NO-JIRA: cleanup unused code and refactor for allowlist controller

[karampok]

• Removes unused code (scheme field, configmap template)
• Refactors/simplifies (inlines single-use helpers, better naming)
• No functional changes, just QOL improvements

[coderabbitai]

Walkthrough

Removes a bundled allowlist ConfigMap manifest, renames two exported constants, and refactors the allowlist controller: replaces wiring/signatures to use a cnoclient.Client, renames constants/helpers, changes manifest rendering to accept a manifest path, and updates lifecycle handling for the ConfigMap and DaemonSet. (50 words)

Changes

Cohort / File(s)	Summary
Manifest removal bindata/allowlist/config/configmap.yaml	Deleted Kubernetes ConfigMap manifest cni-sysctl-allowlist that contained regexp entries for node-bound sysctls.
Controller refactor pkg/controller/allowlist/allowlist_controller.go	Large refactor: replaced reconciler construction and signatures to accept cnoclient.Client; removed scheme from ReconcileAllowlist; renamed constants/vars (allowlistDsName→dsName, allowlistAnnotation→dsAnnotation, manifestDir→dsManifestDir, allowlistManifestDir→defaultCMManifest); renamed helpers and APIs (createObjects→createObjectsFrom, getConfig→getConfigMap, cleanup→cleanupDaemonSet, daemonsetConfigExists→allowlistConfigMapExists); changed manifest rendering to use manifestPath; updated namespace/name references to names.MultusNamespace and names.AllowlistConfigName; added nil-ConfigMap handling and adjusted creation/cleanup flows; removed unused imports.
Constants renaming pkg/names/names.go	Renamed exported constants: MULTUS_NAMESPACE → MultusNamespace, ALLOWLIST_CONFIG_NAME → AllowlistConfigName (values unchanged).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Verify all renamed functions, constants, and signatures are updated and compile across the repository.
• Inspect code paths that create the default ConfigMap from defaultCMManifest and validate error handling and contents expected by other components.
• Review DaemonSet creation/cleanup, pod readiness checks, and any annotation/name assumptions after renames.
• Confirm removal of bindata/allowlist/config/configmap.yaml doesn't break any tests, CI jobs, or consumers that expected the file.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

pkg/controller/allowlist/allowlist_controller.go (2)

108-116: TODO comment needs clarification or resolution.

The comment on line 113 (TODO should reconcile before on create?) is unclear. Consider addressing it in this PR or adding more context about what needs to be decided.

---

242-252: Redundant nil check on successful Get.

When Get returns without error, cm will always be non-nil. The cm != nil check on line 251 is unnecessary.

 	if err != nil {
 		if apierrors.IsNotFound(err) {
 			return false, nil
 		}
 		return false, err
 	}
-	return cm != nil, nil
+	return true, nil
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 41be31e and 37a59a6.

📒 Files selected for processing (3)

• bindata/allowlist/config/configmap.yaml (0 hunks)
• pkg/controller/allowlist/allowlist_controller.go (11 hunks)
• pkg/names/names.go (1 hunks)

💤 Files with no reviewable changes (1)

• bindata/allowlist/config/configmap.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/names/names.go
• pkg/controller/allowlist/allowlist_controller.go

🧬 Code graph analysis (1)

pkg/controller/allowlist/allowlist_controller.go (2)

pkg/names/names.go (2)

• MultusNamespace (33-33)
• AllowlistConfigName (36-36)

pkg/render/render.go (2)

• MakeRenderData (25-30)
• RenderDir (34-36)

🔇 Additional comments (9)

pkg/names/names.go (1)

35-36: LGTM!

The constant rename to AllowlistConfigName follows Go naming conventions, and the comment accurately describes its purpose.

pkg/controller/allowlist/allowlist_controller.go (8)

46-51: LGTM!

The simplified initialization directly constructing ReconcileAllowlist removes unnecessary indirection and improves readability.

---

79-82: LGTM!

Removing the unused scheme field simplifies the struct.

---

118-150: LGTM!

The reconciliation flow is clear, and the use of defer cleanupDaemonSet ensures cleanup happens regardless of the path taken through the function.

---

152-167: LGTM!

The refactored createObjectsFrom function is more flexible by accepting a manifest path parameter, and provides clear error context.

---

169-179: LGTM!

The renamed getConfigMap function has clearer naming and appropriate error handling.

---

181-213: LGTM!

The pod readiness check correctly uses the new constants and handles ownership validation.

---

215-240: LGTM!

The renamed cleanupDaemonSet function is more descriptive, and both functions correctly use the centralized constants.

---

38-44: Let me search for information about the RenderDir function online to understand its expected behavior.

[search query: RenderDir function go manifest rendering bindata]

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Misleading comment copied from APPLIED_NAMESPACE.

The comment states this is "the namespace where applied configuration configmaps are stored" but that describes APPLIED_NAMESPACE above. MultusNamespace is the namespace for Multus network components.

-// MultusNamespace is the namespace where applied configuration
-// configmaps are stored.
-// Should match 00_namespace.yaml
+// MultusNamespace is the namespace where Multus components are deployed.
 const MultusNamespace = "openshift-multus"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// MultusNamespace is the namespace where applied configuration
	// configmaps are stored.
	// Should match 00_namespace.yaml
	const MULTUS_NAMESPACE = "openshift-multus"
	const MultusNamespace = "openshift-multus"
	// MultusNamespace is the namespace where Multus components are deployed.
	const MultusNamespace = "openshift-multus"

🤖 Prompt for AI Agents

In pkg/names/names.go around lines 30 to 33, the comment for MultusNamespace
incorrectly repeats the description for APPLIED_NAMESPACE; update the comment to
accurately state that MultusNamespace is the namespace for Multus network
components (e.g., used for deploying Multus-related resources) and remove the
reference to "applied configuration configmaps". Keep the constant name and
value unchanged.

[zeeke]

/lgtm

Great cleaning IMO

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: karampok, zeeke
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zeeke]

/retest

[openshift-ci-robot]

@karampok: This pull request explicitly references no jira issue.

Details

In response to this:

• Removes unused code (scheme field, configmap template)
• Refactors/simplifies (inlines single-use helpers, better naming)
• No functional changes, just QOL improvements

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jrvaldes]

/test e2e-aws-ovn-windows

PR merged

• Do not fail metadata endpoint check in AWS windows-machine-config-operator#3603

[jcaamano]

@karampok

Can you address the @coderrabitai comments?
Is there any testing coverage for this controller?

[jcaamano]

Can you explain the motivation of the dsManifest value change? I am missing it from the commit message. This is being passed to a renderDir function so it wouldn't naturally make sense.

[karampok]

Since that dir has only one manifest

tree bindata/allowlist/daemonset/
bindata/allowlist/daemonset/
└── daemonset.yaml

having a Dir is more confusing, and there is no path (AFAIK) that will be any other manifest there.

This PR is minimal refactoring, in a next PR I will also refactor the renderDir as this is what does not make sense

[jcaamano]

I am not sure I agree. The daemonset is represented by the contents of bindata/allowlist/daemonset/; the fact that this is represented by a single or multiple manifests is a detail that is best left out from the controller code. Otherwise, if in the future we want to add more manifests (let's say a config map) then we would need to change the code. Rendering directories is the common pattern we follow in CNO to abstract the code from this fact.

[karampok]

no strong opinion, i changed to dsManifestDir = "../../bindata/allowlist/daemonset"

[karampok]

@karampok

Can you address the @coderrabitai comments?

I will fix the typo for the first comment. The second comment is actually code/comment which I do not want to touch since many comments are in that way.

Is there any testing coverage for this controller?

Unfortunately there is no unit test, there are some high level test in origin

"[sig-network][Feature:tuning] pod should not start for sysctls not on whitelist [apigroup:k8s.cni.cncf.io] net.ipv4.conf.IFNAME.arp_filter [Suite:openshift/conformance/parallel]"

and here https://github.com/openshift-kni/cnf-features-deploy/blob/master/cnf-tests/testsuites/e2esuite/security/tuning.go

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

pkg/controller/allowlist/allowlist_controller.go (1)

70-70: Typo already flagged in previous review.

The comment contains "there cni-sysctl-allowlist" which should be "the cni-sysctl-allowlist". This was already identified in a previous review and you acknowledged you would fix it.

🧹 Nitpick comments (1)

pkg/controller/allowlist/allowlist_controller.go (1)

108-113: Consider clarifying or removing the TODO comment.

The TODO on line 113 ("should reconcile before on create?") is unclear. If this is a known enhancement, consider creating an issue and referencing it in the comment, or remove it if it's no longer relevant.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 37a59a6 and 1047c0a.

📒 Files selected for processing (3)

• bindata/allowlist/config/configmap.yaml (0 hunks)
• pkg/controller/allowlist/allowlist_controller.go (11 hunks)
• pkg/names/names.go (1 hunks)

💤 Files with no reviewable changes (1)

• bindata/allowlist/config/configmap.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/names/names.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/controller/allowlist/allowlist_controller.go

🔇 Additional comments (10)

pkg/controller/allowlist/allowlist_controller.go (10)

1-2: LGTM: Clear package documentation.

The updated package comment clearly describes the controller's purpose.

---

46-47: LGTM: Simplified initialization.

Direct instantiation of the reconciler is cleaner than the previous pattern.

---

79-82: LGTM: Struct simplified.

Removal of the unused scheme field aligns with the PR objective to clean up unused code.

---

86-95: LGTM: Cleaner bootstrap logic.

The refactored ConfigMap existence check and creation flow is more straightforward.

---

152-167: LGTM: Simplified object creation.

Removing the intermediate createObject helper and using direct client creation is cleaner. The enhanced error wrapping provides better debugging context.

---

169-179: LGTM: Clear function naming.

Renaming to getConfigMap is more descriptive than the previous getConfig.

---

191-192: LGTM: Constants usage updated.

Correct usage of the new public constants names.MultusNamespace and dsAnnotation.

---

215-228: LGTM: Clean DaemonSet cleanup.

The function correctly uses updated constants and has appropriate error handling.

---

230-240: LGTM: Standard DaemonSet retrieval.

Correct usage of updated constants with proper error handling for NotFound cases.

---

242-252: LGTM: Clear existence check.

The new allowlistConfigMapExists function has clear semantics and correctly handles both the NotFound case and other errors.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/controller/allowlist/allowlist_controller.go (1)

86-95: Fix error handling around allowlistConfigMapExists in Reconcile

The current pattern:

if exists, err := allowlistConfigMapExists(ctx, r.client); !exists {
    err = createObjectsFrom(ctx, r.client, defaultCMManifest)
    ...
} else if err != nil {
    ...
}

is unsafe: if allowlistConfigMapExists returns (false, err) for a non-NotFound error, the !exists branch runs and attempts to create the ConfigMap while silently discarding the lookup failure. This can mask real API errors and cause confusing behavior.

Re-structure to handle err first, then exists, e.g.:

-   if exists, err := allowlistConfigMapExists(ctx, r.client); !exists {
-       err = createObjectsFrom(ctx, r.client, defaultCMManifest)
-       if err != nil {
-           klog.Errorf("Failed to create allowlist config map: %v", err)
-           return reconcile.Result{}, err
-       }
-   } else if err != nil {
-       klog.Errorf("Failed to look up allowlist config map: %v", err)
-       return reconcile.Result{}, err
-   }
+   exists, err := allowlistConfigMapExists(ctx, r.client)
+   if err != nil {
+       klog.Errorf("Failed to look up allowlist config map: %v", err)
+       return reconcile.Result{}, err
+   }
+   if !exists {
+       if err := createObjectsFrom(ctx, r.client, defaultCMManifest); err != nil {
+           klog.Errorf("Failed to create allowlist config map: %v", err)
+           return reconcile.Result{}, err
+       }
+   }

This preserves behavior in the success/NotFound cases while ensuring genuine lookup errors are handled correctly.

Also applies to: 241-250

♻️ Duplicate comments (1)

pkg/names/names.go (1)

30-33: MultusNamespace comment still describes the applied-configmaps namespace

The comment here still matches APPLIED_NAMESPACE above rather than the Multus namespace purpose, which can confuse readers scanning these constants together.

Consider updating it along these lines to better reflect usage:

-// MultusNamespace is the namespace where applied configuration
-// configmaps are stored.
-// Should match 00_namespace.yaml
+// MultusNamespace is the namespace where Multus components are deployed.
+// Should match the Multus namespace in manifests (e.g. 00_namespace.yaml).

🧹 Nitpick comments (1)

pkg/controller/allowlist/allowlist_controller.go (1)

117-117: Consider making createObjectsFrom idempotent for AlreadyExists errors

The DS lifecycle is:

• defer cleanupDaemonSet(...) to ensure cleanup.
• getDaemonSet + early retry if DS already exists.
• createObjectsFrom to render and create DS objects.
• checkDsPodsReady to wait for readiness.

createObjectsFrom currently does a plain Create for each rendered object:

for _, obj := range manifests {
    if err := client.Default().CRClient().Create(ctx, obj); err != nil {
        return errors.Wrapf(err, "error creating %s %s/%s", ...)
    }
}

If a race or prior partial run leaves a resource already present, this will fail with an AlreadyExists error and abort the reconcile, even though the state might be acceptable.

You could make this more robust by treating AlreadyExists as non-fatal for these one-shot resources, e.g.:

-    if err := client.Default().CRClient().Create(ctx, obj); err != nil {
-        return errors.Wrapf(err, "error creating %s %s/%s", obj.GroupVersionKind(), obj.GetNamespace(), obj.GetName())
-    }
+    if err := client.Default().CRClient().Create(ctx, obj); err != nil {
+        if apierrors.IsAlreadyExists(err) {
+            continue
+        }
+        return errors.Wrapf(err, "error creating %s %s/%s", obj.GroupVersionKind(), obj.GetNamespace(), obj.GetName())
+    }

That would keep behavior the same in normal cases while avoiding unnecessary failures on harmless AlreadyExists races.

Also applies to: 130-130, 151-166, 214-223, 230-231

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 65a9f7c and dbc7837.

📒 Files selected for processing (3)

• bindata/allowlist/config/configmap.yaml (0 hunks)
• pkg/controller/allowlist/allowlist_controller.go (11 hunks)
• pkg/names/names.go (1 hunks)

💤 Files with no reviewable changes (1)

• bindata/allowlist/config/configmap.yaml

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/names/names.go
• pkg/controller/allowlist/allowlist_controller.go

🧬 Code graph analysis (1)

pkg/controller/allowlist/allowlist_controller.go (2)

pkg/names/names.go (2)

• MultusNamespace (33-33)
• AllowlistConfigName (36-36)

pkg/render/render.go (2)

• MakeRenderData (25-30)
• RenderDir (34-36)

🔇 Additional comments (6)

pkg/names/names.go (1)

35-36: AllowlistConfigName constant is clear and matches controller usage

The new AllowlistConfigName constant and comment are clear and align with its use in the allowlist controller (watch predicate, render data, and existence checks).

pkg/controller/allowlist/allowlist_controller.go (5)

1-2: Package-level doc for allowlist controller is concise and helpful

The new package comment clearly states the controller’s purpose (distributing CNI sysctl allowlist config to nodes) and improves readability without changing behavior.

---

39-44: DaemonSet/manifest constants are well factored

The dsName, dsAnnotation, dsManifestDir, and defaultCMManifest constants make the DS and manifest wiring explicit and keep magic strings out of the logic, which helps maintainability.

---

46-47: Add() wiring and ConfigMap watch predicate look sound

• Using names.MultusNamespace for the ConfigMap informer scope keeps the controller focused on the expected namespace.
• The predicate with strings.Contains(object.GetName(), names.AllowlistConfigName) matches both cni-sysctl-allowlist and default-cni-sysctl-allowlist, consistent with the comment about using the default as a trigger.

This matches the intended behavior without introducing extra complexity.

Also applies to: 56-56, 70-72

---

97-115: ConfigMap get + delete semantics are consistent with the documented behavior

• if request.Name != names.AllowlistConfigName { return reconcile.Result{}, nil } ensures we only run the DS flow for the main allowlist ConfigMap, while still using changes to the default map as a trigger for creation.
• getConfigMap returns (nil, nil) on NotFound, and the Reconcile logic treats configMap == nil as a no-op, matching the comment about deletion not breaking pods and relying on the auto-create check above.

This aligns the code with the documented behavior and avoids unnecessary churn on accidental deletes.

Also applies to: 168-178

---

190-191: Pod readiness check correctly scopes to Multus namespace and DS label

Listing pods in names.MultusNamespace with LabelSelector: dsAnnotation ties the readiness check tightly to the DS you just created and avoids interference from pods in other namespaces.

[openshift-ci]

@karampok: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/hypershift-e2e-aks	dbc7837	link	true	/test hypershift-e2e-aks
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp	dbc7837	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp
ci/prow/verify	dbc7837	link	true	/test verify
ci/prow/4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade	dbc7837	link	false	/test 4.21-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-ovn	dbc7837	link	true	/test e2e-gcp-ovn
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec	dbc7837	link	true	/test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/security	dbc7837	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.