Skip to content

NE-2387: IngressController AWS NLB Security Group Selection#2914

Open
aswinsuryan wants to merge 2 commits into
openshift:masterfrom
aswinsuryan:NE-2387/ingress-controller-lb-security-groups-aws
Open

NE-2387: IngressController AWS NLB Security Group Selection#2914
aswinsuryan wants to merge 2 commits into
openshift:masterfrom
aswinsuryan:NE-2387/ingress-controller-lb-security-groups-aws

Conversation

@aswinsuryan

Copy link
Copy Markdown

Allows administrators to specify custom security groups for
IngressControllers using AWS Network Load Balancers. Introduce
under the IngressControllerLBSecurityGroupsAWS FeatureGate.

Adds a securityGroups field to AWSNetworkLoadBalancerParameters
with a new SecurityGroupID type validated against the AWS sg-*
format. When specified, these security groups replace the managed
security group that the Cloud Controller Manager would otherwise
create automatically.

Enhancement: openshift/enhancements#2037
Epic: https://issues.redhat.com/browse/NE-2387

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 3, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot

openshift-ci-robot commented Jul 3, 2026

Copy link
Copy Markdown

@aswinsuryan: This pull request references NE-2387 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Allows administrators to specify custom security groups for
IngressControllers using AWS Network Load Balancers. Introduce
under the IngressControllerLBSecurityGroupsAWS FeatureGate.

Adds a securityGroups field to AWSNetworkLoadBalancerParameters
with a new SecurityGroupID type validated against the AWS sg-*
format. When specified, these security groups replace the managed
security group that the Cloud Controller Manager would otherwise
create automatically.

Enhancement: openshift/enhancements#2037
Epic: https://issues.redhat.com/browse/NE-2387

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Hello @aswinsuryan! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci Bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This pull request adds the IngressControllerLBSecurityGroupsAWS feature gate, introduces SecurityGroups on AWSNetworkLoadBalancerParameters, and defines the SecurityGroupID type with validation. It also updates the feature matrix and generated FeatureGate manifests to mark the gate enabled for DevPreviewNoUpgrade and TechPreviewNoUpgrade and disabled for Default and OKD release sets.

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Microshift Test Compatibility ⚠️ Warning New tests use IngressControllerLBSecurityGroupsAWS and operator.openshift.io/v1/openshift-ingress-operator, with no MicroShift skip, apigroup tag, or runtime guard. Add a [Skipped:MicroShift] or [apigroup:...] tag, or guard with exutil.IsMicroShiftCluster(); otherwise exclude this suite from MicroShift jobs.
✅ Passed checks (14 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: adding AWS NLB security group selection for IngressController resources.
Description check ✅ Passed The description accurately describes the feature gate, new field, validation, and AWS NLB behavior introduced by the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The added suite names are static, descriptive strings; no titles embed timestamps, IDs, node/pod/namespace names, or other run-specific data.
Test Structure And Quality ✅ Passed PASS: Each YAML case targets one behavior; the shared harness handles default-namespace cleanup, 5s timeouts, and assertion messages in the standard repo pattern.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The new YAML e2e suite only checks CRD defaulting/validation and mutable fields; it has no node/HA assumptions and no SNO skip is needed.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only adds AWS NLB security-group API/feature-gate plumbing and tests; no node selectors, affinity, spread, replicas, or topology checks were introduced.
Ote Binary Stdout Contract ✅ Passed Changed Go files only add feature declarations/types; no main/init/TestMain/BeforeSuite stdout writes were introduced, and the new test artifact is YAML only.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The new YAML suite only exercises CRD validation with AWS security-group IDs; it contains no IP literals, hostnames, or network calls, and the harness uses envtest/K8s client only.
No-Weak-Crypto ✅ Passed Touched files add feature-gate and AWS NLB validation only; scans found no md5/sha1/des/rc4/3des/blowfish/ecb, custom crypto, or secret/token comparisons.
Container-Privileges ✅ Passed No changed K8s manifests set privileged, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or root; PR changes are feature gates, CRD schema, and tests.
No-Sensitive-Data-In-Logs ✅ Passed The change only adds feature-gate/schema definitions and validation tests; I found no new log statements or runtime paths that would print secrets/PII.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
operator/v1/types_ingresscontroller.go (1)

902-966: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

No validation test coverage included for the new field/type.

This PR introduces a new gated field with non-trivial CEL validation logic (duplicate check, format regex, length bounds), but no .testsuite.yaml files are included in this diff to exercise the new validation rules (including the edge case above).

As per coding guidelines ("Add validation tests in <group>/<version>/tests/<crd-name>/... Run make update-codegen-crds to generate CRDs"), please add integration tests covering valid/invalid securityGroups values, especially inputs lacking -. Want me to draft a .testsuite.yaml for this?

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_ingresscontroller.go` around lines 902 - 966, The new
SecurityGroups field and SecurityGroupID type add CEL validation but have no
test coverage. Add a .testsuite.yaml under the ingresscontroller CRD tests path
to exercise the generated validation for
IngressController/IngressControllerSpec.SecurityGroups, covering valid values,
duplicate entries, max item limits, and invalid formats such as missing the sg-
prefix or bad hex length. Use the new SecurityGroups and SecurityGroupID symbols
to ensure the tests target the gated field and its validation rules, then
regenerate CRDs with make update-codegen-crds.

Source: Coding guidelines

🧹 Nitpick comments (2)
operator/v1/types_ingresscontroller.go (2)

902-926: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Omitted-field behavior only partially documented.

The comment explains behavior when the field is omitted only for the case where NLBSecurityGroupMode is Managed in the CCM cloud-config. It's unclear what happens when the field is omitted and that mode is not Managed (e.g. Disabled or unset). Per the API review documentation requirements, every +optional field should fully explain omitted behavior.

As per coding guidelines, "Ensure every +optional field explains omitted behavior" — please clarify the omitted-field behavior for all CCM configurations, not just the Managed case.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_ingresscontroller.go` around lines 902 - 926, The
SecurityGroups field comment only documents the omitted case for
NLBSecurityGroupMode=Managed, so update the doc on SecurityGroups to describe
what happens when it is omitted for all CCM cloud-config modes, including
Disabled or unset. Keep the existing behavior for the Managed case and add the
missing omitted-field behavior so the +optional field is fully specified.

Source: Coding guidelines


958-964: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Length range is broader than real AWS security group ID formats.

AWS generates security group IDs as either 8 hex characters (legacy) or 17 hex characters (current standard), e.g. sg-903004f8 or sg-0a1b2c3d4e5f6a7b8, not any length in between. The {8,17} range and MinLength=11/MaxLength=20 would incorrectly accept e.g. a 12-hex-char suffix that AWS would never issue.

Consider tightening to ^[0-9a-fA-F]{8}$|^[0-9a-fA-F]{17}$ (and adjusting length bounds) if strict AWS format matching is desired.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_ingresscontroller.go` around lines 958 - 964, The
SecurityGroupID validation in the ingress controller types is too permissive
because it allows any hex suffix length between 8 and 17 instead of only the
AWS-issued 8- or 17-character formats. Update the kubebuilder validation on
SecurityGroupID to match only the two valid AWS shapes and align the
MinLength/MaxLength constraints accordingly, using the existing SecurityGroupID
annotation block in types_ingresscontroller.go.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/v1/types_ingresscontroller.go`:
- Around line 958-966: The SecurityGroupID validation currently splits on “-” in
a separate XValidation rule, which can still fail at runtime for values missing
the prefix. Update the validation on SecurityGroupID so the prefix and suffix
checks are combined safely, either by folding the sg- check into the same CEL
rule or by using a safe substring-based match instead of self.split("-", 2)[1].
Keep the existing intent of enforcing sg- followed by 8 to 17 hex characters
while avoiding indexed-expression errors.

---

Outside diff comments:
In `@operator/v1/types_ingresscontroller.go`:
- Around line 902-966: The new SecurityGroups field and SecurityGroupID type add
CEL validation but have no test coverage. Add a .testsuite.yaml under the
ingresscontroller CRD tests path to exercise the generated validation for
IngressController/IngressControllerSpec.SecurityGroups, covering valid values,
duplicate entries, max item limits, and invalid formats such as missing the sg-
prefix or bad hex length. Use the new SecurityGroups and SecurityGroupID symbols
to ensure the tests target the gated field and its validation rules, then
regenerate CRDs with make update-codegen-crds.

---

Nitpick comments:
In `@operator/v1/types_ingresscontroller.go`:
- Around line 902-926: The SecurityGroups field comment only documents the
omitted case for NLBSecurityGroupMode=Managed, so update the doc on
SecurityGroups to describe what happens when it is omitted for all CCM
cloud-config modes, including Disabled or unset. Keep the existing behavior for
the Managed case and add the missing omitted-field behavior so the +optional
field is fully specified.
- Around line 958-964: The SecurityGroupID validation in the ingress controller
types is too permissive because it allows any hex suffix length between 8 and 17
instead of only the AWS-issued 8- or 17-character formats. Update the
kubebuilder validation on SecurityGroupID to match only the two valid AWS shapes
and align the MinLength/MaxLength constraints accordingly, using the existing
SecurityGroupID annotation block in types_ingresscontroller.go.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8077e609-8fb4-4105-997a-13173f1f2637

📥 Commits

Reviewing files that changed from the base of the PR and between 02e2c3d and 0c8edfa.

⛔ Files ignored due to path filters (6)
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerLBSecurityGroupsAWS.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
📒 Files selected for processing (11)
  • features.md
  • features/features.go
  • operator/v1/types_ingresscontroller.go
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
  • payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

Comment thread operator/v1/types_ingresscontroller.go
@aswinsuryan aswinsuryan force-pushed the NE-2387/ingress-controller-lb-security-groups-aws branch from 0c8edfa to 0c5d225 Compare July 7, 2026 03:35
@aswinsuryan aswinsuryan marked this pull request as ready for review July 7, 2026 17:53
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 7, 2026
@openshift-ci openshift-ci Bot requested review from JoelSpeed and everettraven July 7, 2026 17:55
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 8, 2026
@gcs278

gcs278 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

/assign @gcs278

@gcs278

gcs278 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

/assign @bentito

Comment thread operator/v1/types_ingresscontroller.go Outdated
Comment on lines +913 to +917
// When this field is omitted, behavior depends on the
// NLBSecurityGroupMode setting in the CCM cloud-config: if set to
// Managed, the Cloud Controller Manager automatically creates and
// manages a security group for the NLB; if set to Disabled or
// unset, no security group is attached to the NLB.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this true that you can turn off SecurityGroup management in Openshift?

I thought the CCMO disables it when the feature gate is GA (which is is).

Maybe @mtulio could chime in too. Is this really exposed as a supported knob in OpenShift?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not optional, Managed mode must be enforced in config.
afaict the only possibility to a service NLB does not have SGs will be on existing services (created prior this feature).

@gcs278

gcs278 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@aswinsuryan you will need to rebase - and take a look at verify & lint failures (you'll need to add an integration test).

@aswinsuryan aswinsuryan force-pushed the NE-2387/ingress-controller-lb-security-groups-aws branch from 0c5d225 to 6d44ef8 Compare July 9, 2026 03:31
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 9, 2026
Allows administrators to specify custom security groups for
IngressControllers using AWS Network Load Balancers. Introduce
under the `IngressControllerLBSecurityGroupsAWS` FeatureGate.

Signed-off-by: Aswin Suryanarayanan <asuryana@redhat.com>
@aswinsuryan aswinsuryan force-pushed the NE-2387/ingress-controller-lb-security-groups-aws branch from 6d44ef8 to 3056220 Compare July 9, 2026 03:42
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@aswinsuryan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify 3056220 link true /test verify
ci/prow/verify-hypershift-integration 3056220 link true /test verify-hypershift-integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@mtulio

mtulio commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

cc @mfbonfigli

@gcs278

gcs278 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@aswinsuryan Generally LGTM - you'll just need integration tests to clear CI.

Signed-off-by: Aswin Suryanarayanan <asuryana@redhat.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBSecurityGroupsAWS.yaml (1)

1-435: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Comprehensive test coverage for security group validation.

The test suite thoroughly covers the upstream contract from types_ingresscontroller.go: valid 8-char and 17-char hex IDs, empty values, wrong prefix, non-hex characters, wrong hex length, MaxItems exceeded, duplicates, MaxLength exceeded, and mutability (add, change, remove). The expectedError strings align with the kubebuilder validation markers (MinLength, MaxLength, MaxItems, XValidation messages).

Two minor edge-case gaps worth considering:

  1. MaxItems upper boundary (exactly 5 valid groups) — the suite tests 6 groups (invalid) but doesn't confirm that exactly 5 is accepted. This validates the boundary itself.

  2. Empty list [] (MinItems=1) — the suite tests omission (valid via +optional) and a single item, but not an explicit empty list which should trigger MinItems=1.

➕ Suggested additional test cases
     - name: Should not allow more than 5 security groups.
       initial: |
         apiVersion: operator.openshift.io/v1
         kind: IngressController
         metadata:
           name: sgtestnlb
           namespace: openshift-ingress-operator
         spec:
           endpointPublishingStrategy:
             loadBalancer:
               scope: External
               providerParameters:
                 type: AWS
                 aws:
                   type: NLB
                   networkLoadBalancer:
                     securityGroups:
                     - sg-1234567890abcdef0
                     - sg-1234567890abcdef1
                     - sg-1234567890abcdef2
                     - sg-1234567890abcdef3
                     - sg-1234567890abcdef4
                     - sg-1234567890abcdef5
             type: LoadBalancerService
       expectedError: "spec.endpointPublishingStrategy.loadBalancer.providerParameters.aws.networkLoadBalancer.securityGroups: Too many: 6: must have at most 5 items"
+    - name: Should allow exactly 5 security groups (MaxItems boundary).
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: sgtestnlb
+          namespace: openshift-ingress-operator
+        spec:
+          endpointPublishingStrategy:
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: NLB
+                  networkLoadBalancer:
+                    securityGroups:
+                    - sg-1234567890abcdef0
+                    - sg-1234567890abcdef1
+                    - sg-1234567890abcdef2
+                    - sg-1234567890abcdef3
+                    - sg-1234567890abcdef4
+            type: LoadBalancerService
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: sgtestnlb
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
+          endpointPublishingStrategy:
+            loadBalancer:
+              dnsManagementPolicy: Managed
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: NLB
+                  networkLoadBalancer:
+                    securityGroups:
+                    - sg-1234567890abcdef0
+                    - sg-1234567890abcdef1
+                    - sg-1234567890abcdef2
+                    - sg-1234567890abcdef3
+                    - sg-1234567890abcdef4
+            type: LoadBalancerService
+    - name: Should not allow an empty security groups list.
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: sgtestnlb
+          namespace: openshift-ingress-operator
+        spec:
+          endpointPublishingStrategy:
+            loadBalancer:
+              scope: External
+              providerParameters:
+                type: AWS
+                aws:
+                  type: NLB
+                  networkLoadBalancer:
+                    securityGroups: []
+            type: LoadBalancerService
+      expectedError: "spec.endpointPublishingStrategy.loadBalancer.providerParameters.aws.networkLoadBalancer.securityGroups: Too few: 0: must have at least 1 items"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBSecurityGroupsAWS.yaml`
around lines 1 - 435, Add tests under onCreate for the securityGroups field in
the IngressController cases: one with exactly five valid security group IDs that
succeeds, and one with an explicitly empty securityGroups list that expects the
MinItems=1 validation error. Keep the fixtures consistent with the existing NLB
examples and assert the corresponding validation message.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBSecurityGroupsAWS.yaml`:
- Around line 1-435: Add tests under onCreate for the securityGroups field in
the IngressController cases: one with exactly five valid security group IDs that
succeeds, and one with an explicitly empty securityGroups list that expects the
MinItems=1 validation error. Keep the fixtures consistent with the existing NLB
examples and assert the corresponding validation message.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2e487cd6-07ce-49f2-babc-1f4b79ce396b

📥 Commits

Reviewing files that changed from the base of the PR and between 3056220 and 4441457.

📒 Files selected for processing (1)
  • operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBSecurityGroupsAWS.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants