreview |
| ci/prow/e2e-aws-ovn-upgrade | 3c535d3 | true | /test e2e-aws-ovn-upgrade |
| ci/prow/lint | 3c535d3 | true | /test lint |
| ci/prow/e2e-gcp-ovn | 3c535d3 | true | /test e2e-gcp-ovn |
| ci/prow/e2e-ovn-ipsec-step-registry | 3c535d3 | true | /test e2e-ovn-ipsec-step-registry |
| ci/prow/e2e-aws-ovn-upgrade-ipsec | 3c535d3 | true | /test e2e-aws-ovn-upgrade-ipsec |
| ci/prow/hypershift-e2e-aks | 3c535d3 | true | /test hypershift-e2e-aks |
| ci/prow/e2e-metal-ipi-ovn-dualstack-bgp | 3c535d3 | true | /test e2e-metal-ipi-ovn-dualstack-bgp |
| ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw | 3c535d3 | true | /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw |
| ci/prow/e2e-gcp-ovn-upgrade | 3c535d3 | true | /test e2e-gcp-ovn-upgrade |

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

