CCO-711: docs: improve the filter when getting the capi pod

[jstuever]

Previously, a validation step in sts-migrate-to-private-bucket.md fetched the name of the CAPI pod from the cluster. However, it was fetching more than the desired pod, which caused a followup command to fail.

This change adds additional filters to the command fetching the pod in order to ensure it is only fetching the desired pod. As a result, the followup command will now succeed.

Summary by CodeRabbit

• Documentation
  • Enhanced STS private bucket migration documentation with additional pod selection constraints. Users migrating to private buckets will now find more precise guidance for identifying the correct Kubernetes pod when extracting authentication tokens, ensuring more reliable and accurate token retrieval during the migration process.

[openshift-ci-robot]

@jstuever: This pull request references CCO-711 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Previously, a validation step in sts-migrate-to-private-bucket.md fetched the name of the CAPI pod from the cluster. However, it was fetching more than the desired pod, which caused a followup command to fail.

This change adds additional filters to the command fetching the pod in order to ensure it is only fetching the desired pod. As a result, the followup command will now succeed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This change updates documentation for STS migration by adding an additional Kubernetes label selector (k8s-app=controller) to refine pod selection criteria when extracting the web identity token from the openshift-machine-api pod.

Changes

Cohort / File(s)	Summary
Documentation Update docs/sts-migrate-to-private-bucket.md	Added a Kubernetes label constraint to narrow the pod selection when executing oc exec commands for token extraction.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: improving the filter for fetching the CAPI pod, which aligns with the changeset that adds a Kubernetes label constraint to narrow pod selection.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only markdown documentation without Ginkgo test code or test names, making the custom check not applicable.
Test Structure And Quality	✅ Passed	PR modifies only documentation (sts-migrate-to-private-bucket.md), not Ginkgo test code.
Microshift Test Compatibility	✅ Passed	PR contains only documentation changes to docs/sts-migrate-to-private-bucket.md. No new Ginkgo e2e tests are added or modified, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only a documentation file and does not add any Ginkgo e2e tests, making the check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only documentation (markdown file) without adding or modifying deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check validates executable binaries don't emit non-JSON stdout. This PR only modifies docs/sts-migrate-to-private-bucket.md, a documentation file.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only markdown documentation file; no Ginkgo e2e tests or Go test code added, so check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jstuever]

/verified by manually, @jstuever

[openshift-ci-robot]

@jstuever: This PR has been marked as verified by manually,@jstuever.

Details

In response to this:

/verified by manually, @jstuever

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

docs/sts-migrate-to-private-bucket.md (1)

122-125: Make pod selection deterministic to prevent intermittent oc exec failures.

Good improvement with the extra label filter, but jsonpath='{.items[*].metadata.name}' can still return multiple pods during rollouts. That can break Line 128 (oc exec ... ${CAPI_POD}) again. Please select exactly one running pod (or fail early with a clear message).

Suggested doc command update

-# Get Controler's pod
-CAPI_POD=$(oc get pods -n openshift-machine-api \
-    -l api=clusterapi \
-    -l k8s-app=controller \
-    -o jsonpath='{.items[*].metadata.name}')
+# Get Controller pod (single running pod)
+CAPI_POD=$(oc get pods -n openshift-machine-api \
+    -l api=clusterapi \
+    -l k8s-app=controller \
+    --field-selector=status.phase=Running \
+    -o jsonpath='{.items[0].metadata.name}')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/sts-migrate-to-private-bucket.md` around lines 122 - 125, The pod
selection can return multiple names and break the later oc exec using
${CAPI_POD}; change the oc get pods command that sets CAPI_POD to pick exactly
one running pod (or fail fast) by filtering items for status.phase == "Running"
and selecting the first match, and add a short check after assignment that
verifies CAPI_POD is non-empty and contains exactly one pod name (or prints a
clear error and exits), so locate the CAPI_POD assignment and the subsequent oc
exec usage and implement the deterministic selection + validation there.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/sts-migrate-to-private-bucket.md`:
- Around line 122-125: The pod selection can return multiple names and break the
later oc exec using ${CAPI_POD}; change the oc get pods command that sets
CAPI_POD to pick exactly one running pod (or fail fast) by filtering items for
status.phase == "Running" and selecting the first match, and add a short check
after assignment that verifies CAPI_POD is non-empty and contains exactly one
pod name (or prints a clear error and exits), so locate the CAPI_POD assignment
and the subsequent oc exec usage and implement the deterministic selection +
validation there.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: d1c58448-e8ee-4d33-ad7c-5e87dcda1cee

📥 Commits

Reviewing files that changed from the base of the PR and between 374560d and 2abf67e.

📒 Files selected for processing (1)

• docs/sts-migrate-to-private-bucket.md

[jstuever]

/assign @dlom

[dlom]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dlom,jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@jstuever: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[damdo]

@jstuever I was reading PRs and just noticed this. Which is fine as a change per se.

This is called CAPI_POD but I suspect this is in reality MAPI, and the api=clusterapi bit is because of legacy reasons where MAPI has been forked out of upstream CAPI originally.

I'd maybe rename CAPI_POD to MAPI_POD or something, and maybe add a comment to explain this