feat: upgrade preflight check (OLM residue scan + cluster guard)

[yhuan123]

Summary

• Preflight residue scan: read-only check before the upgrade loop. For each UpgradePath's baseline (Versions[0]), Get the operator's Subscription, Get the baseline ArtifactVersion (<artifact>.<bundleVersion> in cpaas-system), and List non-terminal InstallPlans filtered by OLM's operators.coreos.com/<pkg>.<ns> label. Any residue → fail with copy-pasteable kubectl delete commands (names/ns escaped via %q, generated by the centralised preflight.NewResidual constructor), a finalizer-unstuck template, and a "wait 30s for OLM" hint. 30s context timeout caps the entire call.

• Cluster identity guard (strict in every mode after code review): when operatorConfig.violet.clusters is set, the user must pass --confirm-cluster=<NAME>. The matching rule is mode-aware:

  • File-mode kubeconfig: --confirm-cluster must equal CurrentContext. Empty CurrentContext is treated as a user error with an actionable kubectl config use-context <name> hint (no silent fallback).
  • In-cluster: there is no CurrentContext to read, so --confirm-cluster must equal violet.clusters — the user explicitly acknowledges the target subcluster. A CI pod with violet.clusters: devops but no --confirm-cluster is now a hard error instead of a log line. This closes the "silent 假成功" symmetry that motivated the guard in the first place.

• CSV intentionally excluded from preflight: independent CSV residue (without Sub or AV) is a degenerate state covered by the other three checks. PackageManifest-driven CSV resolution is documented in the plan as a future-storage option if a real incident requires it.

• Config hardening: pkg/config/config.go::validateConfig now requires namespace for operatorhub type, requires bundleVersion for operatorhub type (empty value used to produce operatorhub-foo. AV names with a trailing dot — preflight reported clean while upgrade failed late with cryptic 404s), and enforces bundleVersion against ^[a-zA-Z0-9._-]+$ (the field is interpolated into kubectl + violet argv, so shell metacharacters here are an injection vector — single chokepoint closes it for every downstream consumer).

• CLI ergonomics: cmd.SilenceUsage = true in AddFlags so cobra does not dump --help over the actionable kubectl-delete lines on a non-zero exit. Flag-parsing errors still print usage (they execute before RunE), so typo'd flags are not stranded.

Code Review Fixes (P1 + P2 closed)

Multi-agent review (8 reviewers in parallel — architecture, performance, security, simplicity, silent-failure, type-design, pr-test, agent-native) surfaced 11 actionable findings; 3 P1 + 4 P2 fixed in commits 1201665 and f721f8e. P3 follow-ups recorded for later triage.

P1 — silent-failure closures (preflight was reporting "clean" while bypassing its own guard):

• feat: add violet config + exec env allowlist + helper functions (PR 1/3) #13 + refactor(operatorhub): install ArtifactVersion via violet binary (PR 2/3) #14 cluster guard: in-cluster mode and empty CurrentContext used to log.Warn then return nil. Both now hard-fail with actionable error messages. The previous behaviour defeated the guard exactly where it mattered most (CI pods, multi-context kubeconfigs).
• chore: rename artifact_version.go + drop 6 P2 todos fixed by PR #14 #15 BundleVersion required for operatorhub: empty value used to slip past validateConfig. The downstream AV-name interpolation produced malformed operatorhub-foo. names → Get returned NotFound → preflight falsely reported clean while upgrade crashed later with cryptic errors. Now required at load time.

P2 — internal hardening:

• chore(skill): add gen-upgrade-config for upgrade.yaml generation #16 Drop seen map from runPreflight: dead code under fail-fast semantics (architecture-strategist + simplicity-reviewer independently flagged it). -14 LOC.
• #018 checkInstallPlanResidue no longer discards the NestedString error. status.phase type drift now surfaces a wrapped error instead of being swallowed and producing an "every IP is non-terminal" noise storm — protects against OLM CRD schema migrations.
• #019 preflight.NewResidual constructor: centralises kubectl cleanup template + %q shell-quoting. Three call sites in operatorhub/preflight.go go from 5-line struct literals to one-line constructor calls. The shell-quoting invariant is now compiler-protected.
• feat: upgrade preflight check (OLM residue scan + cluster guard) #17 cmd-layer test coverage: assertClusterMatch + runPreflight carried zero coverage (pr-test-analyzer criticality 9). New cmd/upgrade_command_test.go adds 15 sub-tests including baseline-only invariant (regression guard against "scan all versions") and fail-fast verification (second path's PreflightBaseline provably not reached).

P3 follow-ups recorded as todos for later:

• todos/020-pending-p3-test-coverage-extensions.md — transient error type variants, IP label fixture drift, regex edge cases
• todos/021-pending-p3-preflight-simplifications.md — checks slice → sequential calls, phases map → switch
• todos/022-pending-p3-agent-ergonomics-followups.md — --preflight-output=json, exit-code taxonomy, optional --preflight-only
• todos/023-pending-p3-misc-cleanups.md — SilenceUsage placement, defensive zero-residual test, local Info log

Real-Cluster Validation

Verified against env3-devops cluster with live tektoncd-operator (Subscription in tekton-operator namespace, multiple historical ArtifactVersions in cpaas-system, terminal InstallPlan install-4pbdf):

Designed behavior	Real-cluster result
Subscription name + namespace match	✓ Detected tekton-operator/tektoncd-operator
ArtifactVersion <artifact>.<bundleVersion> match	✓ Detected tektoncd-operator.v4.11.0-beta.78.gcec2b43
OLM label selector operators.coreos.com/<pkg>.<ns>	✓ Real label is exactly this format; selector hits the right plans
Terminal-phase IP (Complete) filtered out	✓ Not reported as residue (matches plan design)
%q quoting in kubectl hints	✓ kubectl delete subscription "tektoncd-operator" -n "tekton-operator" ready to paste
No cluster mutation when preflight fails	✓ No violet invocation, no Subscription patch — verified by reading IP status.phase is unchanged across runs
Exit code	✓ 1
stdout / stderr split	✓ INFO logs → stdout; Error: preflight failed: ... → stderr

Testing

• 17 new tests in cmd/upgrade_command_test.go (10 assertClusterMatch × all branches + 5 runPreflight × baseline-only / fail-fast / error propagation / empty-versions / clean cluster + 2 PreflightError formatter).
• 12 sub-tests in pkg/operator/operatorhub/preflight_test.go covering clean cluster, single residue per kind, multi-kind aggregation, non-terminal IP phases ("" / Planning / RequiresApproval / Installing), terminal IP phases (Complete / Failed) ignored, transient API error wrap with "retry the run" hint, permanent error wrap chain (errors.Is), and a read-only contract assertion (spy reactor on create/update/patch/delete/deletecollection fails the test on any mutation).
• 9 sub-cases in pkg/config/config_test.go for new validators (shell metachar rejection × 5, realistic version acceptance × 4, namespace required for operatorhub, namespace optional for local, empty bundleVersion rejected for operatorhub).
• go test ./... + go vet ./... all pass with no regressions in existing violet / subscription / config tests.

Plan & Decisions

• Plan (with full Deepen report + 8 sub-agent findings folded in): docs/plans/2026-05-19-feat-upgrade-preflight-check-plan.md — included in the first commit so reviewers can map every design choice back to its source.
• Decision B (--confirm-cluster matching rule): locked at B1 = exact string equality. Implementation note in cmd/upgrade_command.go::assertClusterMatch documents how to switch to substring/regex without changing the flag surface.
• Decision C (PreflightError wording): locked at C1 = all-English. Implementation note in cmd/preflight_error.go::Error() documents the swap point if C2 / C3 is preferred later.

Post-Deploy Monitoring & Validation

• What to monitor:
  • upgrade-test CI runs in sprint envs for the first week after merge — look for an uptick in preflight failed: lines.
  • User-reported issues mentioning "upgrade now fails on a clean env" → potential false positive (namespace defaulting or label-selector miss).
  • CI jobs setting violet.clusters but missing --confirm-cluster: hard fail at startup is the new behaviour — pipeline configs may need a one-time update.
• Validation checks:
  • Sanity: on a known-clean sprint env, ./upgrade --config <real-upgrade.yaml> should reach the upgrade loop within ~2s of starting.
  • Negative: kubectl apply a stray Subscription, then re-run — expect a non-zero exit with the exact kubectl delete cleanup line printed.
  • Cluster-guard sanity: try --confirm-cluster=wrong-name against a real KUBECONFIG; expect a hard-fail with the actual current-context shown.
• Expected healthy behavior: silent preflight pass; upgrade continues as before.
• Failure signal / rollback trigger: user reports preflight false-positive on a clean env. Immediate mitigation: --skip-preflight. Code-level mitigation: revert this PR (no schema migration, no on-disk state).
• Validation window & owner: 1 week after merge / huanyang@alauda.io.

RBAC (smallest verb set for preflight only)

- apiGroups: ["operators.coreos.com"]
  resources: ["subscriptions", "installplans"]
  verbs: ["get", "list"]
- apiGroups: ["app.alauda.io"]
  resources: ["artifactversions"]
  verbs: ["get"]

The upgrade itself still requires the existing write permissions.

[alaudabot]

PR Review: feat/preflight-check

Summary

This PR introduces a preflight check layer and cluster identity guard. The implementation is well-documented, thoroughly tested, and follows the repository's existing conventions. No blocking issues found.

Critical Issues: 0

Warnings (2)

1. pkg/operator/operatorhub/preflight.go:34 — installPlanTerminalPhases is a package-level map[string]struct{} modified via assignment on first use. While not a runtime hazard, a const map or struct init would make immutability intent explicit.

2. pkg/config/config.go:20 — bundleVersionRegex uses regexp.MustCompile which panics on invalid regex at import time. Document the regex format or switch to regexp.Compile with a hardcoded fallback.

Suggestions (4)

1. cmd/preflight_error.go:36 — RecommendedCleanup uses %q for shell-escaping. Verify busybox-based kubectl handles quoted resource names identically. Consider adding a shell-executability test.

2. pkg/operator/operatorhub/preflight.go:119-127 — checkInstallPlanResidue handles errors.IsNotFound on a List call. A List returning zero items is the idiomatic "nothing found" signal in K8s; consider removing the IsNotFound check.

3. pkg/operator/operatorhub/preflight_test.go:44-63 — newIPWithPhase hardcodes label key "operators.coreos.com/tektoncd-operator.test-ns" instead of deriving from operator's name/namespace. Refactor to accept parameters.

4. pkg/operator/operatorhub/preflight_test.go:226-230 — Calling t.Errorf inside a reactor function may not propagate correctly from the fake client's goroutine. Move mutation detection to the main goroutine.

Positive Feedback

• Security-first design with single-chokepoint validation (bundleVersionRegex)
• Excellent test coverage including the read-only contract enforcement
• Clear architectural decisions documented in code comments
• Excellent README documentation on preflight
• Honest TOCTOU acknowledgment with "wait ~30s" hint

Status: PR is good to go. These are all non-blocking suggestions.

[alaudabot]

🤖 AI Code Review

Property	Value
Model	opencode/minimax-m2.5-free
Style	strict
Issues Found	0
Config Source	centralized
Profile	❌ Not Found
Personalized Prompt	❌ No
Prompt Path	.github/review/profiles/alaudadevops/upgrade-test/pr-review.md
Alauda Skills	✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-component-e2e-release, builders-alauda-component-upgrade, builders-alauda-pipeline, builders-claudetask-submit, builders-component-knowledge, builders-confluence, builders-dev-mesh-qa, builders-edge-ci-trace, builders-gitlab-ops, builders-helm-operator-generator, builders-install-cluster-plugin, builders-jira, builders-notify-wecom, builders-olm-operator-lifecycle, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, builders-violet, builders-webapp-testing, cross-repo-add-mirror, cross-repo-publish, devops-add-bug-release-notes, devops-autodns, devops-bundle-csv-baseline-diff, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-pr-review, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-refresh-results-tag, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at	2026-05-19 12:55:26 UTC

---

Summary

This PR implements a comprehensive preflight check system for the upgrade CLI, including OLM residue scanning (Subscription, ArtifactVersion, InstallPlan) and a cluster identity guard. The implementation is well-structured with good test coverage and proper separation of concerns. The code addresses the silent failure scenarios described in the PR description while maintaining backward compatibility through the --skip-preflight flag.

Review Statistics

Category	Count
Critical Issues	0
Warnings	2
Suggestions	3
Files Reviewed	14

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None identified.

Warnings

Issues that SHOULD be addressed but are not blocking

• [pkg/operator/operatorhub/preflight_test.go:248] (style/dead-code): The compile-time import guard var _ = metav1.GetOptions{} is technically valid but unconventional. While it serves as documentation that the package is used, metav1 is already imported and used elsewhere in the file. Consider removing or replacing with a build tag comment if this pattern is important for the project.

• [pkg/operator/operatorhub/preflight.go:19] (style/convention): installPlanTerminalPhases is a map that's never mutated. Consider using a constant map pattern instead:

  var installPlanTerminalPhases = map[string]struct{}{
      "Complete": {},
      "Failed":   {},
  }

  While functional, this could be made more explicit as a const if the language allows.

Suggestions

Recommendations for improvement (nice to have)

• [cmd/upgrade_command.go:190] (style/clarity): The nil-check cfg.OperatorConfig.Violet == nil is correct, but relies on the reader knowing Violet is a pointer. Consider adding a brief comment:

  // Violet is a pointer - check both nil and empty string

• [pkg/operator/operatorhub/preflight.go:94] (style/naming): The _ config.Version parameter in checkArtifactVersionResidue is unused, consistent with the pattern in other check functions but reduces readability. Consider explicitly naming it _ as is done, but this is a minor style preference.

• [pkg/operator/operatorhub/preflight.go:65] (refactor/clarity): The error message "preflight: %s: %w (transient, retry the run)" includes the kind name but could be more consistent with other error messages in the codebase. This is minor.

Positive Feedback

• Security: The bundleVersionRegex validation (^[a-zA-Z0-9._-]+$) properly prevents shell injection - this is a critical security fix.
• Test Coverage: Excellent coverage including the read-only contract test (TestPreflightBaseline_ReadOnly) that asserts no mutating operations occur.
• Error Handling: Good transient error detection with actionable "retry the run" messages.
• Architecture: Clean separation with preflight.Residual in a leaf package to avoid import cycles.
• Cluster Guard: Comprehensive handling of both in-cluster and file-mode kubeconfig scenarios.
• Documentation: The plan document and CLAUDE.md updates are thorough.

---

Review Note: The existing critical comment about isTransientAPIError being inaccessible is incorrect - the function is defined in artifact_version.go within the same package and is properly accessible. The seen map mentioned in a suggestion was already removed in prior commits as noted in the PR description.

---

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

• Shared prompt: .github/prompts/code-review.md
• Config source: centralized
• Profile path: Not Found
• Profile ref: e75e733e9aa1b417a8b3c6441e53495dbcb418ad
• No repository-specific prompt configured
• Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-component-e2e-release, builders-alauda-component-upgrade, builders-alauda-pipeline, builders-claudetask-submit, builders-component-knowledge, builders-confluence, builders-dev-mesh-qa, builders-edge-ci-trace, builders-gitlab-ops, builders-helm-operator-generator, builders-install-cluster-plugin, builders-jira, builders-notify-wecom, builders-olm-operator-lifecycle, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, builders-violet, builders-webapp-testing, cross-repo-add-mirror, cross-repo-publish, devops-add-bug-release-notes, devops-autodns, devops-bundle-csv-baseline-diff, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-pr-review, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-refresh-results-tag, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade

[alaudabot]

PR Review: feat: upgrade preflight check (OLM residue scan + cluster guard)

Critical Issues

• pkg/operator/operatorhub/preflight.go:65 — isTransientAPIError is called here but is defined in artifact_version.go:107 (sibling file, same package). The call compiles because Go resolves package-internal references at link time, but the dependency is implicit and undocumented in code. Future refactoring of artifact_version.go's internal helpers will silently break preflight with no compile-time warning. Per CLAUDE.md conventions (GVRs declared at the top of operator.go), shared helpers should be in a named utility file, not hidden behind cross-file package resolution.

Suggested fix: Move isTransientAPIError to a shared non-test utility file (e.g., pkg/operator/operatorhub/errors.go) and add a doc comment referencing the original.

// errors.go — shared utility, not internal to artifact_version.go
func isTransientAPIError(err error) bool {
	return errors.IsServerTimeout(err) ||
		errors.IsTooManyRequests(err) ||
		errors.IsServiceUnavailable(err)
}

Warnings

• cmd/upgrade_command.go:119 — assertClusterMatch short-circuits when cfg.OperatorConfig.Violet == nil. This is correct behaviour (nil means not configured), but the pattern relies on the reader noticing the pointer type. A brief comment would prevent future confusion:

// Violet is nil when not configured in YAML — cluster guard is a no-op.
if cfg.OperatorConfig.Violet == nil || cfg.OperatorConfig.Violet.Clusters == "" {
	return nil
}

• pkg/operator/operatorhub/preflight_test.go:248 — A blank-line var _ = metav1.GetOptions{} appears at the end of the file as a compile-time import guard. It is dead code: the metav1 import is already used by the actual tests. Please remove it.

Suggestions

• pkg/operator/operatorhub/preflight.go:19 — installPlanTerminalPhases is a var but is never mutated. Consider making it const.

• pkg/operator/operatorhub/preflight.go:109 — checkArtifactVersionResidue's second parameter _ config.Version is unused (same pattern as checkSubscriptionResidue and checkInstallPlanResidue). For consistency and readability, either remove it or use _ prefix to signal intent.

• cmd/upgrade_command.go:200–204 — runPreflight deduplicates residuals via a seen map, but map iteration order is non-deterministic. Since the primary output is copy-pasteable kubectl delete commands, deterministic ordering (e.g., sort by Kind then Name) would improve reproducibility. Not blocking.

Positive

The 10-sub-test preflight suite (including the spy-reactor read-only contract assertion), the bundleVersion regex chokepoint, and the comprehensive plan document (docs/plans/2026-05-19-feat-upgrade-preflight-check-plan.md) are all excellent. The design decisions are well-documented and traceable.

[alaudabot]

Warning (style/clarity): The nil-check short-circuit is correct, but relies on the reader noticing Violet is a pointer. A one-line comment prevents future confusion when someone reads this guard in isolation.

[alaudabot]

Warning (style/dead-code): The blank-line var _ = metav1.GetOptions{} is a compile-time import guard but metav1 is already used by the actual test code. Dead code — please remove.

[alaudabot]

Suggestion (style/convention): installPlanTerminalPhases is never mutated — consider const instead of var.

[alaudabot]

Suggestion (style/naming): The _ config.Version parameter is unused, consistent with the other two check functions but reduces readability. Consider checkArtifactVersionResidue(ctx, _ config.Version) to signal intent explicitly, or removing the parameter if all callers are updated.

[alaudabot]

Suggestion (style/determinism): The seen map iteration order is non-deterministic, meaning the order of cleanup commands in the error output may vary across runs. For a tool whose primary output is copy-pasteable commands, sorting residuals (e.g., by Kind then Name) would improve reproducibility. Not blocking — just a note for future polish.