OCPBUGS-86564: Use stable username hash for user-settings ConfigMap names

[pedjak]

Analysis / Root cause:

The SelfSubjectReview API returns the identity UID, not the stable User
resource UID. With mappingMethod: add and multiple identity providers
(e.g. LDAP + OpenID), the same user receives different identity UIDs
across logins, causing a new user-settings-* ConfigMap (plus Role and
RoleBinding) to be created each time. A customer observed ~21,594
ConfigMaps for ~3,869 users.

Introduced in commit a186aa1 which migrated from the OCP User API
(Users().Get("~")) to SelfSubjectReview.

https://redhat.atlassian.net/browse/OCPBUGS-86564

Solution description:

• Backend (pkg/usersettings/): Change ResourceIdentifier from
  UID to SHA256(username). The username is stable across identity
  providers for the same OpenShift user. UID is still used in
  OwnerReferences for garbage collection.
• Migration: On first login post-upgrade, if the new ConfigMap does
  not yet exist, the backend lists all ConfigMaps in the namespace and
  finds old ones via OwnerReference (matching Kind: User and the
  username). If multiple old ConfigMaps exist (e.g. from different
  identity provider UIDs), data is migrated from the most recently
  created one. All old ConfigMaps and their associated Roles and
  RoleBindings are cleaned up. If the new ConfigMap already exists,
  the handler short-circuits without listing.
  Best-effort — errors are logged but never block creation.
• Frontend (console-shared/src/hooks/): Remove uid from the
  ConfigMap name priority chain so the frontend watches the same
  hash-based name the backend creates. Extract duplicated
  hashNameOrKubeadmin into a shared hashUsernameForSettings utility.

Screenshots / screen recording:

Test setup:
Cluster with multiple identity providers configured with
mappingMethod: add (e.g. LDAP + OpenID).

Test cases:

• Log in, verify ConfigMap created as user-settings-{SHA256(username)}
• Log out and back in — same ConfigMap reused, no new one created
• Log in via a different identity provider — same ConfigMap reused
• On a cluster with existing UID-based ConfigMaps: upgrade, log in,
  verify old settings are preserved in the new ConfigMap and old
  resources are cleaned up
• On a cluster with multiple old ConfigMaps for the same user: verify
  the most recent one is migrated and all old ones are removed
• kube:admin (no UID) still uses user-settings-kubeadmin
• Backend: go test ./pkg/usersettings/...
• Frontend: cd frontend && yarn test packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts

Browser conformance:

• Chrome
• Firefox
• Safari (or Epiphany on Linux)

Summary by CodeRabbit

• New Features

  • Automatic migration of legacy user settings into new hash-named resources with best-effort cleanup; preserves existing settings when a target already exists.

• Bug Fixes

  • Stable, deterministic naming for user settings (hash-based, stable across UID changes).
  • Impersonation now takes precedence when selecting a user settings resource.
  • Username-only resolution is synchronous (no initial async null).

• Tests

  • Expanded tests covering creation, migration, preservation, selection, and cleanup scenarios.

[openshift-ci-robot]

@pedjak: This pull request references Jira Issue OCPBUGS-86564, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Analysis / Root cause:

The SelfSubjectReview API returns the identity UID, not the stable User
resource UID. With mappingMethod: add and multiple identity providers
(e.g. LDAP + OpenID), the same user receives different identity UIDs
across logins, causing a new user-settings-* ConfigMap (plus Role and
RoleBinding) to be created each time. A customer observed ~21,594
ConfigMaps for ~3,869 users.

Introduced in commit a186aa1 which migrated from the OCP User API
(Users().Get("~")) to SelfSubjectReview.

https://redhat.atlassian.net/browse/OCPBUGS-86564

Solution description:

• Backend (pkg/usersettings/): Change ResourceIdentifier from
  UID to SHA256(username). The username is stable across identity
  providers for the same OpenShift user. UID is still used in
  OwnerReferences for garbage collection.
• Migration: On first login post-upgrade, the backend looks up the
  old UID-based ConfigMap, copies its data into the new hash-based
  ConfigMap, then cleans up the old ConfigMap/Role/RoleBinding.
  Best-effort — errors are logged but never block creation.
• Frontend (console-shared/src/hooks/): Remove uid from the
  ConfigMap name priority chain so the frontend watches the same
  hash-based name the backend creates. Extract duplicated
  hashNameOrKubeadmin into a shared hashUsernameForSettings utility.

Screenshots / screen recording:

Test setup:
Cluster with multiple identity providers configured with
mappingMethod: add (e.g. LDAP + OpenID).

Test cases:

• Log in, verify ConfigMap created as user-settings-{SHA256(username)}
• Log out and back in — same ConfigMap reused, no new one created
• Log in via a different identity provider — same ConfigMap reused
• On a cluster with existing UID-based ConfigMaps: upgrade, log in,
  verify old settings are preserved in the new ConfigMap and old
  resources are cleaned up
• kube:admin (no UID) still uses user-settings-kubeadmin
• Backend: go test ./pkg/usersettings/...
• Frontend: cd frontend && yarn test packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts

Browser conformance:

• Chrome
• Firefox
• Safari (or Epiphany on Linux)

Additional info:
Existing UID-based ConfigMaps from other IDPs (not matching the current
session's UID) remain as harmless orphans. A follow-up admin script
could clean these up, but it is out of scope for this fix.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

User settings ConfigMap resource names transition from UID-based to username-hash-based identification. A shared hashUsernameForSettings function provides deterministic SHA256-derived names. Backend newUserSettingMeta uses this hash for resource naming and includes migration helpers to copy data from old UID-based ConfigMaps. Frontend hooks are refactored to compute identifiers synchronously via the same hashing utility.

Changes

User Settings Hash-based Naming

Layer / File(s)	Summary
Hashing utility foundation frontend/packages/console-shared/src/utils/user-settings.ts	New hashUsernameForSettings(name, uid) function computes SHA256 hashes of usernames; special-cases kube:admin when UID is absent; returns null for empty names. Shared between frontend and backend.
Frontend hooks & tests frontend/packages/console-shared/src/hooks/useGetUserSettingConfigMap.ts, frontend/packages/console-shared/src/hooks/useUserPreference.ts, frontend/packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts, frontend/packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts	Hooks eliminate local async hashing state and import hashUsernameForSettings to compute userUid synchronously from Redux selectors (user, impersonate). Impersonation takes precedence; falls back to username hash or empty string. Tests updated to mock selector-callback behavior and expect synchronous hash-derived resource names.
Backend meta and types pkg/usersettings/helpers.go, pkg/usersettings/types.go, pkg/usersettings/helpers_test.go	newUserSettingMeta derives resourceIdentifier as kubeadmin for real kubeadmin (no UID) or SHA256(username) otherwise; OwnerReferences are set only when UID is present. Tests added/updated to assert stable hashed identifiers across UIDs and special-character usernames.
Backend migration & cleanup pkg/usersettings/handlers.go, pkg/usersettings/handlers_test.go	createUserSettings attempts migration from legacy UID-based ConfigMap by listing owned ConfigMaps, selects the most recent, seeds new hashed ConfigMap Data when present, creates Role/RoleBinding, and performs best-effort cleanup (cleanupOldUserSettings) of old RoleBinding/Role/ConfigMap. Ownership checks ensure safe migration; tests cover creation, existing-create short-circuit, migration selection and cleanup, and ignore cases.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

component/core, tide/merge-method-squash, verified

Suggested reviewers

• fsgreco
• Leo6Leo

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adopting a stable username hash for ConfigMap naming instead of unstable identity UIDs.
Description check	✅ Passed	The description is comprehensive with all key sections completed: root cause analysis, detailed solution description, test setup, test cases, and browser conformance checklist. All required template sections are addressed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in the PR are stable and deterministic with no dynamic values, generated suffixes, timestamps, UUIDs, or other values that change between runs.
Test Structure And Quality	✅ Passed	PR uses standard Go testing, not Ginkgo, making the check inapplicable. Tests follow best practices: single responsibility, meaningful assertions, fake clients, consistent patterns.
Microshift Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests; only frontend Jest tests and backend Go unit tests using standard testing package.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR contains only unit tests using Go testing package (backend) and Jest (frontend), which are not applicable to SNO compatibility check.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies user-settings ConfigMap naming and migration logic with no deployment manifests, operator code, controllers, or scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR modifies console-bridge HTTP server code, not OTE test binaries. All klog calls are in HTTP request handlers, not process-level code. Check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. Changes consist of Go unit tests (testing.T) and Jest frontend tests only.
No-Weak-Crypto	✅ Passed	PR uses only SHA-256 from standard crypto libraries. No weak algorithms (MD5, SHA1, DES, RC4, etc.), custom crypto, or non-constant-time secret comparisons found.
Container-Privileges	✅ Passed	PR contains no Kubernetes manifests or container configs. All changes are Go backend code and TypeScript/JavaScript hooks for user settings; no privilege escalation settings present.
No-Sensitive-Data-In-Logs	✅ Passed	All new logging statements in the PR use hashed resource names or generic errors with no exposure of passwords, tokens, APIs keys, PII, session IDs, or sensitive customer data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pedjak
Once this PR has been reviewed and has the lgtm label, please assign jhadvig for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• frontend/OWNERS
• pkg/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/usersettings/handlers.go`:
- Around line 119-122: The AlreadyExists branch in the Create path (detected
with apierrors.IsAlreadyExists(err)) currently returns immediately after
logging, which prevents retrying cleanup of legacy UID-based resources when a
migration source is present; update the handler in handlers.go so that when
apierrors.IsAlreadyExists(err) and the migration source is detected you do not
early-return from the create flow but instead trigger/reenqueue the old-resource
cleanup logic (the same cleanup used elsewhere for migration), then perform the
ConfigMap fetch via
h.internalProxiedClient.CoreV1().ConfigMaps(namespace).Get(ctx,
userSettingMeta.getConfigMapName(), meta.GetOptions{}) to return the existing
data; apply the same change to the analogous block around lines 127-129 to
ensure cleanup retries run before returning existing resources.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 93878d20-787d-4d4d-8036-040b1a96227a

📥 Commits

Reviewing files that changed from the base of the PR and between c38dedf and 82f153e.

📒 Files selected for processing (9)

• frontend/packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts
• frontend/packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts
• frontend/packages/console-shared/src/hooks/useGetUserSettingConfigMap.ts
• frontend/packages/console-shared/src/hooks/useUserPreference.ts
• frontend/packages/console-shared/src/utils/user-settings.ts
• pkg/usersettings/handlers.go
• pkg/usersettings/helpers.go
• pkg/usersettings/helpers_test.go
• pkg/usersettings/types.go

[pedjak]

/jira refresh

[openshift-ci-robot]

@pedjak: This pull request references Jira Issue OCPBUGS-86564, which is invalid:

• expected the bug to target only the "5.0.0" version, but multiple target versions were set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Analysis / Root cause:

The SelfSubjectReview API returns the identity UID, not the stable User
resource UID. With mappingMethod: add and multiple identity providers
(e.g. LDAP + OpenID), the same user receives different identity UIDs
across logins, causing a new user-settings-* ConfigMap (plus Role and
RoleBinding) to be created each time. A customer observed ~21,594
ConfigMaps for ~3,869 users.

Introduced in commit a186aa1 which migrated from the OCP User API
(Users().Get("~")) to SelfSubjectReview.

https://redhat.atlassian.net/browse/OCPBUGS-86564

Solution description:

• Backend (pkg/usersettings/): Change ResourceIdentifier from
  UID to SHA256(username). The username is stable across identity
  providers for the same OpenShift user. UID is still used in
  OwnerReferences for garbage collection.
• Migration: On first login post-upgrade, the backend looks up the
  old UID-based ConfigMap, copies its data into the new hash-based
  ConfigMap, then cleans up the old ConfigMap/Role/RoleBinding.
  Best-effort — errors are logged but never block creation.
• Frontend (console-shared/src/hooks/): Remove uid from the
  ConfigMap name priority chain so the frontend watches the same
  hash-based name the backend creates. Extract duplicated
  hashNameOrKubeadmin into a shared hashUsernameForSettings utility.

Screenshots / screen recording:

Test setup:
Cluster with multiple identity providers configured with
mappingMethod: add (e.g. LDAP + OpenID).

Test cases:

• Log in, verify ConfigMap created as user-settings-{SHA256(username)}
• Log out and back in — same ConfigMap reused, no new one created
• Log in via a different identity provider — same ConfigMap reused
• On a cluster with existing UID-based ConfigMaps: upgrade, log in,
  verify old settings are preserved in the new ConfigMap and old
  resources are cleaned up
• kube:admin (no UID) still uses user-settings-kubeadmin
• Backend: go test ./pkg/usersettings/...
• Frontend: cd frontend && yarn test packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts

Browser conformance:

• Chrome
• Firefox
• Safari (or Epiphany on Linux)

Additional info:
Existing UID-based ConfigMaps from other IDPs (not matching the current
session's UID) remain as harmless orphans. A follow-up admin script
could clean these up, but it is out of scope for this fix.

Summary by CodeRabbit

• New Features

• Automatic migration of existing user settings from legacy UID-based resources into the new hash-based naming scheme, with cleanup of old resources when migrated.

• Bug Fixes

• Deterministic SHA-256 hashing for stable user settings resource names (stable across UID changes).

• Impersonation now takes precedence when selecting a user settings resource.

• Username-only resolution is synchronous (no initial async null).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@pedjak: This pull request references Jira Issue OCPBUGS-86564, which is invalid:

• expected the bug to target only the "5.0.0" version, but multiple target versions were set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pedjak]

/jira refresh

[openshift-ci-robot]

@pedjak: This pull request references Jira Issue OCPBUGS-86564, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 0

[openshift-ci-robot]

@pedjak: This pull request references Jira Issue OCPBUGS-86564, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Analysis / Root cause:

The SelfSubjectReview API returns the identity UID, not the stable User
resource UID. With mappingMethod: add and multiple identity providers
(e.g. LDAP + OpenID), the same user receives different identity UIDs
across logins, causing a new user-settings-* ConfigMap (plus Role and
RoleBinding) to be created each time. A customer observed ~21,594
ConfigMaps for ~3,869 users.

Introduced in commit a186aa1 which migrated from the OCP User API
(Users().Get("~")) to SelfSubjectReview.

https://redhat.atlassian.net/browse/OCPBUGS-86564

Solution description:

• Backend (pkg/usersettings/): Change ResourceIdentifier from
  UID to SHA256(username). The username is stable across identity
  providers for the same OpenShift user. UID is still used in
  OwnerReferences for garbage collection.
• Migration: On first login post-upgrade, if the new ConfigMap does
  not yet exist, the backend lists all ConfigMaps in the namespace and
  finds old ones via OwnerReference (matching Kind: User and the
  username). If multiple old ConfigMaps exist (e.g. from different
  identity provider UIDs), data is migrated from the most recently
  created one. All old ConfigMaps and their associated Roles and
  RoleBindings are cleaned up. If the new ConfigMap already exists,
  the handler short-circuits without listing.
  Best-effort — errors are logged but never block creation.
• Frontend (console-shared/src/hooks/): Remove uid from the
  ConfigMap name priority chain so the frontend watches the same
  hash-based name the backend creates. Extract duplicated
  hashNameOrKubeadmin into a shared hashUsernameForSettings utility.

Screenshots / screen recording:

Test setup:
Cluster with multiple identity providers configured with
mappingMethod: add (e.g. LDAP + OpenID).

Test cases:

• Log in, verify ConfigMap created as user-settings-{SHA256(username)}
• Log out and back in — same ConfigMap reused, no new one created
• Log in via a different identity provider — same ConfigMap reused
• On a cluster with existing UID-based ConfigMaps: upgrade, log in,
  verify old settings are preserved in the new ConfigMap and old
  resources are cleaned up
• On a cluster with multiple old ConfigMaps for the same user: verify
  the most recent one is migrated and all old ones are removed
• kube:admin (no UID) still uses user-settings-kubeadmin
• Backend: go test ./pkg/usersettings/...
• Frontend: cd frontend && yarn test packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts

Browser conformance:

• Chrome
• Firefox
• Safari (or Epiphany on Linux)

Summary by CodeRabbit

• New Features

• Automatic migration of existing user settings from legacy UID-based resources into the new hash-based naming scheme, with cleanup of old resources when migrated.

• Bug Fixes

• Deterministic SHA-256 hashing for stable user settings resource names (stable across UID changes).

• Impersonation now takes precedence when selecting a user settings resource.

• Username-only resolution is synchronous (no initial async null).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/usersettings/helpers.go (1)

24-26: ⚡ Quick win

Use sha256.Sum256 instead of ignoring Write's return values.

Line 25 drops the Write results entirely. For a one-shot hash, sha256.Sum256 is simpler and avoids the repo's Go error-handling violation.

Suggested change

-		sha256Hash := sha256.New()
-		sha256Hash.Write([]byte(name))
-		resourceIdentifier = hex.EncodeToString(sha256Hash.Sum(nil))
+		sum := sha256.Sum256([]byte(name))
+		resourceIdentifier = hex.EncodeToString(sum[:])

As per coding guidelines, "Never ignore error returns".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/usersettings/helpers.go` around lines 24 - 26, The code builds a SHA256
by calling sha256.New(), then sha256Hash.Write([]byte(name)) and ignores its
return values; replace this one-shot hashing with sha256.Sum256 to avoid
ignoring Write results: compute sum := sha256.Sum256([]byte(name)) and set
resourceIdentifier = hex.EncodeToString(sum[:]); update the block that currently
declares sha256Hash and calls Write/Sum to use sha256.Sum256 instead.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/usersettings/handlers.go`:
- Around line 95-97: The code currently returns early when the ConfigMap exists
(the call to h.internalProxiedClient.CoreV1().ConfigMaps(namespace).Get
returning nil error), which skips reconciling RBAC; change the flow in the
handler function that calls userSettingMeta.getConfigMapName() so that after
detecting an existing ConfigMap you still proceed to ensure the associated Role
and RoleBinding are created/updated (reconcile RBAC) before returning;
specifically, remove the early return and invoke the same Role/RoleBinding
reconciliation logic used for the POST path (or call the
reconcileRoles/reconcileRoleBinding helper if present) so RBAC is repaired even
when the ConfigMap already exists.

---

Nitpick comments:
In `@pkg/usersettings/helpers.go`:
- Around line 24-26: The code builds a SHA256 by calling sha256.New(), then
sha256Hash.Write([]byte(name)) and ignores its return values; replace this
one-shot hashing with sha256.Sum256 to avoid ignoring Write results: compute sum
:= sha256.Sum256([]byte(name)) and set resourceIdentifier =
hex.EncodeToString(sum[:]); update the block that currently declares sha256Hash
and calls Write/Sum to use sha256.Sum256 instead.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 67e66cc3-d342-4e2c-a8e3-dd47488fffa9

📥 Commits

Reviewing files that changed from the base of the PR and between 47bcadc and 7c817b1.

📒 Files selected for processing (10)

• frontend/packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts
• frontend/packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts
• frontend/packages/console-shared/src/hooks/useGetUserSettingConfigMap.ts
• frontend/packages/console-shared/src/hooks/useUserPreference.ts
• frontend/packages/console-shared/src/utils/user-settings.ts
• pkg/usersettings/handlers.go
• pkg/usersettings/handlers_test.go
• pkg/usersettings/helpers.go
• pkg/usersettings/helpers_test.go
• pkg/usersettings/types.go

🚧 Files skipped from review as they are similar to previous changes (7)

• pkg/usersettings/types.go
• frontend/packages/console-shared/src/utils/user-settings.ts
• frontend/packages/console-shared/src/hooks/tests/useUserPreference.spec.ts
• frontend/packages/console-shared/src/hooks/useGetUserSettingConfigMap.ts
• frontend/packages/console-shared/src/hooks/useUserPreference.ts
• pkg/usersettings/helpers_test.go
• frontend/packages/console-shared/src/hooks/tests/useGetUserSettingConfigMap.spec.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't short-circuit before RBAC is reconciled.

Returning at Line 97 skips Role/RoleBinding creation entirely. If the hashed ConfigMap already exists but either RBAC object was removed or never created, this POST path no longer repairs access and the user can be left with an unreadable/unwritable settings ConfigMap.

Suggested direction

-	existing, err := h.internalProxiedClient.CoreV1().ConfigMaps(namespace).Get(ctx, userSettingMeta.getConfigMapName(), meta.GetOptions{})
-	if err == nil {
-		return existing, nil
-	}
-	if !apierrors.IsNotFound(err) {
+	existing, err := h.internalProxiedClient.CoreV1().ConfigMaps(namespace).Get(ctx, userSettingMeta.getConfigMapName(), meta.GetOptions{})
+	configMapExists := err == nil
+	if err != nil && !apierrors.IsNotFound(err) {
 		return nil, err
 	}
@@
-	configMap := createConfigMap(userSettingMeta)
-	if migrateFrom != nil {
+	configMap := createConfigMap(userSettingMeta)
+	if !configMapExists && migrateFrom != nil {
 		configMap.Data = migrateFrom.Data
 	}
@@
+	if configMapExists {
+		return existing, nil
+	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/usersettings/handlers.go` around lines 95 - 97, The code currently
returns early when the ConfigMap exists (the call to
h.internalProxiedClient.CoreV1().ConfigMaps(namespace).Get returning nil error),
which skips reconciling RBAC; change the flow in the handler function that calls
userSettingMeta.getConfigMapName() so that after detecting an existing ConfigMap
you still proceed to ensure the associated Role and RoleBinding are
created/updated (reconcile RBAC) before returning; specifically, remove the
early return and invoke the same Role/RoleBinding reconciliation logic used for
the POST path (or call the reconcileRoles/reconcileRoleBinding helper if
present) so RBAC is repaired even when the ConfigMap already exists.

[pedjak]

The Role and RoleBinding are always created before the ConfigMap in createUserSettings, so if the ConfigMap exists, RBAC was necessarily already set up in a prior call. The only way RBAC could be missing with the ConfigMap present is manual admin deletion — that's not a scenario this code path should self-heal from. Skipping this one.

[coderabbitai]

@pedjak, that's a fair point — the creation order (Role → RoleBinding → ConfigMap) provides a strong invariant: a successfully created ConfigMap implies RBAC was established in the same call. Treating manual admin deletion as a self-heal scenario would also risk re-instating access that an admin intentionally removed. Acknowledged, skipping this one.

[pedjak]

/retest

[pedjak]

/retest

[openshift-ci]

@pedjak: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/backend	91ca2db	link	true	/test backend

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

🧹 Nitpick comments (1)

frontend/packages/console-shared/src/hooks/useUserPreference.ts (1)

74-79: 💤 Low value

Widen hashUsernameForSettings’ name parameter to match UserInfo.username?: string.

username can be undefined (UserInfo.username?: string), but hashUsernameForSettings currently types name: string even though it already guards if (!name) return null at runtime—so widen the signature to name: string | undefined (or name?: string) for correct type alignment.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/packages/console-shared/src/hooks/useUserPreference.ts` around lines
74 - 79, The function signature for hashUsernameForSettings is too narrow: it
currently declares name: string but callers like useUserPreference (in the
selector using getUser()?.username) can pass undefined; widen the parameter to
accept undefined (e.g., name?: string or name: string | undefined) and keep the
existing runtime guard (if (!name) return null) intact; update the function
declaration for hashUsernameForSettings (and any exported type references) so
TypeScript matches the runtime behavior and the call site in useUserPreference
no longer requires a cast.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@frontend/packages/console-shared/src/hooks/useUserPreference.ts`:
- Around line 74-79: The function signature for hashUsernameForSettings is too
narrow: it currently declares name: string but callers like useUserPreference
(in the selector using getUser()?.username) can pass undefined; widen the
parameter to accept undefined (e.g., name?: string or name: string | undefined)
and keep the existing runtime guard (if (!name) return null) intact; update the
function declaration for hashUsernameForSettings (and any exported type
references) so TypeScript matches the runtime behavior and the call site in
useUserPreference no longer requires a cast.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 16ee83a5-a7dc-4862-add5-9a237a13a4cd

📥 Commits

Reviewing files that changed from the base of the PR and between 7c817b1 and fcb4628.

📒 Files selected for processing (10)

• frontend/packages/console-shared/src/hooks/__tests__/useGetUserSettingConfigMap.spec.ts
• frontend/packages/console-shared/src/hooks/__tests__/useUserPreference.spec.ts
• frontend/packages/console-shared/src/hooks/useGetUserSettingConfigMap.ts
• frontend/packages/console-shared/src/hooks/useUserPreference.ts
• frontend/packages/console-shared/src/utils/user-settings.ts
• pkg/usersettings/handlers.go
• pkg/usersettings/handlers_test.go
• pkg/usersettings/helpers.go
• pkg/usersettings/helpers_test.go
• pkg/usersettings/types.go

✅ Files skipped from review due to trivial changes (1)

• frontend/packages/console-shared/src/hooks/tests/useUserPreference.spec.ts

🚧 Files skipped from review as they are similar to previous changes (6)

• pkg/usersettings/helpers_test.go
• pkg/usersettings/helpers.go
• frontend/packages/console-shared/src/hooks/useGetUserSettingConfigMap.ts
• pkg/usersettings/handlers_test.go
• frontend/packages/console-shared/src/hooks/tests/useGetUserSettingConfigMap.spec.ts
• pkg/usersettings/handlers.go