check-cluster-profiles-config: Workround to handle Cluster Profile Sets

[danilo-gemoli]

Cluster Profile Sets are special, they don't have a secret associated with them. This PR introduces a workaround to skip that check in case of cluster profile sets.
I'll come up with a solid solution once the cluster profile migration is done.

check-cluster-profiles-config now treats Cluster Profile Sets as a special case and skips the secret lookup for those profiles, since they do not have associated secrets yet. For the remaining profiles, it now checks all referenced secrets and reports any lookup failures together in one aggregated error instead of stopping at the first problem. This is a temporary workaround to keep CI config validation working until the cluster profile migration is complete.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

📝 Walkthrough

Walkthrough

checkCISecrets() in cmd/check-cluster-profiles-config/main.go is changed from fail-fast to collect-all: it now imports k8s.io/apimachinery/pkg/util/errors, skips a hardcoded set of cluster profiles, and aggregates all resolver/secret lookup failures before returning a single combined error.

check-cluster-profiles-config

Layer / File(s)	Summary
checkCISecrets error aggregation cmd/check-cluster-profiles-config/main.go	Adds utilerrors import; rewrites checkCISecrets to introduce a skip set, iterate all profiles without early return, append each resolver/get failure to an error slice, and return utilerrors.NewAggregate(errs).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	cmd/check-cluster-profiles-config/main.go calls fmt.Print(diff) in main(), writing non-JSON to stdout and violating the OTE binary contract.	Send the diff to stderr/logrus or remove it; main-process stdout must stay JSON-only.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Go Error Handling	⚠️ Warning	checkCISecrets appends a resolver error without wrapping the underlying err, so the cause is lost.	Wrap the resolver failure with fmt.Errorf("...: %w", err) and keep the existing secret-lookup wrapping.
Test Coverage For New Features	⚠️ Warning	The package tests only cover Validate/Normalize; nothing exercises checkCISecrets, the new bypass, or aggregated error handling.	Add a table-driven regression test for checkCISecrets covering skipped profile sets plus resolver/secret failure paths.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title matches the main change: a workaround in check-cluster-profiles-config to skip secret checks for Cluster Profile Sets.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Only cmd/check-cluster-profiles-config/main.go changed; no test files or Ginkgo titles were added or modified.
Test Structure And Quality	✅ Passed	Not applicable: the touched tests are standard Go unit tests, not Ginkgo/cluster-interaction tests, so none of the listed checks apply.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only changes cmd/check-cluster-profiles-config/main.go, which has no test declarations or MicroShift-specific APIs.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; this PR only changes a CLI validator in cmd/check-cluster-profiles-config, with no SNO-sensitive test assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	Only a config-validation utility changed; no manifests, controllers, replicas, affinity, node selectors, or topology logic were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only touches cmd/check-cluster-profiles-config/main.go and contains no IPv4 or external-connectivity test code.
No-Weak-Crypto	✅ Passed	Changed file only aggregates secret lookup errors and skips specific profile sets; no weak crypto APIs or non-constant-time comparisons appear in the diff.
Container-Privileges	✅ Passed	The PR only changes validator error handling in a Go CLI; no container manifests or privileged settings (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation) were added.
No-Sensitive-Data-In-Logs	✅ Passed	No new logs print secrets, tokens, PII, or hostnames; the added error text only includes profile/secret names and generic failures.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[psalajova]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danilo-gemoli, psalajova

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danilo-gemoli,psalajova]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/check-cluster-profiles-config/main.go`:
- Around line 178-185: The profile-set bypass in the validator is hardcoded to
specific names, which will drift from the real source of truth. Update the logic
in main.go around the validator.profiles loop to derive skip behavior from the
resolved cluster profile-set metadata (or profile details) instead of matching
profileName against a fixed set, so new valid sets are handled without code
changes.
- Around line 190-192: The error handling in the config-resolver branch drops
the original failure, so the aggregate error loses the real cause. Update the
`check-cluster-profiles-config` flow where `profileName` details are appended to
`errs` to wrap `err` with `fmt.Errorf("...: %w", err)` just like the secret
lookup branch, keeping the message lowercase and without trailing punctuation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d48a3fb3-9ce1-4dd8-b5e4-5011e885534f

📥 Commits

Reviewing files that changed from the base of the PR and between f291df3 and 6817783.

📒 Files selected for processing (1)

• cmd/check-cluster-profiles-config/main.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift/release (manual)
• openshift/ci-docs (manual)
• openshift/release-controller (manual)
• openshift/ci-chat-bot (manual)

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

Don't hardcode the profile-set bypass.

This validator gates openshift/release, and cluster profile sets are already a first-class concept in adjacent config/jobs. A fixed name list here will drift and start rejecting valid new sets until this binary is patched again. Please drive the skip from the source-of-truth profile-set metadata (or the resolved profile details) instead of profile names.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/check-cluster-profiles-config/main.go` around lines 178 - 185, The
profile-set bypass in the validator is hardcoded to specific names, which will
drift from the real source of truth. Update the logic in main.go around the
validator.profiles loop to derive skip behavior from the resolved cluster
profile-set metadata (or profile details) instead of matching profileName
against a fixed set, so new valid sets are handled without code changes.

Source: Linked repositories

[coderabbitai]

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Preserve the resolver failure cause.

This branch drops err, so the aggregate loses the actual config-resolver failure. Wrap it the same way as the secret lookup branch.

Suggested fix

-			errs = append(errs, fmt.Errorf("failed to retrieve details from config resolver for '%s' cluster profile", profileName))
+			errs = append(errs, fmt.Errorf("failed to retrieve details from config resolver for %q cluster profile: %w", profileName, err))

As per path instructions, **/*.go: Wrap errors with fmt.Errorf("context: %w", err), lowercase messages, no trailing punctuation; and coding guidelines, Errors should be handled correctly - determine whether to ignore, log, wrap and raise up.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if err != nil {
	return fmt.Errorf("failed to retrieve details from config resolver for '%s' cluster profile", p.Name())
	errs = append(errs, fmt.Errorf("failed to retrieve details from config resolver for '%s' cluster profile", profileName))
	continue
	if err != nil {
	errs = append(errs, fmt.Errorf("failed to retrieve details from config resolver for %q cluster profile: %w", profileName, err))
	continue

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/check-cluster-profiles-config/main.go` around lines 190 - 192, The error
handling in the config-resolver branch drops the original failure, so the
aggregate error loses the real cause. Update the `check-cluster-profiles-config`
flow where `profileName` details are appended to `errs` to wrap `err` with
`fmt.Errorf("...: %w", err)` just like the secret lookup branch, keeping the
message lowercase and without trailing punctuation.

Sources: Coding guidelines, Path instructions

[danilo-gemoli]

/override ci/prow/integration

[openshift-ci]

@danilo-gemoli: Overrode contexts on behalf of danilo-gemoli: ci/prow/integration

Details

In response to this:

/override ci/prow/integration

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

• The changed files don't match any pipeline_run_if_changed patterns
• All files match pipeline_skip_if_only_changed patterns
• No pipeline-controlled jobs are defined for the main branch

Use /test ? to see all available tests.

[danilo-gemoli]

/override ci/prow/images

[openshift-ci]

@danilo-gemoli: Overrode contexts on behalf of danilo-gemoli: ci/prow/images

Details

In response to this:

/override ci/prow/images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 1f22de5 and 2 for PR HEAD 6817783 in total

[openshift-ci]

@danilo-gemoli: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/integration	6817783	link	true	/test integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.