OCPBUGS-81741: Watch Network and Infrastructure in proxyconfig controller

[jluhrsen]

The proxyconfig controller reads Network.Status.ClusterNetwork and Infrastructure.Status to compute Proxy.Status.NoProxy, but only watched Proxy and ConfigMaps. Network or Infrastructure changes would not trigger reconciliation, leaving proxy status stale.

Add watches for Network and Infrastructure resources to ensure reconciliation occurs when these resources change.

Also add Proxy status subresource support to fake client and unit tests covering reconciliation logic.

Co-authored-by: Claude Code <noreply@anthropic.com)

Summary by CodeRabbit

Release Notes

• Tests

  • Added comprehensive unit test suite for proxy configuration reconciliation, validating status updates when network and infrastructure resources are modified.

• Improvements

  • Enhanced proxy controller to monitor and respond to Network and Infrastructure resource changes in addition to existing watchers.

[openshift-ci-robot]

@jluhrsen: This pull request references Jira Issue OCPBUGS-81741, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The proxyconfig controller reads Network.Status.ClusterNetwork and Infrastructure.Status to compute Proxy.Status.NoProxy, but only watched Proxy and ConfigMaps. Network or Infrastructure changes would not trigger reconciliation, leaving proxy status stale.

Add watches for Network and Infrastructure resources to ensure reconciliation occurs when these resources change.

Also add Proxy status subresource support to fake client and unit tests covering reconciliation logic.

Co-authored-by: Claude Code <noreply@anthropic.com)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The pull request extends the proxy configuration controller to watch configv1.Network and configv1.Infrastructure resources, triggering reconciliation when these objects change. The fake client now includes proxy as a status subresource. Comprehensive unit tests validate reconciliation behavior across various resource states.

Changes

Cohort / File(s)	Summary
Fake Client Enhancement pkg/client/fake/fake_client.go	Added configv1.Proxy to the status subresource targets passed to the fake client builder, alongside existing configv1.ClusterOperator.
Controller Watch Registration pkg/controller/proxyconfig/controller.go	Registered watches for configv1.Network and configv1.Infrastructure resources in the reconciler's add() function, enqueuing the reconciler when these objects change.
Test Suite pkg/controller/proxyconfig/controller_test.go	Added comprehensive unit tests validating that reconciliation correctly populates Proxy.Status.NoProxy based on Network.Status.ClusterNetwork CIDR(s) and Infrastructure.Status.APIServerInternalURL, including error handling for missing resources.

Sequence Diagram(s)

sequenceDiagram
    participant Network as Network<br/>(configv1)
    participant Infra as Infrastructure<br/>(configv1)
    participant Controller as Controller
    participant Reconciler as Reconciler
    participant Proxy as Proxy<br/>(configv1)
    
    Note over Network,Proxy: Event Trigger
    Network->>Controller: Resource changed event
    Infra->>Controller: Resource changed event
    
    Note over Network,Proxy: Reconciliation Flow
    Controller->>Reconciler: Enqueue reconciliation request
    Reconciler->>Network: Read ClusterNetwork CIDRs
    Reconciler->>Infra: Read APIServerInternalURL
    Reconciler->>Proxy: Update Status.NoProxy<br/>(CIDRs + hostname)
    Proxy->>Reconciler: Status updated

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Tests violate single responsibility principle by testing multiple distinct behaviors within single test functions and lack organized setup/cleanup structure.	Split multi-behavior tests into distinct test cases and consider migrating to Ginkgo/Gomega patterns or document standard Go testing approach consistently.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding watches for Network and Infrastructure resources in the proxyconfig controller, which is the primary modification across all three files.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The custom check for stable test names applies to Ginkgo declarations. The file uses standard Go testing framework with stable descriptive test names, making the check not applicable.
Microshift Test Compatibility	✅ Passed	The PR adds unit tests using standard Go testing patterns, not Ginkgo e2e tests. The MicroShift compatibility check applies only to new Ginkgo e2e tests, which are not present in this PR.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The pull request adds standard Go unit tests using the testing package, not Ginkgo e2e tests, making this check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR changes only affect controller reconciliation logic and test infrastructure with no deployment manifests, scheduling constraints, or topology assumptions.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations detected. Process-level init() function only calls configv1.AddToScheme() which produces no stdout output. All logging calls are in non-process-level methods.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds standard Go unit tests using controller-runtime's fake client, not Ginkgo e2e tests. The tests operate entirely in-memory with mock objects and make no actual network connections.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/Masterminds/semver@v1.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Masterminds/sprig/v3@v3.2.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/containernetworking/cni@v0.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ghodss/yaml@v1.0.1-0.20190212211648-25d852aebe32: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/go-bindata/go-bindata@v3.1.2+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/onsi/gomega@v1.39.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ope

... [truncated 17356 characters] ...

ired in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/gengo/v2@v2.0.0-20251215205346-5ee0d033ba5b: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kms@v0.35.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kube-aggregator@v0.35.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/structured-merge-diff/v6@v6.3.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jluhrsen
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

pkg/controller/proxyconfig/controller_test.go (1)

220-228: Also assert that the old API hostname is removed.

Right now this test only proves the new hostname was added. It would still pass if reconciliation appended the new host without dropping the stale one.

Suggested assertion

 	if !strings.Contains(proxy.Status.NoProxy, updatedAPIServer) {
 		t.Errorf("Expected proxy.Status.NoProxy to contain updated API server %s, got: %s",
 			updatedAPIServer, proxy.Status.NoProxy)
 	}
+	if strings.Contains(proxy.Status.NoProxy, initialAPIServer) {
+		t.Errorf("proxy.Status.NoProxy still contains old API server %s, got: %s",
+			initialAPIServer, proxy.Status.NoProxy)
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/proxyconfig/controller_test.go` around lines 220 - 228, The
test currently only asserts that proxy.Status.NoProxy contains updatedAPIServer;
also assert that the previous API hostname is removed by checking that
strings.Contains(proxy.Status.NoProxy, oldAPIServer) is false (use whatever
variable name holds the pre-update hostname in this test), i.e., add an
assertion after fetching proxy that proxy.Status.NoProxy does NOT contain the
old API hostname to ensure reconciliation replaced rather than appended the
host.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/controller/proxyconfig/controller_test.go`:
- Around line 220-228: The test currently only asserts that proxy.Status.NoProxy
contains updatedAPIServer; also assert that the previous API hostname is removed
by checking that strings.Contains(proxy.Status.NoProxy, oldAPIServer) is false
(use whatever variable name holds the pre-update hostname in this test), i.e.,
add an assertion after fetching proxy that proxy.Status.NoProxy does NOT contain
the old API hostname to ensure reconciliation replaced rather than appended the
host.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 41e9f990-8f6b-40f0-b896-52eb993948a5

📥 Commits

Reviewing files that changed from the base of the PR and between bdbba59 and 16d068b.

📒 Files selected for processing (3)

• pkg/client/fake/fake_client.go
• pkg/controller/proxyconfig/controller.go
• pkg/controller/proxyconfig/controller_test.go

[openshift-ci]

@jluhrsen: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec	16d068b	link	true	/test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-aws-ovn-rhcos10-techpreview	16d068b	link	false	/test e2e-aws-ovn-rhcos10-techpreview
ci/prow/lint	16d068b	link	true	/test lint
ci/prow/e2e-aws-ovn-upgrade	16d068b	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-windows	16d068b	link	true	/test e2e-aws-ovn-windows
ci/prow/security	16d068b	link	false	/test security
ci/prow/hypershift-e2e-aks	16d068b	link	true	/test hypershift-e2e-aks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.