OCPBUGS-81741: Watch Network and Infrastructure in proxyconfig controller

[jluhrsen]

The proxyconfig controller reads Network.Status.ClusterNetwork and Infrastructure.Status to compute Proxy.Status.NoProxy, but only watched Proxy and ConfigMaps. Network or Infrastructure changes would not trigger reconciliation, leaving proxy status stale.

Add watches for Network and Infrastructure resources to ensure reconciliation occurs when these resources change.

Also add Proxy status subresource support to fake client and unit tests covering reconciliation logic.

Co-authored-by: Claude Code <noreply@anthropic.com)

Summary by CodeRabbit

• Tests

  • Added comprehensive unit tests for proxy reconciliation, validating status updates when network or infrastructure change, empty-spec behavior, and handling missing resources.

• Improvements

  • Controller now watches Network and Infrastructure and more predictably handles cluster-scoped events to keep proxy status in sync.

• Chores

  • Test harness and fake client extended to include proxy status subresource for more realistic test scenarios.

[openshift-ci-robot]

@jluhrsen: This pull request references Jira Issue OCPBUGS-81741, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The proxyconfig controller reads Network.Status.ClusterNetwork and Infrastructure.Status to compute Proxy.Status.NoProxy, but only watched Proxy and ConfigMaps. Network or Infrastructure changes would not trigger reconciliation, leaving proxy status stale.

Add watches for Network and Infrastructure resources to ensure reconciliation occurs when these resources change.

Also add Proxy status subresource support to fake client and unit tests covering reconciliation logic.

Co-authored-by: Claude Code <noreply@anthropic.com)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 063413ae-9533-4cae-bf09-a80c87b6c7d0

📥 Commits

Reviewing files that changed from the base of the PR and between fc3adac and 9818f9c.

📒 Files selected for processing (3)

• pkg/client/fake/fake_client.go
• pkg/controller/proxyconfig/controller.go
• pkg/controller/proxyconfig/controller_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/controller/proxyconfig/controller.go
• pkg/controller/proxyconfig/controller_test.go

---

Walkthrough

Adds Proxy to the fake client's status subresources, registers watches for configv1.Network and configv1.Infrastructure in the proxy controller, adjusts reconcile dispatch/logging for cluster-scoped requests, and adds tests verifying Proxy.Status.NoProxy updates and error handling.

Changes

Proxy status and watches

Layer / File(s)	Summary
Fake client: include Proxy in status subresources pkg/client/fake/fake_client.go	NewFakeClient constructs a configv1.Proxy and passes it to the fake client builder's WithStatusSubresource, enabling Proxy status handling in tests.
Controller: watch Network and Infrastructure; reconcile dispatch pkg/controller/proxyconfig/controller.go	add(mgr, r) registers watches for configv1.Network and configv1.Infrastructure; reconcile entry logic treats cluster-scoped requests via empty request.Namespace, ignores unrelated cluster-scoped objects, and uses names.PROXY_CONFIG for proxy logs.
Tests: init and reconciliation scenarios pkg/controller/proxyconfig/controller_test.go	Adds test scaffolding that registers configv1 types and tests ensuring ReconcileProxyConfig.Reconcile updates Proxy.Status.NoProxy for Network CIDR changes and Infrastructure APIServerInternalURL hostname changes; also covers empty Proxy spec and missing-resource error cases.

Sequence Diagram(s)

sequenceDiagram
  participant Network as Network (configv1)
  participant Infrastructure as Infrastructure (configv1)
  participant Controller as Controller
  participant Reconciler as Reconciler
  participant Proxy as Proxy (configv1)

  Note over Network,Infrastructure: Resource change events
  Network->>Controller: change event (ClusterNetwork)
  Infrastructure->>Controller: change event (APIServerInternalURL)

  Controller->>Reconciler: Enqueue reconcile request
  Reconciler->>Network: Read ClusterNetwork CIDRs
  Reconciler->>Infrastructure: Read APIServerInternalURL
  Reconciler->>Proxy: Update Status.NoProxy (CIDRs + hostname)
  Proxy->>Reconciler: Status updated

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Tests use standard Go testing, not Ginkgo. All 13 context operations use context.TODO() without timeouts despite performing cluster I/O operations (Get/Update/Reconcile).	Replace context.TODO() with context.WithTimeout() on all cluster I/O operations to add appropriate timeouts as required by the check.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding watches for Network and Infrastructure resources in the proxyconfig controller.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds only standard Go tests (func Test*), no Ginkgo-style test names (It(), Describe(), etc.) present. Custom check targets Ginkgo tests only; not applicable to this PR.
Microshift Test Compatibility	✅ Passed	The new tests are standard Go unit tests using testing.T, not Ginkgo e2e tests. The check applies specifically to Ginkgo e2e tests with It(), Describe(), etc., which are not present here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only unit tests (using testing.T), not Ginkgo e2e tests. SNO compatibility check only applies to new Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no scheduling constraints. Changes limited to controller wiring and test infrastructure only. No deployment manifests, pod specs, or topology constraints modified.
Ote Binary Stdout Contract	✅ Passed	All logging in modified files uses Go's log package and klog, which default to stderr. Test file is standard Go testing (testing.T), not OTE/Ginkgo. No stdout writes found in process-level code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The new test file (controller_test.go) uses standard Go testing, not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests (with It(), Describe(), etc.), so it is not applicable here.
No-Weak-Crypto	✅ Passed	No weak cryptography, custom crypto implementations, or unsafe secret comparisons detected. Changes involve only proxy controller logic, watches, and tests with no cryptographic code.
Container-Privileges	✅ Passed	PR modifies only Go source files (.go), not container/K8s manifests (YAML/JSON). Check is not applicable to this codebase change.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposed in logs. HTTPProxy/HTTPSProxy values (may contain auth) are never logged. Only safe metadata (object Name, Namespace) and error messages are logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/Masterminds/semver@v1.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Masterminds/sprig/v3@v3.2.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/containernetworking/cni@v0.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ghodss/yaml@v1.0.1-0.20190212211648-25d852aebe32: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/go-bindata/go-bindata@v3.1.2+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/onsi/gomega@v1.39.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ope

... [truncated 17357 characters] ...

red in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/gengo/v2@v2.0.0-20251215205346-5ee0d033ba5b: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kms@v0.35.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kube-aggregator@v0.35.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/structured-merge-diff/v6@v6.3.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jluhrsen
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

pkg/controller/proxyconfig/controller_test.go (1)

220-228: Also assert that the old API hostname is removed.

Right now this test only proves the new hostname was added. It would still pass if reconciliation appended the new host without dropping the stale one.

Suggested assertion

 	if !strings.Contains(proxy.Status.NoProxy, updatedAPIServer) {
 		t.Errorf("Expected proxy.Status.NoProxy to contain updated API server %s, got: %s",
 			updatedAPIServer, proxy.Status.NoProxy)
 	}
+	if strings.Contains(proxy.Status.NoProxy, initialAPIServer) {
+		t.Errorf("proxy.Status.NoProxy still contains old API server %s, got: %s",
+			initialAPIServer, proxy.Status.NoProxy)
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/proxyconfig/controller_test.go` around lines 220 - 228, The
test currently only asserts that proxy.Status.NoProxy contains updatedAPIServer;
also assert that the previous API hostname is removed by checking that
strings.Contains(proxy.Status.NoProxy, oldAPIServer) is false (use whatever
variable name holds the pre-update hostname in this test), i.e., add an
assertion after fetching proxy that proxy.Status.NoProxy does NOT contain the
old API hostname to ensure reconciliation replaced rather than appended the
host.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/controller/proxyconfig/controller_test.go`:
- Around line 220-228: The test currently only asserts that proxy.Status.NoProxy
contains updatedAPIServer; also assert that the previous API hostname is removed
by checking that strings.Contains(proxy.Status.NoProxy, oldAPIServer) is false
(use whatever variable name holds the pre-update hostname in this test), i.e.,
add an assertion after fetching proxy that proxy.Status.NoProxy does NOT contain
the old API hostname to ensure reconciliation replaced rather than appended the
host.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 41e9f990-8f6b-40f0-b896-52eb993948a5

📥 Commits

Reviewing files that changed from the base of the PR and between bdbba59 and 16d068b.

📒 Files selected for processing (3)

• pkg/client/fake/fake_client.go
• pkg/controller/proxyconfig/controller.go
• pkg/controller/proxyconfig/controller_test.go

[jluhrsen]

/retest

[jluhrsen]

/jira refresh

[openshift-ci-robot]

@jluhrsen: This pull request references Jira Issue OCPBUGS-81741, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jluhrsen]

@danwinship @tssurya @kyrtapz @pliurh looking for someone to check on this. it's been sitting idle on my open bug list for a while now. haven't really followed up to find a reviewer yet.

I've verified the fix manually and passed this through coderabbit review (locally). should be good for a human to look now.

[jluhrsen]

/retest

[jluhrsen]

/retest

[jluhrsen]

/test 4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade

[danwinship]

(oops, I reviewed this the other day but I guess I forgot to hit "submit")

[danwinship]

This should require a change to Reconcile() too shouldn't it? (It checks what kind of object it's reconciling.)

Assuming that's correct, that means this patch doesn't actually work at all, which makes me feel like it probably ought to have had a corresponding e2e test?

[jluhrsen]

Thanks @danwinship . I tested this fix with a live cluster so I am pretty confident in the change, but obviously don't know this code base like you do.

But, I think it works because Reconcile() is interested in the "Name" which I guess always will be "cluster" for these.

I think an e2e might be complicated, but if you need one figured out to validate this even further, I try to figure it out.

[danwinship]

huh... you should fix Reconcile so that the switch does something that actually looks like it should work, rather than than something that just coincidentally happens to work. Possibly just split out the "configmap" and "not a configmap" cases.

[jluhrsen]

ok, I think I see what you mean. I gave it another try to hopefully make it a little more clear

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/proxyconfig/controller.go`:
- Line 117: The log call using log.Println in the proxyconfig controller (the
line that currently reads "Ignoring unknown cluster-scoped object,
reconciliation will be skipped", "request", request) should be changed to use
log.Printf with a format specifier so the request is rendered correctly; update
the logging in the reconcile/controller function where that log.Println appears
(reference the log.Println call) to something like log.Printf("Ignoring unknown
cluster-scoped object, reconciliation will be skipped: request=%v", request) so
the request value is formatted into the message.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f179ee0c-097c-4ca1-b085-57f324f1b0c9

📥 Commits

Reviewing files that changed from the base of the PR and between 74e43ba and 67eeb38.

📒 Files selected for processing (3)

• pkg/client/fake/fake_client.go
• pkg/controller/proxyconfig/controller.go
• pkg/controller/proxyconfig/controller_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/client/fake/fake_client.go
• pkg/controller/proxyconfig/controller_test.go

[jluhrsen]

/retest

[openshift-ci]

@jluhrsen: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade	74e43ba	link	false	/test 4.22-upgrade-from-stable-4.21-e2e-azure-ovn-upgrade
ci/prow/security	9818f9c	link	false	/test security
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw	9818f9c	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.