OCPBUGS-77856: fix: use NodePort for HCP router Service on non-cloud platforms

[vsolanki12]

What this PR does / why we need it:

On non-cloud platforms (Agent, KubeVirt, OpenStack, None), the HCP router Service was unconditionally created as LoadBalancer. Since these platforms lack a cloud LB controller, the Service stays pending forever, blocking InfrastructureReady and preventing the hosted control plane from becoming available.

Three code paths are fixed:

• ReconcileRouterService: use NodePort for non-cloud platforms instead of unconditional LoadBalancer
• reconcileRouterServiceStatus: add NodePort guard before calling CollectLBMessageIfNotProvisioned
• kas.ReconcileServiceStatus: add NodePort guard in the Route case

Which issue(s) this PR fixes:

Fixes OCPBUGS-77856

Special notes for your reviewer:

• PowerVS is intentionally left as LoadBalancer since it has cloud LB support via IBM Cloud VPC.
• LoadBalancerSourceRanges on NodePort services is harmless — Kubernetes ignores this field for non-LoadBalancer types.
• The etcd-upload/s3_uploader_mock.go build failure in CI is a pre-existing issue on main, unrelated to this PR.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Bug Fixes

  • Improved router service configuration to use appropriate service types based on hosting platform (NodePort for non-cloud platforms, LoadBalancer for cloud platforms).
  • Enhanced NodePort service handling for proper route publishing with correct host and port configuration.

• Tests

  • Added test coverage for platform-specific router service type behavior.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@vsolanki12: This pull request references Jira Issue OCPBUGS-77856, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

On non-cloud platforms (Agent, KubeVirt, OpenStack, None), the HCP router Service was unconditionally created as LoadBalancer. Since these platforms lack a cloud LB controller, the Service stays pending forever, blocking InfrastructureReady and preventing the hosted control plane from becoming available.

Three code paths are fixed:

• ReconcileRouterService: use NodePort for non-cloud platforms instead of unconditional LoadBalancer
• reconcileRouterServiceStatus: add NodePort guard before calling CollectLBMessageIfNotProvisioned
• kas.ReconcileServiceStatus: add NodePort guard in the Route case

Which issue(s) this PR fixes:

Fixes OCPBUGS-77856

Special notes for your reviewer:

• PowerVS is intentionally left as LoadBalancer since it has cloud LB support via IBM Cloud VPC.
• LoadBalancerSourceRanges on NodePort services is harmless — Kubernetes ignores this field for non-LoadBalancer types.
• The etcd-upload/s3_uploader_mock.go build failure in CI is a pre-existing issue on main, unrelated to this PR.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces platform-aware service type selection for the router service in the hosted control plane. When reconciling the router service, the service type is now conditionally assigned: NodePort is used for non-cloud platforms (AgentPlatform, KubevirtPlatform, OpenStackPlatform, NonePlatform), while LoadBalancer is used for cloud platforms. Corresponding changes were made to handle NodePort services in status reconciliation, where the ClusterIP is returned as the host instead of collecting load balancer information. Additional test coverage was added to verify service type behavior across platform categories.

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check requires Ginkgo test review (It blocks, BeforeEach/AfterEach) but PR adds standard Go unit tests (func TestXxx). Check and code patterns are mismatched.	Clarify if check applies to standard Go tests, or if Ginkgo tests were expected. The actual tests added are well-structured and follow codebase patterns, but assessment cannot confirm alignment with instructions meant for Ginkgo.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: using NodePort for the HCP router Service on non-cloud platforms, which directly addresses the core problem identified in the PR objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test names use static enum constants, not generated values. Platform types are immutable and deterministic across all test runs.
Microshift Test Compatibility	✅ Passed	These are standard Go unit tests (func TestXxx), not Ginkgo e2e tests. The check applies only to Ginkgo patterns like It(), Describe(), etc., which are absent here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests. New tests are standard Go unit tests (func TestXxx(t *testing.T)), not Ginkgo-based e2e tests. The check applies only to Ginkgo tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no topology-unsafe scheduling constraints. Changes are limited to Service type and status handling, benefiting multiple topologies by supporting NodePort on non-cloud platforms.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations found. PR contains only controller logic and unit tests with no process-level stdout writes. fmt.Sprintf is only used inside test execution blocks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The new tests are standard Go unit tests using testing.T, not Ginkgo e2e tests. The check applies only to Ginkgo e2e tests (Describe, It, Context, When, etc.), so it's not applicable here.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vsolanki12
Once this PR has been reviewed and has the lgtm label, please assign csrwng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@vsolanki12: This pull request references Jira Issue OCPBUGS-77856, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

Details

In response to this:

What this PR does / why we need it:

On non-cloud platforms (Agent, KubeVirt, OpenStack, None), the HCP router Service was unconditionally created as LoadBalancer. Since these platforms lack a cloud LB controller, the Service stays pending forever, blocking InfrastructureReady and preventing the hosted control plane from becoming available.

Three code paths are fixed:

• ReconcileRouterService: use NodePort for non-cloud platforms instead of unconditional LoadBalancer
• reconcileRouterServiceStatus: add NodePort guard before calling CollectLBMessageIfNotProvisioned
• kas.ReconcileServiceStatus: add NodePort guard in the Route case

Which issue(s) this PR fixes:

Fixes OCPBUGS-77856

Special notes for your reviewer:

• PowerVS is intentionally left as LoadBalancer since it has cloud LB support via IBM Cloud VPC.
• LoadBalancerSourceRanges on NodePort services is harmless — Kubernetes ignores this field for non-LoadBalancer types.
• The etcd-upload/s3_uploader_mock.go build failure in CI is a pre-existing issue on main, unrelated to this PR.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Bug Fixes

• Improved router service configuration to use appropriate service types based on hosting platform (NodePort for non-cloud platforms, LoadBalancer for cloud platforms).

• Enhanced NodePort service handling for proper route publishing with correct host and port configuration.

• Tests

• Added test coverage for platform-specific router service type behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

❌ Patch coverage is 35.29412% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 37.44%. Comparing base (a62eefd) to head (ccc8bcb).
⚠️ Report is 14 commits behind head on main.

Files with missing lines	Patch %	Lines
...ator/controllers/hostedcontrolplane/kas/service.go	0.00%	6 Missing ⚠️
...ator/controllers/hostedcontrolplane/infra/infra.go	16.66%	4 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8439   +/-   ##
=======================================
  Coverage   37.44%   37.44%           
=======================================
  Files         751      751           
  Lines       91969    91984   +15     
=======================================
+ Hits        34435    34443    +8     
- Misses      54894    54900    +6     
- Partials     2640     2641    +1     

Files with missing lines	Coverage Δ
...r/controllers/hostedcontrolplane/ingress/router.go	59.59% <100.00%> (+5.91%)	⬆️
...ator/controllers/hostedcontrolplane/infra/infra.go	50.08% <16.66%> (-0.46%)	⬇️
...ator/controllers/hostedcontrolplane/kas/service.go	40.18% <0.00%> (-0.75%)	⬇️

Flag	Coverage Δ
cmd-support	32.63% <ø> (ø)
cpo-hostedcontrolplane	36.49% <35.29%> (+0.01%)	⬆️
cpo-other	37.73% <ø> (ø)
hypershift-operator	47.93% <ø> (ø)
other	27.77% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/kas/service.go`:
- Around line 170-173: The NodePort branch dereferences strategy.Route without
checking for nil, which can panic; update the NodePort handling in service.go so
you first check if strategy.Route is non-nil (and optionally that
strategy.Route.Hostname is non-empty) before reading strategy.Route.Hostname and
assigning host/port—e.g. wrap the host = strategy.Route.Hostname and port = 443
assignments inside an if strategy.Route != nil { ... } block (keeping the
existing svc.Spec.Ports and NodePort checks intact) so no nil dereference
occurs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 34176f5e-a42c-4fab-9813-0c0e14dc16ec

📥 Commits

Reviewing files that changed from the base of the PR and between a62eefd and ccc8bcb.

📒 Files selected for processing (4)

• control-plane-operator/controllers/hostedcontrolplane/infra/infra.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router.go
• control-plane-operator/controllers/hostedcontrolplane/ingress/router_test.go
• control-plane-operator/controllers/hostedcontrolplane/kas/service.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Guard against nil strategy.Route before dereference.

Line 172 can panic when strategy.Route is nil (strategy.Route.Hostname). Please add a nil check before reading hostname in this new NodePort Route branch.

Suggested fix

 	case hyperv1.Route:
 		if svc.Spec.Type == corev1.ServiceTypeNodePort {
 			if len(svc.Spec.Ports) > 0 && svc.Spec.Ports[0].NodePort != 0 {
-				host = strategy.Route.Hostname
-				port = 443
+				if strategy.Route != nil && strategy.Route.Hostname != "" {
+					host = strategy.Route.Hostname
+					port = 443
+				}
 			}
 			return
 		}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if svc.Spec.Type == corev1.ServiceTypeNodePort {
	if len(svc.Spec.Ports) > 0 && svc.Spec.Ports[0].NodePort != 0 {
	host = strategy.Route.Hostname
	port = 443
	if svc.Spec.Type == corev1.ServiceTypeNodePort {
	if len(svc.Spec.Ports) > 0 && svc.Spec.Ports[0].NodePort != 0 {
	if strategy.Route != nil && strategy.Route.Hostname != "" {
	host = strategy.Route.Hostname
	port = 443
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@control-plane-operator/controllers/hostedcontrolplane/kas/service.go` around
lines 170 - 173, The NodePort branch dereferences strategy.Route without
checking for nil, which can panic; update the NodePort handling in service.go so
you first check if strategy.Route is non-nil (and optionally that
strategy.Route.Hostname is non-empty) before reading strategy.Route.Hostname and
assigning host/port—e.g. wrap the host = strategy.Route.Hostname and port = 443
assignments inside an if strategy.Route != nil { ... } block (keeping the
existing svc.Spec.Ports and NodePort checks intact) so no nil dereference
occurs.

[vsolanki12]

How about the other factors, example Line 180 (host = strategy.Route.Hostname) is the existing code — it also accesses strategy.Route.Hostname without a nil check. If we add a nil guard on line 172 but the existing line 180 doesn't have one, we'd be inconsistent, and the existing code would still panic in that scenario.
In practice, when strategy.Type == hyperv1.Route, strategy.Route should always be populated — that's an API contract. Adding a nil check only in our new block while the original code doesn't have one doesn't add real safety.

what do you think in this prospective as well.

[coderabbitai]

@vsolanki12, that's a fair and thoughtful point. You're right that adding a guard at line 172 while line 180 remains unchecked creates internal inconsistency within ReconcileServiceStatus, and the API contract argument has real merit — callers are generally expected to populate strategy.Route when strategy.Type == Route.

That said, I'd note there are two clean ways to resolve this:

Option A — Accept the API contract, add no guard (your argument):
Keep both lines 172 and 180 without nil checks, relying on the contract that strategy.Route is always non-nil when strategy.Type == Route. This is internally consistent and the simpler approach.

Option B — Harden both, aligning with the pattern used elsewhere:
Looking at ReconcileKonnectivityServerServiceStatus in the same file, that function does include a nil check:

if strategy.Route != nil && strategy.Route.Hostname != "" {
    host = strategy.Route.Hostname
    port = 443
    return
}

So the codebase already has precedent for defensive nil checks on strategy.Route in service status functions. The most consistent approach across both functions would be to harden line 180 as well, not just line 172:

case hyperv1.Route:
    if svc.Spec.Type == corev1.ServiceTypeNodePort {
        if len(svc.Spec.Ports) > 0 && svc.Spec.Ports[0].NodePort != 0 {
            if strategy.Route != nil && strategy.Route.Hostname != "" {
                host = strategy.Route.Hostname
                port = 443
            }
        }
        return
    }
    if message, err := k8sutil.CollectLBMessageIfNotProvisioned(svc, messageCollector); err != nil || message != "" {
        return host, port, message, err
    }
    if strategy.Route != nil && strategy.Route.Hostname != "" {  // also guard existing line 180
        host = strategy.Route.Hostname
    }
    port = 443

Either option is defensible — Option A is fine if you're confident in caller discipline, but Option B brings ReconcileServiceStatus in line with how ReconcileKonnectivityServerServiceStatus already handles this. The choice is yours.

[vsolanki12]

/auto-cc

[hypershift-jira-solve-ci]

Now I have the complete picture. Here is the analysis:

Test Failure Analysis Complete

Job Information

• Prow Job: codecov/patch
• Build ID: 74782385286
• PR: OCPBUGS-77856: fix: use NodePort for HCP router Service on non-cloud platforms #8439 — OCPBUGS-77856: fix: use NodePort for HCP router Service on non-cloud platforms
• Check: codecov/patch (GitHub App check, not a Prow CI job)
• Result: 35.29% patch coverage (target: 37.44%)

Test Failure Analysis

Error

Patch coverage is 35.29% with 11 lines in your changes missing coverage.
Target is 37.44%. Files:
  - kas/service.go: 0.00% patch coverage (6 lines missing)
  - infra/infra.go: 16.66% patch coverage (4 missing, 1 partial)

Summary

The codecov/patch check failed because 11 of the 17 new lines added in this PR have zero unit test coverage. The PR adds unit tests for ingress/router.go (100% covered), but adds no tests for the two other files it modifies: the new NodePort guard in kas/service.go (ReconcileServiceStatus function, Route strategy path) is entirely untested (0/6 lines), and the new NodePort guard in infra/infra.go (reconcileRouterServiceStatus function) is almost entirely untested (1/6 lines, with 1 partial). This drops the patch coverage to 35.29%, below Codecov's 37.44% target threshold.

Root Cause

The PR introduces three logically parallel code changes — all adding NodePort handling for non-cloud platforms — but only writes tests for one of them:

1. ingress/router.go — ReconcileRouterService: Adds a switch on hcp.Spec.Platform.Type to set ServiceTypeNodePort for Agent, KubeVirt, OpenStack, and None platforms. Two new test functions cover this fully (TestReconcileRouterService_NonCloudPlatformsUseNodePort and TestReconcileRouterService_CloudPlatformsUseLoadBalancer). ✅ 100% covered.

2. kas/service.go — ReconcileServiceStatus (lines 170–176): Adds a NodePort early-return guard in the hyperv1.Route case, returning strategy.Route.Hostname and port 443 when the service is NodePort. No test exists — the existing service_test.go only tests ReconcileService (a different function). ❌ 0% covered (6 lines).

3. infra/infra.go — reconcileRouterServiceStatus (lines 712–717): Adds a NodePort early-return guard, returning svc.Spec.ClusterIP as the host when the service is NodePort. No test covers the NodePort scenario — existing tests in infra_test.go do exercise this function but only with LoadBalancer service types. ❌ 16.66% covered (only the if svc.Spec.Type == check line is partially hit; the inner block is never reached).

The overall patch coverage (6 covered / 17 total = 35.29%) falls below the repository's Codecov target (37.44%), triggering the check failure.

Recommendations

1. Add unit tests for kas.ReconcileServiceStatus with NodePort + Route strategy: Create test cases in control-plane-operator/controllers/hostedcontrolplane/kas/service_test.go that call ReconcileServiceStatus with a corev1.Service of type NodePort (with a populated Ports[0].NodePort) and a ServicePublishingStrategy of type Route. Assert that host equals strategy.Route.Hostname and port equals 443.

2. Add unit tests for infra.reconcileRouterServiceStatus with NodePort service: Add test cases in control-plane-operator/controllers/hostedcontrolplane/infra/infra_test.go (or a new test file) that exercise reconcileRouterServiceStatus with a corev1.Service of type NodePort with a valid ClusterIP and Ports[0].NodePort. Assert that host equals the service's ClusterIP.

3. Consider edge cases: Both new code blocks check len(svc.Spec.Ports) > 0 && svc.Spec.Ports[0].NodePort != 0. Add negative test cases where Ports is empty or NodePort is 0 to verify the early-return correctly returns an empty host in those scenarios.

4. No code logic changes needed: The functional code itself is correct. This is purely a test coverage gap — only new tests need to be added.

Evidence

Evidence	Detail
Check run conclusion	failure — patch coverage 35.29% below 37.44% target
ingress/router.go patch coverage	100% — fully covered by TestReconcileRouterService_NonCloudPlatformsUseNodePort and TestReconcileRouterService_CloudPlatformsUseLoadBalancer
kas/service.go patch coverage	0.00% — 6 new lines (NodePort guard in Route case of ReconcileServiceStatus) with zero test coverage
infra/infra.go patch coverage	16.66% — 4 lines missing + 1 partial (NodePort guard in reconcileRouterServiceStatus)
kas/service_test.go	Exists but only tests ReconcileService, not ReconcileServiceStatus — no test reaches the new code path
infra/infra_test.go	Exists and calls reconcileRouterServiceStatus but no test uses a NodePort-type service — new code path unreachable
Lines missing (total)	11 of 17 new lines = 64.7% uncovered
Codecov report comment	Confirms files, line counts, and per-file patch percentages exactly matching the above analysis

---