Add terminationMessagePolicy and required-scc annotation for OCP 4.21 conformance#377

Open
dustman9000 wants to merge 3 commits into openshift:main from dustman9000:termination-message-policy

Conversation

@dustman9000 dustman9000 commented Apr 16, 2026

Summary

  • Adds terminationMessagePolicy: FallbackToLogsOnError to the operator container spec in both OLM (deploy/) and PKO (deploy_pko/) deployment manifests
  • Adds openshift.io/required-scc: restricted-v2 annotation to pod template metadata in both deployment manifests

These are required for OCP 4.21 conformance. The terminationMessagePolicy ensures container termination messages capture log output on error, and the required-scc annotation explicitly declares the security context constraint the pod needs.

Test plan

  • Verify YAML is valid and properly indented
  • Deploy to integration and confirm operator starts correctly
  • Confirm terminationMessagePolicy appears in pod spec via oc get pod -o yaml
  • Confirm required-scc annotation appears in pod metadata

Summary by CodeRabbit

  • Chores

    • Enforce restricted security context for operator pods and fall back to logs on container termination errors.
    • Bump build/root and runtime base images; update CI build root tag.
    • Enable code coverage status checks with explicit project/patch targets.
    • Add a project-wide pre-commit configuration.
    • Update ownership aliases.
  • Refactor

    • Internal error-handling and small API refinements in VPC endpoint logic.
  • Tests

    • Adjusted unit tests to match updated method return signatures.
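
The two settings the PR adds, checked mechanically. This is an added Go example, not code from the PR or the operator; it mirrors the last two steps of the test plan (reading the pod back with `oc get pod -o json`, which carries the same fields as `-o yaml`) against constructed sample objects whose pod and container names are invented. It reads terminationMessagePolicy directly on the container, where the core/v1 API defines it (a sibling of securityContext, not a field inside it), and the annotation from the pod's metadata.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// Minimal projection of a core/v1 Pod: only the fields the two OCP 4.21
// conformance settings live in. Any other field in the input is ignored.
type pod struct {
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Containers []container `json:"containers"`
	} `json:"spec"`
}

// terminationMessagePolicy is a field of the container itself (a sibling of
// securityContext), so that is where it is read from.
type container struct {
	Name                     string `json:"name"`
	TerminationMessagePolicy string `json:"terminationMessagePolicy"`
}

const (
	requiredSCCAnnotation = "openshift.io/required-scc"
	wantSCC               = "restricted-v2"
	wantTerminationPolicy = "FallbackToLogsOnError"
)

// checkPod returns one finding per missing or wrong setting. An empty slice
// means the pod carries both settings the PR adds to the manifests.
func checkPod(raw []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("decoding pod: %w", err)
	}
	var findings []string
	if got, ok := p.Metadata.Annotations[requiredSCCAnnotation]; !ok {
		findings = append(findings, fmt.Sprintf("pod %s: missing annotation %s", p.Metadata.Name, requiredSCCAnnotation))
	} else if got != wantSCC {
		findings = append(findings, fmt.Sprintf("pod %s: %s is %q, want %q", p.Metadata.Name, requiredSCCAnnotation, got, wantSCC))
	}
	for _, c := range p.Spec.Containers {
		// The API server defaults an omitted policy to "File", so an empty
		// value here means the manifest never set it.
		if c.TerminationMessagePolicy != wantTerminationPolicy {
			findings = append(findings, fmt.Sprintf("container %s: terminationMessagePolicy is %q, want %q", c.Name, c.TerminationMessagePolicy, wantTerminationPolicy))
		}
	}
	return findings, nil
}

// Constructed sample objects in the shape `oc get pod -o json` returns.
// Names are invented; only the fields under test matter.
const compliantPod = `{
  "metadata": {
    "name": "vpce-operator-7c9d",
    "annotations": {"openshift.io/required-scc": "restricted-v2"}
  },
  "spec": {
    "containers": [
      {"name": "operator",
       "terminationMessagePolicy": "FallbackToLogsOnError",
       "securityContext": {"allowPrivilegeEscalation": false}}
    ]
  }
}`

const legacyPod = `{
  "metadata": {"name": "vpce-operator-legacy"},
  "spec": {"containers": [{"name": "operator"}]}
}`

func main() {
	type input struct {
		name string
		raw  []byte
	}
	inputs := []input{{"compliant", []byte(compliantPod)}, {"legacy", []byte(legacyPod)}}
	// Against a live cluster: oc get pod <name> -o json | go run . -
	if len(os.Args) > 1 && os.Args[1] == "-" {
		raw, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err) // diagnostics to stderr, results to stdout
			os.Exit(2)
		}
		inputs = []input{{"stdin", raw}}
	}
	exit := 0
	for _, in := range inputs {
		findings, err := checkPod(in.raw)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", in.name, err)
			exit = 2
			continue
		}
		if len(findings) == 0 {
			fmt.Printf("%s: OK\n", in.name)
			continue
		}
		exit = 1
		for _, f := range findings {
			fmt.Printf("%s: %s\n", in.name, f)
		}
	}
	os.Exit(exit)
}
```

The exit code distinguishes a non-conformant pod (1) from unreadable input (2), so the same check can gate a CI step after the integration deploy in the test plan.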

coderabbitai Bot commented Apr 16, 2026

Walkthrough

Adds OpenShift SCC annotation and container termination policy to pod templates; bumps CI/build images; enables codecov status targets; adds comprehensive pre-commit hooks; removes three OWNERS_ALIASES entries; and refactors/vet-style updates across AWS/VPC endpoint controller code (including a signature change, error-wrapping, nolint directives, and corresponding test update).

Changes

Deployments & Images (CI / Runtime)

Layer / File(s) Summary
Pod template annotation
deploy/20_operator.yaml, deploy_pko/Deployment-aws-vpce-operator.yaml.gotmpl
Adds spec.template.metadata.annotations.openshift.io/required-scc: restricted-v2 to pod templates.
Container termination policy
deploy/20_operator.yaml, deploy_pko/Deployment-aws-vpce-operator.yaml.gotmpl
Adds terminationMessagePolicy: FallbackToLogsOnError under container securityContext.
CI root image tag
.ci-operator.yaml
Bumps build_root_image.tag from image-v8.3.4 to image-v8.3.5.
Builder/runtime images
build/Dockerfile, build/Dockerfile.olm-registry
Updates builder base to ...boilerplate:image-v8.3.5 and runtime UBI minimal to 9.7-1777857961.

Pre-commit & Repo Hooks

Layer / File(s) Summary
Pre-commit configuration
.pre-commit-config.yaml
Adds pre-commit setup: file hygiene and YAML checks, gitleaks secrets scan, golangci-lint static analysis, and local hooks for go-build, go-mod-tidy, and RBAC wildcard checking.

Coverage & Ownership Metadata

Layer / File(s) Summary
Coverage policy
.codecov.yml
Replaces boolean status flags with nested project/patch defaults and explicit targets: project target 35% (threshold 1%), patch target 50% (threshold 1%).
OWNERS aliases
OWNERS_ALIASES
Removes abyrne55 from aliases.srep-functional-team-aurora and aliases.srep-functional-leads; removes jharrington22 from aliases.srep-architects.

VpcEndpoint Controller Refactor & Tests

Layer / File(s) Summary
Signature change / Diff logic
controllers/vpcendpoint/helpers.go
diffVpcEndpointSecurityGroups return signature changed from (toAdd, toRemove, error) to (toAdd, toRemove); call sites updated accordingly.
Error wrapping & nolint annotations
controllers/vpcendpoint/helpers.go, controllers/vpcendpoint/cleanup.go, controllers/vpcendpoint/validation.go, controllers/vpcendpointtemplate/vpcendpointtemplate_controller.go, main.go, fips.go
Replaced %v with %w to wrap errors; added multiple //nolint:gocyclo, //nolint:exhaustive, and //nolint:nilnil annotations to suppress linters.
Test updates
controllers/vpcendpoint/helpers_test.go
Updated tests to match new diffVpcEndpointSecurityGroups two-value return (removed error return and assertions).

Minor formatting / lint-only edits

Layer / File(s) Summary
Import/format adjustments
api/v1alpha1/groupversion_info.go, pkg/aws_client/route53_hosted_zone.go, pkg/aws_client/subnet.go, pkg/aws_client/tags.go, pkg/dnses/dnses_test.go
Whitespace/import ordering and comment formatting tweaks; no behavior changes.
AWS client nilnil nolint
pkg/aws_client/security_group.go, pkg/aws_client/vpc_endpoint.go
Annotated specific (nil, nil) return sites with //nolint:nilnil; behavior unchanged.
Error wrapping small changes
pkg/secrets/secrets.go, controllers/vpcendpoint/cleanup.go
Switched some fmt.Errorf(...%v...) to %w to preserve error wrapping.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Ote Binary Stdout Contract ❌ Error PR introduces fips.go with fmt.Println() in init() function, which violates OTE Binary Stdout Contract by writing non-JSON to stdout during process startup. Replace fmt.Println() with fmt.Fprintln(os.Stderr, ...) or use configured logger that outputs to stderr, not stdout.
Docstring Coverage ⚠️ Warning Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (10 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title clearly and accurately describes the main changes: adding terminationMessagePolicy and required-scc annotation for OCP 4.21 conformance, which aligns with the primary modifications in deploy manifests.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All test names across 22 test files are stable and deterministic. No dynamic content detected in test titles. Modified test files only had bodies updated, not test names.
Test Structure And Quality ✅ Passed The custom check addresses Ginkgo test quality. This PR does not modify any Ginkgo tests. Modified test files use standard Go testing package, not Ginkgo. Check is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests added. PR only modifies manifests, configs, and unit tests using standard Go testing package. Custom check applies only to new Ginkgo tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests added. Changes are YAML manifests, config files, and Go source modifications. Test file updates only adjust existing tests. Check not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR uses only preferred affinity (not required), 1 replica count, targets optional infra nodes. No topology-aware scheduling constraints introduced. Compatible with all topologies.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR does not add new Ginkgo e2e tests. No test/e2e files were modified, and no Ginkgo test definitions were added. The custom check is not applicable.

openshift-ci Bot commented Apr 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustman9000


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 16, 2026
codecov-commenter commented Apr 16, 2026

Codecov Report

❌ Patch coverage is 19.04762% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.73%. Comparing base (f5ede65) to head (d6c1c36).

Files with missing lines Patch % Lines
controllers/vpcendpoint/helpers.go 27.27% 8 Missing ⚠️
controllers/vpcendpoint/cleanup.go 0.00% 4 Missing ⚠️
...endpointtemplate/vpcendpointtemplate_controller.go 0.00% 1 Missing ⚠️
fips.go 0.00% 1 Missing ⚠️
pkg/aws_client/security_group.go 0.00% 1 Missing ⚠️
pkg/aws_client/vpc_endpoint.go 0.00% 1 Missing ⚠️
pkg/secrets/secrets.go 0.00% 1 Missing ⚠️

❌ Your patch status has failed because the patch coverage (19.04%) is below the target coverage (50.00%). You can increase the patch coverage or adjust the target coverage.

@@            Coverage Diff             @@
##             main     #377      +/-   ##
==========================================
+ Coverage   40.69%   40.73%   +0.03%     
==========================================
  Files          32       32              
  Lines        2150     2148       -2     
==========================================
  Hits          875      875              
+ Misses       1171     1170       -1     
+ Partials      104      103       -1     
Files with missing lines Coverage Δ
controllers/vpcendpoint/validation.go 17.93% <100.00%> (ø)
main.go 0.00% <ø> (ø)
pkg/aws_client/route53_hosted_zone.go 34.44% <ø> (ø)
pkg/aws_client/subnet.go 42.22% <ø> (ø)
pkg/aws_client/tags.go 33.33% <ø> (ø)
...endpointtemplate/vpcendpointtemplate_controller.go 8.20% <0.00%> (ø)
fips.go 0.00% <0.00%> (ø)
pkg/aws_client/security_group.go 70.37% <0.00%> (ø)
pkg/aws_client/vpc_endpoint.go 63.06% <0.00%> (ø)
pkg/secrets/secrets.go 38.09% <0.00%> (ø)
... and 2 more

@joshbranham joshbranham left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 4, 2026
@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD f5ede65 and 2 for PR HEAD 2900386 in total

@dustman9000 dustman9000 force-pushed the termination-message-policy branch from 2900386 to f4f4edd on May 6, 2026 02:45
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 6, 2026
openshift-ci Bot commented May 6, 2026

New changes are detected. LGTM label has been removed.

openshift-ci Bot commented May 6, 2026

@dustman9000: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/lint d6c1c36 link true /test lint


@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
controllers/vpcendpoint/helpers.go (1)

920-934: ⚠️ Potential issue | 🔴 Critical

Critical: Caller dereferences nil record without nil check.

This function now returns (nil, nil) in success paths—when the endpoint is missing or has no DNS entries during deletion. The only caller in controllers/vpcendpoint/validation.go:377 skips the error check when err == nil and immediately dereferences the record at line 385:

resourceRecord, err := r.generateRoute53Record(ctx, resource)
if err != nil {
    r.log.V(0).Info("Skipping Route53 Record", "error", err.Error())
    return nil
}

input := &route53Types.ResourceRecordSet{
    ...
    ResourceRecords: []route53Types.ResourceRecord{*resourceRecord},  // nil panic here
    ...
}

Either guard against nil before dereferencing or have generateRoute53Record return an error instead of (nil, nil).

🧹 Nitpick comments (2)
.pre-commit-config.yaml (2)

57-60: 🏗️ Heavy lift

Validate the PKO manifest path too.

This hook only checks raw YAML under deploy/, so edits to deploy_pko/Deployment-aws-vpce-operator.yaml.gotmpl—one of the conformance manifests touched in this PR—still have no local syntax guard. Add a rendered-template validation step for deploy_pko/, or narrow the surrounding documentation so contributors do not assume both deployment paths are covered.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 57 - 60, The YAML syntax hook (id:
check-yaml) only targets deploy/ and misses rendered templates under deploy_pko
(e.g. deploy_pko/Deployment-aws-vpce-operator.yaml.gotmpl); update
.pre-commit-config.yaml to either add a second hook that validates rendered
templates in deploy_pko (or extend the existing check-yaml files regex to
include deploy_pko/.*\.(ya?ml|yaml\.gotmpl|gotmpl)$) so changes to deploy_pko
are checked locally, and ensure the new pattern covers .gotmpl files or add a
separate rendered-template validation hook referencing deploy_pko.

129-133: ⚡ Quick win

Extend the RBAC wildcard check to deploy_pko/.

Right now this hook skips deploy_pko/*.yaml.gotmpl, so wildcard RBAC regressions in the PKO manifest will not be caught before commit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml around lines 129 - 133, The RBAC hook with id
"rbac-wildcard-check" currently only matches ^deploy/.*\.ya?ml$ and thus skips
deploy_pko/*.yaml.gotmpl; update its files regex to include both deploy and
deploy_pko directories and the .yaml.gotmpl variant (for example change the
files pattern on the rbac-wildcard-check entry to a regex like
^(?:deploy|deploy_pko)/.*\.ya?ml(?:\.gotmpl)?$ so it catches .yaml, .yml and
.yaml.gotmpl/.yml.gotmpl files).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 57fc4bf1-0a83-4d9a-976c-f6452ccd988f

📥 Commits

Reviewing files that changed from the base of the PR and between f4f4edd and d6c1c36.

📒 Files selected for processing (16)
  • .pre-commit-config.yaml
  • api/v1alpha1/groupversion_info.go
  • controllers/vpcendpoint/cleanup.go
  • controllers/vpcendpoint/helpers.go
  • controllers/vpcendpoint/helpers_test.go
  • controllers/vpcendpoint/validation.go
  • controllers/vpcendpointtemplate/vpcendpointtemplate_controller.go
  • fips.go
  • main.go
  • pkg/aws_client/route53_hosted_zone.go
  • pkg/aws_client/security_group.go
  • pkg/aws_client/subnet.go
  • pkg/aws_client/tags.go
  • pkg/aws_client/vpc_endpoint.go
  • pkg/dnses/dnses_test.go
  • pkg/secrets/secrets.go
✅ Files skipped from review due to trivial changes (2)
  • pkg/aws_client/subnet.go
  • pkg/aws_client/tags.go
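
The (nil, nil) pattern the review flags above, next to the guard it asks for, as an added Go illustration that is not the operator's code. The endpoint, resourceRecord and recordSet types and the generateLoose, generateStrict, buildLoose and buildStrict functions are stand-ins for the shape described in the comment, and the DNS names are invented. It shows why a caller that checks only err walks straight into a nil dereference when the producer treats "nothing to do" as (nil, nil), and how a sentinel error turns that into a decision the caller has to make.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins (constructed for this example): an endpoint that may have no DNS
// entries yet, and the Route53-style record built from it.
type endpoint struct {
	Name     string
	DNSNames []string
}

type resourceRecord struct{ Value string }

type recordSet struct {
	Name    string
	Records []resourceRecord
}

// errNoRecord is what the fixed generator returns instead of (nil, nil), so a
// caller can tell "nothing to record" from "here is a record" with errors.Is.
var errNoRecord = errors.New("endpoint has no DNS entries, nothing to record")

// generateLoose is the pattern the review flags: (nil, nil) on the empty path,
// which every present and future caller must remember to handle.
func generateLoose(ep endpoint) (*resourceRecord, error) {
	if len(ep.DNSNames) == 0 {
		return nil, nil //nolint:nilnil
	}
	return &resourceRecord{Value: ep.DNSNames[0]}, nil
}

// generateStrict never returns (nil, nil): the empty path is an error value.
func generateStrict(ep endpoint) (*resourceRecord, error) {
	if len(ep.DNSNames) == 0 {
		return nil, errNoRecord
	}
	return &resourceRecord{Value: ep.DNSNames[0]}, nil
}

// buildLoose has the caller shape quoted in the review: check err, then
// dereference. On the (nil, nil) path that panics; the deferred recover turns
// the panic into a returned error only so the example can show it happening.
func buildLoose(ep endpoint) (rs *recordSet, err error) {
	defer func() {
		if r := recover(); r != nil {
			rs, err = nil, fmt.Errorf("panic in buildLoose: %v", r)
		}
	}()
	rec, err := generateLoose(ep)
	if err != nil {
		return nil, err
	}
	return &recordSet{Name: ep.Name, Records: []resourceRecord{*rec}}, nil
}

// buildStrict handles the sentinel explicitly: skipping is a choice the caller
// makes and can log, not a nil pointer it trips over.
func buildStrict(ep endpoint) (*recordSet, error) {
	rec, err := generateStrict(ep)
	if errors.Is(err, errNoRecord) {
		return nil, err // the caller logs "skipping" and moves on
	}
	if err != nil {
		return nil, fmt.Errorf("generating record for %s: %w", ep.Name, err)
	}
	return &recordSet{Name: ep.Name, Records: []resourceRecord{*rec}}, nil
}

func main() {
	// Constructed inputs: one endpoint without DNS entries, one with.
	cases := []endpoint{
		{Name: "vpce-no-dns"},
		{Name: "vpce-ok", DNSNames: []string{"vpce-0abc.example.internal"}},
	}
	for _, ep := range cases {
		if _, err := buildLoose(ep); err != nil {
			fmt.Println("loose: ", err)
		}
		if rs, err := buildStrict(ep); err != nil {
			fmt.Println("strict:", err)
		} else {
			fmt.Println("strict:", rs.Name, "->", rs.Records[0].Value)
		}
	}
}
```

A nolint:nilnil directive, as several sites in this PR add, only silences the linter; the sentinel removes the class of bug, because a caller that forgets to check for it still gets a non-nil error rather than a nil pointer.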
