chore(SREP-4482, SREP-4486, SREP-4800: Boilerplate Update for Agentic SDLC Rollout)

[devppratik]

What type of PR is this?

boilerplate update

What this PR does / why we need it?

This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?

Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Summary by CodeRabbit

• Chores

  • Updated base container images, added a pre-commit workflow (linting, secret scanning, RBAC checks), configured code coverage gating for project and patch, and adjusted ownership aliases and operator startup/leader-election behavior.

• Refactor

  • Threaded context propagation across controllers, clients, helpers, and tests for more consistent and cancellable request handling.

[openshift-ci-robot]

@devppratik: This pull request references SREP-4482 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4486 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references SREP-4800 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What type of PR is this?

boilerplate update

What this PR does / why we need it?

This PR moves the changes introduced in boilerplate for Agentic SDLC Rollout into MVP for ocm-agent-operator.
Related BP MRs

• SREP-4482: Update golangci-lint configuration with enhanced linters boilerplate#716
• SREP-4484: Enable Codecov Enforcement boilerplate#720
• [SREP-4485] add pre-commit hooks to golang-osd-operator convention boilerplate#723

Which Jira/Github issue(s) this PR fixes?

Part of Rollout for Agentic SDLC -

• Lint -https://redhat.atlassian.net/browse/SREP-4482
• Pre-Commit Hook - https://redhat.atlassian.net/browse/SREP-4486
• CodeCov - https://redhat.atlassian.net/browse/SREP-4800

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b05a8d3c-b87a-4248-981a-d59ff31c2629

📥 Commits

Reviewing files that changed from the base of the PR and between 1f7f9fc and d70d9ea.

📒 Files selected for processing (3)

• controllers/certificaterequest/update_status_test.go
• main.go
• test/e2e/utils/utils.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/e2e/utils/utils.go

---

Walkthrough

Threads context.Context through controllers, clients, helpers and tests (replacing context.TODO()), updates related function signatures, and separately updates CI/build/config (pre-commit, codecov, Docker image tags) and OWNERS_ALIASES.

Changes

Context propagation across controllers, clients, and helpers

Layer / File(s)	Summary
Core utility shape controllers/certificaterequest/utils.go, pkg/leclient/utils.go	GetSecret and SecretExists now accept ctx context.Context and use it for kubeClient.Get instead of context.TODO().
API markers api/v1alpha1/groupversion_info.go	Adds Kubebuilder markers: // +kubebuilder:object:generate=true and // +groupName=certman.managed.openshift.io.
Certificate helpers controllers/certificaterequest/certificate.go	GetCertificate signature updated to accept ctx and passes it into secret retrieval.
DNS helpers / HTTP calls controllers/certificaterequest/cloudflare.go, controllers/certificaterequest/issue_certificate.go	DNS fetch/verification and zone-finding APIs now accept ctx and use context-aware HTTP requests; IssueCertificate and FindZoneIDForChallenge accept and propagate ctx.
LetsEncrypt client pkg/leclient/lets_encrypt.go, pkg/leclient/lets_encrypt_test.go	NewClient and helper functions updated to accept ctx and retrieve account data via context-aware GetSecret; tests updated to pass context.TODO().
Reconciler surface & core flows controllers/certificaterequest/*.go	Reconcile and related helpers (finalize/create/revoke/issue/renew/updateStatus/UpdateCertValidDuration/relocationBailOut and others) updated to accept and propagate ctx for all client operations; some helper return signatures simplified (e.g., acmeError).
ClusterDeployment controller controllers/clusterdeployment/*.go	syncCertificateRequests, getCurrentCertificateRequests, handleDelete and related reconciliation paths now accept ctx and use it for List/Get/Create/Update/Delete/Patch calls.
Metrics & DB usage pkg/localmetrics/*, pkg/localmetrics/crt_sh.go	CheckInitCounter now accepts ctx and uses it for list queries; DB query uses QueryRowContext and defers Close with logged error.
Clients: AWS/GCP/Azure pkg/clients/aws/route53.go, pkg/clients/gcp/dns.go, pkg/clients/azure/*	Improved error wrapping (%w), AWS STS error detection uses errors.As, minor preallocation and error-wrapping changes; some tests gain lint suppressions.
Helpers, utils & lint controllers/utils/utils.go, fips.go, main.go	getConfig/GetDefaultNotificationEmailAddress now accept ctx; minor logging/lint adjustments (nolint, print handling, leader-election branching).
Tests **/*_test.go across controllers, leclient, localmetrics, utils	All updated call sites pass context.TODO() as new first arg; imports adjusted where required.
E2E utilities & robustness test/e2e/utils/utils.go	Refined EOF checks to errors.Is, replaced plain defer Body.Close() with deferred closures that log close errors, and added multiple //nolint directives on large helpers.

Infrastructure, CI and repository hygiene

Layer / File(s)	Summary
Pre-commit tooling .pre-commit-config.yaml	Adds .pre-commit-config.yaml with upstream hooks (merge-conflict, trailing-whitespace, EOF, YAML), gitleaks, golangci-lint, and local hooks for go build, go mod tidy drift detection, and RBAC wildcard checks.
Coverage gating .codecov.yml	Replaces coverage.status: project/patch: no with explicit gating: project.default: 35%/threshold: 1% and patch.default: 50%/threshold: 1%.
Build images .ci-operator.yaml, build/Dockerfile, build/Dockerfile.olm-registry	Bumps build_root_image tag to image-v8.3.6; updates UBI minimal runtime base image tag to 9.7-1778072020 (including OLm registry Dockerfile).
Repository metadata OWNERS_ALIASES	Removes several alias members from owners alias groups.
Tests / lint annotations pkg/clients/azure/*, various tests	Minor test print/log adjustments and added //nolint directives where noted.

sequenceDiagram
    participant Controller
    participant KubeAPI
    participant LetsEncrypt
    participant DNSProvider
    participant DB
    Controller->>KubeAPI: Reconcile(ctx) -> Get/List/Update (with ctx)
    Controller->>LetsEncrypt: NewClient(ctx) / Revoke/Issue (ctx)
    Controller->>DNSProvider: VerifyDnsResourceRecordUpdate(ctx)
    Controller->>KubeAPI: Create/Update Secret (with ctx)
    Controller->>DB: QueryRowContext / metrics ops (with ctx)
    KubeAPI-->>Controller: Resource objects / Secrets
    LetsEncrypt-->>Controller: ACME responses
    DNSProvider-->>Controller: DNS lookup responses
    DB-->>Controller: Query results

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	fips.go init() has fmt.Println writing non-JSON text to stdout during process startup, violating the OTE Binary Stdout Contract. Blank identifier only suppresses linting.	Remove fmt.Println or redirect output to stderr via fmt.Fprintf(os.Stderr, ...).
Docstring Coverage	⚠️ Warning	Docstring coverage is 51.79% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references the boilerplate update for Agentic SDLC rollout with specific Jira issue identifiers, accurately summarizing the main changes across configuration files, linting, pre-commit hooks, and context threading.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR does not modify any Ginkgo test names. Modified test files are standard Go tests (testing.T). Existing Ginkgo tests in repository have stable, deterministic names with no dynamic content.
Test Structure And Quality	✅ Passed	All Ginkgo test quality requirements met: single responsibility, proper setup/cleanup, timeouts on all waits, meaningful assertions, codebase consistency.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are boilerplate updates, configuration modifications, context threading, and linting improvements only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds no new Ginkgo e2e tests. Changes to test/e2e/utils/utils.go are linting and utility improvements only (nolint directives, error handling, EOF detection). Check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains no deployment manifest changes, scheduling constraints, or affinity rules. Only configuration, build, and code quality updates.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Check is not applicable as it only applies to newly added tests. PR contains refactoring and linting improvements to existing code.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: devppratik
Once this PR has been reviewed and has the lgtm label, please assign iamkirkbater for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

.codecov.yml (1)

11-18: ⚡ Quick win

LGTM — valid CodeCov configuration activating coverage gates.

The target: 35% / target: 50% values are valid; CodeCov accepts the coverage target as a string, int, or float (e.g. 75% or 100%). The threshold: 1% on both blocks is standard and correctly grants a 1% wiggle room before the status fails.

The choice of a higher patch target (50%) than the project floor (35%) follows the recommended pattern of focusing test requirements on newly written code rather than legacy code, which is a sensible bootstrapping approach for an MVP codebase.

One thing to keep in mind: informational is not set, so it defaults to false — meaning these are blocking status checks. If the current project coverage is already below 35% and a coverage report is uploaded on this PR, the check will fail immediately. Consider adding informational: true temporarily while the team ramps up coverage, and then removing it once the baseline is stable.

💡 Optional: make checks informational until baseline is confirmed stable

     project:
       default:
         target: 35%
         threshold: 1%
+        informational: true   # remove once project coverage >= 35%
     patch:
       default:
         target: 50%
         threshold: 1%
+        informational: true   # remove once patch coverage >= 50%

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.codecov.yml around lines 11 - 18, Add the optional Codecov "informational"
flag to make the coverage gates non-blocking for now; specifically, update the
project.default and patch.default blocks (the existing keys with target: 35% and
target: 50%) to include informational: true so the checks are informational
instead of failing the status while team coverage baseline is being ramped up.

.pre-commit-config.yaml (1)

129-134: 💤 Low value

rbac-wildcard-check lacks the timeout guard used by every other local hook.

Hooks 4 (go-build, 30 s) and 5 (go-mod-tidy, 60 s) both wrap their entry with the portable timeout/gtimeout detection pattern described in the TIMEOUT NOTE comment (lines 88–92). Hook 6 invokes make rbac-wildcard-check bare, so a hung make invocation can block the commit indefinitely.

♻️ Proposed fix

-        entry: bash -c 'make rbac-wildcard-check'
+        entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} make rbac-wildcard-check'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 129 - 134, The local pre-commit hook
"rbac-wildcard-check" currently runs entry: bash -c 'make rbac-wildcard-check'
without a timeout guard; update its entry to wrap the make invocation using the
same portable timeout detection pattern referenced in the TIMEOUT NOTE
(detecting timeout/gtimeout and prefixing the command) used by the other hooks
(e.g., go-build, go-mod-tidy) so that make rbac-wildcard-check is executed
through the timeout wrapper to prevent commits from hanging.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.pre-commit-config.yaml:
- Line 68: Update the gitleaks hook revision from the pinned "rev: v8.18.0" to
the current stable "v8.30.1" in .pre-commit-config.yaml for the gitleaks entry;
locate the gitleaks hook by the "gitleaks" repository/hook name and replace the
rev field value, then run pre-commit autoupdate or validate the config to ensure
the new version is accepted.

In `@build/Dockerfile`:
- Line 1: The Dockerfile's base image uses a non-existent tag "image-v8.3.6" in
the FROM instruction; change the tag to the latest released stable
"image-v8.3.4" (or another valid released tag) in the FROM line so the builder
can pull the base image successfully, ensuring the change is applied to the FROM
statement in the Dockerfile.

In `@controllers/certificaterequest/update_status_test.go`:
- Around line 221-224: The test's failure message incorrectly references
GetCertificate() instead of updateStatusError; inside TestUpdateStatusError (or
the test containing the call to reconciler.updateStatusError), update the
t.Errorf string to refer to updateStatusError (or a generic "Got unexpected
error") so the message matches the function under test and avoids copy-paste
confusion; locate the assertion around reconciler.updateStatusError(...) and
replace the "GetCertificate() Got unexpected error: %v" text accordingly.

---

Nitpick comments:
In @.codecov.yml:
- Around line 11-18: Add the optional Codecov "informational" flag to make the
coverage gates non-blocking for now; specifically, update the project.default
and patch.default blocks (the existing keys with target: 35% and target: 50%) to
include informational: true so the checks are informational instead of failing
the status while team coverage baseline is being ramped up.

In @.pre-commit-config.yaml:
- Around line 129-134: The local pre-commit hook "rbac-wildcard-check" currently
runs entry: bash -c 'make rbac-wildcard-check' without a timeout guard; update
its entry to wrap the make invocation using the same portable timeout detection
pattern referenced in the TIMEOUT NOTE (detecting timeout/gtimeout and prefixing
the command) used by the other hooks (e.g., go-build, go-mod-tidy) so that make
rbac-wildcard-check is executed through the timeout wrapper to prevent commits
from hanging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 967d58d5-338d-41e8-8bdd-53b1a05ff10b

📥 Commits

Reviewing files that changed from the base of the PR and between e855464 and 7475c83.

⛔ Files ignored due to path filters (11)

• boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/.codecov.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/ensure.sh is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/golangci.yml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/pre-commit-config.yaml is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**

📒 Files selected for processing (20)

• .ci-operator.yaml
• .codecov.yml
• .pre-commit-config.yaml
• OWNERS_ALIASES
• api/v1alpha1/groupversion_info.go
• build/Dockerfile
• build/Dockerfile.olm-registry
• controllers/certificaterequest/certificate.go
• controllers/certificaterequest/certificate_test.go
• controllers/certificaterequest/certificaterequest_controller.go
• controllers/certificaterequest/certificaterequest_controller_test.go
• controllers/certificaterequest/renew_certificate.go
• controllers/certificaterequest/renew_certificate_test.go
• controllers/certificaterequest/revoke_certificate.go
• controllers/certificaterequest/revoke_certificate_test.go
• controllers/certificaterequest/update_status.go
• controllers/certificaterequest/update_status_test.go
• controllers/certificaterequest/utils.go
• controllers/certificaterequest/utils_test.go
• test/e2e/utils/utils.go

💤 Files with no reviewable changes (1)

• OWNERS_ALIASES

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the latest stable release of gitleaks?

💡 Result:

The latest stable release of Gitleaks is v8.30.1, released on 2026-03-21.[1][2][3] This is confirmed as the latest release on the official GitHub repository releases page[4], the latest release redirect[1], the specific tag page with assets and changelog[2], the main repo page listing it as latest[3][5], and third-party trackers like mise[6]. No newer releases are mentioned in searches up to today's date of 2026-05-07, and it includes standard binary assets for multiple platforms, indicating stability (not marked as prerelease).[2]

Citations:

• 1: https://github.com/zricethezav/gitleaks/releases/latest
• 2: https://github.com/gitleaks/gitleaks/releases/tag/v8.30.1
• 3: https://www.github.com/gitleaks/gitleaks
• 4: https://github.com/gitleaks/gitleaks/releases
• 5: https://github.com/gitleaks/gitleaks
• 6: https://mise-versions.jdx.dev/tools/gitleaks

---

Update gitleaks to the latest stable release — v8.30.1.

The pinned version v8.18.0 is significantly outdated. As a security-focused tool, gitleaks releases regularly include new secret pattern detection rules. Staying current ensures the hook catches newly added threat vectors.

Proposed fix

-    rev: v8.18.0                         # pinned immutable tag (golden rule 15)
+    rev: v8.30.1                         # pinned immutable tag (golden rule 15)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	rev: v8.18.0 # pinned immutable tag (golden rule 15)
	rev: v8.30.1 # pinned immutable tag (golden rule 15)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml at line 68, Update the gitleaks hook revision from
the pinned "rev: v8.18.0" to the current stable "v8.30.1" in
.pre-commit-config.yaml for the gitleaks entry; locate the gitleaks hook by the
"gitleaks" repository/hook name and replace the rev field value, then run
pre-commit autoupdate or validate the config to ensure the new version is
accepted.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the new boilerplate image tag exists and is accessible
echo "Checking if the new boilerplate image tag is accessible..."
docker manifest inspect quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.6 >/dev/null 2>&1
if [ $? -eq 0 ]; then
  echo "✓ Image tag boilerplate:image-v8.3.6 exists and is accessible"
else
  echo "✗ Image tag boilerplate:image-v8.3.6 could not be verified"
fi

# Also check the old tag for comparison
echo ""
echo "Checking if the old boilerplate image tag is still accessible..."
docker manifest inspect quay.io/redhat-services-prod/openshift/boilerplate:image-v8.3.4 >/dev/null 2>&1
if [ $? -eq 0 ]; then
  echo "✓ Image tag boilerplate:image-v8.3.4 exists and is accessible"
else
  echo "✗ Image tag boilerplate:image-v8.3.4 could not be verified"
fi

Repository: openshift/certman-operator

Length of output: 1934

---

🌐 Web query:

openshift boilerplate image-v8.3.6 changelog release notes

💡 Result:

No changelog or release notes found for openshift/boilerplate image-v8.3.6. The official GitHub repository https://github.com/openshift/boilerplate/ has only 8 releases, with the latest being image-v8.3.4 released on 2026-02-25 [1][2]. Searches for the specific tag image-v8.3.6 returned no matching releases or pages [3][4]. The repository's last push was 2026-03-31, but no evidence of v8.3.6 exists in available sources [1]. It may not have been released yet, or the tag exists without a published release page. Check the full tags list directly at https://github.com/openshift/boilerplate/tags for confirmation.

Citations:

• 1: https://github.com/openshift/boilerplate/
• 2: https://github.com/openshift/boilerplate
• 3: https://github.com/openshift/boilerplate/releases/tag/image-v8.3.4
• 4: https://github.com/openshift/boilerplate/tree/84124f7d4bed3bad80a9998f87552c02b0c3c4f5

---

🌐 Web query:

site:github.com/openshift/boilerplate "image-v8.3.6"

💡 Result:

"image-v8.3.6" refers to a potential Git tag in the OpenShift Boilerplate repository (https://github.com/openshift/boilerplate), which standardizes development conventions and builds a container image used in OpenShift CI/CD pipelines [1][2]. Tags follow the format image-vX.Y.Z for versioning the build image defined in config/Dockerfile, based on RHEL with Go, golangci-lint, kustomize, etc. [3][1]. The latest released tag as of 2026-05-07 is image-v8.3.4 (published 2026-02-25), including updates like konflux references and envtest fixes [4]. No sources mention image-v8.3.6 or higher; it may be unreleased, upcoming, or internal [1][4][2]. The repo's last push was 2026-03-31, but no new image-v* tags post-v8.3.4 [1].

Citations:

• 1: https://github.com/openshift/boilerplate
• 2: https://github.com/openshift/boilerplate/
• 3: https://github.com/openshift/boilerplate/blob/9e32f3652525c3d1ebe62ad1655820c6a7bc0c0e/README.md
• 4: https://github.com/openshift/boilerplate/releases/tag/image-v8.3.4

---

The boilerplate image tag image-v8.3.6 does not exist. The latest released version is image-v8.3.4 (released 2026-02-25). This will cause the build to fail when attempting to pull the base image. Either revert to the stable image-v8.3.4 or wait for image-v8.3.6 to be officially released before using it.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` at line 1, The Dockerfile's base image uses a non-existent
tag "image-v8.3.6" in the FROM instruction; change the tag to the latest
released stable "image-v8.3.4" (or another valid released tag) in the FROM line
so the builder can pull the base image successfully, ensuring the change is
applied to the FROM statement in the Dockerfile.

[codecov]

Codecov Report

❌ Patch coverage is 52.89855% with 65 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.04%. Comparing base (e855464) to head (d70d9ea).

Files with missing lines	Patch %	Lines
...ertificaterequest/certificaterequest_controller.go	51.11%	21 Missing and 1 partial ⚠️
controllers/certificaterequest/cloudflare.go	0.00%	10 Missing ⚠️
pkg/clients/aws/route53.go	0.00%	9 Missing ⚠️
.../clusterdeployment/clusterdeployment_controller.go	50.00%	2 Missing and 6 partials ⚠️
main.go	0.00%	6 Missing ⚠️
pkg/localmetrics/crt_sh.go	0.00%	4 Missing ⚠️
pkg/clients/gcp/dns.go	0.00%	2 Missing ⚠️
...ontrollers/certificaterequest/issue_certificate.go	85.71%	1 Missing ⚠️
...ntrollers/certificaterequest/revoke_certificate.go	66.66%	1 Missing ⚠️
...lers/clusterdeployment/clusterdeployment_delete.go	66.66%	0 Missing and 1 partial ⚠️
... and 1 more

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #443      +/-   ##
==========================================
- Coverage   57.15%   57.04%   -0.11%     
==========================================
  Files          29       29              
  Lines        2138     2142       +4     
==========================================
  Hits         1222     1222              
- Misses        802      808       +6     
+ Partials      114      112       -2     

Files with missing lines	Coverage Δ
controllers/certificaterequest/certificate.go	88.23% <100.00%> (ø)
...ontrollers/certificaterequest/renew_certificate.go	56.25% <100.00%> (ø)
controllers/certificaterequest/update_status.go	80.39% <100.00%> (+4.92%)	⬆️
controllers/certificaterequest/utils.go	100.00% <100.00%> (ø)
controllers/utils/utils.go	87.09% <100.00%> (ø)
pkg/leclient/lets_encrypt.go	79.81% <100.00%> (ø)
pkg/leclient/utils.go	100.00% <100.00%> (ø)
pkg/localmetrics/localmetrics.go	70.31% <100.00%> (-0.46%)	⬇️
...ontrollers/certificaterequest/issue_certificate.go	58.13% <85.71%> (ø)
...ntrollers/certificaterequest/revoke_certificate.go	25.00% <66.66%> (ø)
... and 9 more

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

pkg/localmetrics/crt_sh.go (1)

21-31: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Potential nil-pointer dereference if sql.Open fails.

If sql.Open returns an error, db may be nil and the deferred db.Close() call will panic. The current code only logs the open error and continues. Guard the close or return early.

🛡️ Proposed guard

 	db, err := sql.Open("postgres", getPsqlInfo())
-
 	if err != nil {
 		log.Error(err, "Failed to establish connection with crt.sh database")
+		return 0
 	}
 
 	defer func() {
 		if closeErr := db.Close(); closeErr != nil {
 			log.Error(closeErr, "error closing database connection")
 		}
 	}()

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/localmetrics/crt_sh.go` around lines 21 - 31, The code calls sql.Open in
pkg/localmetrics/crt_sh.go and defers db.Close() even when sql.Open returned an
error, risking a nil-pointer panic; modify the error handling in the block that
calls sql.Open (the db, err := sql.Open(...) section) to return early (or
otherwise abort the function) when err != nil instead of just logging, or only
install the defer db.Close() after confirming db != nil (i.e., move the defer
below the nil-check), so that Close is never called on a nil db.

pkg/localmetrics/localmetrics.go (1)

118-135: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Don't mark the counter initialized after a failed list.

Now that this uses reconcile-scoped ctx, cancellation/timeouts can hit the initial List call. On that path the function still sets the metric and flips areCountInitialized = true, so a transient failure can permanently pin the gauge to 0 until restart.

Suggested fix

 func CheckInitCounter(ctx context.Context, c client.Client) {
 	if !areCountInitialized {
 		counter := 0.0
 
 		var certRequestList certmanv1alpha1.CertificateRequestList
 
 		if err := c.List(ctx, &certRequestList, &client.ListOptions{}); err != nil {
 			logger.Error(err, "Failed to Init counter for Certificate Request")
+			return
 		}
 
 		for _, cr := range certRequestList.Items {
 			if utils.ContainsString(cr.Finalizers, certmanv1alpha1.CertmanOperatorFinalizerLabel) {
 				counter++
 			}
 		}
 
 		MetricCertRequestsCount.Set(counter)
 		areCountInitialized = true
 	}
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/localmetrics/localmetrics.go` around lines 118 - 135, In
CheckInitCounter, do not mark areCountInitialized true or set
MetricCertRequestsCount when the initial c.List(ctx, &certRequestList, ...)
returns an error; instead return early after logging the error so transient list
failures (due to reconcile-scoped ctx cancellation/timeouts) do not permanently
seal the gauge at 0. Locate the c.List call and its error handling in
CheckInitCounter, ensure you exit the function on error (leaving
areCountInitialized false) and only proceed to iterate certRequestList.Items,
call MetricCertRequestsCount.Set(counter), and set areCountInitialized = true
when the list succeeds.

controllers/certificaterequest/issue_certificate_test.go (2)

282-299: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Actually enable the FedRAMP branch in the test.

The FedRAMP case never sets the package-level fedramp / fedrampHostedZoneID flags that FindZoneIDForChallenge reads, so this path still exercises the non-FedRAMP logic. The final assertion only compares the fixture value against itself.

Suggested fix

 		t.Run(tc.name, func(t *testing.T) {
+			origFedramp, origHostedZoneID := fedramp, fedrampHostedZoneID
+			fedramp = tc.fedramp
+			fedrampHostedZoneID = tc.fedrampHostedZoneID
+			t.Cleanup(func() {
+				fedramp = origFedramp
+				fedrampHostedZoneID = origHostedZoneID
+			})
 
 			testClient := setUpTestClient(t, tc.KubeObjects)
@@
 			zoneID, err := reconciler.FindZoneIDForChallenge(context.TODO(), "test", mockClient)
@@
-			if tc.expectedFedrampHostedZoneID != mockClient.FedrampHostedZoneID && tc.fedramp == true {
-				t.Fatalf("unexpected zone id - Expected Fedramp Zone Id: %v - Got - %v", tc.expectedFedrampHostedZoneID, fedrampHostedZoneID)
+			if tc.fedramp && zoneID != tc.expectedFedrampHostedZoneID {
+				t.Fatalf("unexpected zone id - Expected Fedramp Zone Id: %v - Got - %v", tc.expectedFedrampHostedZoneID, zoneID)
 			}
 		})
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/certificaterequest/issue_certificate_test.go` around lines 282 -
299, Test never enables the FedRAMP branch because the package-level flags
fedramp and fedrampHostedZoneID (which FindZoneIDForChallenge reads) are not set
in the test; set fedramp = true and fedrampHostedZoneID =
mockClient.FedrampHostedZoneID (or the expected test value) before calling
reconciler.FindZoneIDForChallenge in the FedRAMP case, run the assertion
comparing zoneID to the expectedFedrampHostedZoneID, and then restore the
original package-level values (or reset fedramp = false) after the subtest to
avoid impacting other tests; refer to FindZoneIDForChallenge, fedramp,
fedrampHostedZoneID, and mockClient.FedrampHostedZoneID to locate the relevant
code to change.

---

112-131: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use testErr in the assertions.

The updated call stores the function result in testErr, but the assertions still inspect the older err variable from the setup path. That means unexpected IssueCertificate failures are missed, and the error-path assertion can dereference nil.

Suggested fix

 			testErr := rcr.IssueCertificate(context.TODO(), nullLogger, cr, s, test.LEClient)
-			if err != nil && !test.ExpectError {
-				t.Errorf("got unexpected error: %s", err)
+			if testErr != nil && !test.ExpectError {
+				t.Errorf("got unexpected error: %s", testErr)
 			}
@@
 			if test.ExpectError {
+				if testErr == nil {
+					t.Fatalf("expected error containing %q, got nil", test.ExpectedErrorMessage)
+				}
 				if !strings.Contains(testErr.Error(), test.ExpectedErrorMessage) {
-					t.Errorf("error (%s) did not contain expected message (%s)", err.Error(), test.ExpectedErrorMessage)
+					t.Errorf("error (%s) did not contain expected message (%s)", testErr.Error(), test.ExpectedErrorMessage)
 				}
 			}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/certificaterequest/issue_certificate_test.go` around lines 112 -
131, The test calls IssueCertificate and assigns its result to testErr but later
assertions still reference err; change those to use testErr: replace the
unexpected-error check "if err != nil && !test.ExpectError" with "if testErr !=
nil && !test.ExpectError", and in the error-path assertion use testErr.Error()
(or check testErr non-nil before calling Error()) instead of err.Error(); keep
the local "err" used for metric Write as-is but ensure you don't mix it with
testErr.

🧹 Nitpick comments (5)

pkg/clients/aws/route53.go (1)

248-249: ⚡ Quick win

Add a short rationale next to //nolint:gocyclo suppressions.

Please append a brief reason (and ideally a follow-up issue ID) to each suppression so future cleanup is actionable.

Also applies to: 354-355

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/clients/aws/route53.go` around lines 248 - 249, Add a short rationale
comment next to the existing //nolint:gocyclo on the
DeleteAcmeChallengeResourceRecords function (and the other occurrence around
lines 354-355) explaining why cyclomatic complexity is being suppressed and
include an action item or issue ID for future refactor; locate the
//nolint:gocyclo on the awsClient methods (e.g.,
DeleteAcmeChallengeResourceRecords) and append a brief note like
“//nolint:gocyclo: complex AWS Route53 logic; refactor tracked in ISSUE-1234” so
maintainers know the reason and have a follow-up to address later.

controllers/certificaterequest/update_status.go (1)

72-105: 💤 Low value

Sentinel-via-empty-Status is fragile; consider returning a bool or *Condition.

acmeError now returns the zero-value condition when one already exists, and callers detect this with newCondition.Status != "". That couples the "should append" decision to a default-valued field, which is easy to break later (e.g., if a caller forgets the empty check, or if Status ever becomes legitimately empty for some other path). A (condition, ok bool) or *CertificateRequestCondition return makes intent explicit.

♻️ Proposed change

-func acmeError(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest, err error) certmanv1alpha1.CertificateRequestCondition {
+func acmeError(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest, err error) (certmanv1alpha1.CertificateRequestCondition, bool) {
 	var found bool
 	var newCondition certmanv1alpha1.CertificateRequestCondition
 	for index := range cr.Status.Conditions {
 		if cr.Status.Conditions[index].Type == "acme error" {
 			found = true
 		}
 	}
-	if !found {
-		m := fmt.Sprint(err)
-		newCondition.Type = certmanv1alpha1.CertificateRequestConditionType("acme error")
-		newCondition.Status = corev1.ConditionStatus("Error")
-		newCondition.Message = &m
-		reqLogger.Info("Added condition 'acme error'")
-	}
-	return newCondition
+	if found {
+		return newCondition, false
+	}
+	m := fmt.Sprint(err)
+	newCondition.Type = certmanv1alpha1.CertificateRequestConditionType("acme error")
+	newCondition.Status = corev1.ConditionStatus("Error")
+	newCondition.Message = &m
+	reqLogger.Info("Added condition 'acme error'")
+	return newCondition, true
 }

Update the caller:

-			newCondition := acmeError(reqLogger, cr, err)
-			if newCondition.Status != "" {
-				cr.Status.Conditions = append(cr.Status.Conditions, newCondition)
-			}
+			if newCondition, ok := acmeError(reqLogger, cr, err); ok {
+				cr.Status.Conditions = append(cr.Status.Conditions, newCondition)
+			}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/certificaterequest/update_status.go` around lines 72 - 105, The
acmeError function currently returns a zero-value CertificateRequestCondition to
signal "no new condition", which is fragile; change acmeError to return a
pointer and a bool (or just a pointer) — e.g., func acmeError(reqLogger
logr.Logger, cr *certmanv1alpha1.CertificateRequest, err error)
(*certmanv1alpha1.CertificateRequestCondition, bool) — and return (nil, false)
when an existing "acme error" condition is found and ( &newCondition, true) when
constructing a new one; then update the caller in updateStatusError to use the
new signature and append only when ok is true (or when the returned pointer is
non-nil) instead of checking newCondition.Status != "" so the intent is explicit
and not tied to zero-valued fields.

controllers/certificaterequest/cloudflare.go (1)

61-92: ⚡ Quick win

Make the per-attempt sleep ctx-aware.

time.Sleep(...) ignores ctx; if the reconcile context is cancelled (e.g., shutdown, deadline) the loop will keep sleeping for up to maxNegativeCacheTTL seconds per attempt before noticing. Now that ctx is threaded through, the sleep should respect cancellation.

♻️ Proposed change

 		reqLogger.Info(fmt.Sprintf("will query DNS in %v seconds", sleepDuration))
-		time.Sleep(time.Duration(sleepDuration) * time.Second)
+		select {
+		case <-time.After(time.Duration(sleepDuration) * time.Second):
+		case <-ctx.Done():
+			return false
+		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/certificaterequest/cloudflare.go` around lines 61 - 92, The loop
in cloudflare.go currently uses time.Sleep(sleepDuration) which ignores ctx;
replace the direct sleep with a ctx-aware wait (use a timer or time.After
combined with select on ctx.Done()) so the reconcile exits immediately if ctx is
cancelled. Specifically, in the for loop around
TryFetchResourceRecordUsingPublicDNS, swap the
time.Sleep(time.Duration(sleepDuration)*time.Second) with a select that either
waits the duration or returns/propagates when <-ctx.Done() fires (log the
cancellation via reqLogger and return false or ctx.Err() as appropriate) while
keeping the existing variables sleepDuration, attempt, fqdn and txtValue intact.

controllers/utils/utils.go (1)

50-86: ⚡ Quick win

Thread ctx through GetCredentialsJSON and getSecret for consistency.

The PR established a pattern of threading ctx through GetDefaultNotificationEmailAddress and getConfig, but GetCredentialsJSON and its helper getSecret still use hardcoded context.Background() and context.TODO(). This prevents cancellation and timeouts from flowing into the credentials fetch path.

Update both function signatures to accept ctx, propagate it to the Kubernetes client calls and google.CredentialsFromJSON, and update call sites (pkg/clients/gcp/dns.go:170 and tests) accordingly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/utils/utils.go` around lines 50 - 86, Update GetCredentialsJSON
and getSecret to accept a context.Context parameter and use that ctx instead of
context.Background()/context.TODO(); specifically, change GetCredentialsJSON(ctx
context.Context, kubeClient client.Client, namespacesedName
types.NamespacedName) to pass ctx into getSecret and into
google.CredentialsFromJSON(ctx, sa, ...), and change getSecret(ctx
context.Context, kubeClient client.Client, namespacesedName
types.NamespacedName) to call kubeClient.Get(ctx, namespacesedName, secret)
(instead of context.TODO()); then update all call sites (notably
pkg/clients/gcp/dns.go:170 and related tests) to supply the context argument so
cancellation/timeouts propagate.

pkg/localmetrics/crt_sh.go (1)

19-48: ⚡ Quick win

Consider accepting context.Context as a parameter instead of using context.Background().

The function makes a network call to crt.sh that could block indefinitely if the service is slow or unresponsive. Using context.Background() means there is no way to cancel this query (e.g., on shutdown).

However, note that GetCountOfCertsIssued is called only from UpdateCertsIssuedInLastDayGauge() and UpdateCertsIssuedInLastWeekGauge(), which are invoked from UpdateMetrics() as a background ticker loop in main.go. Implementing this change would require threading context through the entire chain: main() → UpdateMetrics() → UpdateCertsIssuedInLastDayGauge/Week() → GetCountOfCertsIssued(), which requires broader architectural changes since the current ticker-based loop has no natural context lifecycle.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/localmetrics/crt_sh.go` around lines 19 - 48, Change
GetCountOfCertsIssued to accept a context.Context parameter (e.g., func
GetCountOfCertsIssued(ctx context.Context, domain string, durationDays int) int)
and use that ctx in db.QueryRowContext instead of context.Background(); update
callers UpdateCertsIssuedInLastDayGauge and UpdateCertsIssuedInLastWeekGauge to
pass a context through, then propagate that context from UpdateMetrics and from
main’s ticker loop so the background ticker can be cancelled on shutdown; ensure
the db opening/closing and error paths remain the same and that you pass the
same ctx into any other DB calls used in this flow.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@main.go`:
- Around line 143-146: The leader-election branch currently treats
k8sutil.ErrRunLocal and k8sutil.ErrNoNamespace the same; change the conditional
so that only errors.Is(err, k8sutil.ErrRunLocal) results in skipping leader
election (keep setupLog.Info("Skipping leader election; not running in a
cluster.") there), and handle errors.Is(err, k8sutil.ErrNoNamespace) as a
configuration/runtime error instead (e.g., log an error via setupLog.Error and
exit/return so the operator fails fast). Update the surrounding leader-election
logic where errors.Is(err, k8sutil.ErrRunLocal) and k8sutil.ErrNoNamespace are
checked to reflect this separation.

---

Outside diff comments:
In `@controllers/certificaterequest/issue_certificate_test.go`:
- Around line 282-299: Test never enables the FedRAMP branch because the
package-level flags fedramp and fedrampHostedZoneID (which
FindZoneIDForChallenge reads) are not set in the test; set fedramp = true and
fedrampHostedZoneID = mockClient.FedrampHostedZoneID (or the expected test
value) before calling reconciler.FindZoneIDForChallenge in the FedRAMP case, run
the assertion comparing zoneID to the expectedFedrampHostedZoneID, and then
restore the original package-level values (or reset fedramp = false) after the
subtest to avoid impacting other tests; refer to FindZoneIDForChallenge,
fedramp, fedrampHostedZoneID, and mockClient.FedrampHostedZoneID to locate the
relevant code to change.
- Around line 112-131: The test calls IssueCertificate and assigns its result to
testErr but later assertions still reference err; change those to use testErr:
replace the unexpected-error check "if err != nil && !test.ExpectError" with "if
testErr != nil && !test.ExpectError", and in the error-path assertion use
testErr.Error() (or check testErr non-nil before calling Error()) instead of
err.Error(); keep the local "err" used for metric Write as-is but ensure you
don't mix it with testErr.

In `@pkg/localmetrics/crt_sh.go`:
- Around line 21-31: The code calls sql.Open in pkg/localmetrics/crt_sh.go and
defers db.Close() even when sql.Open returned an error, risking a nil-pointer
panic; modify the error handling in the block that calls sql.Open (the db, err
:= sql.Open(...) section) to return early (or otherwise abort the function) when
err != nil instead of just logging, or only install the defer db.Close() after
confirming db != nil (i.e., move the defer below the nil-check), so that Close
is never called on a nil db.

In `@pkg/localmetrics/localmetrics.go`:
- Around line 118-135: In CheckInitCounter, do not mark areCountInitialized true
or set MetricCertRequestsCount when the initial c.List(ctx, &certRequestList,
...) returns an error; instead return early after logging the error so transient
list failures (due to reconcile-scoped ctx cancellation/timeouts) do not
permanently seal the gauge at 0. Locate the c.List call and its error handling
in CheckInitCounter, ensure you exit the function on error (leaving
areCountInitialized false) and only proceed to iterate certRequestList.Items,
call MetricCertRequestsCount.Set(counter), and set areCountInitialized = true
when the list succeeds.

---

Nitpick comments:
In `@controllers/certificaterequest/cloudflare.go`:
- Around line 61-92: The loop in cloudflare.go currently uses
time.Sleep(sleepDuration) which ignores ctx; replace the direct sleep with a
ctx-aware wait (use a timer or time.After combined with select on ctx.Done()) so
the reconcile exits immediately if ctx is cancelled. Specifically, in the for
loop around TryFetchResourceRecordUsingPublicDNS, swap the
time.Sleep(time.Duration(sleepDuration)*time.Second) with a select that either
waits the duration or returns/propagates when <-ctx.Done() fires (log the
cancellation via reqLogger and return false or ctx.Err() as appropriate) while
keeping the existing variables sleepDuration, attempt, fqdn and txtValue intact.

In `@controllers/certificaterequest/update_status.go`:
- Around line 72-105: The acmeError function currently returns a zero-value
CertificateRequestCondition to signal "no new condition", which is fragile;
change acmeError to return a pointer and a bool (or just a pointer) — e.g., func
acmeError(reqLogger logr.Logger, cr *certmanv1alpha1.CertificateRequest, err
error) (*certmanv1alpha1.CertificateRequestCondition, bool) — and return (nil,
false) when an existing "acme error" condition is found and ( &newCondition,
true) when constructing a new one; then update the caller in updateStatusError
to use the new signature and append only when ok is true (or when the returned
pointer is non-nil) instead of checking newCondition.Status != "" so the intent
is explicit and not tied to zero-valued fields.

In `@controllers/utils/utils.go`:
- Around line 50-86: Update GetCredentialsJSON and getSecret to accept a
context.Context parameter and use that ctx instead of
context.Background()/context.TODO(); specifically, change GetCredentialsJSON(ctx
context.Context, kubeClient client.Client, namespacesedName
types.NamespacedName) to pass ctx into getSecret and into
google.CredentialsFromJSON(ctx, sa, ...), and change getSecret(ctx
context.Context, kubeClient client.Client, namespacesedName
types.NamespacedName) to call kubeClient.Get(ctx, namespacesedName, secret)
(instead of context.TODO()); then update all call sites (notably
pkg/clients/gcp/dns.go:170 and related tests) to supply the context argument so
cancellation/timeouts propagate.

In `@pkg/clients/aws/route53.go`:
- Around line 248-249: Add a short rationale comment next to the existing
//nolint:gocyclo on the DeleteAcmeChallengeResourceRecords function (and the
other occurrence around lines 354-355) explaining why cyclomatic complexity is
being suppressed and include an action item or issue ID for future refactor;
locate the //nolint:gocyclo on the awsClient methods (e.g.,
DeleteAcmeChallengeResourceRecords) and append a brief note like
“//nolint:gocyclo: complex AWS Route53 logic; refactor tracked in ISSUE-1234” so
maintainers know the reason and have a follow-up to address later.

In `@pkg/localmetrics/crt_sh.go`:
- Around line 19-48: Change GetCountOfCertsIssued to accept a context.Context
parameter (e.g., func GetCountOfCertsIssued(ctx context.Context, domain string,
durationDays int) int) and use that ctx in db.QueryRowContext instead of
context.Background(); update callers UpdateCertsIssuedInLastDayGauge and
UpdateCertsIssuedInLastWeekGauge to pass a context through, then propagate that
context from UpdateMetrics and from main’s ticker loop so the background ticker
can be cancelled on shutdown; ensure the db opening/closing and error paths
remain the same and that you pass the same ctx into any other DB calls used in
this flow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b36b7144-6e70-4a40-a8ef-15fd55095325

📥 Commits

Reviewing files that changed from the base of the PR and between 7475c83 and 1f7f9fc.

📒 Files selected for processing (24)

• controllers/certificaterequest/certificaterequest_controller.go
• controllers/certificaterequest/cloudflare.go
• controllers/certificaterequest/issue_certificate.go
• controllers/certificaterequest/issue_certificate_test.go
• controllers/certificaterequest/revoke_certificate.go
• controllers/certificaterequest/update_status.go
• controllers/certificaterequest/update_status_test.go
• controllers/clusterdeployment/clusterdeployment_controller.go
• controllers/clusterdeployment/clusterdeployment_controller_test.go
• controllers/clusterdeployment/clusterdeployment_delete.go
• controllers/utils/utils.go
• controllers/utils/utils_test.go
• fips.go
• main.go
• pkg/clients/aws/route53.go
• pkg/clients/azure/dns_test.go
• pkg/clients/gcp/dns.go
• pkg/leclient/lets_encrypt.go
• pkg/leclient/lets_encrypt_test.go
• pkg/leclient/utils.go
• pkg/localmetrics/crt_sh.go
• pkg/localmetrics/localmetrics.go
• pkg/localmetrics/localmetrics_test.go
• test/e2e/utils/utils.go

✅ Files skipped from review due to trivial changes (1)

• pkg/clients/azure/dns_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• controllers/certificaterequest/update_status_test.go
• controllers/certificaterequest/revoke_certificate.go
• test/e2e/utils/utils.go

[devppratik]

/test validate
/test lint

[openshift-ci]

@devppratik: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/lint	d70d9ea	link	true	/test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.