OCPBUGS-84955: Add render-sensitive flag to hypershift install render

[clebs]

What this PR does / why we need it:

Introduce the --render-sensitive flag to the hypershift install render command to avoid leaking secrets.
This is now needed because the new webhookcerts controller introduces secrets that should not be rendered by default.

Which issue(s) this PR fixes:

Fixes OCPBUGS-84955

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

  • Added a --render-sensitive option to control whether sensitive resources (e.g., Secrets) are emitted when rendering manifests; sensitive objects are excluded by default.
  • Template rendering now requires explicit --render-sensitive to include sensitive data; omitting it returns a clear error.

• Tests

  • Added tests validating inclusion/exclusion of sensitive resources and the template-without-flag failure.

• Chores

  • Exposed a public option to enable render-sensitive behavior.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@clebs: This pull request references Jira Issue OCPBUGS-84955, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

Introduce the --render-sensitive flag to the hypershift install render command to avoid leaking secrets.
This is now needed because the new webhookcerts controller introduces secrets that should not be rendered by default.

Which issue(s) this PR fixes:

Fixes OCPBUGS-84955

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

A new boolean Options field RenderSensitive and a --render-sensitive CLI flag were added. When rendering manifests, the command now returns an error if --template is used without --render-sensitive. By default (RenderSensitive=false) Kubernetes Secret objects are filtered out of the rendered output; when RenderSensitive=true secrets are included. Tests were added to verify both behaviors.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI as InstallCmd
    participant Renderer
    participant Store as ManifestObjects
    participant Output

    User->>CLI: invoke install command (flags: --template?, --render-sensitive?)
    CLI->>Renderer: render(Template, RenderSensitive)
    alt Template true and RenderSensitive false
        Renderer-->>CLI: return error "templates require --render-sensitive when secrets are present"
        CLI-->>User: print error
    else
        Renderer->>Store: load manifests (Secrets + other objects)
        alt RenderSensitive false
            Renderer->>Store: filter out Secret objects
        end
        Renderer->>Output: emit rendered manifests
        Output-->>User: write manifests
    end

Loading

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check targets Ginkgo test patterns (Describe/It blocks, BeforeEach/AfterEach). Tests in PR use standard Go testing with t.Run and Gomega matchers. Check applicability is unclear.	Verify if check should apply to standard Go tests. If yes, tests have helpful assertion messages and single responsibility per subtest. If no, check is not applicable.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Check applies to Ginkgo BDD tests (It(), Describe(), Context(), When()). PR adds only standard Go tests with testing.T. Not applicable to this codebase.
Microshift Test Compatibility	✅ Passed	The new tests added are standard Go unit tests (using testing.T and Gomega matchers), not Ginkgo e2e tests. The custom check only applies to Ginkgo e2e tests, so this check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. All test additions are standard Go unit tests using testing.T in cmd/install/, not Ginkgo-based e2e tests. The custom check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds a --render-sensitive flag to filter Secret objects from CLI rendering. Does not introduce deployment manifests, operator code, or controllers with scheduling constraints. Check not applicable.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes found. All render output via io.Writer parameters. Tests use cmd.SetOut() to capture output. No main(), init(), or global var initializers write to stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Check applies to Ginkgo e2e tests only. Tests added are standard Go unit tests, not Ginkgo. No IPv4 assumptions or external connectivity detected.
Title check	✅ Passed	The title accurately reflects the primary change: adding a render-sensitive flag to the hypershift install render command, which is the core feature across all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[clebs]

/area cli

[clebs]

/jira refresh

[openshift-ci-robot]

@clebs: This pull request references Jira Issue OCPBUGS-84955, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

What this PR does / why we need it:

Introduce the --render-sensitive flag to the hypershift install render command to avoid leaking secrets.
This is now needed because the new webhookcerts controller introduces secrets that should not be rendered by default.

Which issue(s) this PR fixes:

Fixes OCPBUGS-84955

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

• Added --render-sensitive flag to control the inclusion of sensitive data in manifest rendering

• Sensitive objects are now excluded by default for enhanced security

• Tests

• Added tests to verify render-sensitive functionality

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@clebs: This pull request references Jira Issue OCPBUGS-84955, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: clebs, patjlm
Once this PR has been reviewed and has the lgtm label, please assign muraee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.46%. Comparing base (7ac2953) to head (2376a26).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8436      +/-   ##
==========================================
+ Coverage   37.44%   37.46%   +0.02%     
==========================================
  Files         751      751              
  Lines       91969    91980      +11     
==========================================
+ Hits        34435    34461      +26     
+ Misses      54894    54881      -13     
+ Partials     2640     2638       -2     

Files with missing lines	Coverage Δ
cmd/install/install.go	52.60% <ø> (+1.26%)	⬆️
cmd/install/install_render.go	57.02% <100.00%> (+2.11%)	⬆️

Flag	Coverage Δ
cmd-support	32.71% <100.00%> (+0.07%)	⬆️
cpo-hostedcontrolplane	36.48% <ø> (ø)
cpo-other	37.73% <ø> (ø)
hypershift-operator	47.93% <ø> (ø)
other	27.77% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/install/install_render.go`:
- Around line 135-144: The current filter only removes top-level *corev1.Secret
entries from objectsToRender when opts.RenderSensitive is false but misses
secrets embedded inside Template objects; update the filtering loop to detect
template objects (the Template type used by the codebase, e.g.
templatev1.Template or the project's Template wrapper) and either remove any
inner *corev1.Secret entries from the template's Objects slice or skip emitting
the entire Template if it contains secrets; ensure you still build a new
filtered objectsToRender slice and reference opts.RenderSensitive,
objectsToRender, corev1.Secret and the Template type/name to locate and modify
the logic.

In `@cmd/install/install_test.go`:
- Around line 514-558: The test is bypassing the real rendering by calling
hyperShiftOperatorManifests and re-implementing secret filtering; replace that
with an end-to-end call to RenderHyperShiftOperator using the same Options (pass
tc.renderSensitive) and assert directly on the returned objects so the
sensitive-rendering flag behavior is exercised; remove the manual filtering
logic (the loop that builds rendered and renderedSecrets) and instead inspect
the objects slice returned by RenderHyperShiftOperator for corev1.Secret
instances and their names, then use g.Expect on that result according to
tc.expectSecrets.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6f7dd5cc-ab34-4576-bc90-82d8f68906d1

📥 Commits

Reviewing files that changed from the base of the PR and between 7ac2953 and 500185f.

📒 Files selected for processing (3)

• cmd/install/install.go
• cmd/install/install_render.go
• cmd/install/install_test.go

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/install/install_test.go`:
- Around line 529-544: The test currently swallows Decode errors from
hyperapi.YamlSerializer.Decode while iterating over strings.SplitSeq output,
which can hide parsing failures; update the loop that builds secretNames to fail
the test on any non-nil err returned by hyperapi.YamlSerializer.Decode (use
g.Expect(err).ToNot(HaveOccurred() or equivalent) so decode errors fail fast)
and additionally assert that at least one manifest document was decoded (e.g.,
track a decodedCount and g.Expect(decodedCount).To(BeNumerically(">", 0)) before
checking tc.expectSecrets) so the test cannot pass vacuously when parsing fails.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1425c809-dd28-4dbd-adbc-7505f933e0f5

📥 Commits

Reviewing files that changed from the base of the PR and between db4c56f and c41aeae.

📒 Files selected for processing (4)

• cmd/install/install.go
• cmd/install/install_render.go
• cmd/install/install_render_test.go
• cmd/install/install_test.go

[coderabbitai]

🧹 Nitpick comments (1)

cmd/install/install_test.go (1)

549-553: ⚡ Quick win

Remove duplicated secret assertion block.

Lines 549-553 repeat the same tc.expectSecrets assertions already done at Lines 543-547. Keeping one block avoids redundant checks and future drift.

♻️ Proposed cleanup

-			if tc.expectSecrets {
-				g.Expect(secretNames).ToNot(BeEmpty(), "expected secrets in rendered output")
-			} else {
-				g.Expect(secretNames).To(BeEmpty(), "expected no secrets in rendered output")
-			}
 		})
 	}
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/install/install_test.go` around lines 549 - 553, Remove the duplicated
assertion block that checks tc.expectSecrets against secretNames (the second
g.Expect block using secretNames and tc.expectSecrets); keep the original
assertions (the first g.Expect checks on secretNames at the earlier block) and
delete the repeated g.Expect(...) else branch starting with "if tc.expectSecrets
{ g.Expect(secretNames)..." to avoid redundant checks and drift.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@cmd/install/install_test.go`:
- Around line 549-553: Remove the duplicated assertion block that checks
tc.expectSecrets against secretNames (the second g.Expect block using
secretNames and tc.expectSecrets); keep the original assertions (the first
g.Expect checks on secretNames at the earlier block) and delete the repeated
g.Expect(...) else branch starting with "if tc.expectSecrets {
g.Expect(secretNames)..." to avoid redundant checks and drift.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d3a36dcb-290e-4404-ac37-3eecf3a0a0bf

📥 Commits

Reviewing files that changed from the base of the PR and between c41aeae and 6c6bd93.

📒 Files selected for processing (1)

• cmd/install/install_test.go