OCPBUGS-77268: reconcile HCP when pull secret is unavailable

[rafael-azevedo]

What this PR does / why we need it:

When the pull secret is missing or invalid, the HostedCluster reconciler exits before reaching reconcileHostedControlPlane. This prevents RequestServingNodeAdditionalSelector and other spec fields from being propagated to the HCP, breaking HA scheduling for request-serving nodes.

Log the error and call reconcileHostedControlPlane before returning so pod placement decisions continue during a pull secret outage. The error is still returned to trigger a requeue for full reconciliation once the pull secret is restored.

JIRA: OCPBUGS-77268

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-77268

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Bug Fixes

  • When a pull secret fetch fails, reconciliation now logs the error and triggers a recovery reconcile of the control plane so pod placement decisions (nodeSelector, autoscaling, node-termination handler) and certificate-related metadata are still processed.

• Tests

  • Added unit and parallel e2e tests simulating pull-secret unavailability to verify propagation of nodeSelector, annotations and release image to the control plane and recovery after restoration.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

When pull-secret fetching fails during HostedCluster reconciliation, the controller logs the failure and attempts a recovery reconcile of the HostedControlPlane. The recovery recomputes annotation-driven state (autoscaling, AWS node-termination handler, and KAS serving-cert hashes) while disabling stale-certificate checks, then performs a createOrUpdate of the HostedControlPlane with those annotations. If annotation computation fails, that error is returned; if the HostedControlPlane reconcile fails it is logged but the original pull-secret error is still returned. New unit and e2e tests cover missing or corrupted pull-secret scenarios.

Sequence Diagram(s)

sequenceDiagram
    participant Reconciler
    participant API_Server as "API Server (Secrets/CRs)"
    participant AnnotationLogic as "Annotation Computation"
    participant HostedControlPlane as "HostedControlPlane (createOrUpdate)"

    Reconciler->>API_Server: Get pull secret
    API_Server-->>Reconciler: error (pull secret missing/corrupt)
    Reconciler-->>Reconciler: log "failed to get pull secret"
    Reconciler->>AnnotationLogic: compute autoscaling/node-termination/cert-hash annotations (disable stale cert check)
    AnnotationLogic-->>Reconciler: annotations or error
    alt annotations computed
        Reconciler->>HostedControlPlane: reconcile HostedControlPlane with annotations
        HostedControlPlane-->>Reconciler: success or error (logged)
        Reconciler-->>Reconciler: return original pull-secret error
    else annotation computation failed
        AnnotationLogic-->>Reconciler: error
        Reconciler-->>Reconciler: return annotation error
    end

Loading

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (3 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	E2E test uses maps.Clone to backup entire NodeSelector and Annotations maps, then unconditionally restores them, violating test isolation principles and risking flakiness if other reconcilers update unrelated keys.	Refactor to capture and restore only test-owned keys ('ocpbugs-77268-test' and RequestServingNodeAdditionalSelectorAnnotation) rather than entire map snapshots to maintain test isolation.
Microshift Test Compatibility	⚠️ Warning	The new TestPullSecretUnavailable test uses HyperShift-specific CRDs (HostedCluster, HostedControlPlane) not available on MicroShift without protective skip mechanisms.	Add [Skipped:MicroShift] label or use exutil.IsMicroShiftCluster() with g.Skip() to prevent test execution on MicroShift.
Ote Binary Stdout Contract	❓ Inconclusive	Unable to definitively locate and examine the specific code changes in hostedcluster_controller.go, hostedcluster_controller_test.go, and chaos_test.go to verify stdout contract compliance.	Access the specific modified code sections to verify that logging uses proper infrastructure (klog/logr) and that suite-level Ginkgo setup code does not emit warnings to stdout.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Both test names added in this PR are static, descriptive, and follow Go testing conventions without dynamic information.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The TestPullSecretUnavailable e2e test validates reconciliation behavior and field propagation at the Kubernetes API level without requiring multiple nodes or pod scheduling across distinct workers.
Topology-Aware Scheduling Compatibility	✅ Passed	PR does not introduce scheduling constraints assuming standard HA topology; enables existing nodeSelector propagation across all topologies.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The TestPullSecretUnavailable test contains no IPv4 assumptions or external connectivity requirements. It operates entirely within the cluster using Kubernetes API operations.
Title check	✅ Passed	The title clearly and specifically describes the main change: reconciling HostedControlPlane when pull secret is unavailable, which aligns perfectly with the core logic changes across all three modified files.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 86.95652% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.43%. Comparing base (36dfb1b) to head (f1af3b1).

Files with missing lines	Patch %	Lines
...trollers/hostedcluster/hostedcluster_controller.go	86.95%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8352      +/-   ##
==========================================
+ Coverage   40.40%   40.43%   +0.02%     
==========================================
  Files         755      755              
  Lines       93235    93256      +21     
==========================================
+ Hits        37675    37708      +33     
+ Misses      52858    52850       -8     
+ Partials     2702     2698       -4     

Files with missing lines	Coverage Δ
...trollers/hostedcluster/hostedcluster_controller.go	44.28% <86.95%> (+0.59%)	⬆️

Flag	Coverage Δ
cmd-support	34.44% <ø> (ø)
cpo-hostedcontrolplane	41.76% <ø> (ø)
cpo-other	40.31% <ø> (ø)
hypershift-operator	50.82% <86.95%> (+0.09%)	⬆️
other	31.54% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go (1)

668-693: Reduce duplication and avoid shadowing the outer hcp.

The new fallback block largely repeats the HCP-reconcile logic at lines 1825–1844 (autoscaler check, NTH check, createOrUpdate + reconcileHostedControlPlane with the same cert-renewal closure). It also redeclares hcp with := (line 672), shadowing the outer hcp from line 385; the main path at line 1833 uses = to reassign. Consider extracting a small helper (e.g., r.reconcileHostedControlPlaneObject(ctx, log, hcluster, controlPlaneNamespace, defaultToControlPlaneV2)) and calling it from both sites — this would also make it easier to keep the V2 flag and error-aggregation behavior consistent across paths.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`
around lines 668 - 693, The fallback error path duplicates the HCP-reconcile
logic and shadows the outer hcp; extract a helper method on the reconciler
(e.g., r.reconcileHostedControlPlaneObject(ctx, log, hcluster,
controlPlaneNamespace, defaultToControlPlaneV2)) that performs the autoscaler
and NTH checks (isAutoscalingNeeded, isAWSNodeTerminationHandlerNeeded), calls
createOrUpdate and reconcileHostedControlPlane with the same cert-renewal
closure (shouldCheckForStaleCerts, kasServingCertHashFromSecret,
kasServingCertHashFromEndpoint, kasHostAndPortFromHCP), and returns any errors;
replace the duplicated block with a call to that helper and ensure you assign to
the existing hcp variable (use = not :=) so you don’t shadow the outer variable
and so V2 flag and error aggregation remain consistent across both code paths.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`:
- Around line 342-343: The test currently only asserts the presence of the
annotation on updatedHCP using
HaveKey(hyperv1.RequestServingNodeAdditionalSelectorAnnotation); update the
assertion to verify the annotation value as well (e.g., use Gomega's
HaveKeyWithValue or compare
updatedHCP.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation]
to the expected selector string/variable). Locate the assertion around
updatedHCP and replace the HaveKey check with a value equality check referencing
hyperv1.RequestServingNodeAdditionalSelectorAnnotation and the expected selector
used earlier in the test.

In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`:
- Around line 689-692: When hcpErr is non-nil the code currently returns the
wrapped HCP error and drops the original pull-secret error (err); change this so
the controller still returns the original err for requeue while preserving or
surfacing hcpErr: log hcpErr (or aggregate it into the returned error while
keeping err as the primary error) instead of returning only hcpErr. Locate the
block using variables hcpErr and err (in the hostedcluster reconcile flow) and
replace the return so you either call the controller logger to record hcpErr or
return a combined error that wraps hcpErr but keeps err as the returned value
(e.g., log hcpErr then return err).
- Line 685: The call currently uses a hardcoded false
(shouldCheckForStaleCerts(hcluster, false)) which forces stale-cert checks on V2
clusters during a pull-secret error path; instead, on this error path skip the
stale-cert check entirely: detect the pull-secret-unavailable condition where
this line runs and do not call shouldCheckForStaleCerts or the subsequent
kasServingCertHashFromSecret/kasServingCertHashFromEndpoint work; otherwise,
when the pull secret is available, obtain the correct defaultToControlPlaneV2
value (derive it the same way the main reconcile does from the CPO image labels
or HCP annotations) and pass that into shouldCheckForStaleCerts so behavior
matches normal reconciliation.

In `@test/e2e/chaos_test.go`:
- Around line 500-504: Replace the weak corruption payload which may be treated
as a benign auth config by assigning a structurally-invalid but still
syntactically valid docker config JSON to pullSecret.Data[".dockerconfigjson"];
specifically, change the value written before calling mgtClient.Update so the
JSON uses incorrect structure/types for a docker config (for example an "auths"
field with the wrong value type) to reliably trigger the pull-secret failure
path in the chaos_test where pullSecret is updated via mgtClient.Update.
- Around line 509-526: The current assertion only checks ReleaseImage and can
pass without reconcileHostedControlPlane running; after corrupting the pull
secret, mutate a field on the source HostedCluster that is known to be
propagated to the HostedControlPlane (e.g. update
hostedCluster.Spec.<propagatedField>), then use the existing
e2eutil.EventuallyObject / predicate flow that reads the HostedControlPlane (h
:= &hyperv1.HostedControlPlane{} via mgtClient.Get) to assert that
h.Spec.<propagatedField> equals the new value, ensuring
reconcileHostedControlPlane actually applied the update.

---

Nitpick comments:
In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`:
- Around line 668-693: The fallback error path duplicates the HCP-reconcile
logic and shadows the outer hcp; extract a helper method on the reconciler
(e.g., r.reconcileHostedControlPlaneObject(ctx, log, hcluster,
controlPlaneNamespace, defaultToControlPlaneV2)) that performs the autoscaler
and NTH checks (isAutoscalingNeeded, isAWSNodeTerminationHandlerNeeded), calls
createOrUpdate and reconcileHostedControlPlane with the same cert-renewal
closure (shouldCheckForStaleCerts, kasServingCertHashFromSecret,
kasServingCertHashFromEndpoint, kasHostAndPortFromHCP), and returns any errors;
replace the duplicated block with a call to that helper and ensure you assign to
the existing hcp variable (use = not :=) so you don’t shadow the outer variable
and so V2 flag and error aggregation remain consistent across both code paths.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c1d7ffc1-6089-4045-b310-bed495c8ac4a

📥 Commits

Reviewing files that changed from the base of the PR and between e7e828e and f5ff5b8.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

[rafael-azevedo]

/test e2e-aws

[coderabbitai]

🧹 Nitpick comments (2)

hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go (2)

309-310: Nit: defer mockCtrl.Finish() is redundant.

gomock.NewController(t) registers a t.Cleanup for Finish() since gomock v1.5.0, so the explicit defer is dead code. Other tests in this file have already dropped it (e.g. TestHasBeenAvailable at Line 110, TestValidateReleaseImage at Line 2355). Drop for consistency.

 	mockCtrl := gomock.NewController(t)
-	defer mockCtrl.Finish()
 	mockedProvider := releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides(mockCtrl)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`
around lines 309 - 310, Remove the redundant explicit defer call to
mockCtrl.Finish() after creating the gomock controller with mockCtrl :=
gomock.NewController(t); NewController already registers t.Cleanup to call
Finish(), so delete the line "defer mockCtrl.Finish()" in the test (the mockCtrl
variable and its NewController(t) call should remain).

---

309-311: Mock provider has no expectations — fine today, but brittle.

mockedProvider is constructed without any EXPECT().Lookup(...).AnyTimes() (unlike every other test in this file). This works only as long as the missing-pull-secret path errors out before any call into the release provider. If a future change reorders validation or release-image lookup ahead of GetPullSecretBytes, this test will start panicking with a gomock "unexpected call" rather than failing meaningfully.

Adding a permissive default would make the test resilient:

Suggested hardening

 	mockedProvider := releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides(mockCtrl)
+	mockedProvider.EXPECT().
+		Lookup(gomock.Any(), gomock.Any(), gomock.Any()).
+		Return(testutils.InitReleaseImageOrDie("4.15.0"), nil).AnyTimes()
+	mockedProvider.EXPECT().GetRegistryOverrides().Return(nil).AnyTimes()
+	mockedProvider.EXPECT().GetOpenShiftImageRegistryOverrides().Return(nil).AnyTimes()
+	mockedProvider.EXPECT().GetMirroredReleaseImage().Return("").AnyTimes()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`
around lines 309 - 311, The test constructs mockedProvider via
releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides but sets no
default expectations, which makes the test brittle; add a permissive default
expectation on mockedProvider.Lookup (or the Lookup method used by release
provider) using mockedProvider.EXPECT().Lookup(gomock.Any(),
gomock.Any()).AnyTimes().Return(<sensible default return values>, nil) so any
unexpected lookup calls won't cause gomock panics; place this right after the
mockedProvider creation near the mockCtrl setup and ensure the returned values
match the signature expected by code paths (so GetPullSecretBytes and other
validation can run without triggering unexpected-call errors).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`:
- Around line 309-310: Remove the redundant explicit defer call to
mockCtrl.Finish() after creating the gomock controller with mockCtrl :=
gomock.NewController(t); NewController already registers t.Cleanup to call
Finish(), so delete the line "defer mockCtrl.Finish()" in the test (the mockCtrl
variable and its NewController(t) call should remain).
- Around line 309-311: The test constructs mockedProvider via
releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides but sets no
default expectations, which makes the test brittle; add a permissive default
expectation on mockedProvider.Lookup (or the Lookup method used by release
provider) using mockedProvider.EXPECT().Lookup(gomock.Any(),
gomock.Any()).AnyTimes().Return(<sensible default return values>, nil) so any
unexpected lookup calls won't cause gomock panics; place this right after the
mockedProvider creation near the mockCtrl setup and ensure the returned values
match the signature expected by code paths (so GetPullSecretBytes and other
validation can run without triggering unexpected-call errors).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d47c7540-abd2-44c5-ac0a-8d68c70d3c46

📥 Commits

Reviewing files that changed from the base of the PR and between f5ff5b8 and adcbbe4.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• test/e2e/chaos_test.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

[rafael-azevedo]

/test e2e-aws

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2048885532125040640 | Cost: $3.868621550000001 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-04-29T13:02:50Z
• View Job
• View Job History

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go (1)

681-687: ⚠️ Potential issue | 🟠 Major

Skip stale-cert checks on the pull-secret fallback path.

Line 685 still hardcodes false into shouldCheckForStaleCerts, so this recovery path can run cert-hash logic for already-available clusters during a pull-secret outage. That makes the fallback reconcile depend on unrelated secret/endpoint checks and can even stamp a restart annotation, which defeats the goal of “best-effort HCP propagation while the pull secret is broken.”

🛠️ Suggested change

 		_, hcpErr := createOrUpdate(ctx, r.Client, hcp, func() error {
-			return reconcileHostedControlPlane(hcp, hcluster, isAutoscalingNeeded, isAWSNodeTerminationHandlerNeeded,
-				annotationsForCertRenewal(log,
-					hcp,
-					shouldCheckForStaleCerts(hcluster, false),
-					r.kasServingCertHashFromSecret(ctx, hcp),
-					r.kasServingCertHashFromEndpoint(kasHostAndPortFromHCP(hcp))))
+			return reconcileHostedControlPlane(
+				hcp,
+				hcluster,
+				isAutoscalingNeeded,
+				isAWSNodeTerminationHandlerNeeded,
+				func() (map[string]string, error) { return nil, nil },
+			)
 		})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`
around lines 681 - 687, The pull-secret fallback path is still calling
shouldCheckForStaleCerts with a hardcoded false which causes cert-hash logic to
run; update the call inside the createOrUpdate reconcile for the
HostedControlPlane (the reconcileHostedControlPlane(...) invocation that builds
annotationsForCertRenewal) to pass the flag that skips stale-cert checks (call
shouldCheckForStaleCerts(hcluster, true) instead of false) so the fallback path
does not perform kasServingCertHashFromSecret/kasServingCertHashFromEndpoint
checks or stamp restart annotations.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/chaos_test.go`:
- Around line 462-528: The test only mutates and asserts Spec.NodeSelector but
the regression covers the request-serving selector annotation; update the test
to also mutate hostedCluster.ObjectMeta.Annotations (set the
RequestServingNodeAdditionalSelector annotation key to a test value) right after
changing Spec.NodeSelector, then add an EventuallyObject check (similar to the
HCP NodeSelector check) that fetches the HostedControlPlane and verifies the
propagated RequestServingNodeAdditionalSelector (or the HCP field that holds
that selector) contains the test value; modify the predicate used in
e2eutil.EventuallyObject (or add a new call) to look for the annotation/field on
the HostedControlPlane and fail the test until propagation is observed.
- Around line 479-545: After capturing the original pull secret data (variable
pullSecret and originalData) and before mutating anything, register a t.Cleanup
closure that restores pullSecret.Data[".dockerconfigjson"] using originalData
and reverts the hostedCluster.Spec.NodeSelector change (capture a copy of the
original nodeSelector map or its value for key "ocpbugs-77268-test"), and have
the closure call mgtClient.Get/Update to restore both the secret and the
hostedCluster NodeSelector; this ensures rollback runs on any test failure—refer
to pullSecret, originalData, hostedCluster.Spec.NodeSelector, and the
NodeSelector key "ocpbugs-77268-test" to locate where to add the t.Cleanup.

---

Duplicate comments:
In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`:
- Around line 681-687: The pull-secret fallback path is still calling
shouldCheckForStaleCerts with a hardcoded false which causes cert-hash logic to
run; update the call inside the createOrUpdate reconcile for the
HostedControlPlane (the reconcileHostedControlPlane(...) invocation that builds
annotationsForCertRenewal) to pass the flag that skips stale-cert checks (call
shouldCheckForStaleCerts(hcluster, true) instead of false) so the fallback path
does not perform kasServingCertHashFromSecret/kasServingCertHashFromEndpoint
checks or stamp restart annotations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e11a95e2-637a-4ed4-89d6-541e854c5b50

📥 Commits

Reviewing files that changed from the base of the PR and between adcbbe4 and 831514a.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

[coderabbitai]

♻️ Duplicate comments (2)

test/e2e/chaos_test.go (2)

462-465: ⚠️ Potential issue | 🟡 Minor

Comment says annotation is validated, but the test never asserts it.

Lines 462-465 state this covers RequestServingNodeAdditionalSelector, but the body only mutates/asserts Spec.NodeSelector. This can stay green while annotation propagation regresses.

Proposed test hardening

 		if hostedCluster.Spec.NodeSelector == nil {
 			hostedCluster.Spec.NodeSelector = map[string]string{}
 		}
+		if hostedCluster.Annotations == nil {
+			hostedCluster.Annotations = map[string]string{}
+		}
 		hostedCluster.Spec.NodeSelector["ocpbugs-77268-test"] = "true"
+		hostedCluster.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation] = `{"topology.kubernetes.io/zone":"us-east-1a"}`
 		err = mgtClient.Update(ctx, hostedCluster)
 		g.Expect(err).NotTo(HaveOccurred(), "failed to update hostedcluster NodeSelector")
@@
 				func(h *hyperv1.HostedControlPlane) (done bool, reasons string, err error) {
 					val, ok := h.Spec.NodeSelector["ocpbugs-77268-test"]
 					if !ok || val != "true" {
 						return false, "NodeSelector not yet propagated to HCP", nil
 					}
+					if h.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation] != hostedCluster.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation] {
+						return false, "RequestServingNodeAdditionalSelector not yet propagated to HCP", nil
+					}
 					return true, "NodeSelector propagated to HCP", nil
 				},

Also applies to: 495-528

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/chaos_test.go` around lines 462 - 465, The test
TestPullSecretUnavailable mentions RequestServingNodeAdditionalSelector but
never mutates or asserts it—update the test to mutate the HostedCluster's
RequestServingNodeAdditionalSelector (in addition to Spec.NodeSelector) and then
assert that the HostedControlPlane receives the expected annotation/selector
value; ensure you change the same pattern in the other similar block (the
duplicated assertion block) so both Spec.NodeSelector and
RequestServingNodeAdditionalSelector are modified and verified for propagation
to the HostedControlPlane.

---

479-545: ⚠️ Potential issue | 🟠 Major

Register rollback with t.Cleanup before mutating resources.

If any assertion fails before Line 530, cleanup won’t run and the test can leave the pull secret corrupted.

Suggested fix

 		originalData := pullSecret.Data[".dockerconfigjson"]
 		g.Expect(originalData).NotTo(BeEmpty(), "pull secret should have .dockerconfigjson data")
+		originalNodeSelector := map[string]string{}
+		for k, v := range hostedCluster.Spec.NodeSelector {
+			originalNodeSelector[k] = v
+		}
+
+		t.Cleanup(func() {
+			latestSecret := &corev1.Secret{}
+			if err := mgtClient.Get(ctx, crclient.ObjectKey{
+				Namespace: hostedCluster.Namespace,
+				Name:      hostedCluster.Spec.PullSecret.Name,
+			}, latestSecret); err == nil {
+				latestSecret.Data[".dockerconfigjson"] = originalData
+				_ = mgtClient.Update(ctx, latestSecret)
+			}
+
+			latestHC := &hyperv1.HostedCluster{}
+			if err := mgtClient.Get(ctx, crclient.ObjectKeyFromObject(hostedCluster), latestHC); err == nil {
+				latestHC.Spec.NodeSelector = originalNodeSelector
+				_ = mgtClient.Update(ctx, latestHC)
+			}
+		})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/chaos_test.go` around lines 479 - 545, Register a rollback with
t.Cleanup before you corrupt the pull secret so restoration always runs: capture
originalData and the hostedCluster reference, then call t.Cleanup(func(){ fetch
the latest pullSecret and hostedCluster via mgtClient using ctx, restore
pullSecret.Data[".dockerconfigjson"]=originalData and update it, remove the test
key from hostedCluster.Spec.NodeSelector and update it; log or ignore errors
inside cleanup to avoid masking test failures }). Do this immediately after
reading originalData and before mutating pullSecret or hostedCluster
(references: pullSecret, originalData, hostedCluster, mgtClient, ctx,
hostedCluster.Spec.NodeSelector, t.Cleanup).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test/e2e/chaos_test.go`:
- Around line 462-465: The test TestPullSecretUnavailable mentions
RequestServingNodeAdditionalSelector but never mutates or asserts it—update the
test to mutate the HostedCluster's RequestServingNodeAdditionalSelector (in
addition to Spec.NodeSelector) and then assert that the HostedControlPlane
receives the expected annotation/selector value; ensure you change the same
pattern in the other similar block (the duplicated assertion block) so both
Spec.NodeSelector and RequestServingNodeAdditionalSelector are modified and
verified for propagation to the HostedControlPlane.
- Around line 479-545: Register a rollback with t.Cleanup before you corrupt the
pull secret so restoration always runs: capture originalData and the
hostedCluster reference, then call t.Cleanup(func(){ fetch the latest pullSecret
and hostedCluster via mgtClient using ctx, restore
pullSecret.Data[".dockerconfigjson"]=originalData and update it, remove the test
key from hostedCluster.Spec.NodeSelector and update it; log or ignore errors
inside cleanup to avoid masking test failures }). Do this immediately after
reading originalData and before mutating pullSecret or hostedCluster
(references: pullSecret, originalData, hostedCluster, mgtClient, ctx,
hostedCluster.Spec.NodeSelector, t.Cleanup).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fd265325-9904-41af-8a72-f07c0845e64d

📥 Commits

Reviewing files that changed from the base of the PR and between 831514a and 804ff63.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/chaos_test.go`:
- Around line 493-495: The test currently saves and later restores entire maps
via maps.Clone(hostedCluster.Spec.NodeSelector) and
maps.Clone(hostedCluster.Annotations), which can wipe other reconcilers'
updates; change this to capture only the test-owned keys (the node selector key
"ocpbugs-77268-test" in hostedCluster.Spec.NodeSelector and the annotation key
RequestServingNodeAdditionalSelectorAnnotation in hostedCluster.Annotations),
and in both the cleanup block and the explicit recovery path update the cluster
by setting or deleting only those individual keys (restore the saved value if
present, or delete the key if it was absent) instead of replacing the whole map;
locate uses of hostedCluster, maps.Clone, and the cleanup/recovery blocks and
modify them accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 46ca9f78-947c-4c96-a2b7-42876b92bf8d

📥 Commits

Reviewing files that changed from the base of the PR and between 804ff63 and 508ff9e.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

✅ Files skipped from review due to trivial changes (1)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

[rafael-azevedo]

/retest

[rafael-azevedo]

/test e2e-aws

[rafael-azevedo]

/test e2e-aws

[rafael-azevedo]

/retest

[rafael-azevedo]

/test e2e-aws

[rafael-azevedo]

/test e2e-aws

[cblecker]

Review of the test changes — a few suggestions on the e2e cleanup pattern and unit test assertions.

[cblecker]

The t.Cleanup here and the manual restoration at the end of the test body (lines 616-640) both restore the same state. Do we need both? Would it work to consolidate into just t.Cleanup (adding the recovery EventuallyObject wait there too) to avoid doing the restoration twice on the happy path?

[cblecker]

nit: The controller wraps this as "failed to get pull secret: %w". A tighter assertion would avoid false positives if a different code path happens to mention "pull secret" in its error:

Suggested change

	g.Expect(err.Error()).To(ContainSubstring("pull secret"), "When pull secret is missing the error should mention pull secret")
	g.Expect(err.Error()).To(ContainSubstring("failed to get pull secret"), "When pull secret is missing the error should mention pull secret")

[cblecker]

This validates the happy path (no error, no NodePools → autoscaling not needed). But the recovery path also has error-defaulting logic that defaults isAutoscalingNeeded = true and isAWSNodeTerminationHandlerNeeded = true on error. Would it be worth adding a test case that exercises those defaults?

[rafael-azevedo]

/test e2e-aws

[cblecker]

/jira refresh

[openshift-ci-robot]

@cblecker: This pull request references Jira Issue OCPBUGS-77268, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cblecker]

/jira refresh

[openshift-ci-robot]

@cblecker: This pull request references Jira Issue OCPBUGS-77268, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (jiezhao@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cblecker]

/lgtm

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[cblecker]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[rafael-azevedo]

/test e2e-aws
/test e2e-aws-4-22

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2057449891684159488 | Cost: $3.9958917500000006 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[hypershift-jira-solve-ci]

Now I have the complete picture. Let me generate the final report.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aws
• Build ID: 2057449891684159488
• Target: e2e-aws
• PR: OCPBUGS-77268: reconcile HCP when pull secret is unavailable #8352 (OCPBUGS-77268: reconcile HCP when pull secret is unavailable)
• Result: 160 tests, 41 failures, 20 skipped

Test Failure Analysis

Error

EnsureNoCrashingPods: Container manager in pod capi-provider has a restartCount > 0 (6);
Leader election failure detected in multiple control plane components (capi-provider, cluster-api,
cluster-storage-operator, control-plane-operator, hosted-cluster-config-operator, control-plane-pki-operator);
ValidateHostedCluster: Failed to get *v1beta1.HostedCluster: dial tcp 44.199.140.217:6443:
i/o timeout / connection refused / TLS handshake timeout

DONE 160 tests, 20 skipped, 41 failures

Summary

All 41 failures are pre-existing flakes unrelated to PR #8352. The new test added by this PR (TestPullSecretUnavailable) passed successfully. The failures fall into two categories: (1) EnsureNoCrashingPods failures across 11 hosted clusters due to leader election churn and container restarts in control plane components (capi-provider, cluster-api, cluster-storage-operator, control-plane-operator, hosted-cluster-config-operator), and (2) ValidateHostedCluster timeouts in 12 tests caused by management cluster kube-apiserver instability (117 connection errors targeting 44.199.140.217:6443 — the management cluster ELB). These are infrastructure-level issues affecting all hosted clusters simultaneously, not a regression from the PR's code changes.

Root Cause

The failures are caused by management cluster kube-apiserver instability during the test run, which is an infrastructure-level flake unrelated to PR #8352.

Evidence of infrastructure instability:

• 117 connection errors (i/o timeout, connection refused, TLS handshake timeout, connection reset by peer) all targeting the same management cluster endpoint ae3ab96aca33c4105a2861e5f9f8b66a-b1d774b1195e568b.elb.us-east-1.amazonaws.com:6443 (IP 44.199.140.217)
• Connection errors started at approximately 14:09:15Z and affected all running tests simultaneously
• All 13 failing top-level test suites created hosted clusters that worked (clusters were created, kubeconfig was published, guest API connections succeeded) — the failures only occurred during the validation phase

EnsureNoCrashingPods failures (11 test suites):
The control plane pods (capi-provider, cluster-api, cluster-storage-operator, control-plane-operator, etc.) experienced restarts and leader election failures. The capi-provider manager container exited with exitCode: 0 and reason: Completed — it lost its leader lease and shut down gracefully, then restarted. This is leader election churn caused by management cluster API latency, not a crash bug. The EnsureNoCrashingPods check flags any container with restartCount > 0, catching these benign leader election restarts.

ValidateHostedCluster timeouts (12 test suites):
Tests timed out waiting for hosted cluster conditions to become valid because the management cluster API was intermittently unreachable. For example, TestCreateClusterHABreakGlassCredentials failed with controlPlaneVersion state is Partial, expected Completed after a 20-minute timeout, while TestNodePoolAutoscalingScaleFromZero failed with NoWorkerNodesAvailable and ClusterOperatorsNotAvailable because the hosted cluster couldn't fully come up during management API disruption.

PR #8352 is not the cause:

• TestPullSecretUnavailable (the new e2e test added by this PR) passed in 1525.92s
• TestHAEtcdChaos (existing test in the same file chaos_test.go modified by this PR) passed
• The controller changes (hostedcluster_controller.go) only affect behavior when the pull secret is unavailable — all normal reconciliation paths are unchanged
• 11 other test suites passed fully, confirming the code changes don't cause regressions

Recommendations

1. Retest / retry the job: These are infrastructure flakes caused by management cluster API instability. A rerun should pass if the management cluster is stable.

2. No code changes needed in PR OCPBUGS-77268: reconcile HCP when pull secret is unavailable #8352: The PR's changes are correct and the new test validates the fix properly. The 41 failures are all in pre-existing tests unrelated to the pull secret recovery path.

3. Consider tracking the EnsureNoCrashingPods flake: The leader election churn pattern (containers exiting with code 0 due to lease loss, then restarting) is a known source of noise in HyperShift CI. The EnsureNoCrashingPods check could potentially distinguish between crash-loops (exitCode != 0) and graceful leader election restarts (exitCode 0, reason Completed) to reduce false positives.

Evidence

Evidence	Detail
TestPullSecretUnavailable	✅ PASSED (1525.92s) — new test from PR #8352
TestHAEtcdChaos	✅ PASSED — existing test in modified file chaos_test.go
Management API errors	117 connection errors to 44.199.140.217:6443 (i/o timeout, connection refused, TLS handshake, connection reset)
EnsureNoCrashingPods	11 test suites failed; capi-provider manager: restartCount=6, exitCode=0, reason=Completed (leader election churn)
Crash patterns	manager (11 occurrences), hosted-cluster-config-operator (6), aws-ebs-csi-driver-operator (5), control-plane-pki-operator (5), cluster-storage-operator (4)
ValidateHostedCluster timeouts	12 test suites timed out waiting for cluster conditions; all due to management API connectivity
Passed top-level tests	11 test suites passed fully, including TestPullSecretUnavailable, TestHAEtcdChaos, TestExternalOIDC, TestOLM, TestUpgradeHyperShiftOperator
Failed top-level tests	13 test suites had failures, all with EnsureNoCrashingPods and/or management API timeout patterns
PR files changed	hostedcluster_controller.go (pull secret recovery path), hostedcluster_controller_test.go (unit tests), chaos_test.go (e2e test)

---

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@rafael-azevedo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-4-22	cfdbf0f	link	true	/test e2e-aws-4-22
ci/prow/e2e-aws	cfdbf0f	link	true	/test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.