fix: make account verifier flag enum

[mfrancisc]

Description

Change account verifier flag to enum so it supports: enabled/disabled/log config options

Checks

1. Did you run make generate target? yes

2. Did make generate change anything in other projects (host-operator)? yes

3. In case of new CRD, did you the following? N/A

   • make/generate.mk in this repository
   • resources/setup/roles/host.yaml in the sandbox-sre repository
   • PROJECT file: https://github.com/codeready-toolchain/host-operator/blob/master/PROJECT
   • CSV file: https://github.com/codeready-toolchain/host-operator/blob/master/config/manifests/bases/host-operator.clusterserviceversion.yaml

4. In case other projects are changed, please provides PR links.

   • host-operator: fix: make account verifier flag enum host-operator#1266

Summary by CodeRabbit

• New Features
  • Account verifier configuration now supports operational modes (disabled, log, enabled) instead of a binary toggle. The default mode is log. This enhancement provides more granular control over account verification behavior to align with your deployment requirements.

[coderabbitai]

Walkthrough

The PR migrates RegistrationServiceConfig from a boolean AccountVerifierEnabled field to a string AccountVerifierMode field supporting three discrete modes: disabled, log, and enabled (default log). Type definition, API documentation, deepcopy logic, and OpenAPI schema are all updated consistently.

Changes

Account Verifier Mode Configuration

Layer / File(s)	Summary
Type definition and API reference api/v1alpha1/toolchainconfig_types.go, api/v1alpha1/docs/apiref.adoc	RegistrationServiceConfig replaces AccountVerifierEnabled *bool with AccountVerifierMode *string, adding kubebuilder enum validation for disabled, log, and enabled modes. API documentation describes the new field and its default value.
Generated deepcopy and OpenAPI schema api/v1alpha1/zz_generated.deepcopy.go, api/v1alpha1/zz_generated.openapi.go	DeepCopyInto method and OpenAPI schema properties automatically updated to deep-copy and document the new AccountVerifierMode string field instead of the removed boolean field.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

feature

Suggested reviewers

• MatousJobanek
• metlos

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: converting a boolean account verifier flag to an enum.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	PR description covers the main objective and addresses most template requirements, but lacks detail on host-operator PR link.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/v1alpha1/toolchainconfig_types.go`:
- Around line 265-270: The API field rename removed AccountVerifierEnabled and
introduced AccountVerifierMode, which is out-of-sync with downstream repos
(e.g., references in toolchain-common and host-operator); restore compatibility
by either reintroducing the old pointer field AccountVerifierEnabled (keeping it
deprecated) or add a conversion/validation path that maps between
AccountVerifierEnabled and AccountVerifierMode in the API types (update the
struct in api/v1alpha1/toolchainconfig_types.go and implement conversion logic
or defaulting so callers using AccountVerifierEnabled still work), and update
CRD generation and unit/test helpers used by
codeready-toolchain/toolchain-common and codeready-toolchain/host-operator to
use the new field or the compatibility layer.
- Around line 265-270: Add a kubebuilder default annotation for
AccountVerifierMode so the CRD/OpenAPI schema reflects the documented default
"log": add the comment directive `+kubebuilder:default=log` above the
AccountVerifierMode field in the ToolchainConfig struct (the symbol is
AccountVerifierMode in api/v1alpha1/toolchainconfig_types.go), then regenerate
the CRD/OpenAPI (controller-gen/codegen) so zz_generated.openapi.go includes
Default: "log".

In `@api/v1alpha1/zz_generated.openapi.go`:
- Around line 2661-2665: The change replaced the boolean
RegistrationServiceOption.AccountVerifierEnabled /
registrationService.accountVerifierEnabled with a string enum
accountVerifierMode (values "disabled"|"log"|"enabled"), causing downstream CRD
and test helpers to drift; update the downstream code to accept the new enum (or
add compatibility): modify places referencing accountVerifierEnabled (e.g.,
RegistrationServiceOption.AccountVerifierEnabled, CRD generation for
registrationService) to use accountVerifierMode (map true->"enabled",
false->"disabled" or default to "log" as appropriate), update the
toolchain-common test helper to expose/accept the enum, and/or add
migration/compatibility logic where parsing the old boolean is still supported
by converting it to the new enum before validation/enforcement (ensure symbols
accountVerifierMode, accountVerifierEnabled, and
RegistrationServiceOption.AccountVerifierEnabled are reconciled).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: e3ad711c-2ea5-4b4b-bbdc-ffa4eaf074a8

📥 Commits

Reviewing files that changed from the base of the PR and between bbb0ba8 and b6f17d9.

📒 Files selected for processing (4)

• api/v1alpha1/docs/apiref.adoc
• api/v1alpha1/toolchainconfig_types.go
• api/v1alpha1/zz_generated.deepcopy.go
• api/v1alpha1/zz_generated.openapi.go

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Verify Dependencies

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• api/v1alpha1/docs/apiref.adoc
• api/v1alpha1/zz_generated.openapi.go
• api/v1alpha1/zz_generated.deepcopy.go
• api/v1alpha1/toolchainconfig_types.go

🔀 Multi-repo context codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e

[::codeready-toolchain/toolchain-common::]

• pkg/test/config/toolchainconfig.go:294-296 — RegistrationServiceOption.AccountVerifierEnabled(value bool) sets config.Spec.Host.RegistrationService.AccountVerifierEnabled = &value (test config helper still references the removed boolean field).

[::codeready-toolchain/host-operator::]

• config/crd/bases/toolchain.dev.openshift.com_toolchainconfigs.yaml:162-163 — CRD contains property accountVerifierEnabled with description referencing AccountVerifierEnabled (OpenAPI/CRD still declares the old boolean field).

[::codeready-toolchain/toolchain-e2e::]

• No matches for AccountVerifierEnabled / AccountVerifierMode found.

🔇 Additional comments (1)

api/v1alpha1/zz_generated.deepcopy.go (1)

1940-1943: LGTM!

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

This API field rename is currently out-of-sync with linked repositories.

The change removes AccountVerifierEnabled, but linked findings show codeready-toolchain/toolchain-common test config helper and codeready-toolchain/host-operator CRD still reference the old field. Merge without coordinated companion changes risks downstream breakage and schema drift.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/toolchainconfig_types.go` around lines 265 - 270, The API field
rename removed AccountVerifierEnabled and introduced AccountVerifierMode, which
is out-of-sync with downstream repos (e.g., references in toolchain-common and
host-operator); restore compatibility by either reintroducing the old pointer
field AccountVerifierEnabled (keeping it deprecated) or add a
conversion/validation path that maps between AccountVerifierEnabled and
AccountVerifierMode in the API types (update the struct in
api/v1alpha1/toolchainconfig_types.go and implement conversion logic or
defaulting so callers using AccountVerifierEnabled still work), and update CRD
generation and unit/test helpers used by codeready-toolchain/toolchain-common
and codeready-toolchain/host-operator to use the new field or the compatibility
layer.

---

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking AccountVerifierMode markers and generated docs/schema..."
rg -n -C2 'AccountVerifierMode|kubebuilder:default|accountVerifierMode' \
  api/v1alpha1/toolchainconfig_types.go \
  api/v1alpha1/docs/apiref.adoc \
  api/v1alpha1/zz_generated.openapi.go

Repository: codeready-toolchain/api

Length of output: 3181

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== toolchainconfig_types.go markers ==="
rg -n --context 2 'AccountVerifierMode|kubebuilder:default' api/v1alpha1/toolchainconfig_types.go

echo
echo "=== zz_generated.openapi.go stanza around accountVerifierMode ==="
# Print a focused window around the property definition
sed -n '2630,2705p' api/v1alpha1/zz_generated.openapi.go | nl -ba | sed -n '25,110p'

echo
echo "=== search for Default near accountVerifierMode in zz_generated.openapi.go ==="
# limit to vicinity by grepping a small range output
rg -n 'Default:|default' api/v1alpha1/zz_generated.openapi.go | head -n 50

echo
echo "=== check docs line for default marker presence ==="
rg -n --context 2 'accountVerifierMode' api/v1alpha1/docs/apiref.adoc

Repository: codeready-toolchain/api

Length of output: 1110

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="api/v1alpha1/zz_generated.openapi.go"

echo "=== rg -n accountVerifierMode (line numbers) ==="
rg -n 'accountVerifierMode' "$file" | head -n 20

echo
echo "=== python: print contexts around accountVerifierMode and nearby Default ==="
python3 - <<'PY'
import re, pathlib
path = pathlib.Path("api/v1alpha1/zz_generated.openapi.go")
text = path.read_text(errors="ignore").splitlines()
hits = [i for i,l in enumerate(text) if "accountVerifierMode" in l]
for i in hits[:5]:
    start=max(0,i-40); end=min(len(text), i+80)
    print("\n--- context at line", i+1, "---")
    for j in range(start,end):
        l=text[j]
        if j+1==i+1 or re.search(r'Default:|default', l):
            mark=">>"
        else:
            mark="  "
        print(f"{mark} {j+1:5d}: {l}")
PY

echo
echo "=== rg Default: log / default log anywhere in openapi file (bounded) ==="
rg -n 'Default:\s*"log"|default.*log' "$file" || true

echo
echo "=== rg Default: near accountVerifierMode only ==="
# Print all lines containing Default: plus 3 lines of context around each accountVerifierMode match
python3 - <<'PY'
import pathlib
import re
p=pathlib.Path("api/v1alpha1/zz_generated.openapi.go")
lines=p.read_text(errors="ignore").splitlines()
out=[]
for i,l in enumerate(lines):
    if "accountVerifierMode" in l:
        # search within window for Default/default
        for j in range(max(0,i-60), min(len(lines), i+120)):
            if re.search(r'Default:|default', lines[j]):
                out.append((j+1, lines[j]))
if not out:
    print("No Default/default lines found near accountVerifierMode matches.")
else:
    for ln, l in out[:100]:
        print(f"{ln}: {l}")
PY

Repository: codeready-toolchain/api

Length of output: 6861

---

Add a kubebuilder default for AccountVerifierMode so CRD/OpenAPI matches the documented default ("log").

toolchainconfig_types.go says the default is "log", but the generated schema for accountVerifierMode in api/v1alpha1/zz_generated.openapi.go has no Default, so omitting the field won’t default to "log".

Proposed fix

 	// AccountVerifierMode controls how the registration service handles responses from the account-verifier service.
 	// Valid values are "disabled" (do not call the verifier), "log" (call but only log the response),
 	// and "enabled" (call and enforce the response). Defaults to "log".
 	// +optional
+	// +kubebuilder:default=log
 	// +kubebuilder:validation:Enum=disabled;log;enabled
 	AccountVerifierMode *string `json:"accountVerifierMode,omitempty"`

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// AccountVerifierMode controls how the registration service handles responses from the account-verifier service.
	// Valid values are "disabled" (do not call the verifier), "log" (call but only log the response),
	// and "enabled" (call and enforce the response). Defaults to "log".
	// +optional
	AccountVerifierEnabled *bool `json:"accountVerifierEnabled,omitempty"`
	// +kubebuilder:validation:Enum=disabled;log;enabled
	AccountVerifierMode *string `json:"accountVerifierMode,omitempty"`
	// AccountVerifierMode controls how the registration service handles responses from the account-verifier service.
	// Valid values are "disabled" (do not call the verifier), "log" (call but only log the response),
	// and "enabled" (call and enforce the response). Defaults to "log".
	// +optional
	// +kubebuilder:default=log
	// +kubebuilder:validation:Enum=disabled;log;enabled
	AccountVerifierMode *string `json:"accountVerifierMode,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/toolchainconfig_types.go` around lines 265 - 270, Add a
kubebuilder default annotation for AccountVerifierMode so the CRD/OpenAPI schema
reflects the documented default "log": add the comment directive
`+kubebuilder:default=log` above the AccountVerifierMode field in the
ToolchainConfig struct (the symbol is AccountVerifierMode in
api/v1alpha1/toolchainconfig_types.go), then regenerate the CRD/OpenAPI
(controller-gen/codegen) so zz_generated.openapi.go includes Default: "log".