NE-2217: Add haproxyVersion in IngressController API#2895

Open
jcmoraisjr wants to merge 1 commit into openshift:master from jcmoraisjr:NE-2217-haproxy-version-api

jcmoraisjr (Member) commented Jun 19, 2026

Add haproxyVersion field in IngressController API. This field adds the ability to revert HAProxy version to a previous one, as well as pin the current HAProxy version during OCP upgrades.

EP: openshift/enhancements#1965

Jira: https://redhat.atlassian.net/browse/NE-2217

openshift-merge-bot (Contributor) commented

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Jun 19, 2026

openshift-ci Bot (Contributor) commented Jun 19, 2026

Hello @jcmoraisjr! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

openshift-ci-robot commented Jun 19, 2026

@jcmoraisjr: This pull request references NE-2217 which is a valid jira issue.

In response to this:

Add haproxyOCPVersion field in IngressController API. This field adds the ability to revert HAProxy version to a previous one, as well as pin the current HAProxy version during OCP upgrades.

EP: openshift/enhancements#1965

Jira: https://redhat.atlassian.net/browse/NE-2217

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented Jun 19, 2026

📝 Walkthrough

IngressController now includes a feature-gated haproxyVersion field in spec and an effectiveHAProxyVersion field in status. A new public HAProxyVersion type restricts values to 2.8 and 3.2. The test CRD adds create and update cases covering supported values, omitted values, invalid values, and version changes under the IngressControllerMultipleHAProxyVersions feature gate.

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main API change by naming the new haproxyVersion field in IngressController. |
| Description check | ✅ Passed | The description matches the changeset, describing the new haproxyVersion API field and its purpose during OCP upgrades. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All added test names are literal, descriptive strings; none interpolate runtime data or dynamic identifiers. |
| Test Structure And Quality | ✅ Passed | The new YAML test cases are narrowly scoped and match existing operator test patterns; no live-cluster Ginkgo setup, cleanup, or timeout issues apply. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the only new test file is declarative CRD YAML, so the MicroShift API-compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | Added YAML is a CRD schema test manifest, not a Ginkgo e2e test; it only validates IngressController API field values and has no node/topology assumptions. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only adds HAProxy version API fields, CRD validation, and tests; no replica, affinity, nodeSelector, PDB, or topology-aware scheduling logic was introduced. |
| Ote Binary Stdout Contract | ✅ Passed | Touched files are API types/YAML only; no main/init/TestMain/RunSpecs hooks or stdout logging calls were added. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The added test artifact is a CRD YAML scenario file with no Ginkgo e2e code, IPv4 literals, or external connectivity requirements. |
| No-Weak-Crypto | ✅ Passed | Changed files only add HAProxy version fields and CRD tests; no weak crypto, custom crypto, or secret/token comparisons appear. |
| Container-Privileges | ✅ Passed | No privileged/K8s securityContext settings were added; the only YAML change is a CRD test manifest, and the Go API type change has no container settings. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No new logging code or sensitive values were added; the diff only introduces HAProxy version fields and test values (2.8/3.2). |
Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented



@openshift-ci Bot added the size/XXL label (Denotes a PR that changes 1000+ lines, ignoring generated files.) Jun 19, 2026
@openshift-ci Bot requested review from JoelSpeed and everettraven June 19, 2026 13:35

openshift-ci Bot (Contributor) commented Jun 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Comment thread operator/v1/types_ingresscontroller.go

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/v1/types_ingresscontroller.go`:
- Around line 2258-2271: The EffectiveHAProxyOCPVersion field is marked as
optional but its comment does not document the expected behavior when the field
is omitted. Update the comment for the EffectiveHAProxyOCPVersion field to
explicitly specify what it means when this status field is absent, such as
whether omission indicates an unresolved value, feature-gate-disabled state, or
another condition. This clarification is required as per coding guidelines for
all optional fields.
- Around line 2341-2346: The OCPVersion type has kubebuilder validation markers
for MinLength=3 and MaxLength=8, but the comment only documents the format
requirement without mentioning the length constraints. Update the comment for
the OCPVersion type to include explicit documentation of the length constraints
(minimum 3 characters, maximum 8 characters) in human-readable terms alongside
the existing format documentation to match the validation markers and follow
coding guidelines.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 302ef052-c626-4396-a8ab-1df4406a6900

📥 Commits

Reviewing files that changed from the base of the PR and between 5346161 and 2c6e76b.

⛔ Files ignored due to path filters (5)
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerMultipleHAProxyVersions.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
📒 Files selected for processing (1)
  • operator/v1/types_ingresscontroller.go

Comment thread operator/v1/types_ingresscontroller.go Outdated
Comment thread operator/v1/types_ingresscontroller.go Outdated
@jcmoraisjr jcmoraisjr force-pushed the NE-2217-haproxy-version-api branch from 2c6e76b to 6d7c1c8 Compare June 19, 2026 14:23
jcmoraisjr (Member, Author) commented

@yuqi-zhang here is the API update for the openshift/enhancements#1965 you also reviewed.

Comment thread operator/v1/types_ingresscontroller.go Outdated
@jcmoraisjr jcmoraisjr force-pushed the NE-2217-haproxy-version-api branch from 6d7c1c8 to d75078d Compare July 2, 2026 12:13
@jcmoraisjr changed the title from "NE-2217: Add haproxyOCPVersion in IngressController API" to "NE-2217: Add haproxyVersion in IngressController API" Jul 2, 2026
Add haproxyVersion field in IngressController API. This field adds
the ability to revert HAProxy version to a previous one, as well as pin
the current HAProxy version during OCP upgrades.

EP: openshift/enhancements#1965

Jira: https://redhat.atlassian.net/browse/NE-2217
@jcmoraisjr jcmoraisjr force-pushed the NE-2217-haproxy-version-api branch from d75078d to d41e8c5 Compare July 3, 2026 21:21

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerMultipleHAProxyVersions.yaml (1)

86-185: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Missing onUpdate negative test for invalid haproxyVersion.

onCreate tests reject empty ("") and unsupported ("2.6") values, but onUpdate only covers valid transitions (unset↔2.8, 2.8→3.2). Add an update case setting an unsupported/empty value to confirm the enum validation is enforced symmetrically on update.

➕ Suggested additional test case
    - name: Should not be able to update to an unsupported version
      initial: |
        apiVersion: operator.openshift.io/v1
        kind: IngressController
        metadata:
          name: default
          namespace: openshift-ingress-operator
        spec:
          httpEmptyRequestsPolicy: Respond
          idleConnectionTerminationPolicy: Immediate
          closedClientConnectionPolicy: Continue
          haproxyVersion: "2.8"
      updated: |
        apiVersion: operator.openshift.io/v1
        kind: IngressController
        metadata:
          name: default
          namespace: openshift-ingress-operator
        spec:
          httpEmptyRequestsPolicy: Respond
          idleConnectionTerminationPolicy: Immediate
          closedClientConnectionPolicy: Continue
          haproxyVersion: "2.6"
      expectedError: 'Unsupported value: "2.6": supported values: "2.8", "3.2"'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerMultipleHAProxyVersions.yaml`
around lines 86 - 185, The onUpdate coverage in
IngressControllerMultipleHAProxyVersions is missing a negative validation case
for haproxyVersion, so add an update test that changes a valid existing value to
an unsupported or empty value and expects the enum rejection. Use the existing
onUpdate scenarios in IngressControllerMultipleHAProxyVersions and mirror the
validation style already used in onCreate so the update path is checked
symmetrically for haproxyVersion.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/v1/types_ingresscontroller.go`:
- Around line 389-413: The HAProxyVersion field comment repeats the same phrase
twice in the upgrade-preflight sentence, so tighten the wording to remove the
duplicate “block the cluster upgrade” phrasing. Update the comment near
HAProxyVersion in types_ingresscontroller.go to say the preflight check blocks
the upgrade until the field is updated, keeping the rest of the migration
guidance intact and concise.

---

Nitpick comments:
In
`@operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerMultipleHAProxyVersions.yaml`:
- Around line 86-185: The onUpdate coverage in
IngressControllerMultipleHAProxyVersions is missing a negative validation case
for haproxyVersion, so add an update test that changes a valid existing value to
an unsupported or empty value and expects the enum rejection. Use the existing
onUpdate scenarios in IngressControllerMultipleHAProxyVersions and mirror the
validation style already used in onCreate so the update path is checked
symmetrically for haproxyVersion.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 23c20d00-d012-4aff-8d68-022b90037948

📥 Commits

Reviewing files that changed from the base of the PR and between d75078d and d41e8c5.

⛔ Files ignored due to path filters (7)
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
  • operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerMultipleHAProxyVersions.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
📒 Files selected for processing (2)
  • operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerMultipleHAProxyVersions.yaml
  • operator/v1/types_ingresscontroller.go

Comment on lines +389 to +413
// haproxyVersion specifies the HAProxy version to use for this
// IngressController.
//
// OpenShift 5.0 introduces HAProxy 3.2 as its default version and supports
// HAProxy 2.8 from OpenShift 4.22 for migration purposes. When an OpenShift
// release introduces a new default HAProxy version, that HAProxy version
// becomes available as a pinnable value in subsequent OpenShift releases,
// providing a smooth migration path for administrators who want to defer
// HAProxy upgrades.
//
// Valid values for OpenShift 5.0:
// - Unset (default): Uses HAProxy 3.2 (the default for OpenShift 5.0)
// - "3.2": Explicitly pins HAProxy 3.2 for preservation during cluster
// upgrades to future OpenShift releases
// - "2.8": Uses HAProxy 2.8 from OpenShift 4.22 (migration support, will
// be dropped in the next OpenShift release)
//
// If a specific HAProxy version is set and would become unsupported in a
// target cluster upgrade, a preflight check would block the cluster upgrade,
// blocking the cluster upgrade until this field is updated to unset or a
// supported version.
//
// +optional
// +openshift:enable:FeatureGate=IngressControllerMultipleHAProxyVersions
HAProxyVersion HAProxyVersion `json:"haproxyVersion,omitempty"`
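
Review bot: The "Valid values for OpenShift 5.0" list describes "Unset (default)" but never says that an explicit empty string is invalid, although the review of the test file on this page notes that onCreate rejects "". Because the field is `+optional` with `omitempty`, add a sentence such as "The empty string is not a valid value; omit the field to use the default" so that YAML authors and Go clients read the same contract.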

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Redundant phrasing in field comment.

Line 407-408 repeats "block the cluster upgrade" twice: "a preflight check would block the cluster upgrade, blocking the cluster upgrade until...". Tighten the wording.

✏️ Proposed fix
 	// If a specific HAProxy version is set and would become unsupported in a
-	// target cluster upgrade, a preflight check would block the cluster upgrade,
-	// blocking the cluster upgrade until this field is updated to unset or a
-	// supported version.
+	// target cluster upgrade, a preflight check will block the cluster upgrade
+	// until this field is updated to unset or a supported version.
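
Review bot: The two added lines keep the awkward "updated to unset" from the original sentence; "until this field is unset or set to a supported version" reads more cleanly. The rewording also changes "would block" to "will block", so confirm that the unconditional tense matches the preflight behaviour described in the enhancement before committing.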
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// haproxyVersion specifies the HAProxy version to use for this
// IngressController.
//
// OpenShift 5.0 introduces HAProxy 3.2 as its default version and supports
// HAProxy 2.8 from OpenShift 4.22 for migration purposes. When an OpenShift
// release introduces a new default HAProxy version, that HAProxy version
// becomes available as a pinnable value in subsequent OpenShift releases,
// providing a smooth migration path for administrators who want to defer
// HAProxy upgrades.
//
// Valid values for OpenShift 5.0:
// - Unset (default): Uses HAProxy 3.2 (the default for OpenShift 5.0)
// - "3.2": Explicitly pins HAProxy 3.2 for preservation during cluster
// upgrades to future OpenShift releases
// - "2.8": Uses HAProxy 2.8 from OpenShift 4.22 (migration support, will
// be dropped in the next OpenShift release)
//
// If a specific HAProxy version is set and would become unsupported in a
// target cluster upgrade, a preflight check would block the cluster upgrade,
// blocking the cluster upgrade until this field is updated to unset or a
// supported version.
//
// +optional
// +openshift:enable:FeatureGate=IngressControllerMultipleHAProxyVersions
HAProxyVersion HAProxyVersion `json:"haproxyVersion,omitempty"`
// If a specific HAProxy version is set and would become unsupported in a
// target cluster upgrade, a preflight check will block the cluster upgrade
// until this field is updated to unset or a supported version.
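
Review bot: As rendered, this suggestion spans the whole commented range (the field comment, the `+optional` and feature-gate markers, and the `HAProxyVersion` declaration), while its replacement is only the three-line preflight sentence at the end. Applying it as-is would appear to drop the markers and the field itself, so narrow the suggestion to the sentence being reworded, as the proposed fix above does.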
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_ingresscontroller.go` around lines 389 - 413, The
HAProxyVersion field comment repeats the same phrase twice in the
upgrade-preflight sentence, so tighten the wording to remove the duplicate
“block the cluster upgrade” phrasing. Update the comment near HAProxyVersion in
types_ingresscontroller.go to say the preflight check blocks the upgrade until
the field is updated, keeping the rest of the migration guidance intact and
concise.
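
An added example (not code from this PR or from openshift/api) sketching the contract the field comment describes: enum validation of `haproxyVersion`, the effective version when the field is unset, and a preflight that blocks an upgrade once the pinned version is no longer supported. The `release` catalogue, the "next" release and all function names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// release is a hypothetical per-release catalogue entry: the default HAProxy
// version and the versions that may be pinned through haproxyVersion.
type release struct {
	def       string
	supported []string
}

// Constructed data. "5.0" follows the field comment above; "next" assumes the
// following release drops 2.8 and keeps 3.2 as its default.
var releases = map[string]release{
	"5.0":  {def: "3.2", supported: []string{"2.8", "3.2"}},
	"next": {def: "3.2", supported: []string{"3.2"}},
}

// validate mimics the enum check on spec.haproxyVersion. A missing key means
// unset and is accepted; any present value, "" included, must be in the enum.
func validate(rel string, spec map[string]string) error {
	v, set := spec["haproxyVersion"]
	if !set {
		return nil
	}
	sup := append([]string(nil), releases[rel].supported...)
	sort.Strings(sup)
	for _, s := range sup {
		if s == v {
			return nil
		}
	}
	return fmt.Errorf("Unsupported value: %q: supported values: \"%s\"", v, strings.Join(sup, `", "`))
}

// effective returns the version that would run: the pin, or the release default.
func effective(rel string, spec map[string]string) string {
	if v, set := spec["haproxyVersion"]; set {
		return v
	}
	return releases[rel].def
}

// preflight reports why an upgrade to target must be blocked, or nil if the
// current spec stays valid there. Unset specs always pass and follow the default.
func preflight(target string, spec map[string]string) error {
	if err := validate(target, spec); err != nil {
		return fmt.Errorf("upgrade to %s blocked: %w", target, err)
	}
	return nil
}

func main() {
	for _, spec := range []map[string]string{{}, {"haproxyVersion": "3.2"}, {"haproxyVersion": "2.8"}} {
		fmt.Printf("spec=%v effective(5.0)=%s preflight(next)=%v\n",
			spec, effective("5.0", spec), preflight("next", spec))
	}
}
```

A spec pinned to "2.8" validates on "5.0" but fails the preflight for "next", which is the case an administrator has to resolve by unsetting the field or moving to "3.2" before upgrading.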

openshift-ci Bot (Contributor) commented Jul 3, 2026

@jcmoraisjr: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
