HYPERFLEET-1108 - feat: Label all E2E-created resources with a unique run ID (DRAFT)

[mliptak0]

Summary

• HYPERFLEET-1108

Test Plan

• Unit tests added/updated
• make test-all passes
• make lint passes
• Helm chart changes validated with make test-helm (if applicable)
• Deployed to a development cluster and verified (if Helm/config changes)
• E2E tests passed (if cross-component or major changes)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mliptak0 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (2)

• do-not-merge/work-in-progress
• do-not-merge/hold

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a4e5d7fa-7083-419f-884d-9a94f6e38217

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

A globally scoped E2E run ID is introduced across the test infrastructure. The pkg/helper package gains GenerateRunID, SetRunID, and GetRunID, where GenerateRunID reads E2E_RUN_ID (validating against the 63-char Kubernetes label limit and an allowed-character regex) or falls back to UUID v7. The Helper struct gains a RunID field populated at construction. The suite lifecycle calls GenerateRunID in BeforeSuite. A --e2e-run-id CLI flag injects the value into the environment before suite execution. DeployAdapter appends Helm --set flags to stamp the run ID as a label and env var on adapter pods. Deploy scripts export and validate E2E_RUN_ID. All testdata adapter YAML configs replace or add an e2eRunId parameter and apply e2e.hyperfleet.io/run-id labels to created Kubernetes resources.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

CWE-807 / env variable trust boundary — cmd.go:94–102: os.Setenv("E2E_RUN_ID", args.e2eRunID) is called before GenerateRunID reads it. The flag value is not validated here; it passes raw CLI input into the environment that GenerateRunID then reads and validates. The validation in GenerateRunID (length ≤63, regex) is the only gate. Confirm no code path can bypass GenerateRunID and consume a raw, unvalidated E2E_RUN_ID from a Helm --set injection point.

CWE-330 / insufficient randomness — pkg/helper/adapter.go:20–26: randomAlphanumeric now uses crypto/rand via rand.Int, which is correct. However the prior generateRandomString removal must be confirmed to have no remaining callers — if any test helper still references the old name it will panic at runtime, not compile time, if the symbol was unexported.

CWE-20 / deploy-scripts/lib/adapter.sh:170–179 — The shell-level E2E_RUN_ID length check is a string comparison in bash, not a byte-level check. A value containing multi-byte UTF-8 characters could pass the ${#E2E_RUN_ID} character-count guard while exceeding the Kubernetes 63-byte label value limit. Kubernetes label values are byte-limited, not character-limited. The Go GenerateRunID path correctly rejects this but the shell path does not.

CWE-78 / shell injection in adapter.sh:216–218 — E2E_RUN_ID is interpolated directly into helm --set argument strings without quoting or escaping beyond the dot-in-label-key escaping. If E2E_RUN_ID contains characters meaningful to Helm's --set parser (e.g., commas, braces), it can corrupt the Helm invocation. The Go GenerateRunID regex gate blocks this for Go-originated IDs, but the shell script has no equivalent character-class restriction.

Supply chain note — testdata/adapter-configs/cl-invalid-resource removes testRunId entirely. Any CI job or external caller that still passes TEST_RUN_ID will silently receive an empty required param, causing task failure. Verify no prow job configs still export TEST_RUN_ID for these configs.

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
Sec-02: Secrets In Log Output	❌ Error	PR logs credentials in plaintext: deploy-scripts/lib/adapter.sh line 235 logs helm_cmd[*] containing --set broker.rabbitmq.url=${ADAPTER_BROKER_RABBITMQ_URL} (AMQP URL with user:password); pkg/...	Remove credential-bearing values from log output. Redact AMQP/API URLs, tokens, passwords in both bash and Go logging. Use sanitized argument logging for security-sensitive commands.
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
No Injection Vectors	⚠️ Warning	Shell script deployment path lacks character validation for E2E_RUN_ID. While Go code validates via labelValueRegex, deploy-scripts/lib/adapter.sh (line 170-178) only checks length, allowing shell...	Add regex validation in deploy-scripts/lib/adapter.sh after line 178 to match Go's pattern: if [[ ! "${e2e_run_id}" =~ ^[a-zA-Z0-9]([-_.a-zA-Z0-9]*[a-zA-Z0-9])?$ ]]; then log_error... fi

✅ Passed checks (8 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No Hardcoded Secrets	✅ Passed	No hardcoded secrets, API keys, tokens, passwords, private keys, or base64-encoded credentials detected. E2E_RUN_ID is a UUID-based resource labeling identifier, not sensitive data.
No Weak Cryptography	✅ Passed	No banned cryptographic primitives (MD5, DES, RC4, SHA1 for security) or custom crypto implementations. SHA256 used only for content hashing (release name truncation). Proper use of crypto/rand and...
No Privileged Containers	✅ Passed	No privileged containers detected. PR adds E2E run ID labeling: no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN caps, allowPrivilegeEscalation: true, or runAsUser: 0 acr...
No Pii Or Sensitive Data In Logs	✅ Passed	All logging statements use structured key-value logging (logger.Info) or structured error messages. Run IDs logged are test identifiers (UUID v7), not PII. No raw request bodies, session IDs, or cr...
Title check	✅ Passed	The title accurately describes the main feature: labeling E2E-created resources with a unique run ID, matching the changeset scope across Go code, shell scripts, and YAML configurations.
Description check	✅ Passed	The description references HYPERFLEET-1108 and outlines a test plan checklist related to validating the E2E resource labeling feature, which aligns with the changeset scope.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

pkg/helper/adapter.go (1)

25-27: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Document intentional crypto/rand fallback.

Silent fallback to time-based randomness when crypto/rand fails is intentional degradation. Per path instructions ERR-01 and QUAL-02, add a comment explaining why this is acceptable (diagnostic log suffix collision is low-impact).

📝 Suggested comment

 		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
 		if err != nil {
+			// Fallback to time-based randomness for diagnostic log suffix; crypto quality not required
 			b[i] = charset[(time.Now().UnixNano()+int64(i))%int64(len(charset))]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helper/adapter.go` around lines 25 - 27, Add a comment above or within
the error handling block (after the rand.Int call fails) in the charset
randomization logic that explains the intentional fallback to time-based
randomness is acceptable because diagnostic log suffix collisions have low
impact. Reference that this is intentional degradation per error handling and
quality guidelines, making it clear to future maintainers that the silent
fallback using time.Now().UnixNano() is not an oversight but a deliberate design
choice.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy-scripts/lib/adapter.sh`:
- Around line 216-218: The hardcoded array indices env[0].name and env[0].value
on lines 216-217 will overwrite existing environment variables instead of
appending to them. Coordinate with the chart maintainers to modify the Helm
chart to accept a dedicated values path (such as e2e.runID) and have the chart
template merge this value into the env array without using fixed indices.
Replace the --set "env[0].name=E2E_RUN_ID" and --set
"env[0].value=${e2e_run_id}" calls with a --set call to your new dedicated
values path so conflicts are avoided.
- Around line 170-179: The E2E_RUN_ID validation block is missing character
validation for Kubernetes label values. After the existing length check (which
validates that e2e_run_id does not exceed 63 characters), add an additional
validation check to ensure the e2e_run_id matches the Kubernetes label value
regex pattern which allows only alphanumeric characters, hyphens, underscores,
and periods, and must start and end with an alphanumeric character. Use a
conditional test to match the variable against the required pattern and log an
error with a clear message describing which characters are allowed if the
validation fails.

In `@testdata/adapter-configs/cl-crash/adapter-task-config.yaml`:
- Line 56: The label key `e2e.hyperfleet.io/run-id` on line 56 of the
adapter-task-config.yaml file is inconsistent with the Helm injection that uses
`e2e.hyperfleet.io/run` in pkg/helper/adapter.go (set via --set
labels.e2e\\.hyperfleet\\.io/run=%s). Change the label key from
`e2e.hyperfleet.io/run-id` to `e2e.hyperfleet.io/run` to unify the label keys
across both Helm and adapter resources, ensuring cleanup and reporting use a
single consistent selector key.

In
`@testdata/adapter-configs/cl-deployment/adapter-task-resource-deployment.yaml`:
- Line 10: The run-id label is currently only applied to the Deployment metadata
but not to the Pod template metadata. Add the same label
`e2e.hyperfleet.io/run-id: "{{ .e2eRunId }}"` to the
`spec.template.metadata.labels` section of the YAML configuration so that Pods
created from this Deployment template inherit the run-id label and become
selectable by E2E run-id selectors.

In `@testdata/adapter-configs/cl-job/adapter-task-resource-job.yaml`:
- Line 11: The label e2e.hyperfleet.io/run-id is currently set only on the Job
object metadata, but Pods created by this Job will not inherit it. To fix this,
add the same label e2e.hyperfleet.io/run-id: "{{ .e2eRunId }}" under the Pod
template specification at spec.template.metadata.labels so that all Pods spawned
by this Job will carry the run-id label for proper tracking and identification.

In `@testdata/adapter-configs/cl-m-unreg-consumer/adapter-task-config.yaml`:
- Line 85: The e2e.hyperfleet.io/run-id label is currently only applied to the
ManifestWork wrapper resource at line 85 but is missing from the nested manifest
resources (Namespace and ConfigMap) that start at line 126. You need to
propagate the run-id label by adding the same e2e.hyperfleet.io/run-id: "{{
.e2eRunId }}" label to the metadata.labels section of each nested resource
definition so that target-cluster resources can be properly filtered and cleaned
by run-id.

---

Nitpick comments:
In `@pkg/helper/adapter.go`:
- Around line 25-27: Add a comment above or within the error handling block
(after the rand.Int call fails) in the charset randomization logic that explains
the intentional fallback to time-based randomness is acceptable because
diagnostic log suffix collisions have low impact. Reference that this is
intentional degradation per error handling and quality guidelines, making it
clear to future maintainers that the silent fallback using time.Now().UnixNano()
is not an oversight but a deliberate design choice.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a1d0dac1-18dc-4467-af82-bee96dd31978

📥 Commits

Reviewing files that changed from the base of the PR and between c328ef6 and 4e6c493.

📒 Files selected for processing (23)

• cmd/hyperfleet-e2e/test/cmd.go
• deploy-scripts/deploy-clm.sh
• deploy-scripts/lib/adapter.sh
• pkg/e2e/suite.go
• pkg/helper/adapter.go
• pkg/helper/helper.go
• pkg/helper/suite.go
• testdata/adapter-configs/cl-crash/adapter-task-config.yaml
• testdata/adapter-configs/cl-deployment/adapter-task-config.yaml
• testdata/adapter-configs/cl-deployment/adapter-task-resource-deployment.yaml
• testdata/adapter-configs/cl-invalid-resource/adapter-task-config.yaml
• testdata/adapter-configs/cl-job/adapter-task-config.yaml
• testdata/adapter-configs/cl-job/adapter-task-resource-job.yaml
• testdata/adapter-configs/cl-m-unreg-consumer/adapter-task-config.yaml
• testdata/adapter-configs/cl-m-wrong-ds/adapter-task-config.yaml
• testdata/adapter-configs/cl-m-wrong-nest/adapter-task-config.yaml
• testdata/adapter-configs/cl-maestro/adapter-task-config.yaml
• testdata/adapter-configs/cl-maestro/adapter-task-resource-manifestwork.yaml
• testdata/adapter-configs/cl-namespace/adapter-task-config.yaml
• testdata/adapter-configs/cl-precondition-error/adapter-task-config.yaml
• testdata/adapter-configs/cl-stuck/adapter-task-config.yaml
• testdata/adapter-configs/np-configmap/adapter-task-config.yaml
• testdata/adapter-configs/np-configmap/adapter-task-resource-configmap.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Missing character validation for E2E_RUN_ID label value.

Lines 170-179 validate length (≤63 chars) but not allowed characters. Kubernetes label values must match (([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?. Invalid characters (e.g., spaces, special chars) will cause Helm deployment failure at line 218.

🔒 Proposed validation fix

   if (( ${`#e2e_run_id`} > 63 )); then
     log_error "E2E_RUN_ID '${e2e_run_id}' is ${`#e2e_run_id`} characters, exceeds the 63-character Kubernetes label value limit."
     return 1
   fi
+  if [[ ! "${e2e_run_id}" =~ ^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$ ]]; then
+    log_error "E2E_RUN_ID '${e2e_run_id}' contains invalid characters. Must match Kubernetes label value format: ([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]"
+    return 1
+  fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy-scripts/lib/adapter.sh` around lines 170 - 179, The E2E_RUN_ID
validation block is missing character validation for Kubernetes label values.
After the existing length check (which validates that e2e_run_id does not exceed
63 characters), add an additional validation check to ensure the e2e_run_id
matches the Kubernetes label value regex pattern which allows only alphanumeric
characters, hyphens, underscores, and periods, and must start and end with an
alphanumeric character. Use a conditional test to match the variable against the
required pattern and log an error with a clear message describing which
characters are allowed if the validation fails.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Hardcoded env array index risks clobbering existing environment variables.

Lines 216-217 inject env[0].name=E2E_RUN_ID and env[0].value=<run-id>. Same issue as adapter.go: Helm array indexing replaces, doesn't append. If chart defines env or another --set targets env[0], this overwrites existing entries.

Coordinate with chart maintainers to use a dedicated values path (e.g., e2e.runID) that the chart merges into env without index conflicts.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy-scripts/lib/adapter.sh` around lines 216 - 218, The hardcoded array
indices env[0].name and env[0].value on lines 216-217 will overwrite existing
environment variables instead of appending to them. Coordinate with the chart
maintainers to modify the Helm chart to accept a dedicated values path (such as
e2e.runID) and have the chart template merge this value into the env array
without using fixed indices. Replace the --set "env[0].name=E2E_RUN_ID" and
--set "env[0].value=${e2e_run_id}" calls with a --set call to your new dedicated
values path so conflicts are avoided.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Unify run label key across Helm and adapter resources

Line 56 uses e2e.hyperfleet.io/run-id, but Helm injection uses e2e.hyperfleet.io/run in pkg/helper/adapter.go (--set labels.e2e\\.hyperfleet\\.io/run=%s). This splits selectors across two keys and breaks single-key cleanup/reporting.

Proposed fix

-          e2e.hyperfleet.io/run-id: "{{ .e2eRunId }}"
+          e2e.hyperfleet.io/run: "{{ .e2eRunId }}"

Or standardize the Helm key to run-id everywhere instead.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@testdata/adapter-configs/cl-crash/adapter-task-config.yaml` at line 56, The
label key `e2e.hyperfleet.io/run-id` on line 56 of the adapter-task-config.yaml
file is inconsistent with the Helm injection that uses `e2e.hyperfleet.io/run`
in pkg/helper/adapter.go (set via --set labels.e2e\\.hyperfleet\\.io/run=%s).
Change the label key from `e2e.hyperfleet.io/run-id` to `e2e.hyperfleet.io/run`
to unify the label keys across both Helm and adapter resources, ensuring cleanup
and reporting use a single consistent selector key.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Add run-id label on Job Pod template

Line 11 labels only the Job object. Pods created by this Job are not guaranteed to carry e2e.hyperfleet.io/run-id unless it is set under spec.template.metadata.labels.

Proposed fix

 spec:
   backoffLimit: 0
   template:
+    metadata:
+      labels:
+        e2e.hyperfleet.io/run-id: "{{ .e2eRunId }}"
     spec:
       restartPolicy: Never

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@testdata/adapter-configs/cl-job/adapter-task-resource-job.yaml` at line 11,
The label e2e.hyperfleet.io/run-id is currently set only on the Job object
metadata, but Pods created by this Job will not inherit it. To fix this, add the
same label e2e.hyperfleet.io/run-id: "{{ .e2eRunId }}" under the Pod template
specification at spec.template.metadata.labels so that all Pods spawned by this
Job will carry the run-id label for proper tracking and identification.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Run-id is not propagated to nested ManifestWork payload resources

Line 85 labels the ManifestWork wrapper only. The nested Namespace/ConfigMap manifests (lines 126+ context) are created without e2e.hyperfleet.io/run-id, so target-cluster resources cannot be filtered/cleaned by run-id.

Proposed fix pattern

           - apiVersion: v1
             kind: Namespace
             metadata:
               name: "{{ .clusterId | lower }}-{{ .adapter.name }}-namespace"
               labels:
                 app.kubernetes.io/component: adapter-task-config
                 app.kubernetes.io/instance: "{{ .adapter.name }}"
                 app.kubernetes.io/name: cl-maestro
                 app.kubernetes.io/transport: maestro
+                e2e.hyperfleet.io/run-id: "{{ .e2eRunId }}"
           - apiVersion: v1
             kind: ConfigMap
             metadata:
               name: "{{ .clusterId | lower }}-{{ .adapter.name }}-configmap"
               namespace: "{{ .clusterId | lower }}-{{ .adapter.name }}-namespace"
               labels:
                 app.kubernetes.io/component: adapter-task-config
                 app.kubernetes.io/instance: "{{ .adapter.name }}"
                 app.kubernetes.io/name: cl-maestro
                 app.kubernetes.io/version: 1.0.0
                 app.kubernetes.io/transport: maestro
+                e2e.hyperfleet.io/run-id: "{{ .e2eRunId }}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@testdata/adapter-configs/cl-m-unreg-consumer/adapter-task-config.yaml` at
line 85, The e2e.hyperfleet.io/run-id label is currently only applied to the
ManifestWork wrapper resource at line 85 but is missing from the nested manifest
resources (Namespace and ConfigMap) that start at line 126. You need to
propagate the run-id label by adding the same e2e.hyperfleet.io/run-id: "{{
.e2eRunId }}" label to the metadata.labels section of each nested resource
definition so that target-cluster resources can be properly filtered and cleaned
by run-id.