@sjenning sjenning commented Dec 17, 2025

This PR caches the local zone ID when not using a shared VPC to avoid an AWS Route53 ListHostedZones call on every reconcile.


Note

Caches and reuses the Route53 local hosted zone ID via clientBuilder to avoid repeated lookups, adding getter/setter and updating reconciliation logic.

  • Controllers (AWS PrivateLink):
    • Caching: Persist localZoneID in clientBuilder and avoid resetting it when not using Shared VPC.
    • API updates: Rename localHostedZoneID() to getLocalHostedZoneID(); add setLocalHostedZoneID(string).
    • Reconcile changes: Perform lookupZoneID once and store via setLocalHostedZoneID; subsequent reconciles use getLocalHostedZoneID() instead of calling Route53 each time.

Written by Cursor Bugbot for commit 6237410. This will update automatically on new commits. Configure here.

This PR caches the local zone ID when not using a shared VPC to
avoid an AWS Route53 ListHostedZones call on every reconcile.

openshift-ci bot commented Dec 17, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 17, 2025

coderabbitai bot commented Dec 17, 2025

Walkthrough

This pull request refactors the AWS client builder in the awsprivatelink controller to replace direct method access to local hosted zone ID with a getter/setter API pattern. The previous localHostedZoneID() method is replaced with getLocalHostedZoneID() and setLocalHostedZoneID() methods, with all internal call sites updated accordingly.

Changes

| Cohort / File(s) | Summary |
|---|---|
| AWS PrivateLink Controller Refactoring: control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go | Replaced direct field access method localHostedZoneID() with getter getLocalHostedZoneID() and setter setLocalHostedZoneID(zoneID string). Updated all call sites to use the new accessor methods. Logic now triggers lookup when ID is empty and stores result via setter. |
| Dependency Manifest: go.mod | Manifest file analyzed; no changes documented. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify all call sites to localHostedZoneID() have been updated to use getLocalHostedZoneID() or setLocalHostedZoneID() as appropriate
  • Confirm the encapsulation logic around initialization and lookup of hosted zone ID is correct, particularly around the empty ID check triggering a new lookup
  • Ensure no logic errors were introduced during the method extraction and refactoring

@openshift-ci openshift-ci bot added do-not-merge/needs-area area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/platform/aws PR/issue for AWS (AWSPlatform) platform and removed do-not-merge/needs-area labels Dec 17, 2025

openshift-ci bot commented Dec 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 17, 2025
@sjenning
Contributor Author

@coderabbitai review


coderabbitai bot commented Dec 17, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@sjenning sjenning changed the title from "fix(awseps): cache local zone ID in non-shared VPC case" to "NO-JIRA: fix(awseps): cache local zone ID in non-shared VPC case" Dec 17, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 17, 2025
@openshift-ci-robot

@sjenning: This pull request explicitly references no jira issue.

Details

In response to this:

This PR caches the local zone ID when not using a shared VPC to avoid an AWS Route53 ListHostedZones call on every reconcile.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go (1)

701-709: Consider clearing cached zone ID when transitioning from shared to non-shared VPC.

The caching logic works correctly for the primary use case (non-shared VPC). However, when transitioning from shared VPC to non-shared VPC, the localZoneID field retains its value from the shared VPC configuration (set on line 305) rather than being cleared and re-looked up.

In setFromHCP (lines 306-309), consider explicitly clearing b.localZoneID = "" in the else branch to ensure a fresh lookup occurs when switching to non-shared VPC mode.

Apply this diff to ensure zone ID is re-looked up when transitioning to non-shared VPC:

 	} else {
 		b.assumeSharedVPCEndpointRoleARN = ""
 		b.assumeSharedVPCRoute53RoleARN = ""
+		b.localZoneID = ""
 	}
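
Review bot: re-adding `b.localZoneID = ""` in this else branch clears the cached ID each time the branch runs, which is the reset the PR summary says it removes ("avoid resetting it when not using Shared VPC"), so the Route53 lookup would come back on those reconciles. If the shared to non-shared case has to be handled, clear the ID only when the previous state was shared VPC, for example when assumeSharedVPCRoute53RoleARN was non-empty on entry to the branch.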

Note: While this scenario (shared→non-shared transition) may be rare in practice, clearing the cached value ensures correctness if such transitions occur.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 30a1781 and 6237410.

📒 Files selected for processing (1)
  • control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go (2 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Red Hat Konflux / control-plane-operator-main-on-pull-request
  • GitHub Check: Red Hat Konflux / hypershift-operator-main-on-pull-request
  • GitHub Check: Red Hat Konflux / hypershift-release-mce-211-on-pull-request
  • GitHub Check: Red Hat Konflux / hypershift-cli-mce-211-on-pull-request
🔇 Additional comments (2)
control-plane-operator/controllers/awsprivatelink/awsprivatelink_controller.go (2)

254-259: LGTM: Thread-safe getter implementation.

The method correctly uses mutex protection to safely read the cached zone ID.


261-266: LGTM: Thread-safe setter implementation.

The method correctly uses mutex protection to safely update the cached zone ID.


csrwng commented Dec 17, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 17, 2025

csrwng commented Dec 17, 2025

/test e2e-aws-minimal

@sjenning
Contributor Author

/verified by e2e artifacts

@sjenning sjenning marked this pull request as ready for review December 18, 2025 02:48
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 18, 2025
@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Dec 18, 2025
@openshift-ci-robot

@sjenning: This PR has been marked as verified by e2e artifacts.

Details

In response to this:

/verified by e2e artifacts


@openshift-ci-robot

@sjenning: This pull request explicitly references no jira issue.

Details

In response to this:

This PR caches the local zone ID when not using a shared VPC to avoid an AWS Route53 ListHostedZones call on every reconcile.


[!NOTE]
Cursor Bugbot is generating a summary for commit 6237410. Configure here.


@openshift-ci openshift-ci bot requested review from bryan-cox and enxebre December 18, 2025 02:49
b.assumeSharedVPCEndpointRoleARN = ""
b.assumeSharedVPCRoute53RoleARN = ""
b.localZoneID = ""
}
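
Review bot: the `b.localZoneID = ""` line in this else branch is the reset the thread describes as removed, and nothing in the visible lines records why a cached ID is safe to keep here. A short comment on the branch stating that the ID is retained on purpose as a cache, and that moving a cluster to or from shared VPC is unsupported, would keep a later change from silently depending on or reintroducing the reset.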

Bug: Stale zone ID used after SharedVPC removal

When transitioning from SharedVPC to non-SharedVPC, the cached localZoneID from the SharedVPC spec is not cleared because the b.localZoneID = "" line was removed from the else branch in setFromHCP. This means that after such a transition, getLocalHostedZoneID() returns the old SharedVPC zone ID instead of empty string, causing the lookupZoneID call to be skipped. DNS records would then be created in the wrong hosted zone. The warnOnDifferentValues function will log a warning but the stale value is still used.


Contributor Author

we do not support transitioning to/from shared VPC
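
The stale-cache case raised in this thread, as an added Go example that is not code from the PR: the cached ID is kept across non-shared reconciles and dropped only when the mode changes from shared to non-shared. The `zoneCache` type, its methods and the stubbed lookup are hypothetical; only the idea of caching the local zone ID comes from the PR.

```go
package main

import "fmt"
import "sync"

// zoneCache is a hypothetical stand-in for the PR's clientBuilder.
type zoneCache struct {
	mu        sync.Mutex
	zoneID    string
	sharedVPC bool // mode seen on the previous reconcile
}

// setMode records this reconcile's mode. Shared VPC takes the zone ID from the
// spec; leaving shared mode drops it; staying non-shared keeps the cache.
func (c *zoneCache) setMode(shared bool, specZoneID string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if shared {
		c.zoneID = specZoneID
	} else if c.sharedVPC { // shared -> non-shared transition
		c.zoneID = ""
	}
	c.sharedVPC = shared
}

// resolve calls lookup (standing in for the Route53 listing) only on a miss.
func (c *zoneCache) resolve(lookup func() (string, error)) (string, error) {
	c.mu.Lock() // held across lookup so concurrent reconciles do not both call it
	defer c.mu.Unlock()
	if c.zoneID != "" {
		return c.zoneID, nil
	}
	id, err := lookup()
	if err != nil {
		return "", err // failures are not cached
	}
	c.zoneID = id
	return id, nil
}

func main() {
	calls, c := 0, &zoneCache{}
	lookup := func() (string, error) { calls++; return "Z-LOCAL-CONSTRUCTED", nil }
	for i := 0; i < 3; i++ {
		c.setMode(false, "")
		c.resolve(lookup)
	}
	fmt.Println("reconciles: 3, lookups:", calls)
}
```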

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 6f8612e and 2 for PR HEAD 6237410 in total

@sjenning
Contributor Author

/retest-required

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD c33b48b and 1 for PR HEAD 6237410 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD ff985bc and 0 for PR HEAD 6237410 in total

@openshift-ci-robot

/hold

Revision 6237410 was retested 3 times: holding

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 19, 2025
@sjenning
Contributor Author

/retest-required

@sjenning
Contributor Author

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 19, 2025
@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 780f88b and 2 for PR HEAD 6237410 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 351f6ae and 1 for PR HEAD 6237410 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD da2f23d and 0 for PR HEAD 6237410 in total

@openshift-ci-robot

/hold

Revision 6237410 was retested 3 times: holding

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 24, 2025
@bryan-cox
Member

/retest

@bryan-cox
Member

/test e2e-aks

@bryan-cox
Member

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 5, 2026
@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD c1d28e3 and 2 for PR HEAD 6237410 in total

@bryan-cox
Member

/test e2e-aks-4-21

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 941f016 and 1 for PR HEAD 6237410 in total

@bryan-cox
Member

/test e2e-aks-4-21

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 4df061e and 0 for PR HEAD 6237410 in total


openshift-ci bot commented Jan 7, 2026

@sjenning: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit f8131e5 into openshift:main Jan 7, 2026
23 checks passed