HYPERFLEET-1289 - feat: tag e2e namespaces with hyperfleet.io/test-ru…

[rh-amarin]

Summary

• make install-hyperfleet now labels the target namespace with hyperfleet.io/test-run=<namespace-name> before helmfile runs
• Namespace cleaner CronJob extended to also clean stale namespaces carrying hyperfleet.io/test-run (OR semantics — each selector queried independently via a for loop)
• Defaults and Makefile variable updated; backward compatible (overriding CLEANER_LABEL_SELECTOR to a single selector restores previous behavior
• Creates a custom rolebinding specific to the namespace it is deployed (so, two jobs can be deployed by helm independently)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sherine-k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

install-hyperfleet now validates and labels $(NAMESPACE) with hyperfleet.io/test-run=$(NAMESPACE) before helmfile ... apply. The namespace-cleaner selector default and chart value now include hyperfleet.io/test-run, and the cleanup script evaluates each space-separated selector independently. The Helm chart also switches cluster-scoped RBAC names to a helper that appends .Release.Namespace.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is specific and matches the main change: tagging e2e namespaces with the new test-run label.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No slog/logr/zap/fmt.Print* output includes token/password/credential/secret in non-test/example files; only benign echo text. CWE-532 not present.
No Hardcoded Secrets	✅ Passed	No CWE-798/CWE-259 findings: touched files have no hardcoded creds, embedded user:pass URLs, or apiKey/secret/token/password string literals.
No Weak Cryptography	✅ Passed	No CWE-327/CWE-208 issues: changed files add no md5/des/rc4/SHA1/ECB, custom crypto, or secret comparison logic.
No Injection Vectors	✅ Passed	No new CWE-78/89/79/502 vector in the PR; NAMESPACE is DNS-validated before kubectl label, and script args are quoted.
No Privileged Containers	✅ Passed	No privileged, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or root USER settings were added in the changed Helm/K8s files; no Dockerfiles present. CWE-732.
No Pii Or Sensitive Data In Logs	✅ Passed	No CWE-532/CWE-200 issue: the new Makefile log prints only a DNS-label namespace and label value, not PII, session IDs, raw bodies, or creds.
Description check	✅ Passed	The description matches the Makefile, namespace cleaner, and RBAC changes described in the diff.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/namespace-cleaner/scripts/namespace-cleaner.sh`:
- Around line 75-99: The namespace cleanup loop in namespace-cleaner.sh
processes the same namespace multiple times when it matches more than one
selector, which leads to duplicate output and misleading delete warnings. Add
cross-iteration deduplication in the main selector loop by tracking namespace
names before the delete path, and skip any namespace already seen so each
namespace is handled only once regardless of how many selectors match it.

In `@Makefile`:
- Around line 337-340: The check-hyperfleet-namespace Make target is expanding
NAMESPACE directly into shell commands, which allows command injection when
overridden from the CLI or environment. Update the recipe to validate NAMESPACE
once before any shell invocation (reuse or strengthen check-namespace if
needed), then pass it safely quoted to the kubectl label command and the echo
output. Keep the fix localized to the check-hyperfleet-namespace target and its
supporting namespace validation logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9755fa33-5af1-4506-a03d-d6bd13a047fe

📥 Commits

Reviewing files that changed from the base of the PR and between a48df96 and 9939bbc.

📒 Files selected for processing (3)

• Makefile
• helm/namespace-cleaner/scripts/namespace-cleaner.sh
• helm/namespace-cleaner/values.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/namespace-cleaner/templates/_helpers.tpl`:
- Around line 47-48: The cluster-scoped name helper can still collide after
truncation because `namespace-cleaner.clusterResourceName` truncates the entire
combined fullname and namespace string, which can drop the namespace identifier
entirely. Update this helper so the namespace contribution is preserved as a
fixed-length suffix derived from `.Release.Namespace` while keeping the base
`namespace-cleaner.fullname` truncated to fit within the 63-character limit.
Ensure the resulting name remains unique per namespace even when the fullname is
long.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: bf032c49-457d-45c4-82dd-113ee92a5a64

📥 Commits

Reviewing files that changed from the base of the PR and between 7ae3ab3 and a4c7e0c.

📒 Files selected for processing (6)

• Makefile
• helm/namespace-cleaner/scripts/namespace-cleaner.sh
• helm/namespace-cleaner/templates/_helpers.tpl
• helm/namespace-cleaner/templates/clusterrole.yaml
• helm/namespace-cleaner/templates/clusterrolebinding.yaml
• helm/namespace-cleaner/values.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

🚧 Files skipped from review as they are similar to previous changes (3)

• helm/namespace-cleaner/values.yaml
• helm/namespace-cleaner/scripts/namespace-cleaner.sh
• Makefile

[coderabbitai]

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Preserve namespace uniqueness after truncation.

This helper can still generate colliding cluster-scoped names when namespace-cleaner.fullname already consumes most of the 63-character budget, because .Release.Namespace gets truncated off. That reintroduces ClusterRole/ClusterRoleBinding conflicts between installs in different namespaces and breaks the isolation this PR is adding. Keep a fixed-length namespace-derived suffix instead of truncating the entire combined string.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helm/namespace-cleaner/templates/_helpers.tpl` around lines 47 - 48, The
cluster-scoped name helper can still collide after truncation because
`namespace-cleaner.clusterResourceName` truncates the entire combined fullname
and namespace string, which can drop the namespace identifier entirely. Update
this helper so the namespace contribution is preserved as a fixed-length suffix
derived from `.Release.Namespace` while keeping the base
`namespace-cleaner.fullname` truncated to fit within the 63-character limit.
Ensure the resulting name remains unique per namespace even when the fullname is
long.

[ma-hill]

Since this is a non-blocking call, it won't error out if the namespace failed to be deleted. With --wait=false, kubectl would almost never fail because it only validates that the DELETE request was accepted by the API server.

I'm not sure what the alternative is because we don't want to block the deletion. But the namespace could just hang in terminating state forever and the logs from this script would be "Delete requested for namespace"