OCPCLOUD-3442: Migrate four controllers to per-controller condition reporting

[stefanonardo]

Summary

• Migrate CoreCluster, InfraCluster, Kubeconfig, and SecretSync controllers from ClusterOperatorStatusClient (merge-patch, shared top-level conditions) to ControllerResultGenerator (server-side apply, per-controller prefixed conditions)
• Each controller now reports its own Available and Progressing conditions on the ClusterOperator object, which are aggregated into top-level conditions by the ClusterOperator controller
• Delete ClusterOperatorStatusClient and GetClusterOperatorStatusClient — no remaining consumers

Depends on #574

Test plan

• make build passes
• make lint reports 0 issues
• Unit tests pass for all affected packages: corecluster, infracluster, kubeconfig, secretsync, clusteroperator
• Condition assertions added to all four controllers verifying Available/Progressing are written to ClusterOperator on success and error paths
• ClusterOperator aggregation tests updated with all six sub-controllers

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Centralized ClusterOperator status aggregation with automatic operator-version updates when components are up-to-date.
• Bug Fixes
  • Preserve LastTransitionTime when merging conditions and detect/correct stale operator-version entries.
• Refactor
  • Unified reconcile/result flow and standardized status-writing across controllers for more consistent status reporting and requeue behavior.
• Tests
  • Expanded suites validating aggregated conditions, version behavior, and many reconcile permutations.
• Chores
  • Build: added a code-generation step into verify/build targets.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@stefanonardo: This pull request references OCPCLOUD-3442 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Migrate CoreCluster, InfraCluster, Kubeconfig, and SecretSync controllers from ClusterOperatorStatusClient (merge-patch, shared top-level conditions) to ControllerResultGenerator (server-side apply, per-controller prefixed conditions)
• Each controller now reports its own Available and Progressing conditions on the ClusterOperator object, which are aggregated into top-level conditions by the ClusterOperator controller
• Delete ClusterOperatorStatusClient and GetClusterOperatorStatusClient — no remaining consumers

Depends on #574

Test plan

• make build passes
• make lint reports 0 issues
• Unit tests pass for all affected packages: corecluster, infracluster, kubeconfig, secretsync, clusteroperator
• Condition assertions added to all four controllers verifying Available/Progressing are written to ClusterOperator on success and error paths
• ClusterOperator aggregation tests updated with all six sub-controllers

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This PR centralizes ClusterOperator status handling by replacing per-controller ClusterOperatorStatusClient usage with operatorstatus.ControllerResultGenerator and operatorstatus.ReconcileResult, converts Reason to an int-backed enum with generated String(), updates controllers/tests to the new pattern, rewires startup code, and adds a generate target plus stringer tool.

Changes

Operator status management refactor

Layer / File(s)	Summary
Build & codegen tooling Makefile, go.mod	Add generate target (runs go generate ./...) and declare golang.org/x/tools/cmd/stringer in go.mod tools.
Core operatorstatus refactor pkg/operatorstatus/controller_status.go, pkg/operatorstatus/reason_string.go, pkg/operatorstatus/watch_predicates.go	Convert Reason to int-backed enum with generated String(), add operatorVersion in ReconcileResult and WithUpdateOperatorVersion, export MergeConditions and SubConditionType, and refactor WriteClusterOperatorStatus to merge conditions and conditionally patch versions.
Operatorstatus tests & predicates pkg/operatorstatus/controller_status_test.go, pkg/operatorstatus/watch_predicates.go	Migrate tests to envtest, add createClusterOperator/seedOperatorVersion, update assertions to use Reason*.String(), and add ClusterOperatorStatusChanged predicate.

ClusterOperatorController aggregation

Layer / File(s)	Summary
ClusterOperatorController aggregation pkg/controllers/clusteroperator/clusteroperator_controller.go	Redesign to embed client.Client, add ReleaseVersion, aggregate sub-controller conditions, merge with existing conditions, and server-side-apply patch only when changed.
ClusterOperatorController tests pkg/controllers/clusteroperator/clusteroperator_controller_test.go, pkg/controllers/clusteroperator/suite_test.go	Refactor to table-driven rollup aggregation tests; update envtest lifecycle and add helpers for composing/overriding sub-controller conditions.

Sub-controller migration to ResultGenerator pattern

Layer / File(s)	Summary
CoreClusterController pkg/controllers/corecluster/corecluster_controller.go, pkg/controllers/corecluster/corecluster_controller_test.go	Embed client.Client, add ManagedNamespace, use internal reconcile returning ReconcileResult, then write status via WriteClusterOperatorStatus; tests assert sub-condition outcomes.
InfraClusterController pkg/controllers/infracluster/infracluster_controller.go, pkg/controllers/infracluster/infracluster_controller_test.go	Embed client.Client, export ResultGenerator, return ReconcileResult from reconcile helper and write status centrally; tests verify Available/Progressing conditions.
KubeconfigReconciler pkg/controllers/kubeconfig/kubeconfig.go, pkg/controllers/kubeconfig/kubeconfig_test.go	Introduce internal reconcile returning ReconcileResult; convert token-secret-missing path to WaitingOnExternal with 1-minute requeue; tests write and verify ClusterOperator status conditions.
InstallerController pkg/controllers/installer/installer_controller.go	Rename/export result generator and switch reconcile return paths to ResultGenerator.*.
RevisionController pkg/controllers/revision/revision_controller.go, pkg/controllers/revision/revision_controller_test.go	Export ResultGenerator; on up-to-date revisions call WithUpdateOperatorVersion(r.ReleaseVersion) to update operator version; tests assert status.versions behavior and add cases for correcting stale versions.
UserDataSecretController (secretsync) pkg/controllers/secretsync/secret_sync_controller.go, pkg/controllers/secretsync/secret_sync_controller_test.go	Embed client.Client, remove bespoke condition helpers and configv1 import, use ResultGenerator/ReconcileResult, and update tests to assert ClusterOperator conditions (including ephemeral error when source secret missing).

Entry point wiring and common options

Layer / File(s)	Summary
capi-operator startup cmd/capi-operator/main.go	Add errInfrastructurePlatformStatusNotSet, move feature-gate retrieval earlier, add nil-check for infra platform status, and pass Client/ReleaseVersion/IsUnsupportedPlatform into ClusterOperatorController.
capi-controllers startup cmd/capi-controllers/main.go	Construct controllers with runtime Client/Scheme/Config and ManagedNamespace where applicable instead of ClusterOperatorStatusClient.
common options cleanup pkg/commoncmdoptions/commonoptions.go	Remove GetClusterOperatorStatusClient method and prune imports (configv1, operatorstatus, util).

Build system and test helpers

Layer / File(s)	Summary
Build system code generation Makefile, go.mod	Add generate target and stringer tool; wire generate into verify and build.
Test condition matcher pkg/test/conditions.go	toMatcher special-cases fmt.Stringer and matches based on the string representation to support stringified enum comparisons.

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.64% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: migrating four controllers to per-controller condition reporting, directly matching the core objective of this PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names are stable and deterministic. No dynamic information in 91 test titles across 6 modified test files.
Test Structure And Quality	✅ Passed	Tests meet 4/5 requirements: single responsibility, proper BeforeEach/AfterEach, timeouts on Eventually, consistent patterns. Assertions lack helper messages but use By() blocks for context.
Microshift Test Compatibility	✅ Passed	PR adds/modifies Ginkgo unit tests in pkg/controllers, not e2e tests. Check applies only to new e2e tests per instructions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only unit tests (Ginkgo with envtest) in pkg//\_test.go, not e2e tests. SNO check applies to openshift/origin e2e tests only. Not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR refactors controller condition-reporting code; no new scheduling constraints, affinity rules, topology spread constraints, or topology-aware logic added.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations found. Main binaries have no fmt.Print/log.Print statements; klog is configured to stderr via klog.LogToStderr().
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	All test modifications are unit tests using envtest isolation. No IPv4 addresses, no external connectivity, and no IPv6-incompatible patterns found.
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in PR changes.
Container-Privileges	✅ Passed	No Kubernetes/container manifests in PR scope. Changes are Go source code and Makefile only. Check not applicable.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logged. All new logging safely logs status messages, object names, timestamps, and errors without exposing tokens, passwords, API keys, or PII.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign racheljpg for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controllers/kubeconfig/kubeconfig_test.go`:
- Around line 159-160: The test mutates the server-managed field by calling
tokenSecret.SetCreationTimestamp(...) and then cl.Update(ctx, tokenSecret);
remove the SetCreationTimestamp call and only modify fields that are
client-editable (e.g., annotations) so the test updates tokenSecret via
cl.Update(...) without touching metadata.creationTimestamp; locate the
tokenSecret variable and the SetCreationTimestamp invocation in
kubeconfig_test.go and delete that mutation, ensuring subsequent cl.Update(ctx,
tokenSecret) only changes annotations or other writable fields.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c0c49503-59cf-4e6c-b87f-ccc4dd58187f

📥 Commits

Reviewing files that changed from the base of the PR and between 3f1aa11 and eae2e85.

⛔ Files ignored due to path filters (2)

• vendor/golang.org/x/tools/cmd/stringer/stringer.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (26)

• Makefile
• cmd/capi-controllers/main.go
• cmd/capi-operator/main.go
• go.mod
• pkg/commoncmdoptions/commonoptions.go
• pkg/controllers/clusteroperator/clusteroperator_controller.go
• pkg/controllers/clusteroperator/clusteroperator_controller_test.go
• pkg/controllers/clusteroperator/suite_test.go
• pkg/controllers/common_consts.go
• pkg/controllers/corecluster/corecluster_controller.go
• pkg/controllers/corecluster/corecluster_controller_test.go
• pkg/controllers/infracluster/infracluster_controller.go
• pkg/controllers/infracluster/infracluster_controller_test.go
• pkg/controllers/installer/installer_controller.go
• pkg/controllers/kubeconfig/kubeconfig.go
• pkg/controllers/kubeconfig/kubeconfig_test.go
• pkg/controllers/revision/revision_controller.go
• pkg/controllers/revision/revision_controller_test.go
• pkg/controllers/secretsync/secret_sync_controller.go
• pkg/controllers/secretsync/secret_sync_controller_test.go
• pkg/operatorstatus/controller_status.go
• pkg/operatorstatus/controller_status_test.go
• pkg/operatorstatus/operator_status.go
• pkg/operatorstatus/reason_string.go
• pkg/operatorstatus/watch_predicates.go
• pkg/test/conditions.go

💤 Files with no reviewable changes (3)

• pkg/controllers/common_consts.go
• pkg/operatorstatus/operator_status.go
• pkg/commoncmdoptions/commonoptions.go

[stefanonardo]

/hold

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/controllers/clusteroperator/clusteroperator_controller_test.go (1)

94-343: ⚡ Quick win

Use should ... phrasing for table entry names.

Most updated Entry(...) descriptions are "when ..."; switch them to "should ... when ..." to match the test naming convention used in this repo.

As per coding guidelines: Use descriptive test names in 'should...' format in Ginkgo tests (e.g., 'should do nothing').

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controllers/clusteroperator/clusteroperator_controller_test.go` around
lines 94 - 343, The table-driven test Entries in
clusteroperator_controller_test.go use "when ..." phrasing; update each
Entry(...) description to the repository's "should ... when ..." convention
(e.g., change "when all sub-controllers report success" to "should report
success when all sub-controllers report success") so all Entry(...) strings in
the DescribeTable/Entry block (look for the long DescribeTable block containing
Entry("when all sub-controllers report success", ..., defaultNodeTimeout) and
subsequent Entry calls) follow the "should ..." naming pattern while keeping the
rest of each Entry invocation unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controllers/clusteroperator/clusteroperator_controller_test.go`:
- Around line 184-187: The test claims to exercise the "missing sub-conditions"
path but instead sets InstallerControllerAvailable/Progressing to Unknown;
replace the explicit subCondition entries with a helper that removes those types
so the conditions are actually absent. Add the helper function
withoutConditionTypes(base
[]*configv1apply.ClusterOperatorStatusConditionApplyConfiguration, types
...string) []*configv1apply.ClusterOperatorStatusConditionApplyConfiguration (as
shown in the comment) and change the test invocation from
withOverrides(allSubControllersSuccessful(), subCondition(...),
subCondition(...)) to
withOverrides(withoutConditionTypes(allSubControllersSuccessful(),
"InstallerControllerAvailable", "InstallerControllerProgressing")) so
getSubcontrollerCondition is exercised for absent conditions.

---

Nitpick comments:
In `@pkg/controllers/clusteroperator/clusteroperator_controller_test.go`:
- Around line 94-343: The table-driven test Entries in
clusteroperator_controller_test.go use "when ..." phrasing; update each
Entry(...) description to the repository's "should ... when ..." convention
(e.g., change "when all sub-controllers report success" to "should report
success when all sub-controllers report success") so all Entry(...) strings in
the DescribeTable/Entry block (look for the long DescribeTable block containing
Entry("when all sub-controllers report success", ..., defaultNodeTimeout) and
subsequent Entry calls) follow the "should ..." naming pattern while keeping the
rest of each Entry invocation unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a7aeda83-7ff2-4d11-acaa-2f829b7ae886

📥 Commits

Reviewing files that changed from the base of the PR and between eae2e85 and 583d1d8.

📒 Files selected for processing (13)

• cmd/capi-controllers/main.go
• pkg/commoncmdoptions/commonoptions.go
• pkg/controllers/clusteroperator/clusteroperator_controller.go
• pkg/controllers/clusteroperator/clusteroperator_controller_test.go
• pkg/controllers/corecluster/corecluster_controller.go
• pkg/controllers/corecluster/corecluster_controller_test.go
• pkg/controllers/infracluster/infracluster_controller.go
• pkg/controllers/infracluster/infracluster_controller_test.go
• pkg/controllers/kubeconfig/kubeconfig.go
• pkg/controllers/kubeconfig/kubeconfig_test.go
• pkg/controllers/secretsync/secret_sync_controller.go
• pkg/controllers/secretsync/secret_sync_controller_test.go
• pkg/operatorstatus/operator_status.go

💤 Files with no reviewable changes (2)

• pkg/commoncmdoptions/commonoptions.go
• pkg/operatorstatus/operator_status.go

🚧 Files skipped from review as they are similar to previous changes (8)

• cmd/capi-controllers/main.go
• pkg/controllers/infracluster/infracluster_controller_test.go
• pkg/controllers/kubeconfig/kubeconfig_test.go
• pkg/controllers/secretsync/secret_sync_controller_test.go
• pkg/controllers/clusteroperator/clusteroperator_controller.go
• pkg/controllers/infracluster/infracluster_controller.go
• pkg/controllers/corecluster/corecluster_controller_test.go
• pkg/controllers/secretsync/secret_sync_controller.go

[mdbooth]

This should probably be WaitingOnExternal.

You should also check if this controller watches the Infrastructure object (check in SetupWithManager). If it doesn't we'll either need to watch it or also add a RequeueAfter here. Polling should be fine in this case if we don't already have a watch: we don't really expect this to happen.

[stefanonardo]

we don' watch it, I'll requeue it after 1 minute

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/controllers/kubeconfig/kubeconfig.go (1)

147-162: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Return a waiting result after clearing the token secret.

This branch deliberately empties the token data so another controller can repopulate it. Returning Success() here briefly reports Available=True/Progressing=False before the next reconcile flips back to WaitingOnExternal, which makes the ClusterOperator condition false-green during refresh.

Suggested fix

 		if err := r.Update(ctx, tokenSecret); err != nil {
 			return ResultGenerator.Error(fmt.Errorf("unable to clear token secret data: %w", err))
 		}
 
-		return ResultGenerator.Success()
+		return ResultGenerator.WaitingOnExternal("token secret population").WithRequeueAfter(1 * time.Minute)
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controllers/kubeconfig/kubeconfig.go` around lines 147 - 162, The code
clears tokenSecret.Data and sets tokenRefreshAnnotationKey then returns
ResultGenerator.Success(), which briefly marks the operator Available=true;
instead return a waiting result so the operator reflects that it is waiting for
the external token controller to repopulate the secret: after calling
r.Update(ctx, tokenSecret) replace the Success() return with
ResultGenerator.WaitingOnExternal() (or the appropriate Waiting result used
elsewhere) so reconcile reports a waiting state until the token is restored;
update references around tokenSecret, tokenRefreshAnnotationKey, r.Update, and
ResultGenerator accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/controllers/kubeconfig/kubeconfig.go`:
- Around line 147-162: The code clears tokenSecret.Data and sets
tokenRefreshAnnotationKey then returns ResultGenerator.Success(), which briefly
marks the operator Available=true; instead return a waiting result so the
operator reflects that it is waiting for the external token controller to
repopulate the secret: after calling r.Update(ctx, tokenSecret) replace the
Success() return with ResultGenerator.WaitingOnExternal() (or the appropriate
Waiting result used elsewhere) so reconcile reports a waiting state until the
token is restored; update references around tokenSecret,
tokenRefreshAnnotationKey, r.Update, and ResultGenerator accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 265a4a4f-618d-4950-b037-566ee03e1f5b

📥 Commits

Reviewing files that changed from the base of the PR and between cbd5749 and 181c66b.

📒 Files selected for processing (13)

• cmd/capi-controllers/main.go
• pkg/commoncmdoptions/commonoptions.go
• pkg/controllers/clusteroperator/clusteroperator_controller.go
• pkg/controllers/clusteroperator/clusteroperator_controller_test.go
• pkg/controllers/corecluster/corecluster_controller.go
• pkg/controllers/corecluster/corecluster_controller_test.go
• pkg/controllers/infracluster/infracluster_controller.go
• pkg/controllers/infracluster/infracluster_controller_test.go
• pkg/controllers/kubeconfig/kubeconfig.go
• pkg/controllers/kubeconfig/kubeconfig_test.go
• pkg/controllers/secretsync/secret_sync_controller.go
• pkg/controllers/secretsync/secret_sync_controller_test.go
• pkg/operatorstatus/operator_status.go

💤 Files with no reviewable changes (2)

• pkg/operatorstatus/operator_status.go
• pkg/commoncmdoptions/commonoptions.go

🚧 Files skipped from review as they are similar to previous changes (10)

• pkg/controllers/secretsync/secret_sync_controller_test.go
• cmd/capi-controllers/main.go
• pkg/controllers/kubeconfig/kubeconfig_test.go
• pkg/controllers/corecluster/corecluster_controller_test.go
• pkg/controllers/infracluster/infracluster_controller.go
• pkg/controllers/infracluster/infracluster_controller_test.go
• pkg/controllers/clusteroperator/clusteroperator_controller_test.go
• pkg/controllers/secretsync/secret_sync_controller.go
• pkg/controllers/clusteroperator/clusteroperator_controller.go
• pkg/controllers/corecluster/corecluster_controller.go

[stefanonardo]

/test unit

[openshift-ci]

@stefanonardo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.