AROSLSRE-687: propagate HCP Azure resource ID annotation to control plane namespace

[ashishmax31]

What this PR does / why we need it:

Add a new annotation constant HCPAzureResourceIDAnnotation that carries
the Azure resource ID set by Cluster Service on the HostedCluster CR.
The hostedcluster controller now propagates this annotation to the
hosted control plane namespace for Azure platform clusters.

Fixes
https://redhat.atlassian.net/browse/AROSLSRE-687

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• [x ] Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

  • Azure HostedClusters now propagate an Azure resource ID annotation into their hosted control plane namespace for Azure-based clusters; the annotation is added when present and removed when absent, preserving other namespace annotations.

• Tests

  • Added unit tests covering propagation, removal, non-Azure behavior, and preservation of existing namespace annotations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds the exported constant HCPAzureResourceIDAnnotation with value "azure.microsoft.com/hcp-cluster-azure-resource-id". The HostedCluster controller reconciliation propagates that annotation from an Azure-platform HostedCluster CR to the hosted control plane Namespace: it initializes namespace.Annotations if nil, writes the annotation value when present on the HostedCluster, and removes the annotation from the Namespace when the HostedCluster no longer has it. Non-Azure platforms are not affected; other Namespace annotations are preserved.

Sequence Diagram(s)

sequenceDiagram
  participant HC as HostedCluster CR
  participant Ctrl as HostedCluster Controller
  participant API as Kubernetes API (ControlPlane Namespace)

  HC->>Ctrl: Reconcile event / Read HostedCluster
  Ctrl->>Ctrl: Check platform == Azure?
  alt Azure platform
    alt annotation present on HC
      Ctrl->>API: GET ControlPlane Namespace
      API-->>Ctrl: Namespace object
      Ctrl->>Ctrl: Ensure namespace.Annotations initialized
      Ctrl->>API: PATCH/UPDATE Namespace with HCPAzureResourceIDAnnotation
      API-->>Ctrl: 200 OK
    else annotation absent on HC
      Ctrl->>API: GET ControlPlane Namespace
      API-->>Ctrl: Namespace object
      Ctrl->>Ctrl: Remove HCPAzureResourceIDAnnotation from Namespace.Annotations (if present)
      Ctrl->>API: PATCH/UPDATE Namespace
      API-->>Ctrl: 200 OK
    end
  else Non-Azure platform
    Ctrl-->>API: No annotation written or removed
  end

Loading

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test uses NewWithT instead of NewGomegaWithT (inconsistent with 18 existing tests), lacks meaningful assertion failure messages without explanatory strings.	Use NewGomegaWithT(t) for consistency; add meaningful failure messages to assertions like "failed to propagate Azure resource ID annotation".

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: propagating an Azure resource ID annotation to the control plane namespace, which aligns with all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All new test names in TestPropagateAzureResourceIDAnnotation are static strings without dynamic content, timestamps, UUIDs, or generated identifiers. Test titles are descriptive and deterministic.
Microshift Test Compatibility	✅ Passed	Added test (TestPropagateAzureResourceIDAnnotation) is a standard Go unit test, not a Ginkgo e2e test. The custom check only applies to Ginkgo e2e tests, which are not present in this PR.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests were added. The PR only adds a standard Go unit test (TestPropagateAzureResourceIDAnnotation) using testing.T, which is outside the scope of this SNO compatibility check.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only adds annotation constant and propagates Azure resource ID metadata to namespace; no scheduling constraints (affinity, replicas, nodeSelector, etc.) are introduced.
Ote Binary Stdout Contract	✅ Passed	PR is for HyperShift operator codebase (API types, controller, and unit tests), not an OTE binary. Check is not applicable to non-OTE projects.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. PR contains only standard Go unit tests in hostedcluster_controller_test.go with no IPv4 or connectivity assumptions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`:
- Around line 6583-6590: The test currently duplicates the Azure resourceID
annotation propagation logic inline; instead invoke the real reconciliation path
(call HostedClusterReconciler.Reconcile or the production helper used by the
controller) using the fake client with the test's HostedCluster (hcluster) and
Namespace (ns) fixtures, then fetch the Namespace from the fake client and
assert that ns.Annotations[hyperv1.HCPAzureResourceIDAnnotation] matches the
HostedCluster annotation; update the test to remove the inline propagation block
and reference HostedClusterReconciler.Reconcile (or the controller helper
function) and the hcluster/ns fixtures so the assertion verifies controller
behavior end-to-end.

In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`:
- Around line 1413-1421: The reconcile currently only copies
hyperv1.HCPAzureResourceIDAnnotation from the HostedCluster to the
controlPlaneNamespace when present, but never deletes it when the source
annotation is removed; update the logic in the reconcile block handling
hcluster.Spec.Platform == hyperv1.AzurePlatform (around the
controlPlaneNamespace update) to check for the annotation on the HostedCluster
and if missing remove hyperv1.HCPAzureResourceIDAnnotation from
controlPlaneNamespace (ensure controlPlaneNamespace.Annotations is non-nil
before modifying), then persist the change (e.g., via the existing client
update/patch call used for controlPlaneNamespace) so stale values are cleared.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: a1bf189c-2644-4dbd-8566-929d11783745

📥 Commits

Reviewing files that changed from the base of the PR and between 6daa9ce and 621ee27.

⛔ Files ignored due to path filters (1)

• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (3)

• api/hypershift/v1beta1/hostedcluster_types.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go

[codecov]

Codecov Report

❌ Patch coverage is 84.61538% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.45%. Comparing base (860b695) to head (bc1bb38).
⚠️ Report is 38 commits behind head on main.

Files with missing lines	Patch %	Lines
...trollers/hostedcluster/hostedcluster_controller.go	84.61%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8312      +/-   ##
==========================================
+ Coverage   41.27%   41.45%   +0.18%     
==========================================
  Files         755      756       +1     
  Lines       93446    93660     +214     
==========================================
+ Hits        38566    38823     +257     
+ Misses      52148    52114      -34     
+ Partials     2732     2723       -9     

Files with missing lines	Coverage Δ
...trollers/hostedcluster/hostedcluster_controller.go	45.63% <84.61%> (+0.87%)	⬆️

... and 11 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	34.87% <ø> (+<0.01%)	⬆️
cpo-hostedcontrolplane	43.50% <ø> (ø)
cpo-other	42.79% <ø> (ø)
hypershift-operator	51.59% <84.61%> (+0.59%)	⬆️
other	31.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[JoelSpeed]

/approve

For API

[jparrill]

/retitle AROSLSRE-687: propagate HCP Azure resource ID annotation to control plane namespace

[openshift-ci-robot]

@ashishmax31: This pull request references AROSLSRE-687 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Add a new annotation constant HCPAzureResourceIDAnnotation that carries
the Azure resource ID set by Cluster Service on the HostedCluster CR.
The hostedcluster controller now propagates this annotation to the
hosted control plane namespace for Azure platform clusters.

Fixes
https://redhat.atlassian.net/browse/AROSLSRE-687

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• [x ] Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

• Azure HostedClusters now propagate an Azure resource ID annotation into their hosted control plane namespace for Azure-based clusters, improving resource tracking and identification.

• Tests

• Added unit tests covering propagation, removal, non-Azure behavior, and preservation of other namespace annotations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jparrill]

Dropped a comment. Thanks!

[jparrill]

/approve

[jparrill]

You will need to force push in order to retest the env test for KAS.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashishmax31, JoelSpeed, jparrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jparrill]
• api/OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jparrill]

Dropped some comments. Thanks

[ashishmax31]

@jparrill Addressed the review comments. PTAL

[ashishmax31]

/test images

[ashishmax31]

/retest

[bryan-cox]

We should use the IsAroHcp check here or whatever is replacing it. Actually why not just move that check up on L1400?

cc @muraee

[ashishmax31]

@jparrill asked to handle this case too: #8312 (comment)

Tiny thing: if a namespace somehow already has this annotation but the cluster isn't Azure, the early return leaves it sitting there forever. Platform type is immutable in practice so it's not really a bug, but a delete before the return would be strictly cleaner. Up to you.

If we move the check up then it'll be ugly to add this check

[ashishmax31]

There is no IsAroHcp method on the HostedCluster

[bryan-cox]

There is. We use it all over the place. Here's an example -

hypershift/hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go

Line 169 in e25a87a

if azureutil.IsAroHCP() {

[ashishmax31]

Done

[hypershift-jira-solve-ci]

Now I can see the full picture. The alignment issues are in multiple places:

1. Struct field definitions (lines 7149-7153): Fields like name, isAroHCP, etc., use spaces for column alignment
2. Struct literal initializations: Fields like name:····· and nsAnnotations:······nil use spaces for alignment padding
3. The "some-other-annotation": "preserved" line also uses spaces for alignment

go fmt would convert all this space-based alignment to tab-based alignment. I have all the evidence needed for the report.

Test Failure Analysis Complete

Job Information

• Prow Job: verify / Verify (GitHub Actions workflow Verify)
• Build ID: 26949433907 / job 79510628424
• Target: PR AROSLSRE-687: propagate HCP Azure resource ID annotation to control plane namespace #8312 — AROSLSRE-687: propagate HCP Azure resource ID annotation to control plane namespace
• Commit: c98e0a5

Test Failure Analysis

Error

hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go: needs update
##[error]Process completed with exit code 1.

Summary

The Verify workflow failed because the test file hostedcluster_controller_test.go was not properly formatted with go fmt before being committed. The make fmt step (which runs go fmt ./...) reformatted the file during CI, and the subsequent git update-index --refresh dirty-tree check detected the modification and failed the build. The CI log confirms go fmt printed the filename — meaning it changed the file — and then the git check caught the uncommitted diff.

Root Cause

The newly added TestPropagateAzureResourceIDAnnotation function in hostedcluster_controller_test.go uses spaces for struct field alignment in multiple places, whereas go fmt normalizes these to tabs.

Specifically, the struct type definition uses space-padded alignment:

tests := []struct {
    name               string      // 15 spaces between name and type
    isAroHCP           bool        // 11 spaces
    hcluster           *hyperv1.HostedCluster  // 11 spaces
    nsAnnotations      map[string]string       // 6 spaces
    expectedAnnotation string      // 1 space
}

And the struct literal initializations also use space-based alignment:

name:     "..."          // 5 spaces after name:
nsAnnotations:      nil  // 6 spaces after nsAnnotations:

go fmt converts all of this inter-column space padding to tabs. The Verify workflow runs make fmt → make vet → git update-index --refresh in sequence. When make fmt executed go fmt ./..., it reformatted the file (confirmed by the CI log printing the filename), and the subsequent git dirty-tree check failed because the working tree no longer matched the committed content.

The author likely used an editor that inserted spaces for alignment instead of tabs, or manually padded fields for visual alignment without running go fmt before committing.

Recommendations

1. Run go fmt ./... locally before pushing. This will normalize the struct field alignment in the test file from spaces to tabs.
2. Run the full verify suite locally (make generate update && make fmt && make vet) and check for a clean git tree before pushing — this replicates exactly what CI does.
3. Configure your editor to use gofmt/goimports on save for .go files. Most Go-aware editors (VS Code with Go extension, GoLand, vim-go) support this natively.
4. No code logic changes needed — the test logic is correct, only the whitespace formatting needs to be fixed.

Evidence

Evidence	Detail
Failed step	Run git update-index --refresh — detects uncommitted modifications after make fmt
go fmt output	CI log shows go fmt printed hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go — confirming it reformatted the file
git update-index output	hostedcluster_controller_test.go: needs update — file differs from committed content
Formatting issue location	Struct field definitions at lines ~7149-7153 use spaces (not tabs) for column alignment
Formatting issue location	Struct literal field initializers (e.g., name:·····, nsAnnotations:······nil) use spaces for padding
Workflow definition	.github/workflows/verify-reusable.yaml runs: make generate update → make staticcheck → make fmt → make vet → git update-index --refresh
PR files affected	hostedcluster_controller_test.go — only the newly added test function has the formatting issue

---

[openshift-ci]

@ashishmax31: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[bryan-cox]

Can't this be simplified to just see if it is ARO HCP and then either set it or delete the annotation?