
OCPBUGS-66251: OADP restore results in htpasswd no longer being applied as volume#7628

Open
mehabhalodiya wants to merge 1 commit into openshift:main from mehabhalodiya:oadp-oauth

Conversation

@mehabhalodiya
Contributor

@mehabhalodiya mehabhalodiya commented Feb 3, 2026

This PR fixes an issue where OAuth identity provider (IDP) secrets are not mounted as volumes in the oauth-openshift deployment after OADP restore operations.

What this PR does / why we need it:

Problem

After restoring a HostedCluster using the OADP plugin, htpasswd IDP secrets exist in the HCP namespace but are not mounted as volumes in the oauth-openshift deployment. This prevents OAuth authentication from working with the IDP.

Root Cause

The oauth-openshift deployment reconciliation logic appends IDP volumes to the existing volumes list without first removing stale volumes. When OADP restores the deployment, it may restore with:

  • Stale volumes from previous configurations
  • Missing volumes entirely
  • Incorrect volume mount configurations

The reconciliation doesn't clean up these stale volumes, leading to inconsistent state.

Solution

HyperShift Codebase Fix

File: control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go

Changes:

  1. Added removeIDPVolumes() function to clean up stale IDP volumes
  2. Added removeIDPVolumeMounts() function to clean up stale IDP volume mounts
  3. Updated adaptDeployment() to remove stale volumes/mounts before adding new ones

Key Benefits:

  • Ensures clean state after restore
  • Makes reconciliation idempotent
  • Works correctly even if deployment is restored with incorrect state
  • Backward compatible

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-66251

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added GCP Workload Identity Federation support with resource labeling
    • AWS Network Load Balancer now supports Elastic IP allocation and subnet configuration
    • Node pool auto-scaling supports scale-from-zero on AWS
    • OKD now supported as a platform option
  • Infrastructure Updates

    • Upgraded Go runtime from 1.24 to 1.25
    • Updated OpenShift platform from 4.21 to 4.22
    • Enhanced multi-architecture CLI builds
    • Refreshed container base images
  • Documentation

    • Expanded contributor guidelines with detailed workflows

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 3, 2026
@openshift-ci-robot

@mehabhalodiya: This pull request references Jira Issue OCPBUGS-66251, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Contributor

coderabbitai bot commented Feb 3, 2026

Caution

Review failed

Failed to post review comments

Walkthrough

This PR updates Go toolchain from 1.24 to 1.25 across build files, enhances GCP platform support with Workload Identity Federation and resource labeling, introduces node CIDR allocation controls and AWS network load balancer EIP/subnet configurations, adds OKD feature gate support, expands API validations and TLS profile guidance, updates Tekton task digests, adds documentation for new Claude commands, and adjusts project ownership rules.

Changes

Cohort / File(s) Summary
Go Toolchain and Base Image Updates
.ci-operator.yaml, Dockerfile, Dockerfile.control-plane, Dockerfile.dev, Dockerfile.e2e, Containerfile.operator, Containerfile.control-plane
Updated Go toolchain from 1.24 to 1.25 and base image versions from 4.21 to 4.22. Adjusted builder and runtime image references accordingly.
CLI Build Enhancements
Containerfile.cli
Upgraded builder image to Go 1.25, switched to new builder registry, added multi-architecture tarball packaging (linux/amd64, arm64, ppc64le, s390x, darwin, windows), updated nginx base image, and added CPE metadata.
Dependency and Module Updates
api/go.mod, api/.golangci.yml
Bumped Go toolchain to 1.25.3, updated AWS SDK v2, Kubernetes API, operatorpkg, and various transitive dependencies. Reconfigured linter with selective enables and tightened field-specific lint rule targets.
Tekton Pipeline Digest Updates
.tekton/hypershift-gomaxprocs-webhook-pull-request.yaml, .tekton/hypershift-gomaxprocs-webhook-push.yaml, .tekton/hypershift-operator-main-tag.yaml, .tekton/pipelines/common-operator-build.yaml
Updated task bundle digests and image references to latest versions across multiple PipelineRun manifests; some tasks updated semantic versions.
GCP Platform API Enhancements
api/hypershift/v1beta1/gcp.go
Added GCPResourceLabel, GCPWorkloadIdentityConfig, and GCPServiceAccountsEmails types with comprehensive validation rules for Workload Identity Federation configuration, resource labeling, and service account email management.
HostedCluster and HostedControlPlane API Changes
api/hypershift/v1beta1/hostedcluster_conditions.go, api/hypershift/v1beta1/hostedcluster_types.go, api/hypershift/v1beta1/nodepool_types.go
Added GCP credential validation conditions, node CIDR allocation field (AllocateNodeCIDRsMode), service account key rotation support, Karpenter annotations, and CAPI GCP provider image constant. Updated NodePool autoScaling.min to support scale-from-zero (0 value) on AWS platform.
CRD Manifest Schema Updates (HostedCluster Variants)
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/*
Enhanced all feature-gated CRD variants with: allocateNodeCIDRs field, eipAllocations/subnets for AWS load balancers, GCP workload identity and resource labels, OKD feature gate support, updated TLS profile defaults (current default Intermediate), cross-field validations for networking/load balancer consistency, and key rotation guidance.
CRD Manifest Schema Updates (HostedControlPlane Variants)
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/*
Applied similar enhancements to HostedControlPlane CRD variants including allocateNodeCIDRs, eipAllocations/subnets under networkLoadBalancer, OKD transitions, increased history/risks limits (maxItems: 200), and consistent TLS/networking validations across all feature gate configurations.
NodePool CRD Updates
api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/*
Updated NodePool schema to allow autoScaling.min value of 0 for scale-from-zero support (AWS only), added min as required field, and refined Windows image type validation constraints.
Feature Gate and Condition Types
api/hypershift/v1beta1/featuregates/featureGate-Hypershift-Default.yaml, api/hypershift/v1beta1/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml
Renamed "DynamicResourceAllocation" feature gate to "HyperShiftOnlyDynamicResourceAllocation" across enabled feature gate lists.
Build and Project Configuration
Makefile, OWNERS, OWNERS_ALIASES, .gitignore, .golangci.yml
Added cluster-api-provider-gcp and docs-aggregate build targets, added karpenter-operator OWNERS rules and aliases, added Azure Cleanzones binary to .gitignore, and adjusted staticcheck exclusions with AWS SDK deprecation note.
Documentation and Developer Guidance
.claude/SKILLS.md, .claude/agents/*.md, .claude/commands/*.md, .github/CONTRIBUTING.md
Added documented commands for fixing HyperShift bot PRs and updating Konflux tasks, expanded command descriptions in SKILLS section, refined agent descriptions (api-sme, cloud-provider-sme, control-plane-sme, data-plane-sme, hcp-architect-sme), and enhanced CONTRIBUTING workflow with explicit CI commands, slash commands, and reviewer assignment steps.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title references a specific Jira issue (OCPBUGS-66251) but describes an oauth/htpasswd bug unrelated to the changeset's primary focus on updating container images, Go versions, GCP platform features, and CRD schemas. Revise the PR title to reflect the actual scope of changes, such as 'Update Go 1.24 to 1.25, add GCP Workload Identity and cluster networking features, update CRDs and container images' or split into multiple focused PRs.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names ✅ Passed No test files with dynamic test names found. Repository contains primarily configuration and documentation files.
Test Structure And Quality ✅ Passed Tests demonstrate strong adherence to quality requirements with focused single responsibility, appropriate setup/cleanup, and consistency with codebase patterns.


@openshift-ci openshift-ci bot requested review from bryan-cox and sjenning February 3, 2026 17:48
@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release and removed do-not-merge/needs-area labels Feb 3, 2026
@mehabhalodiya mehabhalodiya changed the title OCPBUGS-66251: OADP Restore Results in htpasswd No Longer Being Applied as Volume OCPBUGS-66251: OADP restore results in htpasswd no longer being applied as volume Feb 3, 2026
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go`:
- Around line 95-118: When identityProviders > 0, removeIDPVolumeMounts must run
regardless of whether ConvertIdentityProviders returned volumes to avoid leaving
stale mounts; change the block handling ConvertIdentityProviders so that after
calling removeIDPVolumes(deployment) and calling ConvertIdentityProviders(...)
you always call removeIDPVolumeMounts(deployment) before inspecting
volumeMountInfo.Volumes, then only append volumeMountInfo.Volumes and update
container mounts via util.UpdateContainer(ComponentName, ...) if
len(volumeMountInfo.Volumes) > 0. Ensure the same functions (removeIDPVolumes,
removeIDPVolumeMounts, ConvertIdentityProviders, util.UpdateContainer,
ComponentName, deployment) are used and no other behavior changes.

Comment on lines 95 to 118
identityProviders := configuration.OAuth.IdentityProviders
if len(identityProviders) > 0 {
	// Remove any existing IDP volumes to ensure clean state after restore
	// This is important for OADP restore scenarios where the deployment
	// might be restored with stale volume configurations
	removeIDPVolumes(deployment)

	_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
	// Ignore the error here, since we don't want to fail the deployment if the identity providers are invalid
	// A condition will be set on the HC to indicate the error
	if len(volumeMountInfo.Volumes) > 0 {
		// Remove any existing IDP volume mounts before adding new ones
		removeIDPVolumeMounts(deployment)

		deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volumeMountInfo.Volumes...)
		util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
			c.VolumeMounts = append(c.VolumeMounts, volumeMountInfo.VolumeMounts.ContainerMounts(ComponentName)...)
		})
	}
} else {
	// If no identity providers are configured, ensure any stale IDP volumes are removed
	removeIDPVolumes(deployment)
	removeIDPVolumeMounts(deployment)
}

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the ConvertIdentityProviders function
fd -t f -e go -path "*oauth*" control-plane-operator/controllers/hostedcontrolplane/v2 | head -20

Repository: openshift/hypershift

Length of output: 232


🏁 Script executed:

#!/bin/bash
# Search for ConvertIdentityProviders implementation
rg "func ConvertIdentityProviders" -A 50 --type go

Repository: openshift/hypershift

Length of output: 11465


🏁 Script executed:

#!/bin/bash
# Also search for the removeIDPVolumes and removeIDPVolumeMounts functions
rg "func (.*)?removeIDPVolumes|func (.*)?removeIDPVolumeMounts" -A 15 --type go

Repository: openshift/hypershift

Length of output: 3071


Fix dangling IDP mounts when volume conversion fails.

When ConvertIdentityProviders produces zero volumes (e.g., all providers fail conversion), removeIDPVolumes runs unconditionally, but removeIDPVolumeMounts is skipped because volumeMountInfo.Volumes is empty. This leaves stale mounts referencing volumes that no longer exist, creating an inconsistent pod spec. Move removeIDPVolumeMounts outside the conditional to always clean up mounts alongside volumes.

✅ Suggested adjustment
-			removeIDPVolumes(deployment)
-			
-			_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
+			removeIDPVolumes(deployment)
+			removeIDPVolumeMounts(deployment)
+
+			_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
 			// Ignore the error here, since we don't want to fail the deployment if the identity providers are invalid
 			// A condition will be set on the HC to indicate the error
 			if len(volumeMountInfo.Volumes) > 0 {
-				// Remove any existing IDP volume mounts before adding new ones
-				removeIDPVolumeMounts(deployment)
-				
 				deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volumeMountInfo.Volumes...)
 				util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
 					c.VolumeMounts = append(c.VolumeMounts, volumeMountInfo.VolumeMounts.ContainerMounts(ComponentName)...)
 				})
 			}
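Review bot: the hunk moves removeIDPVolumeMounts(deployment) up beside removeIDPVolumes(deployment) but deletes the only comment that explained the mount cleanup, so the block now strips mounts with no stated reason; keep a one-line comment on the pair saying both are cleared before ConvertIdentityProviders so that a call returning an empty volumeMountInfo.Volumes cannot leave mounts on the ComponentName container that reference volumes just removed. Since the else branch visible in the surrounding snippet makes the identical two calls, the pair could be hoisted above `if len(identityProviders) > 0 {` and the else branch dropped, which removes the duplication and makes the cleanup visibly unconditional. The PR description states that unit tests are included; a case in which ConvertIdentityProviders yields no volumes, asserting that no IDP mounts remain on the container, would pin the behaviour this adjustment fixes.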
📝 Committable suggestion

identityProviders := configuration.OAuth.IdentityProviders
if len(identityProviders) > 0 {
	// Remove any existing IDP volumes to ensure clean state after restore
	// This is important for OADP restore scenarios where the deployment
	// might be restored with stale volume configurations
	removeIDPVolumes(deployment)
	removeIDPVolumeMounts(deployment)
	_, volumeMountInfo, _ := ConvertIdentityProviders(cpContext, identityProviders, providerOverrides(cpContext.HCP), cpContext.Client, deployment.Namespace)
	// Ignore the error here, since we don't want to fail the deployment if the identity providers are invalid
	// A condition will be set on the HC to indicate the error
	if len(volumeMountInfo.Volumes) > 0 {
		deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, volumeMountInfo.Volumes...)
		util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
			c.VolumeMounts = append(c.VolumeMounts, volumeMountInfo.VolumeMounts.ContainerMounts(ComponentName)...)
		})
	}
} else {
	// If no identity providers are configured, ensure any stale IDP volumes are removed
	removeIDPVolumes(deployment)
	removeIDPVolumeMounts(deployment)
}
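The reconcile step that the PR description (stale IDP volumes appended to, never removed from, a restored oauth-openshift deployment) and the review comment above (mounts left dangling when conversion yields no volumes) both describe, as an added example. This is not HyperShift's code and not the PR's own removeIDPVolumes/removeIDPVolumeMounts; it is a self-contained Go model of the same logic. It uses simplified stand-in types rather than k8s.io/api, assumes an `idp-` volume-name prefix as the way IDP volumes are recognised (the page does not show the real criterion), and replaces ConvertIdentityProviders with a stand-in that skips any IDP whose secret is missing. A constructed "as restored" state carries a stale IDP volume from an older configuration plus an IDP mount with no backing volume; the code shows that stripping volumes and mounts before re-adding makes the step idempotent, and that clearing the mounts unconditionally keeps the pod spec consistent when the conversion returns nothing.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the pod-spec fields the reconciler touches (NOT the k8s.io/api types);
// Mounts belong to the oauth-openshift container, ComponentName in the reviewed snippet.
type (
	Volume      struct{ Name, SecretName string }
	VolumeMount struct{ Name, MountPath string }
	Deployment  struct{ Volumes []Volume; Mounts []VolumeMount }
	IDP         struct{ Name, Secret string } // Secret holds the IDP material, e.g. an htpasswd file
)

// ASSUMPTION: IDP volumes are recognised by this name prefix; the real criterion is not on this page.
const idpVolumePrefix = "idp-"

// removeIDPVolumes drops every IDP volume, stale ones included.
func removeIDPVolumes(d *Deployment) {
	kept := make([]Volume, 0, len(d.Volumes))
	for _, v := range d.Volumes {
		if !strings.HasPrefix(v.Name, idpVolumePrefix) {
			kept = append(kept, v)
		}
	}
	d.Volumes = kept
}

// removeIDPVolumeMounts drops every IDP mount from the container.
func removeIDPVolumeMounts(d *Deployment) {
	kept := make([]VolumeMount, 0, len(d.Mounts))
	for _, m := range d.Mounts {
		if !strings.HasPrefix(m.Name, idpVolumePrefix) {
			kept = append(kept, m)
		}
	}
	d.Mounts = kept
}

// convertIdentityProviders stands in for ConvertIdentityProviders: one volume and mount per convertible
// IDP. An IDP without a Secret is skipped (the real function reports this through an error the snippet
// deliberately ignores), so a total conversion failure yields zero volumes.
func convertIdentityProviders(idps []IDP) (vols []Volume, mounts []VolumeMount) {
	for _, p := range idps {
		if p.Secret == "" {
			continue
		}
		name := idpVolumePrefix + p.Name
		vols = append(vols, Volume{Name: name, SecretName: p.Secret})
		mounts = append(mounts, VolumeMount{Name: name, MountPath: "/etc/oauth/idp/" + p.Name})
	}
	return vols, mounts
}

// reconcileIDPVolumes is the idempotent step: strip stale IDP volumes AND mounts first, then append the
// current set. With the mount cleanup unconditional, a conversion yielding zero volumes cannot leave
// mounts pointing at volumes that no longer exist.
func reconcileIDPVolumes(d *Deployment, idps []IDP) {
	removeIDPVolumes(d)
	removeIDPVolumeMounts(d)
	vols, mounts := convertIdentityProviders(idps)
	if len(vols) == 0 {
		return // nothing configured or nothing convertible: the spec stays clean
	}
	d.Volumes = append(d.Volumes, vols...)
	d.Mounts = append(d.Mounts, mounts...)
}

// danglingMounts lists mounts with no backing volume (the inconsistent pod spec a restore or a partial
// cleanup leaves behind); an empty result means the spec is consistent.
func danglingMounts(d *Deployment) (out []string) {
	have := map[string]bool{}
	for _, v := range d.Volumes {
		have[v.Name] = true
	}
	for _, m := range d.Mounts {
		if !have[m.Name] {
			out = append(out, m.Name)
		}
	}
	return out
}

// restoredDeployment is a CONSTRUCTED "as restored" state: a stale IDP volume from an old configuration
// plus an IDP mount whose backing volume did not come back.
func restoredDeployment() *Deployment {
	return &Deployment{
		Volumes: []Volume{{Name: "serving-cert", SecretName: "oauth-serving-cert"}, {Name: "idp-old-ldap", SecretName: "old-ldap-bind"}},
		Mounts: []VolumeMount{
			{Name: "serving-cert", MountPath: "/etc/tls"}, {Name: "idp-old-ldap", MountPath: "/etc/oauth/idp/old-ldap"},
			{Name: "idp-orphan", MountPath: "/etc/oauth/idp/orphan"}, // no volume behind it
		},
	}
}

func main() {
	d := restoredDeployment()
	want := []IDP{{Name: "htpasswd", Secret: "htpasswd-secret"}}
	reconcileIDPVolumes(d, want)
	reconcileIDPVolumes(d, want) // second pass is a no-op: no duplicates, nothing stale
	fmt.Println(d.Volumes, d.Mounts, "dangling mounts:", danglingMounts(d))
}
```

Run with `go run`: both passes leave exactly the serving-cert volume and mount plus the single idp-htpasswd pair, and no dangling mount. Feeding it an IDP with no secret (the conversion-failure path) leaves only the non-IDP serving-cert volume and mount, which is the consistent state the review asks the PR to guarantee.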

@jparrill
Contributor

jparrill commented Feb 4, 2026

/assign @jparrill

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 25, 2026
@openshift-ci openshift-ci bot added area/ai Indicates the PR includes changes related to AI - Claude agents, Cursor rules, etc. area/api Indicates the PR includes changes for the API area/ci-tooling Indicates the PR includes changes for CI or tooling area/cli Indicates the PR includes changes for CLI area/control-plane-pki-operator Indicates the PR includes changes for the control plane PKI operator - in an OCP release area/documentation Indicates the PR includes changes for documentation area/platform/aws PR/issue for AWS (AWSPlatform) platform area/platform/azure PR/issue for Azure (AzurePlatform) platform area/platform/gcp PR/issue for GCP (GCPPlatform) platform area/platform/kubevirt PR/issue for KubeVirt (KubevirtPlatform) platform area/platform/none PR/issue for None (NonePlatform) platform - user-supplied infrastructure area/platform/openstack PR/issue for OpenStack (OpenStackPlatform) platform area/platform/powervs PR/issue for PowerVS (PowerVSPlatform) platform labels Feb 25, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Feb 25, 2026
@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Feb 25, 2026
@openshift-ci-robot

@mehabhalodiya: This pull request references Jira Issue OCPBUGS-66251, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.


@mehabhalodiya mehabhalodiya changed the base branch from main to release-4.20 February 25, 2026 11:48
@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Feb 25, 2026
@openshift-ci-robot

@mehabhalodiya: This pull request references Jira Issue OCPBUGS-66251, which is invalid:

  • expected the bug to target either version "4.20." or "openshift-4.20.", but it targets "4.22.0" instead
  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-66251 to depend on a bug targeting a version in 4.21.0, 4.21.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.


@mehabhalodiya mehabhalodiya changed the base branch from release-4.20 to main February 25, 2026 11:51
@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 25, 2026
@openshift-ci-robot

@mehabhalodiya: This pull request references Jira Issue OCPBUGS-66251, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

Details

In response to this:

This PR fixes an issue where OAuth identity provider (IDP) secrets are not mounted as volumes in the oauth-openshift deployment after OADP restore operations.

What this PR does / why we need it:

Problem

After restoring a HostedCluster using the OADP plugin, htpasswd IDP secrets exist in the HCP namespace but are not mounted as volumes in the oauth-openshift deployment. This prevents OAuth authentication from working with the IDP.

Root Cause

The oauth-openshift deployment reconciliation logic appends IDP volumes to the existing volumes list without first removing stale volumes. When OADP restores the deployment, it may restore with:

  • Stale volumes from previous configurations
  • Missing volumes entirely
  • Incorrect volume mount configurations

The reconciliation doesn't clean up these stale volumes, leading to inconsistent state.

Solution

HyperShift Codebase Fix

File: control-plane-operator/controllers/hostedcontrolplane/v2/oauth/deployment.go

Changes:

  1. Added removeIDPVolumes() function to clean up stale IDP volumes
  2. Added removeIDPVolumeMounts() function to clean up stale IDP volume mounts
  3. Updated adaptDeployment() to remove stale volumes/mounts before adding new ones

Key Benefits:

  • Ensures clean state after restore
  • Makes reconciliation idempotent
  • Works correctly even if deployment is restored with incorrect state
  • Backward compatible

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-66251

Special notes for your reviewer:

Checklist:

  • Subject and description added to both commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

Release Notes

  • New Features
      • Added GCP Workload Identity Federation support with resource labeling
      • AWS Network Load Balancer now supports Elastic IP allocation and subnet configuration
      • Node pool auto-scaling supports scale-from-zero on AWS
      • OKD now supported as a platform option
  • Infrastructure Updates
      • Upgraded Go runtime from 1.24 to 1.25
      • Updated OpenShift platform from 4.21 to 4.22
      • Enhanced multi-architecture CLI builds
      • Refreshed container base images
  • Documentation
      • Expanded contributor guidelines with detailed workflows

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
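
As an added illustration of the remove-then-append reconciliation described in the quoted PR text above (example code written for this page, not the HyperShift code in deployment.go): the volume and mount types, the `idp-secret-` name prefix and the `/etc/oauth/idp/` mount path are assumptions standing in for the real ones.

```go
package main

import "strings"

// Stand-ins for the corev1.Volume / corev1.VolumeMount fields the reconciler
// touches, so the example runs without the Kubernetes API modules.
type Volume struct{ Name, SecretName string }
type VolumeMount struct{ Name, MountPath string }
type PodSpec struct{ Volumes []Volume; VolumeMounts []VolumeMount }

// Assumed naming convention that marks IDP-derived volumes and mounts.
const idpVolumePrefix = "idp-secret-"

// removeIDPVolumes drops every IDP volume, stale or current, and leaves the
// deployment's other volumes and the caller's slice untouched.
func removeIDPVolumes(vols []Volume) []Volume {
	kept := vols[:0:0]
	for _, v := range vols {
		if !strings.HasPrefix(v.Name, idpVolumePrefix) {
			kept = append(kept, v)
		}
	}
	return kept
}

// removeIDPVolumeMounts does the same for the container's mounts.
func removeIDPVolumeMounts(mounts []VolumeMount) []VolumeMount {
	kept := mounts[:0:0]
	for _, m := range mounts {
		if !strings.HasPrefix(m.Name, idpVolumePrefix) {
			kept = append(kept, m)
		}
	}
	return kept
}

// reconcileIDPVolumes rebuilds IDP volumes and mounts from the desired secrets:
// remove-then-append is independent of what a restore left behind (stale,
// missing or mismatched entries), and running it a second time is a no-op.
func reconcileIDPVolumes(spec PodSpec, idpSecrets []string) PodSpec {
	spec.Volumes = removeIDPVolumes(spec.Volumes)
	spec.VolumeMounts = removeIDPVolumeMounts(spec.VolumeMounts)
	for _, s := range idpSecrets {
		name := idpVolumePrefix + s
		spec.Volumes = append(spec.Volumes, Volume{Name: name, SecretName: s})
		spec.VolumeMounts = append(spec.VolumeMounts, VolumeMount{Name: name, MountPath: "/etc/oauth/idp/" + s})
	}
	return spec
}
```

The append-only behaviour the PR describes would instead keep `idp-secret-old-htpasswd` and the orphaned mount alongside the new entries, so the restored deployment never converges.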

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 25, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 26, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mehabhalodiya
Once this PR has been reviewed and has the lgtm label, please ask for approval from jparrill. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

This PR fixes an issue where OAuth identity provider (IDP)
secrets are not mounted as volumes in the oauth-openshift
deployment after OADP restore operations.

Signed-off-by: mehabhalodiya <mehabhalodiya@gmail.com>
@openshift-ci
Contributor

openshift-ci bot commented Feb 26, 2026

@mehabhalodiya: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-v2-aws | cf02839 | link | true | /test e2e-v2-aws |
| ci/prow/e2e-aks-4-21 | cf02839 | link | true | /test e2e-aks-4-21 |
| ci/prow/docs-preview | 3f75e61 | link | false | /test docs-preview |
| ci/prow/verify-deps | cf02839 | link | true | /test verify-deps |
| ci/prow/verify | 08f2779 | link | true | /test verify |
| ci/prow/e2e-gke | 3f75e61 | link | false | /test e2e-gke |
| ci/prow/e2e-aks | cf02839 | link | true | /test e2e-aks |
| ci/prow/images | cf02839 | link | true | /test images |
| ci/prow/e2e-aws | cf02839 | link | true | /test e2e-aws |
| ci/prow/verify | cf02839 | link | true | /test verify |
| ci/prow/security | cf02839 | link | true | /test security |
| ci/prow/e2e-kubevirt-aws-ovn-reduced | cf02839 | link | true | /test e2e-kubevirt-aws-ovn-reduced |
| ci/prow/e2e-aws-upgrade-hypershift-operator | cf02839 | link | true | /test e2e-aws-upgrade-hypershift-operator |
| ci/prow/unit | cf02839 | link | true | /test unit |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
