feat: Support passing node selectors and tolerations to hypershift install cmd

[ashishmax31]

What this PR does / why we need it:

Allow passing node selectors and tolerations to hypershift install cmd so that we can influence the placement of the HO pods.

Fixes

https://issues.redhat.com/browse/ARO-23223

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

Added support for operator tolerations and node selectors: new fields on install Options and HyperShiftOperatorDeployment, parsing and validation of toleration strings and node selector keys/values, propagation into deployment Build(), and corresponding tests and utilities.

Changes

Cohort / File(s)	Change Summary
Deployment configuration cmd/install/assets/hypershift_operator.go	Added OperatorTolerations []string and OperatorNodeSelectors map[string]string to HyperShiftOperatorDeployment. Build() now parses toleration strings, collects node selectors, and applies them to deployment.Spec.Template.Spec.Tolerations and deployment.Spec.Template.Spec.NodeSelector.
Install command (options & validation) cmd/install/install.go	Added OperatorTolerations []string and OperatorNodeSelectors map[string]string to Options. Added CLI flags and defaults, propagated fields through operator resource setup, and introduced validation helpers: validateTolerationString, validateTolerationKeyValuePart, validateTolerationEffectPart, validateTolerationSecondsPart, validateNodeSelectorKey, validateNodeSelectorValue. Added imports (slices, k8s.io/apimachinery/pkg/util/validation).
Utility parsing cmd/util/util.go	Added ParseTolerationString(s string) *corev1.Toleration and internal helper setTolerationKeyValueAndEffect to parse strings of forms key[=value]:effect and key[=value]:effect:seconds and return a *corev1.Toleration. Added strings and strconv imports.
Tests – deployment cmd/install/assets/hypershift_operator_test.go	Extended test cases and table with expectedTolerations and expectedNodeSelectors; added case for operator tolerations and node selectors, adjusted assertions to conditionally verify tolerations and node selectors; added ptr import.
Tests – install options cmd/install/install_test.go	Added test cases to TestOptions_Validate covering valid and invalid operator tolerations and node selectors, including mixed scenarios.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[muraee]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cmd/util/util.go (1)

46-86: Consider extracting duplicate key/value parsing logic.

The key=value parsing logic is duplicated in both the 2-part and 3-part branches (lines 53-61 and 68-76). While the current implementation works correctly, extracting this into a helper function would improve maintainability.

Example refactor:

+func parseTolerationKeyValue(part string) (key, value string, operator corev1.TolerationOperator) {
+	if strings.Contains(part, "=") {
+		kv := strings.SplitN(part, "=", 2)
+		return kv[0], kv[1], corev1.TolerationOpEqual
+	}
+	return part, "", corev1.TolerationOpExists
+}
+
 func ParseTolerationString(s string) corev1.Toleration {
 	toleration := corev1.Toleration{}
 	parts := strings.Split(s, ":")
 
 	// No toleration seconds
 	if len(parts) == 2 {
-		if strings.Contains(parts[0], "=") {
-			kv := strings.SplitN(parts[0], "=", 2)
-			toleration.Key = kv[0]
-			toleration.Value = kv[1]
-			toleration.Operator = corev1.TolerationOpEqual
-		} else {
-			toleration.Key = parts[0]
-			toleration.Operator = corev1.TolerationOpExists
-		}
+		toleration.Key, toleration.Value, toleration.Operator = parseTolerationKeyValue(parts[0])
 		toleration.Effect = corev1.TaintEffect(parts[1])
 	}
 
 	// With toleration seconds
 	if len(parts) == 3 {
-		if strings.Contains(parts[0], "=") {
-			kv := strings.SplitN(parts[0], "=", 2)
-			toleration.Key = kv[0]
-			toleration.Value = kv[1]
-			toleration.Operator = corev1.TolerationOpEqual
-		} else {
-			toleration.Key = parts[0]
-			toleration.Operator = corev1.TolerationOpExists
-		}
+		toleration.Key, toleration.Value, toleration.Operator = parseTolerationKeyValue(parts[0])
 		toleration.Effect = corev1.TaintEffect(parts[1])
 		tolerationSeconds, _ := strconv.ParseInt(parts[2], 10, 64)
 		if tolerationSeconds > 0 {
 			toleration.TolerationSeconds = &tolerationSeconds
 		}
 	}
 	return toleration
 }

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 88e53d2 and d926516.

📒 Files selected for processing (5)

• cmd/install/assets/hypershift_operator.go (4 hunks)
• cmd/install/assets/hypershift_operator_test.go (3 hunks)
• cmd/install/install.go (7 hunks)
• cmd/install/install_test.go (1 hunks)
• cmd/util/util.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• cmd/util/util.go
• cmd/install/install.go
• cmd/install/install_test.go
• cmd/install/assets/hypershift_operator_test.go
• cmd/install/assets/hypershift_operator.go

🧬 Code graph analysis (3)

cmd/install/install_test.go (2)

cmd/install/install.go (1)

• Options (79-139)

api/hypershift/v1beta1/hostedcluster_types.go (1)

• NonePlatform (1215-1215)

cmd/install/assets/hypershift_operator_test.go (2)

cmd/install/assets/hypershift_operator.go (1)

• HyperShiftOperatorDeployment (386-427)

api/hypershift/v1beta1/hostedcluster_types.go (1)

• NonePlatform (1215-1215)

cmd/install/assets/hypershift_operator.go (1)

cmd/util/util.go (1)

• ParseTolerationString (47-86)

🪛 golangci-lint (2.5.0)

cmd/install/install.go

[error] 228-228: : # github.com/openshift/hypershift/sync-global-pullsecret [github.com/openshift/hypershift/sync-global-pullsecret.test]
sync-global-pullsecret/sync-global-pullsecret_test.go:228:23: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:234:26: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:247:26: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:257:26: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:270:26: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:283:26: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:296:26: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:309:26: undefined: MockdbusConn
sync-global-pullsecret/sync-global-pullsecret_test.go:327:12: undefined: NewMockdbusConn

(typecheck)

🔇 Additional comments (11)

cmd/install/install_test.go (1)

143-185: LGTM! Comprehensive test coverage for tolerations and node selectors.

The test cases effectively cover validation scenarios for both valid and invalid operator tolerations and node selectors, including edge cases like mixed valid/invalid tolerations and malformed keys.

cmd/install/assets/hypershift_operator_test.go (2)

437-483: LGTM! Well-structured test case for tolerations and node selectors.

The test case effectively validates both toleration formats (with and without values, with TolerationSeconds) and node selector application on the deployment.

---

493-498: LGTM! Proper conditional assertions.

The conditional checks ensure tolerations and node selectors are only validated when explicitly provided in test cases, preventing false positives.

cmd/install/assets/hypershift_operator.go (3)

406-407: LGTM! Appropriate field types for tolerations and node selectors.

The field types align well with the CLI input format and downstream usage.

---

617-628: LGTM! Proper parsing and filtering of tolerations and node selectors.

The implementation correctly:

• Parses toleration strings using the utility function
• Filters out empty tolerations
• Preserves non-empty keys from node selectors (empty values are valid)

---

841-847: LGTM! Correct application of tolerations and node selectors to deployment.

The conditional application ensures these fields are only set when values are provided, maintaining clean deployment specs.

cmd/install/install.go (5)

254-287: LGTM! Comprehensive toleration string validation.

The validation correctly handles both toleration formats and provides clear error messages for each failure mode.

---

289-351: LGTM! Thorough validation helper functions.

The helper functions correctly validate each component of the toleration string using appropriate Kubernetes validators and provide clear error messages.

---

427-428: LGTM! Appropriate CLI flags for tolerations and node selectors.

The flags use correct types (StringSliceVar and StringToStringVar) and provide clear descriptions with format examples.

---

500-501: LGTM! Correct default initialization.

Initializing as empty slice and map ensures proper handling when flags are not provided.

---

974-975: LGTM! Fields correctly propagated to deployment.

The operator tolerations and node selectors are properly passed through to the HyperShiftOperatorDeployment builder.

[ashishmax31]

@muraee Ptal, i've addressed your review comments.

[muraee]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashishmax31, muraee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [muraee]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @cmd/install/install.go:
- Around line 239-256: The toleration validation is inconsistent with the
parser: validateTolerationSecondsPart currently allows 0 and
validateTolerationString permits a trailing :seconds for any effect, but the
parser only applies seconds when >0 and Kubernetes semantics only allow
tolerationSeconds for effect=NoExecute; update validateTolerationSecondsPart to
reject zero (require >0) and adjust validateTolerationString to only accept a
:seconds suffix when the parsed effect is "NoExecute" (and reject or error if
seconds are present for other effects), ensuring all error messages reference
the offending toleration string via the same fmt.Errorf wrapping used elsewhere.
- Around line 452-453: The help text for the --operator-tolerations flag is
incorrect; update the PersistentFlags().StringSliceVar call for
opts.OperatorTolerations so the description documents the actual expected format
"key[=value]:effect[:seconds]" and note that the operator (Exists vs Equal) is
inferred by presence/absence of '=' (no operator token). Keep the flag name
(--operator-tolerations) and opts.OperatorTolerations unchanged; only replace
the descriptive string to accurately describe key[=value]:effect[:seconds].

🧹 Nitpick comments (2)

cmd/install/assets/hypershift_operator_test.go (1)

493-498: Tests should assert absence of tolerations/nodeSelector in other cases (don’t skip checks)
The if len(...) > 0 gating reduces regression coverage; most cases can/should still assert Tolerations/NodeSelector are empty/nil.

Proposed diff

 			g.Expect(deployment.Spec.Template.Spec.Volumes).To(BeEquivalentTo(test.expectedVolumes))
 			g.Expect(deployment.Spec.Template.Spec.Containers[0].VolumeMounts).To(BeEquivalentTo(test.expectedVolumeMounts))
 			g.Expect(deployment.Spec.Template.Spec.Containers[0].Env).To(ContainElements(test.expectedEnvVars))
-			if len(test.expectedTolerations) > 0 {
-				g.Expect(deployment.Spec.Template.Spec.Tolerations).To(BeEquivalentTo(test.expectedTolerations))
-			}
-			if len(test.expectedNodeSelectors) > 0 {
-				g.Expect(deployment.Spec.Template.Spec.NodeSelector).To(BeEquivalentTo(test.expectedNodeSelectors))
-			}
+			g.Expect(deployment.Spec.Template.Spec.Tolerations).To(BeEquivalentTo(test.expectedTolerations))
+			g.Expect(deployment.Spec.Template.Spec.NodeSelector).To(BeEquivalentTo(test.expectedNodeSelectors))
 		})
 	}
 }

cmd/install/assets/hypershift_operator.go (1)

430-432: Defensive handling: trim/skip empty inputs; avoid silently ignoring unparsable tolerations
Given Build() can be called outside the CLI validation path, consider trimming and skipping empty strings/keys to reduce “it didn’t apply” surprises.

Proposed diff

 	var volumes []corev1.Volume
 	var tolerations []corev1.Toleration
 	var nodeSelectors = make(map[string]string)
 	envVars := []corev1.EnvVar{
@@
-	for _, tolerationStr := range o.OperatorTolerations {
-		toleration := cmdutil.ParseTolerationString(tolerationStr)
+	for _, tolerationStr := range o.OperatorTolerations {
+		tolerationStr = strings.TrimSpace(tolerationStr)
+		if tolerationStr == "" {
+			continue
+		}
+		toleration := cmdutil.ParseTolerationString(tolerationStr)
 		if toleration != nil {
 			tolerations = append(tolerations, *toleration)
 		}
 	}
 
 	for key, value := range o.OperatorNodeSelectors {
-		if key != "" {
-			nodeSelectors[key] = value
+		key = strings.TrimSpace(key)
+		value = strings.TrimSpace(value)
+		if key != "" {
+			nodeSelectors[key] = value
 		}
 	}

Also applies to: 473-475, 662-673, 886-892

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d926516 and 308b227.

📒 Files selected for processing (5)

• cmd/install/assets/hypershift_operator.go
• cmd/install/assets/hypershift_operator_test.go
• cmd/install/install.go
• cmd/install/install_test.go
• cmd/util/util.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/install/install_test.go
• cmd/util/util.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• cmd/install/assets/hypershift_operator_test.go
• cmd/install/install.go
• cmd/install/assets/hypershift_operator.go

🧬 Code graph analysis (2)

cmd/install/assets/hypershift_operator_test.go (2)

cmd/install/assets/hypershift_operator.go (1)

• HyperShiftOperatorDeployment (410-453)

api/hypershift/v1beta1/hostedcluster_types.go (1)

• NonePlatform (1220-1220)

cmd/install/assets/hypershift_operator.go (1)

cmd/util/util.go (1)

• ParseTolerationString (47-64)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Red Hat Konflux / hypershift-operator-main-on-pull-request
• GitHub Check: Red Hat Konflux / hypershift-release-mce-211-on-pull-request
• GitHub Check: Red Hat Konflux / hypershift-cli-mce-211-on-pull-request

🔇 Additional comments (2)

cmd/install/assets/hypershift_operator_test.go (1)

19-27: Good coverage for tolerations/nodeSelector propagation
The new test case exercises both key=value:effect and keyOnly:NoExecute:seconds toleration forms and validates node selector propagation; this aligns well with the intended feature.

Also applies to: 437-483

cmd/install/install.go (1)

140-142: Wiring + defaults look correct
Defaults initialize the new fields, validation runs, and values are propagated into assets.HyperShiftOperatorDeployment.

Also applies to: 531-533, 1037-1038

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Align tolerationSeconds validation with parsing/semantics (effect+zero handling)
Today validateTolerationSecondsPart allows 0, and validateTolerationString allows :seconds with any effect—while parsing (per cmd/util/util.go snippet) only applies seconds when >0, which can silently change meaning.

Proposed diff (fail fast, consistent with current parser)

 func validateTolerationString(s string) error {
@@
 	// Validate effect part
 	if err := validateTolerationEffectPart(parts[1]); err != nil {
 		return err
 	}
 
 	// Validate tolerationSeconds part (if present)
 	if len(parts) == 3 {
+		if parts[1] != string(corev1.TaintEffectNoExecute) {
+			return fmt.Errorf("tolerationSeconds is only valid with effect %s", corev1.TaintEffectNoExecute)
+		}
 		if err := validateTolerationSecondsPart(parts[2]); err != nil {
 			return err
 		}
 	}
@@
 func validateTolerationSecondsPart(tolerationSecondsStr string) error {
 	if tolerationSecondsStr == "" {
 		return fmt.Errorf("tolerationSeconds cannot be empty when specified")
 	}
@@
-	if seconds < 0 {
-		return fmt.Errorf("tolerationSeconds must be non-negative, got %d", seconds)
+	if seconds <= 0 {
+		return fmt.Errorf("tolerationSeconds must be positive, got %d", seconds)
 	}
 
 	return nil
 }

Also applies to: 276-309, 341-373

🤖 Prompt for AI Agents

In @cmd/install/install.go around lines 239 - 256, The toleration validation is
inconsistent with the parser: validateTolerationSecondsPart currently allows 0
and validateTolerationString permits a trailing :seconds for any effect, but the
parser only applies seconds when >0 and Kubernetes semantics only allow
tolerationSeconds for effect=NoExecute; update validateTolerationSecondsPart to
reject zero (require >0) and adjust validateTolerationString to only accept a
:seconds suffix when the parsed effect is "NoExecute" (and reject or error if
seconds are present for other effects), ensuring all error messages reference
the offending toleration string via the same fmt.Errorf wrapping used elsewhere.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix --operator-tolerations flag help text: it documents the wrong format
The current description mentions ...:effect:operator but the code expects key[=value]:effect[:seconds] (and operator is inferred from presence of =).

Proposed diff

-	cmd.PersistentFlags().StringSliceVar(&opts.OperatorTolerations, "operator-tolerations", opts.OperatorTolerations, "A list of tolerations to apply to the HyperShift Operator deployment in the format 'key1=value1:effect:operator,key2=value2:effect:operator'.")
+	cmd.PersistentFlags().StringSliceVar(&opts.OperatorTolerations, "operator-tolerations", opts.OperatorTolerations, "A list of tolerations to apply to the HyperShift Operator deployment in the format 'key[=value]:effect[:tolerationSeconds]' (e.g. 'infra=true:NoSchedule', 'keyOnly:NoExecute:3600').")
 	cmd.PersistentFlags().StringToStringVar(&opts.OperatorNodeSelectors, "operator-node-selectors", opts.OperatorNodeSelectors, "Set of node selectors to apply to the HyperShift Operator deployment in the format 'key1=value1,key2=value2'.")

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	cmd.PersistentFlags().StringSliceVar(&opts.OperatorTolerations, "operator-tolerations", opts.OperatorTolerations, "A list of tolerations to apply to the HyperShift Operator deployment in the format 'key1=value1:effect:operator,key2=value2:effect:operator'.")
	cmd.PersistentFlags().StringToStringVar(&opts.OperatorNodeSelectors, "operator-node-selectors", opts.OperatorNodeSelectors, "Set of node selectors to apply to the HyperShift Operator deployment in the format 'key1=value1,key2=value2'.")
	cmd.PersistentFlags().StringSliceVar(&opts.OperatorTolerations, "operator-tolerations", opts.OperatorTolerations, "A list of tolerations to apply to the HyperShift Operator deployment in the format 'key[=value]:effect[:tolerationSeconds]' (e.g. 'infra=true:NoSchedule', 'keyOnly:NoExecute:3600').")
	cmd.PersistentFlags().StringToStringVar(&opts.OperatorNodeSelectors, "operator-node-selectors", opts.OperatorNodeSelectors, "Set of node selectors to apply to the HyperShift Operator deployment in the format 'key1=value1,key2=value2'.")

🤖 Prompt for AI Agents

In @cmd/install/install.go around lines 452 - 453, The help text for the
--operator-tolerations flag is incorrect; update the
PersistentFlags().StringSliceVar call for opts.OperatorTolerations so the
description documents the actual expected format "key[=value]:effect[:seconds]"
and note that the operator (Exists vs Equal) is inferred by presence/absence of
'=' (no operator token). Keep the flag name (--operator-tolerations) and
opts.OperatorTolerations unchanged; only replace the descriptive string to
accurately describe key[=value]:effect[:seconds].

[ashishmax31]

/retest-required

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@ashishmax31: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	308b227	link	true	/test verify
ci/prow/e2e-aws-upgrade-hypershift-operator	308b227	link	true	/test e2e-aws-upgrade-hypershift-operator
ci/prow/e2e-aks	308b227	link	true	/test e2e-aks
ci/prow/e2e-aws	308b227	link	true	/test e2e-aws
ci/prow/unit	308b227	link	true	/test unit
ci/prow/e2e-azure-self-managed	308b227	link	true	/test e2e-azure-self-managed

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

Stale PRs are closed after 21d of inactivity.

If this PR is still relevant, comment to refresh it or remove the stale label.
Mark the PR as fresh by commenting /remove-lifecycle stale.

If this PR is safe to close now please do so with /close.

/lifecycle stale

[codecov]

Codecov Report

❌ Patch coverage is 52.48227% with 67 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.56%. Comparing base (4755e9c) to head (c13ae06).

Files with missing lines	Patch %	Lines
cmd/install/install.go	57.57%	28 Missing and 14 partials ⚠️
cmd/util/util.go	0.00%	25 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7404      +/-   ##
==========================================
+ Coverage   41.54%   41.56%   +0.01%     
==========================================
  Files         758      758              
  Lines       93838    93979     +141     
==========================================
+ Hits        38986    39060      +74     
- Misses      52107    52160      +53     
- Partials     2745     2759      +14     

Files with missing lines	Coverage Δ
cmd/install/assets/hypershift_operator.go	48.56% <100.00%> (+0.45%)	⬆️
cmd/util/util.go	0.00% <0.00%> (ø)
cmd/install/install.go	62.66% <57.57%> (-0.42%)	⬇️

Flag	Coverage Δ
cmd-support	35.04% <52.48%> (+0.07%)	⬆️
cpo-hostedcontrolplane	43.59% <ø> (ø)
cpo-other	43.17% <ø> (ø)
hypershift-operator	51.62% <ø> (ø)
other	31.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[hypershift-jira-solve-ci]

Now I have all the information needed. Let me compile the final report.

Test Failure Analysis Complete

Job Information

• PR: #7404 — feat: Support passing node selectors and tolerations to hypershift install cmd
• Repository: openshift/hypershift
• Branch: ARO-23223
• Jobs Analyzed: 4 (images, security, tide, Codespell)

Test Failure Analysis

Error

1. ci/prow/images (Build ID: 2046872891240222720):
   curl: (6) Could not resolve host: packages.microsoft.com
   error: https://packages.microsoft.com/keys/microsoft.asc: import read failed(2).

2. ci/prow/security (Build ID: 2053896784232583168):
   CONFLICT (content): Merge conflict in cmd/install/install.go
   Automatic merge failed; fix conflicts and then commit the result.

3. Codespell:
   ./cmd/install/install.go:415: cant ==> can't

4. tide:
   Not mergeable. Missing labels: lgtm, jira/valid-reference. Forbidden label present: lifecycle/stale.

Summary

Four distinct failures affect this PR. Codespell found a real typo (cant → can't) in newly added code at cmd/install/install.go:415. ci/prow/security never ran its scan — it failed during git merge because cmd/install/install.go has diverged significantly from main (the PR is ~6 months old). ci/prow/images failed due to a transient DNS resolution error in the CI build environment (unrelated to the PR). Tide cannot merge the PR because it lacks lgtm and jira/valid-reference labels and has the forbidden lifecycle/stale label.

Root Cause

There are three independent root causes across the four failures:

1. Codespell — Typo in new code (actionable)
The PR introduces a validateTolerationEffectPart function in cmd/install/install.go that contains the error message "toleration effect cant be empty". The word cant is a misspelling of can't (or cannot). This is the only Codespell finding.

2. ci/prow/security — Merge conflict due to stale branch (actionable)
The PR was opened on 2025-12-17 and has not been rebased since. The cmd/install/install.go file has been heavily modified on main by multiple PRs since then (including refactors for cyclomatic complexity, addition of DisableCAPIConversionWebhook, conversion webhooks, and cert secret bootstrapping removal). Prow's automatic merge of the PR branch onto main fails with a content conflict in cmd/install/install.go, so the security scan never executes.

3. ci/prow/images — Transient DNS failure (not actionable)
The hypershift-tests image build (Dockerfile.e2e) failed at the step that installs Azure CLI from packages.microsoft.com. The builder pod could not resolve this hostname (curl: (6) Could not resolve host). All Go compilation completed successfully, and all other image builds (hypershift, hypershift-operator, hypershift-cli) succeeded. The PR did not modify Dockerfile.e2e. This is a transient CI infrastructure issue.

4. Tide — Missing merge prerequisites (downstream)
Tide cannot merge because: (a) the lgtm label is missing (no reviewer has approved with /lgtm), (b) the jira/valid-reference label is missing, and (c) the lifecycle/stale label is present (forbidden by merge pool configuration). Eight e2e jobs are stuck in PENDING because they are gated on the lgtm label. This is a process/review state issue, not a code issue.

Recommendations

1. Fix the typo — Change line 415 of cmd/install/install.go from "toleration effect cant be empty" to "toleration effect cannot be empty" to resolve the Codespell failure.

2. Rebase onto main — The PR branch is ~6 months stale. Rebase onto current main and resolve the merge conflict in cmd/install/install.go. This will fix the security job (and likely surface additional code changes needed to align with recent refactors).

3. Retry the images job — The DNS failure is transient and unrelated to the PR. A /retest comment should clear it once the rebase is done.

4. Address Tide prerequisites:

   • Remove the stale label: comment /remove-lifecycle stale
   • Ensure the Jira reference (ARO-23223) is valid and properly linked
   • Request a reviewer to /lgtm once the code issues are resolved

5. Priority order: Rebase first (most impactful — unblocks security scan and aligns code), fix the typo during rebase, then address labels/review.

Evidence

Evidence	Detail
Codespell finding	./cmd/install/install.go:415: cant ==> can't — exit code 2
Merge conflict file	cmd/install/install.go — content conflict during Prow's auto-merge of PR onto main
Merge conflict cause	PR opened 2025-12-17; main has received multiple conflicting changes since (cedd0fa, 45e53af, 59db58b, e1993ba)
DNS failure	curl: (6) Could not resolve host: packages.microsoft.com during Dockerfile.e2e step 13/15
Images job — Go compilation	All Go builds succeeded; only the Azure CLI RPM install step failed
Images job — unmodified file	Dockerfile.e2e was not changed by this PR
Tide missing labels	lgtm (missing), jira/valid-reference (missing), lifecycle/stale (present, forbidden)
Pending e2e jobs	8 e2e jobs (aws, aks, azure, kubevirt, gke, etc.) stuck in PENDING — gated on lgtm label
PR age	~6 months old (opened 2025-12-17)

---