ROSAENG-6793 | feat: read noproxy default domains from ocm api

[marcolan018]

PR Summary

Detailed Description of the Issue

Current in production env, for zero egress enabled clusters, client can query the default domains in noproxy thru OCM API. This PR removes the hardcoded domain templates in TF provider, changes to read the default domain list from OCM API.

Related Issues and PRs

• Jira: ROSAENG-6793
• Fixes: #
• Related PR(s):
• Related design/docs:

Type of Change

• feat - adds a new user-facing capability.
• fix - resolves an incorrect behavior or bug.
• docs - updates documentation only.
• style - formatting or naming changes with no logic impact.
• refactor - code restructuring with no behavior change.
• test - adds or updates tests only.
• chore - maintenance work (tooling, housekeeping, non-product code).
• build - changes build system, packaging, or dependencies for build output.
• ci - changes CI pipelines, jobs, or automation workflows.
• perf - improves performance without changing intended behavior.

Previous Behavior

Behavior After This Change

How to Test (Step-by-Step)

Preconditions

Test Steps

1. Create a hcp cluster with zero egress enabled. Related blocks in the main.tf as below

resource "rhcs_cluster_rosa_hcp" "rosa_sts_hcp_cluster" {
...
...
  properties = {
    rosa_creator_arn = data.aws_caller_identity.current.arn,
    zero_egress = "true"
  }
  proxy = {
    http_proxy = "http://test.com",
    no_proxy = "127.0.0.1"
  }
}

2. Run command terraform apply

Expected Results

the terraform apply command should complete successfully

Proof of the Fix

• Screenshots:
• Videos:
• Logs/CLI output:
• Other artifacts:

Breaking Changes

• No breaking changes
• Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

Developer Verification Checklist

• Commit subject/title follows [JIRA-TICKET] | [TYPE][(scope)][!]: <MESSAGE>.
• PR description clearly explains both what changed and why.
• Relevant Jira/GitHub issues and related PRs are linked.
• make install-hooks has been run in this clone.
• Tests were added/updated where appropriate.
• I manually tested the change.
• make pre-push-checks passes.
• make fmt-check passes.
• make build passes.
• Documentation was added/updated where appropriate.
• Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

• Bug Fixes
  • Improved proxy handling for zero-egress clusters: user-defined proxy exclusion entries are preserved while automatic default domains are removed during create, update, and refresh/read flows; API-returned proxy values are stored raw and de-duplication is applied before state is persisted. Helper failures now emit warnings without overwriting existing proxy settings.

[coderabbitai]

Warning

Review limit reached

@marcolan018, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 25 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4ca0b31c-c3e2-455a-8389-0803126bf69e

📥 Commits

Reviewing files that changed from the base of the PR and between 809441d and 72e76e4.

📒 Files selected for processing (4)

• provider/clusterrosa/hcp/resource.go
• provider/proxy/utils.go
• provider/proxy/utils_test.go
• subsystem/hcp/cluster_resource_test.go

Walkthrough

Refactors proxy no_proxy filtering to accept caller-supplied default domains and adds a cluster helper (reviseZeroEgressNoProxy) that fetches API zero-egress defaults and removes them from state.Proxy.NoProxy during Create, Read, and Update. Tests and PATCH expectations updated accordingly.

Changes

Zero-egress proxy domain filtering

Layer / File(s)	Summary
Proxy filtering utility refactor provider/proxy/utils.go, provider/proxy/utils_test.go	RemoveNoProxyZeroEgressDefaultDomains now accepts a defaultDomains []string, uses a lookup set plus a deprecated regex for removals, and rejoins tokens using the provided separator. Tests updated to pass explicit default domain lists per scenario.
Zero-egress filtering in cluster resource operations provider/clusterrosa/hcp/resource.go, subsystem/hcp/cluster_resource_test.go	Added reviseZeroEgressNoProxy helper that, when properties.zero_egress == "true", fetches cluster defaults with fetch_service_inquiries=true, filters those defaults from state.Proxy.NoProxy, and is invoked before persisting state in Create, Read, and Update. populateRosaHcpClusterState now stores raw API no_proxy; de-duplication is deferred to the helper. Tests and proxy PATCH expectations updated/added.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Pr Checklist Claims Vs Evidence (Generic)	❓ Inconclusive	Cannot access the actual PR body with checked checklist items; pr_objectives notes a checklist exists but status of each item is unavailable.	Access GitHub PR #1174 body to view the markdown checklist [x]/[ ] items to verify claims and evidence.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: reading no-proxy default domains from the OCM API instead of using hardcoded templates, which aligns with the changeset.
Description check	✅ Passed	The PR description covers the problem (hardcoded domains vs API-retrieved defaults), context (production use case), and includes test steps, but key sections like 'Behavior After This Change' and proof of testing are incomplete.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

provider/proxy/utils.go (1)

9-10: ⚡ Quick win

Remove unused regex pattern variables.

These regex patterns are no longer used after the refactor from regex-based to exact-match filtering.

♻️ Proposed fix

-var awsRegionRegexFmt = "(?:af|ap|ca|eu|me|sa|us)(?:-gov)?-(?:central|north|(?:north(?:east|west))|south|south(?:east|west)|east|west)-\\d+(?:[a-z]{1})?"
-var awsAccountIdRegexFmt = "\\d{12}"
-
 func RemoveNoProxyZeroEgressDefaultDomains(input string, separator string, defaultDomains []string) string {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/proxy/utils.go` around lines 9 - 10, Remove the now-unused regex
pattern variables awsRegionRegexFmt and awsAccountIdRegexFmt from
provider/proxy/utils.go; locate and delete the declarations of awsRegionRegexFmt
and awsAccountIdRegexFmt so the file no longer contains dead variables after the
refactor to exact-match filtering.

provider/clusterrosa/hcp/resource.go (2)

2251-2254: ⚡ Quick win

Wrap error with actionable context.

The error should include context identifying the operation that failed.

♻️ Proposed fix

 	get, err := r.ClusterCollection.Cluster(object.ID()).Get().Parameter("fetch_service_inquiries", true).SendContext(ctx)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to fetch cluster with service inquiries for zero-egress no_proxy filtering: %w", err)
 	}

As per coding guidelines: "In helper functions, wrap errors with fmt.Errorf("...: %w", err)."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/clusterrosa/hcp/resource.go` around lines 2251 - 2254, The call to
r.ClusterCollection.Cluster(object.ID()).Get().Parameter("fetch_service_inquiries",
true).SendContext(ctx) returns err but is returned as-is; wrap this error with
actionable context using fmt.Errorf, e.g. return fmt.Errorf("failed to fetch
cluster via ClusterCollection.Cluster(%s).Get().SendContext: %w", object.ID(),
err) so callers know which operation failed; update the error return where get,
err are assigned in the helper function.

---

2234-2259: ⚡ Quick win

Add defensive nil check before accessing state.Proxy.NoProxy.

While the call sites ensure populateRosaHcpClusterState runs first (which initializes state.Proxy when the API object has a proxy), a defensive nil check would make this function safer and more self-contained.

🛡️ Proposed fix

 	defaultDomains := get.Body().AWS().ZeroEgress().NoProxyDefaultDomains()
 	deDuplicatedNoProxy := proxy.RemoveNoProxyZeroEgressDefaultDomains(noProxy, ",", defaultDomains)
+	if state.Proxy == nil {
+		state.Proxy = &proxy.Proxy{}
+	}
 	state.Proxy.NoProxy = types.StringValue(deDuplicatedNoProxy)
 	return nil
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/clusterrosa/hcp/resource.go` around lines 2234 - 2259, In
reviseZeroEgressNoProxy, guard against state.Proxy being nil before assigning
state.Proxy.NoProxy: check if state.Proxy == nil and if so initialize it (e.g.,
state.Proxy = &<proxy-struct-type>{}) then set state.Proxy.NoProxy =
types.StringValue(deDuplicatedNoProxy); this makes reviseZeroEgressNoProxy
self-contained and prevents nil-pointer panics when writing to
state.Proxy.NoProxy.

subsystem/hcp/cluster_resource_test.go (1)

4538-4670: ⚡ Quick win

Consider adding an Update scenario test.

The test correctly verifies zero-egress default domain filtering during Create and Read operations. However, per the PR description, the filtering should also apply during Update. Consider adding a test case that:

1. Creates a cluster with zero_egress and custom no_proxy
2. Updates the no_proxy value
3. Verifies the updated state correctly filters defaults from the new value

This would ensure the filtering logic works correctly across all CRUD operations mentioned in the PR objectives.

As per coding guidelines, behavior-changing changes should add or update subsystem tests that cover the changed behavior. The Update path is part of the behavior change.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@subsystem/hcp/cluster_resource_test.go` around lines 4538 - 4670, Add an
Update-path test mirroring the existing "Filters zero-egress default domains
from no_proxy during read" It block: create the cluster as currently done, then
simulate an Update by appending TestServer handlers for the update request (use
VerifyRequest for the cluster update endpoint—same route used for Read, e.g.,
cluster123Route—and RespondWithPatchedJSON to return a payload where the
proxy.no_proxy contains the custom value plus appended zero_egress default
domains), run a Terraform update/apply with a changed proxy.no_proxy value, and
then assert (using Terraform.Resource("rhcs_cluster_rosa_hcp", "my_cluster") and
MatchJQ on .attributes.proxy.no_proxy) that the state filters out the default
domains; reference the existing test helpers VerifyRequest,
RespondWithPatchedJSON, Terraform.Apply(), and Terraform.Resource() to locate
where to add the new handlers and assertions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@provider/proxy/utils.go`:
- Around line 12-23: The function RemoveNoProxyZeroEgressDefaultDomains splits
by the provided separator but mistakenly rejoins using a hardcoded ","; change
the final join to use the same separator parameter (replace
strings.Join(domains, ",") with strings.Join(domains, separator)) so the output
matches the input delimiter; locate the code in the
RemoveNoProxyZeroEgressDefaultDomains function and update that call.

---

Nitpick comments:
In `@provider/clusterrosa/hcp/resource.go`:
- Around line 2251-2254: The call to
r.ClusterCollection.Cluster(object.ID()).Get().Parameter("fetch_service_inquiries",
true).SendContext(ctx) returns err but is returned as-is; wrap this error with
actionable context using fmt.Errorf, e.g. return fmt.Errorf("failed to fetch
cluster via ClusterCollection.Cluster(%s).Get().SendContext: %w", object.ID(),
err) so callers know which operation failed; update the error return where get,
err are assigned in the helper function.
- Around line 2234-2259: In reviseZeroEgressNoProxy, guard against state.Proxy
being nil before assigning state.Proxy.NoProxy: check if state.Proxy == nil and
if so initialize it (e.g., state.Proxy = &<proxy-struct-type>{}) then set
state.Proxy.NoProxy = types.StringValue(deDuplicatedNoProxy); this makes
reviseZeroEgressNoProxy self-contained and prevents nil-pointer panics when
writing to state.Proxy.NoProxy.

In `@provider/proxy/utils.go`:
- Around line 9-10: Remove the now-unused regex pattern variables
awsRegionRegexFmt and awsAccountIdRegexFmt from provider/proxy/utils.go; locate
and delete the declarations of awsRegionRegexFmt and awsAccountIdRegexFmt so the
file no longer contains dead variables after the refactor to exact-match
filtering.

In `@subsystem/hcp/cluster_resource_test.go`:
- Around line 4538-4670: Add an Update-path test mirroring the existing "Filters
zero-egress default domains from no_proxy during read" It block: create the
cluster as currently done, then simulate an Update by appending TestServer
handlers for the update request (use VerifyRequest for the cluster update
endpoint—same route used for Read, e.g., cluster123Route—and
RespondWithPatchedJSON to return a payload where the proxy.no_proxy contains the
custom value plus appended zero_egress default domains), run a Terraform
update/apply with a changed proxy.no_proxy value, and then assert (using
Terraform.Resource("rhcs_cluster_rosa_hcp", "my_cluster") and MatchJQ on
.attributes.proxy.no_proxy) that the state filters out the default domains;
reference the existing test helpers VerifyRequest, RespondWithPatchedJSON,
Terraform.Apply(), and Terraform.Resource() to locate where to add the new
handlers and assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0203422d-61e2-4db8-a4f5-59979cb758e8

📥 Commits

Reviewing files that changed from the base of the PR and between 86d5ab5 and 20e43b9.

📒 Files selected for processing (4)

• provider/clusterrosa/hcp/resource.go
• provider/proxy/utils.go
• provider/proxy/utils_test.go
• subsystem/hcp/cluster_resource_test.go

[marcolan018]

/retest

[marcolan018]

/retest

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (4)

provider/proxy/utils.go (1)

23-26: 💤 Low value

Consider using struct{} for map values when using map as a set.

Using map[string]struct{}{} instead of map[string]string is more idiomatic in Go when the map is used purely for membership checks, as it makes the intent clearer and saves a few bytes per entry.

♻️ Optional refactor

-	defaultDomainsMap := make(map[string]string)
+	defaultDomainsMap := make(map[string]struct{})
 	for _, item := range defaultDomains {
-		defaultDomainsMap[item] = ""
+		defaultDomainsMap[item] = struct{}{}
 	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/proxy/utils.go` around lines 23 - 26, The map defaultDomainsMap is
created as map[string]string but used as a set; change its type to
map[string]struct{} and populate it with defaultDomainsMap[item] = struct{}{} in
the loop that iterates over defaultDomains; also update any membership checks
(places using defaultDomainsMap[item] or lookups) to use the idiomatic _, ok :=
defaultDomainsMap[key] pattern so the code compiles and reflects the set
semantics.

provider/clusterrosa/hcp/resource.go (3)

2254-2255: ⚡ Quick win

Add defensive nil check for state.Proxy before dereferencing.

Although the current calling sequence ensures state.Proxy is non-nil when this line executes (because populateRosaHcpClusterState initializes it when the object has proxy), a defensive check would make the code more robust and self-documenting.

🛡️ Proposed defensive check

 	defaultDomains := zeroEgress.NoProxyDefaultDomains()
 	deDuplicatedNoProxy := proxy.RemoveNoProxyZeroEgressDefaultDomains(noProxy, ",", defaultDomains)
+	if state.Proxy == nil {
+		return fmt.Errorf("internal error: state.Proxy is nil but object has proxy configured")
+	}
 	state.Proxy.NoProxy = types.StringValue(deDuplicatedNoProxy)
 	return nil

As per coding guidelines: "Prefer explicit over implicit — especially in exported APIs" and defensive coding against possible future refactoring.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/clusterrosa/hcp/resource.go` around lines 2254 - 2255, Add a
defensive nil check for state.Proxy before assigning state.Proxy.NoProxy: verify
that state.Proxy != nil and if nil, initialize it (e.g., allocate a Proxy
struct) or skip the assignment so you don't dereference a nil pointer; update
the block around deDuplicatedNoProxy :=
proxy.RemoveNoProxyZeroEgressDefaultDomains(noProxy, ",", defaultDomains) and
the subsequent state.Proxy.NoProxy = types.StringValue(deDuplicatedNoProxy) to
first ensure state.Proxy is non-nil (or create it) before setting NoProxy.

---

2249-2251: ⚡ Quick win

Wrap error with context to identify the operation.

The function returns the raw error from SendContext without adding context about which operation failed. This makes debugging harder for users.

📝 Proposed fix

 	get, err := r.ClusterCollection.Cluster(object.ID()).Get().Parameter("fetch_service_inquiries", true).SendContext(ctx)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to fetch cluster with service inquiries for zero-egress no_proxy filtering: %w", err)
 	}

As per coding guidelines: "In helper functions, wrap errors with fmt.Errorf(\"...: %w\", err). Error messages must identify their origin (e.g., \"package: message\")."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/clusterrosa/hcp/resource.go` around lines 2249 - 2251, The call to
r.ClusterCollection.Cluster(object.ID()).Get().Parameter("fetch_service_inquiries",
true).SendContext(ctx) returns a raw error; wrap that error with context per
guidelines so callers can identify the failing operation. Replace the direct
return of err in the surrounding helper (the function that invokes
Cluster(...).Get().SendContext) with a wrapped error using fmt.Errorf including
the package/origin and a short description like "provider/clusterrosa: failed to
get cluster (Cluster.Get().SendContext) for id %s: %w", referencing object.ID()
and the original err; ensure you import fmt if not already imported.

---

2231-2232: 💤 Low value

Add a doc comment explaining the function's purpose.

While this is an unexported function, a brief comment would help maintainers understand its purpose and when it should be called, especially given the subtle contract with populateRosaHcpClusterState.

📝 Suggested comment

+// reviseZeroEgressNoProxy filters zero-egress default no_proxy domains from state.Proxy.NoProxy
+// when the cluster has zero_egress enabled. Must be called after populateRosaHcpClusterState.
 func (r *ClusterRosaHcpResource) reviseZeroEgressNoProxy(ctx context.Context,
 	object *cmv1.Cluster, state *ClusterRosaHcpState) error {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/clusterrosa/hcp/resource.go` around lines 2231 - 2232, Add a short
doc comment immediately above the unexported function reviseZeroEgressNoProxy
describing its purpose, when it should be called, and its contract with
populateRosaHcpClusterState; explicitly state preconditions (what fields in
ClusterRosaHcpState or *cmv1.Cluster are expected), side-effects (what the
function mutates or returns), and why it only runs for the zero-egress/no-proxy
case so future maintainers understand its intent and interaction with
populateRosaHcpClusterState.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@provider/clusterrosa/hcp/resource.go`:
- Around line 2249-2253: The call that assigns defaultDomains chains through
get.Body().AWS().ZeroEgress().NoProxyDefaultDomains() without nil checks and can
panic; modify the code around get, err :=
r.ClusterCollection.Cluster(object.ID()).Get().Parameter("fetch_service_inquiries",
true).SendContext(ctx) to validate get and its nested responses before calling
NoProxyDefaultDomains(): verify get != nil, then body := get.Body(); check body
!= nil, body.AWS() != nil, body.AWS().ZeroEgress() != nil and only then call
NoProxyDefaultDomains(); if any intermediate is nil, return an informative error
(or use a safe default) rather than dereferencing nil. Ensure the checks
reference get, get.Body(), AWS(), ZeroEgress(), and NoProxyDefaultDomains() so
reviewers can find and update the exact call site.

In `@subsystem/hcp/cluster_resource_test.go`:
- Around line 4539-4884: Add a new test case that asserts the zero-egress
default-domain filtering runs on update: implement an It block (e.g., "Filters
zero-egress default domains from no_proxy during update (patch)") that first
creates the resource (reuse the POST/GET handlers similar to the Create test),
then simulates an update by changing proxy.no_proxy in Terraform.Source and
triggering Terraform.Apply to perform a PATCH (verify a VerifyRequest with
http.MethodPatch to cluster123Route and respond with a patched JSON body that
includes aws.zero_egress.no_proxy_default_domains and the API-appended domains
in proxy.no_proxy), and finally assert
Terraform.Resource("rhcs_cluster_rosa_hcp","my_cluster").attributes.proxy.no_proxy
equals only the user-specified domains (e.g., "new.custom.domain"); follow the
same handler patterns used in the Create/Read tests so the update path exercises
the same filtering helper.

---

Nitpick comments:
In `@provider/clusterrosa/hcp/resource.go`:
- Around line 2254-2255: Add a defensive nil check for state.Proxy before
assigning state.Proxy.NoProxy: verify that state.Proxy != nil and if nil,
initialize it (e.g., allocate a Proxy struct) or skip the assignment so you
don't dereference a nil pointer; update the block around deDuplicatedNoProxy :=
proxy.RemoveNoProxyZeroEgressDefaultDomains(noProxy, ",", defaultDomains) and
the subsequent state.Proxy.NoProxy = types.StringValue(deDuplicatedNoProxy) to
first ensure state.Proxy is non-nil (or create it) before setting NoProxy.
- Around line 2249-2251: The call to
r.ClusterCollection.Cluster(object.ID()).Get().Parameter("fetch_service_inquiries",
true).SendContext(ctx) returns a raw error; wrap that error with context per
guidelines so callers can identify the failing operation. Replace the direct
return of err in the surrounding helper (the function that invokes
Cluster(...).Get().SendContext) with a wrapped error using fmt.Errorf including
the package/origin and a short description like "provider/clusterrosa: failed to
get cluster (Cluster.Get().SendContext) for id %s: %w", referencing object.ID()
and the original err; ensure you import fmt if not already imported.
- Around line 2231-2232: Add a short doc comment immediately above the
unexported function reviseZeroEgressNoProxy describing its purpose, when it
should be called, and its contract with populateRosaHcpClusterState; explicitly
state preconditions (what fields in ClusterRosaHcpState or *cmv1.Cluster are
expected), side-effects (what the function mutates or returns), and why it only
runs for the zero-egress/no-proxy case so future maintainers understand its
intent and interaction with populateRosaHcpClusterState.

In `@provider/proxy/utils.go`:
- Around line 23-26: The map defaultDomainsMap is created as map[string]string
but used as a set; change its type to map[string]struct{} and populate it with
defaultDomainsMap[item] = struct{}{} in the loop that iterates over
defaultDomains; also update any membership checks (places using
defaultDomainsMap[item] or lookups) to use the idiomatic _, ok :=
defaultDomainsMap[key] pattern so the code compiles and reflects the set
semantics.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6a0fd42c-e127-4291-954a-b85a6f9e73a2

📥 Commits

Reviewing files that changed from the base of the PR and between 20e43b9 and 786d650.

📒 Files selected for processing (4)

• provider/clusterrosa/hcp/resource.go
• provider/proxy/utils.go
• provider/proxy/utils_test.go
• subsystem/hcp/cluster_resource_test.go

[marcolan018]

/retest

[olucasfreitas]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment