HYPERFLEET-839 - fix: require explicit NAMESPACE to prevent Pub/Sub c…

[ma-hill]

Summary

Removes hardcoded default namespace of hyperfleet-e2e in deploy-clm.sh to enforce that users must set NAMESPACE via .env or --namespace flag. This prevents GCP Pub/Sub topic/subscription collisions when multiple users run tests concurrently.

Changes

• Set default NAMESPACE = hyperfleet-e2e-$USER in env.example
• Update documentation to reflect required namespace flag
• Verified that it looks like tests already specify a unique namespace of hyperlfeet-e2e-<build_id>

Test Plan

• deploy-clm.sh scripts successful
• make test passes
• make e2e passes
• make lint passes
• E2E tests passed (if cross-component or major changes)

Jira Issue

• HYPERFLEET-839

Summary by CodeRabbit

• Documentation
  • Updated deployment guides and examples to use user-scoped, unique namespace defaults/placeholders.
  • Added guidance on namespace uniqueness, troubleshooting, and manual cleanup to avoid Pub/Sub conflicts.
• Chores
  • Deployment tooling now requires an explicit namespace (env or CLI) and validates format and length.
  • Default namespace behavior adjusted to include the invoking user when not otherwise specified.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign crizzo71 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The PR makes namespace handling user-specific and stricter: deploy-scripts/.env.example now defaults NAMESPACE to hyperfleet-e2e-$(echo ${USER:-default} | tr '[:upper:]' '[:lower:]'). deploy-clm.sh no longer provides an internal default, requires NAMESPACE be set (env or --namespace), and enforces DNS-1123 label rules plus a 63-character max, exiting with usage on failure. deploy-scripts/README.md examples and commands were updated to use per-user or explicit <unique_namespace> values and adjusted a load balancer IP extraction to use $NAMESPACE.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: requiring explicit NAMESPACE configuration to prevent Pub/Sub collisions, which is the core objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy-scripts/README.md`:
- Around line 180-184: The README example for running
./deploy-scripts/deploy-clm.sh shows a broken multi-line shell command: the line
with "--namespace pr-123" is missing a trailing backslash, causing the next
option lines to be treated as a separate command; update the example so each
continued line ends with a backslash (e.g., add a "\" after "--namespace
pr-123") so the full invocation of deploy-clm.sh with --action, --namespace,
--api-image-repo and --api-image-tag is executed as one multi-line command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6699e988-d74b-4d63-87a0-2b50afe0694b

📥 Commits

Reviewing files that changed from the base of the PR and between 8fb3eaa and b8846a7.

📒 Files selected for processing (3)

• deploy-scripts/.env.example
• deploy-scripts/README.md
• deploy-scripts/deploy-clm.sh

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy-scripts/.env.example`:
- Line 12: The NAMESPACE export uses unguarded $USER expansion which can trigger
an "unbound variable" under set -u; update the export for NAMESPACE (the line
that currently reads export NAMESPACE="${NAMESPACE:-hyperfleet-e2e-$USER}") to
use safe parameter expansion such as export
NAMESPACE="${NAMESPACE:-hyperfleet-e2e-${USER:-unknown}}" (or ${USER:-} if you
prefer empty) so that missing USER won’t abort deploy-clm.sh.

In `@deploy-scripts/deploy-clm.sh`:
- Around line 360-366: The script currently only checks NAMESPACE presence; add
DNS-1123 format validation (lowercase alphanumerics and hyphens, no
leading/trailing hyphen, max 63 chars) right after the existing empty check. In
the block around the NAMESPACE check, validate length (<=63) and match the regex
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$; if it fails, call log_error with a clear
message about invalid namespace format and then print_usage and exit 1 (same
flow as the empty-case). Reference: NAMESPACE variable and existing
log_error/print_usage usage in deploy-clm.sh.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 357fd5ee-da38-4294-8f22-f05f7ff8e918

📥 Commits

Reviewing files that changed from the base of the PR and between b8846a7 and c96407b.

📒 Files selected for processing (3)

• deploy-scripts/.env.example
• deploy-scripts/README.md
• deploy-scripts/deploy-clm.sh

✅ Files skipped from review due to trivial changes (1)

• deploy-scripts/README.md

[pnguyen44]

Missing trailing backslash. This breaks the multi-line shell example. The image repo and tag lines would be interpreted as a separate command instead of arguments to deploy-clm.sh.

[pnguyen44]

$USER can contain uppercase characters on some systems, which would produce an invalid Kubernetes namespace (DNS-1123 requires lowercase). Consider lowercasing it here or adding DNS-1123 validation in the script to catch this early.

[ma-hill]

Addressed and added a check for namespace names that must be valid RFC 1123 DNS labels.

[coderabbitai]

🧹 Nitpick comments (1)

deploy-scripts/.env.example (1)

12-12: ⚡ Quick win

Sanitize and bound the USER suffix before composing NAMESPACE.

Line 12 lowercases USER, but it still allows characters/length that fail the DNS-1123 check in deploy-scripts/deploy-clm.sh (Line 368). This can make the default .env value fail on first run for valid system usernames like john_doe or long IDs.

Suggested patch

-export NAMESPACE="${NAMESPACE:-hyperfleet-e2e-$(echo ${USER:-default} | tr '[:upper:]' '[:lower:]')}"
+export NAMESPACE="${NAMESPACE:-hyperfleet-e2e-$(printf '%s' "${USER:-default}" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9]+/-/g; s/^-+|-+$//g; s/^$/default/; s/^(.{48}).*$/\1/')}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy-scripts/.env.example` at line 12, Sanitize and bound the USER suffix
used to build NAMESPACE: when exporting NAMESPACE (the export NAMESPACE= line),
lower-case the USER, replace any chars not in [a-z0-9-] with '-', strip
leading/trailing '-' and enforce a maximum suffix length so the full name
(prefix "hyperfleet-e2e-") stays within the DNS-1123 63-char label limit (i.e.,
cap the suffix to 63 minus the prefix length); ensure an empty result falls back
to "default"; apply this change in the .env.example export NAMESPACE line and
verify it satisfies the DNS-1123 check used in deploy-clm.sh.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@deploy-scripts/.env.example`:
- Line 12: Sanitize and bound the USER suffix used to build NAMESPACE: when
exporting NAMESPACE (the export NAMESPACE= line), lower-case the USER, replace
any chars not in [a-z0-9-] with '-', strip leading/trailing '-' and enforce a
maximum suffix length so the full name (prefix "hyperfleet-e2e-") stays within
the DNS-1123 63-char label limit (i.e., cap the suffix to 63 minus the prefix
length); ensure an empty result falls back to "default"; apply this change in
the .env.example export NAMESPACE line and verify it satisfies the DNS-1123
check used in deploy-clm.sh.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 85cd9844-f0f0-4082-9f38-9899c6b94688

📥 Commits

Reviewing files that changed from the base of the PR and between c96407b and 84e60fa.

📒 Files selected for processing (3)

• deploy-scripts/.env.example
• deploy-scripts/README.md
• deploy-scripts/deploy-clm.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• deploy-scripts/README.md

[rafabene]

Tip

nit — non-blocking suggestion

Category: Inconsistency

Two small doc issues with the namespace examples:

1. The README mixes <unique_namespace> (placeholder) and hyperfleet-e2e-$USER (literal) without a consistent rule. For example, Quick Start install uses the placeholder but Quick Start uninstall uses the literal. Consider standardizing — either use <unique_namespace> everywhere with a note explaining the convention, or use hyperfleet-e2e-$USER everywhere for copy-pasteable examples.

2. Option 2 step 3 (line 87) adds --namespace hyperfleet-e2e-$USER to the .env-based workflow, but the whole point of Option 2 is that NAMESPACE is configured in .env. The --namespace CLI flag overrides the .env value, making step 2's config irrelevant. The script's own help text shows the correct pattern:

# Install with .env defaults
deploy-clm.sh --action install

Consider reverting line 87 to just ./deploy-clm.sh --action install (no --namespace) to match the .env-based intent.

[rafabene]

Impact warnings

The following files are NOT in this PR but still reference the old hardcoded hyperfleet-e2e namespace and may need updating:

• docs/runbook.md — kubectl commands use hardcoded namespace (e.g., kubectl get pods -n hyperfleet-e2e, kubectl logs -n hyperfleet-e2e deployment/hyperfleet-api)
• deploy-scripts/lib/gcp.sh — comment examples reference hardcoded namespace (e.g., hyperfleet-e2e-clusters, hyperfleet-e2e-nodepools)

These are outside the PR scope — just flagging for awareness so the migration away from the hardcoded namespace is complete.