Fix default pull secret configuration for new service accounts

[rzhabbarov]

Summary

Fix configuring a namespace default pull secret when the default ServiceAccount does not already have imagePullSecrets.

The change now:

• creates imagePullSecrets when the field is missing
• appends to the existing array when it is present
• updates the namespace page state after successful configuration so the new pull secret appears without a page reload
• adds regression coverage for the UI update path

Testing

• cd frontend && HOME=/home/openshift-cluster-console/.test-home node .yarn/releases/yarn-4.14.1.cjs test public/components/__tests__/namespace.spec.tsx --runInBand
• cd frontend && HOME=/home/openshift-cluster-console/.test-home node .yarn/releases/yarn-4.14.1.cjs eslint public/components/__tests__/namespace.spec.tsx public/components/namespace.jsx public/components/modals/configure-ns-pull-secret-modal.tsx
• Manually verified against a Killercoda Kubernetes cluster through bridge

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Improved pull secret configuration handling for namespaces without existing imagePullSecrets fields
  • Enhanced UI state updates to accurately reflect pull secret configuration status after creation

• Tests

  • Added test coverage for pull secret configuration workflows

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rzhabbarov
Once this PR has been reviewed and has the lgtm label, please assign logonoff for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• frontend/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The ConfigureNamespacePullSecretModal gains two new props: hasImagePullSecretsField (drives a conditional JSON patch strategy via getDefaultServiceAccountPatch) and onSubmitSuccess (callback invoked after the patch resolves). PullSecret in namespace.jsx tracks hasImagePullSecretsField state from the ServiceAccount fetch and passes it plus an onSubmitSuccess handler to the modal overlay. Tests verify the in-place UI update after a successful modal submit.

Changes

PullSecret imagePullSecrets field tracking and modal submit callback

Layer / File(s)	Summary
Modal props, patch helper, and submit callback frontend/public/components/modals/configure-ns-pull-secret-modal.tsx	ConfigureNamespacePullSecretProps adds hasImagePullSecretsField and optional onSubmitSuccess; getDefaultServiceAccountPatch selects /imagePullSecrets/- append vs /imagePullSecrets create based on the flag; the submit handler calls onSubmitSuccess?.(pullSecretName) before close().
PullSecret state wiring and tests frontend/public/components/namespace.jsx, frontend/public/components/__tests__/namespace.spec.tsx	PullSecret initializes hasImagePullSecretsField to false, sets it from imagePullSecrets on fetch success, clears it on error, and flips it to true in onPullSecretCreated; both props are forwarded to the overlay. Tests mock useOverlay, trigger onSubmitSuccess, and assert the pull-secret link appears while the "Not configured" button disappears.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is missing several required sections from the template including Analysis/Root cause, Solution description, Screenshots, Test setup, Browser conformance, and the required Jira issue prefix in the title.	Add the missing sections from the template: include Jira issue prefix in title, provide root cause analysis, detailed solution description, test setup instructions, and browser conformance checklist.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Fix default pull secret configuration for new service accounts' is clear and directly related to the main change: fixing a configuration issue when the default ServiceAccount lacks an imagePullSecrets field.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Check not applicable to this PR. Custom check targets Ginkgo tests (Go), but PR only modifies Jest tests (.spec.tsx) and React components (TypeScript/JavaScript). No Ginkgo tests present in PR.
Test Structure And Quality	✅ Passed	Check is not applicable—this PR contains Jest/React tests, not Ginkgo (Go) tests. The custom check is designed for Ginkgo test code review only.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The PR modifies only frontend unit tests (Jest/TypeScript) and UI components. The custom check applies only to Ginkgo e2e tests, which are not present here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds Jest frontend tests, not Ginkgo e2e tests. The check applies only to Ginkgo e2e tests added to the repository. The jest tests mock API calls and test UI behavior in isolation without S...
Topology-Aware Scheduling Compatibility	✅ Passed	This PR modifies only OpenShift Console frontend UI components (React/TypeScript). It contains no deployment manifests, operator code, controllers, or scheduling constraints relevant to topology-aw...
Ote Binary Stdout Contract	✅ Passed	PR modifies only frontend TypeScript/JSX files (.tsx, .jsx); OTE Binary Stdout Contract applies only to Go test code with Ginkgo tests, not frontend Jest tests.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds Jest frontend unit tests (TypeScript/React), not Ginkgo e2e tests. The custom check specifically targets "When new Ginkgo e2e tests are added" - this check does not apply to Jest front...
No-Weak-Crypto	✅ Passed	No weak cryptographic usage found. Code uses Base64 encoding (not cryptography) for standard Kubernetes secret transport. The string comparison checks pull secret names (resource identifiers), not...
Container-Privileges	✅ Passed	PR contains only JavaScript/TypeScript React frontend code; no container or K8s manifest files with security configurations to check.
No-Sensitive-Data-In-Logs	✅ Passed	No logging of sensitive data (passwords, tokens, API keys, PII) found in PR changes; pre-existing console.error statements log non-sensitive API errors only.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch fix-namespace-default-pull-secret

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @rzhabbarov. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rzhabbarov]

@rhamilto I don't have a Jira/OCPBUGS issue for this bug yet. Could you please advise whether I should create one, or can this PR be triaged as-is?

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

frontend/public/components/__tests__/namespace.spec.tsx (1)

71-91: ⚡ Quick win

Add a test for the existing-field branch (hasImagePullSecretsField: true).

This regression covers the missing-field path well, but the modal has a second patch strategy for when imagePullSecrets already exists. Add a case with k8sGetMock.mockResolvedValue({ imagePullSecrets: [] }) and assert launched modal props set hasImagePullSecretsField to true.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/public/components/__tests__/namespace.spec.tsx` around lines 71 -
91, Add a new test case similar to the existing "shows a newly configured
default pull secret without reloading the page" test that covers the scenario
where imagePullSecrets already exist. In this new test, change
k8sGetMock.mockResolvedValue to pass an object with imagePullSecrets field
(e.g., imagePullSecrets: []) instead of an empty object, then verify that the
launched modal receives modalProps.hasImagePullSecretsField set to true instead
of false, ensuring both code paths (existing and missing imagePullSecrets field)
are tested.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/public/components/modals/configure-ns-pull-secret-modal.tsx`:
- Around line 67-82: The getDefaultServiceAccountPatch function relies on stale
cached state (hasImagePullSecretsField) to determine the patch strategy, which
can lead to destructive overwrites of existing imagePullSecrets if the field was
concurrently created. Instead of deriving the patch strategy from cached state
at modal creation time, fetch the fresh ServiceAccount state at the moment the
patch is being submitted/applied, inspect the current state of the
imagePullSecrets field, and use that real-time information to decide whether to
append to the existing list (add to array) or initialize the field. This ensures
the patch strategy reflects the actual current state rather than potentially
stale cached information.

---

Nitpick comments:
In `@frontend/public/components/__tests__/namespace.spec.tsx`:
- Around line 71-91: Add a new test case similar to the existing "shows a newly
configured default pull secret without reloading the page" test that covers the
scenario where imagePullSecrets already exist. In this new test, change
k8sGetMock.mockResolvedValue to pass an object with imagePullSecrets field
(e.g., imagePullSecrets: []) instead of an empty object, then verify that the
launched modal receives modalProps.hasImagePullSecretsField set to true instead
of false, ensuring both code paths (existing and missing imagePullSecrets field)
are tested.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 890bd20c-6b35-4120-ab7b-2bb8cc287741

📥 Commits

Reviewing files that changed from the base of the PR and between 49745c2 and fa7f51e.

📒 Files selected for processing (3)

• frontend/public/components/__tests__/namespace.spec.tsx
• frontend/public/components/modals/configure-ns-pull-secret-modal.tsx
• frontend/public/components/namespace.jsx