USHIFT-6947: C2CC: Configurable routing table IDs

[pmtk]

Summary by CodeRabbit

• New Features
  • Added clusterToCluster.routing for C2CC Linux policy routing table IDs (routeTableID, serviceRouteTableID) with sensible defaults.
  • Validates IDs are within the allowed range and require the two values to differ.
• Documentation
  • Updated config.yaml and the configuration guide with the new routing block and example values.
• Tests
  • Expanded configuration defaulting and validation tests, including user override scenarios.
  • Added Robot Framework coverage to confirm custom routing table IDs are honored.

[openshift-ci-robot]

@pmtk: This pull request references USHIFT-6947 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0ec7257f-5fd6-4b8b-adc5-ed086a3e51bc

📥 Commits

Reviewing files that changed from the base of the PR and between dc1e877 and e47a22e.

📒 Files selected for processing (4)

• pkg/config/c2cc.go
• test/resources/c2cc.resource
• test/suites/c2cc/cleanup.robot
• test/suites/c2cc/custom-route-tables.robot

💤 Files with no reviewable changes (1)

• test/suites/c2cc/cleanup.robot

🚧 Files skipped from review as they are similar to previous changes (3)

• test/resources/c2cc.resource
• test/suites/c2cc/custom-route-tables.robot
• pkg/config/c2cc.go

---

Walkthrough

Adds configurable routing block to C2CC config with routeTableID and serviceRouteTableID fields. Introduces C2CCRouting struct and resolved config fields with validation (1–252 range, must differ). Route managers consume resolved IDs from config instead of hardcoded constants. OpenAPI schema, docs, packaging, and robot test suite updated with custom-routing validation tests.

Changes

C2CC Configurable Routing Table IDs

Layer / File(s)	Summary
C2CCRouting type and validation pkg/config/c2cc.go	Adds C2CCRouting struct with pointer-based routing table ID fields, ResolvedRouteTableID/ResolvedServiceRouteTableID fields to C2CC, resolveRoutingDefaults(), and routing validation enforcing 1–252 range and mutual difference. Refactors DNS TTL validation into C2CCDNS.validate() and updates C2CC.validate() to delegate to both.
Config defaults and user settings integration pkg/config/config.go	fillDefaults initializes routing defaults; incorporateUserSettings merges user routing IDs conditionally; updateComputedValues invokes routing default resolution.
Route managers and hardcoded constant removal pkg/controllers/c2cc/routes.go, pkg/controllers/c2cc/service_routes.go, pkg/controllers/c2cc/controller.go	Removes c2ccRouteTable, c2ccRouteProto, c2ccSvcRouteTable, c2ccSvcRouteProto constants. linuxRouteManager and serviceRouteManager read table/proto from resolved config fields. Controller logs subscription failures with runtime IDs.
Config testing helpers and routing validation tests pkg/config/c2cc_test.go, pkg/controllers/c2cc/helpers_test.go	Adds withRoutingDefaults helper wired into all C2CC config builders. Introduces TestC2CC_RoutingTableValidation covering custom IDs, bounds, duplicates, and defaults. Extends TestC2CC_IncorporateUserSettings for routing overrides. Updates testConfigWithRemotes to set resolved IDs (200, 201).
OpenAPI schema, docs, and packaging configuration cmd/generate-config/config/config-openapi-spec.json, docs/user/howto_config.md, packaging/microshift/config.yaml	OpenAPI spec adds routing to clusterToCluster.required with field definitions, defaults (200, 201), and bounds (1–252, mutual-difference). Docs and packaging add annotated routing section.
Robot test framework and custom routing suite test/resources/c2cc.resource, test/suites/c2cc/cleanup.robot, test/suites/c2cc/custom-route-tables.robot	Extracts Verify Cluster Is Healthy keyword to shared resource file. New custom-route-tables.robot suite validates C2CC honors custom routing table IDs via config drop-in, verifies route and rule placement in custom tables, confirms default tables (200/201) remain intact. Includes Setup/Teardown and helper keywords for config application, table cleanup, and health verification.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• jerpeter1

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Go test assertions lack descriptive failure messages. Lines like assert.Equal(t, 100, cfg.C2CC.ResolvedRouteTableID) violate the requirement for meaningful assertion messages that help diagnose f...	Add message context to assertions: assert.Equal(t, expected, actual, "description of what failed") for all assert.Equal/NotEqual/NotContains calls in the new test functions.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: making C2CC routing table IDs configurable, which aligns with the changeset's core objective across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in the PR are stable and deterministic. Go tests use static string literals in both function names (e.g., TestC2CC_RoutingTableValidation) and t.Run() subtests. Robot Framework test...
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The PR contains Go unit tests and Robot Framework integration tests, which fall outside the scope of this check.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. Repository uses Go unit tests (testing.T) and Robot Framework tests, not Ginkgo. Check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR introduces no new deployment manifests or scheduling constraints. It only modifies configuration schema, Go config/controller code for routing logic, and test files — none of which add sched...
Ote Binary Stdout Contract	✅ Passed	No OTE binary stdout contract violations found. All code changes (Go) are configuration/controller logic with logging inside method bodies (never at process level). Robot Framework test files are n...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. Tests are standard Go unit tests and Robot Framework integration tests, outside scope of this check.
No-Weak-Crypto	✅ Passed	PR contains no cryptographic code; only routing table ID configuration management for C2CC feature.
Container-Privileges	✅ Passed	C2CC deployment uses privileged SCC annotation (justified for host binary access) but the container spec itself lacks privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or...
No-Sensitive-Data-In-Logs	✅ Passed	Logging changes log only non-sensitive routing table IDs (integers 1-252), not passwords, tokens, API keys, PII, or customer data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=warning msg="The linter 'gomodguard' is deprecated (since v2.12.0) due to: new major version. Replaced by gomodguard_v2."
level=warning msg="Suggested new configuration:\nlinters:\n enable:\n - gomodguard_v2\n"
level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/apparentlymart/go-cidr@v1.1.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/coreos/go-systemd@v0.0.0-20190321100706-95778dfbb74e: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/google/go-cmp@v0.7.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/miekg/dns@v1.1.63: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/openshift/api@v0.0.0-20260511191110-9b69e5fa27e9: is

... [truncated 31032 characters] ...

elet: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/metrics: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/mount-utils: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/pod-security-admission: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-apiserver: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-cli-plugin: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-controller: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pmtk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/user/howto_config.md`:
- Around line 43-45: The routing configuration example in the config format
block uses invalid values for routeTableID and serviceRouteTableID (both set to
0), which violates the runtime contract requiring IDs to be in the range 1..252
and requiring both IDs to differ. Either replace these values with valid
examples (such as routeTableID: 1 and serviceRouteTableID: 2) that satisfy the
constraints, or remove these fields from the documentation example to avoid
misleading users into creating invalid configurations.

In `@pkg/config/c2cc_test.go`:
- Around line 95-96: The mk*C2CCConfig builders are applying
withRoutingDefaults() wrapper in addition to withDNSDefaults(), which masks the
nil-routing default path and prevents proper coverage testing. Remove the
withRoutingDefaults() wrapper from all three mk*C2CCConfig builder methods at
their respective locations (keeping only withDNSDefaults()), so that tests
specifically designed to exercise nil routing input (such as the "defaults are
used when nil" test case) can properly verify the resolveRoutingDefaults()
behavior without having defaults pre-applied by the fixture builders.

In `@pkg/config/config.go`:
- Around line 588-589: The issue is that c.C2CC.resolveRoutingDefaults() is
called unconditionally at line 588, but the validation of routing table IDs only
occurs when C2CC is enabled within the Config.validate() method. This allows
invalid user-supplied routing IDs to reach runtime when C2CC is disabled. To fix
this, ensure that the c.C2CC.validate(c) call in the validate() method runs
unconditionally regardless of whether C2CC is enabled, so that routing table ID
validation happens at the trust boundary before any runtime consumption.
Validate user-configured routing IDs using an allow-list approach before they
are consumed by the disabled-mode cleanup route managers.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8e829281-1343-4e22-8cd3-3a827614ee8a

📥 Commits

Reviewing files that changed from the base of the PR and between cc4654e and 90ebcaa.

📒 Files selected for processing (10)

• cmd/generate-config/config/config-openapi-spec.json
• docs/user/howto_config.md
• packaging/microshift/config.yaml
• pkg/config/c2cc.go
• pkg/config/c2cc_test.go
• pkg/config/config.go
• pkg/controllers/c2cc/controller.go
• pkg/controllers/c2cc/helpers_test.go
• pkg/controllers/c2cc/routes.go
• pkg/controllers/c2cc/service_routes.go

[pmtk]

/test ?

[pmtk]

/retest

[pmtk]

/retest

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/c2cc/custom-route-tables.robot`:
- Around line 116-124: The rule deletion command on line 123 uses only the
priority value to delete rules, which can inadvertently remove unrelated rules
that share the same priority, including default C2CC rules. Instead of deleting
by priority alone using just prio, extract and use the full rule selector from
the original line variable that includes the lookup criteria for the custom
route tables. This way, the deletion command will match and remove only the
exact rules intended rather than any rule with that priority value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 09744e16-a99b-4f7f-8be4-b63427ad8d51

📥 Commits

Reviewing files that changed from the base of the PR and between 8db17da and dc1e877.

📒 Files selected for processing (3)

• test/resources/c2cc.resource
• test/suites/c2cc/cleanup.robot
• test/suites/c2cc/custom-route-tables.robot

💤 Files with no reviewable changes (1)

• test/suites/c2cc/cleanup.robot

[openshift-ci]

@pmtk: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-tests-bootc-el9	e47a22e	link	true	/test e2e-aws-tests-bootc-el9
ci/prow/e2e-aws-tests-bootc-el10	e47a22e	link	true	/test e2e-aws-tests-bootc-el10
ci/prow/test-rpm	e47a22e	link	true	/test test-rpm
ci/prow/e2e-aws-tests-bootc-arm-el9	e47a22e	link	true	/test e2e-aws-tests-bootc-arm-el9
ci/prow/e2e-aws-tests-arm	e47a22e	link	true	/test e2e-aws-tests-arm
ci/prow/e2e-aws-tests	e47a22e	link	true	/test e2e-aws-tests
ci/prow/e2e-aws-tests-bootc-arm-el10	e47a22e	link	true	/test e2e-aws-tests-bootc-arm-el10
ci/prow/ocp-full-conformance-serial-rhel-eus	e47a22e	link	true	/test ocp-full-conformance-serial-rhel-eus
ci/prow/verify	e47a22e	link	true	/test verify
ci/prow/test-unit	e47a22e	link	true	/test test-unit
ci/prow/ocp-full-conformance-rhel-eus	e47a22e	link	true	/test ocp-full-conformance-rhel-eus

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.