ROSAENG-8224: refactor(ho): improve --hcp-egress-block-cidrs validation #8763

Open
Ajpantuso wants to merge 1 commit into openshift:main from Ajpantuso:apantuso/rosaeng-8224_pt2

@Ajpantuso Ajpantuso commented Jun 17, 2026

What this PR does / why we need it:

Improves validation of the --hcp-egress-block-cidrs flag introduced in #8689:

  • Moves CIDR validation from the cmd.Run closure (which called os.Exit) into
    validateStartOptions, where it returns errors consistently with other startup checks.
  • Rejects IPv6 CIDRs, since the values are used exclusively in IPv4 NetworkPolicy
    IPBlock.Except rules.
  • Logs configured CIDRs at startup for operational visibility.
  • Applies the same IPv6 rejection to the install command's validateHCPEgressBlockCIDRs.
  • Updates flag help text in both entry points to document the IPv4 constraint.

Which issue(s) this PR fixes:

Fixes ROSAENG-8224

Special notes for your reviewer:

Follow-up to #8689. The validation logic is functionally equivalent for valid IPv4 inputs —
this PR moves it to a better location, adds the IPv6 guard, and adds test coverage that
did not previously exist for validateStartOptions.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • Bug Fixes
    • Improved validation for --hcp-egress-block-cidrs by rejecting any non-IPv4 CIDR entries and returning clearer errors for invalid or IPv6 CIDRs.
    • Updated the operator flow so CIDR validation happens during startup options validation; emits an informational message when CIDRs are configured.
  • Tests
    • Added table-driven unit tests for --hcp-egress-block-cidrs validation, including empty input, valid IPv4 CIDRs, invalid CIDR strings, and IPv6 (including mixed) cases.

@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 17, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 17, 2026

@Ajpantuso: This pull request references ROSAENG-8224 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2026
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 45e7f8fc-e894-4869-9391-d80f82b62057

📥 Commits

Reviewing files that changed from the base of the PR and between ba66b85 and 72d94c6.

📒 Files selected for processing (4)
  • cmd/install/install.go
  • cmd/install/install_test.go
  • hypershift-operator/main.go
  • hypershift-operator/main_validate_test.go
🚧 Files skipped from review as they are similar to previous changes (4)
  • cmd/install/install_test.go
  • cmd/install/install.go
  • hypershift-operator/main.go
  • hypershift-operator/main_validate_test.go

📝 Walkthrough

validateHCPEgressBlockCIDRs in cmd/install/install.go and the CIDR validation in validateStartOptions in hypershift-operator/main.go are both extended to reject IPv6 CIDRs: after parsing each value with net.ParseCIDR, the code checks whether the resulting IP has an IPv4 form and returns an explicit error if not. The prior ad-hoc validation loop in main.go's run path is removed and replaced by this structured check inside validateStartOptions, which also emits an info log when CIDRs are configured. Table-driven unit tests are added to both packages covering empty, valid IPv4, invalid string, and IPv6 inputs.

Possibly related PRs

  • openshift/hypershift#8689: Adds the end-to-end --hcp-egress-block-cidrs flag wiring and its use in network policy reconciliation, which this PR builds on by tightening the validation to reject IPv6 CIDRs.

Suggested reviewers

  • clebs
  • bryan-cox
🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Test Structure And Quality | ⚠️ Warning | Tests are standard Go tests, not Ginkgo, but have critical quality issues: assertions lack failure messages (e.g., g.Expect(errs).NotTo(BeEmpty()) should include context), violating requirement #4. | Add meaningful failure messages to all Expect assertions (e.g., g.Expect(errs).NotTo(BeEmpty(), "expected validation errors for %s", tc.name)).

✅ Passed checks (10 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly describes the main change: refactoring and improving validation of the --hcp-egress-block-cidrs flag across multiple files.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | Tests in PR use standard Go table-driven testing with t.Run(), not Ginkgo. All test names are stable descriptive strings without dynamic content like timestamps, UUIDs, or generated identifiers.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR only changes CLI flag validation logic for HCP egress block CIDRs. No deployment manifests, pod specs, or scheduling constraints are added or modified.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds only standard Go unit tests (TestValidateHCPEgressBlockCIDRs, TestValidateStartOptions), not Ginkgo e2e tests. Check applies only to Ginkgo e2e tests.
No-Weak-Crypto | ✅ Passed | PR contains no weak cryptography patterns. Changes are limited to CIDR validation using standard library net.ParseCIDR and IP.To4() functions for network policy configuration.
Container-Privileges | ✅ Passed | The PR only modifies Go source and test files (cmd/install/install.go, cmd/install/install_test.go, hypershift-operator/main.go, hypershift-operator/main_validate_test.go). No Kubernetes manifests,...
No-Sensitive-Data-In-Logs | ✅ Passed | The PR logs CIDR blocks (network ranges like 10.0.0.0/16) used in NetworkPolicy rules, which are non-sensitive configuration data. No passwords, tokens, API keys, PII, session IDs, internal hostnam...

Comment @coderabbitai help to get the list of available commands and usage tips.
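
The check the walkthrough above describes (parse each value with net.ParseCIDR, then require an IPv4 form), as an added Go example; it is not the PR's code, and validateIPv4CIDRs and the sample inputs are assumptions. It goes one step beyond the walkthrough by also checking the mask length, because an IPv4-mapped IPv6 prefix such as ::ffff:10.0.0.0/104 still has a non-nil To4().

```go
package main

import (
	"fmt"
	"net"
)

// validateIPv4CIDRs is a hypothetical helper, not the PR's function. It
// returns one error for every entry that is not a well-formed IPv4 CIDR.
func validateIPv4CIDRs(cidrs []string) []error {
	var errs []error
	for _, c := range cidrs {
		ip, ipNet, err := net.ParseCIDR(c)
		if err != nil {
			errs = append(errs, fmt.Errorf("invalid CIDR %q: %w", c, err))
			continue
		}
		// To4 returns nil for native IPv6 addresses such as fd00::/8.
		if ip.To4() == nil {
			errs = append(errs, fmt.Errorf("CIDR %q is IPv6, only IPv4 is supported", c))
			continue
		}
		// An IPv4-mapped IPv6 prefix (::ffff:a.b.c.d/n) also has a non-nil To4,
		// but its mask is 16 bytes long; a dotted IPv4 prefix has a 4-byte mask.
		if len(ipNet.Mask) != net.IPv4len {
			errs = append(errs, fmt.Errorf("CIDR %q is IPv4-mapped IPv6, use dotted IPv4 form", c))
		}
	}
	return errs
}

// Constructed sample inputs: the cases the PR's tests are described as
// covering, plus the IPv4-mapped form.
var samples = []struct {
	name  string
	cidrs []string
}{
	{"empty", nil},
	{"valid IPv4", []string{"10.0.0.0/16", "192.168.0.0/24"}},
	{"invalid string", []string{"not-a-cidr"}},
	{"IPv6", []string{"fd00::/8"}},
	{"mixed", []string{"10.0.0.0/16", "fd00::/8"}},
	{"IPv4-mapped IPv6", []string{"::ffff:10.0.0.0/104"}},
}

func main() {
	for _, s := range samples {
		errs := validateIPv4CIDRs(s.cidrs)
		fmt.Printf("%-18s -> %d error(s) %v\n", s.name, len(errs), errs)
	}
}
```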

Move CIDR validation from the cmd.Run closure (which used os.Exit) into
validateStartOptions, where it returns errors consistently with other
startup checks. Add IPv6 rejection since the CIDRs are used in IPv4-only
NetworkPolicy IPBlock.Except rules, and log configured CIDRs at startup.

Apply the same IPv6 rejection to the install command's
validateHCPEgressBlockCIDRs. Update flag help text in both entry points
to document the IPv4 constraint.

Add unit tests for validateStartOptions (new file) and
validateHCPEgressBlockCIDRs (appended to existing install_test.go).

Jira: ROSAENG-8224
Signed-off-by: Andrew Pantuso <[email protected]>
Commit-Message-Assisted-by: Claude (via Claude Code)
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Ajpantuso
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Ajpantuso Ajpantuso force-pushed the apantuso/rosaeng-8224_pt2 branch from ba66b85 to 72d94c6 Compare June 17, 2026 17:39
@openshift-ci openshift-ci Bot added area/cli Indicates the PR includes changes for CLI area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels Jun 17, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hypershift-operator/main.go`:
- Around line 366-368: The log statement in the HCP egress block CIDRs check is
logging the full list of `opts.HCPEgressBlockCIDRs`, which exposes sensitive
customer network ranges in centralized logs. Instead of logging the actual CIDR
values, modify the log statement to only log the count of configured CIDRs
(using len(opts.HCPEgressBlockCIDRs)) to maintain visibility into the
configuration while protecting sensitive network information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: cc17f3a9-1fb9-447d-80f4-679b4945903c

📥 Commits

Reviewing files that changed from the base of the PR and between fabde37 and ba66b85.

📒 Files selected for processing (4)
  • cmd/install/install.go
  • cmd/install/install_test.go
  • hypershift-operator/main.go
  • hypershift-operator/main_validate_test.go

Comment on lines +366 to +368
if len(opts.HCPEgressBlockCIDRs) > 0 {
	log.Info("Static HCP egress block CIDRs configured", "cidrs", opts.HCPEgressBlockCIDRs)
}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Avoid logging raw HCP egress CIDR values.

Line 367 logs the full HCPEgressBlockCIDRs list, which can leak internal/customer network ranges into centralized logs. Prefer logging only count (or redacted values).

Suggested change
 	if len(opts.HCPEgressBlockCIDRs) > 0 {
-		log.Info("Static HCP egress block CIDRs configured", "cidrs", opts.HCPEgressBlockCIDRs)
+		log.Info("Static HCP egress block CIDRs configured", "count", len(opts.HCPEgressBlockCIDRs))
 	}
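
Review bot: On the `+` line, logging only `len(opts.HCPEgressBlockCIDRs)` under the key `count` drops the values an operator would need to confirm which ranges are in effect, which is the visibility the PR description gives as the reason for this log line. If the ranges are treated as sensitive, keep the count at info level and add a comment above the `if` explaining why the values are omitted, or log the values only at a higher verbosity level.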

As per coding guidelines, "Flag logging that may expose passwords, tokens, API keys, PII (email, SSN, credit card), session IDs, internal hostnames, or customer data".

Source: Coding guidelines

@codecov

codecov Bot commented Jun 17, 2026

Codecov Report

❌ Patch coverage is 94.44444% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 41.82%. Comparing base (fabde37) to head (72d94c6).

Files with missing lines | Patch % | Lines
hypershift-operator/main.go | 91.66% | 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8763      +/-   ##
==========================================
+ Coverage   41.80%   41.82%   +0.02%     
==========================================
  Files         759      759              
  Lines       94067    94077      +10     
==========================================
+ Hits        39323    39348      +25     
+ Misses      51993    51977      -16     
- Partials     2751     2752       +1     

Files with missing lines | Coverage Δ
cmd/install/install.go | 63.48% <100.00%> (+0.44%) ⬆️
hypershift-operator/main.go | 2.18% <91.66%> (+2.18%) ⬆️

Flag | Coverage Δ
cmd-support | 35.15% <100.00%> (+0.02%) ⬆️
cpo-hostedcontrolplane | 44.10% <ø> (ø)
cpo-other | 43.45% <ø> (ø)
hypershift-operator | 51.93% <91.66%> (+0.05%) ⬆️
other | 31.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

@Ajpantuso Ajpantuso marked this pull request as ready for review June 17, 2026 18:05
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2026
@openshift-ci openshift-ci Bot requested review from clebs and sdminonne June 17, 2026 18:05
@openshift-ci

openshift-ci Bot commented Jun 17, 2026

@Ajpantuso: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

area/cli Indicates the PR includes changes for CLI area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
