OCPBUGS-77856: fix: use NodePort for HCP router Service on non-cloud platforms

[vsolanki12]

What this PR does / why we need it:

On non-cloud platforms (Agent, KubeVirt, OpenStack, None), the HCP router Service was unconditionally created as LoadBalancer. Since these platforms lack a cloud LB controller, the Service stays pending forever, blocking InfrastructureReady and preventing the hosted control plane from becoming available.

Three code paths are fixed:

• ReconcileRouterService: use NodePort for non-cloud platforms instead of unconditional LoadBalancer
• reconcileRouterServiceStatus: add NodePort guard before calling CollectLBMessageIfNotProvisioned
• kas.ReconcileServiceStatus: add NodePort guard in the Route case

Which issue(s) this PR fixes:

Fixes OCPBUGS-77856

Special notes for your reviewer:

• PowerVS is intentionally left as LoadBalancer since it has cloud LB support via IBM Cloud VPC.
• LoadBalancerSourceRanges on NodePort services is harmless — Kubernetes ignores this field for non-LoadBalancer types.
• The etcd-upload/s3_uploader_mock.go build failure in CI is a pre-existing issue on main, unrelated to this PR.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Bug Fixes

  • Router service now defaults to NodePort on non-cloud platforms and LoadBalancer on cloud platforms, and preserves an explicitly set service type.
  • CIDR source-range restrictions are applied only for external services that resolve to LoadBalancer.
  • Route publishing correctly returns the service ClusterIP/port for NodePort-backed services and empty/zero when unassigned.

• Tests

  • Added tests for platform-dependent NodePort vs LoadBalancer behavior and NodePort route publishing scenarios.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@vsolanki12: This pull request references Jira Issue OCPBUGS-77856, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

On non-cloud platforms (Agent, KubeVirt, OpenStack, None), the HCP router Service was unconditionally created as LoadBalancer. Since these platforms lack a cloud LB controller, the Service stays pending forever, blocking InfrastructureReady and preventing the hosted control plane from becoming available.

Three code paths are fixed:

• ReconcileRouterService: use NodePort for non-cloud platforms instead of unconditional LoadBalancer
• reconcileRouterServiceStatus: add NodePort guard before calling CollectLBMessageIfNotProvisioned
• kas.ReconcileServiceStatus: add NodePort guard in the Route case

Which issue(s) this PR fixes:

Fixes OCPBUGS-77856

Special notes for your reviewer:

• PowerVS is intentionally left as LoadBalancer since it has cloud LB support via IBM Cloud VPC.
• LoadBalancerSourceRanges on NodePort services is harmless — Kubernetes ignores this field for non-LoadBalancer types.
• The etcd-upload/s3_uploader_mock.go build failure in CI is a pre-existing issue on main, unrelated to this PR.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 73a86610-3f0c-44ba-be66-d0f3ebcbd77c

📥 Commits

Reviewing files that changed from the base of the PR and between fb5f71e and d926fc8.

📒 Files selected for processing (6)

• control-plane-operator/controllers/hostedcontrolplane/infra/infra.go
• control-plane-operator/controllers/hostedcontrolplane/infra/infra_test.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router_test.go
• control-plane-operator/controllers/hostedcontrolplane/kas/service.go
• control-plane-operator/controllers/hostedcontrolplane/kas/service_test.go

---

📝 Walkthrough

Walkthrough

ReconcileRouterService now sets svc.Spec.Type based on HostedControlPlane platform: ServiceTypeNodePort for AgentPlatform, KubevirtPlatform, and NonePlatform; ServiceTypeLoadBalancer for other platforms. The LoadBalancerSourceRanges population is only applied when the service is external, not ARO HCP, and svc.Spec.Type == LoadBalancer. reconcileRouterServiceStatus now handles NodePort services by returning svc.Spec.ClusterIP when the first port has an assigned NodePort (empty host if not assigned). ReconcileServiceStatus (Route publishing) returns the Route hostname and port 443 early for NodePort services with an assigned NodePort. Tests were added/updated for these cases.

Sequence Diagram(s)

sequenceDiagram
    participant Reconciler
    participant HCP as "HostedControlPlane"
    participant K8sAPI as "Kubernetes API"
    participant Service as "Service"
    Note over Reconciler,HCP: Platform-aware service type selection
    Reconciler->>HCP: read hcp.Spec.Platform.Type
    alt platform is Agent/Kubevirt/None
        Reconciler->>Service: set spec.type = NodePort
    else other platforms
        Reconciler->>Service: set spec.type = LoadBalancer
    end
    Reconciler->>K8sAPI: apply Service

Loading

sequenceDiagram
    participant Reconciler
    participant K8sAPI as "Kubernetes API"
    participant Service as "Service"
    participant RoutePub as "Route publishing"
    Note over Reconciler,Service: ReconcileServiceStatus (Route publishing case)
    Reconciler->>K8sAPI: get Service
    alt Service.spec.type == NodePort and Service.spec.ports[0].nodePort != 0
        Reconciler->>RoutePub: read strategy.Route.Hostname
        Reconciler->>Reconciler: set port = 443
        Reconciler-->>Caller: return host, port (early)
    else
        Reconciler->>K8sAPI: collect LoadBalancer status/messages
        Reconciler-->>Caller: return LB-derived host/port or empty host
    end

Loading

Possibly related PRs

• openshift/hypershift#8469: Updates e2e AllowedCIDRs test and waiting logic related to LoadBalancerSourceRanges propagation and router/KAS service targeting; closely related to the router service type and CIDR propagation changes.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❌ Error	router_test.go uses fmt.Sprintf to dynamically construct test names with platform variables: "When platform is %s it should use NodePort/LoadBalancer" violates test name stability requirements.	Replace fmt.Sprintf with static test names like "should use NodePoint for non-cloud platforms" and "should use LoadBalancer for cloud platforms".
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: using NodePort for HCP router Service on non-cloud platforms, which directly aligns with the primary objective of the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Test Structure And Quality	✅ Passed	Tests use standard Go testing package, not Ginkgo, making the check inapplicable. Tests follow best practices with table-driven approaches and meaningful assertion messages.
Microshift Test Compatibility	✅ Passed	PR adds only standard Go unit tests (using testing.T), not Ginkgo e2e tests. Custom check applies only to Ginkgo e2e tests with Describe/Context/It patterns.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR adds standard Go unit tests (not Ginkgo e2e tests) to controller test files. These use testing.T and t.Run(), not Ginkgo syntax (It/Describe/Context/When). The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes only modify Kubernetes Service resources (type, ports, annotations). No pod affinity, topology spread constraints, nodeSelectors, or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	Modified files are controller logic and unit tests, not OTE binaries. No process-level stdout writes (fmt.Print, klog, etc.) detected in main/init/suite setup code; no OTE contract violations found.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. PR adds only standard Go unit tests (func TestXxx(t *testing.T) pattern) in control-plane-operator package, not Ginkgo e2e tests that would run in IPv6-only disconnected CI.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@vsolanki12: This pull request references Jira Issue OCPBUGS-77856, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

Details

In response to this:

What this PR does / why we need it:

On non-cloud platforms (Agent, KubeVirt, OpenStack, None), the HCP router Service was unconditionally created as LoadBalancer. Since these platforms lack a cloud LB controller, the Service stays pending forever, blocking InfrastructureReady and preventing the hosted control plane from becoming available.

Three code paths are fixed:

• ReconcileRouterService: use NodePort for non-cloud platforms instead of unconditional LoadBalancer
• reconcileRouterServiceStatus: add NodePort guard before calling CollectLBMessageIfNotProvisioned
• kas.ReconcileServiceStatus: add NodePort guard in the Route case

Which issue(s) this PR fixes:

Fixes OCPBUGS-77856

Special notes for your reviewer:

• PowerVS is intentionally left as LoadBalancer since it has cloud LB support via IBM Cloud VPC.
• LoadBalancerSourceRanges on NodePort services is harmless — Kubernetes ignores this field for non-LoadBalancer types.
• The etcd-upload/s3_uploader_mock.go build failure in CI is a pre-existing issue on main, unrelated to this PR.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Bug Fixes

• Improved router service configuration to use appropriate service types based on hosting platform (NodePort for non-cloud platforms, LoadBalancer for cloud platforms).

• Enhanced NodePort service handling for proper route publishing with correct host and port configuration.

• Tests

• Added test coverage for platform-specific router service type behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.43%. Comparing base (a62eefd) to head (d926fc8).
⚠️ Report is 185 commits behind head on main.

Files with missing lines	Patch %	Lines
...ator/controllers/hostedcontrolplane/kas/service.go	45.45%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8439      +/-   ##
==========================================
+ Coverage   37.44%   40.43%   +2.98%     
==========================================
  Files         751      755       +4     
  Lines       91969    93254    +1285     
==========================================
+ Hits        34435    37703    +3268     
+ Misses      54894    52849    -2045     
- Partials     2640     2702      +62     

Files with missing lines	Coverage Δ
...ator/controllers/hostedcontrolplane/infra/infra.go	50.98% <100.00%> (+0.44%)	⬆️
...r/controllers/hostedcontrolplane/ingress/router.go	60.00% <100.00%> (+6.31%)	⬆️
...ator/controllers/hostedcontrolplane/kas/service.go	42.26% <45.45%> (+1.33%)	⬆️

... and 71 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	34.44% <ø> (+1.80%)	⬆️
cpo-hostedcontrolplane	41.86% <75.00%> (+5.38%)	⬆️
cpo-other	40.31% <ø> (+2.58%)	⬆️
hypershift-operator	50.72% <ø> (+2.79%)	⬆️
other	31.58% <ø> (+3.80%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/kas/service.go`:
- Around line 170-173: The NodePort branch dereferences strategy.Route without
checking for nil, which can panic; update the NodePort handling in service.go so
you first check if strategy.Route is non-nil (and optionally that
strategy.Route.Hostname is non-empty) before reading strategy.Route.Hostname and
assigning host/port—e.g. wrap the host = strategy.Route.Hostname and port = 443
assignments inside an if strategy.Route != nil { ... } block (keeping the
existing svc.Spec.Ports and NodePort checks intact) so no nil dereference
occurs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 34176f5e-a42c-4fab-9813-0c0e14dc16ec

📥 Commits

Reviewing files that changed from the base of the PR and between a62eefd and ccc8bcb.

📒 Files selected for processing (4)

• control-plane-operator/controllers/hostedcontrolplane/infra/infra.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router_test.go
• control-plane-operator/controllers/hostedcontrolplane/kas/service.go

[vsolanki12]

/auto-cc

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

control-plane-operator/controllers/hostedcontrolplane/kas/service.go (1)

169-182: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Add nil guards for strategy.Route on both lines 172 and 180.

Following up on the previous discussion: you're correct that line 180 also dereferences strategy.Route.Hostname without a nil check, which creates the same risk. The pattern in ReconcileKonnectivityServerServiceStatus (line 394) demonstrates that strategy.Route can indeed be nil even when strategy.Type == hyperv1.Route, so relying on an implicit API contract isn't safe.

For consistency and safety, both the new NodePort branch (line 172) and the existing LoadBalancer branch (line 180) should add defensive nil checks, following the established pattern in this file.

🔒 Proposed fix to harden both branches

 	case hyperv1.Route:
 		if svc.Spec.Type == corev1.ServiceTypeNodePort {
 			if len(svc.Spec.Ports) > 0 && svc.Spec.Ports[0].NodePort != 0 {
-				host = strategy.Route.Hostname
-				port = 443
+				if strategy.Route != nil && strategy.Route.Hostname != "" {
+					host = strategy.Route.Hostname
+					port = 443
+				}
 			}
 			return
 		}
 		if message, err := k8sutil.CollectLBMessageIfNotProvisioned(svc, messageCollector); err != nil || message != "" {
 			return host, port, message, err
 		}
-		host = strategy.Route.Hostname
+		if strategy.Route != nil && strategy.Route.Hostname != "" {
+			host = strategy.Route.Hostname
+		}
 		port = 443

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@control-plane-operator/controllers/hostedcontrolplane/kas/service.go` around
lines 169 - 182, In the hyperv1.Route case inside service.go, add defensive nil
checks for strategy.Route before dereferencing strategy.Route.Hostname in both
the NodePort branch and the LoadBalancer branch: in the NodePort branch (where
svc.Spec.Type == corev1.ServiceTypeNodePort) check if strategy.Route == nil and
return early (matching the file's established pattern) instead of using
strategy.Route.Hostname, and do the same before setting host =
strategy.Route.Hostname in the LoadBalancer path (after the
k8sutil.CollectLBMessageIfNotProvisioned call); reference the case hyperv1.Route
block, strategy.Route.Hostname, svc.Spec.Type == corev1.ServiceTypeNodePort, and
k8sutil.CollectLBMessageIfNotProvisioned to locate where to insert the nil
guards.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@control-plane-operator/controllers/hostedcontrolplane/kas/service.go`:
- Around line 169-182: In the hyperv1.Route case inside service.go, add
defensive nil checks for strategy.Route before dereferencing
strategy.Route.Hostname in both the NodePort branch and the LoadBalancer branch:
in the NodePort branch (where svc.Spec.Type == corev1.ServiceTypeNodePort) check
if strategy.Route == nil and return early (matching the file's established
pattern) instead of using strategy.Route.Hostname, and do the same before
setting host = strategy.Route.Hostname in the LoadBalancer path (after the
k8sutil.CollectLBMessageIfNotProvisioned call); reference the case hyperv1.Route
block, strategy.Route.Hostname, svc.Spec.Type == corev1.ServiceTypeNodePort, and
k8sutil.CollectLBMessageIfNotProvisioned to locate where to insert the nil
guards.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c00ce44a-273b-4d01-a53f-6741571f8800

📥 Commits

Reviewing files that changed from the base of the PR and between d8ef2fb and 96922b5.

📒 Files selected for processing (6)

• control-plane-operator/controllers/hostedcontrolplane/infra/infra.go
• control-plane-operator/controllers/hostedcontrolplane/infra/infra_test.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router_test.go
• control-plane-operator/controllers/hostedcontrolplane/kas/service.go
• control-plane-operator/controllers/hostedcontrolplane/kas/service_test.go

🚧 Files skipped from review as they are similar to previous changes (5)

• control-plane-operator/controllers/hostedcontrolplane/ingress/router_test.go
• control-plane-operator/controllers/hostedcontrolplane/kas/service_test.go
• control-plane-operator/controllers/hostedcontrolplane/infra/infra.go
• control-plane-operator/controllers/hostedcontrolplane/infra/infra_test.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router.go

[jparrill]

Please @vsolanki12 do you mind address the reviews from Coderrabit bot?

[jparrill]

Hey, strategy.Route is an optional pointer — if it's ever nil here we'd get a panic. I noticed that ReconcileKonnectivityServerServiceStatus in this same file does check for nil before accessing .Hostname. Might be worth adding the same guard here just to be safe:

if strategy.Route != nil {
    host = strategy.Route.Hostname
    port = 443
}

(line 180 below has the same pre-existing issue, but that's a separate thing)

[vsolanki12]

Thank you, Added the nil check on both line 172 and line 180 as per the suggestion.

[jparrill]

I might be wrong here, but doesn't OpenStack have LB support through Octavia? If there are existing HyperShift-on-OpenStack deployments where the LB actually works today, switching them to NodePort would break things.

Have you checked with the OpenStack folks whether their management clusters typically have a cloud-controller-manager configured? If they do, we might want to leave OpenStack out of this list.

Also, I see the same four-platform grouping in support/netutil/visibility.go:LabelHCPRoutes(). Not necessarily for this PR, but eventually it could be worth extracting a shared helper so the two lists don't drift apart when someone adds a new platform.

• Slack thread

[mandre]

OpenStack indeed supports LB through Octavia, but because OpenStack being OpenStack, you have no guarantee the service is enabled. This shouldn't be a problem for RH OpenStack, where Octavia is generally enabled.
So, perhaps the logic for OpenStack should be updated to dynamically check for an Octavia endoint?

[vsolanki12]

Thank you @jparrill @mandre for highlighting this. Currently, I have removed OpenStack from the NodePort list. it will keep using LoadBalancer as before. Since Octavia availability varies across OpenStack deployments. Might be it need a separate PR since it needs runtime infrastructure checks.

[jparrill]

Small thing — now that some services will be NodePort, LoadBalancerSourceRanges (line 98) gets set on them too. Kubernetes ignores it for non-LB types so it won't break anything, but it's a bit confusing if someone inspects the service. Maybe worth gating this on svc.Spec.Type == corev1.ServiceTypeLoadBalancer?

[vsolanki12]

Thanks for highlighting this, I have made the changes as per suggestion.

[jparrill]

Dropped some comments. Thanks!

[vsolanki12]

/retest

[vsolanki12]

/test e2e-azure-v2-self-managed

[jparrill]

nit: this platform list will need updating if a new non-cloud platform is added. Not blocking, just noting it's not centralized with LabelHCPRoutes() in support/netutil/visibility.go.

[jparrill]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jparrill, vsolanki12

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jparrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vsolanki12]

/test e2e-azure-v2-self-managed

[csrwng]

My main concern with this change is that we will change the Service type for an existing HostedCluster. That could be unexpected on an upgrade. My preference would be to set the service type if creating the service. If an existing service, leave the type alone.

[vsolanki12]

Thank you @csrwng , wrapped the type assignment in a svc.Spec.Type == "" check so it only applies on initial creation. Existing services will keep their current type on upgrade. Added a test to verify an existing LoadBalancer service on a non-cloud platform stays LoadBalancer after reconcile.

[openshift-ci]

@vsolanki12: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

Test Failure Analysis Complete

Job Information

• Prow Job: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main & Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main
• Build ID: hypershift-operator-main-enterprise-contract-6mfv5 / hypershift-operator-enterprise-contract-645br
• PR: #8439 — OCPBUGS-77856: fix: use NodePort for HCP router Service on non-cloud platforms
• Pipeline Namespace: crt-redhat-acm-tenant
• Snapshot: hypershift-operator-20260522-092514-000

Test Failure Analysis

Error

Enterprise Contract verify task FAILURE:
  254 success(es), 24 warning(s), 2 failure(s)

Root failure from build attestation:
  Task: ecosystem-cert-preflight-checks
  Result: {"result":"FAILURE","successes":6,"failures":2,"warnings":0}
  Note: "Task preflight is a FAILURE: Refer to Tekton task logs for more information"

Summary

These two Enterprise Contract (EC) failures are not caused by PR #8439's code changes. They are a pre-existing infrastructure issue caused by a Konflux EC policy enforcement change that occurred between 06:55 and 08:46 UTC on May 22, 2026. Prior to this policy update, the 2 ecosystem-cert-preflight-checks failures were treated as non-blocking warnings (EC conclusion: neutral); after the update, they became blocking failures (EC conclusion: failure). Every PR built after the policy change — including unrelated PRs #8406, #8522, and #8439 — fails identically with 254 successes, 24 warnings, and 2 failures.

Root Cause

The root cause is a Konflux Enterprise Contract policy enforcement change combined with pre-existing container image compliance gaps in the hypershift-operator-main Containerfile.

Policy change timeline:

• At 06:55 UTC, PR GCP-688: Port v1 E2E validations to envtest, unit tests, and v2 Ginkgo specs #8511's EC check completed as neutral (warning only) despite having 2 identical preflight failures
• Between 06:55 and 08:46 UTC, the hypershift-operator-enterprise-contract and hypershift-operator-main-enterprise-contract IntegrationTestScenario policies in the crt-redhat-acm-tenant Konflux namespace were updated to enforce ecosystem-cert-preflight-checks results as blocking
• At 08:46 UTC and after, all PRs began failing with the same 2 EC violations

Pre-existing compliance gaps (confirmed from build attestations):
The ecosystem-cert-preflight-checks task runs Red Hat container certification checks. The Containerfile.operator has 2 likely failures:

1. No USER directive — The Containerfile has no USER statement, so the container runs as root by default, failing the RunAsNonRoot preflight check
2. Missing required label — The Containerfile is missing the vendor label (expected: "Red Hat, Inc.") or the release label (expected: a build release number), which are required for Red Hat container certification

These same 2 preflight failures exist in:

• The main branch push build (d24af10, all 3 architectures)
• PR GCP-688: Port v1 E2E validations to envtest, unit tests, and v2 Ginkgo specs #8511's build (neutral EC conclusion at 06:55 UTC)
• PR OCPBUGS-77856: fix: use NodePort for HCP router Service on non-cloud platforms #8439's build (failure EC conclusion at 09:35 UTC)
• The control-plane-operator-main build (which also has 2 preflight failures but uses a different EC policy that still treats them as non-blocking)

Why the control-plane-operator passes: The control-plane-operator-enterprise-contract IntegrationTestScenario uses a different EC policy configuration that either exempts or downgrades preflight check failures, resulting in 484 successes and 0 failures even though its build attestation shows the identical 2 preflight failures.

Recommendations

1. No action needed on PR OCPBUGS-77856: fix: use NodePort for HCP router Service on non-cloud platforms #8439 — The code changes (NodePort for HCP router Service on non-cloud platforms) are unrelated to the Enterprise Contract failures. All unit tests, lint, verify, and Prow CI checks pass.

2. Short-term: Request EC policy revert or exemption — Contact the Konflux/EC policy team (likely the ACM/MCE pipeline owners in the crt-redhat-acm-tenant namespace) to either:

   • Revert the policy change that promoted preflight failures to blocking
   • Add an exemption for the hypershift-operator-main component until the Containerfile is fixed

3. Medium-term: Fix the Containerfile compliance gaps — Update Containerfile.operator to address the 2 preflight failures:

   • Add USER 65534 (or appropriate non-root UID) after the COPY --from=builder stage
   • Add LABEL vendor="Red Hat, Inc." and LABEL release="1" (or use a build-arg for dynamic release numbering)

4. Verify fix scope — The same fixes should be checked for Containerfile.control-plane which has the same 2 preflight failures (currently not blocking due to different EC policy, but will likely become blocking when policies are aligned)

Evidence

Evidence	Detail
PR #8439 EC conclusion	failure — 254 successes, 24 warnings, 2 failures (completed 09:35 UTC)
PR #8511 EC conclusion	neutral — identical 2 preflight failures (completed 06:55 UTC) → treated as warning
PR #8522 EC conclusion	failure — identical 2 preflight failures (completed 08:46 UTC) → first failure after policy change
PR #8406 EC conclusion	failure — identical 2 preflight failures (completed 09:05 UTC)
Policy change window	Between 06:55 and 08:46 UTC on May 22, 2026
Failing task	ecosystem-cert-preflight-checks: {"result":"FAILURE","successes":6,"failures":2}
Same failures on main branch push	Base commit d24af10 push build: identical 2 preflight failures on all 3 architectures
CPO comparison	control-plane-operator-main has identical 2 preflight failures but uses different EC policy → passes as SUCCESS (484 successes)
Other task failures (non-blocking)	sast-shell-check: 38 ShellCheck warnings (SC1083) — treated as warnings, not blocking
Containerfile.operator gaps	No USER directive (RunAsNonRoot), missing vendor/release labels
PR #8439 code changes	Unrelated — modifies router Service type logic for non-cloud platforms (infra.go, router.go, kas/service.go + tests)

---