
feat(api): add OAuthNoProxyEndpoints field for IBMCloud platform #8580

Draft
pamelachristie wants to merge 1 commit into openshift:main from pamelachristie:ibmcloud-endpoints-field


@pamelachristie pamelachristie commented May 22, 2026

What this PR does / why we need it:

This PR adds a new optional field oauthNoProxyEndpoints to the IBMCloudPlatformSpec API to allow users to specify additional endpoints that should be added to the OAuth server's NO_PROXY configuration.

The change extends the existing IBM Cloud platform configuration by:

  • Adding the new `OAuthNoProxyEndpoints` field to the API types with appropriate validation (1-50 items, each 1-253 characters)
  • Updating the CRD manifests for HostedCluster, HostedControlPlane, and NodePool resources
  • Modifying the OAuth server deployment logic to append user-specified endpoints to the default IBM Cloud endpoints (`iam.cloud.ibm.com`, `iam.test.cloud.ibm.com`)
  • Fixing the DeepCopy implementation to properly handle the new slice field
  • Updating the client apply configuration to support the new field

This allows IBM Cloud users to configure additional no-proxy endpoints for their OAuth server without having to override the defaults, which is particularly useful in environments with custom IAM endpoints or private network configurations.

This PR is based on the original work in #8241 and discussion with Caesar.

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

  • The change maintains backward compatibility by keeping the default IBM Cloud endpoints (iam.cloud.ibm.com, iam.test.cloud.ibm.com) and only appending user-specified endpoints
  • Validation ensures between 1-50 endpoints can be specified, with each endpoint being 1-253 characters long
  • The field is marked as optional and uses listType=set to prevent duplicates
  • Both v1 and v2 OAuth controller implementations have been updated consistently
  • The DeepCopy generator correctly identified the need to update the copy logic from shallow (**out = **in) to deep copy (DeepCopyInto) due to the new slice field

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features
    • Added support for configurable OAuth no-proxy endpoints on IBM Cloud platforms, allowing users to specify additional endpoints to exclude from proxy settings while maintaining backward compatibility.

Add configurable OAuthNoProxyEndpoints field to IBMCloudPlatformSpec
to allow specifying additional endpoints for OAuth no-proxy configuration.

This enables platform-specific customization of OAuth proxy bypass rules
for IBM Cloud hosted clusters.
@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode


openshift-ci Bot commented May 22, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci Bot added the do-not-merge/work-in-progress (indicates that a PR should not merge because it is a work in progress) and do-not-merge/needs-area labels May 22, 2026

coderabbitai Bot commented May 22, 2026

Walkthrough

This pull request extends the IBM Cloud platform specification with a new optional OAuthNoProxyEndpoints field that allows users to configure additional endpoints that should bypass the OAuth proxy. The change introduces the schema field in IBMCloudPlatformSpec, then implements support for it in two OAuth configuration code paths: the OAuth server parameters and the v2 OAuth deployment environment. Both implementation paths maintain backward compatibility by starting with default IBM Cloud endpoints and then appending any additional user-specified endpoints.

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | No test files exist for the new functionality: params.go and v2/oauth/deployment.go changes lack test coverage, violating the custom check's requirement for proper test structure and quality. | Add params_test.go and deployment_test.go test files covering IBMCloud OAuth NO_PROXY endpoint merge behavior with single-responsibility tests, proper assertions with messages, and Gomega patterns consistent with codebase. |

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding an OAuthNoProxyEndpoints field to the IBMCloud platform specification. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR does not add any Ginkgo tests. The custom check for stable test names is not applicable since no test files were added or modified. PR only modifies API definitions and implementation code. |
| Microshift Test Compatibility | ✅ Passed | PR adds API field and controller logic only; no new Ginkgo e2e tests are added, so MicroShift compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR only adds API type field and controller logic changes, not new Ginkgo e2e tests. Custom check applies only to new Ginkgo tests. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR introduces only API field addition and OAuth NO_PROXY environment variable configuration. No scheduling constraints (affinity, topology spread, replica counts, nodeSelectors) are added or modified. |
| Ote Binary Stdout Contract | ✅ Passed | PR has no process-level entry points (main, init, TestMain, BeforeSuite). Changes are API struct fields and controller utility functions with data operations only—no stdout writes. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests were added in this PR. Changes are API/controller updates with standard Go unit tests only. |


openshift-ci Bot added the area/api (indicates the PR includes changes for the API), area/cli (indicates the PR includes changes for CLI), area/control-plane-operator (indicates the PR includes changes for the control plane operator - in an OCP release) and area/documentation (indicates the PR includes changes for documentation) labels and removed the do-not-merge/needs-area label May 22, 2026

openshift-ci Bot commented May 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pamelachristie
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
api/hypershift/v1beta1/hostedcluster_types.go (1)

1366-1374: ⚡ Quick win

Strengthen the API contract with endpoint-shape validation.

The new field only enforces count and length; invalid values (e.g., URL-with-scheme, whitespace-only, malformed hosts) can still pass and silently produce ineffective NO_PROXY entries. Add item-level validation (CEL/pattern) for supported endpoint formats.

As per coding guidelines, "Design APIs contract-first" and "Prefer admission-time CEL validation over controller-time validation; use CEL rules, not webhooks, for new validation."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/hypershift/v1beta1/hostedcluster_types.go` around lines 1366 - 1374, The
OAuthNoProxyEndpoints slice allows invalid endpoint shapes; add item-level
validation to reject schemes, whitespace-only strings, and malformed hosts by
adding a kubebuilder items-pattern and a CEL rule that each element of
OAuthNoProxyEndpoints matches a host or host:port pattern (no scheme, no
surrounding whitespace, valid hostname/IP or hostname:port), e.g. add a
+kubebuilder:validation:items:Pattern annotation on OAuthNoProxyEndpoints and a
corresponding CRD CEL validation expression referencing OAuthNoProxyEndpoints to
enforce the same regex per item so invalid entries are rejected at admission
time.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9c5a198e-2d55-4ff2-9030-fa3f505ed02f

📥 Commits

Reviewing files that changed from the base of the PR and between d24af10 and b3a05ad.

⛔ Files ignored due to path filters (44)
  • api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*.go, !**/zz_generated*
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • client/applyconfiguration/hypershift/v1beta1/ibmcloudplatformspec.go is excluded by !client/**
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/nodepools-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/nodepools-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/nodepools-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • docs/content/reference/aggregated-docs.md is excluded by !docs/content/reference/aggregated-docs.md
  • docs/content/reference/api.md is excluded by !docs/content/reference/api.md
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
📒 Files selected for processing (3)
  • api/hypershift/v1beta1/hostedcluster_types.go
  • control-plane-operator/controllers/hostedcontrolplane/oauth/params.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go

Comment on lines +1366 to +1374
// oauthNoProxyEndpoints is a list of endpoints that should be added to the OAuth
// no_proxy configuration.
// +optional
// +listType=set
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=50
// +kubebuilder:validation:items:MinLength=1
// +kubebuilder:validation:items:MaxLength=253
OAuthNoProxyEndpoints []string `json:"oauthNoProxyEndpoints,omitempty"`
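Review bot: The item markers on `OAuthNoProxyEndpoints` bound only length (`items:MinLength=1`, `items:MaxLength=253`), so any 1-253 character string is admitted, including a URL with a scheme, a value containing a comma or whitespace, or a bare `*`, which NO_PROXY implementations such as Go's httpproxy package read as "bypass the proxy for every host". Since each entry widens what the OAuth server reaches without the proxy, add an item-level `Pattern` or a CEL rule that limits entries to the forms the server is meant to accept (for example hostname, host:port, IP or CIDR) so bad values are rejected at admission. The doc comment should also state the accepted entry format and that the entries are added on top of the built-in IBM Cloud defaults rather than replacing them.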
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

API linter findings are missing for this API change.

Please run make api-lint-fix and include its output in the PR review context before merge.

As per coding guidelines, "**/api/**: Run make api-lint-fix before writing any review and include its output in the review. The linter is the authoritative source for convention violations. Review must start with linter findings, then add your own analysis on top."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/hypershift/v1beta1/hostedcluster_types.go` around lines 1366 - 1374, The
API change adding the OAuthNoProxyEndpoints field in hostedcluster_types.go
lacks the required API linter output; run make api-lint-fix and commit the fixes
it produces, then include the make api-lint-fix output in the PR description;
specifically ensure the kubebuilder validation annotations on the
OAuthNoProxyEndpoints slice (OAuthNoProxyEndpoints []string) conform to the
linter suggestions and any generated CRD or deepcopy changes are staged and
pushed with the PR.

Comment on lines 97 to +103
if hcp.Spec.Platform.Type == hyperv1.IBMCloudPlatform {
// Add default IBM Cloud endpoints for backward compatibility
p.OAuthNoProxy = append(p.OAuthNoProxy, "iam.cloud.ibm.com", "iam.test.cloud.ibm.com")
// Add any additional endpoints specified in the platform spec
if hcp.Spec.Platform.IBMCloud != nil && len(hcp.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints) > 0 {
p.OAuthNoProxy = append(p.OAuthNoProxy, hcp.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints...)
}
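Review bot: The second `append` copies `hcp.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints...` without checking the entries against the two defaults appended just above it, so a user-supplied `iam.cloud.ibm.com` lands in `p.OAuthNoProxy` twice; `+listType=set` on the field only guarantees uniqueness within the field itself. Skip entries that are already present before appending. The `len(...) > 0` guard is redundant because appending an empty slice is a no-op, so only the `IBMCloud != nil` check is needed. Entries are also appended verbatim, which means any trimming or shape checking has to be enforced by the API validation, since nothing here does it.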
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify whether tests already cover the new behavior.
rg -n --type=go -g '*_test.go' \
  'OAuthNoProxyEndpoints|NewOAuthServerParams|NO_PROXY|iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com|IBMCloudPlatform'

Repository: openshift/hypershift

Length of output: 16241


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Locate the function and relevant symbols in the target file
echo "== params.go excerpt for context =="
sed -n '1,200p' control-plane-operator/controllers/hostedcontrolplane/oauth/params.go | nl -ba | sed -n '70,140p'

# 2) Search for tests or usages in the oauth package
echo "== Search for OAuthNoProxy* in oauth package tests =="
rg -n --type=go \
  'OAuthNoProxyEndpoints|OAuthNoProxy|NewOAuthServerParams|OAuthNoProxyEndpoints' \
  control-plane-operator/controllers/hostedcontrolplane/oauth -S

echo "== Search for NO_PROXY env merge logic specifically tied to OAuth in oauth tests =="
rg -n --type=go \
  'NO_PROXY|no_proxy|OAuth' \
  control-plane-operator/controllers/hostedcontrolplane/oauth/* -S

# 3) Find any *_test.go in the oauth directory and list them
echo "== *_test.go files in oauth directory =="
fd -e go --changed-within 99999d '*_test.go' control-plane-operator/controllers/hostedcontrolplane/oauth -a | cat

Repository: openshift/hypershift

Length of output: 161


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Print params.go with line numbers (no nl available)
echo "== params.go excerpt for context =="
awk 'NR>=70 && NR<=140 {printf "%d\t%s\n", NR, $0}' control-plane-operator/controllers/hostedcontrolplane/oauth/params.go

echo
echo "== *_test.go files in oauth directory =="
fd -e go --changed-within 99999d '*_test.go' control-plane-operator/controllers/hostedcontrolplane/oauth -a | sort

echo
echo "== Search for OAuthNoProxy* in oauth package =="
rg -n --type=go \
  'OAuthNoProxyEndpoints|OAuthNoProxy|NewOAuthServerParams' \
  control-plane-operator/controllers/hostedcontrolplane/oauth -S

echo
echo "== Search for IBMCloud OAuthNoProxy / iam.cloud.ibm.com / OAuthNoProxyEndpoints in oauth package =="
rg -n --type=go \
  'IBMCloud|iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com|OAuthNoProxyEndpoints|OAuthNoProxy' \
  control-plane-operator/controllers/hostedcontrolplane/oauth -S

Repository: openshift/hypershift

Length of output: 2621


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== List *_test.go under oauth directory =="
fd --type f '*_test.go' control-plane-operator/controllers/hostedcontrolplane/oauth | sort || true

echo
echo "== Search for NewOAuthServerParams in repo =="
rg -n --type=go 'func\s+NewOAuthServerParams|NewOAuthServerParams' . || true

echo
echo "== Search for OAuthNoProxy in repo =="
rg -n --type=go 'OAuthNoProxy' . || true

echo
echo "== Search for iam.cloud.ibm.com in repo (go/tests) =="
rg -n --type=go 'iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com' . || true

Repository: openshift/hypershift

Length of output: 7000


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== *_test.go under control-plane-operator/controllers/hostedcontrolplane/oauth =="
fd --type f --glob '*_test.go' control-plane-operator/controllers/hostedcontrolplane/oauth | sort

echo
echo "== Search in oauth tests for IBMCloud NO_PROXY / iam.cloud.ibm.com =="
rg -n --type=go 'iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com|NO_PROXY|OAuthNoProxyEndpoints|OAuthNoProxy' \
  control-plane-operator/controllers/hostedcontrolplane/oauth -S || true

echo
echo "== Search for NewOAuthServerParams usage in oauth tests =="
rg -n --type=go 'NewOAuthServerParams' \
  control-plane-operator/controllers/hostedcontrolplane/oauth -S || true

echo
echo "== If service_test.go exists, show relevant sections (first 220 lines) =="
if [ -f control-plane-operator/controllers/hostedcontrolplane/oauth/service_test.go ]; then
  sed -n '1,220p' control-plane-operator/controllers/hostedcontrolplane/oauth/service_test.go | nl -ba 2>/dev/null || sed -n '1,220p' control-plane-operator/controllers/hostedcontrolplane/oauth/service_test.go
fi

echo
echo "== Show more targeted region around any IBMCloud/NO_PROXY assertions (search within file) =="
if [ -f control-plane-operator/controllers/hostedcontrolplane/oauth/service_test.go ]; then
  rg -n 'IBMCloud|NO_PROXY|iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com|OAuthNoProxy' control-plane-operator/controllers/hostedcontrolplane/oauth/service_test.go || true
fi

Repository: openshift/hypershift

Length of output: 9071


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== *_test.go containing iam.cloud.ibm.com =="
rg -n --type=go -g '*_test.go' 'iam\.cloud\.ibm\.com' . || true

echo
echo "== *_test.go containing iam.test.cloud.ibm.com =="
rg -n --type=go -g '*_test.go' 'iam\.test\.cloud\.ibm\.com' . || true

echo
echo "== *_test.go containing OAuthNoProxyEndpoints =="
rg -n --type=go -g '*_test.go' 'OAuthNoProxyEndpoints' . || true

echo
echo "== *_test.go containing OAuthNoProxy merge mentions =="
rg -n --type=go -g '*_test.go' 'OAuthNoProxy' control-plane-operator . || true

echo
echo "== *_test.go containing 'iam.cloud' within control-plane-operator =="
rg -n --type=go -g '*_test.go' 'iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com' control-plane-operator . || true

Repository: openshift/hypershift

Length of output: 504


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== *_test.go under control-plane-operator/controllers/hostedcontrolplane/v2/oauth =="
fd --type f --glob '*_test.go' control-plane-operator/controllers/hostedcontrolplane/v2/oauth | sort || true

echo
echo "== Search v2/oauth tests for NO_PROXY / IBMCloudPlatform / OAuthNoProxyEndpoints =="
rg -n --type=go \
  'NO_PROXY|IBMCloudPlatform|OAuthNoProxyEndpoints|OAuthNoProxy|iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com' \
  control-plane-operator/controllers/hostedcontrolplane/v2/oauth -S || true

echo
echo "== Search v2/oauth_apiserver tests for IBMCloudPlatform + NO_PROXY assembly =="
fd --type f --glob '*_test.go' control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver | sort || true
rg -n --type=go \
  'NO_PROXY|IBMCloudPlatform|iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com|OAuthNoProxyEndpoints' \
  control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver -S || true

Repository: openshift/hypershift

Length of output: 2368


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search in v2/oauth_apiserver tests for IBMCloud default endpoints =="
rg -n --type=go \
  'iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com|OAuthNoProxyEndpoints' \
  control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/*_test.go -S || true

echo
echo "== Search in v2/oauth_apiserver deployment_test.go for platform IBMCloud ===="
rg -n --type=go 'IBMCloudPlatform' control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go -S || true

echo
echo "== Show relevant NO_PROXY assertion blocks in v2/oauth_apiserver/deployment_test.go (around matches) =="
rg -n --type=go 'NO_PROXY' control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go -n -S
rg -n --type=go 'iam\.cloud\.ibm\.com|iam\.test\.cloud\.ibm\.com' control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go -S || true

# Print a small neighborhood around the first NO_PROXY assertion occurrences
echo
echo "== Neighborhood for first 2 NO_PROXY matches =="
rg -n --type=go 'FindEnvVar\("NO_PROXY"|Check NO_PROXY|NO_PROXY' control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go -S | head -n 2 | cut -d: -f1 | while read -r line; do
  echo "--- around line $line ---"
  sed -n "$((line-20)),$((line+20))p" control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go
done

Repository: openshift/hypershift

Length of output: 3640


Add unit tests for IBMCloud OAuth NO_PROXY endpoint merge behavior (defaults + optional OAuthNoProxyEndpoints). (control-plane-operator/controllers/hostedcontrolplane/oauth/params.go:97-103)

The IBMCloud branch always adds defaults (iam.cloud.ibm.com, iam.test.cloud.ibm.com) and then conditionally appends hcp.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints only when IBMCloud != nil. No existing unit tests cover these merge semantics (defaults-only, defaults+custom endpoints, and nil IBMCloud spec). Add/extend tests for NewOAuthServerParams/OAuthServerParams.OAuthNoProxy.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@control-plane-operator/controllers/hostedcontrolplane/oauth/params.go` around
lines 97 - 103, Add unit tests for NewOAuthServerParams to verify IBMCloud OAuth
NO_PROXY merge semantics: (1) when Platform.Type == hyperv1.IBMCloud and
IBMCloud is nil, OAuthServerParams.OAuthNoProxy contains only the default
entries "iam.cloud.ibm.com" and "iam.test.cloud.ibm.com"; (2) when IBMCloud is
non-nil but OAuthNoProxyEndpoints is empty, OAuthNoProxy still contains only the
defaults; and (3) when IBMCloud.OAuthNoProxyEndpoints contains values,
OAuthNoProxy contains the defaults plus those endpoints in the merged slice.
Construct HostedControlPlane objects with Platform.Type == hyperv1.IBMCloud and
varying IBMCloud/OAuthNoProxyEndpoints values, call NewOAuthServerParams, and
assert OAuthServerParams.OAuthNoProxy equals the expected slice (including order
if relevant).

@codecov

codecov Bot commented May 22, 2026

Codecov Report

❌ Patch coverage is 0% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.40%. Comparing base (d24af10) to head (b3a05ad).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...tor/controllers/hostedcontrolplane/oauth/params.go | 0.00% | 5 Missing ⚠️ |
| ...trollers/hostedcontrolplane/v2/oauth/deployment.go | 0.00% | 5 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8580      +/-   ##
==========================================
- Coverage   40.41%   40.40%   -0.01%     
==========================================
  Files         755      755              
  Lines       93235    93243       +8     
==========================================
  Hits        37679    37679              
- Misses      52854    52862       +8     
  Partials     2702     2702              

| Files with missing lines | Coverage Δ |
|---|---|
| ...tor/controllers/hostedcontrolplane/oauth/params.go | 0.00% <0.00%> (ø) |
| ...trollers/hostedcontrolplane/v2/oauth/deployment.go | 0.00% <0.00%> (ø) |

| Flag | Coverage Δ |
|---|---|
| cmd-support | 34.44% <ø> (ø) |
| cpo-hostedcontrolplane | 41.74% <0.00%> (-0.03%) ⬇️ |
| cpo-other | 40.31% <ø> (ø) |
| hypershift-operator | 50.72% <ø> (ø) |
| other | 31.58% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.


@hypershift-jira-solve-ci

I already have all the information I need from the diff, Codecov report, and PR comments. Let me now compile the complete analysis.

Test Failure Analysis Complete

Job Information

  • Prow Job: codecov/patch
  • Build ID: 77461967822 (GitHub Check Run)
  • PR: #8580 — feat(api): add OAuthNoProxyEndpoints field for IBMCloud platform
  • Target: Patch coverage gate
  • Result: 0% patch coverage (10 lines uncovered)

Test Failure Analysis

Error

Patch coverage is 0% with 10 lines in your changes missing coverage.
Files with missing lines:
  - control-plane-operator/controllers/hostedcontrolplane/oauth/params.go: 0.00% (5 lines missing)
  - control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go: 0.00% (5 lines missing)

Summary

The codecov/patch check failed because the PR adds 10 new executable lines of Go code across two files (oauth/params.go and v2/oauth/deployment.go) — all implementing the new OAuthNoProxyEndpoints field for IBMCloud — but includes zero unit tests covering that logic. Codecov reports 0% patch coverage. Both files already had 0% file-level coverage before this PR, meaning no existing tests exercise any code in these files. The client/ directory changes, vendor/ files, YAML manifests, docs, and api/ type definitions are all correctly excluded from coverage via the repository's codecov.yml ignore rules, so only the two controller files with runtime logic are flagged.

Root Cause

The root cause is missing unit tests for new runtime logic. Specifically:

  1. control-plane-operator/controllers/hostedcontrolplane/oauth/params.go (5 uncovered lines): The PR adds lines 98–102, which check whether hcp.Spec.Platform.IBMCloud is non-nil and OAuthNoProxyEndpoints is populated, then appends those endpoints to p.OAuthNoProxy. This is a conditional branch with runtime behavior that no test exercises.

  2. control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go (5 uncovered lines): The PR adds lines 60–64, which perform the same conditional check and append OAuthNoProxyEndpoints values to the noProxy slice used for the NO_PROXY environment variable in the OAuth deployment. This file already has 0% coverage — no tests exist for the adaptDeployment function.

Both files had 0% coverage before this PR (the ø delta confirms no change to pre-existing file coverage). The PR added new conditional branches but no corresponding _test.go files or test cases. The codecov/patch gate requires that changed lines have test coverage, and since none of these 10 lines are hit by any test, the check fails.

The codecov.yml configuration correctly ignores client/**, vendor/**, docs/**, and **/*.yaml — so the only files counted toward patch coverage are exactly these two controller files containing executable logic.

Recommendations
  1. Add unit tests for NewOAuthServerParams in oauth/params.go: Create a test (e.g., in params_test.go) that constructs a HostedControlPlane with Platform.Type = IBMCloudPlatform and Platform.IBMCloud.OAuthNoProxyEndpoints populated. Assert that the returned OAuthServerParams.OAuthNoProxy contains both the default endpoints (iam.cloud.ibm.com, iam.test.cloud.ibm.com) and the custom endpoints.

  2. Add unit tests for adaptDeployment in v2/oauth/deployment.go: Create a test (e.g., in deployment_test.go) that verifies the NO_PROXY environment variable on the OAuth container includes custom OAuthNoProxyEndpoints when the IBMCloud platform spec is set.

  3. Cover the nil/empty guard branches: Ensure tests also cover the cases where IBMCloud is nil or OAuthNoProxyEndpoints is empty, verifying that only the default endpoints are set (backward compatibility).

  4. Consider adding the API types file to the codecov ignore list: The file api/hypershift/v1beta1/hostedcluster_types.go contains only struct definitions and is already effectively excluded from coverage. If future type-only changes trigger coverage concerns, adding it to the codecov.yml ignore list would be consistent with the existing pattern (e.g., api/ibmcapi/types.go is already ignored).

Evidence

| Evidence | Detail |
|---|---|
| Check run conclusion | failure — "0.00% of diff hit (target 40.41%)" |
| Uncovered file 1 | control-plane-operator/controllers/hostedcontrolplane/oauth/params.go — 5 lines, 0% patch coverage |
| Uncovered file 2 | control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go — 5 lines, 0% patch coverage |
| Pre-existing file coverage | Both files had 0.00% coverage before the PR (delta = ø) |
| Total uncovered lines | 10 new executable lines with 0 test hits |
| Codecov ignore rules | `client/**`, `vendor/**`, `docs/**`, `**/*.yaml`, `**/*.md` are all correctly excluded |
| Codecov report | Codecov PR #8580 |
| CodeRabbit pre-merge warning | "No test files exist for the new functionality: params.go and v2/oauth/deployment.go changes lack test coverage" |
| Diff in params.go (lines 98–102) | `if hcp.Spec.Platform.IBMCloud != nil && len(hcp.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints) > 0 { p.OAuthNoProxy = append(p.OAuthNoProxy, hcp.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints...) }` |
| Diff in deployment.go (lines 60–64) | `if cpContext.HCP.Spec.Platform.IBMCloud != nil && len(cpContext.HCP.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints) > 0 { noProxy = append(noProxy, cpContext.HCP.Spec.Platform.IBMCloud.OAuthNoProxyEndpoints...) }` |
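
The three merge cases both reviews above ask for (nil IBMCloud spec, empty list, defaults plus custom endpoints), written as an added table-driven example that is not code from this PR or from the HyperShift repository. `IBMCloudPlatformSpec` here is a stand-in type, `ibmCloudOAuthNoProxy` and `failedMergeCases` are hypothetical names modelling the branch quoted from `params.go`, and `iam.private.example.test` is a constructed host.

```go
package main

import (
	"fmt"
	"reflect"
)

// IBMCloudPlatformSpec is a stand-in (assumption) carrying only the field this PR adds.
type IBMCloudPlatformSpec struct {
	OAuthNoProxyEndpoints []string
}

// ibmCloudOAuthNoProxy (hypothetical name) models the IBMCloud branch: defaults first,
// then user endpoints appended only when the spec is non-nil and the list is non-empty.
func ibmCloudOAuthNoProxy(ibm *IBMCloudPlatformSpec) []string {
	noProxy := []string{"iam.cloud.ibm.com", "iam.test.cloud.ibm.com"}
	if ibm != nil && len(ibm.OAuthNoProxyEndpoints) > 0 {
		noProxy = append(noProxy, ibm.OAuthNoProxyEndpoints...)
	}
	return noProxy
}

// failedMergeCases runs the three requested cases and returns the names of any that fail.
func failedMergeCases() []string {
	defaults := []string{"iam.cloud.ibm.com", "iam.test.cloud.ibm.com"}
	custom := []string{"iam.private.example.test"} // constructed sample host
	cases := []struct {
		name string
		ibm  *IBMCloudPlatformSpec
		want []string
	}{
		{"nil IBMCloud spec", nil, defaults},
		{"empty endpoint list", &IBMCloudPlatformSpec{}, defaults},
		{"custom endpoints", &IBMCloudPlatformSpec{OAuthNoProxyEndpoints: custom},
			[]string{"iam.cloud.ibm.com", "iam.test.cloud.ibm.com", "iam.private.example.test"}},
	}
	var failed []string
	for _, c := range cases {
		if got := ibmCloudOAuthNoProxy(c.ibm); !reflect.DeepEqual(got, c.want) {
			failed = append(failed, c.name)
		}
	}
	return failed
}

func main() {
	fmt.Println("failed cases:", failedMergeCases())
}
```

The same table can drive a real test by swapping the stand-in function for a call to `NewOAuthServerParams` and comparing against `OAuthServerParams.OAuthNoProxy`, as the review suggests.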


Labels

  • area/api: Indicates the PR includes changes for the API
  • area/cli: Indicates the PR includes changes for CLI
  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • area/documentation: Indicates the PR includes changes for documentation
  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
