fix: OCPBUGS-87162: Validate restore --hc-name matches backup namespaces

[dpateriya]

Summary

• Validate that the --hc-name / --hc-namespace provided to hypershift create oadp-restore match the cluster name stored in the backup's spec.includedNamespaces, preventing silently partial restores when mismatched
• Clarify --hc-name and --hc-namespace flag descriptions to indicate they must match the original backed-up cluster

Problem

When a user runs hypershift create oadp-restore --hc-name restore-example against a backup of cluster example, the CLI computes includedNamespaces: [clusters, clusters-restore-example]. Since clusters-restore-example doesn't exist in the backup (it has clusters-example), the Velero Restore completes successfully but only restores resources from the shared HC namespace — the entire control plane namespace is silently skipped.

The restore reports phase: Completed with itemsRestored: 19 even though no HostedControlPlane, deployments, statefulsets, or other control plane resources were restored.

Fix

After confirming the backup exists and is Completed, read its spec.includedNamespaces and verify the expected HCP namespace ({hcNamespace}-{hcName}) is present. In non-render mode, return a hard error with a clear message showing the expected vs actual namespaces. In render mode, log a warning but proceed (consistent with existing render mode behavior).

Test plan

• New unit test TestValidateBackupNamespaceMatch covering:
  • Matching namespaces pass validation
  • Mismatched --hc-name fails with clear error
  • Mismatched --hc-namespace fails with clear error
  • Render mode with mismatch warns but does not fail
  • Backup without includedNamespaces skips validation gracefully
  • Matching namespaces with additional namespaces pass
• All existing cmd/oadp/ unit tests continue to pass

Jira: https://redhat.atlassian.net/browse/OCPBUGS-87162

Made with Cursor

Summary by CodeRabbit

• New Features

  • Validation now checks that a backup includes the expected control-plane namespace during restore operations.

• Improvements

  • Clarified --hc-name and --hc-namespace flag help text to state they must match the original backed-up cluster.
  • Restore validation behavior adjusted: mismatches produce errors in normal runs and warnings in render/preview mode.

• Tests

  • Added tests covering namespace-matching and render-mode behavior.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@dpateriya: This pull request references Jira Issue OCPBUGS-87162, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Validate that the --hc-name / --hc-namespace provided to hypershift create oadp-restore match the cluster name stored in the backup's spec.includedNamespaces, preventing silently partial restores when mismatched
• Clarify --hc-name and --hc-namespace flag descriptions to indicate they must match the original backed-up cluster

Problem

When a user runs hypershift create oadp-restore --hc-name restore-example against a backup of cluster example, the CLI computes includedNamespaces: [clusters, clusters-restore-example]. Since clusters-restore-example doesn't exist in the backup (it has clusters-example), the Velero Restore completes successfully but only restores resources from the shared HC namespace — the entire control plane namespace is silently skipped.

The restore reports phase: Completed with itemsRestored: 19 even though no HostedControlPlane, deployments, statefulsets, or other control plane resources were restored.

Fix

After confirming the backup exists and is Completed, read its spec.includedNamespaces and verify the expected HCP namespace ({hcNamespace}-{hcName}) is present. In non-render mode, return a hard error with a clear message showing the expected vs actual namespaces. In render mode, log a warning but proceed (consistent with existing render mode behavior).

Test plan

• New unit test TestValidateBackupNamespaceMatch covering:
• Matching namespaces pass validation
• Mismatched --hc-name fails with clear error
• Mismatched --hc-namespace fails with clear error
• Render mode with mismatch warns but does not fail
• Backup without includedNamespaces skips validation gracefully
• Matching namespaces with additional namespaces pass
• All existing cmd/oadp/ unit tests continue to pass

Jira: https://redhat.atlassian.net/browse/OCPBUGS-87162

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dpateriya
Once this PR has been reviewed and has the lgtm label, please assign jparrill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dpateriya]

/retest

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ddceeed1-3a50-4a64-b2d7-4c1632fd1c8e

📥 Commits

Reviewing files that changed from the base of the PR and between 43ac4c1 and 422eb82.

📒 Files selected for processing (2)

• cmd/oadp/restore.go
• cmd/oadp/restore_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/oadp/restore.go
• cmd/oadp/restore_test.go

---

📝 Walkthrough

Walkthrough

This PR adds validation to the restore command to ensure the Velero backup includes the expected HCP control-plane namespace. The --hc-name and --hc-namespace flag descriptions are updated to emphasize they must match the original backed-up cluster. The validateBackupExists function now checks that spec.includedNamespaces contains the derived control-plane namespace, returning an error in normal mode if absent or logging a warning in render mode. A comprehensive table-driven test validates all scenarios including matching namespaces, mismatches, and nil includedNamespaces.

Sequence Diagram(s)

sequenceDiagram
  participant CLI
  participant validateBackupExists
  participant VeleroAPI
  participant BackupSpec
  CLI->>validateBackupExists: invoke restore validation (hc-name, hc-namespace, backup)
  validateBackupExists->>VeleroAPI: GET Backup resource
  VeleroAPI-->>validateBackupExists: Backup with spec.includedNamespaces
  validateBackupExists->>BackupSpec: parse includedNamespaces
  BackupSpec-->>validateBackupExists: namespaces list or parse error
  validateBackupExists-->>CLI: error (non-render) or warning/log (render)

Loading

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	Custom check specifies Ginkgo test requirements (Describe, It, BeforeEach/AfterEach blocks), but the PR adds a regular Go test using testing.T with table-driven patterns, which is not Ginkgo.	Clarify if check applies to regular Go tests or only Ginkgo tests. If Go tests: test meets quality standards with table-driven cases, meaningful messages, and consistent patterns.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding validation to ensure the restore command's --hc-name flag matches the backup's namespaces, which directly aligns with the changeset's core objective.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR uses standard Go testing, not Ginkgo. Test names in TestValidateBackupNamespaceMatch are static and descriptive with no dynamic information.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CLI command code (cmd/oadp/restore.go), not deployment manifests, operators, or controllers. No scheduling constraints are introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. The new TestValidateBackupNamespaceMatch is a standard Go unit test using *testing.T with mocked clients, no IPv4 assumptions, and no external connectivity requirements.
No-Weak-Crypto	✅ Passed	No weak cryptographic patterns found. The PR only modifies restore command validation logic using standard string comparisons for configuration values, with no crypto-related imports or operations.
Container-Privileges	✅ Passed	PR modifies only Go CLI code (cmd/oadp/*.go) for restore validation; no container/K8s manifests with privilege settings are present.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, session IDs) is logged. All logged data is non-sensitive configuration identifiers and namespace names.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dpateriya]

/jira refresh

[openshift-ci-robot]

@dpateriya: This pull request references Jira Issue OCPBUGS-87162, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hypershift-jira-solve-ci]

This confirms everything. Now I have the complete picture for the report.

Test Failure Analysis Complete

Job Information

• Prow Job: gitlint / Gitlint (GitHub Actions)
• Build ID: 26960788495 / Job 79550687821
• PR: #8670 — fix: OCPBUGS-87162: Validate restore --hc-name matches backup namespaces
• Commit: 43ac4c17ab58c6656b06fc59991c36f1e78ddfd4

Test Failure Analysis

Error

1: CT1 Title does not start with one of fix, feat, chore, docs, style, refactor, perf, test, revert, ci, build: "OCPBUGS-87162: Validate restore --hc-name matches backup namespaces"
make: *** [Makefile:614: run-gitlint] Error 1

Summary

The gitlint CI check failed because the commit message title does not follow the Conventional Commits format required by the repository. The PR title correctly uses fix: OCPBUGS-87162: ..., but the actual Git commit title is OCPBUGS-87162: Validate restore --hc-name matches backup namespaces — missing the fix: prefix. Gitlint validates the commit message, not the PR title.

Root Cause

The repository's .gitlint configuration enforces the contrib-title-conventional-commits rule, which requires every commit message title to begin with one of the allowed type prefixes: fix, feat, chore, docs, style, refactor, perf, test, revert, ci, or build.

The commit 43ac4c17 has the title:

OCPBUGS-87162: Validate restore --hc-name matches backup namespaces

This starts with the JIRA issue key OCPBUGS-87162: instead of a conventional commit type prefix. The correct format would be:

fix: OCPBUGS-87162: Validate restore --hc-name matches backup namespaces

The author set the PR title correctly (with fix: prefix) but did not apply the same prefix to the commit message itself. Since gitlint checks commits (not PR titles), the CI check fails with rule CT1.

Recommendations

1. Amend the commit message to add the fix: conventional commit prefix:

   git commit --amend -m "fix: OCPBUGS-87162: Validate restore --hc-name matches backup namespaces" \
     -m "<keep existing body>" 
   git push --force-with-lease

2. Specifically, the full amended commit message should be:

   fix: OCPBUGS-87162: Validate restore --hc-name matches backup namespaces
   
   The oadp-restore command did not validate that the user-provided
   --hc-name/--hc-namespace matched the cluster name stored in the
   backup. ...
   

3. No code changes are needed — only the commit message title needs updating.

Evidence

Evidence	Detail
Failed step	Run make run-gitlint
Gitlint rule violated	CT1 (contrib-title-conventional-commits)
Commit message title	OCPBUGS-87162: Validate restore --hc-name matches backup namespaces
Expected format	Must start with one of: fix, feat, chore, docs, style, refactor, perf, test, revert, ci, build
PR title (correct)	fix: OCPBUGS-87162: Validate restore --hc-name matches backup namespaces
Commit SHA	43ac4c17ab58c6656b06fc59991c36f1e78ddfd4
.gitlint config	contrib=contrib-title-conventional-commits with types = fix,feat,chore,docs,style,refactor,perf,test,revert,ci,build

---

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

cmd/oadp/restore_test.go (1)

358-406: ⚡ Quick win

Rename new table cases to the required When ... it should ... style.

These new case titles don’t follow the required _test.go naming convention.

Example rename pattern

- name:             "matching namespaces should pass",
+ name:             "When backup includes expected control plane namespace it should pass",
- name:             "mismatched hc-name should fail",
+ name:             "When hc-name does not match backup namespaces it should fail",
- name:             "mismatched hc-namespace should fail",
+ name:             "When hc-namespace does not match backup namespaces it should fail",
- name:             "mismatched namespaces in render mode should warn but not fail",
+ name:             "When namespaces mismatch in render mode it should warn without failing",
- name:             "backup without includedNamespaces should skip validation",
+ name:             "When backup has no includedNamespaces it should skip namespace validation",
- name:             "matching namespaces with additional namespaces should pass",
+ name:             "When expected namespace exists among additional namespaces it should pass",

As per coding guidelines, "**/*_test.go: Always use "When ... it should ..." format for describing test cases when creating unit tests".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/oadp/restore_test.go` around lines 358 - 406, Rename the test case "name"
fields in the table that define the test scenarios so they follow the required
`_test.go` convention: use "When ... it should ..." phrasing. Specifically
update entries whose name values are "matching namespaces should pass",
"mismatched hc-name should fail", "mismatched hc-namespace should fail",
"mismatched namespaces in render mode should warn but not fail", "backup without
includedNamespaces should skip validation", and "matching namespaces with
additional namespaces should pass" to descriptive "When ... it should ..."
sentences (e.g. "When backup namespaces match control plane it should pass",
"When hc name mismatches it should fail with ...", etc.) so the test table
entries in restore_test.go use the required naming style; keep the rest of the
struct fields (hcName, hcNamespace, backupNamespaces, renderMode, shouldError,
errorSubstring) unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/oadp/restore.go`:
- Around line 295-309: The code currently ignores parsing errors from
unstructured.NestedStringSlice (backupNamespaces, nsFound, nsErr) inside
validateBackupExists; update the logic to handle nsErr when nsFound is true by
surfacing the error instead of silently proceeding: if nsErr != nil then in
renderMode call o.Log.Info or o.Log.Error with a clear message including
o.BackupName and nsErr, and when not in renderMode return a formatted error
(similar style to existing returns) explaining that spec.includedNamespaces is
malformed and include nsErr; keep the existing namespace-contains check
(slices.Contains) when nsErr == nil.

---

Nitpick comments:
In `@cmd/oadp/restore_test.go`:
- Around line 358-406: Rename the test case "name" fields in the table that
define the test scenarios so they follow the required `_test.go` convention: use
"When ... it should ..." phrasing. Specifically update entries whose name values
are "matching namespaces should pass", "mismatched hc-name should fail",
"mismatched hc-namespace should fail", "mismatched namespaces in render mode
should warn but not fail", "backup without includedNamespaces should skip
validation", and "matching namespaces with additional namespaces should pass" to
descriptive "When ... it should ..." sentences (e.g. "When backup namespaces
match control plane it should pass", "When hc name mismatches it should fail
with ...", etc.) so the test table entries in restore_test.go use the required
naming style; keep the rest of the struct fields (hcName, hcNamespace,
backupNamespaces, renderMode, shouldError, errorSubstring) unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0ed0a0ab-c39d-4b17-9dd9-4b070e48fb2d

📥 Commits

Reviewing files that changed from the base of the PR and between 25817d4 and 43ac4c1.

📒 Files selected for processing (2)

• cmd/oadp/restore.go
• cmd/oadp/restore_test.go

[dpateriya]

Test Evidence

Tested the built binary (hypershift-linux-amd64 from this PR branch) against a live cluster with an existing OADP backup.

Negative Test — Namespace mismatch detected

$ /tmp/hypershift-linux-amd64 create oadp-restore --hc-name another-hc --hc-namespace cluster --from-backup example-clusters-lkbtzw
{"level":"info","ts":"2026-06-04T15:22:10Z","msg":"Validating backup exists..."}
Error: backup validation failed: backup 'example-clusters-lkbtzw' does not contain the expected control plane namespace 'cluster-another-hc'. The backup includes namespaces [clusters clusters-example]. Ensure --hc-name and --hc-namespace match the original backed-up cluster

The CLI now correctly blocks the restore and surfaces an actionable error when --hc-name / --hc-namespace do not match the backup's includedNamespaces.

Positive Test — Matching names proceed normally

$ /tmp/hypershift-linux-amd64 create oadp-restore --hc-name example --hc-namespace clusters --from-backup example-clusters-lkbtzw
{"level":"info","ts":"2026-06-04T15:23:37Z","msg":"Validating backup exists..."}
{"level":"info","ts":"2026-06-04T15:23:37Z","msg":"Validating OADP installation..."}
{"level":"info","ts":"2026-06-04T15:23:37Z","msg":"HyperShift plugin found in DPA","dpa":"dpa-instance"}
{"level":"info","ts":"2026-06-04T15:23:37Z","msg":"Verifying DataProtectionApplication resource..."}
{"level":"info","ts":"2026-06-04T15:23:37Z","msg":"Creating restore..."}
{"level":"info","ts":"2026-06-04T15:23:37Z","msg":"Restore created successfully","name":"example-clusters-c7n7gc","namespace":"openshift-adp","backup":"example-clusters-lkbtzw"}

When --hc-name and --hc-namespace match the backup contents, validation passes and the restore proceeds as expected.

[dpateriya]

/verified by me

[openshift-ci-robot]

@dpateriya: This PR has been marked as verified by me.

Details

In response to this:

/verified by me

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@dpateriya: This pull request references Jira Issue OCPBUGS-87162, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Summary

• Validate that the --hc-name / --hc-namespace provided to hypershift create oadp-restore match the cluster name stored in the backup's spec.includedNamespaces, preventing silently partial restores when mismatched
• Clarify --hc-name and --hc-namespace flag descriptions to indicate they must match the original backed-up cluster

Problem

When a user runs hypershift create oadp-restore --hc-name restore-example against a backup of cluster example, the CLI computes includedNamespaces: [clusters, clusters-restore-example]. Since clusters-restore-example doesn't exist in the backup (it has clusters-example), the Velero Restore completes successfully but only restores resources from the shared HC namespace — the entire control plane namespace is silently skipped.

The restore reports phase: Completed with itemsRestored: 19 even though no HostedControlPlane, deployments, statefulsets, or other control plane resources were restored.

Fix

After confirming the backup exists and is Completed, read its spec.includedNamespaces and verify the expected HCP namespace ({hcNamespace}-{hcName}) is present. In non-render mode, return a hard error with a clear message showing the expected vs actual namespaces. In render mode, log a warning but proceed (consistent with existing render mode behavior).

Test plan

• New unit test TestValidateBackupNamespaceMatch covering:
• Matching namespaces pass validation
• Mismatched --hc-name fails with clear error
• Mismatched --hc-namespace fails with clear error
• Render mode with mismatch warns but does not fail
• Backup without includedNamespaces skips validation gracefully
• Matching namespaces with additional namespaces pass
• All existing cmd/oadp/ unit tests continue to pass

Jira: https://redhat.atlassian.net/browse/OCPBUGS-87162

Made with Cursor

Summary by CodeRabbit

• New Features

• Validation now checks that a backup includes the expected control-plane namespace during restore operations.

• Improvements

• Clarified --hc-name and --hc-namespace flag help text to state they must match the original backed-up cluster.

• Restore validation behavior adjusted: mismatches produce errors in normal runs and warnings in render/preview mode.

• Tests

• Added tests covering namespace-matching and render-mode behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

❌ Patch coverage is 59.09091% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.43%. Comparing base (25817d4) to head (422eb82).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/oadp/restore.go	59.09%	8 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8670   +/-   ##
=======================================
  Coverage   41.43%   41.43%           
=======================================
  Files         756      756           
  Lines       93658    93678   +20     
=======================================
+ Hits        38807    38820   +13     
- Misses      52128    52134    +6     
- Partials     2723     2724    +1     

Files with missing lines	Coverage Δ
cmd/oadp/restore.go	38.06% <59.09%> (+1.73%)	⬆️

Flag	Coverage Δ
cmd-support	34.89% <59.09%> (+0.01%)	⬆️
cpo-hostedcontrolplane	43.50% <ø> (ø)
cpo-other	42.74% <ø> (ø)
hypershift-operator	51.56% <ø> (ø)
other	31.64% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-ci]

@dpateriya: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.