@anandkuma77

Summary

Fixes multiple golangci-lint errors to ensure the codebase passes all linting checks.

Changes

  • forcetypeassert: Replace unsafe type assertions with checked assertions across istiocsr and deployment packages
  • contextcheck: Add nolint for SetupSignalHandler (intentionally creates new context)
  • wastedassign: Add nolint for deployment assignment (kept for clarity)
  • makezero: Initialize slices with zero length and pre-allocate capacity
  • depguard: Disabled due to golangci-lint v2 configuration issues

Fix forcetypeassert, contextcheck, wastedassign, and makezero lint errors
across istiocsr and deployment controller packages. Disable depguard due
to golangci-lint v2 configuration issues.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 24, 2025
@openshift-ci-robot

openshift-ci-robot commented Dec 24, 2025

@anandkuma77: This pull request references CM-841 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


@coderabbitai

coderabbitai bot commented Dec 24, 2025

Walkthrough

The PR reconfigures Go linters in .golangci.yaml with expanded scope and exclusion rules, adds lint suppression comments throughout the codebase to address wrapcheck/staticcheck/godot warnings, refactors error handling with type-safe runtime checks in object decoders, renames error variables for consistency across test mocks and utilities, and improves control flow safety in IstioCSR controller components.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Linter Configuration: .golangci.yaml | Removes depguard from enabled linters; introduces extensive per-path, per-text, and per-linter exclusions; enables linters for specific contexts; configures wrapcheck, staticcheck, unparam, godot, gosec, nestif, and gocritic with customized scope and complexity adjustments. |
| Type Definitions & Lint Annotations: api/operator/v1alpha1/certmanager_types.go, api/operator/v1alpha1/istiocsr_types.go | Adds nolint:godot directives and operator-sdk CSV customresourcedefinitions displayName annotations above type definitions; no functional changes to type signatures. |
| Deployment Controllers: pkg/controller/deployment/credentials_request.go, pkg/controller/deployment/default_cert_manager_controller.go, pkg/controller/deployment/deployment_overrides.go, pkg/controller/deployment/deployment_unsupported_overrides.go, pkg/controller/deployment/generic_deployment_controller.go | Adds nolint:wrapcheck, nolint:gosec, nolint:staticcheck annotations to error returns and constants; removes local informers slice creation and related append operations; no behavioral changes except lint suppression. |
| IstioCSR Controller Core Logic: pkg/controller/istiocsr/certificates.go, pkg/controller/istiocsr/client.go, pkg/controller/istiocsr/controller.go, pkg/controller/istiocsr/deployments.go, pkg/controller/istiocsr/networkpolicies.go, pkg/controller/istiocsr/rbacs.go, pkg/controller/istiocsr/utils.go | Refactors type handling with runtime checks and type switches; adds invalidIssuerRefConfigError→errInvalidIssuerRefConfig rename; introduces handleProcessingRejection helper method; replaces type assertions with guarded checks; adds panic-on-bad-type validation in decode and comparison helpers; optimizes DNSNames allocation; updates method parameter names (new→desired) in RBAC status updates. |
| IstioCSR Test Files: pkg/controller/istiocsr/*_test.go, pkg/controller/istiocsr/test_utils.go | Systematically replaces testError with errTestClient across mocked client call paths (ExistsCalls, ListCalls, CreateCalls, UpdateWithRetryCalls, StatusUpdateCalls) in certificates, controller, deployments, install, rbacs, serviceaccounts, and services tests; renames test utility variable testError→errTestClient. |
| Operator & Utility Files: main.go, pkg/features/features.go, pkg/operator/operatorclient/operatorclient.go, pkg/operator/optionalinformer/optional_informer.go, pkg/operator/setup_manager.go, pkg/operator/starter.go | Adds nolint:wrapcheck and nolint:contextcheck annotations to error returns; assigns cmd.Help() error to blank identifier in main.go; refactors variable naming (copy→updated) in UpdateOperatorSpec/UpdateOperatorStatus; adjusts finalizer handling; imports slices package. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~65 minutes

@anandkuma77 anandkuma77 marked this pull request as draft December 24, 2025 03:13
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 24, 2025
@openshift-ci
Contributor

openshift-ci bot commented Dec 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anandkuma77
Once this PR has been reviewed and has the lgtm label, please assign mytreya-rh for approval. For more information see the Code Review Process.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
pkg/controller/deployment/credentials_request.go (1)

46-56: Consider evaluating the wrapcheck suppressions for consistency with error handling patterns.

Line 48 wraps the error with context (fmt.Errorf), but lines 50 and 55 return errors directly with //nolint:wrapcheck comments claiming "error from lister is already contextual."

While Kubernetes lister/informer errors typically do include method context (e.g., secrets.Get(), infrastructure.Get()), the inconsistency between wrapping some errors and suppressing wrapping for others may warrant clarification: Is the distinction intentional (some errors need additional context, others don't), or should all be wrapped consistently for clarity?

This doesn't block the PR, but ensure the pattern aligns with your team's error handling conventions.

pkg/controller/deployment/deployment_overrides.go (1)

196-201: Consider wrapping the error for consistency and better debugging.

While the lister error includes the resource name and namespace, wrapping it with operation context (similar to line 198) would improve debugging by clarifying this occurred during trusted CA configmap loading.

🔎 Proposed refactor to wrap the error
 		_, err := configmapinformer.Lister().ConfigMaps(operatorclient.TargetNamespace).Get(trustedCAConfigmapName)
 		if err != nil && apierrors.IsNotFound(err) {
 			return fmt.Errorf("(Retrying) trusted CA config map %q doesn't exist due to %w", trustedCAConfigmapName, err)
 		} else if err != nil {
-			return err //nolint:wrapcheck // error from lister is already contextual
+			return fmt.Errorf("failed to get trusted CA config map %q: %w", trustedCAConfigmapName, err)
 		}
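Review bot: the replacement message on the `+` line names the config map but drops the namespace, which is the other half of the lookup key in the `ConfigMaps(operatorclient.TargetNamespace).Get(trustedCAConfigmapName)` call at the top of the hunk; include it so the error identifies the object unambiguously. Since the first branch already returns, the `else if err != nil` can also become a plain `if err != nil`.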
pkg/controller/deployment/default_cert_manager_controller.go (1)

58-58: Consider wrapping the error instead of suppressing the linter.

While the Kubernetes client error contains API-level details, wrapping it would add application context about the specific operation that failed (creating the default cert manager). This improves debugging by making error messages more informative in logs and traces.

🔎 Proposed refactor to wrap the error
-	return c.certManagerClient.CertManagers().Create(ctx, cm, metav1.CreateOptions{}) //nolint:wrapcheck // error from client is already contextual
+	cm, err := c.certManagerClient.CertManagers().Create(ctx, cm, metav1.CreateOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create default cert manager: %w", err)
+	}
+	return cm, nil
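Review bot: on the first `+` line, `cm, err := ...Create(ctx, cm, metav1.CreateOptions{})` reuses `cm` for both the request object passed in and the object returned. If `cm` and `err` are both already declared in this scope the `:=` will not compile, and otherwise it overwrites or shadows the object being created. Assign the result to a separate name (for example `created, err := ...`) and return that.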

Don't forget to import fmt if not already present.

pkg/controller/istiocsr/utils.go (1)

404-423: Consider simplifying the redundant type assertions.

In these generic functions, after the type switch on desired, the types are already known. The additional any(desired).(*rbacv1.ClusterRole) assertions are technically redundant since the switch case already confirms the type. However, this doesn't affect correctness and satisfies the linter.

Also applies to: 425-444, 446-465

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b0b1af8 and c3b053f.

📒 Files selected for processing (29)
  • .golangci.yaml
  • api/operator/v1alpha1/certmanager_types.go
  • api/operator/v1alpha1/istiocsr_types.go
  • main.go
  • pkg/controller/deployment/credentials_request.go
  • pkg/controller/deployment/default_cert_manager_controller.go
  • pkg/controller/deployment/deployment_overrides.go
  • pkg/controller/deployment/deployment_unsupported_overrides.go
  • pkg/controller/deployment/generic_deployment_controller.go
  • pkg/controller/istiocsr/certificates.go
  • pkg/controller/istiocsr/certificates_test.go
  • pkg/controller/istiocsr/client.go
  • pkg/controller/istiocsr/controller.go
  • pkg/controller/istiocsr/controller_test.go
  • pkg/controller/istiocsr/deployments.go
  • pkg/controller/istiocsr/deployments_test.go
  • pkg/controller/istiocsr/install_instiocsr_test.go
  • pkg/controller/istiocsr/networkpolicies.go
  • pkg/controller/istiocsr/rbacs.go
  • pkg/controller/istiocsr/rbacs_test.go
  • pkg/controller/istiocsr/serviceaccounts_test.go
  • pkg/controller/istiocsr/services_test.go
  • pkg/controller/istiocsr/test_utils.go
  • pkg/controller/istiocsr/utils.go
  • pkg/features/features.go
  • pkg/operator/operatorclient/operatorclient.go
  • pkg/operator/optionalinformer/optional_informer.go
  • pkg/operator/setup_manager.go
  • pkg/operator/starter.go
💤 Files with no reviewable changes (1)
  • pkg/controller/deployment/generic_deployment_controller.go
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • pkg/controller/istiocsr/controller.go
  • pkg/operator/setup_manager.go
  • pkg/operator/starter.go
  • pkg/controller/deployment/default_cert_manager_controller.go
  • pkg/operator/optionalinformer/optional_informer.go
  • pkg/controller/deployment/deployment_overrides.go
  • api/operator/v1alpha1/istiocsr_types.go
  • pkg/features/features.go
  • pkg/controller/istiocsr/controller_test.go
  • pkg/controller/deployment/deployment_unsupported_overrides.go
  • pkg/controller/istiocsr/certificates.go
  • pkg/controller/istiocsr/rbacs_test.go
  • pkg/controller/istiocsr/serviceaccounts_test.go
  • pkg/operator/operatorclient/operatorclient.go
  • pkg/controller/istiocsr/rbacs.go
  • pkg/controller/istiocsr/services_test.go
  • pkg/controller/istiocsr/client.go
  • pkg/controller/istiocsr/deployments.go
  • pkg/controller/istiocsr/deployments_test.go
  • pkg/controller/deployment/credentials_request.go
  • pkg/controller/istiocsr/utils.go
  • pkg/controller/istiocsr/certificates_test.go
  • api/operator/v1alpha1/certmanager_types.go
  • pkg/controller/istiocsr/install_instiocsr_test.go
  • pkg/controller/istiocsr/networkpolicies.go
  • pkg/controller/istiocsr/test_utils.go
  • main.go
🧬 Code graph analysis (4)
pkg/controller/istiocsr/rbacs.go (2)
pkg/controller/istiocsr/controller.go (1)
  • Reconciler (48-55)
api/operator/v1alpha1/istiocsr_types.go (1)
  • IstioCSR (48-64)
pkg/controller/istiocsr/deployments.go (3)
pkg/controller/istiocsr/errors.go (1)
  • NewIrrecoverableError (28-37)
api/operator/v1alpha1/istiocsr_types.go (1)
  • IstioCSRConfig (80-159)
api/operator/v1alpha1/certmanager_types.go (1)
  • CertManager (191-200)
pkg/controller/istiocsr/utils.go (3)
api/operator/v1alpha1/groupversion_info.go (1)
  • SchemeGroupVersion (29-29)
api/operator/v1alpha1/istiocsr_types.go (1)
  • IstioCSR (48-64)
api/operator/v1alpha1/conditions.go (2)
  • Ready (27-27)
  • ReasonFailed (31-31)
pkg/controller/istiocsr/networkpolicies.go (2)
api/operator/v1alpha1/certmanager_types.go (1)
  • NetworkPolicy (247-272)
pkg/operator/applyconfigurations/operator/v1alpha1/networkpolicy.go (1)
  • NetworkPolicy (20-22)
🔇 Additional comments (42)
pkg/features/features.go (1)

22-27: Well-reasoned lint suppression with clear justification.

The //nolint:wrapcheck annotation is appropriate here. The comment clearly explains that featuregate.Set() already returns contextually meaningful errors, eliminating the need for additional error wrapping. This is a pragmatic approach to lint fixes that avoids artificial wrapper layers when they don't add value.

pkg/controller/deployment/credentials_request.go (1)

23-23: Lint suppressions for path/volume constants are appropriate.

The //nolint:gosec comments correctly identify these as path and volume name constants rather than hardcoded credentials. This aligns with the security intent behind the G101 rule.

Also applies to: 29-29

pkg/controller/deployment/deployment_unsupported_overrides.go (2)

42-45: LGTM!

The wrapcheck suppression is appropriate here. json.Unmarshal errors already include sufficient context about the unmarshaling failure, and the calling context (UnsupportedConfigOverrides.Raw) is evident from the surrounding code.


47-48: LGTM!

The suppression is well-justified. Since unsupportedConfigOverrides modifies the deployment via pointer, the assignment is technically redundant but keeping it documents the intent that the deployment is being transformed at this point.

pkg/controller/deployment/deployment_overrides.go (1)

35-35: LGTM! Appropriate gosec suppression.

The nolint comment correctly suppresses the G101 (hardcoded credentials) warning. This is a standard Kubernetes service account token directory path, not a credential.

api/operator/v1alpha1/istiocsr_types.go (1)

46-48: LGTM!

The nolint:godot directive with explanatory comment is appropriate for suppressing the linter on operator-sdk annotations that don't require trailing periods.

api/operator/v1alpha1/certmanager_types.go (1)

189-191: LGTM!

Consistent with the same pattern applied to IstioCSR type.

pkg/operator/optionalinformer/optional_informer.go (1)

57-58: LGTM!

The nolint:wrapcheck is justified here since Kubernetes discovery client errors include sufficient context. The inline comment documents the rationale.

pkg/operator/operatorclient/operatorclient.go (3)

172-176: Good rename from copy to updated.

Avoiding the builtin function name copy improves code clarity and prevents potential confusion.


207-214: LGTM!

Using slices.Contains is cleaner than manual iteration. The variable reuse for finalizers is functionally equivalent to the previous approach.


249-253: LGTM!

The nolint:wrapcheck directives throughout this file are consistent with the configured exclusions for Kubernetes client interfaces where wrapping adds no value.

.golangci.yaml (3)

60-61: LGTM on depguard disable.

Good practice to document the issue reference for the temporary disable.


224-250: Comprehensive wrapcheck configuration.

The exclusions for internal packages and Kubernetes client interfaces are well-structured and reduce false positives without compromising error handling quality.


275-279: The staticcheck configuration format is correct for golangci-lint v2. The use of checks: ["all", "-SA4006", "-SA4031"] properly disables specific checks while enabling all others, and the explanatory comments justify the disables appropriately.

pkg/controller/istiocsr/test_utils.go (1)

39-41: Good rename following Go conventions.

Prefixing error variables with err (e.g., errTestClient) follows Go naming conventions and improves code consistency.

main.go (1)

30-31: LGTM!

Explicitly ignoring the Help() error is acceptable here since the program exits immediately afterward regardless of success or failure.

pkg/controller/istiocsr/serviceaccounts_test.go (2)

45-50: LGTM!

Consistent usage of the renamed errTestClient variable from test_utils.go.


55-63: LGTM!

Test case correctly uses the renamed error variable while maintaining the expected error message.

pkg/controller/istiocsr/networkpolicies.go (1)

47-50: LGTM! Type-safe assertion prevents panics.

The checked type assertion correctly handles type mismatches by returning a descriptive error instead of panicking. This aligns with the PR's forcetypeassert lint fix objective.

pkg/operator/setup_manager.go (1)

82-82: LGTM! Appropriate lint suppression.

The nolint directive is justified since manager errors already provide contextual information, making additional wrapping redundant.

pkg/controller/istiocsr/certificates.go (1)

77-81: LGTM! Efficient slice pre-allocation.

Pre-allocating the slice capacity prevents reallocations during subsequent appends, improving performance while maintaining the same functional behavior.

pkg/controller/istiocsr/services_test.go (1)

48-48: LGTM! Consistent test error naming.

The renaming from testError to errTestClient improves clarity and aligns with the broader test refactoring across IstioCSR test files.

Also applies to: 61-61, 84-84

pkg/controller/istiocsr/certificates_test.go (1)

37-37: LGTM! Consistent test error naming.

These changes align with the test refactoring to use errTestClient consistently across IstioCSR test files.

Also applies to: 67-67, 116-116

pkg/controller/istiocsr/deployments_test.go (1)

119-119: LGTM! Consistent test error naming.

All instances updated to use errTestClient, maintaining consistency with the broader test refactoring effort.

Also applies to: 170-170, 220-220, 363-363, 530-530, 566-566

pkg/controller/istiocsr/controller_test.go (1)

147-147: LGTM! Consistent test error naming.

The error variable renaming maintains consistency with the test refactoring across all IstioCSR controller tests.

Also applies to: 379-379, 401-401, 682-682, 731-731

pkg/controller/istiocsr/install_instiocsr_test.go (1)

75-75: LGTM! Consistent test error naming.

These final updates complete the consistent error variable naming across all IstioCSR test files.

Also applies to: 88-88, 104-104

pkg/controller/istiocsr/controller.go (2)

106-106: LGTM!

The nolint:wrapcheck comment is appropriate here since cache.New returns errors that are already contextual and don't need additional wrapping in this thin wrapper function.


130-130: LGTM!

The lint suppression comments are well-justified:

  • nestif suppressions for complex but necessary control flow in label processing and deployment reconciliation
  • wrapcheck for builder chain that returns contextual errors
  • unparam for error return kept for future implementation (as noted in the TODO)

Also applies to: 198-199, 275-275, 332-334

pkg/controller/istiocsr/client.go (2)

78-82: LGTM - Good type-safe object instantiation.

The reflection-based object creation with explicit type assertion prevents potential panics from unchecked type assertions and provides a clear error message if the assertion fails.


46-46: LGTM!

The nolint:wrapcheck comments are appropriate for these thin wrapper methods - the underlying client errors are already contextual and wrapping would add redundant information.

Also applies to: 52-52, 58-58, 64-64, 70-70, 92-92, 101-101, 107-107, 115-115

pkg/operator/starter.go (2)

48-48: LGTM!

The nolint:wrapcheck comments are appropriate - NewForConfig errors are already contextual from the Kubernetes client library.

Also applies to: 53-53, 58-58, 83-83


149-149: LGTM!

The nolint:contextcheck is correctly applied and well-documented. SetupSignalHandler intentionally creates a new context for OS signal handling rather than using the passed context, which is the expected pattern for graceful shutdown.

pkg/controller/istiocsr/rbacs_test.go (1)

31-31: LGTM!

Consistent renaming of test error variable to errTestClient follows Go conventions for error variable naming (err prefix) and aligns with the updated sentinel defined in test_utils.go.

Also applies to: 47-47, 63-63, 76-76, 90-90, 105-105, 119-119

pkg/controller/istiocsr/deployments.go (3)

32-32: LGTM!

Renaming invalidIssuerRefConfigError to errInvalidIssuerRefConfig follows Go naming conventions for package-level error variables.


253-260: LGTM - Type-safe issuer handling.

The type switch with explicit handling for ClusterIssuer and Issuer types, plus a default case that returns an irrecoverable error, eliminates the risk of panics from unchecked type assertions while providing clear error messages for unexpected types.


366-373: LGTM!

Consistent application of the same type switch pattern in handleIssuerBasedCA ensures type safety throughout the issuer handling code paths.

pkg/controller/istiocsr/rbacs.go (2)

135-146: LGTM!

Renaming parameter from new to desired avoids shadowing Go's builtin new function and improves code clarity by using consistent terminology (desired vs existing/fetched) throughout the codebase.


225-236: LGTM!

Consistent parameter renaming applied to updateClusterRoleBindingNameInStatus.

pkg/controller/istiocsr/utils.go (4)

66-66: LGTM!

The nolint:wrapcheck is appropriate - the retry loop already wraps errors with context before returning.


163-173: LGTM - Hardened decode helpers.

Adding checked type assertions to decode functions provides clear panic messages if static assets contain unexpected types. Since these decode static manifests bundled with the operator, a type mismatch indicates a programming/build error that should fail fast.

Also applies to: 175-185, 187-197, 199-209, 211-221, 223-233, 235-245, 247-257


265-322: LGTM!

The added type assertions in hasObjectChanged provide defense-in-depth, though the initial reflect.TypeOf check at line 260-262 should already catch type mismatches. The explicit assertions give clearer panic messages.


502-517: LGTM - Good helper extraction.

handleProcessingRejection cleanly consolidates the status condition update and annotation handling, reducing duplication and improving maintainability.
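
The two lint classes at the centre of this PR, forcetypeassert and makezero, shown side by side with their corrected forms. This is an added example, not code from the pull request; `Deployment`, `Service`, and every function name below are stand-ins constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types constructed for this example; the PR itself works on
// Kubernetes API objects.
type Deployment struct{ Name string }
type Service struct{ Name string }

var errUnexpectedType = errors.New("unexpected object type")

// asDeploymentForced is the shape forcetypeassert reports: the single-value
// assertion panics with a runtime error when obj holds any other type.
func asDeploymentForced(obj any) *Deployment {
	return obj.(*Deployment)
}

// asDeploymentChecked uses the two-value form and hands the mismatch back to
// the caller as an error instead of crashing the process.
func asDeploymentChecked(obj any) (*Deployment, error) {
	d, ok := obj.(*Deployment)
	if !ok {
		return nil, fmt.Errorf("%w: want *Deployment, got %T", errUnexpectedType, obj)
	}
	return d, nil
}

// panics reports whether f panicked.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

// dnsNamesBuggy is the shape makezero reports: make with a non-zero length
// followed by append leaves len(extra)+1 empty strings at the front.
func dnsNamesBuggy(primary string, extra []string) []string {
	names := make([]string, len(extra)+1)
	names = append(names, primary)
	return append(names, extra...)
}

// dnsNamesFixed starts at length zero and only reserves capacity, so the
// result holds exactly the names that were appended.
func dnsNamesFixed(primary string, extra []string) []string {
	names := make([]string, 0, len(extra)+1)
	names = append(names, primary)
	return append(names, extra...)
}

func main() {
	var obj any = &Service{Name: "istio-csr"} // constructed sample input
	fmt.Println("forced assertion panics:", panics(func() { asDeploymentForced(obj) }))
	_, err := asDeploymentChecked(obj)
	fmt.Println("checked assertion:", err)

	extra := []string{"b.example.test", "c.example.test"} // constructed sample input
	fmt.Printf("buggy: %q\n", dnsNamesBuggy("a.example.test", extra))
	fmt.Printf("fixed: %q\n", dnsNamesFixed("a.example.test", extra))
}
```

In the buggy variant the empty entries would end up in whatever consumes the list, which is why makezero matters for a field such as a certificate's DNS names.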

@anandkuma77 anandkuma77 marked this pull request as ready for review December 24, 2025 05:07
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 24, 2025
@openshift-ci openshift-ci bot requested a review from swghosh December 24, 2025 05:08
@PillaiManish
Member

/retest

@openshift-ci
Contributor

openshift-ci bot commented Dec 29, 2025

@anandkuma77: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-operator | c3b053f | link | true | /test e2e-operator |

Member

@PillaiManish PillaiManish left a comment

Looks good to me, just we need to check why the CI job is failing.

Comment on lines +168 to +172
deployment, ok := obj.(*appsv1.Deployment)
if !ok {
panic(fmt.Sprintf("decoded object is not a Deployment, got %T", obj))
}
return deployment
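Review bot: the `!ok` branch still ends in `panic(...)`, so a type mismatch terminates the process just as the unchecked assertion did, and the change only improves the message. If that fail-fast behaviour is intended, say so in a comment above the assertion; otherwise return an error so the caller decides how to handle it. The panic message would also be easier to act on if it identified which input was being decoded, since `%T` alone does not say which one failed.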
Member

@PillaiManish PillaiManish Dec 29, 2025

What was the reason to modify this?
