@muraee muraee commented Nov 3, 2025

What this PR does / why we need it:

This PR fixes the ValidAWSIdentityProvider condition to show Unknown status instead of False when the Kube API Server (KAS) is not available.

The AWS identity provider validation requires minting tokens via KAS. When KAS is not up (during cluster provisioning or when API server pods are down), the validation cannot be performed. Previously, the condition would show as False with reason InvalidIdentityProvider and message WebIdentityErr, which was misleading since the actual validation never occurred.

Changes:

  1. Check KAS availability first: Before attempting AWS validation, check if the KubeAPIServerAvailable condition is True
  2. Set condition to Unknown when validation cannot be performed:
    • When KAS is not available
    • When EC2 client is nil (token minting failed)
  3. Only validate when KAS is available: Perform actual AWS identity provider validation only when KAS is confirmed to be available

This ensures accurate status reporting and prevents misleading alerts for service providers.

Which issue(s) this PR fixes:

Fixes OCPBUGS-63353

Special notes for your reviewer:

  • The metric hypershift_cluster_invalid_aws_creds handling will be addressed in a separate PR
  • Unit tests have been added to validate the condition logic
  • The change only affects the condition status when KAS is not available - existing validation logic remains unchanged

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs. (No doc changes needed - behavior fix)
  • This change includes unit tests.

🤖 Generated with Claude Code via /jira:solve OCPBUGS-63353
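
The pre-check ordering described in this PR, as an added Go example that is not the project's code. Local types stand in for metav1.Condition; the function names, the reason string values, the success reason and message, and the shouldAlert consumer are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ConditionStatus and Condition are local stand-ins for the metav1 types so
// the example builds without Kubernetes dependencies.
type ConditionStatus string

const (
	ConditionTrue    ConditionStatus = "True"
	ConditionFalse   ConditionStatus = "False"
	ConditionUnknown ConditionStatus = "Unknown"
)

type Condition struct {
	Type, Reason, Message string
	Status                ConditionStatus
	ObservedGeneration    int64
}

// Condition types and reasons named in the PR; the string values of the
// reasons and the success reason are assumptions for this sketch.
const (
	KubeAPIServerAvailable   = "KubeAPIServerAvailable"
	ValidAWSIdentityProvider = "ValidAWSIdentityProvider"
	StatusUnknownReason      = "StatusUnknown"
	InvalidIdentityProvider  = "InvalidIdentityProvider"
	validatedReason          = "AsExpected"
)

// errWebIdentity is a constructed error standing in for a failed AWS call.
var errWebIdentity = errors.New("WebIdentityErr")

func unknown(gen int64, msg string) Condition {
	return Condition{Type: ValidAWSIdentityProvider, Status: ConditionUnknown,
		Reason: StatusUnknownReason, Message: msg, ObservedGeneration: gen}
}

// identityProviderCondition (hypothetical name) applies the two pre-checks
// before calling validate, so False is only reported when AWS was really asked.
func identityProviderCondition(conds []Condition, gen int64, haveEC2Client bool, validate func() error) Condition {
	kasUp := false
	for _, c := range conds {
		if c.Type == KubeAPIServerAvailable && c.Status == ConditionTrue {
			kasUp = true
		}
	}
	if !kasUp { // missing, False and Unknown all mean no token can be minted
		return unknown(gen, "Cannot validate AWS identity provider while KubeAPIServer is not available")
	}
	if !haveEC2Client {
		return unknown(gen, "AWS EC2 client is not available")
	}
	if err := validate(); err != nil {
		return Condition{Type: ValidAWSIdentityProvider, Status: ConditionFalse,
			Reason: InvalidIdentityProvider, Message: err.Error(), ObservedGeneration: gen}
	}
	return Condition{Type: ValidAWSIdentityProvider, Status: ConditionTrue,
		Reason: validatedReason, Message: "identity provider validated", ObservedGeneration: gen}
}

// shouldAlert (hypothetical consumer) pages only on a definite False.
func shouldAlert(c Condition) bool { return c.Status == ConditionFalse }

func main() {
	kas := func(s ConditionStatus) []Condition {
		return []Condition{{Type: KubeAPIServerAvailable, Status: s}}
	}
	broken := func() error { return errWebIdentity }
	cases := []struct {
		name  string
		conds []Condition
		ec2   bool
	}{
		{"KAS condition missing", nil, true},
		{"KAS False", kas(ConditionFalse), true},
		{"KAS Unknown", kas(ConditionUnknown), true},
		{"KAS True, no EC2 client", kas(ConditionTrue), false},
		{"KAS True, validation fails", kas(ConditionTrue), true},
	}
	for _, tc := range cases {
		c := identityProviderCondition(tc.conds, 1, tc.ec2, broken)
		fmt.Printf("%-28s %-7s %-24s alert=%v\n", tc.name, c.Status, c.Reason, shouldAlert(c))
	}
}
```

Only the last case reaches the validator, so it is the only one that can produce False and trigger the alert.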

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 3, 2025

openshift-ci bot commented Nov 3, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Nov 3, 2025
@openshift-ci-robot

@muraee: This pull request references Jira Issue OCPBUGS-63353, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2025

coderabbitai bot commented Nov 3, 2025

Walkthrough

Added KubeAPIServer availability and EC2 client presence pre-checks to the AWS identity-provider health check; when either is unavailable the ValidAWSIdentityProvider condition is set to Unknown with an explanatory message and the check returns. Added a unit test exercising four KAS availability scenarios.

Changes

| Cohort / File(s) | Summary |
|---|---|
| AWS health-check implementation: control-plane-operator/controllers/healthcheck/aws.go | Added pre-check: if KubeAPIServer (KAS) condition is missing/false/unknown, set ValidAWSIdentityProvider condition to Unknown with an explanatory message and return. Added nil-check for the EC2 client that sets the same condition/message and returns. |
| AWS health-check tests: control-plane-operator/controllers/healthcheck/aws_test.go | New test TestAWSHealthCheckIdentityProviderConditionLogic covering four KAS scenarios (missing, false, unknown, available). Asserts ValidAWSIdentityProvider is created with expected Status, Reason, Message, and ObservedGeneration, and that the function returns no error. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify exact Reason and Message strings match project conventions.
  • Confirm ObservedGeneration usage is consistent with other health checks.
  • Ensure the test covers the EC2-client nil branch for the KAS-available case.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: fixing the ValidAWSIdentityProvider condition status when KAS is unavailable, which aligns directly with the changeset modifications. |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, explaining the problem, solution, and rationale for the changes to AWS health check logic. |

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 8d1359b and 09d1e48.

📒 Files selected for processing (1)
  • control-plane-operator/controllers/healthcheck/aws_test.go (1 hunks)
🔇 Additional comments (1)
control-plane-operator/controllers/healthcheck/aws_test.go (1)

1-110: LGTM! Well-structured test validates the condition logic correctly.

This test thoroughly covers the key scenarios introduced by the PR: the behavior of ValidAWSIdentityProvider condition when validation cannot be performed due to KAS unavailability or missing EC2 client. The table-driven approach is clean, test cases are well-named, and assertions properly verify all relevant condition fields (Status, Reason, Message, ObservedGeneration).

The test appropriately focuses on the pre-check logic that sets the condition to Unknown in early-return scenarios, which aligns with the PR's stated objective of fixing condition behavior when KAS is unavailable.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release and removed do-not-merge/needs-area labels Nov 3, 2025

muraee commented Nov 3, 2025

@coderabbitai review

muraee commented Nov 3, 2025

/auto-cc

@openshift-ci openshift-ci bot requested review from devguyio and enxebre November 3, 2025 18:05

coderabbitai bot commented Nov 3, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
control-plane-operator/controllers/healthcheck/aws_test.go (2)

56-64: Consider verifying the expected message in the "KAS available" test case.

When KAS is available but the EC2 client is nil (which will be the case in this test environment without mocking), the function sets a specific message "AWS EC2 client is not available". Adding this to expectedMessagePart would make the test more complete and explicit about the expected behavior.

Apply this diff:

 		{
 			name: "KAS available",
 			kasCondition: &metav1.Condition{
 				Type:   string(hyperv1.KubeAPIServerAvailable),
 				Status: metav1.ConditionTrue,
 			},
-			expectedStatus:    metav1.ConditionUnknown,
-			expectedReason:    hyperv1.StatusUnknownReason,
-			shouldReturnEarly: false, // Will proceed to check EC2 client
+			expectedStatus:      metav1.ConditionUnknown,
+			expectedReason:      hyperv1.StatusUnknownReason,
+			expectedMessagePart: "AWS EC2 client is not available",
+			shouldReturnEarly:   false, // Will proceed to check EC2 client
 		},
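
Review bot: The "KAS available" case keeps `shouldReturnEarly: false` while expecting `metav1.ConditionUnknown` with the message "AWS EC2 client is not available", so what it asserts is the nil-EC2-client early return rather than a validation that actually ran. Rename the case to say so (for example "KAS available, EC2 client nil") and make the flag or its comment match that branch; on its own this case does not exercise the path where the identity provider is validated.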

109-110: Variable naming suggests substring match but performs exact comparison.

The variable is named expectedMessagePart which suggests a substring check using strings.Contains, but the comparison on line 109 performs an exact equality check. Consider renaming to expectedMessage for clarity, or use strings.Contains if partial matching is intended.

For exact matching (current behavior), apply this diff:

 	testCases := []struct {
 		name                string
 		kasCondition        *metav1.Condition
 		expectedStatus      metav1.ConditionStatus
 		expectedReason      string
-		expectedMessagePart string
+		expectedMessage     string
 		shouldReturnEarly   bool
 	}{
 		{
 			name:                "KAS not available - condition missing",
 			kasCondition:        nil,
 			expectedStatus:      metav1.ConditionUnknown,
 			expectedReason:      hyperv1.StatusUnknownReason,
-			expectedMessagePart: "Cannot validate AWS identity provider while KubeAPIServer is not available",
+			expectedMessage:     "Cannot validate AWS identity provider while KubeAPIServer is not available",
 			shouldReturnEarly:   true,
 		},
 		// ... update remaining test cases similarly
 	}
 	
 	// ... in test execution:
-	if tc.expectedMessagePart != "" && condition.Message != tc.expectedMessagePart {
-		t.Errorf("Expected message to contain %q, got %q", tc.expectedMessagePart, condition.Message)
+	if tc.expectedMessage != "" && condition.Message != tc.expectedMessage {
+		t.Errorf("Expected message %q, got %q", tc.expectedMessage, condition.Message)
 	}
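
Review bot: The `tc.expectedMessage != ""` guard in the assertion lets any case that leaves expectedMessage unset skip the message check without failing. With the rename making this an exact match, compare unconditionally so every case has to state its message. The `// ... update remaining test cases similarly` placeholder also needs the remaining cases written out before this can be applied as a diff.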
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7916f3f and f57f537.

📒 Files selected for processing (2)
  • control-plane-operator/controllers/healthcheck/aws.go (1 hunks)
  • control-plane-operator/controllers/healthcheck/aws_test.go (1 hunks)
🔇 Additional comments (2)
control-plane-operator/controllers/healthcheck/aws.go (2)

18-32: LGTM! Correct handling of KAS unavailability.

The pre-check logic correctly prevents validation attempts when KAS is unavailable and appropriately sets the condition to Unknown instead of False. This prevents misleading alerts when validation cannot be performed.


34-46: LGTM! Proper handling of nil EC2 client.

The EC2 client nil check now correctly sets the condition to Unknown when the client is unavailable (e.g., due to token minting failure) and returns early, consistent with the KAS availability check above.

@sdminonne sdminonne left a comment

with a nit

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 6, 2025

openshift-ci bot commented Nov 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: muraee, sdminonne

@muraee muraee force-pushed the fix-OCPBUGS-63353 branch from f57f537 to 940d047 Compare November 6, 2025 14:40
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Nov 6, 2025

muraee commented Nov 6, 2025

@coderabbitai Thanks for the detailed review! I've addressed both nitpick suggestions:

  1. ✅ Added expectedMessage to the "KAS available" test case to verify the EC2 client unavailable message
  2. ✅ Renamed expectedMessagePart to expectedMessage for clarity and updated the error message to reflect exact matching

Changes pushed in commit 940d047. All tests pass.


AI-assisted response via Claude Code

coderabbitai bot commented Nov 6, 2025

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the current state of the test file to verify the changes mentioned
cat control-plane-operator/controllers/healthcheck/aws_test.go

Length of output: 3944


@muraee Thank you for addressing the suggestions so promptly! 🙏

I've verified the changes in the test file, and everything looks excellent:

  1. ✅ The "KAS available" test case now includes expectedMessage: "AWS EC2 client is not available" to verify the EC2 client check
  2. ✅ The field is cleanly named expectedMessage throughout, with exact string matching in the assertion

The test coverage is now comprehensive, checking all the expected messages across all scenarios. Great work on improving the test clarity and completeness!

    (\___/)
    (='.'=)  
    (")_(")
   *happy hop*

@sdminonne sdminonne left a comment

A simple question otherwise /lgtm

@sdminonne

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 12, 2025
@muraee muraee marked this pull request as ready for review November 12, 2025 15:08
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 12, 2025
@openshift-ci openshift-ci bot requested a review from jparrill November 12, 2025 15:09

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f57f537 and 940d047.

📒 Files selected for processing (1)
  • control-plane-operator/controllers/healthcheck/aws_test.go (1 hunks)
🔇 Additional comments (3)
control-plane-operator/controllers/healthcheck/aws_test.go (3)

1-16: LGTM! Well-documented test setup.

The imports are appropriate and the test function is clearly documented, explaining its purpose of validating condition logic when KAS is unavailable.


17-66: LGTM! Comprehensive test case coverage.

The test cases thoroughly cover the different KAS availability scenarios (missing, False, Unknown, and available), with clear expected values for status, reason, and message. The test structure aligns well with the PR objectives.


96-116: LGTM! Thorough condition verification.

The test properly verifies all aspects of the ValidAWSIdentityProvider condition: existence, status, reason, message, and observedGeneration. The use of t.Fatal at line 99 is appropriate for subtests where subsequent assertions depend on the condition being non-nil.

muraee commented Nov 14, 2025

/retest-required

… unavailable

The ValidAWSIdentityProvider condition was incorrectly showing as False
when the Kube API Server (KAS) is not available. This created misleading
signals during cluster provisioning or when API server pods are down.

The AWS identity provider validation requires minting tokens via KAS.
When KAS is not available, we cannot determine if the AWS IDP is valid
or not. Therefore, the condition should be set to Unknown rather than
False.

This change checks the KubeAPIServerAvailable condition before attempting
AWS validation. If KAS is not available or the EC2 client cannot be
created, the condition is set to Unknown with StatusUnknownReason instead
of being left in an incorrect False state.

Fixes: OCPBUGS-63353

🤖 Generated with [Claude Code](https://claude.com/claude-code) via /jira:solve OCPBUGS-63353

Co-Authored-By: Claude <[email protected]>
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Nov 17, 2025
…ogic

Add unit tests to validate the condition setting logic when KAS is not
available. These tests ensure that the ValidAWSIdentityProvider condition
is correctly set to Unknown when validation cannot be performed.

Test cases cover:
- KAS condition missing
- KAS condition False
- KAS condition Unknown
- KAS condition True (proceeds to check EC2 client)

The tests validate that the condition status, reason, and message are set
correctly for each scenario, ensuring the fix for OCPBUGS-63353 works as
expected.

🤖 Generated with [Claude Code](https://claude.com/claude-code) via /jira:solve OCPBUGS-63353

Co-Authored-By: Claude <[email protected]>

muraee commented Nov 20, 2025

/retest-required

@sdminonne

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2025

muraee commented Nov 21, 2025

/retest-required

muraee commented Nov 21, 2025

/verified later

@openshift-ci-robot

@muraee: /verified later <@username> requires at least one GitHub @username to be specified (it can be a comma delimited list). It indicates the engineer(s) that will be performing the verification. See https://docs.ci.openshift.org/docs/architecture/jira/#premerge-verification for more information.

muraee commented Nov 21, 2025

/verified by unit-test

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 21, 2025
@openshift-ci-robot

@muraee: This PR has been marked as verified by unit-test.

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD dd940af and 2 for PR HEAD 09d1e48 in total

muraee commented Nov 21, 2025

/override "e2e-aks"
this PR introduces changes to an AWS controller only


openshift-ci bot commented Nov 21, 2025

@muraee: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • e2e-aks

Only the following failed contexts/checkruns were expected:

  • CodeRabbit
  • ci/prow/e2e-aks
  • ci/prow/e2e-aks-4-20
  • ci/prow/e2e-aws
  • ci/prow/e2e-aws-upgrade-hypershift-operator
  • ci/prow/e2e-kubevirt-aws-ovn-reduced
  • ci/prow/images
  • ci/prow/okd-scos-images
  • ci/prow/security
  • ci/prow/unit
  • ci/prow/verify
  • pull-ci-openshift-hypershift-main-e2e-aks
  • pull-ci-openshift-hypershift-main-e2e-aks-4-20
  • pull-ci-openshift-hypershift-main-e2e-aws
  • pull-ci-openshift-hypershift-main-e2e-aws-upgrade-hypershift-operator
  • pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn-reduced
  • pull-ci-openshift-hypershift-main-images
  • pull-ci-openshift-hypershift-main-okd-scos-images
  • pull-ci-openshift-hypershift-main-security
  • pull-ci-openshift-hypershift-main-unit
  • pull-ci-openshift-hypershift-main-verify
  • tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

muraee commented Nov 21, 2025

/override "ci/prow/e2e-aks"
this PR introduces changes to an AWS controller only


openshift-ci bot commented Nov 21, 2025

@muraee: Overrode contexts on behalf of muraee: ci/prow/e2e-aks

openshift-ci bot commented Nov 21, 2025

@muraee: all tests passed!

@openshift-merge-bot openshift-merge-bot bot merged commit 879fcc8 into openshift:main Nov 21, 2025
21 checks passed
@openshift-ci-robot

@muraee: Jira Issue Verification Checks: Jira Issue OCPBUGS-63353
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-63353 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

@openshift-merge-robot

Fix included in accepted release 4.21.0-0.nightly-2025-11-22-193140
