ROSAENG-9174 | feat(hcp): add component_routes support to HCP default ingress resource #1187

Draft
reedcort wants to merge 1 commit into terraform-redhat:main from reedcort:ROSAENG-9174-hcp-component-routes

reedcort (Contributor) commented Jun 9, 2026

PR Summary

Add component_routes support to the rhcs_hcp_default_ingress resource, enabling ROSA HCP customers to configure custom hostnames and TLS certificates for Console and Downloads routes — matching feature parity with the Classic rhcs_default_ingress resource.

Detailed Description of the Issue

ROSA HCP customers cannot customize hostnames for Console or Downloads routes. This blocks customers migrating from ROSA Classic who rely on custom component routes, and those with strict enterprise domain/compliance requirements (e.g., GovCloud). The Classic default ingress resource already supports component_routes, but the HCP resource only exposed listening_method.

Related Issues and PRs

  • Jira: ROSAENG-9174
  • Feature: ROSA-62
  • Related PR(s): clusters-service PR (pending) — wires componentRoutes propagation to HostedCluster spec for HCP
  • Related design/docs: PRD "Custom Component Routes for ROSA with HCP"

Type of Change

  • feat - adds a new user-facing capability.

Previous Behavior

The rhcs_hcp_default_ingress resource only supported the listening_method attribute. Customers could not configure component_routes for HCP clusters via Terraform. The field was silently ignored.

Behavior After This Change

The rhcs_hcp_default_ingress resource now supports an optional component_routes map attribute for Console and Downloads routes (OAuth is not supported on HCP — the OAuth server runs on the management cluster control plane). Customers can set custom hostnames and reference TLS secrets:

resource "rhcs_hcp_default_ingress" "default" {
  cluster          = rhcs_cluster_rosa_hcp.example.id
  listening_method = "external"

  component_routes = {
    console = {
      hostname       = "console.company.com"
      tls_secret_ref = "console-tls"
    }
  }
}

Note: This requires the corresponding clusters-service backend change to propagate componentRoutes to the HostedCluster spec. Without that backend change, the API will accept the value but it won't take effect on the cluster.

How to Test (Step-by-Step)

Preconditions

  • A running ROSA HCP cluster
  • The hypershift-ingress-day-2 feature toggle enabled
  • A TLS secret created in openshift-config namespace on the cluster
  • The clusters-service backend change deployed (pending PR)

Test Steps

  1. Configure the rhcs_hcp_default_ingress resource with component_routes for console
  2. Run terraform plan — should show the component_routes as a new attribute
  3. Run terraform apply — should update the ingress via the OCM API
  4. Verify on the cluster: oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.componentRoutes}'

Expected Results

  • terraform plan shows the component_routes diff correctly
  • terraform apply succeeds
  • The cluster's ingress config reflects the custom console hostname
  • Setting an OAuth component route returns an error from the backend

Proof of the Fix

  • Pre-push checks: all 7/7 passed (format, build, generated files, lint, vale, coverage, unit/subsystem tests)
  • Pending live cluster validation after clusters-service backend change is deployed

Breaking Changes

  • No breaking changes

Developer Verification Checklist

  • Commit subject/title follows [JIRA-TICKET] | [TYPE][(scope)][!]: <MESSAGE>.
  • PR description clearly explains both what changed and why.
  • Relevant Jira/GitHub issues and related PRs are linked.
  • make install-hooks has been run in this clone.
  • Tests were added/updated where appropriate.
  • I manually tested the change.
  • make pre-push-checks passes.
  • make fmt-check passes.
  • make build passes.
  • Documentation was added/updated where appropriate.
  • Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

  • New Features

    • HCP default ingress resource now supports an optional component_routes field, enabling configuration of component-specific routes with hostname and TLS secret reference settings.
  • Documentation

    • Updated resource documentation with details on the new component_routes configuration option and its available properties.

openshift-ci Bot commented Jun 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jerichokeyne for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Jun 9, 2026
Hi @reedcort. Thanks for your PR.

I'm waiting for a terraform-redhat member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 9, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a6037772-fdce-4e18-93da-4ff55042156a

📥 Commits

Reviewing files that changed from the base of the PR and between 0590736 and 826b418.

📒 Files selected for processing (3)
  • docs/resources/hcp_default_ingress.md
  • provider/defaultingress/hcp/resource.go
  • provider/defaultingress/hcp/state.go

Walkthrough

This PR extends the HCP default ingress Terraform resource to support an optional component_routes attribute. The change includes state structure updates, resource schema definition, state population logic, write/update flow threading, documentation, and incidental GoMock cleanup.

Changes

Component Routes Feature

| Layer / File(s) | Summary |
|---|---|
| State structure and resource schema (provider/defaultingress/hcp/state.go, provider/defaultingress/hcp/resource.go) | DefaultIngress struct gains ComponentRoutes types.Map field; resource schema adds optional component_routes attribute modeled as a map of objects using defaultingress.ComponentRouteAttributeTypes. |
| State population from ingress (provider/defaultingress/hcp/resource.go) | populateState extracts component routes from the HCP ingress and flattens them into the Terraform state, setting a typed null map when routes are absent. |
| Component route write and update flow (provider/defaultingress/hcp/resource.go) | updateIngress and getDefaultIngressBuilder now thread diagnostics context and rebuild component routes by expanding planned routes via ExpandComponentRoute when changes differ from current state. |
| Resource documentation (docs/resources/hcp_default_ingress.md) | Documents the new optional component_routes attribute with nested hostname and tls_secret_ref fields. |

Mock Cleanup

| Layer / File(s) | Summary |
|---|---|
| GoMock generated file cleanup (provider/common/mock_clusterclient.go, provider/common/mock_clusterwait.go) | Removes internal isgomock struct{} marker field from MockClusterClient and MockClusterWait structs; public mock APIs and constructor wiring remain unchanged. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Pr Checklist Claims Vs Evidence (Generic) | ❓ Inconclusive | Cannot access actual GitHub PR body with markdown checklist items. The pr_objectives mention checklist items exist but specific checked items are not provided in context. | Provide the actual GitHub PR #1187 description containing the markdown checklist with [x] items to verify claims against available evidence. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: adding component_routes support to the HCP default ingress resource, with the scope (hcp) and feature type (feat) specified. |
| Description check | ✅ Passed | The PR description is comprehensive and follows the template structure with all major sections completed: summary, detailed issue, related items, type, previous/new behavior, testing steps, and verification checklist. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
provider/defaultingress/hcp/resource.go (1)

361-361: 💤 Low value

Consider defensive type assertion for Elements() iteration.

The code casts v to types.Object without a type assertion check. While the schema guarantees ElementType is basetypes.ObjectType, a defensive type assertion would prevent potential panics and provide clearer error handling.

🛡️ Suggested defensive type assertion
 	for k, v := range plan.ComponentRoutes.Elements() {
+		obj, ok := v.(types.Object)
+		if !ok {
+			diags.AddError(
+				"Invalid component route element type",
+				fmt.Sprintf("Expected types.Object, got %T for component route %s", v, k),
+			)
+			continue
+		}
 		componentRouteBuilder := cmv1.NewComponentRoute()
-		hostname, tlsSecretRef := defaultingress.ExpandComponentRoute(ctx, v.(types.Object), diags)
+		hostname, tlsSecretRef := defaultingress.ExpandComponentRoute(ctx, obj, diags)
 		componentRouteBuilder.Hostname(hostname)
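Review bot: The added `!ok` branch calls `diags.AddError(...)` and then `continue`, which only surfaces the problem if `diags` reaches the caller. The inline comment for line 191 in this same review reports that diagnostics are passed by value through updateIngress and getDefaultIngressBuilder; in that case the error recorded here is dropped and the route is skipped with nothing shown to the user. Land this check together with the `*diag.Diagnostics` change, and have the caller stop on an error instead of sending a partially built set of component routes.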
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@provider/defaultingress/hcp/resource.go` at line 361, The loop over
Elements() calls defaultingress.ExpandComponentRoute(ctx, v.(types.Object),
diags) but uses a direct type assertion that can panic; change it to a defensive
check using the comma-ok form (e.g., obj, ok := v.(types.Object)) inside the
Elements() iteration and only call ExpandComponentRoute when ok is true; if not
ok, append a diagnostic or log an error including the unexpected type and
continue to the next element so ExpandComponentRoute and hostname/tlsSecretRef
are only used with a valid types.Object.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@provider/defaultingress/hcp/resource.go`:
- Line 191: DefaultIngressResource.Update/Create currently pass diag.Diagnostics
by value into updateIngress → getDefaultIngressBuilder →
defaultingress.ExpandComponentRoute so Append calls inside ExpandComponentRoute
don't propagate back to resp.Diagnostics; change the signatures of
updateIngress, getDefaultIngressBuilder and defaultingress.ExpandComponentRoute
to accept *diag.Diagnostics (pointer) instead of diag.Diagnostics, update all
call sites to pass &diags (and &resp.Diagnostics where used), and follow the
same pattern used by ValidateStateAndPlanEquals(..., &diags) to ensure appended
diagnostics are visible to the caller.

---

Nitpick comments:
In `@provider/defaultingress/hcp/resource.go`:
- Line 361: The loop over Elements() calls
defaultingress.ExpandComponentRoute(ctx, v.(types.Object), diags) but uses a
direct type assertion that can panic; change it to a defensive check using the
comma-ok form (e.g., obj, ok := v.(types.Object)) inside the Elements()
iteration and only call ExpandComponentRoute when ok is true; if not ok, append
a diagnostic or log an error including the unexpected type and continue to the
next element so ExpandComponentRoute and hostname/tlsSecretRef are only used
with a valid types.Object.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7d3efed8-5d4d-462c-8e71-98ac0a96fe63

📥 Commits

Reviewing files that changed from the base of the PR and between a98a6a4 and 0590736.

📒 Files selected for processing (5)
  • docs/resources/hcp_default_ingress.md
  • provider/common/mock_clusterclient.go
  • provider/common/mock_clusterwait.go
  • provider/defaultingress/hcp/resource.go
  • provider/defaultingress/hcp/state.go
💤 Files with no reviewable changes (2)
  • provider/common/mock_clusterclient.go
  • provider/common/mock_clusterwait.go
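
The two review findings above (diagnostics passed by value, and the unchecked type assertion), as an added example that is not code from this PR or the provider. `Diagnostics` and `Route` are constructed stand-ins for the framework's `diag.Diagnostics` and a component route object, and the sample plan is made up.

```go
package main

import "fmt"

// Diagnostics is a constructed stand-in for a slice-based diagnostics type
// whose AddError has a pointer receiver (as diag.Diagnostics does).
type Diagnostics []string

func (d *Diagnostics) AddError(s, detail string) { *d = append(*d, s+": "+detail) }

// Route is a constructed stand-in for one component_routes element.
type Route struct{ Hostname, TLSSecretRef string }

// expand converts planned elements to routes. The comma-ok assertion turns an
// unexpected element type into a diagnostic instead of a panic.
func expand(elems map[string]any, diags *Diagnostics) map[string]Route {
	out := map[string]Route{}
	for name, v := range elems {
		r, ok := v.(Route)
		if !ok {
			diags.AddError("Invalid component route element type",
				fmt.Sprintf("expected Route, got %T for component route %s", v, name))
			continue
		}
		out[name] = r
	}
	return out
}

// expandByValue receives a copy of the slice header, so errors appended
// inside expand never reach the caller.
func expandByValue(elems map[string]any, diags Diagnostics) map[string]Route {
	return expand(elems, &diags)
}

// Demo returns the number of errors the caller sees with each convention.
func Demo() (byValue, byPointer int) {
	elems := map[string]any{ // constructed sample plan
		"console":   Route{Hostname: "console.company.com", TLSSecretRef: "console-tls"},
		"downloads": "downloads.company.com", // wrong element type
	}
	var d1, d2 Diagnostics
	expandByValue(elems, d1)
	expand(elems, &d2)
	return len(d1), len(d2)
}

func main() { fmt.Println(Demo()) }
```

With the by-value call the caller sees zero errors even though the `downloads` entry was rejected, so a bad route is dropped without any diagnostic.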

Comment thread provider/defaultingress/hcp/resource.go
…ess resource

Add component_routes (console, downloads) to the rhcs_hcp_default_ingress
resource schema, matching the existing Classic ingress resource pattern.
OAuth component routes are not supported on HCP clusters because the OAuth
server runs on the management cluster control plane.

Signed-off-by: Cortney Reed <creed@redhat.com>
Commit-Message-Assisted-by: Claude (via Claude Code)
@reedcort reedcort force-pushed the ROSAENG-9174-hcp-component-routes branch from 0590736 to 826b418 Compare June 9, 2026 15:45