CNTRLPLANE-3568: test(e2e): verify AWS additional-tags propagation to guest infrastruc…

[mgencur]

…ture

What this PR does / why we need it:

Add a v2 e2e test that reads the HostedCluster's spec.platform.aws.resourceTags and verifies they appear in the guest cluster's infrastructure/cluster .status.platformStatus.aws.resourceTags. Tags with the kubernetes.io prefix are filtered to match the production logic in support/globalconfig/infrastructure.go.

Covers https://redhat.atlassian.net/browse/CNTRLPLANE-3568
The original test logic has a few more assertions but they are already tested in other parts of the E2E test suite. This new PR only covers what was left - propagating resource tags from HostedCluster to Infrastructure on guest cluster.

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Tests
  • Added an AWS-only end-to-end test that verifies AWS resource tags from a HostedCluster spec are propagated into the guest cluster infrastructure/platform status. The test skips non-AWS clusters or when no AWS tags are present, ignores keys starting with "kubernetes.io", and asserts that the remaining expected tags are present and that the status tag list matches the expected count.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@mgencur: This pull request references CNTRLPLANE-3568 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

…ture

What this PR does / why we need it:

Add a v2 e2e test that reads the HostedCluster's spec.platform.aws.resourceTags and verifies they appear in the guest cluster's infrastructure/cluster .status.platformStatus.aws.resourceTags. Tags with the kubernetes.io prefix are filtered to match the production logic in support/globalconfig/infrastructure.go.

Covers https://redhat.atlassian.net/browse/CNTRLPLANE-3568
The original test logic has a few more assertions but they are already tested in other parts of the E2E test suite. This new PR only covers what was left - propagating resource tags from HostedCluster to Infrastructure on guest cluster.

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 486e4225-63e2-4599-934f-faeaf333dd31

📥 Commits

Reviewing files that changed from the base of the PR and between 1471ac1 and ef4ee5c.

📒 Files selected for processing (1)

• test/e2e/v2/tests/hosted_cluster_aws_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/e2e/v2/tests/hosted_cluster_aws_test.go

---

📝 Walkthrough

Walkthrough

Adds an AWS-only E2E test, EnsureInfrastructureResourceTagsTest, that runs for AWS HostedClusters with AWS spec tags (excluding keys starting with "kubernetes.io"). The test fetches the guest cluster's configv1.Infrastructure (infrastructure/cluster), asserts AWS platform status and non-empty ResourceTags, verifies each expected tag exists, and checks the status tag list length matches the filtered expected set. The file imports configv1 and registers the new test in RegisterHostedClusterAWSTests.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Line 182 logs AWS tag keys and values directly in assertion messages without filtering or masking when assertions fail, potentially exposing sensitive data.	Remove tag key-value data from assertion messages or mask potentially sensitive tag data before logging.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references the Jira ticket and summarizes the main change: adding an e2e test to verify AWS tags propagation from HostedCluster spec to guest infrastructure status.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test titles are static and descriptive with no dynamic values, timestamps, UUIDs, pod names, node names, or random identifiers. Assertions and context-dependent messages are properly in test bodies.
Test Structure And Quality	✅ Passed	Test meets all quality requirements: single responsibility, read-only (no cleanup), appropriate timeout handling, meaningful assertion messages, and follows codebase patterns.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR adds only an e2e test for AWS tag propagation; no deployment manifests, operator code, controllers, or scheduling constraints that could affect topology compatibility.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Test only validates AWS tag propagation via Kubernetes API calls; no IPv4 assumptions, IP parsing, hardcoded addresses, or external connectivity requirements found.
No-Weak-Crypto	✅ Passed	PR adds only test code with no weak crypto, custom crypto implementations, or secret/token comparison issues detected.
Container-Privileges	✅ Passed	PR adds only Go test code with no container/K8s manifests. No privileged settings, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or root-as-default configurations present.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.54%. Comparing base (832b848) to head (ef4ee5c).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8712      +/-   ##
==========================================
+ Coverage   41.50%   41.54%   +0.04%     
==========================================
  Files         758      758              
  Lines       93689    93838     +149     
==========================================
+ Hits        38882    38986     +104     
- Misses      52070    52107      +37     
- Partials     2737     2745       +8     

see 9 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	34.96% <ø> (+0.10%)	⬆️
cpo-hostedcontrolplane	43.59% <ø> (ø)
cpo-other	43.17% <ø> (ø)
hypershift-operator	51.62% <ø> (+0.05%)	⬆️
other	31.56% <ø> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/v2/tests/hosted_cluster_aws_test.go`:
- Around line 131-138: Rename user-facing strings in the
EnsureGuestInfrastructureResourceTagsTest function to use "hosted cluster"
terminology: replace occurrences of "guest cluster infrastructure resource" and
"guest infrastructure resource tags test" with phrasing like "infrastructure
resource in the hosted cluster" or "hosted cluster infrastructure resource tags
test" (update the When/It descriptions and any Skip message). Ensure the
function name and any log/test labels remain unchanged unless you want to also
rename the function; focus on updating the human-readable test descriptions
inside EnsureGuestInfrastructureResourceTagsTest and the Skip message that
checks hc.Spec.Platform.Type.
- Around line 160-181: The test uses incorrect "guest cluster"/"guest
infrastructure" wording in its Expect diagnostic messages; update the messages
in the block that calls ValidateHostedClusterClient() / GetHostedClusterClient()
and checks infra.Status.PlatformStatus.AWS.ResourceTags so that "guest cluster"
becomes "hosted cluster" and "guest infrastructure" becomes "infrastructure in
the hosted cluster" (or "hosted cluster infrastructure") — specifically change
the Expect failure text for the Get() call and the two later Expect message
strings that mention the cluster/infrastructure to the corrected terminology.
- Around line 140-158: The test currently fails if no AWS resource tags exist by
asserting specTags and expectedTags are non-empty; instead, change the checks in
the HostedCluster tag verification to Skip the test when preconditions are
absent: inspect specTags (and the computed expectedTags) in the test body
(symbols: specTags, expectedTags, HostedCluster hc) and call Skip("no AWS
resource tags configured; skipping test") when either is empty rather than using
Expect(...).NotTo(BeEmpty()), ensuring the test remains read-only and only
verifies existing state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 337450e5-3b8e-42c5-a0b0-9e0a69486882

📥 Commits

Reviewing files that changed from the base of the PR and between 832b848 and 093459a.

📒 Files selected for processing (1)

• test/e2e/v2/tests/hosted_cluster_aws_test.go

[enxebre]

1. Rename function — EnsureGuestInfrastructureResourceTagsTest → EnsureHostedClusterInfrastructureResourceTagsTest (or drop "Guest"). The "guest cluster" terminology is explicitly prohibited by the v2 framework.
   Affects the function name at line 130 and the registration call at line 44.

Recommended Improvements

1. Add nil-check on hc.Spec.Platform.AWS before accessing .ResourceTags (line 138) per framework standard 11.
2. Consider adding a tag count assertion (Expect(len(infra...ResourceTags)).To(Equal(len(expectedTags)))) after the per-tag loop to detect kubernetes.io tag leakage in the reverse direction.

[mgencur]

Rename function — EnsureGuestInfrastructureResourceTagsTest

Done.

Also fixed the other two suggestion.

[openshift-ci]

@mgencur: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[enxebre]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enxebre, mgencur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mehabhalodiya]

Have we verified that one of the existing AWS v2 E2E lanes provisions a HostedCluster with spec.platform.aws.resourceTags configured? Otherwise, this test may always skip and never provide coverage.

This is probably the most important thing to verify.

[mgencur]

Have we verified that one of the existing AWS v2 E2E lanes provisions a HostedCluster with spec.platform.aws.resourceTags configured?

This run if from a different PR and includes the resoiurceTags:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_hypershift/8459/pull-ci-openshift-hypershift-main-e2e-v2-aws/2064717142858665984/artifacts/e2e-v2-aws/dump/artifacts/namespaces/clusters/hypershift.openshift.io/hostedclusters/d3ffdc047d3ee690c410.yaml

When you put lgtm CI will run E2E tests and we'll see it on this PR as well.