Skip to content

HYPERFLEET-1229 - chore: disable lifecycle enforcer dry-run mode#65

Open
rafabene wants to merge 1 commit into
openshift-hyperfleet:mainfrom
rafabene:HYPERFLEET-1229-disable-dry-run
Open

HYPERFLEET-1229 - chore: disable lifecycle enforcer dry-run mode#65
rafabene wants to merge 1 commit into
openshift-hyperfleet:mainfrom
rafabene:HYPERFLEET-1229-disable-dry-run

Conversation

@rafabene

@rafabene rafabene commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

  • Switch lifecycle enforcer default from dry_run=true to dry_run=false after 4 days of validated dry-run operation
  • Update documentation (README) to reflect active enforcement as the default
  • Add lifecycle enforcer resources and variables to shared infrastructure README

Test plan

  • make test-lifecycle-function — all 27 unit tests pass
  • make validate-terraform — terraform validates successfully
  • Enforcer confirmed working in production with dry-run since 2026-07-02
  • Enforcer confirmed executing real actions after switching to dry_run=false

Lifecycle enforcer has been validated in dry-run for 4 days. Switch
default to active enforcement (dry_run=false) and update documentation.
@openshift-ci openshift-ci Bot requested review from ldornele and vkareh July 6, 2026 13:42
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ciaranroche for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1d9cf818-f24b-40ec-923e-695a175f0757

📥 Commits

Reviewing files that changed from the base of the PR and between c28c064 and 1aa26b1.

📒 Files selected for processing (4)
  • functions/lifecycle-enforcer/README.md
  • terraform/modules/lifecycle/variables.tf
  • terraform/shared/README.md
  • terraform/shared/variables.tf
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Lifecycle enforcement now runs by default instead of only logging actions.
    • Added support for scheduled lifecycle enforcement in shared infrastructure.
  • Documentation

    • Updated setup and verification steps to match the new default behavior.
    • Revised configuration tables and defaults for lifecycle enforcement settings.

Walkthrough

Terraform variable defaults for dry_run (module terraform/modules/lifecycle) and lifecycle_enforcer_dry_run (terraform/shared/variables.tf) changed from true to false, flipping the lifecycle enforcer to active-by-default instead of dry-run-by-default. Documentation in functions/lifecycle-enforcer/README.md and terraform/shared/README.md was updated to reflect the new default, revised deployment/verification steps, disabling instructions, and configuration tables listing lifecycle_enforcer_dry_run, lifecycle_enforcer_schedule, and the new lifecycle-enforcer Cloud Function/Scheduler components.

Estimated code review effort: 2 (Simple) | ~10 minutes

Related Issues: None referenced in provided context.

Related PRs: None referenced in provided context.

Suggested labels: terraform, documentation, breaking-change

Suggested reviewers: None specified in provided context.

CWE-693 (Protection Mechanism Failure): default dry_run = false means enforcement executes destructive lifecycle actions on infra by default unless explicitly overridden — verify Sentinel/Adapter callers of this module pin dry_run explicitly rather than relying on module default. No test coverage cited in diff confirming actual TTL-deletion behavior against live GCP resources. IDE/CI config unaffected in this diff — no supply-chain surface changed here.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed Title matches the main change: switching lifecycle enforcer out of dry-run mode by default.
Description check ✅ Passed Description is directly aligned with the changes: default flip, docs updates, and test plan.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed PASS: No non-test/non-example log statement references token/password/credential/secret; lifecycle-enforcer logs only cluster/node_pool/error fields. CWE-532.
No Hardcoded Secrets ✅ Passed Touched files contain no hardcoded secrets; only docs/sample creds and Go sum hashes elsewhere. No CWE-798/259/321 findings.
No Weak Cryptography ✅ Passed PASS: PR only changes README/Terraform defaults; no banned primitives, ECB, custom crypto, or secret comparisons were found (CWE-327).
No Injection Vectors ✅ Passed No CWE-89/CWE-78/CWE-79/CWE-502 patterns found; touched files only change defaults/docs, and lifecycle code uses trusted env/API inputs.
No Privileged Containers ✅ Passed HEAD touches only README/Terraform vars; no manifests, Helm templates, or Dockerfiles changed, and no privileged settings were introduced (CWE-250/CWE-269).
No Pii Or Sensitive Data In Logs ✅ Passed PASS: The patch only changes README/Terraform defaults; no logging statements were added or altered, so no PII-bearing logs are introduced.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
✨ Simplify code
  • Create PR with simplified code

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant