OCPBUGS-84491: Set terminationMessagePolicy on gateway proxy containers

[gcs278]

Summary

• Extends the Istio gatewayclass customization to include a deployment overlay that sets terminationMessagePolicy=FallbackToLogsOnError on the istio-proxy container, satisfying the OCP platform policy enforced by the termination-message-policy monitor test.
• Renames buildHorizontalPodAutoscalerConfig to buildGatewayClassesConfig since it now builds all per-gatewayclass overlays (HPA + deployment).
• Adds an E2E assertion in ensureGatewayObjectSuccess to verify the policy is applied.

Test plan

• Unit tests pass (go test ./pkg/operator/controller/gatewayclass/...)
• E2E: TestGatewayAPI verifies terminationMessagePolicy=FallbackToLogsOnError on the gateway proxy deployment

🤖 Generated with Claude Code

[openshift-ci-robot]

@gcs278: This pull request references Jira Issue OCPBUGS-84491, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Extends the Istio gatewayclass customization to include a deployment overlay that sets terminationMessagePolicy=FallbackToLogsOnError on the istio-proxy container, satisfying the OCP platform policy enforced by the termination-message-policy monitor test.
• Renames buildHorizontalPodAutoscalerConfig to buildGatewayClassesConfig since it now builds all per-gatewayclass overlays (HPA + deployment).
• Adds an E2E assertion in ensureGatewayObjectSuccess to verify the policy is applied.

Test plan

• Unit tests pass (go test ./pkg/operator/controller/gatewayclass/...)
• E2E: TestGatewayAPI verifies terminationMessagePolicy=FallbackToLogsOnError on the gateway proxy deployment

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR replaces the previous HPA-focused config builder with a new buildGatewayClassesConfig that produces per-GatewayClass JSON overlays containing horizontalPodAutoscaler (min/max replicas) and a deployment.template.spec.containers entry for the istio-proxy container with terminationMessagePolicy: FallbackToLogsOnError. Call sites in Istio install paths and controller logic now use buildGatewayClassesConfig. Tests were updated to create combined gateway class configs via gatewayclassConfig/gatewayclassesConfig, and an e2e helper plus invocation were added to assert the terminationMessagePolicy on gateway deployments. A new unexported constant gatewayProxyContainerName was added.

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: setting terminationMessagePolicy on gateway proxy containers, which aligns with the primary modification across all affected files.
Description check	✅ Passed	The description is clearly related to the changeset, explaining the summary of changes, renames, and E2E assertions that correspond to the actual modifications in the files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR does not use Ginkgo tests. All tests use Go's standard testing.T framework with static, deterministic test names. The custom check for Ginkgo test stability is not applicable here.
Test Structure And Quality	✅ Passed	Tests have proper timeouts (2-minute max), meaningful messages, cleanup patterns, and follow existing conventions. assertTerminationMessagePolicy is consistent with other assertions.
Microshift Test Compatibility	✅ Passed	PR does not introduce new Ginkgo e2e tests. Only modifies existing test helpers using standard Kubernetes APIs available on MicroShift. Check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR adds helper function assertTerminationMessagePolicy, not a test. Function checks deployment containers—works on all topologies. SNO already handled in code.
Topology-Aware Scheduling Compatibility	✅ Passed	PR maintains topology-aware HPA config (minReplicas=1 for SNO, 2 for HA). No scheduling constraints (affinity, nodeSelector, topology spread) introduced. Only adds terminationMessagePolicy config.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations detected. All modified files avoid process-level stdout writes. New constant in const block. Test assertions use framework-intercepted logging.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. It only adds standard Go test helpers with *testing.T. The custom check targets Ginkgo definitions (It/Describe/Context/When), which are not present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/operator/controller/gatewayclass/controller_test.go (1)

186-196: ⚠️ Potential issue | 🟠 Major

Sort the expected GatewayClass names before serializing JSON.

gatewayclassesConfig preserves caller order, but buildGatewayClassesConfig marshals a Go map (line 287 of istio_sail_installer.go), which causes json.Marshal to sort keys lexicographically. The multi-class case at Line 697 passes "openshift-default", "openshift-internal", "openshift-custom", which produces JSON keys in a different order than the production code's alphabetically sorted output.

🔧 Proposed fix

+import "sort"
+
 func gatewayclassesConfig(config string, gatewayclasses ...string) json.RawMessage {
+    sort.Strings(gatewayclasses)
     return json.RawMessage(fmt.Appendf(nil, `{%s}`, strings.Join(func() []string {
         var result []string

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/controller/gatewayclass/controller_test.go` around lines 186 -
196, The test helper gatewayclassesConfig preserves caller order, but
buildGatewayClassesConfig marshals a map which results in lexicographically
sorted keys; to make tests match production, sort the gatewayclasses slice
before building the JSON in gatewayclassesConfig so the serialized keys are in
alphabetical order (e.g., apply a sort.Strings(gatewayclasses) step inside
gatewayclassesConfig) so multi-class cases like the test passing
"openshift-default", "openshift-internal", "openshift-custom" produce the same
key order as buildGatewayClassesConfig.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@pkg/operator/controller/gatewayclass/controller_test.go`:
- Around line 186-196: The test helper gatewayclassesConfig preserves caller
order, but buildGatewayClassesConfig marshals a map which results in
lexicographically sorted keys; to make tests match production, sort the
gatewayclasses slice before building the JSON in gatewayclassesConfig so the
serialized keys are in alphabetical order (e.g., apply a
sort.Strings(gatewayclasses) step inside gatewayclassesConfig) so multi-class
cases like the test passing "openshift-default", "openshift-internal",
"openshift-custom" produce the same key order as buildGatewayClassesConfig.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e96c66c0-732d-460d-96d0-f1693667cb2b

📥 Commits

Reviewing files that changed from the base of the PR and between 9e5261e and c411daf.

📒 Files selected for processing (5)

• pkg/operator/controller/gatewayclass/controller_test.go
• pkg/operator/controller/gatewayclass/istio_olm.go
• pkg/operator/controller/gatewayclass/istio_sail_installer.go
• test/e2e/gateway_api_test.go
• test/e2e/util_gatewayapi_test.go

[coderabbitai]

🧹 Nitpick comments (1)

pkg/operator/controller/gatewayclass/controller_test.go (1)

187-200: ⚡ Quick win

Build the fixture from structured data instead of hand-assembling JSON.

Sorting the input slice and concatenating strings makes this helper side-effectful and easy to drift from buildGatewayClassesConfig. A small map[string]json.RawMessage + json.Marshal here would mirror production, remove the manual sort, and avoid future JSON-shape mismatches.

♻️ Proposed fix

 func gatewayclassesConfig(config string, gatewayclasses ...string) json.RawMessage {
-	sort.Strings(gatewayclasses)
-	return fmt.Appendf(nil, `{%s}`, strings.Join(func() []string {
-		var result []string
-
-		for _, name := range gatewayclasses {
-			result = append(result, fmt.Sprintf(`"%s":%s`, name, config))
-		}
-
-		return result
-	}(), ","))
+	payload := make(map[string]json.RawMessage, len(gatewayclasses))
+	for _, name := range gatewayclasses {
+		payload[name] = json.RawMessage(config)
+	}
+	b, _ := json.Marshal(payload)
+	return b
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/controller/gatewayclass/controller_test.go` around lines 187 -
200, The helpers gatewayclassesConfig and gatewayclassConfig should build JSON
from structured data instead of hand-assembling strings: replace
gatewayclassesConfig's manual sort/concatenation with constructing a
map[string]json.RawMessage (or map[string]interface{}) populated by iterating
gatewayclasses and using json.RawMessage of gatewayclassConfig, then
json.Marshal the map; change gatewayclassConfig to return a structured value
(map or struct) or json.RawMessage built via json.Marshal rather than a
formatted string so the test fixture mirrors buildGatewayClassesConfig and
avoids ordering/shape drift.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/operator/controller/gatewayclass/controller_test.go`:
- Around line 187-200: The helpers gatewayclassesConfig and gatewayclassConfig
should build JSON from structured data instead of hand-assembling strings:
replace gatewayclassesConfig's manual sort/concatenation with constructing a
map[string]json.RawMessage (or map[string]interface{}) populated by iterating
gatewayclasses and using json.RawMessage of gatewayclassConfig, then
json.Marshal the map; change gatewayclassConfig to return a structured value
(map or struct) or json.RawMessage built via json.Marshal rather than a
formatted string so the test fixture mirrors buildGatewayClassesConfig and
avoids ordering/shape drift.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: eeb1b9d7-ee49-4780-8807-96c392a0fb42

📥 Commits

Reviewing files that changed from the base of the PR and between c411daf and 4a97fc4.

📒 Files selected for processing (5)

• pkg/operator/controller/gatewayclass/controller_test.go
• pkg/operator/controller/gatewayclass/istio_olm.go
• pkg/operator/controller/gatewayclass/istio_sail_installer.go
• test/e2e/gateway_api_test.go
• test/e2e/util_gatewayapi_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• test/e2e/util_gatewayapi_test.go
• pkg/operator/controller/gatewayclass/istio_olm.go
• pkg/operator/controller/gatewayclass/istio_sail_installer.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/util_gatewayapi_test.go`:
- Around line 830-836: The test currently only verifies terminationMessagePolicy
for all containers but doesn't assert the presence of the istio-proxy container;
update the check to first ensure a container with Name == "istio-proxy" exists
in dep.Spec.Template.Spec.Containers, fail/return false if not found, and then
verify that container's TerminationMessagePolicy equals
corev1.TerminationMessageFallbackToLogsOnError (or, alternatively, locate the
istio-proxy container by iterating dep.Spec.Template.Spec.Containers and assert
c.Name == "istio-proxy" before checking c.TerminationMessagePolicy); reference
the existing loop and symbols c.Name, c.TerminationMessagePolicy, and
corev1.TerminationMessageFallbackToLogsOnError when implementing this change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1700a141-8bcd-4cf5-a05f-d26b7328c988

📥 Commits

Reviewing files that changed from the base of the PR and between 4a97fc4 and 65ca117.

📒 Files selected for processing (5)

• pkg/operator/controller/gatewayclass/controller_test.go
• pkg/operator/controller/gatewayclass/istio_olm.go
• pkg/operator/controller/gatewayclass/istio_sail_installer.go
• test/e2e/gateway_api_test.go
• test/e2e/util_gatewayapi_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/e2e/gateway_api_test.go

[gcs278]

hypershift flake
/test hypershift-e2e-aks

techpreview is failing because #1408 needs to merge

[Miciah]

#1408 has merged.

/test e2e-aws-operator-techpreview

[rikatz]

change lgtm, thanks @gcs278
/lgtm
/approve

let's wait now for verified label

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rikatz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/controller/gatewayclass/istio_sail_installer.go`:
- Around line 265-278: The overlay currently sets
deployment.spec.template.spec.containers to a single-entry list (using
gatewayProxyContainerName), which will replace the entire containers list under
Strategic Merge Patch and drop other containers; fix it by removing this partial
"containers" entry from the overlay or by replacing it with a targeted patch
that modifies only the istio-proxy container's terminationMessagePolicy (e.g.,
use a JSONPatch/JSON6902 or a strategic-merge entry that includes the container
"name" and full container spec), referencing the
deployment.spec.template.spec.containers overlay and gatewayProxyContainerName
so you either supply all containers in that list or use a patch that updates
only terminationMessagePolicy for the container named by
gatewayProxyContainerName.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4c9190ad-d24a-4277-a60d-ea81a9f44b3c

📥 Commits

Reviewing files that changed from the base of the PR and between 65ca117 and da0bcdf.

📒 Files selected for processing (6)

• pkg/operator/controller/gatewayclass/controller.go
• pkg/operator/controller/gatewayclass/controller_test.go
• pkg/operator/controller/gatewayclass/istio_olm.go
• pkg/operator/controller/gatewayclass/istio_sail_installer.go
• test/e2e/gateway_api_test.go
• test/e2e/util_gatewayapi_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/e2e/gateway_api_test.go

[melvinjoseph86]

/retest-required

[openshift-ci]

@gcs278: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator-techpreview	da0bcdf	link	false	/test e2e-aws-operator-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rikatz]

/lgtm
thanks for fixing the thing we discussed on Slack :D wasn't really urgent, but sounds good!

[gcs278]

Update - we may get this for free in https://github.com/istio/istio/pull/60102/changes#diff-25656c65a83f75b949b39ee2750b8b72d0936e4aece66265979cee93a3326892 (we don't need this PR if that merges)
/hold