Fix node label matching in triggerReconciliation

[smulje]

Fixes OCPBUGS-86839

Replace reflect.DeepEqual with proper label selector matching.
This ensures the operator correctly creates IngressNodeFirewallNodeState
objects for nodes added after the operator starts.

The previous implementation used DeepEqual which required exact
label match. The new implementation uses labels.SelectorFromSet
which properly handles label selectors per Kubernetes semantics.

- What this PR does and why is it needed
When a new worker node is added to the cluster after the Ingress Node Firewall operator has started, the operator does NOT create an IngressNodeFirewallNodeState object for that node.

Root Cause: The triggerReconciliation function was using reflect.DeepEqual to compare node labels against the IngressNodeFirewall's nodeSelector.MatchLabels. This method requires exact label equality, which doesn't match Kubernetes label selector semantics.

The Fix: Replace reflect.DeepEqual with the proper labels.SelectorFromSet().Matches() approach. This ensures the operator correctly evaluates whether a node matches the IngressNodeFirewall selector when new nodes are added or existing nodes are labeled.

- Special notes for reviewers

• The reflect package import has been removed as it's no longer needed.
• The new implementation uses k8s.io/apimachinery/pkg/labels which is the standard Kubernetes approach for label selector matching.
• This fix ensures nodes added dynamically (via auto-scaling, manual addition, or label changes) are properly picked up by the operator.
• The change is in the triggerReconciliation function in controllers/ingressnodefirewall_controller.go.

- How to verify it

1. Setup: Deploy an IngressNodeFirewall with a specific node selector:
   • Add a new worker node to the cluster (via MachineSet or manual addition)
   • Verify IngressNodeFirewallNodeState is automatically created for the new node

Created test image quay.io/smulje/ingress-node-firewall-operator:fix-node-matching with fix and verified that fix is working :

- Description for the changelog
Fix operator not creating IngressNodeFirewallNodeState for nodes added after startup.
The triggerReconciliation function now uses proper Kubernetes label selector matching
(labels.SelectorFromSet) instead of reflect.DeepEqual, ensuring nodes added dynamically
or through label changes are correctly reconciled.

Summary by CodeRabbit

• Bug Fixes
  • Improved node selection matching for IngressNodeFirewall to properly use Kubernetes label selector semantics instead of exact equality comparison.

[coderabbitai]

Walkthrough

In controllers/ingressnodefirewall_controller.go, the triggerReconciliation predicate is changed from using reflect.DeepEqual to compare label maps exactly to using labels.SelectorFromSet(...).Matches(...) for subset/selector-based matching. The reflect import is removed and k8s.io/apimachinery/pkg/labels is added.

Changes

Label Selector Matching Fix

Layer / File(s)	Summary
Replace DeepEqual with labels.SelectorFromSet in triggerReconciliation controllers/ingressnodefirewall_controller.go	Removes reflect import and adds k8s.io/apimachinery/pkg/labels; changes the node-watch enqueue predicate from exact label map equality (reflect.DeepEqual) to labels.SelectorFromSet(...).Matches(...), allowing nodes with a superset of the specified labels to match.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Tests have multiple violations: (1) 4 of 7 Eventually blocks lack timeout parameters (lines 102, 119, 402, 419, 566); (2) 17 assertions lack meaningful failure messages; (3) no test covers the bug...	Add timeout/interval parameters to all Eventually blocks; include descriptive failure messages in assertions; add test case for node creation after IngressNodeFirewall is deployed.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New Ginkgo e2e tests were added (test/e2e/functional/tests/e2e.go) without SNO compatibility protections. Tests verify node state counts match nodes with matching labels, assuming multiple nodes ex...	Add [Skipped:SingleReplicaTopology] label to multi-node tests, or guard with exutil.IsSingleNode() check and skip with appropriate message for SNO deployments.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: fixing node label matching in the triggerReconciliation function by replacing reflect.DeepEqual with proper Kubernetes label selector matching.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names (It, Describe, Context, When) contain only static, deterministic values. Two test files use fmt.Sprintf, but with hardcoded constants ("worker-daemon") and literal map keys, n...
Microshift Test Compatibility	✅ Passed	This PR only modifies controllers/ingressnodefirewall_controller.go to replace reflect.DeepEqual with label selector matching. No new Ginkgo e2e tests are added, so the MicroShift compatibility che...
Topology-Aware Scheduling Compatibility	✅ Passed	PR changes only label matching logic in triggerReconciliation function. No deployment manifests, pod affinity, topology constraints, replica counts, or node selectors targeting control-plane nodes...
Ote Binary Stdout Contract	✅ Passed	PR modifies only controllers/ingressnodefirewall_controller.go with no process-level code changes; no fmt.Print*, klog, or stdout writes introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The custom check only applies to new e2e tests; this PR only modifies controller code in ingressnodefirewall_controller.go.
No-Weak-Crypto	✅ Passed	The PR changes label matching logic from reflect.DeepEqual to Kubernetes label selectors—no cryptographic operations, weak crypto, or secret comparisons are introduced or modified.
Container-Privileges	✅ Passed	PR only modifies Go source code (ingressnodefirewall_controller.go), not container/K8s manifests; check for container privilege escalation is not applicable.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements in the modified code expose sensitive data. Labels are matched using labels.SelectorFromSet but never logged; only object names and namespaces are logged.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @smulje. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[danwinship]

/ok-to-test
/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, smulje

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@smulje: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[danwinship]

Created test image quay.io/smulje/ingress-node-firewall-operator:fix-node-matching with fix and verified that fix is working

/verified by @smulje

[openshift-ci-robot]

@danwinship: This PR has been marked as verified by @smulje.

Details

In response to this:

Created test image quay.io/smulje/ingress-node-firewall-operator:fix-node-matching with fix and verified that fix is working

/verified by @smulje

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.