CM-1038: Replace istiocsr type-specific decoders with generic DecodeObjBytes

[sebrandon1]

Summary

• Remove 8 type-specific decode*ObjBytes functions from the istiocsr package (~95 lines) and replace all 22 call sites with the existing generic common.DecodeObjBytes[T] helper
• Cache the ServiceAccount name at init time to avoid redundant YAML deserialization on every reconcile cycle
• Aligns the istiocsr package with the pattern already used by the trustmanager package

Test plan

• Unit tests pass (go test ./pkg/controller/istiocsr/...)
• Build succeeds (go build ./pkg/controller/istiocsr/)
• No new lint issues introduced
• CI checks pass

Jira: https://redhat.atlassian.net/browse/CM-1038

Summary by CodeRabbit

• Refactor
  • Unified object decoding across the IstioCSR controller, replacing multiple bespoke decoders with a single shared decoder to simplify resource handling.
  • Added an asset-based cache for the service account name to streamline reconciler lookups and reduce repeated decoding.
  • No changes to public APIs or runtime behavior; existing functionality remains unchanged.

[openshift-ci-robot]

@sebrandon1: This pull request references CM-1038 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Remove 8 type-specific decode*ObjBytes functions from the istiocsr package (~95 lines) and replace all 22 call sites with the existing generic common.DecodeObjBytes[T] helper
• Cache the ServiceAccount name at init time to avoid redundant YAML deserialization on every reconcile cycle
• Aligns the istiocsr package with the pattern already used by the trustmanager package

Test plan

• Unit tests pass (go test ./pkg/controller/istiocsr/...)
• Build succeeds (go build ./pkg/controller/istiocsr/)
• No new lint issues introduced
• CI checks pass

Jira: https://redhat.atlassian.net/browse/CM-1038

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7480e2a4-1db0-4487-9908-9a34db062955

📥 Commits

Reviewing files that changed from the base of the PR and between b622911 and ee01305.

📒 Files selected for processing (7)

• pkg/controller/istiocsr/certificates.go
• pkg/controller/istiocsr/deployments.go
• pkg/controller/istiocsr/rbacs.go
• pkg/controller/istiocsr/serviceaccounts.go
• pkg/controller/istiocsr/services.go
• pkg/controller/istiocsr/test_utils.go
• pkg/controller/istiocsr/utils.go

🚧 Files skipped from review as they are similar to previous changes (4)

• pkg/controller/istiocsr/deployments.go
• pkg/controller/istiocsr/certificates.go
• pkg/controller/istiocsr/rbacs.go
• pkg/controller/istiocsr/serviceaccounts.go

---

Walkthrough

Replaces many bespoke decode helpers with a single generic common.DecodeObjBytes[T](codecs, SchemeGroupVersion, asset) across the IstioCSR controller; removes the old decode helpers and adds a package-level cached ServiceAccount name initialized from the ServiceAccount asset.

Changes

Decoding Consolidation

Layer / File(s)	Summary
Caching foundation pkg/controller/istiocsr/utils.go	Adds cachedServiceAccountName and initializes it in init() by decoding the embedded ServiceAccount asset via common.DecodeObjBytes[*corev1.ServiceAccount]; removes the previous unexported decode*ObjBytes helper functions.
Certificate decoding pkg/controller/istiocsr/certificates.go	getCertificateObject now uses common.DecodeObjBytes[*certmanagerv1.Certificate](codecs, certmanagerv1.SchemeGroupVersion, assets.MustAsset(...)) instead of the removed helper.
Deployment decoding pkg/controller/istiocsr/deployments.go	getDeploymentObject switched to common.DecodeObjBytes[*appsv1.Deployment](codecs, appsv1.SchemeGroupVersion, assets.MustAsset(...)).
ServiceAccount decoding pkg/controller/istiocsr/serviceaccounts.go	getServiceAccountObject now decodes via common.DecodeObjBytes[*corev1.ServiceAccount](...).
Service decoding pkg/controller/istiocsr/services.go	getServiceObject and getMetricsServiceObject now decode Service manifests with common.DecodeObjBytes[*corev1.Service](...).
RBAC decoding & SA usage pkg/controller/istiocsr/rbacs.go	All RBAC getters (ClusterRole, ClusterRoleBinding, Role, RoleBinding, and lease variants) now use common.DecodeObjBytes[...]; createOrApplyRBACResource uses cachedServiceAccountName rather than decoding the ServiceAccount inline.
Test utilities pkg/controller/istiocsr/test_utils.go	Test helpers updated to use common.DecodeObjBytes[T] for Certificate, ClusterRole, ClusterRoleBinding, Deployment, Role, RoleBinding, RoleLeases, RoleBindingLeases, Service, and ServiceAccount; adds common import.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: replacing type-specific decoder functions with a generic DecodeObjBytes helper in the istiocsr package, which is the core refactoring throughout all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies istiocsr package decoder functions. No Ginkgo tests present in istiocsr package - only standard Go tests with static test names. Custom check for Ginkgo test stability is not applicable.
Test Structure And Quality	✅ Passed	This PR refactors decoder functions in implementation files, not Ginkgo test files. No test/e2e Ginkgo tests were modified. The custom check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes are limited to production code refactoring and unit test updates in the istiocsr package. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	New e2e tests in istio_csr_test.go do not assume multi-node clusters. Tests are for gRPC communication, ConfigMap handling, and namespace selectors—all compatible with SNO.
Topology-Aware Scheduling Compatibility	✅ Passed	Refactoring PR that replaces type-specific decoders with generic ones. No topology-unfriendly scheduling constraints introduced. Deployment manifest only has compatible linux nodeSelector.
Ote Binary Stdout Contract	✅ Passed	No stdout contract violations. Init() function adds no fmt.Print, klog, or logging configuration issues. Panic errors write to stderr.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. All changes are in pkg/controller/istiocsr/ and involve refactoring controller decoder functions. The check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@sebrandon1: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator	ee01305	link	true	/test e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.