HYPERFLEET-839 - fix: require explicit NAMESPACE to prevent Pub/Sub c…

[ma-hill]

Summary

Removes hardcoded default namespace of hyperfleet-e2e in deploy-clm.sh to enforce that users must set NAMESPACE via .env or --namespace flag. This prevents GCP Pub/Sub topic/subscription collisions when multiple users run tests concurrently.

Changes

• Set default NAMESPACE = hyperfleet-e2e-$USER in env.example
• Update documentation to reflect required namespace flag
• Verified that it looks like tests already specify a unique namespace of hyperlfeet-e2e-<build_id>

Test Plan

• deploy-clm.sh scripts successful
• make test passes
• make e2e passes
• make lint passes
• E2E tests passed (if cross-component or major changes)

Jira Issue

• HYPERFLEET-839

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR makes namespace usage per-user and stricter across deploy scripts and docs: deploy-scripts/.env.example now defaults NAMESPACE to hyperfleet-e2e-$(echo ${USER:-default} | tr '[:upper:]' '[:lower:]') and adds notes about Pub/Sub naming. deploy-clm.sh removes the internal default, requires NAMESPACE (env or --namespace), and enforces DNS-1123 label constraints plus a 63-character max, exiting with usage on validation failure. deploy-scripts/README.md examples and commands were updated to use per-user or explicit <unique_namespace> placeholders and adjusted an LB IP extraction to use $NAMESPACE.

Sequence Diagram(s)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: requiring explicit NAMESPACE to prevent Pub/Sub collisions, which is the core objective of the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description clearly describes the purpose of removing hardcoded namespace defaults and relates directly to the changes in .env.example, README.md, and deploy-clm.sh.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy-scripts/README.md`:
- Around line 180-184: The README example for running
./deploy-scripts/deploy-clm.sh shows a broken multi-line shell command: the line
with "--namespace pr-123" is missing a trailing backslash, causing the next
option lines to be treated as a separate command; update the example so each
continued line ends with a backslash (e.g., add a "\" after "--namespace
pr-123") so the full invocation of deploy-clm.sh with --action, --namespace,
--api-image-repo and --api-image-tag is executed as one multi-line command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6699e988-d74b-4d63-87a0-2b50afe0694b

📥 Commits

Reviewing files that changed from the base of the PR and between 8fb3eaa and b8846a7.

📒 Files selected for processing (3)

• deploy-scripts/.env.example
• deploy-scripts/README.md
• deploy-scripts/deploy-clm.sh

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy-scripts/.env.example`:
- Line 12: The NAMESPACE export uses unguarded $USER expansion which can trigger
an "unbound variable" under set -u; update the export for NAMESPACE (the line
that currently reads export NAMESPACE="${NAMESPACE:-hyperfleet-e2e-$USER}") to
use safe parameter expansion such as export
NAMESPACE="${NAMESPACE:-hyperfleet-e2e-${USER:-unknown}}" (or ${USER:-} if you
prefer empty) so that missing USER won’t abort deploy-clm.sh.

In `@deploy-scripts/deploy-clm.sh`:
- Around line 360-366: The script currently only checks NAMESPACE presence; add
DNS-1123 format validation (lowercase alphanumerics and hyphens, no
leading/trailing hyphen, max 63 chars) right after the existing empty check. In
the block around the NAMESPACE check, validate length (<=63) and match the regex
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$; if it fails, call log_error with a clear
message about invalid namespace format and then print_usage and exit 1 (same
flow as the empty-case). Reference: NAMESPACE variable and existing
log_error/print_usage usage in deploy-clm.sh.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 357fd5ee-da38-4294-8f22-f05f7ff8e918

📥 Commits

Reviewing files that changed from the base of the PR and between b8846a7 and c96407b.

📒 Files selected for processing (3)

• deploy-scripts/.env.example
• deploy-scripts/README.md
• deploy-scripts/deploy-clm.sh

✅ Files skipped from review due to trivial changes (1)

• deploy-scripts/README.md

[pnguyen44]

Missing trailing backslash. This breaks the multi-line shell example. The image repo and tag lines would be interpreted as a separate command instead of arguments to deploy-clm.sh.

[pnguyen44]

$USER can contain uppercase characters on some systems, which would produce an invalid Kubernetes namespace (DNS-1123 requires lowercase). Consider lowercasing it here or adding DNS-1123 validation in the script to catch this early.

[ma-hill]

Addressed and added a check for namespace names that must be valid RFC 1123 DNS labels.

[coderabbitai]

🧹 Nitpick comments (1)

deploy-scripts/.env.example (1)

12-12: ⚡ Quick win

Sanitize and bound the USER suffix before composing NAMESPACE.

Line 12 lowercases USER, but it still allows characters/length that fail the DNS-1123 check in deploy-scripts/deploy-clm.sh (Line 368). This can make the default .env value fail on first run for valid system usernames like john_doe or long IDs.

Suggested patch

-export NAMESPACE="${NAMESPACE:-hyperfleet-e2e-$(echo ${USER:-default} | tr '[:upper:]' '[:lower:]')}"
+export NAMESPACE="${NAMESPACE:-hyperfleet-e2e-$(printf '%s' "${USER:-default}" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9]+/-/g; s/^-+|-+$//g; s/^$/default/; s/^(.{48}).*$/\1/')}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deploy-scripts/.env.example` at line 12, Sanitize and bound the USER suffix
used to build NAMESPACE: when exporting NAMESPACE (the export NAMESPACE= line),
lower-case the USER, replace any chars not in [a-z0-9-] with '-', strip
leading/trailing '-' and enforce a maximum suffix length so the full name
(prefix "hyperfleet-e2e-") stays within the DNS-1123 63-char label limit (i.e.,
cap the suffix to 63 minus the prefix length); ensure an empty result falls back
to "default"; apply this change in the .env.example export NAMESPACE line and
verify it satisfies the DNS-1123 check used in deploy-clm.sh.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@deploy-scripts/.env.example`:
- Line 12: Sanitize and bound the USER suffix used to build NAMESPACE: when
exporting NAMESPACE (the export NAMESPACE= line), lower-case the USER, replace
any chars not in [a-z0-9-] with '-', strip leading/trailing '-' and enforce a
maximum suffix length so the full name (prefix "hyperfleet-e2e-") stays within
the DNS-1123 63-char label limit (i.e., cap the suffix to 63 minus the prefix
length); ensure an empty result falls back to "default"; apply this change in
the .env.example export NAMESPACE line and verify it satisfies the DNS-1123
check used in deploy-clm.sh.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 85cd9844-f0f0-4082-9f38-9899c6b94688

📥 Commits

Reviewing files that changed from the base of the PR and between c96407b and 84e60fa.

📒 Files selected for processing (3)

• deploy-scripts/.env.example
• deploy-scripts/README.md
• deploy-scripts/deploy-clm.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• deploy-scripts/README.md

[rafabene]

Tip

nit — non-blocking suggestion

Category: Inconsistency

Two small doc issues with the namespace examples:

1. The README mixes <unique_namespace> (placeholder) and hyperfleet-e2e-$USER (literal) without a consistent rule. For example, Quick Start install uses the placeholder but Quick Start uninstall uses the literal. Consider standardizing — either use <unique_namespace> everywhere with a note explaining the convention, or use hyperfleet-e2e-$USER everywhere for copy-pasteable examples.

2. Option 2 step 3 (line 87) adds --namespace hyperfleet-e2e-$USER to the .env-based workflow, but the whole point of Option 2 is that NAMESPACE is configured in .env. The --namespace CLI flag overrides the .env value, making step 2's config irrelevant. The script's own help text shows the correct pattern:

# Install with .env defaults
deploy-clm.sh --action install

Consider reverting line 87 to just ./deploy-clm.sh --action install (no --namespace) to match the .env-based intent.

[rafabene]

Impact warnings

The following files are NOT in this PR but still reference the old hardcoded hyperfleet-e2e namespace and may need updating:

• docs/runbook.md — kubectl commands use hardcoded namespace (e.g., kubectl get pods -n hyperfleet-e2e, kubectl logs -n hyperfleet-e2e deployment/hyperfleet-api)
• deploy-scripts/lib/gcp.sh — comment examples reference hardcoded namespace (e.g., hyperfleet-e2e-clusters, hyperfleet-e2e-nodepools)

These are outside the PR scope — just flagging for awareness so the migration away from the hardcoded namespace is complete.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deploy-scripts/README.md (1)

304-322: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use one namespace variable consistently in the E2E snippet.

Line 309 uses $NAMESPACE, but Lines 306 and 321 still use <unique_namespace>. This makes the snippet inconsistent and less copy/pasteable. Define NAMESPACE once and use it for deploy, lookup, and cleanup.

Suggested snippet adjustment

 # Deploy test environment
-./deploy-scripts/deploy-clm.sh --action install --namespace <unique_namespace>
+export NAMESPACE=<unique_namespace>
+./deploy-scripts/deploy-clm.sh --action install --namespace $NAMESPACE

 # Configure E2E test API URL
 EXTERNAL_IP=$(kubectl get svc hyperfleet-api -n $NAMESPACE -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 export HYPERFLEET_API_URL="http://${EXTERNAL_IP}:8000"
@@
-./deploy-scripts/deploy-clm.sh --action uninstall --namespace <unique_namespace>
+./deploy-scripts/deploy-clm.sh --action uninstall --namespace $NAMESPACE

As per coding guidelines, "In any E2E integration steps, use $NAMESPACE when extracting services ... and when passing namespaces to deploy/cleanup."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy-scripts/README.md` around lines 304 - 322, The snippet is inconsistent
about namespace usage—replace all literal "<unique_namespace>" occurrences with
a single exported variable NAMESPACE and use it everywhere; explicitly export
NAMESPACE at the top (e.g., export NAMESPACE="<unique_namespace>"), then call
./deploy-scripts/deploy-clm.sh --namespace "$NAMESPACE" for install and
uninstall and use kubectl get svc hyperfleet-api -n "$NAMESPACE" to populate
EXTERNAL_IP used in HYPERFLEET_API_URL so the deploy-clm.sh invocations, the
kubectl lookup, and the cleanup all reference the same NAMESPACE variable.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy-scripts/deploy-clm.sh`:
- Around line 132-134: Update the help text in deploy-clm.sh that currently
recommends setting NAMESPACE=hyperfleet-e2e-$USER so it instead references the
canonical default in deploy-scripts/.env.example (which uses the lowercased user
expression) or suggests using the --namespace <unique_namespace> flag; modify
the NAMESPACE recommendation string and any related usage/help output in
deploy-clm.sh to match the .env.example behavior (lowercase user expression)
and/or mention the --namespace option to avoid validation mismatches.

---

Outside diff comments:
In `@deploy-scripts/README.md`:
- Around line 304-322: The snippet is inconsistent about namespace usage—replace
all literal "<unique_namespace>" occurrences with a single exported variable
NAMESPACE and use it everywhere; explicitly export NAMESPACE at the top (e.g.,
export NAMESPACE="<unique_namespace>"), then call ./deploy-scripts/deploy-clm.sh
--namespace "$NAMESPACE" for install and uninstall and use kubectl get svc
hyperfleet-api -n "$NAMESPACE" to populate EXTERNAL_IP used in
HYPERFLEET_API_URL so the deploy-clm.sh invocations, the kubectl lookup, and the
cleanup all reference the same NAMESPACE variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 285be350-01e1-4796-8b83-d373d36a5704

📥 Commits

Reviewing files that changed from the base of the PR and between 84e60fa and 085f33d.

📒 Files selected for processing (3)

• deploy-scripts/.env.example
• deploy-scripts/README.md
• deploy-scripts/deploy-clm.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align the help-text recommendation with the canonical .env default.

Line 133 recommends NAMESPACE=hyperfleet-e2e-$USER, which can drift from the .env.example behavior and lead users to values later rejected by validation. Please point users to the .env.example default expression (lowercased user) or to --namespace <unique_namespace>.

Suggested doc tweak

-    Recommended: set NAMESPACE=hyperfleet-e2e-\$USER in .env file.
+    Recommended: use the default in .env.example (hyperfleet-e2e-<lowercased-user>)
+    or pass --namespace <unique_namespace>.

As per coding guidelines, "deploy-scripts/.env.example ... should remain the canonical place for the default namespace behavior that deploy-clm.sh expects users to use."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy-scripts/deploy-clm.sh` around lines 132 - 134, Update the help text in
deploy-clm.sh that currently recommends setting NAMESPACE=hyperfleet-e2e-$USER
so it instead references the canonical default in deploy-scripts/.env.example
(which uses the lowercased user expression) or suggests using the --namespace
<unique_namespace> flag; modify the NAMESPACE recommendation string and any
related usage/help output in deploy-clm.sh to match the .env.example behavior
(lowercase user expression) and/or mention the --namespace option to avoid
validation mismatches.

[ma-hill]

/retest

[rafabene]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rafabene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rafabene]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment