OCPBUGS-85367: controllercmd,certsyncpod: add UserAgentSuffix to distinguish clients

[tchap]

Add WithUserAgentSuffix to ControllerBuilder and expose UserAgentSuffix on ControllerCommandConfig so that static pod sidecar controllers using localhost can be identified by the kube-apiserver's pre-readiness request filter.

The cert-syncer, which does not use controllercmd, sets its suffix directly in Complete().

---

Note that this does not generate super pretty UserAgent strings. When you run the test, you get something like

___TestWithUserAgentSuffix_in_github_com_openshift_library_go_pkg_controller_controllercmd.test/v0.0.0 (linux/amd64) kubernetes/$Format/cert-recovery

So to check for a particular component, you need to do `HasPrefix("cluster-kube-controller-manager-operator") && HasSuffix(/cert-syncer), for example.

Summary by CodeRabbit

Release Notes

• New Features

  • Controllers now support a configurable REST client User-Agent suffix, which is appended to outgoing requests for clearer identification.

• Tests

  • Added coverage to verify the User-Agent suffix behavior, including the “empty suffix” and “appended suffix” cases.

• Documentation / Chores

  • Reorganized import ordering where applicable.

[openshift-ci-robot]

@tchap: This pull request references Jira Issue OCPBUGS-85367, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Add WithUserAgentSuffix to ControllerBuilder and expose UserAgentSuffix on ControllerCommandConfig so that static pod sidecar controllers using localhost can be identified by the kube-apiserver's pre-readiness request filter.

The cert-syncer, which does not use controllercmd, sets its suffix directly in Complete().

---

Note that this does not generate super pretty UserAgent strings. When you run the test, you get something like

___TestWithUserAgentSuffix_in_github_com_openshift_library_go_pkg_controller_controllercmd.test/v0.0.0 (linux/amd64) kubernetes/$Format/cert-recovery

So to check for a particular component, you need to do `HasPrefix("cluster-kube-controller-manager-operator") && HasSuffix(/cert-syncer), for example.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 64ee8753-ca51-46d6-920e-c4073ba15aa5

📥 Commits

Reviewing files that changed from the base of the PR and between f02ede1 and 22dee73.

📒 Files selected for processing (4)

• pkg/controller/controllercmd/builder.go
• pkg/controller/controllercmd/builder_test.go
• pkg/controller/controllercmd/cmd.go
• pkg/operator/staticpod/certsyncpod/certsync_cmd.go

✅ Files skipped from review due to trivial changes (1)

• pkg/operator/staticpod/certsyncpod/certsync_cmd.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/controller/controllercmd/builder_test.go
• pkg/controller/controllercmd/cmd.go

---

Walkthrough

This PR extends the ControllerBuilder pattern to support customizable REST client User-Agent suffixes. A new builder method and configuration field enable controllers to append custom identifiers to their default User-Agent headers. The mechanism is tested and applied in both a generic configuration layer and a specific cert-sync component.

Changes

User-Agent customization support

Layer / File(s)	Summary
Builder User-Agent mechanism pkg/controller/controllercmd/builder.go	ControllerBuilder struct adds userAgentSuffix field, WithUserAgentSuffix() builder method, and conditional application in Run() via rest.AddUserAgent() when suffix is non-empty. Imports reorganized for standard-library grouping.
Builder mechanism tests pkg/controller/controllercmd/builder_test.go	TestWithUserAgentSuffix validates empty and non-empty suffix behavior by constructing a controller with user-agent configuration and asserting the resulting rest.Config.UserAgent value. Imports reorganized.
Configuration and wiring pkg/controller/controllercmd/cmd.go	ControllerCommandConfig struct adds exported UserAgentSuffix field; StartController() wiring passes the configured suffix to builder via WithUserAgentSuffix() method call.
Cert-sync component integration pkg/operator/staticpod/certsyncpod/certsync_cmd.go	CertSyncControllerOptions.Complete() directly calls rest.AddUserAgent(kubeConfig, "cert-syncer") to apply a fixed user-agent suffix to the kubeconfig-derived REST client. Imports reorganized.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding UserAgentSuffix capability to controllercmd and certsyncpod to distinguish clients.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names are stable and deterministic. The new TestWithUserAgentSuffix test uses hardcoded static strings ("suffix is appended to default user agent", "no suffix leaves user agent empty for d...
Test Structure And Quality	✅ Passed	PR adds standard Go tests, not Ginkgo tests. The custom check applies only to Ginkgo test code, which is not present in this PR or repository.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. The new TestWithUserAgentSuffix is a standard Go unit test using testing.T, not a Ginkgo e2e test, so the MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are present in this PR. Only standard Go unit tests were added (TestWithUserAgentSuffix), which do not apply to the SNO compatibility check.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only client-side REST config (User-Agent headers). No deployment manifests, pod affinity/anti-affinity, topology constraints, or scheduling logic are introduced.
Ote Binary Stdout Contract	✅ Passed	No stdout writes found in process-level code. Changes only add struct fields, methods with simple assignments, and rest.AddUserAgent() calls within instance methods (Run, Complete) not in main/init...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only standard Go unit tests (TestWithUserAgentSuffix), not Ginkgo e2e tests. Check applies only to Ginkgo e2e tests, so it is not applicable.
No-Weak-Crypto	✅ Passed	PR adds UserAgent suffix functionality only; contains no weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom crypto, or non-constant-time secret comparisons.
Container-Privileges	✅ Passed	No container/K8s manifests with privileged settings, host access, capabilities, or root execution found. PR modifies only Go source files implementing User-Agent suffix functionality.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, keys, PII, etc.) is logged in this PR. UserAgentSuffix values are only used in HTTP headers and are component identifiers like "cert-syncer", which are not sen...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tchap
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tchap]

/jira refresh

[openshift-ci-robot]

@tchap: This pull request references Jira Issue OCPBUGS-85367, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/controller/controllercmd/builder_test.go (1)

271-293: ⚡ Quick win

Test duplicates Run()'s logic rather than exercising it.

Lines 277-279 re-implement the exact conditional from Run (if len(...) > 0 { rest.AddUserAgent(...) }). The test therefore validates that WithUserAgentSuffix stores the field and that rest.AddUserAgent behaves as expected, but it does not cover the production code path in Run. If the suffix application were removed from Run, this test would still pass.

Consider asserting against the field directly (and/or covering Run's application path), so the test fails if Run stops applying the suffix.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/controllercmd/builder_test.go` around lines 271 - 293, The
test is duplicating Run's behavior instead of exercising it; update the test in
builder_test.go to assert the controller's userAgentSuffix field directly
(access b.userAgentSuffix) to verify WithUserAgentSuffix stored the value, and
add a subtest that calls the controller's Run method (or the function that
applies the suffix to a rest.Config) to verify Run actually applies the suffix
to cfg.UserAgent rather than reimplementing the if len(...) > 0 {
rest.AddUserAgent(...) } conditional; reference NewController,
WithUserAgentSuffix, Run and the userAgentSuffix field when locating the code to
change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/controllercmd/builder.go`:
- Around line 111-113: The field comment for userAgentSuffix incorrectly
references a non-existent method name; update the doc comment so it points to
the actual builder method WithUserAgentSuffix (or remove the reference). Locate
the userAgentSuffix field and change the text "Set via WithUserAgent." to "Set
via WithUserAgentSuffix." (or equivalent accurate wording) so the comment
matches the real API (userAgentSuffix and WithUserAgentSuffix).

---

Nitpick comments:
In `@pkg/controller/controllercmd/builder_test.go`:
- Around line 271-293: The test is duplicating Run's behavior instead of
exercising it; update the test in builder_test.go to assert the controller's
userAgentSuffix field directly (access b.userAgentSuffix) to verify
WithUserAgentSuffix stored the value, and add a subtest that calls the
controller's Run method (or the function that applies the suffix to a
rest.Config) to verify Run actually applies the suffix to cfg.UserAgent rather
than reimplementing the if len(...) > 0 { rest.AddUserAgent(...) } conditional;
reference NewController, WithUserAgentSuffix, Run and the userAgentSuffix field
when locating the code to change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f2134fc8-d6b1-418e-af95-1a33cb87c60e

📥 Commits

Reviewing files that changed from the base of the PR and between 60d533b and f02ede1.

📒 Files selected for processing (4)

• pkg/controller/controllercmd/builder.go
• pkg/controller/controllercmd/builder_test.go
• pkg/controller/controllercmd/cmd.go
• pkg/operator/staticpod/certsyncpod/certsync_cmd.go

[p0lyn0mial]

Overall the approach seems reasonable. It would help me if you could provide a list of the components you'd like to change, or even just one component you'd like to modify.

[tchap]

Overall the approach seems reasonable. It would help me if you could provide a list of the components you'd like to change, or even just one component you'd like to modify.

There is already a testing PR for KCM-O: openshift/cluster-kube-controller-manager-operator#940 . The Jira issue mentions KAS-O, KCM-O and the scheduler operator, but I haven't checked other components. All these three need a very similar PR as this testing one for KCM-O. Then we need to align the skip list in the API server. And by skip list I mean to extend the logic as in openshift/kubernetes#376

[openshift-ci]

@tchap: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.