Skip to content

CNTRLPLANE-3763: tag bastion resources with e2e provenance#9022

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
ironcladlou:ws/hcp-missing-aws-tags
Jul 17, 2026
Merged

CNTRLPLANE-3763: tag bastion resources with e2e provenance#9022
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
ironcladlou:ws/hcp-missing-aws-tags

Conversation

@ironcladlou

@ironcladlou ironcladlou commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

The bastion keypair, security group, and EC2 instance were missed
in PR #8909. Plumb AdditionalTags through CreateBastionOpts so
the e2e journal dump path tags them with source and prow-job-id.

Summary by CodeRabbit

  • New Features
    • Added support for applying custom key=value tags when creating AWS bastions.
    • Custom tags are applied consistently to the bastion’s security group, key pair, and EC2 instance.
    • Automated environments now include source and job-identification tags on created bastions.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot

openshift-ci-robot commented Jul 16, 2026

Copy link
Copy Markdown

@ironcladlou: This pull request references CNTRLPLANE-3763 which is a valid jira issue.

Details

In response to this:

These were missed in #8909

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 16, 2026
@openshift-ci
openshift-ci Bot requested review from devguyio and enxebre July 16, 2026 19:56
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

The AWS bastion creation command adds an --additional-tags string-slice flag, parses supplied key=value entries, and propagates the resulting tags to security groups, key pairs, and EC2 instances. E2E bastion setup now adds Hypershift source and optional Prow job tags.

Sequence Diagram(s)

sequenceDiagram
  participant E2ESetup
  participant BastionCreate
  participant AWSResources
  participant EC2
  E2ESetup->>BastionCreate: provide source and Prow job tags
  BastionCreate->>BastionCreate: parse key=value tags
  BastionCreate->>AWSResources: pass additional tags
  AWSResources->>EC2: apply tags to resource specifications
Loading

Suggested reviewers: enxebre, devguyio

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo It/Describe/Context/When titles were added or changed in the touched files; the e2e change only threads tags through helper code.
Test Structure And Quality ✅ Passed No Ginkgo specs were changed; the only test-side edit is a helper that adds tags and still cleans up the bastion with t.Cleanup.
Topology-Aware Scheduling Compatibility ✅ Passed PR only adds AWS bastion resource tagging in CLI/e2e helper; no manifests, controllers, affinities, selectors, or topology-dependent scheduling logic were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the e2e util change only threads AWS tags into an existing helper, with no new IPv4 or public-internet assumptions.
No-Weak-Crypto ✅ Passed Touched files only add AWS tag plumbing; they import no crypto packages and contain no weak ciphers, hashes, or secret comparisons.
Container-Privileges ✅ Passed Only Go files changed for AWS bastion tagging; no container/K8s manifests or privileged/hostNetwork/allowPrivilegeEscalation settings were added.
No-Sensitive-Data-In-Logs ✅ Passed No new logging of secrets/PII/internal hostnames was added; new tag values are only propagated to AWS tags, and touched log lines only emit IDs/IPs.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding e2e provenance tagging to bastion AWS resources.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added area/cli Indicates the PR includes changes for CLI area/platform/aws PR/issue for AWS (AWSPlatform) platform area/testing Indicates the PR includes changes for e2e testing and removed do-not-merge/needs-area labels Jul 16, 2026
The bastion keypair, security group, and EC2 instance were missed
in PR openshift#8909. Plumb AdditionalTags through CreateBastionOpts so
the e2e journal dump path tags them with source and prow-job-id.
@ironcladlou
ironcladlou force-pushed the ws/hcp-missing-aws-tags branch from 5ba9d86 to 9c3de5d Compare July 16, 2026 19:58
@ironcladlou ironcladlou changed the title CNTRLPLANE-3763: plumb e2e provenance tags through bastion AWS resource creation CNTRLPLANE-3763: tag bastion resources with e2e provenance Jul 16, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 16, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, ironcladlou

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 16, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
cmd/bastion/aws/create.go (1)

166-172: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low value

Preallocate slice capacity.

Since the size of tagMap is known, preallocate the slice capacity to avoid unnecessary allocations, as per the coding guidelines.

♻️ Proposed refactor
-	var additionalTags []ec2types.Tag
+	additionalTags := make([]ec2types.Tag, 0, len(tagMap))
	for k, v := range tagMap {
		additionalTags = append(additionalTags, ec2types.Tag{
			Key:   aws.String(k),
			Value: aws.String(v),
		})
	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/bastion/aws/create.go` around lines 166 - 172, Update the additionalTags
slice initialization in the tagMap loop to preallocate capacity using
len(tagMap), while preserving the existing tag conversion and append behavior.

Source: Coding guidelines

test/e2e/util/dump/journals.go (1)

155-160: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low value

Preallocate slice capacity.

To avoid a potential reallocation when appending the Prow job ID tag, consider preallocating the slice capacity to 2 as per the coding guidelines.

♻️ Proposed refactor
-	additionalTags := []string{
-		supportawsutil.HypershiftSourceTagKey + "=e2e",
-	}
+	additionalTags := make([]string, 0, 2)
+	additionalTags = append(additionalTags, supportawsutil.HypershiftSourceTagKey+"=e2e")
	if prowJobID := os.Getenv("PROW_JOB_ID"); prowJobID != "" {
		additionalTags = append(additionalTags, supportawsutil.HypershiftProwJobIDTagKey+"="+prowJobID)
	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/util/dump/journals.go` around lines 155 - 160, Preallocate capacity
for two elements when initializing additionalTags in the journal dump flow,
while preserving the existing initial Hypershift source tag and conditional Prow
job ID append behavior.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@cmd/bastion/aws/create.go`:
- Around line 166-172: Update the additionalTags slice initialization in the
tagMap loop to preallocate capacity using len(tagMap), while preserving the
existing tag conversion and append behavior.

In `@test/e2e/util/dump/journals.go`:
- Around line 155-160: Preallocate capacity for two elements when initializing
additionalTags in the journal dump flow, while preserving the existing initial
Hypershift source tag and conditional Prow job ID append behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: bdbe69b2-7324-4775-bcdd-17e7e56d0575

📥 Commits

Reviewing files that changed from the base of the PR and between e4576ff and 5ba9d86.

📒 Files selected for processing (2)
  • cmd/bastion/aws/create.go
  • test/e2e/util/dump/journals.go

@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.17%. Comparing base (3a71948) to head (9c3de5d).
⚠️ Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
cmd/bastion/aws/create.go 0.00% 24 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9022      +/-   ##
==========================================
- Coverage   44.17%   44.17%   -0.01%     
==========================================
  Files         772      772              
  Lines       96333    96346      +13     
==========================================
+ Hits        42558    42559       +1     
- Misses      50831    50843      +12     
  Partials     2944     2944              
Files with missing lines Coverage Δ
cmd/bastion/aws/create.go 0.00% <0.00%> (ø)

... and 1 file with indirect coverage changes

Flag Coverage Δ
cmd-support 38.23% <0.00%> (-0.02%) ⬇️
cpo-hostedcontrolplane 46.25% <ø> (ø)
cpo-other 45.22% <ø> (ø)
hypershift-operator 54.14% <ø> (+<0.01%) ⬆️
other 32.34% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/verified by e2e for regressions and manual testing to verify tag support

$ bin/hypershift create bastion aws \
    --infra-id ... \
    --region us-east-1 \
    --ssh-key-file ... \
    --additional-tags "hypershift.openshift.io/source=e2e,test-tag=hello" \
    --aws-creds ...

<resources created>
<new tags verified>

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 16, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@ironcladlou: This PR has been marked as verified by e2e for regressions and manual testing to verify tag support.

Details

In response to this:

/verified by e2e for regressions and manual testing to verify tag support

$ bin/hypershift create bastion aws \
   --infra-id ... \
   --region us-east-1 \
   --ssh-key-file ... \
   --additional-tags "hypershift.openshift.io/source=e2e,test-tag=hello" \
   --aws-creds ...

<resources created>
<new tags verified>

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/override codecov/patch

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/override codecov/project

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@ironcladlou: ironcladlou unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams:openshift: openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers.

Details

In response to this:

/override codecov/patch

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@ironcladlou: ironcladlou unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams:openshift: openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers.

Details

In response to this:

/override codecov/project

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/label acknowledge-critical-fixes-only

@openshift-ci openshift-ci Bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Jul 16, 2026
@cwbotbot

cwbotbot commented Jul 16, 2026

Copy link
Copy Markdown

Test Results

e2e-aws

e2e-aks

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/retest-required

@csrwng

csrwng commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

/override codecov/patch
/override codecov/project

@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@csrwng: Overrode contexts on behalf of csrwng: codecov/patch, codecov/project

Details

In response to this:

/override codecov/patch
/override codecov/project

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

@ironcladlou: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot
openshift-merge-bot Bot merged commit 85c46e8 into openshift:main Jul 17, 2026
41 of 43 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cli Indicates the PR includes changes for CLI area/platform/aws PR/issue for AWS (AWSPlatform) platform area/testing Indicates the PR includes changes for e2e testing jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants