@deepsm007
Contributor

@openshift-ci openshift-ci bot requested a review from a team November 19, 2025 22:35
@openshift-ci-robot
Contributor

Pipeline controller notification
This repository is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. Review these jobs and use /test <job> to manually trigger optional jobs most likely to be impacted by the proposed changes.

@coderabbitai
coderabbitai bot commented Nov 19, 2025

Walkthrough

Removed custom JSON (un)marshalling from secret bootstrap Config, switched Load/Save to strict YAML and deep-copy YAML marshaling, added ClusterGroups and DockerConfigJSONData fields, updated tests/fixtures and many secret routing YAMLs, and made small test/release and embedded YAML formatting tweaks.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Secret bootstrap core: pkg/api/secretbootstrap/secretboostrap.go | Deleted MarshalJSON/UnmarshalJSON and stripVaultPrefix; removed encoding/json and strings imports. LoadConfigFromFile now uses gzip.ReadFileMaybeGZIP, yaml.UnmarshalStrict and returns config.resolve(). SaveConfigToFile deep-copies Config, marshals with YAML, and writes file. resolve() updated for Vault prefixing and cluster-group expansion. |
| Public API & tests: cmd/ci-secret-bootstrap/main_test.go, pkg/api/secretbootstrap/secretboostrap_test.go, pkg/api/secretbootstrap/testdata/* | Added ClusterGroups map[string][]string to Config and DockerConfigJSONData []... to ItemContext. Tests updated to initialize/normalize these fields; added deterministic normalization (sorting) for comparisons; test fixtures updated accordingly. |
| Test fixtures & integration configs: pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml, test/integration/.../openshift-monitoring/cluster-monitoring-config.yaml, test/integration/.../core-services/ci-secret-bootstrap/_config.yaml | Large rework of secret_configs routing to per-cluster-group mappings and many from/to remappings; added/updated cluster targets (e.g., build02). One YAML block scalar indicator/formatting change in monitoring ConfigMap. |
| Release test utility: pkg/config/release_test.go | During tests set git config core.hooksPath /dev/null; prefer Output() with fallback to CombinedOutput() for errors; trim/validate commit hash and pass validated hash to callback. |
| OpenShift monitoring formatting: pkg/clusterinit/onboard/openshiftmonitoring.go | Minor repositioning of raw-string backtick around embedded YAML (formatting only). |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Areas needing extra attention:
    • Serialization/compatibility changes in pkg/api/secretbootstrap/secretboostrap.go (removed JSON hooks, YAML strict unmarshal, deep-copy semantics) and impact on callers.
    • resolve() modifications for Vault prefixing and cluster-group expansion — verify logic across varied fixture cases.
    • Public API additions (ClusterGroups, DockerConfigJSONData) propagation and initialization across tests and production code paths.
    • Large YAML fixture/config rework in test/integration/.../core-services/ci-secret-bootstrap/_config.yaml for correctness of secret routing.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d78043d and e642ad5.

📒 Files selected for processing (8)
  • cmd/ci-secret-bootstrap/main_test.go (5 hunks)
  • pkg/api/secretbootstrap/secretboostrap.go (1 hunks)
  • pkg/api/secretbootstrap/secretboostrap_test.go (7 hunks)
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1 hunks)
  • pkg/clusterinit/onboard/openshiftmonitoring.go (1 hunks)
  • pkg/config/release_test.go (2 hunks)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1 hunks)
  • test/integration/cluster-init/update-build99/expected/core-services/ci-secret-bootstrap/_config.yaml (5 hunks)
✅ Files skipped from review due to trivial changes (1)
  • pkg/clusterinit/onboard/openshiftmonitoring.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml
  • cmd/ci-secret-bootstrap/main_test.go
  • pkg/api/secretbootstrap/secretboostrap_test.go
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml
  • pkg/config/release_test.go
  • test/integration/cluster-init/update-build99/expected/core-services/ci-secret-bootstrap/_config.yaml
  • pkg/api/secretbootstrap/secretboostrap.go
🔇 Additional comments (6)
pkg/config/release_test.go (1)

44-72: LGTM! Clean handling of git command output.

The change to use Output() instead of CombinedOutput() appropriately avoids pre-commit hook interference, and the fallback logic provides good error diagnostics. The commit hash validation ensures correctness.

pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1)

38-54: Test fixture correctly reflects new cluster-group routing.

The new secret_configs entry with per-cluster-group routing aligns with the expanded API surface for ClusterGroups introduced in this PR.

pkg/api/secretbootstrap/secretboostrap.go (3)

68-71: LGTM! Strict YAML validation and normalization.

Using UnmarshalStrict catches configuration typos, and calling resolve() ensures cluster groups and Vault prefixes are properly expanded.


150-203: Cluster group expansion and Vault prefix logic is correct.

The resolve() method properly:

  • Validates mutual exclusivity of cluster and cluster_groups
  • Expands cluster groups to individual clusters
  • Applies Vault prefix to items and DockerConfigJSON data

76-85: Correct the timeline and clarify findings; recommendation stands but is not urgent.

The github.com/getlantern/deepcopy dependency is indeed unmaintained, but the facts need correction: the last repository push was 2018-03-02, making it ~7 years old rather than 9 years. No security vulnerabilities were found in the GitHub advisory database.

While the library is old and receives no maintenance, it appears stable and is used as a direct dependency across multiple files (secretbootstrap, secretgenerator, shardprowconfig, diffs, jobconfig, rehearse, config-brancher). The recommendations to consider well-maintained alternatives like github.com/mitchellh/copystructure or JSON marshal/unmarshal for production code handling sensitive configuration remain valid—they reduce long-term maintenance risk—but this is not an urgent security concern given the absence of known vulnerabilities.

test/integration/cluster-init/update-build99/expected/core-services/ci-secret-bootstrap/_config.yaml (1)

257-275: Verify that empty from: {} is valid and intentional.

Line 257 defines a secret configuration with an empty from: {} block but valid to destinations. Confirm whether:

  • The system supports secrets with no source data (e.g., for generated/placeholder secrets)
  • This is an intentional test case for validation logic
  • The config will pass validation in production


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 19, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
pkg/api/secretbootstrap/secretboostrap.go (1)

72-108: Consider sorting the To field for complete determinism.

The MarshalYAML method sorts the From map and DockerConfigJSONData slices to ensure deterministic output, but the To field (a []SecretContext slice) is not sorted. If the order of To elements can vary between runs, this could still produce non-deterministic YAML output.

If complete determinism is required, consider sorting the To slice as well. For example:

+	// Sort To slice for determinism
+	sortedTo := make([]SecretContext, len(s.To))
+	copy(sortedTo, s.To)
+	sort.Slice(sortedTo, func(i, j int) bool {
+		if sortedTo[i].Cluster != sortedTo[j].Cluster {
+			return sortedTo[i].Cluster < sortedTo[j].Cluster
+		}
+		if sortedTo[i].Namespace != sortedTo[j].Namespace {
+			return sortedTo[i].Namespace < sortedTo[j].Namespace
+		}
+		return sortedTo[i].Name < sortedTo[j].Name
+	})
+
 	return &secretConfigForMarshal{
 		From: sortedFrom,
-		To:   s.To,
+		To:   sortedTo,
 	}, nil
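
Review bot: the comparator passed to sort.Slice(sortedTo, ...) keys only on Cluster, Namespace and Name, and sort.Slice is not stable, so two To entries that agree on all three have no defined relative order. That can happen for entries routed through cluster_groups, which this PR treats as mutually exclusive with cluster and which may therefore carry an empty Cluster. Use sort.SliceStable or extend the comparator with the field that distinguishes such entries. Also check that make([]SecretContext, len(s.To)), which turns a nil To into an empty non-nil slice, does not change the serialized output.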

If the current order of To is intentional and significant, please document why it's excluded from sorting.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 472c375 and a0551f8.

📒 Files selected for processing (2)
  • pkg/api/secretbootstrap/secretboostrap.go (3 hunks)
  • pkg/clusterinit/onboard/manifestgenerator.go (1 hunks)
🧰 Additional context used
Files:

  • pkg/api/secretbootstrap/secretboostrap.go
  • pkg/clusterinit/onboard/manifestgenerator.go

@deepsm007 deepsm007 force-pushed the fix-breaking-changes branch from a0551f8 to e45d4b9 Compare November 19, 2025 23:06
@deepsm007
Contributor Author

/pipeline required

@openshift-ci-robot
Contributor

Scheduling required tests:
/test e2e

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test integration-optional-test

@hector-vido
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2025
@openshift-ci-robot
Contributor

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

@openshift-ci
Contributor

openshift-ci bot commented Nov 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deepsm007, hector-vido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [deepsm007,hector-vido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 472c375 and 2 for PR HEAD e45d4b9 in total

@deepsm007
Contributor Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 20, 2025
@deepsm007 deepsm007 force-pushed the fix-breaking-changes branch from e45d4b9 to fbc882b Compare November 20, 2025 13:43
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2025
@openshift-ci
Contributor

openshift-ci bot commented Nov 20, 2025

New changes are detected. LGTM label has been removed.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/api/secretbootstrap/secretboostrap.go (1)

65-98: Avoid manual ItemContext reconstruction; clarify intent around map ordering

The DockerConfigJSONData sorting is good, but rebuilding ItemContext field‑by‑field is brittle: any future fields added to ItemContext will be silently dropped when orderSecretConfig runs. Also, re‑creating the From map does not affect Go’s map iteration order, so it doesn’t buy determinism by itself.

You can keep the behavior while making it safer and simpler by mutating the copied ItemContext and writing it back into the existing map:

-func (s *SecretConfig) orderSecretConfig() {
-	// Sort From map keys and DockerConfigJSONData slices
-	sortedFrom := make(map[string]ItemContext)
-	keys := make([]string, 0, len(s.From))
-	for k := range s.From {
-		keys = append(keys, k)
-	}
-	sort.Strings(keys)
-
-	for _, k := range keys {
-		itemCtx := s.From[k]
-		// Sort DockerConfigJSONData slice
-		dockerData := make([]DockerConfigJSONData, len(itemCtx.DockerConfigJSONData))
-		copy(dockerData, itemCtx.DockerConfigJSONData)
-		sort.Slice(dockerData, func(i, j int) bool {
-			if dockerData[i].RegistryURL != dockerData[j].RegistryURL {
-				return dockerData[i].RegistryURL < dockerData[j].RegistryURL
-			}
-			if dockerData[i].Item != dockerData[j].Item {
-				return dockerData[i].Item < dockerData[j].Item
-			}
-			return dockerData[i].AuthField < dockerData[j].AuthField
-		})
-
-		sortedFrom[k] = ItemContext{
-			Item:                 itemCtx.Item,
-			Field:                itemCtx.Field,
-			DockerConfigJSONData: dockerData,
-			Base64Decode:         itemCtx.Base64Decode,
-		}
-	}
-	s.From = sortedFrom
-}
+func (s *SecretConfig) orderSecretConfig() {
+	if len(s.From) == 0 {
+		return
+	}
+
+	// Sort From keys to ensure we process entries in a stable order
+	keys := make([]string, 0, len(s.From))
+	for k := range s.From {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	for _, k := range keys {
+		itemCtx := s.From[k]
+
+		dockerData := make([]DockerConfigJSONData, len(itemCtx.DockerConfigJSONData))
+		copy(dockerData, itemCtx.DockerConfigJSONData)
+		sort.Slice(dockerData, func(i, j int) bool {
+			if dockerData[i].RegistryURL != dockerData[j].RegistryURL {
+				return dockerData[i].RegistryURL < dockerData[j].RegistryURL
+			}
+			if dockerData[i].Item != dockerData[j].Item {
+				return dockerData[i].Item < dockerData[j].Item
+			}
+			return dockerData[i].AuthField < dockerData[j].AuthField
+		})
+
+		itemCtx.DockerConfigJSONData = dockerData
+		s.From[k] = itemCtx
+	}
+}
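
Review bot: the new early return, if len(s.From) == 0 { return }, leaves a nil From as nil, whereas the removed version always ended with s.From = sortedFrom and so replaced it with an empty non-nil map. The tests in this PR expect From to be normalized to an empty map where unset, so either keep that normalization here or confirm it happens elsewhere in resolve(). Separately, once entries are written back into the same map, sort.Strings(keys) no longer affects the result and can be dropped together with the keys slice.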

If your goal is also to make From’s key order deterministic in serialized YAML/JSON, that will still require walking keys during marshaling rather than relying on map iteration.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between fbc882b and 96a3c50.

📒 Files selected for processing (5)
  • pkg/api/secretbootstrap/secretboostrap.go (4 hunks)
  • pkg/clusterinit/onboard/manifestgenerator.go (1 hunks)
  • pkg/image-graph-generator/images.go (4 hunks)
  • pkg/image-graph-generator/manifests.go (2 hunks)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • pkg/image-graph-generator/manifests.go
  • pkg/image-graph-generator/images.go
  • pkg/clusterinit/onboard/manifestgenerator.go
🧰 Additional context used
Files:

  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml
  • pkg/api/secretbootstrap/secretboostrap.go
🔇 Additional comments (2)
test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1)

9-9: YAML block scalar style change is appropriate

Switching from |- to | keeps the content identical except for a trailing newline and aligns this expected fixture with the updated manifest generator output; no issues from a test or config perspective.

pkg/api/secretbootstrap/secretboostrap.go (1)

118-166: Placement and scope of deterministic ordering look good

Centralizing deterministic ordering in Config.orderConfig() (sorting ClusterGroups values, Secrets by first To’s cluster/namespace/name, and UserSecretsTargetClusters) and invoking it at the end of resolve() is a clean approach that avoids custom marshal hooks while ensuring stable output order after all resolution logic has run. This structure looks sound and maintainable.

Also applies to: 326-328

@deepsm007 deepsm007 force-pushed the fix-breaking-changes branch 4 times, most recently from e77f842 to 6254e03 Compare November 20, 2025 15:43
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
pkg/image-graph-generator/images.go (1)

7-7: Deterministic ordering for parents/branches looks correct

The added sort.Slice calls on Parents and Branches in UpdateImage, addImageRef, and updateImageRef provide stable, name/ID‑based ordering without altering the underlying graph semantics. Empty slices are handled safely, and the GraphQL inputs become reproducible across runs.

If this pattern expands further, consider a small helper (e.g., sortParentsByName, sortBranchesByID) to centralize the ordering rules, but that’s optional.

Also applies to: 88-97, 127-132, 138-144, 204-207, 213-219

pkg/api/secretbootstrap/secretboostrap.go (1)

21-35: Deterministic ordering for secretbootstrap config is sound; minor forward‑compat refactor

The new orderSecretConfig and orderConfig helpers give you stable ordering for:

  • ClusterGroups keys and their cluster lists,
  • Secrets (grouped by first To entry’s Cluster/Namespace/Name),
  • UserSecretsTargetClusters,
  • and DockerConfigJSONData entries inside each ItemContext.

Calling c.orderConfig() from resolve() centralizes this, and the added DockerConfigJSONData handling in resolve/stripVaultPrefix is consistent.

One small maintainability tweak: in orderSecretConfig you manually copy ItemContext fields, which means new fields added later could be accidentally dropped. You can keep behavior identical while future‑proofing with:

-		itemCtx := s.From[k]
+		itemCtx := s.From[k]
 		// Sort DockerConfigJSONData slice
 		dockerData := make([]DockerConfigJSONData, len(itemCtx.DockerConfigJSONData))
 		copy(dockerData, itemCtx.DockerConfigJSONData)
 		sort.Slice(dockerData, func(i, j int) bool {
 			// ...
 		})
-
-		sortedFrom[k] = ItemContext{
-			Item:                 itemCtx.Item,
-			Field:                itemCtx.Field,
-			DockerConfigJSONData: dockerData,
-			Base64Decode:         itemCtx.Base64Decode,
-		}
+		itemCtxCopy := itemCtx
+		itemCtxCopy.DockerConfigJSONData = dockerData
+		sortedFrom[k] = itemCtxCopy
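
Review bot: the first pair in this suggestion removes and re-adds the identical line itemCtx := s.From[k], so it is a no-op and should be dropped from the diff. The itemCtxCopy := itemCtx assignment is also redundant: itemCtx is already a value copy taken from the map, so setting itemCtx.DockerConfigJSONData = dockerData and storing itemCtx into sortedFrom[k] gives the same result with one less variable.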

This keeps all existing semantics but automatically preserves any future ItemContext fields.

Also applies to: 65-99, 118-166, 326-328

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between a97b7dd and 6254e03.

📒 Files selected for processing (9)
  • cmd/ci-secret-bootstrap/main_test.go (4 hunks)
  • pkg/api/secretbootstrap/secretboostrap.go (4 hunks)
  • pkg/api/secretbootstrap/secretboostrap_test.go (4 hunks)
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1 hunks)
  • pkg/clusterinit/onboard/manifestgenerator.go (1 hunks)
  • pkg/config/release_test.go (3 hunks)
  • pkg/image-graph-generator/images.go (4 hunks)
  • pkg/image-graph-generator/manifests.go (2 hunks)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/image-graph-generator/manifests.go
🧰 Additional context used
Files:

  • pkg/image-graph-generator/images.go
  • pkg/config/release_test.go
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml
  • pkg/clusterinit/onboard/manifestgenerator.go
  • cmd/ci-secret-bootstrap/main_test.go
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml
  • pkg/api/secretbootstrap/secretboostrap_test.go
  • pkg/api/secretbootstrap/secretboostrap.go
🔇 Additional comments (5)
test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1)

9-9: Fixture update correctly reflects new scalar style

Aligning config.yaml with | instead of |- matches the new manifest post-processing behavior and keeps the expectation deterministic; nothing else in the ConfigMap is affected.

pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1)

1-59: Roundtrip fixture matches new secretbootstrap config shape

The added secret_config using cluster_groups and the inclusion of build02 in user_secrets_target_clusters are consistent with the new Config semantics and deterministic ordering (ClusterGroups + Secrets). The YAML stays structurally valid and aligns with the updated tests.

pkg/config/release_test.go (1)

20-27: Robust commit hash extraction in tests

Using isHexString plus a 40‑character length check on each output line makes the test resilient to stray Git/hook noise while still guaranteeing a real hash is passed into f. Disabling hooks via core.hooksPath /dev/null further reduces flakiness. The helper and parsing logic look correct and self‑contained.

Also applies to: 58-58, 71-86

pkg/api/secretbootstrap/secretboostrap_test.go (1)

52-55: Tests correctly capture new resolution and ordering semantics

The expectations in TestResolving and TestLoadConfigFromFile now match the resolved/ordered Config:

  • From is normalized to empty maps where unset.
  • ClusterGroups is consistently represented as an empty map when absent.
  • ItemContext values include DockerConfigJSONData, even when empty, reflecting the new field.
  • The “basic base” test mirrors the updated fixture for mirror/rh‑cdn secrets and target clusters.

These updates look consistent with the implementation changes.

Also applies to: 92-100, 124-127, 174-209

cmd/ci-secret-bootstrap/main_test.go (1)

178-198: CLI tests updated coherently for new secretbootstrap behavior

The adjusted fixtures and expectations in this file:

  • Add the default .dockerconfigjson secret (and associated DockerConfigJSONData) to defaultConfig/defaultConfigWithoutDefaultCluster.
  • Reflect the new normalized/ordered shapes of Config and ItemContext (empty ClusterGroups maps, explicit empty DockerConfigJSONData slices).
  • Update error strings (e.g., in TestConstructSecrets, TestGetUnusedItems, TestConstructDockerConfigJSON) to include the new dockerconfigjson‑related paths and deterministic aggregation order.

These changes keep the CLI tests in sync with the API changes and deterministic ordering; no functional or robustness issues stand out.

Also applies to: 201-235, 252-265, 393-403, 1023-1028, 1867-1969, 2089-2126

Comment on lines 130 to 139
// Fix YAML scalar style for monitoring config: change trailing newline handling
// yaml.v2 doesn't support controlling scalar style, so we post-process it.
// We change "config.yaml: |-" (literal block scalar that strips trailing newline) to
// "config.yaml: |" (literal block scalar that preserves trailing newline).
// This is safe and targeted: only runs for the cluster-monitoring-config ConfigMap.
if kind, ok := manifestMap["kind"].(string); ok && kind == "ConfigMap" {
	if name, ok := manifestMap["metadata"].(map[string]interface{})["name"].(string); ok && name == "cluster-monitoring-config" {
		manifestBytesPatched = bytes.ReplaceAll(manifestBytesPatched, []byte("config.yaml: |-"), []byte("config.yaml: |"))
	}
}
⚠️ Potential issue | 🟠 Major

Guard metadata cast to avoid potential panics

The new post‑processing is correctly scoped to kind: ConfigMap and metadata.name == "cluster-monitoring-config", but this line is unsafe:

if name, ok := manifestMap["metadata"].(map[string]interface{})["name"].(string); ok && name == "cluster-monitoring-config" {

If manifestMap["metadata"] is absent or not a map[string]interface{}, this will panic before the ok check. That’s unlikely in normal manifests but turns malformed input into a hard crash.

Wrap the metadata lookup in its own type assertion to keep the step robust:

-		if kind, ok := manifestMap["kind"].(string); ok && kind == "ConfigMap" {
-			if name, ok := manifestMap["metadata"].(map[string]interface{})["name"].(string); ok && name == "cluster-monitoring-config" {
-				manifestBytesPatched = bytes.ReplaceAll(manifestBytesPatched, []byte("config.yaml: |-"), []byte("config.yaml: |"))
-			}
-		}
+		if kind, ok := manifestMap["kind"].(string); ok && kind == "ConfigMap" {
+			if metadata, ok := manifestMap["metadata"].(map[string]interface{}); ok {
+				if name, ok := metadata["name"].(string); ok && name == "cluster-monitoring-config" {
+					manifestBytesPatched = bytes.ReplaceAll(manifestBytesPatched, []byte("config.yaml: |-"), []byte("config.yaml: |"))
+				}
+			}
+		}
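
Review bot: the bytes.ReplaceAll call in the innermost branch still rewrites every occurrence of "config.yaml: |-" in the serialized ConfigMap, including a key that merely ends in config.yaml or the same text inside the embedded payload. Now that the guard identifies the one intended manifest, consider limiting the rewrite to the first match on the expected key (for example bytes.Replace with n = 1), and add a test with a manifest whose metadata is missing or not a map to lock in the no-panic behaviour.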

This preserves the current behavior while avoiding panics on unexpected manifest shapes.

🤖 Prompt for AI Agents
In pkg/clusterinit/onboard/manifestgenerator.go around lines 130 to 139, the
metadata name lookup does an inline type assertion that can panic if
manifestMap["metadata"] is missing or not a map; extract manifestMap["metadata"]
into a variable with a separate type assertion (e.g., meta, ok :=
manifestMap["metadata"].(map[string]interface{})), check ok before accessing
meta["name"], then assert name, ok := meta["name"].(string) and compare to
"cluster-monitoring-config"; this preserves current behavior while avoiding a
potential panic on malformed manifests.
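
The failure mode described in the comment above, as an added Go example that is not code from the PR or from the project: the chained assertion panics on manifests whose metadata is missing or of the wrong type, while the two-step form returns false. The function names and the sample manifests are constructed for illustration.

```go
package main

import "fmt"

// targetName is the ConfigMap name the review comment refers to.
const targetName = "cluster-monitoring-config"

// unsafeIsTarget reproduces the chained assertion quoted in the comment.
// The single-value assertion on "metadata" panics when the value is
// missing or is not a map[string]interface{}.
func unsafeIsTarget(m map[string]interface{}) bool {
	if kind, ok := m["kind"].(string); ok && kind == "ConfigMap" {
		if name, ok := m["metadata"].(map[string]interface{})["name"].(string); ok && name == targetName {
			return true
		}
	}
	return false
}

// safeIsTarget checks each level with a two-value assertion, so an
// unexpected shape yields false instead of a panic.
func safeIsTarget(m map[string]interface{}) bool {
	kind, ok := m["kind"].(string)
	if !ok || kind != "ConfigMap" {
		return false
	}
	meta, ok := m["metadata"].(map[string]interface{})
	if !ok {
		return false
	}
	name, ok := meta["name"].(string)
	return ok && name == targetName
}

// panics reports whether f panics when called with m.
func panics(f func(map[string]interface{}) bool, m map[string]interface{}) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f(m)
	return false
}

// manifestCase is one constructed input manifest with a label.
type manifestCase struct {
	name     string
	manifest map[string]interface{}
}

// constructedCases returns hand-built manifests (not taken from the PR)
// covering the valid shape and several malformed ones.
func constructedCases() []manifestCase {
	return []manifestCase{
		{"valid target", map[string]interface{}{
			"kind":     "ConfigMap",
			"metadata": map[string]interface{}{"name": targetName},
		}},
		{"metadata missing", map[string]interface{}{
			"kind": "ConfigMap",
		}},
		{"metadata is a string", map[string]interface{}{
			"kind":     "ConfigMap",
			"metadata": "oops",
		}},
		{"metadata has non-string keys", map[string]interface{}{
			"kind":     "ConfigMap",
			"metadata": map[interface{}]interface{}{"name": targetName},
		}},
		{"name is not a string", map[string]interface{}{
			"kind":     "ConfigMap",
			"metadata": map[string]interface{}{"name": 42},
		}},
		{"other kind, metadata missing", map[string]interface{}{
			"kind": "Secret",
		}},
	}
}

func main() {
	for _, c := range constructedCases() {
		fmt.Printf("%-30s unsafe panics=%-5v safe result=%v\n",
			c.name, panics(unsafeIsTarget, c.manifest), safeIsTarget(c.manifest))
	}
}
```

The last case shows why the panic is easy to miss in tests: the unsafe form only reaches the chained assertion once kind has already matched ConfigMap.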

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
cmd/ci-secret-bootstrap/main_test.go (1)

1023-1028: Updated aggregated error expectation for missing fields remains accurate but brittle

The new expectedError now correctly accounts for the additional .dockerconfigjson secret (missing quay.io data) alongside the original "key-name-1" missing-field error, matching the behavior after adding the default Docker config secret. If future Vault error formatting changes become noisy for this test, consider asserting on key substrings or using a helper to normalize error text, but that's optional for now.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between a97b7dd and 6254e03.

📒 Files selected for processing (9)
  • cmd/ci-secret-bootstrap/main_test.go (4 hunks)
  • pkg/api/secretbootstrap/secretboostrap.go (4 hunks)
  • pkg/api/secretbootstrap/secretboostrap_test.go (4 hunks)
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1 hunks)
  • pkg/clusterinit/onboard/manifestgenerator.go (1 hunks)
  • pkg/config/release_test.go (3 hunks)
  • pkg/image-graph-generator/images.go (4 hunks)
  • pkg/image-graph-generator/manifests.go (2 hunks)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/api/secretbootstrap/secretboostrap.go
🧰 Additional context used
Files:

  • pkg/config/release_test.go
  • pkg/image-graph-generator/images.go
  • pkg/clusterinit/onboard/manifestgenerator.go
  • pkg/api/secretbootstrap/secretboostrap_test.go
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml
  • cmd/ci-secret-bootstrap/main_test.go
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml
  • pkg/image-graph-generator/manifests.go
🔇 Additional comments (12)
pkg/clusterinit/onboard/manifestgenerator.go (1)

130-139: LGTM! Post-processing workaround is safe and well-documented.

The YAML scalar style adjustment is correctly targeted to the cluster-monitoring-config ConfigMap with appropriate guard conditions. The updated comments accurately describe the change. Looking forward to the follow-up PR for a more robust solution using yaml.v3's scalar style control as discussed.

test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1)

9-9: LGTM! Test expectation correctly reflects the scalar style change.

The change from |- to | matches the post-processing logic in manifestgenerator.go and correctly adjusts the expected YAML scalar style for the monitoring configuration.

pkg/image-graph-generator/manifests.go (1)

161-164: LGTM! Deterministic ordering correctly implemented.

The sorting of Parents by Name ensures stable ordering in manifest generation, preventing non-deterministic output that could cause breaking changes. The placement right before adding/updating the ImageRef is appropriate.

pkg/image-graph-generator/images.go (3)

88-96: LGTM! Deterministic ordering ensures stable graph operations.

The sorting of Parents by Name and Branches by ID in UpdateImage prevents non-deterministic output and aligns with the PR's goal of fixing breaking changes.


127-143: LGTM! Proper use of sorted copies for deterministic payload construction.

Creating sorted copies of Branches and Parents ensures the mutation payload has deterministic ordering without mutating the input slices. The approach is consistent with updateImageRef.


204-218: LGTM! Consistent deterministic ordering in update operations.

The sorting strategy matches addImageRef, ensuring consistent behavior across add and update paths. Using sorted copies maintains proper encapsulation.

pkg/config/release_test.go (3)

20-27: LGTM: Hex validation helper is correct.

The implementation correctly validates hexadecimal characters and serves its purpose well in filtering the commit hash from git output.


58-58: LGTM: Disabling hooks improves test isolation.

Setting core.hooksPath to /dev/null prevents git hooks from interfering with test execution, which directly addresses the breaking changes this PR aims to fix.


71-86: LGTM: Robust commit hash extraction.

The new parsing logic correctly filters git output to extract the commit hash, making the tests resilient to pre-commit hook output or other noise. The 40-character length check is appropriate for SHA-1 hashes (Git's current default), and the clear error message will aid debugging if issues arise.

pkg/api/secretbootstrap/secretboostrap_test.go (1)

52-52: Explicit zero-value expectations for new fields look correct

The updates to include From: map[string]ItemContext{}, ClusterGroups: map[string][]string{}, and DockerConfigJSONData: []DockerConfigJSONData{} in the expected configs align the tests with the new public fields and deterministic marshalling behavior of Config. This keeps the equality checks precise without changing semantics.

Also applies to: 92-99, 125-126, 178-187

pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1)

38-54: Roundtrip fixture update matches new secret routing model

The additional secret_configs entry for ops-mirror.pem/rh-cdn.pem keyed by cluster_groups (build_farm, cg_2, cg_3) is structurally consistent with the existing YAML and the Go tests that consume it. This should keep the roundtrip test aligned with the new configuration behavior.

cmd/ci-secret-bootstrap/main_test.go (1)

178-249: Default configs and group-resolution expectations are consistent with new DockerConfig handling

The introduction of:

  • an explicit ClusterGroups: map[string][]string{} field,
  • a dedicated .dockerconfigjson secret in defaultConfig (matching the configContent YAML), and
  • empty DockerConfigJSONData slices on all From entries (including the "group is resolved" case)

keeps the tests aligned with the updated secretbootstrap.Config shape and Docker config semantics. The resolved To entry retaining ClusterGroups while setting Cluster: "default" also matches the resolution behavior exercised in the package-level tests.

Also applies to: 251-301, 395-403

@deepsm007 force-pushed the fix-breaking-changes branch 2 times, most recently from 3d7301b to e198410, November 20, 2025 18:37
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/config/release_test.go (1)

58-67: Simplify the fallback error handling logic.

The fallback from Output() to CombinedOutput() is confusing. If p.Output() fails, p.CombinedOutput() (which executes the same command) is unlikely to succeed. This nested error handling adds complexity without clear benefit.

Consider simplifying to either:

  • Use Output() directly and handle errors, or
  • Use CombinedOutput() if stderr is needed for debugging

Apply this diff to simplify:

-	// Use Output() instead of CombinedOutput() to avoid pre-commit hook output on stderr
-	out, err := p.Output()
+	out, err := p.Output()
 	if err != nil {
-		// If Output() fails, try CombinedOutput() for error details
-		combinedOut, combinedErr := p.CombinedOutput()
-		if combinedErr != nil {
-			t.Fatalf("%q failed, output:\n%s", p.Args, combinedOut)
-		}
-		out = combinedOut
+		t.Fatalf("%q failed: %v", p.Args, err)
 	}
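Review bot: the `t.Fatalf("%q failed: %v", p.Args, err)` line reports only `err`, so a failing git command shows up as little more than its exit status, because Output() does not return stderr in `out`. Output() stores the captured stderr in `*exec.ExitError` when the command's `Stderr` is unset, so the message could include `exitErr.Stderr` after an `errors.As` check. The hunk also drops the comment explaining why Output() is used instead of CombinedOutput(); keeping that one line documents the choice.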
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 3d7301b and e198410.

📒 Files selected for processing (7)
  • cmd/ci-secret-bootstrap/main_test.go (4 hunks)
  • pkg/api/secretbootstrap/secretboostrap.go (3 hunks)
  • pkg/api/secretbootstrap/secretboostrap_test.go (4 hunks)
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1 hunks)
  • pkg/clusterinit/onboard/manifestgenerator.go (1 hunks)
  • pkg/config/release_test.go (2 hunks)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml
  • pkg/api/secretbootstrap/secretboostrap.go
  • cmd/ci-secret-bootstrap/main_test.go
  • pkg/clusterinit/onboard/manifestgenerator.go
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • pkg/api/secretbootstrap/secretboostrap_test.go
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml
  • pkg/config/release_test.go
🔇 Additional comments (3)
pkg/config/release_test.go (1)

49-49: Verify whether disabling git hooks is the appropriate solution.

A past reviewer questioned whether these changes are necessary. While disabling hooks via core.hooksPath and switching to Output() addresses stderr contamination, consider whether:

  • The test environment should have hooks that interfere with output
  • A different approach (e.g., cleaning the test environment) might be more appropriate

Based on past review comments.

Also applies to: 58-71

pkg/api/secretbootstrap/secretboostrap_test.go (1)

52-52: LGTM!

The test expectations have been correctly updated to reflect the new struct fields (From, ClusterGroups, DockerConfigJSONData). Explicitly setting these fields to nil in test cases ensures accurate validation of the config resolution logic.

Also applies to: 93-99, 125-125, 177-187

pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1)

38-54: LGTM!

The test fixture has been correctly updated to reflect the new per-cluster-group routing structure. The secret configuration now properly maps ops-mirror.pem and rh-cdn.pem to their target cluster groups (build_farm, cg_2, cg_3) with appropriate namespaces.

@deepsm007 force-pushed the fix-breaking-changes branch 2 times, most recently from 104bf58 to 2fa1a04, November 24, 2025 17:09
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
pkg/config/release_test.go (1)

58-67: Cannot reuse exec.Cmd after Output() has been called.

The fallback logic on lines 62-66 attempts to call CombinedOutput() after Output() has already been invoked on the same exec.Cmd object. Both methods internally call Run(), and Go's exec.Cmd cannot be reused once it has been started. This code will not execute as intended and may panic or produce unexpected behavior.

Apply this diff to fix the issue by using CombinedOutput() directly:

-	// Use Output() instead of CombinedOutput() to avoid pre-commit hook output on stderr
-	out, err := p.Output()
+	out, err := p.CombinedOutput()
 	if err != nil {
-		// If Output() fails, try CombinedOutput() for error details
-		combinedOut, combinedErr := p.CombinedOutput()
-		if combinedErr != nil {
-			t.Fatalf("%q failed, output:\n%s", p.Args, combinedOut)
-		}
-		out = combinedOut
+		t.Fatalf("%q failed, output:\n%s", p.Args, out)
 	}
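Review bot: switching to `p.CombinedOutput()` in the first `+` line puts stderr back into `out`, which is what the removed comment said Output() was chosen to avoid, so anything written to stderr ends up in the value that is used afterwards. If the intent is only to drop the second call on the same command, keep `p.Output()` and build the `t.Fatalf` message from the error plus the stderr carried by `*exec.ExitError`, so that stdout stays clean for the caller that consumes it.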
🧹 Nitpick comments (2)
pkg/config/release_test.go (1)

49-49: Hook output concern is mitigated by line 49.

Since core.hooksPath is set to /dev/null on line 49, git hooks are already disabled. The distinction between Output() and CombinedOutput() to avoid hook stderr output is unnecessary. Using CombinedOutput() directly would simplify the code and provide better error diagnostics when the git command fails.

Also applies to: 58-58

pkg/api/secretbootstrap/secretboostrap.go (1)

73-88: Deterministic ordering + deep-copying of Config looks solid overall

Using a deep copy in SaveConfigToFile and applying orderConfig only to the copy preserves the caller’s view of Config while giving you stable, normalized output for YAML and tests, which is a nice property for an exported helper.

orderConfig itself is nil‑safe and gives you a consistent normalization pass:

  • Cluster group member lists ([]string) are copied and sorted.
  • Secrets are sorted by the first To entry’s Cluster/Namespace/Name, with sensible handling of empty To slices.
  • UserSecretsTargetClusters and each DockerConfigJSONData slice are sorted, which removes slice-order nondeterminism in both top‑level and nested structures.

One thing to keep in mind for future maintainers: rebuilding ClusterGroups via sorted keys does not make map iteration deterministic (Go maps are unordered regardless of insertion order), so this normalization is mainly useful for struct equality and for having sorted per‑group member lists, not for relying on any particular map iteration order elsewhere. If you ever need deterministic traversal of cluster groups, you’ll still want to carry an explicit sorted key slice at call sites.

Also applies to: 90-155

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between e198410 and 2fa1a04.

📒 Files selected for processing (8)
  • cmd/ci-secret-bootstrap/main_test.go (4 hunks)
  • pkg/api/secretbootstrap/secretboostrap.go (2 hunks)
  • pkg/api/secretbootstrap/secretboostrap_test.go (5 hunks)
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1 hunks)
  • pkg/clusterinit/onboard/openshiftmonitoring.go (1 hunks)
  • pkg/config/release_test.go (2 hunks)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml (1 hunks)
  • test/integration/cluster-init/update-build99/expected/core-services/ci-secret-bootstrap/_config.yaml (5 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/integration/cluster-init/update-build99/expected/clusters/build-clusters/build99/openshift-monitoring/cluster-monitoring-config.yaml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • cmd/ci-secret-bootstrap/main_test.go
  • pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml
  • pkg/api/secretbootstrap/secretboostrap.go
  • pkg/config/release_test.go
  • pkg/api/secretbootstrap/secretboostrap_test.go
  • pkg/clusterinit/onboard/openshiftmonitoring.go
  • test/integration/cluster-init/update-build99/expected/core-services/ci-secret-bootstrap/_config.yaml
🧬 Code graph analysis (2)
cmd/ci-secret-bootstrap/main_test.go (1)
pkg/api/secretbootstrap/secretboostrap.go (4)
  • SecretConfig (59-62)
  • ItemContext (20-27)
  • DockerConfigJSONData (29-34)
  • SecretContext (45-53)
pkg/api/secretbootstrap/secretboostrap.go (1)
pkg/api/types.go (1)
  • Cluster (749-749)
🔇 Additional comments (7)
pkg/clusterinit/onboard/openshiftmonitoring.go (1)

138-139: LGTM!

The formatting adjustment to the raw string literal's closing backtick has no functional impact.

cmd/ci-secret-bootstrap/main_test.go (1)

179-402: LGTM! Test fixtures correctly updated for new API structure.

The changes systematically update test data to reflect the new ClusterGroups and DockerConfigJSONData fields introduced in the public API. Key updates include:

  • Adding the .dockerconfigjson secret as the first entry in defaultConfig (shifting the original secret from index 0 to 1)
  • Initializing DockerConfigJSONData to empty slices throughout ItemContext structs for consistency
  • Correctly updating error messages to reference config.1 instead of config.0 for the main secret, since the new .dockerconfigjson secret is now at index 0

The error message at lines 1023-1028 correctly captures two failures: the missing quay.io item for the new config.0 entry and the missing field in item-name-1 for config.1.

Also applies to: 1023-1028

pkg/config/release_test.go (1)

68-71: LGTM!

Parsing and validating the commit hash to be exactly 40 characters improves test robustness and ensures that only the hash (not extra whitespace or output) is passed to the callback.

pkg/api/secretbootstrap/secretboostrap_test.go (2)

52-99: Updated expectations around ClusterGroups and DockerConfigJSONData are consistent with the new API

The adjustments in TestResolving and TestLoadConfigFromFile to:

  • Declare ClusterGroups: nil explicitly,
  • Include From: nil where appropriate, and
  • Populate DockerConfigJSONData: nil in ItemContext expectations,

all line up with the extended Config/ItemContext shape and make the tests resilient to future ordering/normalization changes. The DPTP prefix tests correctly assert that the prefix is applied both to From.Item and to each DockerConfigJSONData[i].Item.

Also applies to: 92-107, 124-127, 172-187


259-275: Round‑trip test now validates semantic equality via orderConfig—good improvement

Switching TestRoundtripConfig to:

  • Load both the canonical fixture and the generated output into Config structs,
  • Normalize both via orderConfig(), and
  • Compare via cmp.Diff,

is a solid way to verify round‑tripping without being brittle to field ordering in YAML. This directly exercises SaveConfigToFile’s normalization behavior and keeps the test focused on logical equality of configs rather than raw file bytes.

pkg/api/secretbootstrap/testdata/zz_fixture_TestRoundtripConfig_basic_base.yaml (1)

38-55: Round‑trip fixture wiring for mirror/test secrets matches the new routing model

The added secret_configs entry for ops-mirror.pem/rh-cdn.pem:

  • Uses from items and fields consistent with ItemContext,
  • Targets cluster_groups (build_farm, cg_2, cg_3) rather than hard‑coding clusters,

which aligns with the updated ClusterGroups and resolving logic exercised in TestRoundtripConfig. Structurally this is compatible with the Go types and supports the new deterministic round‑trip behavior.

test/integration/cluster-init/update-build99/expected/core-services/ci-secret-bootstrap/_config.yaml (1)

30-46: Restructured secret mappings for build99 look coherent and type‑consistent

The updated _config.yaml:

  • Groups related sa.* entries under clearer logical items (e.g., ci-chat-bot, cluster-display, pod-scaler) while keeping field values aligned with the actual key names.
  • Points to blocks at appropriately renamed secrets (ci-chat-bot-kubeconfigs, cluster-display, dptp-controller-manager, github-ldap-user-group-creator, hook, pod-scaler, prow-controller-manager, sinker) in the expected ci namespace.
  • Uses from: {} for the empty registry‑pull config, which deserializes cleanly as an empty map and is compatible with the map[string]ItemContext type.

From a type/structure perspective this fixture matches the Go API and the updated routing model; no obvious miswirings or schema issues stand out in the changed sections.

Also applies to: 80-99, 121-151, 172-203, 218-236, 238-257, 257-257
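
The Output()/CombinedOutput() discussion in the review comments above, as an added Go example that is not code from this pull request or from the project: it runs a command once with Output(), reports stderr from *exec.ExitError on failure, extracts a 40-character hash from noisy output, and shows what a second call on the same exec.Cmd returns. The helper names, the `sh` stand-in for git and the hash value are assumptions made for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// isHex reports whether every character of s is a hexadecimal digit.
func isHex(s string) bool {
	for _, r := range s {
		if !strings.ContainsRune("0123456789abcdefABCDEF", r) {
			return false
		}
	}
	return true
}

// extractCommitHash returns the first line of out that is 40 hex characters.
func extractCommitHash(out string) (string, error) {
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if len(line) == 40 && isHex(line) {
			return line, nil
		}
	}
	return "", fmt.Errorf("no 40-character commit hash in output %q", out)
}

// runStdout runs the command once and returns stdout only. On a non-zero exit
// it reports the stderr that Output() stored in *exec.ExitError.
func runStdout(name string, args ...string) (string, error) {
	out, err := exec.Command(name, args...).Output()
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return string(out), fmt.Errorf("%s failed: %w, stderr: %s", name, err, bytes.TrimSpace(exitErr.Stderr))
	}
	return string(out), err
}

// reuseAfterOutput calls CombinedOutput() on a Cmd that Output() has already
// run and returns the error from that second call.
func reuseAfterOutput() error {
	cmd := exec.Command("sh", "-c", "exit 0")
	if _, err := cmd.Output(); err != nil {
		return fmt.Errorf("first run failed unexpectedly: %w", err)
	}
	_, err := cmd.CombinedOutput()
	return err
}

// fakeHash is a constructed 40-character value, not a real commit.
const fakeHash = "0123456789abcdef0123456789abcdef01234567"

func main() {
	// Constructed stand-in for a git command whose hook writes to stderr.
	out, err := runStdout("sh", "-c", "echo 'hook: running checks' >&2; echo "+fakeHash)
	hash, herr := extractCommitHash(out)
	fmt.Println(hash, err, herr)
	fmt.Println("second call on the same Cmd:", reuseAfterOutput())
}
```
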

@deepsm007 force-pushed the fix-breaking-changes branch from 2fa1a04 to d78043d, November 24, 2025 20:32
@deepsm007 force-pushed the fix-breaking-changes branch from d78043d to e642ad5, November 24, 2025 22:20
@openshift-ci
Contributor

openshift-ci bot commented Nov 24, 2025

@deepsm007: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/integration-optional-test | e45d4b9 | link | true | /test integration-optional-test |
| ci/prow/integration | e642ad5 | link | true | /test integration |
| ci/prow/images | e642ad5 | link | true | /test images |
| ci/prow/breaking-changes | e642ad5 | link | false | /test breaking-changes |
| ci/prow/unit | e642ad5 | link | true | /test unit |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Prucek
Member

Prucek commented Nov 25, 2025

Does it even help? The breaking-changes job is still failing

Comment on lines -90 to -123
type configWithoutUnmarshaler Config

func (c *Config) UnmarshalJSON(d []byte) error {
var target configWithoutUnmarshaler
if err := json.Unmarshal(d, &target); err != nil {
return err
}

*c = Config(target)
return c.resolve()
}

func (c *Config) MarshalJSON() ([]byte, error) {
target := &configWithoutUnmarshaler{
VaultDPTPPrefix: c.VaultDPTPPrefix,
ClusterGroups: c.ClusterGroups,
UserSecretsTargetClusters: c.UserSecretsTargetClusters,
}
pre := c.VaultDPTPPrefix + "/"
var secrets []SecretConfig
for _, s := range c.Secrets {
var secret SecretConfig
if err := deepcopy.Copy(&secret, s); err != nil {
return nil, err
}
stripVaultPrefix(&secret, pre)
secret.groupClusters()
secrets = append(secrets, secret)
}

target.Secrets = secrets
return json.Marshal(target)
}
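
Review bot: the removed MarshalJSON is where `stripVaultPrefix(&secret, pre)` and `secret.groupClusters()` ran before serializing, and the removed UnmarshalJSON is where `c.resolve()` ran on load. With both gone, the save path has to strip the prefix and regroup clusters itself, otherwise a config that is loaded, saved and loaded again would be resolved twice. A round-trip test with a non-empty VaultDPTPPrefix would show whether that still holds.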

Member

Nothing is using this code?

Contributor Author

I need to push the latest changes, I haven't had time to verify locally yet

if err := yaml.UnmarshalStrict(bytes, config); err != nil {
return err
}
return config.resolve()
Member

Why do we need to resolve it now?

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command.
