USHIFT-6947: C2CC: Configurable routing table IDs

[pmtk]

Summary by CodeRabbit

• New Features
  • Added clusterToCluster.routing for C2CC Linux policy routing table IDs (routeTableID, serviceRouteTableID) with defaulting, validation (allowed range), and requirement that the two IDs differ.
• Documentation
  • Updated config.yaml examples and the configuration guide to include the new routing block.
  • Updated the published OpenAPI/JSON schema for the new required routing section.
• Tests
  • Added unit tests for routing defaulting, validation, and user override behavior.
  • Added Robot Framework suites verifying both default and custom routing table IDs are applied.

[openshift-ci-robot]

@pmtk: This pull request references USHIFT-6947 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds configurable routing block to C2CC config with routeTableID and serviceRouteTableID fields. Introduces C2CCRouting struct with validation (1–252 range, must differ) and resolved config fields. Route managers consume resolved IDs instead of hardcoded constants. Updates OpenAPI schema, docs, packaging, and adds comprehensive custom-routing test suite.

Changes

C2CC Configurable Routing Table IDs

Layer / File(s)	Summary
C2CCRouting type and validation pkg/config/c2cc.go	Adds C2CCRouting struct with optional RouteTableID and ServiceRouteTableID pointers. Extends C2CC with ResolvedRouteTableID and ResolvedServiceRouteTableID fields. Introduces resolveRoutingDefaults() to default unset IDs to 200/201 and validate both are within 1–252 and differ. Refactors DNS TTL checks into C2CCDNS.validate() and updates C2CC.validate() to delegate validation.
Config defaults and user settings pkg/config/config.go	fillDefaults initializes routing ID pointers. incorporateUserSettings merges user routing IDs when non-nil. updateComputedValues invokes routing default resolution.
Route managers consume resolved IDs pkg/controllers/c2cc/routes.go, pkg/controllers/c2cc/service_routes.go, pkg/controllers/c2cc/controller.go	Removes hardcoded route-table and proto constants. linuxRouteManager and serviceRouteManager read table/proto from resolved config fields. Controller logs subscription failures with runtime table IDs.
Config testing and helpers pkg/config/c2cc_test.go, pkg/controllers/c2cc/helpers_test.go	Adds withRoutingDefaults helper to all C2CC config builders. Introduces TestC2CC_RoutingTableValidation covering custom IDs, bounds, duplicates, and defaults. Extends TestC2CC_IncorporateUserSettings for routing overrides. Updates testConfigWithRemotes to set resolved defaults (200, 201).
OpenAPI schema, docs, and packaging cmd/generate-config/config/config-openapi-spec.json, docs/user/howto_config.md, packaging/microshift/config.yaml	OpenAPI spec adds routing to required fields with schema (defaults 200/201, bounds 1–252, mutual-difference constraint). Docs and packaging add annotated routing section with defaults and constraints.
Robot test framework and custom routing suite test/resources/c2cc.resource, test/suites/c2cc/cleanup.robot, test/suites/c2cc/custom-route-tables.robot	Extracts Verify Cluster Is Healthy to shared resource. New custom-route-tables.robot validates C2CC honors custom routing table IDs via config drop-in, verifies route/rule placement in custom tables, confirms default tables (200/201) remain intact. Setup/Teardown and helpers for config application, table cleanup, and health verification.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: making C2CC routing table IDs configurable instead of hardcoded.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in the PR use stable, static, descriptive strings with no dynamic information like pod names, timestamps, UUIDs, node names, IPs, or namespace suffixes that change between runs.
Test Structure And Quality	✅ Passed	Custom check targets Ginkgo test code; PR adds standard Go tests (testing.T/t.Run) only. No Ginkgo tests found in repo or PR.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Tests added use Go's standard testing package (unit tests) and Robot Framework (integration tests).
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests added in this PR. Tests added are Robot Framework integration tests and Go unit tests, not Ginkgo-style tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies C2CC configuration and controller logic but does not introduce or modify any Kubernetes pod scheduling constraints, deployment manifests, or topology-dependent scheduling assumptions.
Ote Binary Stdout Contract	✅ Passed	PR modifies config, unit tests, and Robot Framework suites for C2CC routing; no OTE test binaries, suite entry points, or process-level stdout writes are introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains no Ginkgo e2e tests. Test changes are standard Go unit tests (testing package) and Robot Framework tests (.robot files), which are outside Ginkgo check scope.
No-Weak-Crypto	✅ Passed	No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto implementations, or non-constant-time secret comparisons detected. PR focuses on routing table configuration only.
Container-Privileges	✅ Passed	PR modifies routing configuration, docs, and tests only. No Kubernetes manifests or container security configurations are added or modified.
No-Sensitive-Data-In-Logs	✅ Passed	Logging statements only expose routing table IDs (non-sensitive kernel parameters) and system errors; no passwords, tokens, PII, session IDs, credentials, or customer data are logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pmtk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/user/howto_config.md`:
- Around line 43-45: The routing configuration example in the config format
block uses invalid values for routeTableID and serviceRouteTableID (both set to
0), which violates the runtime contract requiring IDs to be in the range 1..252
and requiring both IDs to differ. Either replace these values with valid
examples (such as routeTableID: 1 and serviceRouteTableID: 2) that satisfy the
constraints, or remove these fields from the documentation example to avoid
misleading users into creating invalid configurations.

In `@pkg/config/c2cc_test.go`:
- Around line 95-96: The mk*C2CCConfig builders are applying
withRoutingDefaults() wrapper in addition to withDNSDefaults(), which masks the
nil-routing default path and prevents proper coverage testing. Remove the
withRoutingDefaults() wrapper from all three mk*C2CCConfig builder methods at
their respective locations (keeping only withDNSDefaults()), so that tests
specifically designed to exercise nil routing input (such as the "defaults are
used when nil" test case) can properly verify the resolveRoutingDefaults()
behavior without having defaults pre-applied by the fixture builders.

In `@pkg/config/config.go`:
- Around line 588-589: The issue is that c.C2CC.resolveRoutingDefaults() is
called unconditionally at line 588, but the validation of routing table IDs only
occurs when C2CC is enabled within the Config.validate() method. This allows
invalid user-supplied routing IDs to reach runtime when C2CC is disabled. To fix
this, ensure that the c.C2CC.validate(c) call in the validate() method runs
unconditionally regardless of whether C2CC is enabled, so that routing table ID
validation happens at the trust boundary before any runtime consumption.
Validate user-configured routing IDs using an allow-list approach before they
are consumed by the disabled-mode cleanup route managers.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8e829281-1343-4e22-8cd3-3a827614ee8a

📥 Commits

Reviewing files that changed from the base of the PR and between cc4654e and 90ebcaa.

📒 Files selected for processing (10)

• cmd/generate-config/config/config-openapi-spec.json
• docs/user/howto_config.md
• packaging/microshift/config.yaml
• pkg/config/c2cc.go
• pkg/config/c2cc_test.go
• pkg/config/config.go
• pkg/controllers/c2cc/controller.go
• pkg/controllers/c2cc/helpers_test.go
• pkg/controllers/c2cc/routes.go
• pkg/controllers/c2cc/service_routes.go

[pmtk]

/test ?

[pmtk]

/retest

[pmtk]

/retest

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/c2cc/custom-route-tables.robot`:
- Around line 116-124: The rule deletion command on line 123 uses only the
priority value to delete rules, which can inadvertently remove unrelated rules
that share the same priority, including default C2CC rules. Instead of deleting
by priority alone using just prio, extract and use the full rule selector from
the original line variable that includes the lookup criteria for the custom
route tables. This way, the deletion command will match and remove only the
exact rules intended rather than any rule with that priority value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 09744e16-a99b-4f7f-8be4-b63427ad8d51

📥 Commits

Reviewing files that changed from the base of the PR and between 8db17da and dc1e877.

📒 Files selected for processing (3)

• test/resources/c2cc.resource
• test/suites/c2cc/cleanup.robot
• test/suites/c2cc/custom-route-tables.robot

💤 Files with no reviewable changes (1)

• test/suites/c2cc/cleanup.robot

[agullon]

/retest

[openshift-ci]

@pmtk: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-tests-bootc-el9	aac8f3e	link	true	/test e2e-aws-tests-bootc-el9

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.