Fix: Retry project wait_for_status due to RBAC updates

[rnetser]

Short description:

When a ProjectRequest is created, the project is created and the user is added to the project.
RBAC binding may not have propagated yet, causing transient 403 Forbidden errors, so we need to retry on ForbiddenError as well.

More details:

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for reviewer:

Bug:

Summary by CodeRabbit

• Bug Fixes

  • Improved resilience during resource deployment by gracefully handling transient authentication errors.

• Chores

  • Removed deprecated continuous integration workflow configuration.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Remove GitHub Actions workflow file and introduce configurable exception retry handling in OpenShift resource status polling to handle transient 403 Forbidden errors during RBAC propagation delays.

Changes

Cohort / File(s)	Summary
Workflow cleanup .github/workflows/code-check.yml.old	Removed obsolete GitHub Actions workflow file that performed Python version matrix testing with tox.
Exception handling parameterization ocp_resources/resource.py	Added exceptions_dict parameter to wait_for_status() method with default combining protocol error and cluster retry exceptions; updated TimeoutSampler invocation to use parameterized dictionary.
ForbiddenError retry logic ocp_resources/project_request.py	Added imports for ForbiddenError and exception constants; updated deploy logic to pass composite exceptions dictionary including ForbiddenError to wait_for_status() for retrying transient RBAC propagation failures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Exception handling logic parameterization and its default value composition require verification
• Public method signature change (wait_for_status) needs backward compatibility assessment
• RBAC propagation retry pattern and ForbiddenError handling specifics in project_request.py require contextual review

Possibly related PRs

• feat: Add retry on resource creation #2572 — Adds configurable exception-retry behavior to resource methods using similar exception dictionary patterns and DEFAULT_CLUSTER_RETRY_EXCEPTIONS.

Suggested labels

size/XS, verified, branch-main, can-be-merged

Suggested reviewers

• dbasunag
• myakove

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description provides a short explanation of the issue (RBAC propagation delays causing transient 403 errors) but most required template sections are left empty or incomplete.	Fill in the remaining template sections: More details, What this PR does/why we need it, Which issue(s) this PR fixes, Special notes for reviewer, and identify any related Bug.
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title clearly and specifically describes the main change: retrying on errors during project wait_for_status due to RBAC propagation delays.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch retry-project-status

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[redhat-qe-bot2]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Pre-commit Checks: pre-commit runs automatically if .pre-commit-config.yaml exists
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /automerge - Enable automatic merging when all requirements are met (maintainers and approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest python-module-install - Test Python package installation
• /retest conventional-title - Validate commit message format
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 0 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No WIP, hold, or conflict labels
5. Verified: PR must be marked as verified (if verification is enabled)

📊 Review Process

Approvers and Reviewers

Approvers:

• myakove
• rnetser

Reviewers:

• myakove
• rnetser

Available Labels

• hold
• verified
• wip
• lgtm
• approve
• automerge

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is automatically removed on each new commit
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

ocp_resources/resource.py (1)

975-975: Consider expanding the parameter documentation.

While the parameter is documented, consider adding a note about when custom exception handling might be needed (e.g., "Use custom exceptions_dict when additional transient errors are expected, such as ForbiddenError during RBAC propagation").

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c78e2d9 and 216676c.

📒 Files selected for processing (3)

• .github/workflows/code-check.yml.old (0 hunks)
• ocp_resources/project_request.py (2 hunks)
• ocp_resources/resource.py (3 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/code-check.yml.old

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-11T16:42:27.596Z

Learnt from: servolkov
Repo: RedHatQE/openshift-python-wrapper PR: 2490
File: ocp_resources/route_advertisements.py:5-5
Timestamp: 2025-08-11T16:42:27.596Z
Learning: In the openshift-python-wrapper project, MissingRequiredArgumentError should be imported from ocp_resources.resource (not ocp_resources.exceptions), as it's re-exported there and this is the established pattern used throughout the codebase.

Applied to files:

• ocp_resources/project_request.py

🧬 Code graph analysis (1)

ocp_resources/project_request.py (1)

ocp_resources/resource.py (2)

• wait_for_status (959-1009)
• status (1073-1083)

🔇 Additional comments (4)

ocp_resources/resource.py (1)

959-967: LGTM! Clean parameterization of retry exceptions.

The addition of the exceptions_dict parameter to wait_for_status provides the flexibility needed to handle RBAC propagation delays while maintaining backward compatibility through sensible defaults. The default value preserves the existing retry behavior for callers that don't specify custom exceptions.

ocp_resources/project_request.py (3)

5-5: Import location is correct.

The ForbiddenError exception is correctly imported from kubernetes.dynamic.exceptions, which is the proper source for Kubernetes API exceptions.

---

61-67: Well-implemented fix for RBAC propagation delays.

The changes correctly address the transient 403 Forbidden errors that occur during RBAC propagation after ProjectRequest creation. The implementation is appropriately scoped to only this specific scenario where the delay is expected, rather than globally masking permission errors.

The use of {ForbiddenError: []} with an empty list means all ForbiddenError instances will be retried regardless of error message, which is appropriate since RBAC propagation delays can manifest with various error messages.

---

64-67: Thank you for clarifying the question. I'll search for specific RBAC propagation timing data in OpenShift to verify if 4 minutes is adequate.

Review comment cannot be verified against published standards; recommend confirming timeout empirically in your environment.

The original review asks whether 4 minutes is sufficient for RBAC propagation. However, public OpenShift and Kubernetes documentation do not specify typical RBAC propagation delays. While the 4-minute timeout is conservative relative to typical cache sync defaults (e.g., 2 minutes in controller-runtime), confirming adequacy requires testing against your specific cluster infrastructure, network conditions, and load patterns. Consider validating this timeout by monitoring actual propagation times during project creation workflows in your environment, particularly under peak load.