OCPBUGS-80925: Remove the CRB for the default openshift-cluster-version SA#1366

Open
DavidHurta wants to merge 2 commits intoopenshift:mainfrom
DavidHurta:add-delete-annotation-to-default-crb

Conversation

@DavidHurta
Contributor

@DavidHurta DavidHurta commented Apr 1, 2026

The PR aims to remove the default CRB by adding the delete annotation and updating the rendering logic to respect the annotation.

Summary by CodeRabbit

  • New Features

    • Support for the release.openshift.io/delete annotation to exclude manifests during bootstrap; manifests annotated "true" are skipped.
  • Bug Fixes

    • Validation now rejects invalid delete-annotation values and surfaces errors for malformed annotations.
  • Documentation

    • Improved render command help text and added comments to the static Pod bootstrap manifest.
  • Tests

    • Expanded tests covering delete-annotation handling, exclusion behavior, and error cases.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 1, 2026
@openshift-ci
Contributor

openshift-ci bot commented Apr 1, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@DavidHurta
Contributor Author

/test all

@coderabbitai

coderabbitai bot commented Apr 1, 2026

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 23132e30-e251-4370-bd88-c0978f53f3cd

📥 Commits

Reviewing files that changed from the base of the PR and between e9c1c39 and b7b86df.

📒 Files selected for processing (5)
  • bootstrap/bootstrap-pod.yaml
  • cmd/cluster-version-operator/render.go
  • install/0000_00_cluster-version-operator_90_roles-default.yaml
  • pkg/payload/render.go
  • pkg/payload/render_test.go

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting


Walkthrough

Validates and honors release.openshift.io/delete annotations during payload rendering (excluding or erroring on manifests), updates the render command help text, adds the delete annotation to a CVO RoleBinding, and adds three YAML comments to the bootstrap Pod manifest; tests were extended to cover the new behavior.

Changes

Cohort / File(s) Summary
Bootstrap Manifest
bootstrap/bootstrap-pod.yaml
Added three YAML comment lines describing static Pod deployment and resource reference restrictions.
CLI Help Text
cmd/cluster-version-operator/render.go
Updated render cobra command Short and Long help text to describe rendering/filtering of CVO and release payload manifests for cluster bootstrap.
Release Lifecycle Annotation
install/0000_00_cluster-version-operator_90_roles-default.yaml
Added release.openshift.io/delete: "true" annotation to the cluster-version-operator RoleBinding metadata.
Payload Rendering Logic
pkg/payload/render.go
Added per-manifest validation of release.openshift.io/delete via resourcedelete.ValidDeleteAnnotation(...) after existing include checks; manifests annotated "true" are excluded, invalid values produce errors.
Tests
pkg/payload/render_test.go
Renamed TestRenderDirWithMajorVersionFiltering to TestRenderDirFiltering; added expectError flag and test cases asserting exclusion for "true" and errors for invalid annotation values.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 8 | ❌ 2

❌ Failed checks (2 warnings)

  • Title check ⚠️ Warning: The PR title describes removing a ClusterRoleBinding for a ServiceAccount, but the actual changes focus on adding delete annotation validation and updating documentation/help text related to cluster bootstrap. Resolution: Update the title to accurately reflect the main changes: adding delete annotation support and related bootstrap documentation updates, rather than claiming to remove a ClusterRoleBinding.
  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (8 passed)

  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Stable And Deterministic Test Names ✅ Passed: The PR modifies Go table-driven tests with static, deterministic test case names; no Ginkgo tests or dynamic naming patterns detected.
  • Test Structure And Quality ✅ Passed: PR contains standard Go unit tests with table-driven patterns, not Ginkgo-style tests. The custom check is not applicable.
  • Microshift Test Compatibility ✅ Passed: This PR only modifies standard Go unit tests in pkg/payload/render_test.go and does not add any Ginkgo e2e tests, which are outside the scope of this custom check.
  • Single Node Openshift (Sno) Test Compatibility ✅ Passed: This pull request does not add any Ginkgo e2e tests. Test modifications are only to standard Go unit tests in pkg/payload/render_test.go.
  • Topology-Aware Scheduling Compatibility ✅ Passed: PR introduces no new scheduling constraints affecting SNO, Two-Node, HyperShift, or other OpenShift topologies. Changes limited to YAML comments, RBAC annotations, help text, and manifest rendering validation logic.
  • Ote Binary Stdout Contract ✅ Passed: PR modifications do not violate the OTE Binary Stdout Contract; logging properly configured to use stderr.
  • Ipv6 And Disconnected Network Test Compatibility ✅ Passed: This PR does not add any Ginkgo e2e tests. Modifications include YAML comments, CLI help text updates, RoleBinding annotation, and validation logic. The only test file modified uses the standard Go testing package, not Ginkgo framework.

@openshift-ci
Contributor

openshift-ci bot commented Apr 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DavidHurta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 1, 2026
@DavidHurta DavidHurta force-pushed the add-delete-annotation-to-default-crb branch from 5fe6918 to f64426f April 13, 2026 22:22
@DavidHurta DavidHurta changed the title WIP: Add delete annotation to default crb OCPBUGS-80925: Remove the CRB for the default openshift-cluster-version SA Apr 13, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 13, 2026
@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-80925, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

To ensure the default SA does not have cluster admin permissions.

To achieve this, rendering logic needs to be updated as well. During
cluster bootstrap, the installer calls rendering commands of specific
components required for the bootstrap [1]. These rendered manifests are
then applied by the cluster-bootstrap component [2]. The
cluster-bootstrap component applies all the non-bootstrap manifests as
they are [3].

At no stage is the delete annotation [4] taken into account, and thus
the CRB would keep getting applied during installations and getting
removed only during cluster upgrades due to the annotation.
This would prohibit us from ever removing the manifest file from the
repository, as a freshly installed cluster upgrading to a version where
manifest does not exist would result in the CRB being applied till
manually removed, causing a security concern.

Teach the rendering command to respect the delete annotation to allow us
to remove such manifests.

Add the delete annotation and move the CRB into a lower run-level where
we can safely remove manifests and not take up space in the used levels.

[1]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
[2]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L576
[3]: https://github.com/openshift/cluster-bootstrap/blob/b23c6ce3df43aed15158e999239694ec75371f18/pkg/start/start.go#L142
[4]: https://github.com/openshift/enhancements/blob/master/enhancements/update/object-removal-manifest-annotation.md

The installer renders the CVO bootstrap manifests into its
bootstrap-manifests directory [1], where bootstrap manifests of other
related components are rendered as well by their respective bootstrap
commands.

The directory is then consumed by the cluster-bootstrap component [2].
The cluster-bootstrap component copies these manifests to the static
Pod path of the node's kubelet [3].

As such, static Pods have some notable details, such as:

> The spec of a static Pod cannot refer to other API objects
> (e.g., ServiceAccount, ConfigMap, Secret, etc). [4]

Mention this in the manifest to save some time for future developers.

[1]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L192
[2]: https://github.com/openshift/installer/blob/c93ae9fc74d7fa0f478fa250de2ba702f84a0a21/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L576
[3]: https://github.com/openshift/cluster-bootstrap/blob/dc0d4a5cdaf8a7477cab584208dc99352f46efe2/pkg/start/bootstrap.go#L52-L60
[4]: https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/
@DavidHurta DavidHurta force-pushed the add-delete-annotation-to-default-crb branch from f64426f to b7b86df April 13, 2026 22:26
@DavidHurta DavidHurta marked this pull request as ready for review April 13, 2026 22:27
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 13, 2026

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
pkg/payload/render_test.go (1)

299-303: Prefer early-fail when an expected error is missing.

Using t.Fatalf here avoids cascading assertion noise in inclusion/exclusion checks after a failed precondition.

Optional tidy-up
 			if tt.expectError {
 				if err == nil {
-					t.Errorf("expected error but got none")
+					t.Fatalf("expected error but got none")
 				}
 			} else {
 				if err != nil {
 					t.Fatalf("renderDir failed: %v", err)
 				}
 			}
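Review bot: the expectError branch in this hunk only checks that some error came back, so a test case expecting the invalid-annotation error would also pass on an unrelated failure (for example a read error from the temporary directory); switching to t.Fatalf does not change that. Since the production change wraps the failure as "invalid delete annotation in %s from %s: %w", match on it, e.g. `if !strings.Contains(err.Error(), "invalid delete annotation") { t.Fatalf("unexpected error: %v", err) }`. One more detail to confirm: t.Fatalf ends only the enclosing subtest when the table loop runs each case under t.Run; if the loop does not use subtests, the first failure stops the whole table.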
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/payload/render_test.go` around lines 299 - 303, Replace the non-fatal
assertion that checks for a missing expected error (currently using t.Errorf
when tt.expectError is true and err == nil) with a fatal assertion so the test
stops immediately; specifically change the t.Errorf("expected error but got
none") to t.Fatalf(...) in the test where tt.expectError and err are checked
(the block referencing tt.expectError and err) to prevent subsequent
inclusion/exclusion assertions from running after the precondition fails.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 4447c6b7-2046-44f4-9be6-3c41a2db645f

📥 Commits

Reviewing files that changed from the base of the PR and between e9c1c39 and f64426f.

📒 Files selected for processing (5)
  • bootstrap/bootstrap-pod.yaml
  • cmd/cluster-version-operator/render.go
  • install/0000_00_cluster-version-operator_90_roles-default.yaml
  • pkg/payload/render.go
  • pkg/payload/render_test.go


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/payload/render.go`:
- Around line 151-156: Reorder the validation so the delete-annotation is
checked before feature/profile/version exclusion: call
resourcedelete.ValidDeleteAnnotation(manifest.Obj.GetAnnotations()) first (using
the same error handling pattern that appends to errs with fmt.Errorf("invalid
delete annotation in %s from %s: %w", manifest.String(), file.Name(), err)),
handle the found==true case with the same klog.Infof exclusion message, and only
afterwards call manifest.Include(nil, requiredFeatureSet, clusterProfile, nil,
overrides, enabledFeatureGates, majorVersion); keep existing log messages and
error appending behavior but swap the order of
resourcedelete.ValidDeleteAnnotation and manifest.Include so malformed delete
annotations are always validated.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 3fa4623d-f2a6-484c-801f-8489a6427297

📥 Commits

Reviewing files that changed from the base of the PR and between f64426f and b7b86df.

📒 Files selected for processing (5)
  • bootstrap/bootstrap-pod.yaml
  • cmd/cluster-version-operator/render.go
  • install/0000_00_cluster-version-operator_90_roles-default.yaml
  • pkg/payload/render.go
  • pkg/payload/render_test.go
✅ Files skipped from review due to trivial changes (3)
  • install/0000_00_cluster-version-operator_90_roles-default.yaml
  • bootstrap/bootstrap-pod.yaml
  • cmd/cluster-version-operator/render.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/payload/render_test.go
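
The render-time filtering described in the walkthrough above (manifests annotated "true" are excluded, invalid values produce errors) and the ordering point raised in the inline comment on pkg/payload/render.go, as an added example written for this page and not code from the cluster-version-operator repository. The Manifest type, the include.release.openshift.io/<profile>: "true" opt-in rule used as the stand-in for the profile inclusion check, the validDeleteAnnotation contract (absent means not marked, "true" means marked, anything else is an error) and the sample manifests are all assumptions made for this example. Filter takes a flag selecting which check runs first, so the difference the reviewer points at is observable: with the inclusion check first, a malformed delete annotation on a manifest the profile excludes is never validated.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DeleteAnnotation marks an object the release wants removed rather than applied.
const DeleteAnnotation = "release.openshift.io/delete"

// Manifest is a stand-in (constructed for this example) for one payload object:
// only the metadata the filter needs, not a full Kubernetes object.
type Manifest struct {
	Name        string
	Annotations map[string]string
}

// validDeleteAnnotation follows the contract assumed here (not the project's own
// helper): absent means not marked, "true" means marked for deletion, and any
// other value is a malformed annotation and therefore an error.
func validDeleteAnnotation(annotations map[string]string) (bool, error) {
	val, ok := annotations[DeleteAnnotation]
	if !ok {
		return false, nil
	}
	if val != "true" {
		return false, fmt.Errorf("%s must be \"true\" when present, got %q", DeleteAnnotation, val)
	}
	return true, nil
}

// includedForProfile is a simplified inclusion rule (assumption): a manifest is
// rendered for a cluster profile only if it opts in with
// include.release.openshift.io/<profile>: "true".
func includedForProfile(m Manifest, profile string) bool {
	return m.Annotations["include.release.openshift.io/"+profile] == "true"
}

// Filter returns the manifests to render for profile. With deleteFirst set, the
// delete annotation is validated on every manifest before the inclusion check
// (the order recommended in the review); with it unset, the inclusion check runs
// first and a malformed delete annotation on an excluded manifest goes unnoticed.
// Manifests marked for deletion are never emitted; every malformed annotation is
// collected so the caller sees all of them in one error.
func Filter(manifests []Manifest, profile string, deleteFirst bool) ([]Manifest, error) {
	var kept []Manifest
	var errs []error
	for _, m := range manifests {
		if !deleteFirst && !includedForProfile(m, profile) {
			continue
		}
		marked, err := validDeleteAnnotation(m.Annotations)
		if err != nil {
			errs = append(errs, fmt.Errorf("invalid delete annotation in %s: %w", m.Name, err))
			continue
		}
		if marked {
			continue // bootstrap must not apply an object the release removes
		}
		if deleteFirst && !includedForProfile(m, profile) {
			continue
		}
		kept = append(kept, m)
	}
	return kept, errors.Join(errs...)
}

// Names lists manifest names, for reporting and assertions.
func Names(ms []Manifest) []string {
	out := make([]string, 0, len(ms))
	for _, m := range ms {
		out = append(out, m.Name)
	}
	return out
}

// SampleManifests is constructed input: a normal object, one marked for deletion,
// one with a misspelled value, and one excluded by profile that also carries a
// malformed value (the case whose handling depends on check ordering).
func SampleManifests() []Manifest {
	const ha = "include.release.openshift.io/self-managed-high-availability"
	return []Manifest{
		{Name: "crb-keep", Annotations: map[string]string{ha: "true"}},
		{Name: "crb-default", Annotations: map[string]string{ha: "true", DeleteAnnotation: "true"}},
		{Name: "cm-typo", Annotations: map[string]string{ha: "true", DeleteAnnotation: "yes"}},
		{Name: "sa-other-profile", Annotations: map[string]string{
			"include.release.openshift.io/single-node": "true", DeleteAnnotation: "True"}},
	}
}

func main() {
	for _, deleteFirst := range []bool{true, false} {
		kept, err := Filter(SampleManifests(), "self-managed-high-availability", deleteFirst)
		fmt.Printf("deleteFirst=%v kept=%s\n", deleteFirst, strings.Join(Names(kept), ","))
		if err != nil {
			fmt.Printf("  errors:\n    %s\n", strings.ReplaceAll(err.Error(), "\n", "\n    "))
		}
	}
}
```

With deleteFirst set, both cm-typo and sa-other-profile are reported and only crb-keep is rendered; with it unset, sa-other-profile's "True" is silently dropped along with the manifest, which is the gap the review comment asks the real renderDir to close by calling resourcedelete.ValidDeleteAnnotation before manifest.Include.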

@DavidHurta
Contributor Author

@coderabbitai help

@coderabbitai

coderabbitai bot commented Apr 13, 2026

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai generate unit tests to generate unit tests for this PR.
  • @coderabbitai resolve merge conflict to automatically resolve merge conflicts.
  • @coderabbitai autofix to automatically fix issues identified in unresolved review comments.
  • @coderabbitai resolve to resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, support, documentation and community

  • Visit our status page to check the current availability of CodeRabbit.
  • Create a ticket on our support page for assistance with any issues or questions.
  • Visit our documentation site for detailed information on how to use CodeRabbit.
  • Join our Discord community to connect with other users and get help from the community.
  • Follow us on X/Twitter for updates and announcements.

@DavidHurta
Contributor Author

@coderabbitai summary

@coderabbitai

coderabbitai bot commented Apr 13, 2026

✅ Actions performed

Summary regeneration triggered.

@DavidHurta
Contributor Author

@coderabbitai summary

Also note the added delete annotation to remove the CRB.

@coderabbitai

coderabbitai bot commented Apr 13, 2026

@DavidHurta: Thanks for the context! I've noted that the key mechanism in this PR is the addition of the release.openshift.io/delete: "true" annotation to the cluster-version-operator RoleBinding in install/0000_00_cluster-version-operator_90_roles-default.yaml, which — combined with the new validation logic in pkg/payload/render.go — causes the CRB to be excluded (effectively removed) during manifest rendering. I'll include this in the regenerated summary.

The PR removes the ClusterRoleBinding (CRB) for the default openshift-cluster-version ServiceAccount by adding a release.openshift.io/delete: "true" annotation to the RoleBinding manifest, with supporting render-time filtering logic to exclude annotated manifests from the output.

✅ Actions performed

Summary regeneration triggered.

@DavidHurta
Contributor Author

/jira refresh

@openshift-ci-robot
Contributor

@DavidHurta: This pull request references Jira Issue OCPBUGS-80925, which is invalid:

  • expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.23.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@DavidHurta
Contributor Author

/retest-required

@openshift-ci
Contributor

openshift-ci bot commented Apr 14, 2026

@DavidHurta: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-aws-ovn-techpreview (commit b7b86df, required): /test e2e-aws-ovn-techpreview
  • ci/prow/e2e-agnostic-ovn-techpreview-serial-3of3 (commit b7b86df, required): /test e2e-agnostic-ovn-techpreview-serial-3of3
  • ci/prow/e2e-agnostic-ovn-techpreview-serial-1of3 (commit b7b86df, required): /test e2e-agnostic-ovn-techpreview-serial-1of3
  • ci/prow/e2e-hypershift-conformance (commit b7b86df, required): /test e2e-hypershift-conformance
  • ci/prow/e2e-agnostic-ovn (commit b7b86df, required): /test e2e-agnostic-ovn
  • ci/prow/e2e-agnostic-ovn-techpreview-serial-2of3 (commit b7b86df, required): /test e2e-agnostic-ovn-techpreview-serial-2of3

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
