
OCPBUGS-74627: Fix infrastructure resource name filtering in watch predicate #985

Open
jstuever wants to merge 1 commit into openshift:master from jstuever:OCPBUGS-74627

@jstuever commented Mar 10, 2026

OCPBUGS-74627: CCO should only process the infrastructure resource named "cluster", not other infrastructure resources like "cloud-provider-config" that may exist in the cluster.

This change updates the infraResourcePredicate to check that the infrastructure resource name is "cluster" before processing create and update events. This prevents CCO from incorrectly processing infrastructure resources with other names.

Also adds comprehensive tests to verify the predicate correctly filters infrastructure resources by name.

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

  • Bug Fixes

    • Refined infrastructure event filtering so only the "cluster" infrastructure with resource tags triggers processing on Create/Update, reducing unnecessary reconciliations from unrelated infra changes.
  • Tests

    • Added unit tests that validate detection and handling of infrastructure resource tags and tag-change scenarios to ensure correct filter behavior.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 10, 2026
@openshift-ci-robot

@jstuever: This pull request references Jira Issue OCPBUGS-74627, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@coderabbitai

coderabbitai bot commented Mar 10, 2026

Walkthrough

The Infrastructure event predicate in the credentialsrequest controller is tightened to only target the Infrastructure resource named "cluster" and to require presence of AWS resource tags on Create and Update events. Two unit tests were added to validate tag-detection and tag-update helper functions.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Event Predicate Refinement: pkg/operator/credentialsrequest/credentialsrequest_controller.go | Predicate for Infrastructure watch now filters to the resource named cluster and requires resource tags for Create and Update events; Delete events remain ignored. Comments updated to reflect the focused scope. |
| Helper Function Tests: pkg/operator/credentialsrequest/credentialsrequest_controller_test.go | Added TestHasResourceTags and TestAreTagsUpdated to exercise helper logic for detecting AWS resource tags and detecting tag changes across old/new Infrastructure states. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | Assertions in both new test functions lack meaningful failure messages, inconsistent with codebase patterns that include diagnostic context. | Add descriptive messages to assertion calls, e.g., assert.Equal(t, tt.expected, result, "hasResourceTags(%s) returned unexpected value", tt.name) |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: fixing infrastructure resource name filtering in the watch predicate to process only the 'cluster' resource, which is the core purpose of the PR. |
| Stable And Deterministic Test Names | ✅ Passed | Pull request uses standard Go testing with static, descriptive test case names rather than Ginkgo framework, making the check not applicable. |


@openshift-ci openshift-ci bot requested review from 2uasimojo and suhanime March 10, 2026 21:16
@openshift-ci

openshift-ci bot commented Mar 10, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jstuever


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 10, 2026
@jstuever jstuever force-pushed the OCPBUGS-74627 branch 2 times, most recently from 23e6604 to 7258b69 Compare March 10, 2026 21:19
OCPBUGS-74627: CCO should only process the infrastructure resource
named "cluster", not other infrastructure resources like
"cloud-provider-config" that may exist in the cluster.

This change updates the infraResourcePredicate to check that the
infrastructure resource name is "cluster" before processing create
and update events. This prevents CCO from incorrectly processing
infrastructure resources with other names.

Also adds comprehensive tests to verify the predicate correctly
filters infrastructure resources by name.

Assisted-by: Claude Sonnet 4.5

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/operator/credentialsrequest/credentialsrequest_controller.go (1)

257-268: Deduplicate the Infrastructure resource name.

Line 262 and Line 268 add another "cluster" literal. The same singleton name is already hardcoded in pkg/operator/utils/utils.go, so keeping it inline here makes future drift between the watch predicate and the lookup path more likely. Prefer a dedicated constant for the Infrastructure resource name and reuse it in both places.

♻️ Suggested cleanup
 const (
 	controllerName      = "credreq"
 	labelControllerName = controllerName + "_labeller"
+	infrastructureResourceName = "cluster"
 
 	namespaceMissing = "NamespaceMissing"
 	namespaceExists  = "NamespaceExists"
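
Review bot: the new `infrastructureResourceName` constant in this const block is unexported and declared in the controller file, so the `types.NamespacedName{Name: "cluster"}` lookup in pkg/operator/utils/utils.go cannot reference it and the two literals remain separate. Define one exported constant in the utils package and compare against it from both the predicate and the lookup. The added line is also not aligned with the `=` column of its neighbours, which gofmt will rewrite.
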
@@
-			return e.Object.GetName() == "cluster" && hasResourceTags(e.Object)
+			return e.Object.GetName() == infrastructureResourceName && hasResourceTags(e.Object)
@@
-			return e.ObjectNew.GetName() == "cluster" && areTagsUpdated(e.ObjectOld, e.ObjectNew)
+			return e.ObjectNew.GetName() == infrastructureResourceName && areTagsUpdated(e.ObjectOld, e.ObjectNew)
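
Review bot: the name comparison on the `+` lines for CreateFunc and UpdateFunc sits inside the predicate closures, which the tests added in this PR (TestHasResourceTags and TestAreTagsUpdated) never call, so nothing fails if the gate is dropped or the constant drifts from "cluster". Add a predicate-level case that runs both functions against an Infrastructure named "cloud-provider-config" and expects false.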

Also update the types.NamespacedName{Name: "cluster"} lookup in pkg/operator/utils/utils.go to use the same constant.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/credentialsrequest/credentialsrequest_controller.go` around
lines 257 - 268, The predicate uses the literal "cluster" in
infraResourcePredicate (TypedFuncs[*configv1.Infrastructure] CreateFunc and
UpdateFunc) which duplicates the same singleton name used elsewhere; replace
these literals with a shared constant (e.g., InfrastructureName or
InfrastructureResourceName) defined in the utils package and reference that
constant in infraResourcePredicate, ensuring CreateFunc and UpdateFunc compare
against the constant and UpdateFunc continues to call
areTagsUpdated(e.ObjectOld, e.ObjectNew); also update the lookup that uses
types.NamespacedName{Name: "cluster"} in utils.go to use the same constant so
both the watch predicate and lookup share the single source of truth.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/operator/credentialsrequest/credentialsrequest_controller_test.go`:
- Around line 2078-2285: The tests currently miss cases for Infrastructure
objects whose .ObjectMeta.Name is not "cluster"; add regression cases to
TestHasResourceTags and TestAreTagsUpdated that use an infra with Name set to a
non-"cluster" value (e.g., "cloud-provider-config") and assert the expected
boolean results from hasResourceTags and areTagsUpdated, and also add a small
test that invokes the controller's Infrastructure predicate (the new predicate
added in the credentialsrequest controller) to ensure it rejects non-"cluster"
Infrastructure objects so the predicate behavior is explicitly verified.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b905de42-8666-4137-a10b-485698957e8c

📥 Commits

Reviewing files that changed from the base of the PR and between b0297f0 and 9de98a4.

📒 Files selected for processing (2)
  • pkg/operator/credentialsrequest/credentialsrequest_controller.go
  • pkg/operator/credentialsrequest/credentialsrequest_controller_test.go

@jstuever

/jira backport release-4.21,release-4.20

@jstuever

/jira refresh

@openshift-ci-robot

@jstuever: The following backport issues have been created:

Queuing cherrypicks to the requested branches to be created after this PR merges:
/cherrypick release-4.21
/cherrypick release-4.20


@openshift-cherrypick-robot

@openshift-ci-robot: once the present PR merges, I will cherry-pick it on top of release-4.20, release-4.21 in new PRs and assign them to you.


@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 10, 2026
@openshift-ci-robot

@jstuever: This pull request references Jira Issue OCPBUGS-74627, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianping-shu


@openshift-ci openshift-ci bot requested a review from jianping-shu March 10, 2026 21:27
@openshift-ci-robot

@jstuever: This pull request references Jira Issue OCPBUGS-74627, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianping-shu



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/operator/credentialsrequest/credentialsrequest_controller.go`:
- Around line 257-268: Add a predicate-level regression test that asserts
infraResourcePredicate only allows events for Infrastructure objects named
"cluster" (and rejects others like "cloud-provider-config"); specifically,
construct TypedCreateEvent and TypedUpdateEvent inputs and verify
infraResourcePredicate.CreateFunc returns true only when e.Object.GetName() ==
"cluster" and hasResourceTags(e.Object) is true, and
infraResourcePredicate.UpdateFunc returns true only when e.ObjectNew.GetName()
== "cluster" and areTagsUpdated(e.ObjectOld, e.ObjectNew) is true; include
negative cases where name != "cluster" to ensure the name gate prevents
processing regardless of tag helpers.
- Around line 267-268: The UpdateFunc predicate currently enqueues only when
areTagsUpdated(e.ObjectOld, e.ObjectNew) is true, which misses present->absent
transitions; update the predicate in the UpdateFunc for
event.TypedUpdateEvent[*configv1.Infrastructure] so it returns true when the
object is the "cluster" AND either areTagsUpdated(old,new) OR tags were removed
(i.e., detect a present->absent change). Implement this by adding a small helper
(e.g., tagsRemoved(old, new)) or by extending areTagsUpdated to treat removal as
an update, and reference the UpdateFunc closure, areTagsUpdated, and the
TypedUpdateEvent[*configv1.Infrastructure] event to locate where to change the
logic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 98dcd8ff-7b29-4ec6-a3ff-5e78bcb3cdcc

📥 Commits

Reviewing files that changed from the base of the PR and between 9de98a4 and 985e356.

📒 Files selected for processing (2)
  • pkg/operator/credentialsrequest/credentialsrequest_controller.go
  • pkg/operator/credentialsrequest/credentialsrequest_controller_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/operator/credentialsrequest/credentialsrequest_controller_test.go
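
The predicate-level check requested in the review above, as an added example that is not part of this PR or of the CCO code base. The types `infra`, `infraPredicate` and `gateResult` and the functions `newInfraPredicate` and `evalGate` are hypothetical stand-ins for `predicate.TypedFuncs[*configv1.Infrastructure]` and its events; the tag helpers are injected as stubs because their real bodies are not shown on this page.

```go
package main

import "fmt"

// infra stands in for the configv1.Infrastructure fields the predicate reads (assumption).
type infra struct {
	Name string
	Tags map[string]string
}

const infrastructureResourceName = "cluster"

// infraPredicate mirrors the Create/Update/Delete shape of a typed predicate.
type infraPredicate struct {
	Create func(obj *infra) bool
	Update func(oldObj, newObj *infra) bool
	Delete func(obj *infra) bool
}

// newInfraPredicate takes the tag helpers as parameters so the name gate can
// be tested independently of what the helpers decide.
func newInfraPredicate(hasTags func(*infra) bool, tagsUpdated func(o, n *infra) bool) infraPredicate {
	return infraPredicate{
		Create: func(obj *infra) bool {
			return obj.Name == infrastructureResourceName && hasTags(obj)
		},
		Update: func(o, n *infra) bool {
			return n.Name == infrastructureResourceName && tagsUpdated(o, n)
		},
		Delete: func(*infra) bool { return false }, // delete events stay ignored
	}
}

// gateResult records the predicate verdicts and how often a helper was consulted.
type gateResult struct {
	Create, Update bool
	HelperCalls    int
}

// evalGate runs Create and Update for one resource name with both helpers
// forced to return helperVerdict.
func evalGate(name string, helperVerdict bool) gateResult {
	calls := 0
	p := newInfraPredicate(
		func(*infra) bool { calls++; return helperVerdict },
		func(_, _ *infra) bool { calls++; return helperVerdict },
	)
	oldObj := &infra{Name: name, Tags: map[string]string{"env": "dev"}}  // constructed sample
	newObj := &infra{Name: name, Tags: map[string]string{"env": "prod"}} // constructed sample
	c := p.Create(newObj)
	u := p.Update(oldObj, newObj)
	return gateResult{Create: c, Update: u, HelperCalls: calls}
}

func main() {
	for _, name := range []string{"cluster", "cloud-provider-config"} {
		fmt.Printf("%-22s true:%+v false:%+v\n", name, evalGate(name, true), evalGate(name, false))
	}
}
```

Because the name comparison comes first in each `&&`, the helper call count stays at zero for any name other than "cluster", which is what keeps the gate independent of the tag logic.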

@codecov

codecov bot commented Mar 11, 2026

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.30%. Comparing base (b0297f0) to head (985e356).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...redentialsrequest/credentialsrequest_controller.go | 0.00% | 2 Missing ⚠️ |

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #985      +/-   ##
==========================================
+ Coverage   46.20%   46.30%   +0.09%     
==========================================
  Files          98       98              
  Lines       12253    12253              
==========================================
+ Hits         5662     5674      +12     
+ Misses       5941     5929      -12     
  Partials      650      650              

| Files with missing lines | Coverage Δ |
| --- | --- |
| ...redentialsrequest/credentialsrequest_controller.go | 45.86% <0.00%> (+1.62%) ⬆️ |

@openshift-ci

openshift-ci bot commented Mar 11, 2026

@jstuever: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-ovn | 985e356 | link | true | /test e2e-aws-ovn |
| ci/prow/e2e-upgrade | 985e356 | link | true | /test e2e-upgrade |

