SREP-3938: Add --hive-ocm-url flag to network verify-egress for multi-env OCM support

[nephomaniac]

Summary

Adds --hive-ocm-url flag to osdctl network verify-egress command to enable multi-environment OCM support for staging/integration testing.

Changes

• Added --hive-ocm-url optional flag to network verify-egress command
• Implements conditional logic to use separate OCM connections for target cluster and hive when flag is provided
• Added early validation in validateInput() method to fail fast on invalid OCM URLs
• Preserves backward compatibility - original code path unchanged when flag not provided
• Supports OCM URL aliases: 'production', 'staging', 'integration'
• Updated unit tests in verification_test.go to verify early validation behavior

Implementation Details

When --hive-ocm-url is specified:

1. Creates separate OCM connection for hive using utils.CreateConnectionWithUrl()
2. Uses utils.GetHiveClusterWithConn() to query hive from different OCM environment
3. Creates hive k8s client with appropriate OCM connection
4. Validates OCM URL early using utils.ValidateAndResolveOcmUrl()

Testing

• ✅ Tested in staging environment with valid --hive-ocm-url values
• ✅ Tested in production environment with valid --hive-ocm-url values
• ✅ Validated early failure with invalid --hive-ocm-url values
• ✅ Backward compatibility verified (command works without --hive-ocm-url flag)
• ✅ Unit tests passing (including new tests for validation logic)

Testing Limitation

⚠️ Note: The code path that actually uses Hive with --hive-ocm-url requires a cluster configured with a cluster-wide proxy. No such clusters were available for testing in either staging or production environments. The implementation follows the same pattern as other commands in this series (SREP-3940, SREP-3941, SREP-3896) and has been verified through code review and unit tests.

Related

• Parent Epic: SREP-3936
• Jira: SREP-3938

Note

This PR is part of a series adding multi-environment OCM support to osdctl commands. Will place on hold until the common implementation pattern can be reviewed across all related PRs.

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

[nephomaniac]

Placing on hold until all the similar commands/PRs adding multiple OCM env support can have the common impl pattern reviewed. Will unhold after the other PRs, and general pattern get a chance for review.

/hold

[coderabbitai]

Walkthrough

This pull request introduces multi-environment Hive/OCM support to the network verification command by adding a new --hive-ocm-url flag and optional parameter to the EgressVerification struct. The implementation branches on the presence of hiveOcmUrl to support both single-OCM and multi-OCM paths while maintaining backward compatibility.

Changes

Cohort / File(s)	Summary
Core Implementation cmd/network/verification.go	Added hiveOcmUrl field and --hive-ocm-url flag to enable multi-environment Hive operations. Implemented branching logic in CA bundle retrieval and validation to support separate OCM connections for target and Hive clusters while preserving original single-OCM flow when flag is absent.
Test Coverage cmd/network/verification_test.go	Extended input validation tests with cases for valid (production, staging, integration, full URL) and invalid hive-ocm-url values. Added new TestHiveOcmUrlValidation function to verify URL validation behavior including error message assertions.
Documentation docs/README.md, docs/osdctl_network_verify-egress.md	Documented new --hive-ocm-url flag with aliases and default behavior. Added example demonstrating multi-environment usage with staging cluster and production Hive.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@nephomaniac: An error was encountered searching for bug SREP-3938 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

No response returned: Get "https://issues.redhat.com/rest/api/2/issue/SREP-3938": GET https://issues.redhat.com/rest/api/2/issue/SREP-3938 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

Summary

Adds --hive-ocm-url flag to osdctl network verify-egress command to enable multi-environment OCM support for staging/integration testing.

Changes

• Added --hive-ocm-url optional flag to network verify-egress command
• Implements conditional logic to use separate OCM connections for target cluster and hive when flag is provided
• Added early validation in validateInput() method to fail fast on invalid OCM URLs
• Preserves backward compatibility - original code path unchanged when flag not provided
• Supports OCM URL aliases: 'production', 'staging', 'integration'
• Updated unit tests in verification_test.go to verify early validation behavior

Implementation Details

When --hive-ocm-url is specified:

1. Creates separate OCM connection for hive using utils.CreateConnectionWithUrl()
2. Uses utils.GetHiveClusterWithConn() to query hive from different OCM environment
3. Creates hive k8s client with appropriate OCM connection
4. Validates OCM URL early using utils.ValidateAndResolveOcmUrl()

Testing

• ✅ Tested in staging environment with valid --hive-ocm-url values
• ✅ Tested in production environment with valid --hive-ocm-url values
• ✅ Validated early failure with invalid --hive-ocm-url values
• ✅ Backward compatibility verified (command works without --hive-ocm-url flag)
• ✅ Unit tests passing (including new tests for validation logic)

Testing Limitation

⚠️ Note: The code path that actually uses Hive with --hive-ocm-url requires a cluster configured with a cluster-wide proxy. No such clusters were available for testing in either staging or production environments. The implementation follows the same pattern as other commands in this series (SREP-3940, SREP-3941, SREP-3896) and has been verified through code review and unit tests.

Related

• Parent Epic: SREP-3936
• Jira: SREP-3938

Note

This PR is part of a series adding multi-environment OCM support to osdctl commands. Will place on hold until the common implementation pattern can be reviewed across all related PRs.

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: nephomaniac
Once this PR has been reviewed and has the lgtm label, please assign iamkirkbater for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (3)

cmd/network/verification.go (2)

170-173: Clarify when this example actually exercises --hive-ocm-url.

This reads like a general multi-environment switch, but in this command's current implementation the flag is only consulted on the Hive-backed CA-bundle lookup path. Calling out the classic/proxy CA-bundle case here will set the right expectation and avoid confusing no-op runs.

Possible wording

-  # Run against a staging cluster using production Hive (multi-environment OCM)
+  # For a classic cluster that needs automatic proxy CA-bundle retrieval,
+  # target staging OCM while querying Hive from production

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/network/verification.go` around lines 170 - 173, Update the example text
for the osdctl network verify-egress invocation to explicitly state that the
--hive-ocm-url flag is only consulted when the command follows the Hive-backed
CA-bundle lookup path (i.e., when the code path that queries Hive for CA bundles
is used) and is effectively a no-op for the classic/proxy CA-bundle lookup path;
mention the env var OCM_URL and the command osdctl network verify-egress and the
flag --hive-ocm-url so readers know when the flag matters.

---

455-497: Extract the Hive client bootstrap into a helper.

Both branches resolve the Hive cluster and then build a Kubernetes client, with only the connection source changing. Pulling that into a helper would remove duplication here and make the new multi-env path easier to unit-test.

Possible shape

 func (e *EgressVerification) getCaBundleFromHive(ctx context.Context) (string, error) {
 	scheme := runtime.NewScheme()
 	if err := corev1.AddToScheme(scheme); err != nil {
 		return "", err
 	}
 	if err := hivev1.AddToScheme(scheme); err != nil {
 		return "", err
 	}
 
-	var hive *cmv1.Cluster
-	var hc client.Client
-	var err error
-
-	if e.hiveOcmUrl != "" {
-		...
-	} else {
-		...
-	}
+	hive, hc, err := e.getHiveClient(ctx, scheme)
+	if err != nil {
+		return "", err
+	}
 
 	e.log.Debug(ctx, "searching for proxy SyncSet")
 	...
 }

func (e *EgressVerification) getHiveClient(ctx context.Context, scheme *runtime.Scheme) (*cmv1.Cluster, client.Client, error) {
	// keep the single-env and multi-env connection/client setup here
}

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/network/verification.go` around lines 455 - 497, Extract the duplicated
logic that resolves a Hive cluster and builds a Kubernetes client into a helper
on EgressVerification (e.g. func (e *EgressVerification) getHiveClient(ctx
context.Context, scheme *runtime.Scheme) (*cmv1.Cluster, client.Client, error));
inside it handle both paths: when e.hiveOcmUrl != "" call
utils.CreateConnection(), utils.CreateConnectionWithUrl(e.hiveOcmUrl) and
utils.GetHiveClusterWithConn(e.cluster.ID(), targetOCM, hiveOCM) and create the
k8s client with k8s.NewWithConn(hive.ID(), client.Options{Scheme: scheme},
hiveOCM) (ensuring you defer Close on connections inside caller context or
return connections if needed), otherwise call
utils.GetHiveCluster(e.cluster.ID()) and k8s.New(hive.ID(),
client.Options{Scheme: scheme}); then replace the duplicated block in
verification.go with a single call to e.getHiveClient(ctx, scheme) and propagate
returned errors.

cmd/network/verification_test.go (1)

177-182: Remove redundant conditional - both branches are identical.

The if/else block executes the same code in both branches, making the conditional unnecessary.

♻️ Simplify by removing the conditional

-			// This simulates the validation that occurs in the validateInput() method
-			var err error
-			if tt.hiveOcmUrl != "" {
-				_, err = utils.ValidateAndResolveOcmUrl(tt.hiveOcmUrl)
-			} else {
-				_, err = utils.ValidateAndResolveOcmUrl(tt.hiveOcmUrl)
-			}
+			// This simulates the validation that occurs in the validateInput() method
+			_, err := utils.ValidateAndResolveOcmUrl(tt.hiveOcmUrl)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/network/verification_test.go` around lines 177 - 182, The if/else block
around calling utils.ValidateAndResolveOcmUrl is redundant because both branches
call the same function with tt.hiveOcmUrl; remove the conditional and call
utils.ValidateAndResolveOcmUrl(tt.hiveOcmUrl) once, assigning to the existing
err variable (and discarding the first return value if unused) to simplify the
test code that references ValidateAndResolveOcmUrl and tt.hiveOcmUrl.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@cmd/network/verification_test.go`:
- Around line 177-182: The if/else block around calling
utils.ValidateAndResolveOcmUrl is redundant because both branches call the same
function with tt.hiveOcmUrl; remove the conditional and call
utils.ValidateAndResolveOcmUrl(tt.hiveOcmUrl) once, assigning to the existing
err variable (and discarding the first return value if unused) to simplify the
test code that references ValidateAndResolveOcmUrl and tt.hiveOcmUrl.

In `@cmd/network/verification.go`:
- Around line 170-173: Update the example text for the osdctl network
verify-egress invocation to explicitly state that the --hive-ocm-url flag is
only consulted when the command follows the Hive-backed CA-bundle lookup path
(i.e., when the code path that queries Hive for CA bundles is used) and is
effectively a no-op for the classic/proxy CA-bundle lookup path; mention the env
var OCM_URL and the command osdctl network verify-egress and the flag
--hive-ocm-url so readers know when the flag matters.
- Around line 455-497: Extract the duplicated logic that resolves a Hive cluster
and builds a Kubernetes client into a helper on EgressVerification (e.g. func (e
*EgressVerification) getHiveClient(ctx context.Context, scheme *runtime.Scheme)
(*cmv1.Cluster, client.Client, error)); inside it handle both paths: when
e.hiveOcmUrl != "" call utils.CreateConnection(),
utils.CreateConnectionWithUrl(e.hiveOcmUrl) and
utils.GetHiveClusterWithConn(e.cluster.ID(), targetOCM, hiveOCM) and create the
k8s client with k8s.NewWithConn(hive.ID(), client.Options{Scheme: scheme},
hiveOCM) (ensuring you defer Close on connections inside caller context or
return connections if needed), otherwise call
utils.GetHiveCluster(e.cluster.ID()) and k8s.New(hive.ID(),
client.Options{Scheme: scheme}); then replace the duplicated block in
verification.go with a single call to e.getHiveClient(ctx, scheme) and propagate
returned errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 06df6dde-0fa9-4949-bb60-973ebb0b528a

📥 Commits

Reviewing files that changed from the base of the PR and between 71e44ff and 93b5020.

📒 Files selected for processing (4)

• cmd/network/verification.go
• cmd/network/verification_test.go
• docs/README.md
• docs/osdctl_network_verify-egress.md

[openshift-ci]

@nephomaniac: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.