[HYPERFLEET-265] Fake GCP validation and related k8s resources

[86254860]

Summary

Adds a fake GCP validator for testing the adapter validation framework without making actual GCP API calls.

Changes

• Validation simulator (validate.sh): Shell script that simulates various validation scenarios (success, failure, hang, crash, invalid-json, missing-status)
• Container image: Dockerfile and Makefile for building and publishing the validator image
• Kubernetes resources: RBAC configuration and Job template for running the validator with a status-reporter sidecar
• Documentation: Comprehensive README with usage examples, configuration options, and testing instructions

Use Cases

• Local development and testing of the validation framework
• Quick feedback loops for adapter contract validation
• Simulating edge cases and failure scenarios

Testing result

// Adapter with Success result

sed -e 's|<scenario>|success|g' \
       -e 's|<namespace>|dawang|g' \
       -e 's|<fake-validator-image>|quay.io/rh-ee-dawang/fake-gcp-validator:dev-3253941|g' \
       -e 's|<status-reporter-image>|quay.io/rh-ee-dawang/status-reporter:dev-04e8d0a|g' \
       job-template.yaml | kubectl apply -f -

// Success
status:
  completionTime: "2025-12-15T11:00:57Z"
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-12-15T11:00:54Z"
    message: GCP environment validated successfully (simulated)
    reason: ValidationPassed
    status: "True"
    type: Available
  - lastProbeTime: "2025-12-15T11:00:57Z"
    lastTransitionTime: "2025-12-15T11:00:57Z"
    message: Reached expected number of succeeded pods
    reason: CompletionsReached
    status: "True"
    type: SuccessCriteriaMet
  - lastProbeTime: "2025-12-15T11:00:57Z"
    lastTransitionTime: "2025-12-15T11:00:57Z"
    message: Reached expected number of succeeded pods
    reason: CompletionsReached
    status: "True"
    type: Complete
  ready: 0
  startTime: "2025-12-15T11:00:50Z"
  succeeded: 1
  terminating: 0
  uncountedTerminatedPods: {}

// Adapter with Failure result

sed -e 's|<scenario>|failure|g' \
       -e 's|<namespace>|dawang|g' \
       -e 's|<fake-validator-image>|quay.io/rh-ee-dawang/fake-gcp-validator:dev-3253941|g' \
       -e 's|<status-reporter-image>|quay.io/rh-ee-dawang/status-reporter:dev-04e8d0a|g' \
       job-template.yaml | kubectl apply -f -

// Failure
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-12-15T11:02:14Z"
    message: Service account lacks required IAM permissions (simulated)
    reason: MissingPermissions
    status: "False"
    type: Available
  - lastProbeTime: "2025-12-15T11:02:16Z"
    lastTransitionTime: "2025-12-15T11:02:16Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: FailureTarget
  - lastProbeTime: "2025-12-15T11:02:16Z"
    lastTransitionTime: "2025-12-15T11:02:16Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: Failed
  failed: 1
  ready: 0
  startTime: "2025-12-15T11:02:10Z"
  terminating: 0
  uncountedTerminatedPods: {}

// Adapter with timeout without result file

sed -e 's|<scenario>|hang|g' \
       -e 's|<namespace>|dawang|g' \
       -e 's|<fake-validator-image>|quay.io/rh-ee-dawang/fake-gcp-validator:dev-3253941|g' \
       -e 's|<status-reporter-image>|quay.io/rh-ee-dawang/status-reporter:dev-04e8d0a|g' \
       job-template.yaml | kubectl apply -f -

// Timeout
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-12-15T11:10:29Z"
    message: Adapter did not produce results within 5m0s
    reason: AdapterTimeout
    status: "False"
    type: Available
  - lastProbeTime: "2025-12-15T11:10:38Z"
    lastTransitionTime: "2025-12-15T11:10:38Z"
    message: Job was active longer than specified deadline
    reason: DeadlineExceeded
    status: "True"
    type: FailureTarget
  - lastProbeTime: "2025-12-15T11:11:09Z"
    lastTransitionTime: "2025-12-15T11:11:09Z"
    message: Job was active longer than specified deadline
    reason: DeadlineExceeded
    status: "True"
    type: Failed
  failed: 1
  ready: 0
  startTime: "2025-12-15T11:05:28Z"
  terminating: 0
  uncountedTerminatedPods: {}

// Adapter with exit -1 without result file

sed -e 's|<scenario>|crash|g' \
       -e 's|<namespace>|dawang|g' \
       -e 's|<fake-validator-image>|quay.io/rh-ee-dawang/fake-gcp-validator:dev-3253941|g' \
       -e 's|<status-reporter-image>|quay.io/rh-ee-dawang/status-reporter:dev-04e8d0a|g' \
       job-template.yaml | kubectl apply -f -

// Exit -1 without result file
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-12-15T11:08:13Z"
    message: 'Adapter container exited with code 1: Error'
    reason: AdapterExitedWithError
    status: "False"
    type: Available
  - lastProbeTime: "2025-12-15T11:08:16Z"
    lastTransitionTime: "2025-12-15T11:08:16Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: FailureTarget
  - lastProbeTime: "2025-12-15T11:08:16Z"
    lastTransitionTime: "2025-12-15T11:08:16Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: Failed
  failed: 1
  ready: 0
  startTime: "2025-12-15T11:08:01Z"
  terminating: 0
  uncountedTerminatedPods: {}

// Adapter with result of invalid json

sed -e 's|<scenario>|invalid-json|g' \
       -e 's|<namespace>|dawang|g' \
       -e 's|<fake-validator-image>|quay.io/rh-ee-dawang/fake-gcp-validator:dev-3253941|g' \
       -e 's|<status-reporter-image>|quay.io/rh-ee-dawang/status-reporter:dev-04e8d0a|g' \
       job-template.yaml | kubectl apply -f -

// Invalid json
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-12-15T11:09:12Z"
    message: 'Adapter container exited successfully (code 0) but did not produce a
      valid result file: Completed'
    reason: AdapterMissingResults
    status: "False"
    type: Available
  - lastProbeTime: "2025-12-15T11:09:15Z"
    lastTransitionTime: "2025-12-15T11:09:15Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: FailureTarget
  - lastProbeTime: "2025-12-15T11:09:15Z"
    lastTransitionTime: "2025-12-15T11:09:15Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: Failed
  failed: 1
  ready: 0
  startTime: "2025-12-15T11:09:10Z"
  terminating: 0
  uncountedTerminatedPods: {}

// Adapter with result missing status

sed -e 's|<scenario>|missing-status|g' \
       -e 's|<namespace>|dawang|g' \
       -e 's|<fake-validator-image>|quay.io/rh-ee-dawang/fake-gcp-validator:dev-3253941|g' \
       -e 's|<status-reporter-image>|quay.io/rh-ee-dawang/status-reporter:dev-04e8d0a|g' \
       job-template.yaml | kubectl apply -f -

// Result missing status
tatus:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2025-12-15T11:10:49Z"
    message: 'Adapter container exited successfully (code 0) but did not produce a
      valid result file: Completed'
    reason: AdapterMissingResults
    status: "False"
    type: Available
  - lastProbeTime: "2025-12-15T11:10:52Z"
    lastTransitionTime: "2025-12-15T11:10:52Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: FailureTarget
  - lastProbeTime: "2025-12-15T11:10:52Z"
    lastTransitionTime: "2025-12-15T11:10:52Z"
    message: Job has reached the specified backoff limit
    reason: BackoffLimitExceeded
    status: "True"
    type: Failed
  failed: 1
  ready: 0
  startTime: "2025-12-15T11:10:47Z"
  terminating: 0
  uncountedTerminatedPods: {}

Summary by CodeRabbit

• Documentation

  • Added a comprehensive README for the Fake GCP Validator covering overview, quick-start, configuration, example result JSON, monitoring, scenarios, and architecture.

• New Features

  • Introduced a Fake GCP Validator supporting multiple scenarios (success, failure, hang, crash, invalid JSON, missing status).
  • Added a deployable Kubernetes Job template with a monitoring sidecar and RBAC setup for cluster testing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The pull request adds a Fake GCP Validator testing tool composed of three files: a README describing usage, scenarios, and architecture; a Kubernetes Job template (job-template.yaml) that runs an Alpine-based fake validator container (configurable via SIMULATE_RESULT) and a status-reporter sidecar sharing an emptyDir /results volume; and RBAC manifests (rbac.yaml) creating a gcp-validator ServiceAccount, a status-reporter Role, and a RoleBinding for the status-reporter to read/update Job status.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Kube as Kubernetes (Job controller)
  participant Validator as fake-validator container
  participant Volume as shared /results (emptyDir)
  participant Reporter as status-reporter sidecar
  participant API as Kubernetes API

  Kube->>Validator: Start Pod with validator + sidecar
  Validator->>Volume: Write /results/adapter-result.json (per SIMULATE_RESULT)
  Note right of Volume: JSON includes result and exit-code mapping
  Reporter->>Volume: Poll/read /results/adapter-result.json
  Reporter->>API: Patch/Update Job status based on result
  API-->>Reporter: Acknowledge status update
  Reporter->>Kube: Exit/terminate indicating reported state

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Areas for extra attention:

• RBAC permissions and namespace placeholders in fake-validator/rbac.yaml
• Placeholder substitution and templating in fake-validator/job-template.yaml (<namespace>, <scenario>, <status-reporter-image>)
• Environment variables, volume mounts, and result file path alignment between validator and status-reporter
• Consistency between README scenarios and the Job template's simulated outcomes and JSON result formats

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a fake GCP validator and associated Kubernetes resources. It is concise, specific, and clearly reflects the changeset content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

fake-validator/README.md (1)

171-195: Specify language for fenced code block.

The architecture diagram is a text block without a language specifier. Add a language identifier (e.g., text) to the opening fence for consistency with other code blocks in the documentation.

-```
+```text
 ┌─────────────────────────────────────────┐

fake-validator/job-template.yaml (1)

40-103: Consider adding security constraints for container execution.

While this is a test/fake validator, adding basic security constraints would improve posture and serve as a good template for production use. Define a securityContext at the pod or container level to prevent running as root.

      securityContext:
        runAsNonRoot: true
        runAsUser: 65534  # nobody user
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault

Alternatively, add to each container:

        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 65534

Note: The fake-validator script may need adjustment to work with a non-root user (e.g., ensuring /results directory is writable).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e51f3f9 and 2db4bdb.

📒 Files selected for processing (6)

• fake-validator/Dockerfile (1 hunks)
• fake-validator/Makefile (1 hunks)
• fake-validator/README.md (1 hunks)
• fake-validator/job-template.yaml (1 hunks)
• fake-validator/rbac.yaml (1 hunks)
• fake-validator/validate.sh (1 hunks)

🧰 Additional context used

🪛 checkmake (0.2.2)

fake-validator/Makefile

[warning] 41-41: Target body for "test" exceeds allowed length of 5 (25).

(maxbodylength)

---

[warning] 115-115: Missing required phony target "all"

(minphony)

🪛 Checkov (3.2.334)

fake-validator/job-template.yaml

[medium] 18-103: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[medium] 18-103: Minimize the admission of root containers

(CKV_K8S_23)

🪛 LanguageTool

fake-validator/README.md

[style] ~141-~141: ‘with success’ might be wordy. Consider a shorter alternative.
Context: ...ferent Scenarios Replace the with success, failure, hang, crash, invalid-json, mi...

(EN_WORDINESS_PREMIUM_WITH_SUCCESS)

🪛 markdownlint-cli2 (0.18.1)

fake-validator/README.md

173-173: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (4)

fake-validator/validate.sh (1)

1-102: LGTM! The script effectively simulates all required validation scenarios with appropriate exit codes and output handling.

The defensive design (unknown value fallback to success) is sound, and the use of set -e combined with explicit exit statements in the case branches prevents unintended fallthrough. The date expansion within heredocs correctly generates timestamps at runtime.

fake-validator/Dockerfile (1)

1-17: LGTM! The Dockerfile is minimal, efficient, and follows best practices. Alpine 3.19 is a sensible base image choice, and the metadata labels are comprehensive.

fake-validator/rbac.yaml (1)

1-43: LGTM! The RBAC configuration properly implements least-privilege access for the status-reporter sidecar, with appropriate permissions to read job status and update conditions.

fake-validator/Makefile (1)

35-117: LGTM! The Makefile is well-structured with robust runtime detection and helpful error messages. The test target's comprehensive validation (script existence, executability, multiple scenarios) outweighs checkmake's default style preference for shorter bodies.

The leading - on line 58 correctly allows the failure scenario to run without halting the test suite, which is the intended behavior.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

fake-validator/README.md (1)

168-169: Specify language for code fence.

The architecture diagram is rendered as a code block but lacks a language identifier. Add an identifier (e.g., text or plaintext) for consistency with markdown linting standards.

-```
+```text

fake-validator/job-template.yaml (1)

40-103: Add securityContext for container hardening.

The containers lack a securityContext to enforce security best practices, leaving the manifest vulnerable to privilege escalation (CKV_K8S_20) and root container execution (CKV_K8S_23) alerts. While this is a testing tool, adding these mitigations is a straightforward improvement that aligns with Kubernetes security standards.

Add a securityContext to both containers to prevent privilege escalation and enforce non-root execution:

      containers:
      # Adapter container (fake-validator)
      - name: fake-validator
        image: <fake-validator-image>
        imagePullPolicy: Always
+       securityContext:
+         allowPrivilegeEscalation: false
+         runAsNonRoot: true
+         runAsUser: 1000
+         readOnlyRootFilesystem: true
+         capabilities:
+           drop:
+           - ALL
        env:
        # Configure simulation scenario
        # Valid values: success, failure, hang, crash, invalid-json, missing-status
        - name: SIMULATE_RESULT
          value: "<scenario>"
        - name: RESULTS_PATH
          value: "/results/adapter-result.json"
        volumeMounts:
        - name: results
          mountPath: /results

Apply the same securityContext to the status-reporter container as well. If the containers require root access for specific operations, adjust runAsUser and capabilities accordingly.

fake-validator/Makefile (2)

41-66: Expand test coverage for all scenarios.

The test target currently validates only 3 of the 6 supported scenarios (success, failure, invalid-json). Consider adding tests for the remaining scenarios: hang, crash, and missing-status to ensure comprehensive validation before deployment.

Extend the test target to cover all scenarios:

 @echo "=== Testing invalid-json scenario ==="
 @SIMULATE_RESULT=invalid-json RESULTS_PATH=$(TEST_RESULTS_PATH) ./validate.sh
 @cat $(TEST_RESULTS_PATH)
 @echo ""
+@echo "=== Testing crash scenario ==="
+-@SIMULATE_RESULT=crash RESULTS_PATH=$(TEST_RESULTS_PATH) ./validate.sh || true
+@echo "Crash scenario executed (result file not expected)"
+@echo ""
+@echo "=== Testing missing-status scenario ==="
+@SIMULATE_RESULT=missing-status RESULTS_PATH=$(TEST_RESULTS_PATH) ./validate.sh
+@cat $(TEST_RESULTS_PATH)
+@echo ""
+@echo "Note: hang scenario is not tested (would block indefinitely)"
+@echo ""
 @echo "✅ All scenarios tested"
 @rm -f $(TEST_RESULTS_PATH)

The hang scenario intentionally cannot be tested in a sequential test flow without additional infrastructure (e.g., timeout management).

---

35-39: Add "all" target as conventional entrypoint.

While not strictly required, following Makefile conventions by providing an all target helps users discover the primary workflow. The help target is well-designed, but an explicit all target can serve as a sensible default.

 .PHONY: help
 help: ## Display this help message
 	@echo "Available targets:"
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: all
+all: test image ## Run tests and build image

This provides a conventional entry point for common CI/CD workflows.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2db4bdb and 38ed114.

📒 Files selected for processing (6)

• fake-validator/Dockerfile (1 hunks)
• fake-validator/Makefile (1 hunks)
• fake-validator/README.md (1 hunks)
• fake-validator/job-template.yaml (1 hunks)
• fake-validator/rbac.yaml (1 hunks)
• fake-validator/validate.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• fake-validator/rbac.yaml
• fake-validator/validate.sh
• fake-validator/Dockerfile

🧰 Additional context used

🪛 checkmake (0.2.2)

fake-validator/Makefile

[warning] 41-41: Target body for "test" exceeds allowed length of 5 (25).

(maxbodylength)

---

[warning] 115-115: Missing required phony target "all"

(minphony)

🪛 Checkov (3.2.334)

fake-validator/job-template.yaml

[medium] 18-103: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[medium] 18-103: Minimize the admission of root containers

(CKV_K8S_23)

🪛 markdownlint-cli2 (0.18.1)

fake-validator/README.md

168-168: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

fake-validator/README.md (1)

155-155: Add language identifier to the fenced code block.

The architecture diagram should specify a language identifier (e.g., text) to follow Markdown best practices and satisfy the linter.

Apply this diff:

-```
+```text
 ┌─────────────────────────────────────────┐
 │           Kubernetes Job                │

fake-validator/job-template.yaml (2)

134-150: Consider failing for unknown simulation scenarios.

The default case currently logs a warning and exits successfully when SIMULATE_RESULT has an unknown value. This could mask configuration errors—if a user mistypes a scenario name, the job would succeed unexpectedly.

Apply this diff to exit with an error for unknown scenarios:

               *)
                 echo "Unknown SIMULATE_RESULT value: ${SIMULATE_RESULT}"
                 echo "Valid values: success, failure, hang, crash, invalid-json, missing-status"
-                echo "Defaulting to success..."
-                cat > "${RESULTS_PATH}" <<EOF
-            {
-              "status": "success",
-              "reason": "ValidationPassed",
-              "message": "GCP environment validated successfully (default simulation)",
-              "details": {
-                "simulation": true,
-                "note": "Unknown SIMULATE_RESULT value, defaulted to success"
-              }
-            }
-            EOF
-                exit 0
+                exit 1
                 ;;

---

170-210: LGTM: Status-reporter configuration is well-structured.

The sidecar configuration is appropriate:

• imagePullPolicy: Always ensures the latest status-reporter image is used (good for development)
• Environment variables provide comprehensive configuration
• MAX_WAIT_TIME_SECONDS: 300 correctly aligns with the Job's activeDeadlineSeconds: 310
• Resource allocation is reasonable for a monitoring sidecar

Optional: Consider adding security context for defense in depth.

While this is a testing tool, you could optionally add security context to both containers:

        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
          capabilities:
            drop:
              - ALL

This addresses the static analysis hints, though it's lower priority for internal testing tools.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 38ed114 and 017f0f3.

📒 Files selected for processing (3)

• fake-validator/README.md (1 hunks)
• fake-validator/job-template.yaml (1 hunks)
• fake-validator/rbac.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• fake-validator/rbac.yaml

🧰 Additional context used

🪛 Checkov (3.2.334)

fake-validator/job-template.yaml

[medium] 21-210: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[medium] 21-210: Minimize the admission of root containers

(CKV_K8S_23)

🪛 markdownlint-cli2 (0.18.1)

fake-validator/README.md

155-155: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (3)

fake-validator/job-template.yaml (3)

21-42: LGTM: Job configuration is appropriate for testing scenarios.

The configuration choices are well-suited for a testing tool:

• backoffLimit: 0 prevents unwanted retries
• activeDeadlineSeconds: 310 provides appropriate buffer beyond the status-reporter's max wait time
• restartPolicy: Never is standard for Jobs
• emptyDir volume enables clean inter-container communication

---

43-83: LGTM: Success scenario implementation is correct.

The success case properly:

• Writes valid JSON with all required fields
• Includes a dynamic timestamp
• Exits with code 0

The use of set -e ensures the script fails fast on errors, and IfNotPresent is appropriate for the stable Alpine image.

---

152-169: LGTM: Container configuration is appropriate.

The environment variables, volume mounts, and resource limits are well-configured:

• Placeholders align with documented usage
• Resource requests/limits are modest and appropriate for a lightweight test script
• Volume mount correctly enables result sharing with the status-reporter

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if Makefile exists in fake-validator directory and list all files
echo "=== Searching for Makefile in fake-validator ==="
fd --type f "Makefile" fake-validator/

echo ""
echo "=== Listing all files in fake-validator directory ==="
fd --type f . fake-validator/ | head -20

Repository: openshift-hyperfleet/adapter-validation-gcp

Length of output: 299

---

Add Makefile or update local testing instructions.

The README instructs users to run make test for local testing, but no Makefile exists in the fake-validator directory. Either create a Makefile with a test target, or replace this section with actual testing instructions for this project.

🤖 Prompt for AI Agents

In fake-validator/README.md around lines 42 to 48, the README tells users to run
`make test` but there is no Makefile in the fake-validator directory; either add
a simple Makefile with a test target that runs the project's tests/commands
(e.g., runs the test runner or relevant script) or update the README to replace
`make test` with concrete local testing steps (install deps, run the appropriate
test command or script, and any environment setup) and include exact commands to
run so readers can test locally without a missing Makefile.

[rh-amarin]

/lgtm

[xueli181114]

/lgtm

[xueli181114]

/approve

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

fake-validator/job-template.yaml (2)

45-168: Consider adding a securityContext for container hardening.

While the fake-validator container configuration is functional, adding a securityContext would follow Kubernetes security best practices:

      - name: fake-validator
        image: alpine:3.19
        imagePullPolicy: IfNotPresent
+       securityContext:
+         allowPrivilegeEscalation: false
+         runAsNonRoot: true
+         runAsUser: 1000
+         capabilities:
+           drop:
+           - ALL
        command: ["/bin/sh", "-c"]

Since this is a testing tool, the security risk is lower, but hardening the container aligns with best practices.

---

170-210: Consider adding a securityContext to the status-reporter sidecar.

Similar to the fake-validator container, adding a securityContext to the status-reporter would improve security posture:

      - name: status-reporter
        image: <status-reporter-image>
        imagePullPolicy: Always
+       securityContext:
+         allowPrivilegeEscalation: false
+         runAsNonRoot: true
+         runAsUser: 1000
+         capabilities:
+           drop:
+           - ALL
        env:

The container configuration is otherwise correct with appropriate environment variables, volume mounts, and resource limits.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 017f0f3 and 64019d7.

📒 Files selected for processing (3)

• fake-validator/README.md (1 hunks)
• fake-validator/job-template.yaml (1 hunks)
• fake-validator/rbac.yaml (1 hunks)

🧰 Additional context used

🪛 Checkov (3.2.334)

fake-validator/job-template.yaml

[medium] 21-210: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)

---

[medium] 21-210: Minimize the admission of root containers

(CKV_K8S_23)

🪛 markdownlint-cli2 (0.18.1)

fake-validator/README.md

155-155: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (10)

fake-validator/rbac.yaml (3)

1-7: LGTM!

The ServiceAccount definition is correct and follows standard Kubernetes conventions.

---

9-27: LGTM!

The Role permissions are minimal and appropriate for the status-reporter functionality. The permissions follow the principle of least privilege.

---

29-43: LGTM!

The RoleBinding correctly links the ServiceAccount to the Role with consistent namespace references.

fake-validator/job-template.yaml (4)

21-42: LGTM!

The Job configuration is appropriate for testing scenarios. The backoffLimit: 0 prevents retries, and activeDeadlineSeconds: 310 provides timeout protection. The emptyDir volume correctly facilitates result sharing between containers.

---

50-83: LGTM!

The script initialization and success scenario implementation are correct. The use of set -e ensures proper error handling, and the JSON structure is valid with appropriate exit codes.

---

85-115: LGTM!

All three scenarios are correctly implemented:

• failure: Writes valid failure JSON and exits with code 1
• hang: Simulates indefinite hang with large sleep value
• crash: Exits without writing results to simulate crash behavior

---

117-151: LGTM!

The remaining test scenarios are well-implemented:

• invalid-json: Correctly writes malformed JSON for validation testing
• missing-status: Writes valid JSON without the required status field
• Default case provides defensive handling with clear logging

fake-validator/README.md (3)

1-21: LGTM!

The overview and features sections accurately describe the fake GCP validator and its capabilities.

---

22-33: LGTM!

The supported scenarios table accurately documents all test scenarios and matches the implementation in the job template.

---

179-184: Update the files list to reflect actual files.

The files section lists Makefile: Local testing automation, but based on previous review comments, this file may not exist in the repository. Please verify and either:

• Add the Makefile if it's intended to exist, or
• Remove this line from the documentation

This relates to the same Makefile verification needed for the Quick Start section.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

fake-validator/README.md (1)

145-145: Add language identifier to architecture code block.

The architecture diagram is missing a language specifier on the fenced code block, which triggers an linting warning (MD040). Add a language identifier after the opening backticks.

-```
+```text
 ┌─────────────────────────────────────────┐

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 64019d7 and b5747b0.

📒 Files selected for processing (1)

• fake-validator/README.md (1 hunks)

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

fake-validator/README.md

145-145: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

fake-validator/README.md (1)

169-174: Remove stale Makefile reference from the Files section.

Line 173 references a Makefile that does not exist in the fake-validator/ directory. Based on the PR discussion, testing instructions now use direct commands rather than a Makefile target. Remove this line to keep the Files section accurate.

 ## Files

 - `job-template.yaml`: Kubernetes Job template with embedded validation script
 - `rbac.yaml`: Kubernetes RBAC configuration (ServiceAccount, Role, RoleBinding)
-- `Makefile`: Local testing automation
 - `README.md`: This file

🧹 Nitpick comments (1)

fake-validator/README.md (1)

145-167: Add language specifier to the architecture diagram code block.

The fenced code block containing the ASCII art diagram is missing a language specifier. Add text to the opening fence to satisfy markdown linting standards.

-```
+```text
 ┌─────────────────────────────────────────┐
 │           Kubernetes Job                │

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b5747b0 and ef4556d.

📒 Files selected for processing (1)

• fake-validator/README.md (1 hunks)

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

fake-validator/README.md

145-145: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

[xueli181114]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xueli181114

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [xueli181114]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment