WIP: OCPBUGS-80958: Kube apiserver node replace

[bhperry]

When master node is deleted and recreated with the same name, ensure the node status is reset by comparing UID.

Summary by CodeRabbit

• New Features

  • Enhanced node status tracking: Node entries now record and respect unique node identifiers, improving detection of replaced or removed nodes and reducing accidental removals.

• Tests

  • Added test coverage to verify deterministic UID assignment and correct behavior when node UIDs change or nodes are removed.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@bhperry: This pull request references Jira Issue OCPBUGS-80958, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

When master node is deleted and recreated with the same name, ensure the node status is reset by comparing UID.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Warning

Rate limit exceeded

@bhperry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 52 minutes and 25 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7690297c-f5e4-4b7c-8cba-3bc08cd46f4e

📥 Commits

Reviewing files that changed from the base of the PR and between 9f5d47f and 849d9a8.

⛔ Files ignored due to path filters (13)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/nodestatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (4)

• go.mod
• pkg/operator/staticpod/controller/node/node_controller.go
• pkg/operator/staticpod/controller/node/node_controller_test.go
• pkg/operator/v1helpers/test_helpers.go

Walkthrough

Adds Node UID tracking to the static pod operator: reconciliation now compares NodeName and NodeUID when pruning/updating NodeStatuses, records NodeUID in apply configurations and events, and test fixtures/helpers are updated. Also adds two replace directives in go.mod pointing to bhperry pseudo-versions.

Changes

Cohort / File(s)	Summary
Module Dependencies go.mod	Adds two replace directives redirecting github.com/openshift/api and github.com/openshift/client-go to github.com/bhperry/* pseudo-version commits.
Node Controller Logic pkg/operator/staticpod/controller/node/node_controller.go	Makes NodeStatuses reconciliation UID-aware: builds nodeName→UID lookup, retains entries only when stored UID matches (or is empty), emits MasterNodeReplaced when same name has different UID, updates duplicate detection to require UID match, and writes WithNodeUID into apply configs and events.
Tests & Helpers pkg/operator/staticpod/controller/node/node_controller_test.go, pkg/operator/v1helpers/test_helpers.go	Tests: assign deterministic Node.UIDs and add TestNodeControllerTrackNodeUIDs to validate UID-aware behavior. Helper: merge function now copies NodeUID from apply configuration into resulting StaticPodOperatorStatus.NodeStatuses.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 warning, 3 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Stable And Deterministic Test Names	❓ Inconclusive	Unable to access and analyze the test file content to verify whether test names contain dynamic information or unstable identifiers despite multiple technical approaches.	Provide the actual test file content or manually verify that all test names use only static descriptive strings without node names, UIDs, timestamps, or other dynamic values.
Test Structure And Quality	❓ Inconclusive	Custom check instructions are for Ginkgo test code, but the pull request uses standard Go testing with table-driven tests and t.Run() blocks.	Check criteria should be adapted to evaluate standard Go testing patterns, or tests should be converted to Ginkgo syntax if required.
Topology-Aware Scheduling Compatibility	❓ Inconclusive	Unable to locate repository files or verify code changes due to missing shell command execution context.	Provide access to the repository directory and file contents to verify the node_controller.go modifications and test coverage.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly indicates the main change: adding UID-aware node status reconciliation to handle node replacement scenarios, directly aligning with the bug fix for OCPBUGS-80958 regarding node replacement.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Microshift Test Compatibility	✅ Passed	This pull request does not add any Ginkgo e2e tests. The new tests added in node_controller_test.go are unit tests using Go's standard testing package with table-driven test patterns, not Ginkgo-based e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR does not add any Ginkgo e2e tests. The new test is a standard Go unit test using the testing package with no Ginkgo imports or patterns.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes found; all changes confined to business logic, helpers, and test cases.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The PR does not add any new Ginkgo e2e tests; it only adds a standard Go unit test in node_controller_test.go.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 52 minutes and 25 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bhperry
Once this PR has been reviewed and has the lgtm label, please assign bertinatto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

pkg/operator/staticpod/controller/node/node_controller_test.go (3)

740-740: Remove unused expectedNodes field.

expectedNodes [][2]string is declared in the table struct but never populated or read by any of the four scenarios. Drop it to avoid confusion about what the test actually asserts.

♻️ Proposed change

 	tests := []struct {
 		name               string
 		startNodes         []runtime.Object
 		startNodeStatus    []operatorv1.NodeStatus
-		expectedNodes      [][2]string
 		evaluateNodeStatus func([]operatorv1.NodeStatus) error
 	}{

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/staticpod/controller/node/node_controller_test.go` at line 740,
The test table struct contains an unused field expectedNodes [][2]string; remove
this field from the table type declaration in node_controller_test.go and from
any table literal entries so the scenarios only include fields actually used by
the tests (ensure you update the table struct definition that declares
expectedNodes and all test case literals that reference it, e.g., in the
testCases slice for the Node controller tests).

---

786-807: Consider asserting the replacement event and JSONPatch, not just the final NodeStatuses.

The "node replaced mismatched uid in status" scenario is the most important new behavior this PR introduces, but the test only checks the final NodeStatuses. Nothing verifies that:

1. The controller emits MasterNodeReplaced (with old+new UIDs) via the recorder — see node_controller.go line 106.
2. A jsonPatch is created to remove the stale entry at the expected index before the apply — see node_controller.go line 117.

Both are observable via kubeClient.Fake.Actions() (event create) and fakeStaticPodOperatorClient.GetPatchedOperatorStatus(), as already done in TestNodeControllerDegradedConditionType scenarios 5 and 12. Adding these assertions would lock in the behavior the PR description calls out ("ensure the node status is reset by comparing the node UID"). Non-blocking.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/staticpod/controller/node/node_controller_test.go` around lines
786 - 807, The test currently only verifies final NodeStatuses; update the "node
replaced mismatched uid in status" case to also assert that the controller
emitted a MasterNodeReplaced event and that a JSONPatch removing the stale
status entry was created: after running the controller, inspect
kubeClient.Fake.Actions() for an event create matching MasterNodeReplaced
(including old and new UIDs) and call
fakeStaticPodOperatorClient.GetPatchedOperatorStatus() to retrieve the patch and
assert it contains the expected JSONPatch operation that removes the stale index
(as produced by the jsonPatch logic in node_controller.go). Ensure you reference
the test case by name and check the exact event reason/message and the remove op
in the patch, failing the test if either is missing.

---

808-829: Scenario name is misleading.

The "node removed" scenario actually exercises the case where the previously tracked node name is gone and a different node has appeared (test-node-1 → test-node-2), i.e. a combined remove-and-add, not a pure removal. Consider renaming to something like "node removed and replaced by different name" to match the existing "single-node-removed" case in TestNewNodeController which tests the pure-removal behavior. Optional.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/staticpod/controller/node/node_controller_test.go` around lines
808 - 829, The test case in the table uses a misleading name "node removed" but
actually exercises a remove-and-add scenario (previous NodeStatus test-node-1
replaced by startNodes test-node-2); update the test case's name field in
node_controller_test.go to something clearer (for example "node removed and
replaced by different name") so it accurately reflects the scenario and aligns
with the existing "single-node-removed" naming in TestNewNodeController; locate
the table entry by its name field in the test case slice and change only that
string (no behavior changes).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 5-7: The go.mod contains forked-replace directives (replace
github.com/openshift/api => github.com/bhperry/openshift-api
v0.0.0-20260422220337-85d77b44a5a5 and replace github.com/openshift/client-go =>
github.com/bhperry/openshift-client-go v0.0.0-20260424144941-de7d2d9bafad) that
must be removed from the shared module manifest; delete these two replace lines
and either move the local overrides into a developer-only go.work (or similar
local config) or update the require lines to point to the approved upstream
module revisions before committing. Ensure no other project-wide go.mod contains
the same forked replace entries and run go mod tidy to verify dependency graph
is clean.

---

Nitpick comments:
In `@pkg/operator/staticpod/controller/node/node_controller_test.go`:
- Line 740: The test table struct contains an unused field expectedNodes
[][2]string; remove this field from the table type declaration in
node_controller_test.go and from any table literal entries so the scenarios only
include fields actually used by the tests (ensure you update the table struct
definition that declares expectedNodes and all test case literals that reference
it, e.g., in the testCases slice for the Node controller tests).
- Around line 786-807: The test currently only verifies final NodeStatuses;
update the "node replaced mismatched uid in status" case to also assert that the
controller emitted a MasterNodeReplaced event and that a JSONPatch removing the
stale status entry was created: after running the controller, inspect
kubeClient.Fake.Actions() for an event create matching MasterNodeReplaced
(including old and new UIDs) and call
fakeStaticPodOperatorClient.GetPatchedOperatorStatus() to retrieve the patch and
assert it contains the expected JSONPatch operation that removes the stale index
(as produced by the jsonPatch logic in node_controller.go). Ensure you reference
the test case by name and check the exact event reason/message and the remove op
in the patch, failing the test if either is missing.
- Around line 808-829: The test case in the table uses a misleading name "node
removed" but actually exercises a remove-and-add scenario (previous NodeStatus
test-node-1 replaced by startNodes test-node-2); update the test case's name
field in node_controller_test.go to something clearer (for example "node removed
and replaced by different name") so it accurately reflects the scenario and
aligns with the existing "single-node-removed" naming in TestNewNodeController;
locate the table entry by its name field in the test case slice and change only
that string (no behavior changes).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0131c169-b1c2-4ef4-ad19-3d6cd3ae6310

📥 Commits

Reviewing files that changed from the base of the PR and between 7acd240 and 69d77b8.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/operator/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/nodestatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (4)

• go.mod
• pkg/operator/staticpod/controller/node/node_controller.go
• pkg/operator/staticpod/controller/node/node_controller_test.go
• pkg/operator/v1helpers/test_helpers.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify fork-based replace directives and estimate impact scope (read-only).

set -euo pipefail

echo "== replace directives in go.mod =="
rg -n '^replace\s+' go.mod

echo
echo "== non-openshift target replacements (potential fork/private targets) =="
awk '
  $1=="replace" && $3=="=>" {
    src=$2; dst=$4;
    if (dst !~ /^github\.com\/openshift\//) print NR ":" $0
  }
' go.mod

echo
echo "== import usage of affected modules across repo =="
rg -n --type=go 'github.com/openshift/(api|client-go)/' -g '!**/vendor/**'

Repository: openshift/library-go

Length of output: 49882

---

Remove personal-fork replace directives from the shared module manifest.

Lines 5 and 7 redirect core dependencies to github.com/bhperry/* forks. These appear in 350+ imports across the codebase and affect critical operator, encryption, configuration, and routing functionality. Committing fork-based replacements breaks reproducibility for CI and downstream consumers if fork availability or history changes. Keep these overrides local (e.g., go.work) or switch to upstream module revisions before merge.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 5 - 7, The go.mod contains forked-replace directives
(replace github.com/openshift/api => github.com/bhperry/openshift-api
v0.0.0-20260422220337-85d77b44a5a5 and replace github.com/openshift/client-go =>
github.com/bhperry/openshift-client-go v0.0.0-20260424144941-de7d2d9bafad) that
must be removed from the shared module manifest; delete these two replace lines
and either move the local overrides into a developer-only go.work (or similar
local config) or update the require lines to point to the approved upstream
module revisions before committing. Ensure no other project-wide go.mod contains
the same forked replace entries and run go mod tidy to verify dependency graph
is clean.

[bhperry]

/jira refresh

[openshift-ci-robot]

@bhperry: This pull request references Jira Issue OCPBUGS-80958, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bhperry]

/retest

[openshift-ci]

@bhperry: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/operator/staticpod/controller/node/node_controller.go (1)

110-118: ⚠️ Potential issue | 🟠 Major

Tighten the remove patch precondition to the UID-aware match.

The JSONPatch delete still only guards on nodeName. If the status list has already been rewritten for the same name, this can delete the wrong entry. The removal path should validate the UID as well, or re-fetch before patching.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/staticpod/controller/node/node_controller.go` around lines 110 -
118, The remove operation currently only tests /status/nodeStatuses/%d/nodeName
via jsonPatch.WithRemove and jsonpatch.NewTestCondition using
nodeState.NodeName, which can remove the wrong entry if names were reused;
update the precondition to also validate the node UID (e.g., add a test for
/status/nodeStatuses/%d/uid using nodeState.UID or otherwise combine name+uid
checks) before calling jsonPatch.WithRemove (referencing jsonPatch.WithRemove,
jsonpatch.NewTestCondition, nodeState.NodeName, nodeState.UID, and
removedNodeStatusesCounter), or alternatively re-fetch the status list and
re-compute removeAtIndex immediately prior to patching to ensure the exact entry
is removed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/operator/staticpod/controller/node/node_controller.go`:
- Around line 98-103: The current condition treats an empty nodeState.NodeUID as
a match which preserves legacy statuses and can keep stale state after a node is
deleted/recreated; update the matching logic so you only consider it a match
when nodeState.NodeUID exactly equals the currentUID (i.e., remove the "||
nodeState.NodeUID == \"\"" branch) in the block building newTargetNodeState (the
code that calls
applyoperatorv1.NodeStatus().WithNodeName(...).WithNodeUID(currentUID) and
appends to newTargetNodeStates), and apply the same strict-equality change to
the analogous logic around lines 126-136 so legacy empty UIDs are not treated as
matches and will be reset instead of preserved.

---

Outside diff comments:
In `@pkg/operator/staticpod/controller/node/node_controller.go`:
- Around line 110-118: The remove operation currently only tests
/status/nodeStatuses/%d/nodeName via jsonPatch.WithRemove and
jsonpatch.NewTestCondition using nodeState.NodeName, which can remove the wrong
entry if names were reused; update the precondition to also validate the node
UID (e.g., add a test for /status/nodeStatuses/%d/uid using nodeState.UID or
otherwise combine name+uid checks) before calling jsonPatch.WithRemove
(referencing jsonPatch.WithRemove, jsonpatch.NewTestCondition,
nodeState.NodeName, nodeState.UID, and removedNodeStatusesCounter), or
alternatively re-fetch the status list and re-compute removeAtIndex immediately
prior to patching to ensure the exact entry is removed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e0840c87-5aa4-4d00-bb60-525c3ca309aa

📥 Commits

Reviewing files that changed from the base of the PR and between 69d77b8 and 9f5d47f.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/operator/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/nodestatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (4)

• go.mod
• pkg/operator/staticpod/controller/node/node_controller.go
• pkg/operator/staticpod/controller/node/node_controller_test.go
• pkg/operator/v1helpers/test_helpers.go

✅ Files skipped from review due to trivial changes (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/operator/v1helpers/test_helpers.go
• pkg/operator/staticpod/controller/node/node_controller_test.go