✨ support join a cluster via grpc

[zhiweiyin318]

Summary

the join command example :
clusteradm join --hub-token <token> --hub-apiserver <hub apiserver> --cluster-name cluster1 --registration-auth=grpc --grpc-server <grpc server>

the managed cluster and hub are the same Kind cluster:
clusteradm join --hub-token <token> --hub-apiserver https://127.0.0.1:35229 --cluster-name cluster1 --registration-auth=grpc --grpc-server cluster-manager-grpc-server.open-cluster-management-hub.svc:8090 --force-internal-endpoint-lookup

Related issue(s)

Fixes #

Summary by CodeRabbit

• New Features
  • Add gRPC support for secure cluster registration and joining; new CLI flags to configure gRPC server and CA (CA can also be sourced from cluster config); examples and help updated.
• Bug Fixes / Improvements
  • Approval flow now accepts CSRs from gRPC-based agents and enforces mutual exclusivity between registration auth types; improved error reporting when waiting for cluster deletion.
• Tests
  • New end-to-end tests validating gRPC-based cluster join and registration.

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

📥 Commits

Reviewing files that changed from the base of the PR and between 339daf8 and c23a4b3.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/LICENSE is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/alias.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/binary_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/event_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/finish_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/format.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/attributes.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/match_exact_version.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/spec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/structured_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/to_event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/transformer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/write.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_http.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_observed.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/defaulters.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/http_receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/invoker.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/observability.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/delegating.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/logger.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/content_type.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/data_content_encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/codec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_interface.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_marshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_unmarshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_validation.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/extensions.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/error.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/abuse_protection.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/headers.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_rate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/retries_result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/utility.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_request.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_responsewriter.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/inbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/outbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/staticcheck.conf is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/allocate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/timestamp.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uri.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uriref.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/value.go is excluded by !vendor/**
• vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/empty/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/golang.org/x/oauth2/authhandler/authhandler.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/appengine.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/default.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/doc.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/error.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/basecredentials.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/executablecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/filecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/header.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/programmaticrefreshcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/urlcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/externalaccountauthorizeduser/externalaccountauthorizeduser.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/impersonate/impersonate.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/clientauth.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/sts_exchange.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/sdk.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jws/jws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jwt/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/mksyscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/syscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**
• vendor/google.golang.org/grpc/credentials/oauth/oauth.go is excluded by !vendor/**
• vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/rotation.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/agentoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/README.md is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.proto is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/gen.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/option.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/protocol.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/write_message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/sourceoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types/types.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/healthcheck.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/heartbeat.go is excluded by !vendor/**

📒 Files selected for processing (8)

• go.mod (3 hunks)
• pkg/cmd/accept/exec.go (2 hunks)
• pkg/cmd/join/cmd.go (2 hunks)
• pkg/cmd/join/exec.go (11 hunks)
• pkg/cmd/join/options.go (2 hunks)
• pkg/config/env.go (1 hunks)
• test/e2e/clusteradm/joinhubscenario_grpc_test.go (1 hunks)
• test/e2e/util/helper.go (1 hunks)

 _____________________________________________________________________________________________________________________
< The average user doesn't give a damn what happens, as long as (1) it works and (2) it's fast. - Daniel J. Bernstein >
 ---------------------------------------------------------------------------------------------------------------------
  \
   \   (\__/)
       (•ㅅ•)
       / 　 づ

Walkthrough

Adds gRPC-based registration support: new CLI flags and Options fields for gRPC server/CA, CA data sourcing and injection into klusterlet chart, CSR approval extended to accept gRPC signer identities/groups, a new config constant, indirect go.mod dependencies, and a new e2e gRPC join test.

Changes

Cohort / File(s)	Change Summary
Module dependencies go.mod	Added indirect module requirements: cloud.google.com/go/compute/metadata v0.5.0, github.com/cloudevents/sdk-go/v2 v2.16.2, github.com/golang/protobuf v1.5.4
Join command flags & options pkg/cmd/join/cmd.go, pkg/cmd/join/options.go	Added CLI flags --grpc-server and --grpc-ca-file; Options gains fields grpcServer, grpcCAFile, grpcCAData; renamed HubCADate → HubCAData
Join execution & gRPC integration pkg/cmd/join/exec.go	Renamed OperatorNamesapce → OperatorNamespace; added unexported methods setGRPCConfig() and getGRPCCAData() to load/marshal GRPC CA data and inject GRPCConfig into klusterlet chart values; wired grpcServer into complete/validate flows and set RegistrationDriver to GRPC when configured; updated CA data usages to HubCAData
CSR approval logic pkg/cmd/accept/exec.go	Added unexported constants for gRPC serviceaccount and group; expanded CSR approval checks to accept CSRs whose username/group indicate gRPC-based signer identities
Config constants pkg/config/env.go	Added exported constant CABundleConfigMap = ca-bundle-configmap
End-to-end tests test/e2e/clusteradm/joinhubscenario_grpc_test.go	New e2e test for joining a hub via gRPC: hub setup, enable ManagedClusterAutoApproval, configure GRPC registration driver and server exposure, join managed cluster using grpc-server, verify Klusterlet registration uses GRPC auth type, wait for ManagedCluster availability

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Areas needing extra attention:
  • pkg/cmd/join/exec.go: CA data precedence (file vs ConfigMap), YAML marshaling of GRPCConfig, injection into chart values, and renamed identifiers (OperatorNamespace, HubCAData).
  • pkg/cmd/accept/exec.go: CSR username/group checks to ensure gRPC identities are accepted without unintentionally widening approval scope.
  • test/e2e/clusteradm/joinhubscenario_grpc_test.go: test stability, timing, and correctness of assertions for GRPC registration behavior.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title ":sparkles: support join a cluster via grpc" directly and clearly describes the main change in the pull request. The raw_summary shows that the changeset adds gRPC support across multiple files including new CLI flags (--grpc-server, --grpc-ca-file), gRPC integration methods, validation logic, and end-to-end tests. The title accurately captures this feature addition without being vague or overly broad, and a teammate reviewing the history would immediately understand that this PR adds gRPC as a join mechanism for clusters.
Description Check	✅ Passed	The PR description includes both required template sections: a Summary section that provides concrete command examples demonstrating how to use the new gRPC join functionality (including both basic and Kind cluster examples), and a "Related issue(s)" section. While the issue reference number is left blank rather than filled in, the Summary section provides meaningful information about the feature, making the description mostly complete per the guidelines. The description effectively communicates the new capability being added by the pull request.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

pkg/cmd/join/exec.go (1)

51-53: Minor: import alias for clarity

Even with the type fix, aliasing the cloudevents grpc options import improves readability and avoids future name conflicts:

- "open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc"
+ cegrpc "open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c67ac4c and f515086.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/LICENSE is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/alias.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/binary_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/event_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/finish_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/format.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/attributes.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/match_exact_version.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/spec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/structured_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/to_event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/transformer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/write.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_http.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_observed.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/defaulters.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/http_receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/invoker.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/observability.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/delegating.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/logger.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/content_type.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/data_content_encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/codec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_interface.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_marshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_unmarshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_validation.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/extensions.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/error.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/abuse_protection.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/headers.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_rate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/retries_result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/utility.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_request.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_responsewriter.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/inbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/outbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/staticcheck.conf is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/allocate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/timestamp.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uri.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uriref.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/value.go is excluded by !vendor/**
• vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/empty/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/golang.org/x/oauth2/authhandler/authhandler.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/appengine.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/default.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/doc.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/error.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/basecredentials.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/executablecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/filecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/header.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/programmaticrefreshcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/urlcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/externalaccountauthorizeduser/externalaccountauthorizeduser.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/impersonate/impersonate.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/clientauth.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/sts_exchange.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/sdk.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jws/jws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jwt/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/mksyscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/syscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**
• vendor/google.golang.org/grpc/credentials/oauth/oauth.go is excluded by !vendor/**
• vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/rotation.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/agentoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/README.md is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.proto is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/gen.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/option.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/protocol.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/write_message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/sourceoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types/types.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/healthcheck.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/heartbeat.go is excluded by !vendor/**

📒 Files selected for processing (7)

• go.mod (3 hunks)
• pkg/cmd/accept/exec.go (2 hunks)
• pkg/cmd/join/cmd.go (1 hunks)
• pkg/cmd/join/exec.go (10 hunks)
• pkg/cmd/join/options.go (2 hunks)
• pkg/config/env.go (1 hunks)
• test/e2e/clusteradm/joinhubscenario_grpc_test.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (4)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (7)

• ClusterManager (18-29)
• RegistrationHubConfiguration (99-123)
• RegistrationDriverHub (144-164)
• GRPCAuthType (131-131)
• GRPCRegistrationConfig (254-258)
• ServerConfiguration (166-176)
• EndpointExposure (178-195)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (3)

• RegistrationConfiguration (133-189)
• Klusterlet (19-28)
• RegistrationDriver (207-217)

test/e2e/util/helper.go (1)

• WaitClusterManagerApplied (168-208)

vendor/open-cluster-management.io/api/cluster/v1/types.go (1)

• ManagedClusterConditionAvailable (232-232)

pkg/cmd/join/exec.go (7)

vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/render.go (1)

• RenderKlusterletChart (56-62)

pkg/cmd/join/options.go (1)

• Options (13-117)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go (1)

• GRPCConfig (122-139)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go (1)

• CertConfig (29-44)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (2)

• Klusterlet (19-28)
• RegistrationDriver (207-217)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (1)

• GRPCAuthType (131-131)

pkg/config/env.go (2)

• HubClusterNamespace (15-15)
• CABundleConfigmap (19-19)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: e2e-test

🔇 Additional comments (6)

go.mod (1)

43-43: Review comment contains incorrect assumptions about the dependencies; no fixes required.

The script output confirms that the flagged dependencies are legitimate:

1. cloud.google.com/go/compute/metadata is a transitive dependency from golang.org/x/oauth2, not a direct GCP-specific addition. It appears only in the OAuth2 Google provider code, which is standard authentication infrastructure for any cloud platform.

2. cloudevents/sdk-go/v2 is actively used in the project code (pkg/cmd/join/exec.go imports it via open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc). It's core infrastructure for the gRPC protocol implementation, not over-scoped bloat.

3. golang/protobuf v1.5.4 coexisting with the modern version is normal transitive dependency behavior.

All three dependencies serve legitimate purposes and should remain in go.mod.

Likely an incorrect or invalid review comment.

test/e2e/clusteradm/joinhubscenario_grpc_test.go (1)

4-16: Ignore this review comment; the code does not have the described issues.

The variables e2e, operatorClient, and clusterClient are package-level globals declared in e2e_suite_test.go (lines 26, 35, and 32 respectively) and initialized in the BeforeSuite() hook. They are accessible throughout all tests in the clusteradme2e package without any import or re-declaration.

The proposed import path "open-cluster-management.io/clusteradm/test/e2e" does not correspond to an actual package—no package e2e exists in the codebase. The test uses the suite-level setup pattern where globals are initialized once and reused across tests.

The minor redundancy at line 98 (creating managedClusterOperatorClient) is unnecessary but does not constitute a breaking issue.

Likely an incorrect or invalid review comment.

pkg/cmd/join/exec.go (4)

410-410: Namespace constant usage LGTM

Consistent use of OperatorNamespace for chart rendering, Deployment lookup, and Pod watch is correct and improves maintainability.

Also applies to: 472-472, 565-565

---

216-221: GRPC CA fetch placement LGTM; verify RBAC in typical joins

Fetching the GRPC CA using the insecure bootstrap client is reasonable. With the resilience fix above, joins won’t fail if the ConfigMap is unreadable. Please confirm your bootstrap token has list/get on the target ConfigMap in common setups, or expect the fallback path.

---

679-682: HubCAData usage LGTM

Directly setting CertificateAuthorityData when --ca-file is provided is correct and matches the earlier flow.

---

294-298: Verification confirmed—no issues found

The code changes are sound:

• KlusterletChartConfig includes a GRPCConfig string field (line 70)
• setGRPCConfig() properly marshals the gRPC configuration and populates o.klusterletChartConfig.GRPCConfig on line 746
• The field is consumed as part of the chart configuration object used for rendering

The wiring is correct and the call sequence is appropriate.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (1)

70-70: Consider using constants for the auto-approved identity and gRPC server address.

The hardcoded service account identity and gRPC server address work for the current test but could be fragile if service naming changes. Consider defining these as test constants or deriving them from the namespace constants already in use.

Also applies to: 97-97

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f515086 and 7885b42.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/LICENSE is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/alias.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/binary_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/event_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/finish_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/format.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/attributes.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/match_exact_version.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/spec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/structured_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/to_event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/transformer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/write.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_http.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_observed.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/defaulters.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/http_receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/invoker.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/observability.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/delegating.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/logger.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/content_type.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/data_content_encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/codec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_interface.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_marshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_unmarshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_validation.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/extensions.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/error.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/abuse_protection.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/headers.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_rate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/retries_result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/utility.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_request.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_responsewriter.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/inbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/outbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/staticcheck.conf is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/allocate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/timestamp.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uri.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uriref.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/value.go is excluded by !vendor/**
• vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/empty/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/golang.org/x/oauth2/authhandler/authhandler.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/appengine.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/default.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/doc.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/error.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/basecredentials.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/executablecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/filecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/header.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/programmaticrefreshcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/urlcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/externalaccountauthorizeduser/externalaccountauthorizeduser.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/impersonate/impersonate.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/clientauth.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/sts_exchange.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/sdk.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jws/jws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jwt/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/mksyscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/syscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**
• vendor/google.golang.org/grpc/credentials/oauth/oauth.go is excluded by !vendor/**
• vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/rotation.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/agentoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/README.md is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.proto is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/gen.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/option.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/protocol.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/write_message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/sourceoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types/types.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/healthcheck.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/heartbeat.go is excluded by !vendor/**

📒 Files selected for processing (7)

• go.mod (3 hunks)
• pkg/cmd/accept/exec.go (2 hunks)
• pkg/cmd/join/cmd.go (1 hunks)
• pkg/cmd/join/exec.go (10 hunks)
• pkg/cmd/join/options.go (2 hunks)
• pkg/config/env.go (1 hunks)
• test/e2e/clusteradm/joinhubscenario_grpc_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (5)

• pkg/config/env.go
• go.mod
• pkg/cmd/accept/exec.go
• pkg/cmd/join/cmd.go
• pkg/cmd/join/options.go

🧰 Additional context used

🧬 Code graph analysis (2)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (4)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (7)

• ClusterManager (18-29)
• RegistrationHubConfiguration (99-123)
• RegistrationDriverHub (144-164)
• GRPCAuthType (131-131)
• GRPCRegistrationConfig (254-258)
• ServerConfiguration (166-176)
• EndpointExposure (178-195)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (3)

• RegistrationConfiguration (133-189)
• Klusterlet (19-28)
• RegistrationDriver (207-217)

test/e2e/util/helper.go (1)

• WaitClusterManagerApplied (168-208)

vendor/open-cluster-management.io/api/cluster/v1/types.go (1)

• ManagedClusterConditionAvailable (232-232)

pkg/cmd/join/exec.go (6)

vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/render.go (1)

• RenderKlusterletChart (56-62)

pkg/cmd/join/options.go (1)

• Options (13-117)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go (1)

• GRPCConfig (122-139)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go (2)

• CertConfig (29-44)
• Bytes (9-9)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (1)

• GRPCAuthType (131-131)

pkg/config/env.go (2)

• HubClusterNamespace (15-15)
• CABundleConfigMap (19-19)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: e2e-test
• GitHub Check: unit-test
• GitHub Check: verify

🔇 Additional comments (6)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (1)

18-139: LGTM! Comprehensive e2e test for gRPC join flow.

The test properly validates the complete gRPC registration flow: hub initialization, feature gate enablement, gRPC registration driver configuration, join command execution, and managed cluster availability verification. The test structure follows BDD best practices with proper setup/teardown.

pkg/cmd/join/exec.go (5)

40-40: LGTM! Import additions and typo fix.

The new imports support gRPC configuration functionality, and the alias sdkgrpc properly avoids potential naming conflicts. The constant rename from OperatorNamesapce to OperatorNamespace fixes a typo.

Also applies to: 51-52, 58-58

---

728-751: LGTM! GRPC configuration properly marshaled and injected.

The method correctly constructs the gRPC configuration with CA data, URL, and token, marshals it to YAML, and injects it into the klusterlet chart configuration. The type conversion cert.Bytes(o.grpcCAData) properly handles the CA data type mismatch noted in previous reviews.

---

195-195: LGTM! Field rename from HubCADate to HubCAData.

The typo fix is consistently applied across all usages of the hub CA data field.

Also applies to: 679-681

---

410-410: LGTM! Consistent usage of corrected OperatorNamespace constant.

All references properly use the renamed constant.

Also applies to: 472-472, 565-565

---

766-774: Missing ConfigMap key validation is a valid concern, but the resilience requirement needs verification.

The code directly accesses cm.Data["ca-bundle.crt"] without checking if the key exists. While Go won't panic (returns empty string), this is poor defensive programming. However, the core claim in the review—that a "previous review suggested non-fatal handling"—cannot be verified in the codebase (no such comment or evidence found).

What is confirmed:

• The mergeCertificateData() function (line 776+) explicitly handles empty CA bundles, suggesting the system architecture supports graceful degradation with missing/empty CA data
• The caller at line 217 treats errors as fatal (returns immediately)
• gRPC itself is optional (guarded by if o.grpcServer != "")

What needs clarification:

• Whether the CA bundle ConfigMap is guaranteed to exist in your environment
• Whether the join operation should fail hard or proceed with empty CA data when the ConfigMap is unavailable or missing the key
• Whether the suggested diff aligns with intended failure semantics

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/cmd/join/options.go (1)

28-30: Consider referencing the constant in the comment.

The comment mentions "configmap ca-bundle-configmap" but the actual constant config.CABundleConfigMap (defined in pkg/config/env.go and used in exec.go:771) should be referenced for maintainability. This prevents drift if the ConfigMap name changes.

Apply this diff:

-	// The grpc ca file which can be found in the configmap ca-bundle-configmap in open-cluster-management-hub ns
+	// The gRPC CA file (can be found in the ConfigMap config.CABundleConfigMap in the hub namespace)
 	grpcCAFile string

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7885b42 and a3fac9f.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/LICENSE is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/alias.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/binary_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/event_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/finish_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/format.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/attributes.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/match_exact_version.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/spec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/structured_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/to_event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/transformer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/write.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_http.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_observed.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/defaulters.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/http_receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/invoker.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/observability.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/delegating.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/logger.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/content_type.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/data_content_encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/codec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_interface.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_marshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_unmarshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_validation.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/extensions.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/error.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/abuse_protection.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/headers.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_rate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/retries_result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/utility.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_request.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_responsewriter.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/inbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/outbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/staticcheck.conf is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/allocate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/timestamp.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uri.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uriref.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/value.go is excluded by !vendor/**
• vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/empty/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/golang.org/x/oauth2/authhandler/authhandler.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/appengine.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/default.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/doc.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/error.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/basecredentials.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/executablecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/filecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/header.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/programmaticrefreshcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/urlcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/externalaccountauthorizeduser/externalaccountauthorizeduser.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/impersonate/impersonate.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/clientauth.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/sts_exchange.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/sdk.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jws/jws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jwt/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/mksyscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/syscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**
• vendor/google.golang.org/grpc/credentials/oauth/oauth.go is excluded by !vendor/**
• vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/rotation.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/agentoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/README.md is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.proto is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/gen.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/option.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/protocol.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/write_message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/sourceoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types/types.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/healthcheck.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/heartbeat.go is excluded by !vendor/**

📒 Files selected for processing (7)

• go.mod (3 hunks)
• pkg/cmd/accept/exec.go (2 hunks)
• pkg/cmd/join/cmd.go (1 hunks)
• pkg/cmd/join/exec.go (11 hunks)
• pkg/cmd/join/options.go (2 hunks)
• pkg/config/env.go (1 hunks)
• test/e2e/clusteradm/joinhubscenario_grpc_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (5)

• go.mod
• pkg/cmd/accept/exec.go
• pkg/config/env.go
• pkg/cmd/join/cmd.go
• test/e2e/clusteradm/joinhubscenario_grpc_test.go

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/cmd/join/exec.go (6)

pkg/cmd/join/options.go (1)

• Options (13-117)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go (1)

• GRPCConfig (122-139)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go (2)

• CertConfig (29-44)
• Bytes (9-9)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (2)

• Klusterlet (19-28)
• RegistrationDriver (207-217)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (1)

• GRPCAuthType (131-131)

pkg/config/env.go (2)

• HubClusterNamespace (15-15)
• CABundleConfigMap (19-19)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: e2e-test
• GitHub Check: verify
• GitHub Check: unit-test

🔇 Additional comments (2)

pkg/cmd/join/exec.go (2)

338-340: LGTM!

The validation correctly prevents conflicting registration methods. The check ensures users cannot configure both --grpc-server and --registration-auth=awsirsa simultaneously, and the error message clearly explains the constraint.

---

732-755: LGTM!

The gRPC configuration logic is well-structured:

• Early return when gRPC is not configured
• Proper type conversion using cert.Bytes()
• Clear error messages on marshal failure
• Correctly sets the registration driver to GRPCAuthType

[zhiweiyin318]

/assign @qiujian16
/assign @skeeey

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/cmd/join/exec.go (2)

189-196: Add empty-file guard for --ca-file (parity with gRPC CA checks)

Mirror the robustness you added for --grpc-ca-file by rejecting an empty --ca-file to prevent confusing TLS failures.

   if o.caFile != "" {
     cabytes, err := os.ReadFile(o.caFile)
     if err != nil {
       return err
     }
+    if len(cabytes) == 0 {
+      return fmt.Errorf("--ca-file %q is empty", o.caFile)
+    }
     o.HubCAData = cabytes
   }

---

745-749: Prefer error wrapping with %w

Wrap the marshal error to preserve cause.

-    return fmt.Errorf("failed to marshal GRPC server configuration. %v", err)
+    return fmt.Errorf("failed to marshal GRPC server configuration: %w", err)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a3fac9f and 8de6ad7.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/LICENSE is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/alias.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/binary_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/event_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/finish_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/format.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/attributes.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/match_exact_version.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/spec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/structured_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/to_event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/transformer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/write.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_http.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_observed.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/defaulters.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/http_receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/invoker.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/observability.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/delegating.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/logger.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/content_type.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/data_content_encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/codec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_interface.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_marshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_unmarshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_validation.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/extensions.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/error.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/abuse_protection.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/headers.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_rate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/retries_result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/utility.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_request.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_responsewriter.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/inbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/outbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/staticcheck.conf is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/allocate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/timestamp.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uri.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uriref.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/value.go is excluded by !vendor/**
• vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/empty/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/golang.org/x/oauth2/authhandler/authhandler.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/appengine.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/default.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/doc.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/error.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/basecredentials.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/executablecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/filecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/header.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/programmaticrefreshcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/urlcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/externalaccountauthorizeduser/externalaccountauthorizeduser.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/impersonate/impersonate.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/clientauth.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/sts_exchange.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/sdk.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jws/jws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jwt/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/mksyscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/syscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**
• vendor/google.golang.org/grpc/credentials/oauth/oauth.go is excluded by !vendor/**
• vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/rotation.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/agentoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/README.md is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.proto is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/gen.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/option.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/protocol.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/write_message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/sourceoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types/types.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/healthcheck.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/heartbeat.go is excluded by !vendor/**

📒 Files selected for processing (7)

• go.mod (3 hunks)
• pkg/cmd/accept/exec.go (2 hunks)
• pkg/cmd/join/cmd.go (1 hunks)
• pkg/cmd/join/exec.go (11 hunks)
• pkg/cmd/join/options.go (2 hunks)
• pkg/config/env.go (1 hunks)
• test/e2e/clusteradm/joinhubscenario_grpc_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/cmd/accept/exec.go
• pkg/cmd/join/options.go
• pkg/cmd/join/cmd.go

🧰 Additional context used

🧬 Code graph analysis (2)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (4)

test/e2e/util/helper.go (2)

• WaitClustersDeleted (103-127)
• WaitClusterManagerApplied (168-208)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (8)

• ClusterManager (18-29)
• RegistrationHubConfiguration (99-123)
• FeatureGateModeTypeEnable (330-330)
• RegistrationDriverHub (144-164)
• GRPCAuthType (131-131)
• GRPCRegistrationConfig (254-258)
• ServerConfiguration (166-176)
• EndpointExposure (178-195)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (3)

• RegistrationConfiguration (133-189)
• Klusterlet (19-28)
• RegistrationDriver (207-217)

vendor/open-cluster-management.io/api/cluster/v1/types.go (1)

• ManagedClusterConditionAvailable (232-232)

pkg/cmd/join/exec.go (7)

vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/render.go (1)

• RenderKlusterletChart (56-62)

pkg/cmd/join/options.go (1)

• Options (13-117)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go (1)

• GRPCConfig (122-139)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go (2)

• CertConfig (29-44)
• Bytes (9-9)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (2)

• Klusterlet (19-28)
• RegistrationDriver (207-217)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (1)

• GRPCAuthType (131-131)

pkg/config/env.go (2)

• HubClusterNamespace (15-15)
• CABundleConfigMap (19-19)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: e2e-test
• GitHub Check: verify
• GitHub Check: unit-test

🔇 Additional comments (11)

pkg/config/env.go (1)

19-19: LGTM: new ConfigMap constant

CABundleConfigMap reads well and follows Go/Kubernetes casing. Callers now use a single source of truth.

pkg/cmd/join/exec.go (9)

40-40: Good: cohesive imports and grpc aliasing

Importing config and aliasing the SDK gRPC options avoids collisions with google.golang.org/grpc and keeps env constants centralized.

Also applies to: 51-53

---

57-59: Namespace constants cleanup looks good

AgentNamespacePrefix and OperatorNamespace remove prior misspellings and magic strings.

---

216-220: Gating GRPC CA lookup is correct

Only fetching CA when --grpc-server is set keeps the path minimal for non‑gRPC joins.

---

294-297: LGTM: GRPC config wiring in validate()

Populating chart values during validate keeps run() lean.

---

338-340: Good guard against conflicting registration methods

Early validation avoids silent overrides between awsirsa and grpc.

---

414-414: Consistent use of OperatorNamespace

Using the constant in chart rendering, deployment and pod watches improves portability.

Also applies to: 476-477, 569-570

---

683-686: Direct HubCAData assignment is fine

Honors explicit --ca-file before attempting discovery.

---

757-783: GRPC CA retrieval is solid

Clear errors for unreadable files; validates ConfigMap key presence and non-empty bundle. Nice.

---

732-753: Token correctly stored in Secret and not logged—verification successful

The token in GRPCConfig is properly handled:

• Stored in a Kubernetes Secret resource at data.config.yaml with base64 encoding (bootstrap_kubeconfig_secret.yaml)
• Not logged or printed in the code path (no logging detected around the marshaling and chart config assignment)
• Token is only included in the YAML string assigned to the chart configuration, which is then base64-encoded by the Helm template before storage in the Secret

go.mod (1)

43-43: No action needed—all indirects are verified as necessary.

The go mod why output confirms these are legitimate, non-transient dependencies:

• cloud.google.com/go/compute/metadata is required by google.golang.org/grpc/credentials/oauth
• github.com/cloudevents/sdk-go/v2 is required by open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc
• github.com/golang/protobuf is required by open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1

The go mod tidy command completed successfully and retained all three, confirming they are not dead code or experimental cruft.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/cmd/accept/exec.go (1)

146-151: Tighten CSR requester checks: use equality for SA usernames (security)

Using HasPrefix for SA usernames can approve unintended SAs. Keep prefix check only for system:bootstrap:, and use exact equality for SA names.

Apply:

-           if !strings.HasPrefix(item.Spec.Username, userNameSignatureBootstrapPrefix) &&
-               !strings.HasPrefix(item.Spec.Username, userNameSignatureSA) &&
-               !strings.HasPrefix(item.Spec.Username, userNameGRPCSignatureSA) {
+           if !(strings.HasPrefix(item.Spec.Username, userNameSignatureBootstrapPrefix) ||
+                item.Spec.Username == userNameSignatureSA ||
+                item.Spec.Username == userNameGRPCSignatureSA) {
                continue
            }

🧹 Nitpick comments (2)

pkg/cmd/join/options.go (1)

22-23: Comment nits: prefer “gRPC”, reference constants to avoid drift

Use “gRPC” casing and refer to config constants in comments.

-   // The grpc server of the hub cluster
+   // The gRPC server of the hub cluster
@@
-   // The grpc ca file which can be found in the configmap ca-bundle-configmap in open-cluster-management-hub ns
+   // The gRPC CA file (can be sourced from ConfigMap config.CABundleConfigMap in config.HubClusterNamespace)

Also applies to: 28-30

pkg/cmd/join/exec.go (1)

737-747: Minor naming polish: use grpcConfig for local var

Pure readability; no behavior change.

-   gRPCConfig := sdkgrpc.GRPCConfig{
+   grpcConfig := sdkgrpc.GRPCConfig{
@@
-   configStr, err := yaml.Marshal(gRPCConfig)
+   configStr, err := yaml.Marshal(grpcConfig)

Also applies to: 750-751

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8de6ad7 and 2139461.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/LICENSE is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/alias.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/binary_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/event_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/finish_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/format.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/attributes.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/match_exact_version.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/spec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/structured_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/to_event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/transformer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/write.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_http.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_observed.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/defaulters.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/http_receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/invoker.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/observability.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/delegating.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/logger.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/content_type.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/data_content_encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/codec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_interface.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_marshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_unmarshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_validation.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/extensions.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/error.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/abuse_protection.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/headers.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_rate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/retries_result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/utility.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_request.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_responsewriter.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/inbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/outbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/staticcheck.conf is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/allocate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/timestamp.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uri.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uriref.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/value.go is excluded by !vendor/**
• vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/empty/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/golang.org/x/oauth2/authhandler/authhandler.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/appengine.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/default.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/doc.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/error.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/basecredentials.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/executablecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/filecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/header.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/programmaticrefreshcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/urlcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/externalaccountauthorizeduser/externalaccountauthorizeduser.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/impersonate/impersonate.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/clientauth.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/sts_exchange.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/sdk.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jws/jws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jwt/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/mksyscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/syscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**
• vendor/google.golang.org/grpc/credentials/oauth/oauth.go is excluded by !vendor/**
• vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/rotation.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/agentoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/README.md is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.proto is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/gen.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/option.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/protocol.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/write_message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/sourceoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types/types.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/healthcheck.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/heartbeat.go is excluded by !vendor/**

📒 Files selected for processing (7)

• go.mod (3 hunks)
• pkg/cmd/accept/exec.go (2 hunks)
• pkg/cmd/join/cmd.go (1 hunks)
• pkg/cmd/join/exec.go (11 hunks)
• pkg/cmd/join/options.go (2 hunks)
• pkg/config/env.go (1 hunks)
• test/e2e/clusteradm/joinhubscenario_grpc_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• go.mod
• pkg/cmd/join/cmd.go

🧰 Additional context used

🧬 Code graph analysis (2)

pkg/cmd/join/exec.go (6)

vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/render.go (1)

• RenderKlusterletChart (56-62)

pkg/cmd/join/options.go (1)

• Options (13-117)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go (1)

• GRPCConfig (122-139)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go (2)

• CertConfig (29-44)
• Bytes (9-9)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (1)

• GRPCAuthType (131-131)

pkg/config/env.go (2)

• HubClusterNamespace (15-15)
• CABundleConfigMap (19-19)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (4)

test/e2e/util/helper.go (2)

• WaitClustersDeleted (103-127)
• WaitClusterManagerApplied (168-208)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (7)

• ClusterManager (18-29)
• RegistrationHubConfiguration (99-123)
• RegistrationDriverHub (144-164)
• GRPCAuthType (131-131)
• GRPCRegistrationConfig (254-258)
• ServerConfiguration (166-176)
• EndpointExposure (178-195)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (3)

• RegistrationConfiguration (133-189)
• Klusterlet (19-28)
• RegistrationDriver (207-217)

vendor/open-cluster-management.io/api/cluster/v1/types.go (1)

• ManagedClusterConditionAvailable (232-232)

🔇 Additional comments (4)

pkg/config/env.go (1)

19-19: LGTM: well-named constant

CABundleConfigMap matches Go/Kubernetes naming and is referenced correctly elsewhere.

pkg/cmd/accept/exec.go (1)

31-34: LGTM: GRPC SA and group constants

New identifiers align with namespace and RBAC conventions.

pkg/cmd/join/exec.go (1)

51-53: LGTM: GRPC config injection, CA handling, and OperatorNamespace integration

• Correct aliasing and type conversion (cert.Bytes) prevent type mismatch.
• getGRPCCAData properly validates file read and ConfigMap key presence.
• OperatorNamespace use centralizes lookups and rendering.

Also applies to: 56-59, 732-755, 757-783

pkg/cmd/join/options.go (1)

22-30: Flag bindings verified—no issues found

The shell script output confirms that both grpcServer and grpcCAFile fields are properly bound to their corresponding CLI flags (cmd.go:91-92) and actively used throughout exec.go. The implementation is correct.

[skeeey]

when using grpc, we may check if (registrationAuth == "grpc" && o.grpcServer == "") ?

[skeeey]

and grpc ca is also required, right?

[zhiweiyin318]

only need grpcServer=<grpc server>

[skeeey]

OK, this is the join process, the ca is not need

[zhiweiyin318]

the ca is retrieved from the ca bundle configmap on the hub cluster if --grpc-ca-file is not set .

[skeeey]

we don't need the --registration-auth=grpc?

[zhiweiyin318]

I will set Klusterlet.RegistrationConfiguration.RegistrationDriver.AuthType = grpc when --grpc-server is set.
looks like--registration-auth=grpcis not needed .

[qiujian16]

I think we should --registration-auth=grpc and validate --grpc-server when driver is grpc. This could have a consistent behavior comparing to --registration-auth=aws-irsa

[zhiweiyin318]

added grpc to --registration-auth .

[qiujian16]

/approve
leave to @skeeey for final review.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16, zhiweiyin318

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [qiujian16]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (3)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (3)

44-91: Critical: Initialize operatorClient before use.

operatorClient is used at lines 47 and 91 but never defined or initialized. This will cause a compilation failure.

Initialize the client after line 42:

 		gomega.Expect(err).NotTo(gomega.HaveOccurred(), "clusteradm init error")
 
+		operatorClient, err := operatorclient.NewForConfig(e2e.Cluster().Hub().KubeConfig())
+		gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
 		ginkgo.By("wait for cluster-manager CR to be created and update cluster-manager to enable grpc")
 		var clusterManager *operatorv1.ClusterManager
 		gomega.Eventually(func() error {

---

9-15: Critical: Add missing clientset imports.

The test references operatorClient and clusterClient but the required imports are missing.

Add these imports:

 import (
 	"context"
 	"fmt"
 	"time"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterclient "open-cluster-management.io/api/client/cluster/clientset/versioned"
+	operatorclient "open-cluster-management.io/api/client/operator/clientset/versioned"
 	clusterapiv1 "open-cluster-management.io/api/cluster/v1"
 	operatorv1 "open-cluster-management.io/api/operator/v1"
 	"open-cluster-management.io/clusteradm/test/e2e/util"
 )

---

121-135: Critical: Initialize clusterClient before use.

clusterClient is used at line 123 but never defined or initialized.

Initialize the client before line 122:

 		ginkgo.By(fmt.Sprintf("wait for cluster %s to become available", e2e.Cluster().Hub().Name()))
+		clusterClient, err := clusterclient.NewForConfig(e2e.Cluster().Hub().KubeConfig())
+		gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
 		gomega.Eventually(func() bool {
 			managedCluster, err := clusterClient.ClusterV1().ManagedClusters().Get(

🧹 Nitpick comments (2)

pkg/cmd/join/exec.go (2)

216-220: Consider optimizing CA fetch to only when GRPC auth is used.

Currently, GRPC CA data is fetched whenever grpcServer is set, even if registrationAuth might be configured for a different auth type later. While not harmful, fetching the CA only when registrationAuth == operatorv1.GRPCAuthType would be more efficient.

Consider moving this check into validate() after the registration auth type is confirmed, or add an early check:

-	if o.grpcServer != "" {
+	if o.registrationAuth == operatorv1.GRPCAuthType {
 		if err = o.getGRPCCAData(externalClientUnSecure); err != nil {
 			return err
 		}
 	}

Note: This requires that registrationAuth be set before calling complete().

---

338-351: Consider explicit validation for conflicting auth configuration flags.

While the current switch validates each auth type's requirements, a user could set --grpc-server with --registration-auth=awsirsa, causing the GRPC flag to be silently ignored. An explicit mutual exclusivity check would improve UX by failing fast with a clear error.

Add validation before the switch:

+	// Validate mutual exclusivity of auth configuration
+	if o.registrationAuth == operatorv1.AwsIrsaAuthType && o.grpcServer != "" {
+		return gherrors.New("cannot specify --grpc-server when --registration-auth=awsirsa")
+	}
+	if o.registrationAuth == operatorv1.GRPCAuthType && o.hubClusterArn != "" {
+		return gherrors.New("cannot specify --hub-cluster-arn when --registration-auth=grpc")
+	}
+
 	switch o.registrationAuth {

This provides clearer error messages when incompatible flags are combined.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2139461 and 339daf8.

⛔ Files ignored due to path filters (151)

• go.sum is excluded by !**/*.sum
• vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**
• vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/LICENSE is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/alias.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/binary_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/event_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/finish_message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/format/format.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/attributes.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/match_exact_version.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/spec/spec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/structured_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/to_event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/transformer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/binding/write.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_http.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/client_observed.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/defaulters.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/http_receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/invoker.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/observability.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/client/receiver.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/delegating.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/logger.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/context/retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/content_type.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/data_content_encoding.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/codec.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/json/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/text/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/datacodec/xml/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_data.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_interface.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_marshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_unmarshal.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_validation.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/event_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v03_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_reader.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/eventcontext_v1_writer.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/event/extensions.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/error.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/abuse_protection.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/context.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/headers.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/message.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/options.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_rate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/protocol_retry.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/retries_result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/utility.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_request.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/http/write_responsewriter.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/inbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/lifecycle.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/outbound.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/protocol/result.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/staticcheck.conf is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/allocate.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/doc.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/timestamp.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uri.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/uriref.go is excluded by !vendor/**
• vendor/github.com/cloudevents/sdk-go/v2/types/value.go is excluded by !vendor/**
• vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**
• vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**
• vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/empty/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/golang.org/x/oauth2/authhandler/authhandler.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/appengine.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/default.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/doc.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/error.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/aws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/basecredentials.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/executablecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/filecredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/header.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/programmaticrefreshcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/externalaccount/urlcredsource.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/google.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/externalaccountauthorizeduser/externalaccountauthorizeduser.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/impersonate/impersonate.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/clientauth.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/internal/stsexchange/sts_exchange.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/google/sdk.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jws/jws.go is excluded by !vendor/**
• vendor/golang.org/x/oauth2/jwt/jwt.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/mksyscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/syscall.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/value.go is excluded by !vendor/**
• vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !vendor/**
• vendor/google.golang.org/grpc/credentials/oauth/oauth.go is excluded by !vendor/**
• vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/modules.txt is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/rotation.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/agentoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/README.md is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent.proto is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/cloudevent_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protobuf/v1/gen.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/option.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/protocol.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/protocol/write_message.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/sourceoptions.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/options.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/types/types.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/healthcheck.go is excluded by !vendor/**
• vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/server/grpc/heartbeat/heartbeat.go is excluded by !vendor/**

📒 Files selected for processing (7)

• go.mod (3 hunks)
• pkg/cmd/accept/exec.go (2 hunks)
• pkg/cmd/join/cmd.go (2 hunks)
• pkg/cmd/join/exec.go (11 hunks)
• pkg/cmd/join/options.go (2 hunks)
• pkg/config/env.go (1 hunks)
• test/e2e/clusteradm/joinhubscenario_grpc_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/cmd/join/cmd.go
• pkg/cmd/join/options.go
• pkg/config/env.go

🧰 Additional context used

🧬 Code graph analysis (2)

test/e2e/clusteradm/joinhubscenario_grpc_test.go (4)

test/e2e/util/helper.go (2)

• WaitClustersDeleted (103-127)
• WaitClusterManagerApplied (168-208)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (8)

• ClusterManager (18-29)
• RegistrationHubConfiguration (99-123)
• FeatureGateModeTypeEnable (330-330)
• RegistrationDriverHub (144-164)
• GRPCAuthType (131-131)
• GRPCRegistrationConfig (254-258)
• ServerConfiguration (166-176)
• EndpointExposure (178-195)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (3)

• RegistrationConfiguration (133-189)
• Klusterlet (19-28)
• RegistrationDriver (207-217)

vendor/open-cluster-management.io/api/cluster/v1/types.go (1)

• ManagedClusterConditionAvailable (232-232)

pkg/cmd/join/exec.go (7)

vendor/open-cluster-management.io/api/operator/v1/types_clustermanager.go (3)

• AwsIrsaAuthType (127-127)
• GRPCAuthType (131-131)
• CSRAuthType (129-129)

vendor/open-cluster-management.io/ocm/pkg/operator/helpers/chart/render.go (1)

• RenderKlusterletChart (56-62)

pkg/cmd/join/options.go (1)

• Options (13-117)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/grpc/options.go (1)

• GRPCConfig (122-139)

vendor/open-cluster-management.io/sdk-go/pkg/cloudevents/generic/options/cert/config.go (2)

• CertConfig (29-44)
• Bytes (9-9)

vendor/open-cluster-management.io/api/operator/v1/types_klusterlet.go (3)

• Klusterlet (19-28)
• RegistrationConfiguration (133-189)
• RegistrationDriver (207-217)

pkg/config/env.go (2)

• HubClusterNamespace (15-15)
• CABundleConfigMap (19-19)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: e2e-test

🔇 Additional comments (7)

go.mod (1)

43-43: LGTM! Indirect dependencies align with GRPC support.

The three new indirect dependencies (cloud.google.com/go/compute/metadata, cloudevents/sdk-go, golang/protobuf) are appropriate transitive dependencies for the GRPC-based registration flow introduced in this PR.

Also applies to: 57-57, 80-80

pkg/cmd/accept/exec.go (2)

31-33: GRPC service account and group constants added correctly.

The new GRPC-specific constants align with the service account and namespace used by the GRPC server on the hub, enabling CSR approval for GRPC-based registrations.

---

147-157: CSR approval extended to support GRPC authentication.

The approval logic now accepts CSRs from GRPC-based registrations by checking for the GRPC service account username prefix and group membership, complementing the existing bootstrap and service account checks. The group validation at lines 154-157 provides an additional authorization layer.

pkg/cmd/join/exec.go (4)

51-52: Good practice: GRPC import aliased to avoid conflicts.

The sdkgrpc alias prevents potential naming collisions with google.golang.org/grpc.

---

57-58: Typo fix: OperatorNamesapce → OperatorNamespace.

Corrects the constant name and updates all usages throughout the file (lines 421, 483, 576).

---

739-762: GRPC configuration marshaling and injection looks correct.

The function properly:

• Returns early when GRPC auth is not selected
• Constructs GRPCConfig with CA data and credentials
• Marshals to YAML for chart injection
• Sets the RegistrationDriver to GRPC auth type

---

764-790: GRPC CA data retrieval is robust and well-validated.

The implementation correctly:

• Reads from --grpc-ca-file if provided, with validation for empty files
• Falls back to fetching from the Hub ConfigMap
• Validates the ConfigMap key exists and contains non-empty data, returning clear errors otherwise

This aligns with the maintainer's requirement to return an error if CA data is missing or empty.

[skeeey]

/lgtm

[zhiweiyin318]

/cherry-pick release-1.1

[openshift-cherrypick-robot]

@zhiweiyin318: new pull request created: #518

In response to this:

/cherry-pick release-1.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.