OCPBUGS-77268: reconcile HCP when pull secret is unavailable

[rafael-azevedo]

What this PR does / why we need it:

When the pull secret is missing or invalid, the HostedCluster reconciler exits before reaching reconcileHostedControlPlane. This prevents RequestServingNodeAdditionalSelector and other spec fields from being propagated to the HCP, breaking HA scheduling for request-serving nodes.

Log the error and call reconcileHostedControlPlane before returning so pod placement decisions continue during a pull secret outage. The error is still returned to trigger a requeue for full reconciliation once the pull secret is restored.

JIRA: OCPBUGS-77268

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-77268

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Bug Fixes

  • When a pull secret fetch fails, reconciliation now logs the error and triggers a recovery reconcile of the control plane so pod placement decisions (nodeSelector, autoscaling, node-termination handler) and certificate-related metadata are still processed.

• Tests

  • Added unit and parallel e2e tests simulating pull-secret unavailability to verify propagation of nodeSelector, annotations and release image to the control plane and recovery after restoration.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

When pull-secret fetching fails during HostedCluster reconciliation, the controller logs the failure and attempts a recovery reconcile of the HostedControlPlane. The recovery recomputes annotation-driven state (autoscaling, AWS node-termination handler, and KAS serving-cert hashes) while disabling stale-certificate checks, then performs a createOrUpdate of the HostedControlPlane with those annotations. If annotation computation fails, that error is returned; if the HostedControlPlane reconcile fails it is logged but the original pull-secret error is still returned. New unit and e2e tests cover missing or corrupted pull-secret scenarios.

Sequence Diagram(s)

sequenceDiagram
    participant Reconciler
    participant API_Server as "API Server (Secrets/CRs)"
    participant AnnotationLogic as "Annotation Computation"
    participant HostedControlPlane as "HostedControlPlane (createOrUpdate)"

    Reconciler->>API_Server: Get pull secret
    API_Server-->>Reconciler: error (pull secret missing/corrupt)
    Reconciler-->>Reconciler: log "failed to get pull secret"
    Reconciler->>AnnotationLogic: compute autoscaling/node-termination/cert-hash annotations (disable stale cert check)
    AnnotationLogic-->>Reconciler: annotations or error
    alt annotations computed
        Reconciler->>HostedControlPlane: reconcile HostedControlPlane with annotations
        HostedControlPlane-->>Reconciler: success or error (logged)
        Reconciler-->>Reconciler: return original pull-secret error
    else annotation computation failed
        AnnotationLogic-->>Reconciler: error
        Reconciler-->>Reconciler: return annotation error
    end

Loading

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (3 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	E2E test uses maps.Clone to backup entire NodeSelector and Annotations maps, then unconditionally restores them, violating test isolation principles and risking flakiness if other reconcilers update unrelated keys.	Refactor to capture and restore only test-owned keys ('ocpbugs-77268-test' and RequestServingNodeAdditionalSelectorAnnotation) rather than entire map snapshots to maintain test isolation.
Microshift Test Compatibility	⚠️ Warning	The new TestPullSecretUnavailable test uses HyperShift-specific CRDs (HostedCluster, HostedControlPlane) not available on MicroShift without protective skip mechanisms.	Add [Skipped:MicroShift] label or use exutil.IsMicroShiftCluster() with g.Skip() to prevent test execution on MicroShift.
Ote Binary Stdout Contract	❓ Inconclusive	Unable to definitively locate and examine the specific code changes in hostedcluster_controller.go, hostedcluster_controller_test.go, and chaos_test.go to verify stdout contract compliance.	Access the specific modified code sections to verify that logging uses proper infrastructure (klog/logr) and that suite-level Ginkgo setup code does not emit warnings to stdout.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Both test names added in this PR are static, descriptive, and follow Go testing conventions without dynamic information.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The TestPullSecretUnavailable e2e test validates reconciliation behavior and field propagation at the Kubernetes API level without requiring multiple nodes or pod scheduling across distinct workers.
Topology-Aware Scheduling Compatibility	✅ Passed	PR does not introduce scheduling constraints assuming standard HA topology; enables existing nodeSelector propagation across all topologies.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The TestPullSecretUnavailable test contains no IPv4 assumptions or external connectivity requirements. It operates entirely within the cluster using Kubernetes API operations.
Title check	✅ Passed	The title clearly and specifically describes the main change: reconciling HostedControlPlane when pull secret is unavailable, which aligns perfectly with the core logic changes across all three modified files.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 86.95652% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.29%. Comparing base (7461f85) to head (51caaea).
⚠️ Report is 28 commits behind head on main.

Files with missing lines	Patch %	Lines
...trollers/hostedcluster/hostedcluster_controller.go	86.95%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8352      +/-   ##
==========================================
+ Coverage   41.27%   41.29%   +0.02%     
==========================================
  Files         755      755              
  Lines       93446    93467      +21     
==========================================
+ Hits        38566    38596      +30     
+ Misses      52148    52142       -6     
+ Partials     2732     2729       -3     

Files with missing lines	Coverage Δ
...trollers/hostedcluster/hostedcluster_controller.go	45.27% <86.95%> (+0.50%)	⬆️

Flag	Coverage Δ
cmd-support	34.86% <ø> (ø)
cpo-hostedcontrolplane	43.50% <ø> (ø)
cpo-other	42.79% <ø> (ø)
hypershift-operator	51.08% <86.95%> (+0.07%)	⬆️
other	31.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go (1)

668-693: Reduce duplication and avoid shadowing the outer hcp.

The new fallback block largely repeats the HCP-reconcile logic at lines 1825–1844 (autoscaler check, NTH check, createOrUpdate + reconcileHostedControlPlane with the same cert-renewal closure). It also redeclares hcp with := (line 672), shadowing the outer hcp from line 385; the main path at line 1833 uses = to reassign. Consider extracting a small helper (e.g., r.reconcileHostedControlPlaneObject(ctx, log, hcluster, controlPlaneNamespace, defaultToControlPlaneV2)) and calling it from both sites — this would also make it easier to keep the V2 flag and error-aggregation behavior consistent across paths.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`
around lines 668 - 693, The fallback error path duplicates the HCP-reconcile
logic and shadows the outer hcp; extract a helper method on the reconciler
(e.g., r.reconcileHostedControlPlaneObject(ctx, log, hcluster,
controlPlaneNamespace, defaultToControlPlaneV2)) that performs the autoscaler
and NTH checks (isAutoscalingNeeded, isAWSNodeTerminationHandlerNeeded), calls
createOrUpdate and reconcileHostedControlPlane with the same cert-renewal
closure (shouldCheckForStaleCerts, kasServingCertHashFromSecret,
kasServingCertHashFromEndpoint, kasHostAndPortFromHCP), and returns any errors;
replace the duplicated block with a call to that helper and ensure you assign to
the existing hcp variable (use = not :=) so you don’t shadow the outer variable
and so V2 flag and error aggregation remain consistent across both code paths.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`:
- Around line 342-343: The test currently only asserts the presence of the
annotation on updatedHCP using
HaveKey(hyperv1.RequestServingNodeAdditionalSelectorAnnotation); update the
assertion to verify the annotation value as well (e.g., use Gomega's
HaveKeyWithValue or compare
updatedHCP.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation]
to the expected selector string/variable). Locate the assertion around
updatedHCP and replace the HaveKey check with a value equality check referencing
hyperv1.RequestServingNodeAdditionalSelectorAnnotation and the expected selector
used earlier in the test.

In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`:
- Around line 689-692: When hcpErr is non-nil the code currently returns the
wrapped HCP error and drops the original pull-secret error (err); change this so
the controller still returns the original err for requeue while preserving or
surfacing hcpErr: log hcpErr (or aggregate it into the returned error while
keeping err as the primary error) instead of returning only hcpErr. Locate the
block using variables hcpErr and err (in the hostedcluster reconcile flow) and
replace the return so you either call the controller logger to record hcpErr or
return a combined error that wraps hcpErr but keeps err as the returned value
(e.g., log hcpErr then return err).
- Line 685: The call currently uses a hardcoded false
(shouldCheckForStaleCerts(hcluster, false)) which forces stale-cert checks on V2
clusters during a pull-secret error path; instead, on this error path skip the
stale-cert check entirely: detect the pull-secret-unavailable condition where
this line runs and do not call shouldCheckForStaleCerts or the subsequent
kasServingCertHashFromSecret/kasServingCertHashFromEndpoint work; otherwise,
when the pull secret is available, obtain the correct defaultToControlPlaneV2
value (derive it the same way the main reconcile does from the CPO image labels
or HCP annotations) and pass that into shouldCheckForStaleCerts so behavior
matches normal reconciliation.

In `@test/e2e/chaos_test.go`:
- Around line 500-504: Replace the weak corruption payload which may be treated
as a benign auth config by assigning a structurally-invalid but still
syntactically valid docker config JSON to pullSecret.Data[".dockerconfigjson"];
specifically, change the value written before calling mgtClient.Update so the
JSON uses incorrect structure/types for a docker config (for example an "auths"
field with the wrong value type) to reliably trigger the pull-secret failure
path in the chaos_test where pullSecret is updated via mgtClient.Update.
- Around line 509-526: The current assertion only checks ReleaseImage and can
pass without reconcileHostedControlPlane running; after corrupting the pull
secret, mutate a field on the source HostedCluster that is known to be
propagated to the HostedControlPlane (e.g. update
hostedCluster.Spec.<propagatedField>), then use the existing
e2eutil.EventuallyObject / predicate flow that reads the HostedControlPlane (h
:= &hyperv1.HostedControlPlane{} via mgtClient.Get) to assert that
h.Spec.<propagatedField> equals the new value, ensuring
reconcileHostedControlPlane actually applied the update.

---

Nitpick comments:
In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`:
- Around line 668-693: The fallback error path duplicates the HCP-reconcile
logic and shadows the outer hcp; extract a helper method on the reconciler
(e.g., r.reconcileHostedControlPlaneObject(ctx, log, hcluster,
controlPlaneNamespace, defaultToControlPlaneV2)) that performs the autoscaler
and NTH checks (isAutoscalingNeeded, isAWSNodeTerminationHandlerNeeded), calls
createOrUpdate and reconcileHostedControlPlane with the same cert-renewal
closure (shouldCheckForStaleCerts, kasServingCertHashFromSecret,
kasServingCertHashFromEndpoint, kasHostAndPortFromHCP), and returns any errors;
replace the duplicated block with a call to that helper and ensure you assign to
the existing hcp variable (use = not :=) so you don’t shadow the outer variable
and so V2 flag and error aggregation remain consistent across both code paths.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c1d7ffc1-6089-4045-b310-bed495c8ac4a

📥 Commits

Reviewing files that changed from the base of the PR and between e7e828e and f5ff5b8.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

[rafael-azevedo]

/test e2e-aws

[coderabbitai]

🧹 Nitpick comments (2)

hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go (2)

309-310: Nit: defer mockCtrl.Finish() is redundant.

gomock.NewController(t) registers a t.Cleanup for Finish() since gomock v1.5.0, so the explicit defer is dead code. Other tests in this file have already dropped it (e.g. TestHasBeenAvailable at Line 110, TestValidateReleaseImage at Line 2355). Drop for consistency.

 	mockCtrl := gomock.NewController(t)
-	defer mockCtrl.Finish()
 	mockedProvider := releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides(mockCtrl)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`
around lines 309 - 310, Remove the redundant explicit defer call to
mockCtrl.Finish() after creating the gomock controller with mockCtrl :=
gomock.NewController(t); NewController already registers t.Cleanup to call
Finish(), so delete the line "defer mockCtrl.Finish()" in the test (the mockCtrl
variable and its NewController(t) call should remain).

---

309-311: Mock provider has no expectations — fine today, but brittle.

mockedProvider is constructed without any EXPECT().Lookup(...).AnyTimes() (unlike every other test in this file). This works only as long as the missing-pull-secret path errors out before any call into the release provider. If a future change reorders validation or release-image lookup ahead of GetPullSecretBytes, this test will start panicking with a gomock "unexpected call" rather than failing meaningfully.

Adding a permissive default would make the test resilient:

Suggested hardening

 	mockedProvider := releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides(mockCtrl)
+	mockedProvider.EXPECT().
+		Lookup(gomock.Any(), gomock.Any(), gomock.Any()).
+		Return(testutils.InitReleaseImageOrDie("4.15.0"), nil).AnyTimes()
+	mockedProvider.EXPECT().GetRegistryOverrides().Return(nil).AnyTimes()
+	mockedProvider.EXPECT().GetOpenShiftImageRegistryOverrides().Return(nil).AnyTimes()
+	mockedProvider.EXPECT().GetMirroredReleaseImage().Return("").AnyTimes()

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`
around lines 309 - 311, The test constructs mockedProvider via
releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides but sets no
default expectations, which makes the test brittle; add a permissive default
expectation on mockedProvider.Lookup (or the Lookup method used by release
provider) using mockedProvider.EXPECT().Lookup(gomock.Any(),
gomock.Any()).AnyTimes().Return(<sensible default return values>, nil) so any
unexpected lookup calls won't cause gomock panics; place this right after the
mockedProvider creation near the mockCtrl setup and ensure the returned values
match the signature expected by code paths (so GetPullSecretBytes and other
validation can run without triggering unexpected-call errors).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go`:
- Around line 309-310: Remove the redundant explicit defer call to
mockCtrl.Finish() after creating the gomock controller with mockCtrl :=
gomock.NewController(t); NewController already registers t.Cleanup to call
Finish(), so delete the line "defer mockCtrl.Finish()" in the test (the mockCtrl
variable and its NewController(t) call should remain).
- Around line 309-311: The test constructs mockedProvider via
releaseinfo.NewMockProviderWithOpenShiftImageRegistryOverrides but sets no
default expectations, which makes the test brittle; add a permissive default
expectation on mockedProvider.Lookup (or the Lookup method used by release
provider) using mockedProvider.EXPECT().Lookup(gomock.Any(),
gomock.Any()).AnyTimes().Return(<sensible default return values>, nil) so any
unexpected lookup calls won't cause gomock panics; place this right after the
mockedProvider creation near the mockCtrl setup and ensure the returned values
match the signature expected by code paths (so GetPullSecretBytes and other
validation can run without triggering unexpected-call errors).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d47c7540-abd2-44c5-ac0a-8d68c70d3c46

📥 Commits

Reviewing files that changed from the base of the PR and between f5ff5b8 and adcbbe4.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• test/e2e/chaos_test.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

[rafael-azevedo]

/test e2e-aws

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2048885532125040640 | Cost: $3.868621550000001 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-04-29T13:02:50Z
• View Job
• View Job History

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go (1)

681-687: ⚠️ Potential issue | 🟠 Major

Skip stale-cert checks on the pull-secret fallback path.

Line 685 still hardcodes false into shouldCheckForStaleCerts, so this recovery path can run cert-hash logic for already-available clusters during a pull-secret outage. That makes the fallback reconcile depend on unrelated secret/endpoint checks and can even stamp a restart annotation, which defeats the goal of “best-effort HCP propagation while the pull secret is broken.”

🛠️ Suggested change

 		_, hcpErr := createOrUpdate(ctx, r.Client, hcp, func() error {
-			return reconcileHostedControlPlane(hcp, hcluster, isAutoscalingNeeded, isAWSNodeTerminationHandlerNeeded,
-				annotationsForCertRenewal(log,
-					hcp,
-					shouldCheckForStaleCerts(hcluster, false),
-					r.kasServingCertHashFromSecret(ctx, hcp),
-					r.kasServingCertHashFromEndpoint(kasHostAndPortFromHCP(hcp))))
+			return reconcileHostedControlPlane(
+				hcp,
+				hcluster,
+				isAutoscalingNeeded,
+				isAWSNodeTerminationHandlerNeeded,
+				func() (map[string]string, error) { return nil, nil },
+			)
 		})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`
around lines 681 - 687, The pull-secret fallback path is still calling
shouldCheckForStaleCerts with a hardcoded false which causes cert-hash logic to
run; update the call inside the createOrUpdate reconcile for the
HostedControlPlane (the reconcileHostedControlPlane(...) invocation that builds
annotationsForCertRenewal) to pass the flag that skips stale-cert checks (call
shouldCheckForStaleCerts(hcluster, true) instead of false) so the fallback path
does not perform kasServingCertHashFromSecret/kasServingCertHashFromEndpoint
checks or stamp restart annotations.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/chaos_test.go`:
- Around line 462-528: The test only mutates and asserts Spec.NodeSelector but
the regression covers the request-serving selector annotation; update the test
to also mutate hostedCluster.ObjectMeta.Annotations (set the
RequestServingNodeAdditionalSelector annotation key to a test value) right after
changing Spec.NodeSelector, then add an EventuallyObject check (similar to the
HCP NodeSelector check) that fetches the HostedControlPlane and verifies the
propagated RequestServingNodeAdditionalSelector (or the HCP field that holds
that selector) contains the test value; modify the predicate used in
e2eutil.EventuallyObject (or add a new call) to look for the annotation/field on
the HostedControlPlane and fail the test until propagation is observed.
- Around line 479-545: After capturing the original pull secret data (variable
pullSecret and originalData) and before mutating anything, register a t.Cleanup
closure that restores pullSecret.Data[".dockerconfigjson"] using originalData
and reverts the hostedCluster.Spec.NodeSelector change (capture a copy of the
original nodeSelector map or its value for key "ocpbugs-77268-test"), and have
the closure call mgtClient.Get/Update to restore both the secret and the
hostedCluster NodeSelector; this ensures rollback runs on any test failure—refer
to pullSecret, originalData, hostedCluster.Spec.NodeSelector, and the
NodeSelector key "ocpbugs-77268-test" to locate where to add the t.Cleanup.

---

Duplicate comments:
In `@hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go`:
- Around line 681-687: The pull-secret fallback path is still calling
shouldCheckForStaleCerts with a hardcoded false which causes cert-hash logic to
run; update the call inside the createOrUpdate reconcile for the
HostedControlPlane (the reconcileHostedControlPlane(...) invocation that builds
annotationsForCertRenewal) to pass the flag that skips stale-cert checks (call
shouldCheckForStaleCerts(hcluster, true) instead of false) so the fallback path
does not perform kasServingCertHashFromSecret/kasServingCertHashFromEndpoint
checks or stamp restart annotations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e11a95e2-637a-4ed4-89d6-541e854c5b50

📥 Commits

Reviewing files that changed from the base of the PR and between adcbbe4 and 831514a.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

[coderabbitai]

♻️ Duplicate comments (2)

test/e2e/chaos_test.go (2)

462-465: ⚠️ Potential issue | 🟡 Minor

Comment says annotation is validated, but the test never asserts it.

Lines 462-465 state this covers RequestServingNodeAdditionalSelector, but the body only mutates/asserts Spec.NodeSelector. This can stay green while annotation propagation regresses.

Proposed test hardening

 		if hostedCluster.Spec.NodeSelector == nil {
 			hostedCluster.Spec.NodeSelector = map[string]string{}
 		}
+		if hostedCluster.Annotations == nil {
+			hostedCluster.Annotations = map[string]string{}
+		}
 		hostedCluster.Spec.NodeSelector["ocpbugs-77268-test"] = "true"
+		hostedCluster.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation] = `{"topology.kubernetes.io/zone":"us-east-1a"}`
 		err = mgtClient.Update(ctx, hostedCluster)
 		g.Expect(err).NotTo(HaveOccurred(), "failed to update hostedcluster NodeSelector")
@@
 				func(h *hyperv1.HostedControlPlane) (done bool, reasons string, err error) {
 					val, ok := h.Spec.NodeSelector["ocpbugs-77268-test"]
 					if !ok || val != "true" {
 						return false, "NodeSelector not yet propagated to HCP", nil
 					}
+					if h.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation] != hostedCluster.Annotations[hyperv1.RequestServingNodeAdditionalSelectorAnnotation] {
+						return false, "RequestServingNodeAdditionalSelector not yet propagated to HCP", nil
+					}
 					return true, "NodeSelector propagated to HCP", nil
 				},

Also applies to: 495-528

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/chaos_test.go` around lines 462 - 465, The test
TestPullSecretUnavailable mentions RequestServingNodeAdditionalSelector but
never mutates or asserts it—update the test to mutate the HostedCluster's
RequestServingNodeAdditionalSelector (in addition to Spec.NodeSelector) and then
assert that the HostedControlPlane receives the expected annotation/selector
value; ensure you change the same pattern in the other similar block (the
duplicated assertion block) so both Spec.NodeSelector and
RequestServingNodeAdditionalSelector are modified and verified for propagation
to the HostedControlPlane.

---

479-545: ⚠️ Potential issue | 🟠 Major

Register rollback with t.Cleanup before mutating resources.

If any assertion fails before Line 530, cleanup won’t run and the test can leave the pull secret corrupted.

Suggested fix

 		originalData := pullSecret.Data[".dockerconfigjson"]
 		g.Expect(originalData).NotTo(BeEmpty(), "pull secret should have .dockerconfigjson data")
+		originalNodeSelector := map[string]string{}
+		for k, v := range hostedCluster.Spec.NodeSelector {
+			originalNodeSelector[k] = v
+		}
+
+		t.Cleanup(func() {
+			latestSecret := &corev1.Secret{}
+			if err := mgtClient.Get(ctx, crclient.ObjectKey{
+				Namespace: hostedCluster.Namespace,
+				Name:      hostedCluster.Spec.PullSecret.Name,
+			}, latestSecret); err == nil {
+				latestSecret.Data[".dockerconfigjson"] = originalData
+				_ = mgtClient.Update(ctx, latestSecret)
+			}
+
+			latestHC := &hyperv1.HostedCluster{}
+			if err := mgtClient.Get(ctx, crclient.ObjectKeyFromObject(hostedCluster), latestHC); err == nil {
+				latestHC.Spec.NodeSelector = originalNodeSelector
+				_ = mgtClient.Update(ctx, latestHC)
+			}
+		})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/chaos_test.go` around lines 479 - 545, Register a rollback with
t.Cleanup before you corrupt the pull secret so restoration always runs: capture
originalData and the hostedCluster reference, then call t.Cleanup(func(){ fetch
the latest pullSecret and hostedCluster via mgtClient using ctx, restore
pullSecret.Data[".dockerconfigjson"]=originalData and update it, remove the test
key from hostedCluster.Spec.NodeSelector and update it; log or ignore errors
inside cleanup to avoid masking test failures }). Do this immediately after
reading originalData and before mutating pullSecret or hostedCluster
(references: pullSecret, originalData, hostedCluster, mgtClient, ctx,
hostedCluster.Spec.NodeSelector, t.Cleanup).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test/e2e/chaos_test.go`:
- Around line 462-465: The test TestPullSecretUnavailable mentions
RequestServingNodeAdditionalSelector but never mutates or asserts it—update the
test to mutate the HostedCluster's RequestServingNodeAdditionalSelector (in
addition to Spec.NodeSelector) and then assert that the HostedControlPlane
receives the expected annotation/selector value; ensure you change the same
pattern in the other similar block (the duplicated assertion block) so both
Spec.NodeSelector and RequestServingNodeAdditionalSelector are modified and
verified for propagation to the HostedControlPlane.
- Around line 479-545: Register a rollback with t.Cleanup before you corrupt the
pull secret so restoration always runs: capture originalData and the
hostedCluster reference, then call t.Cleanup(func(){ fetch the latest pullSecret
and hostedCluster via mgtClient using ctx, restore
pullSecret.Data[".dockerconfigjson"]=originalData and update it, remove the test
key from hostedCluster.Spec.NodeSelector and update it; log or ignore errors
inside cleanup to avoid masking test failures }). Do this immediately after
reading originalData and before mutating pullSecret or hostedCluster
(references: pullSecret, originalData, hostedCluster, mgtClient, ctx,
hostedCluster.Spec.NodeSelector, t.Cleanup).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fd265325-9904-41af-8a72-f07c0845e64d

📥 Commits

Reviewing files that changed from the base of the PR and between 831514a and 804ff63.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/chaos_test.go`:
- Around line 493-495: The test currently saves and later restores entire maps
via maps.Clone(hostedCluster.Spec.NodeSelector) and
maps.Clone(hostedCluster.Annotations), which can wipe other reconcilers'
updates; change this to capture only the test-owned keys (the node selector key
"ocpbugs-77268-test" in hostedCluster.Spec.NodeSelector and the annotation key
RequestServingNodeAdditionalSelectorAnnotation in hostedCluster.Annotations),
and in both the cleanup block and the explicit recovery path update the cluster
by setting or deleting only those individual keys (restore the saved value if
present, or delete the key if it was absent) instead of replacing the whole map;
locate uses of hostedCluster, maps.Clone, and the cleanup/recovery blocks and
modify them accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 46ca9f78-947c-4c96-a2b7-42876b92bf8d

📥 Commits

Reviewing files that changed from the base of the PR and between 804ff63 and 508ff9e.

📒 Files selected for processing (3)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller_test.go
• test/e2e/chaos_test.go

✅ Files skipped from review due to trivial changes (1)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

[rafael-azevedo]

/retest

[rafael-azevedo]

/test e2e-aws

[joshbranham]

/retest-required

[rafael-azevedo]

/verified by @rafael-azevedo

[openshift-ci-robot]

@rafael-azevedo: This PR has been marked as verified by @rafael-azevedo.

Details

In response to this:

/verified by @rafael-azevedo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rafael-azevedo]

/retest-required

[rafael-azevedo]

/test e2e-aws

[rafael-azevedo]

/verified by @rafael-azevedo

[openshift-ci-robot]

@rafael-azevedo: No Jira issue with key OCPBUGS-77268 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

/verified by @rafael-azevedo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cblecker]

confirmed a clean rebase. reapplying..
/lgtm

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[cblecker]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[hypershift-jira-solve-ci]

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aks-4-22
• Build ID: 2062249123502886912
• Target: e2e-aks-4-22
• PR: OCPBUGS-77268: reconcile HCP when pull secret is unavailable #8352 (OCPBUGS-77268: reconcile HCP when pull secret is unavailable)
• Failed Step: hypershift-azure-run-e2e (test phase)
• Result: 298 tests, 34 skipped, 7 failures

Test Failure Analysis

Error

0/16 nodes are available: 1 node(s) had untolerated taint {CriticalAddonsOnly: true},
12 Too many pods, 3 Insufficient memory. preemption: not eligible due to preemptionPolicy=Never.

Failed tests:
- TestNodePool/HostedCluster2/ValidateHostedCluster: Degraded=True: UnavailableReplicas(hosted-cluster-config-operator deployment has 1 unavailable replicas)
- TestNodePool/HostedCluster0/ValidateHostedCluster: controlPlaneVersion state is Partial, expected Completed
- TestCreateClusterHABreakGlassCredentials/ValidateHostedCluster: UnavailableReplicas([kube-controller-manager deployment has 1 unavailable replicas, openshift-controller-manager deployment has 1 unavailable replicas])

Summary

The failures are caused by AKS management cluster node resource exhaustion — not by the PR changes. With 10 hosted clusters running in parallel on 16 AKS nodes, the nodes hit pod count and memory limits, leaving critical control-plane pods (hosted-cluster-config-operator, kube-controller-manager, openshift-controller-manager) in Pending/Unschedulable state. The PR's new test TestPullSecretUnavailable passed successfully. This job has a ~29% historical failure rate due to this same infrastructure pressure pattern.

Root Cause

The e2e test suite runs 10 hosted clusters concurrently (with --test.parallel=20) on a 16-node AKS management cluster. During this run, the nodes became saturated:

• 12 of 16 nodes hit their pod count limit ("Too many pods")
• 3 of 16 nodes ran out of memory ("Insufficient memory")
• 1 node had a CriticalAddonsOnly taint that control-plane pods couldn't tolerate

This prevented scheduling of control-plane pods in 3 of the 10 hosted clusters:

1. node-pool-c5js7 (TestNodePool/HostedCluster2): The hosted-cluster-config-operator pod remained Pending with Unschedulable reason since 19:39:08 UTC, causing the deployment to report 1 unavailable replica and the HostedCluster to remain Degraded=True with controlPlaneVersion=Partial.

2. ha-break-glass-creds-gqhs7 (TestCreateClusterHABreakGlassCredentials): Both kube-controller-manager and openshift-controller-manager pods were Pending/Unschedulable with the same "Too many pods / Insufficient memory" message, causing Available=False and Degraded=True.

3. node-pool-x5gqs (TestNodePool/HostedCluster0): The cluster stalled at controlPlaneVersion=Partial with a client rate limiter timeout, also likely due to resource pressure.

This is unrelated to the PR changes. The PR adds:

• A code change in hostedcluster_controller.go (+24/-1) to continue reconciling HCP when pull secret is unavailable
• A unit test in hostedcluster_controller_test.go (+189)
• A new e2e test TestPullSecretUnavailable (+160) which uses NonePlatform with NodePoolReplicas=0 — an extremely lightweight cluster (only 4 pods: 2× cluster-api + 2× control-plane-operator), created in 2 seconds

The new test passed (683.37s, of which 670s was teardown). The 7 other tests that also passed (TestCreateCluster, TestAutoscaling, TestUpgradeControlPlane, etc.) created similarly heavy Azure-backed clusters. The failures are in the subset of clusters that were unlucky in the scheduling lottery on already-saturated nodes.

Recommendations

1. Retest the PR — this is infrastructure flakiness, not a code regression. The e2e-aks-4-22 job has a ~29% historical failure rate (8,555 failures out of ~29,368 completed runs). A /retest should pass.

2. No code changes needed — the PR's TestPullSecretUnavailable test is well-designed:

   • Uses NonePlatform with 0 node pool replicas (minimal resource footprint)
   • Creates/destroys quickly (2s create, ~670s teardown)
   • Only adds 4 pods to the management cluster
   • The test itself passed cleanly

3. Consider filing a separate issue for the chronic AKS node resource exhaustion in e2e-aks-4-22 — the 29% failure rate suggests the test suite consistently over-subscribes the 16-node AKS cluster when all 10 hosted clusters run simultaneously with HA configurations.

Evidence

Evidence	Detail
Scheduling error	0/16 nodes are available: 1 node(s) had untolerated taint {CriticalAddonsOnly: true}, 12 Too many pods, 3 Insufficient memory
HCCO pod status	Pending / Unschedulable since 2026-06-03T19:39:08Z (pod hosted-cluster-config-operator-647577448c-7gw6b)
KCM pod status	Pending / Unschedulable (pod kube-controller-manager-594d77b8b7-pk96n in BreakGlass cluster)
Cluster count	10 hosted clusters running in parallel on 16 AKS nodes
Test parallelism	--test.parallel=20
PR test result	TestPullSecretUnavailable: PASS (683.37s)
PR test footprint	NonePlatform, NodePoolReplicas=0, created in 2s, only 4 pods
Historical flake rate	~29% failure rate (8,555/29,368 completed runs)
Failed HCs	node-pool-c5js7 (Degraded: HCCO unavailable), ha-break-glass-creds-gqhs7 (KCM+OCM unavailable), node-pool-x5gqs (Partial version)
Passed HCs	create-cluster-8b6pl, autoscaling-gvgw9, custom-config-k275f, azure-scheduler-g2nfk, control-plane-upgrade-6fjxs, ha-etcd-chaos-2nnlg, pull-secret-unavailable-g9k5k
Artifacts	.work/prow-job-analyze-test-failure/2062249123502886912/logs/

---

[cblecker]

/retest

[cblecker]

/verified by @rafael-azevedo

[openshift-ci-robot]

@cblecker: This PR has been marked as verified by @rafael-azevedo.

Details

In response to this:

/verified by @rafael-azevedo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@rafael-azevedo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@rafael-azevedo: Jira Issue Verification Checks: Jira Issue OCPBUGS-77268
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-77268 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

What this PR does / why we need it:

When the pull secret is missing or invalid, the HostedCluster reconciler exits before reaching reconcileHostedControlPlane. This prevents RequestServingNodeAdditionalSelector and other spec fields from being propagated to the HCP, breaking HA scheduling for request-serving nodes.

Log the error and call reconcileHostedControlPlane before returning so pod placement decisions continue during a pull secret outage. The error is still returned to trigger a requeue for full reconciliation once the pull secret is restored.

JIRA: OCPBUGS-77268

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-77268

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Bug Fixes

• When a pull secret fetch fails, reconciliation now logs the error and triggers a recovery reconcile of the control plane so pod placement decisions (nodeSelector, autoscaling, node-termination handler) and certificate-related metadata are still processed.

• Tests

• Added unit and parallel e2e tests simulating pull-secret unavailability to verify propagation of nodeSelector, annotations and release image to the control plane and recovery after restoration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-06-06-100407