OCPBUGS-85791: Check more errors when copying private image secret #2909

Open
dlom wants to merge 1 commit into openshift:master from dlom:OCPBUGS-85791


dlom (Contributor) commented May 18, 2026

xref OCPBUGS-85791

/assign @suhanime

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced error handling for image pull secret operations during namespace termination to improve cluster stability and resilience.

openshift-ci-robot added labels May 18, 2026:
  • jira/severity-moderate: Referenced Jira bug's severity is moderate for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • jira/invalid-bug: Indicates that a referenced Jira bug is invalid for the branch this PR is targeting.

@openshift-ci-robot

@dlom: This pull request references Jira Issue OCPBUGS-85791, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

xref OCPBUGS-85791

/assign @suhanime

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented May 18, 2026

Walkthrough

The cluster deployment controller's ensurePrivateImagePullSecret method now handles secret copy failures more gracefully by checking whether the target namespace is terminating, skipping further work if so, and returning more specific errors for termination check failures or persistent copy issues.

Changes

Private image pull secret copy with namespace termination awareness

  • Layer / File(s): Private image pull secret copy with namespace termination check (pkg/controller/clusterdeployment/clusterdeployment_controller.go)
  • Summary: When CopySecret fails, the controller checks if the target namespace is terminating via namespaceTerminated. If terminating, it skips further work. If the termination check fails, it logs and returns a wrapped error. Otherwise, it returns the original copy failure wrapped with context. Success paths remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit hops through namespace halls,
When secrets copy, sometimes they fall,
But now we check if death draws near—
If terminating, skip and cheer! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly describes the main change: adding enhanced error checking when copying private image secrets, which matches the code modification in ensurePrivateImagePullSecret.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@openshift-ci openshift-ci Bot requested review from 2uasimojo and jstuever May 18, 2026 17:00

openshift-ci Bot (Contributor) commented May 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot added the approved label May 18, 2026 (approved: Indicates a PR has been approved by an approver from all required OWNERS files.)

dlom (Contributor, Author) commented May 18, 2026

/jira refresh

openshift-ci-robot added the jira/valid-bug label (Indicates that a referenced Jira bug is valid for the branch this PR is targeting.) and removed the jira/invalid-bug label (Indicates that a referenced Jira bug is invalid for the branch this PR is targeting.) May 18, 2026

@openshift-ci-robot

@dlom: This pull request references Jira Issue OCPBUGS-85791, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

/jira refresh


@openshift-ci-robot

@dlom: This pull request references Jira Issue OCPBUGS-85791, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

xref OCPBUGS-85791

/assign @suhanime

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced error handling for image pull secret operations during namespace termination to improve cluster stability and resilience.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/clusterdeployment/clusterdeployment_controller.go`:
- Around line 2525-2527: The log inside the err2 branch currently logs the wrong
error variable (cdLog.WithError(err).Warn(...)) which misleads debugging; change
it to log err2 (e.g., cdLog.WithError(err2).Warn("Error checking namespace
termination or discovering namespace")) so the logged error matches the returned
errors.Wrapf(err2, "failed to discover whether namespace %s is marked for
deletion", cd.Namespace); update the log message to clearly indicate this is a
namespace lookup/termination check failure and keep the existing return that
wraps err2.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 48242140-2e69-4816-a312-aa977ccb4a52

📥 Commits

Reviewing files that changed from the base of the PR and between 2369d9b and 5b5b878.

📒 Files selected for processing (1)
  • pkg/controller/clusterdeployment/clusterdeployment_controller.go

Comment on lines +2525 to +2527
if err2 != nil {
cdLog.WithError(err).Warn("Error copying private image pull secret")
return false, errors.Wrapf(err2, "failed to discover whether namespace %s is marked for deletion", cd.Namespace)
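
Review bot: In the `if err2 != nil` branch the warning is built from `err` while the returned error wraps `err2`, and nothing but a numeric suffix tells the two apart. Naming them for what they hold (for example `copyErr` and `nsErr`) would make it obvious at a glance that the log line and the return value deliberately report different failures, and a short comment saying so would save the next reader the same question.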

@coderabbitai coderabbitai Bot May 18, 2026

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Log the namespace lookup failure in the err2 branch.

Line 2526 logs err (copy failure) even though this branch handles err2 (namespace termination check failure). This can mislead debugging since the returned error is based on err2.

Suggested fix
-		if err2 != nil {
-			cdLog.WithError(err).Warn("Error copying private image pull secret")
-			return false, errors.Wrapf(err2, "failed to discover whether namespace %s is marked for deletion", cd.Namespace)
-		}
+		if err2 != nil {
+			cdLog.WithError(err2).Warn("failed to check whether target namespace is marked for deletion after private image pull secret copy failure")
+			return false, errors.Wrapf(err2, "failed to discover whether namespace %s is marked for deletion", cd.Namespace)
+		}
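
Review bot: The replacement log line on the `+` side passes only `err2`, and the return already wraps only `err2`, so after this suggestion the CopySecret failure held in `err` is no longer reported anywhere in the branch. Keep it visible, either as an extra field on the same log entry or inside the wrapped message, since it is the reason the namespace check ran in the first place.
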
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if err2 != nil {
cdLog.WithError(err).Warn("Error copying private image pull secret")
return false, errors.Wrapf(err2, "failed to discover whether namespace %s is marked for deletion", cd.Namespace)
if err2 != nil {
cdLog.WithError(err2).Warn("failed to check whether target namespace is marked for deletion after private image pull secret copy failure")
return false, errors.Wrapf(err2, "failed to discover whether namespace %s is marked for deletion", cd.Namespace)
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/clusterdeployment/clusterdeployment_controller.go` around
lines 2525 - 2527, The log inside the err2 branch currently logs the wrong error
variable (cdLog.WithError(err).Warn(...)) which misleads debugging; change it to
log err2 (e.g., cdLog.WithError(err2).Warn("Error checking namespace termination
or discovering namespace")) so the logged error matches the returned
errors.Wrapf(err2, "failed to discover whether namespace %s is marked for
deletion", cd.Namespace); update the log message to clearly indicate this is a
namespace lookup/termination check failure and keep the existing return that
wraps err2.

Member


I think the way you've got it written up makes sense, as you're bailing on the reconcile based on the namespace termination discovery failing; but it's still constructive to know why CopySecret failed.


@2uasimojo — that's a fair point. Both failure contexts are useful: why the copy failed, and why the fallback namespace check also failed. A clean way to surface both without two separate log lines would be to attach the original copy error as a field:

if err2 != nil {
    cdLog.WithError(err2).
        WithField("copyError", err.Error()).
        Warn("failed to check whether target namespace is marked for deletion after private image pull secret copy failure")
    return false, errors.Wrapf(err2, "failed to discover whether namespace %s is marked for deletion", cd.Namespace)
}

This way:

  • WithError(err2) surfaces the namespace-check failure (which drives the returned error),
  • WithField("copyError", err.Error()) preserves the original CopySecret failure for debugging.

Alternatively, two separate log calls work just as well if you prefer that style:

if err2 != nil {
    cdLog.WithError(err).Warn("Error copying private image pull secret")
    cdLog.WithError(err2).Warn("failed to check whether target namespace is marked for deletion")
    return false, errors.Wrapf(err2, "failed to discover whether namespace %s is marked for deletion", cd.Namespace)
}

Either approach is an improvement over the current code which logs err but returns/wraps err2, making the log misleading.
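
The failure branch debated in this thread, as an added Go example (not code from this PR or its repository): a hypothetical `resolveCopyFailure` helper returns an error chain that keeps both the copy failure and the namespace-check failure. The function and error names are assumptions, and the standard library's `fmt.Errorf` with `%w` stands in for the PR's `errors.Wrapf`.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sentinel errors standing in for the two failures in the thread.
var (
	errCopy    = errors.New("constructed: secret copy rejected")
	errNSCheck = errors.New("constructed: namespace lookup failed")
)

// resolveCopyFailure is a hypothetical helper, not the controller's code.
// copyErr plays the role of the CopySecret error (err in the PR) and
// nsTerminating the role of the namespaceTerminated check (whose error is err2).
// skip=true means the namespace is going away and the failure can be ignored.
func resolveCopyFailure(ns string, copyErr error, nsTerminating func() (bool, error)) (skip bool, err error) {
	if copyErr == nil {
		return false, nil // copy succeeded, nothing to resolve
	}
	terminating, nsErr := nsTerminating()
	if nsErr != nil {
		// Two %w verbs (Go 1.20+) keep both causes in the chain, so neither
		// the log reader nor errors.Is loses the original copy failure.
		return false, fmt.Errorf("failed to discover whether namespace %s is marked for deletion: %w (after copy failure: %w)", ns, nsErr, copyErr)
	}
	if terminating {
		return true, nil
	}
	return false, fmt.Errorf("failed to copy private image pull secret into namespace %s: %w", ns, copyErr)
}

func main() {
	checks := []struct {
		name string
		fn   func() (bool, error)
	}{
		{"terminating", func() (bool, error) { return true, nil }},
		{"live", func() (bool, error) { return false, nil }},
		{"check fails", func() (bool, error) { return false, errNSCheck }},
	}
	for _, c := range checks {
		skip, err := resolveCopyFailure("demo", errCopy, c.fn)
		fmt.Printf("%-12s skip=%v err=%v\n", c.name, skip, err)
	}
}
```
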

codecov Bot commented May 18, 2026

Codecov Report

❌ Patch coverage is 0% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.38%. Comparing base (2369d9b) to head (5b5b878).

Files with missing lines:
  • .../clusterdeployment/clusterdeployment_controller.go: patch coverage 0.00%, 11 lines missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2909      +/-   ##
==========================================
- Coverage   50.39%   50.38%   -0.02%     
==========================================
  Files         281      281              
  Lines       34368    34378      +10     
==========================================
  Hits        17320    17320              
- Misses      15696    15706      +10     
  Partials     1352     1352              

Files with missing lines (Coverage Δ):
  • .../clusterdeployment/clusterdeployment_controller.go: 62.46% <0.00%> (-0.33%) ⬇️

openshift-ci Bot (Contributor) commented May 18, 2026

@dlom: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: ci/prow/security; Commit: 5b5b878; Details: link; Required: true; Rerun command: /test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

2uasimojo (Member) left a comment

This had me a little worried: unlike where this logic was copied from, we're not in a deletion path here (yet). But I think I've convinced myself it works properly 👍

Unit test case or two? (The fact that I didn't write one for the parent code is no excuse :P )

