OSAC-1533: Fix --network-attachment ignored with --catalog-item

[obochan-rh]

Summary

• buildSpecFromCatalogItem() was missing the applyNetworkingFlags() call, causing --network-attachment flags to be silently dropped when creating compute instances via --catalog-item
• The sibling buildSpec() function (used by --template) already included this call
• Added unit tests for buildSpecFromCatalogItem to verify network attachments are correctly applied

Root Cause

When --catalog-item support was added, buildSpecFromCatalogItem() duplicated all optional flag handling from buildSpec() (image, cores, memory, ssh-key, disks, etc.) but omitted the applyNetworkingFlags() call at the end. The CLI accepted --network-attachment without error but never included it in the gRPC request.

Fix

Added applyNetworkingFlags(&spec) in buildSpecFromCatalogItem() before returning — same pattern as buildSpec() (3 lines).

Test Plan

• Existing unit tests pass (20/20 specs, was 18 before)
• New buildSpecFromCatalogItem tests verify network attachments are populated
• Tested on edge-04: error changed from "at least one network attachment is required" (network attachment dropped) to "subnet does not exist" (network attachment correctly sent to server)

Fixes: https://redhat.atlassian.net/browse/OSAC-1533

Summary by CodeRabbit

• New Features

  • Network attachment flags are now supported when creating compute instances from catalog items.

• Tests

  • Added test coverage for network attachment spec building when using catalog item-based instance creation, including scenarios with and without network attachments.

[openshift-ci-robot]

@obochan-rh: This pull request references OSAC-1533 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• buildSpecFromCatalogItem() was missing the applyNetworkingFlags() call, causing --network-attachment flags to be silently dropped when creating compute instances via --catalog-item
• The sibling buildSpec() function (used by --template) already included this call
• Added unit tests for buildSpecFromCatalogItem to verify network attachments are correctly applied

Root Cause

When --catalog-item support was added, buildSpecFromCatalogItem() duplicated all optional flag handling from buildSpec() (image, cores, memory, ssh-key, disks, etc.) but omitted the applyNetworkingFlags() call at the end. The CLI accepted --network-attachment without error but never included it in the gRPC request.

Fix

Added applyNetworkingFlags(&spec) in buildSpecFromCatalogItem() before returning — same pattern as buildSpec() (3 lines).

Test Plan

• Existing unit tests pass (20/20 specs, was 18 before)
• New buildSpecFromCatalogItem tests verify network attachments are populated
• Tested on edge-04: error changed from "at least one network attachment is required" (network attachment dropped) to "subnet does not exist" (network attachment correctly sent to server)

Fixes: https://redhat.atlassian.net/browse/OSAC-1533

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: obochan-rh
Once this PR has been reviewed and has the lgtm label, please assign ygalblum for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

buildSpecFromCatalogItem now calls applyNetworkingFlags on the constructed ComputeInstanceSpec and propagates any error before building the final spec. Tests replace the prior buildSpec attachment test with a buildSpecFromCatalogItem suite covering both populated and empty network attachment flag cases.

Changes

Network Attachment Flags in Catalog-Item Spec Builder

Layer / File(s)	Summary
applyNetworkingFlags wired into buildSpecFromCatalogItem with tests internal/cmd/cli/create/computeinstance/create_compute_instance_cmd.go, internal/cmd/cli/create/computeinstance/create_compute_instance_cmd_test.go	buildSpecFromCatalogItem now invokes applyNetworkingFlags(&spec) and returns any error before calling spec.Build(). Tests verify that NetworkAttachments are parsed and populated from runnerContext.args.networkAttachments (bare subnet ID and subnet=...,security-groups=... form), and that the field is absent when no flags are provided.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

⚠️ A network flag left unapplied,
Could leave your NICs misconfigured, untried.
Now applyNetworkingFlags gets its due call,
Catalog items stand guarded — attached, one and all.
Risk severity: patched. The blast radius: small. 🛡️

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically summarizes the main change: fixing the bug where --network-attachment flags were ignored when using --catalog-item option.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets	✅ Passed	No hardcoded secrets detected: test data uses only mock IDs (cat-001, n1, g1, etc.); no API keys, tokens, passwords, base64 strings >32 chars, or embedded credentials found.
No-Weak-Crypto	✅ Passed	PR introduces no weak cryptographic primitives, custom crypto implementations, or non-constant-time secret comparisons. Changes add networking flag handling to buildSpecFromCatalogItem and tests; n...
No-Injection-Vectors	✅ Passed	No injection vectors found. Code properly validates network attachment CLI flags using safe string parsing and converts them to protobuf messages with no SQL/shell/eval/yaml/pickle usage.
Container-Privileges	✅ Passed	PR modifies only Go source files for CLI command logic; no container or Kubernetes manifests added/modified. No privileged container configurations (privileged, hostPID, hostNetwork, hostIPC, SYS_A...
No-Sensitive-Data-In-Logs	✅ Passed	No new logging statements introduced; code only calls existing applyNetworkingFlags function and tests use non-sensitive placeholder values. No passwords, tokens, keys, PII, or sensitive data expos...
Ai-Attribution	✅ Passed	No AI tool usage mentioned in PR description or commits; no attribution trailers required. Check only applies if AI tools were explicitly mentioned.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/cmd/cli/create/computeinstance/create_compute_instance_cmd_test.go`:
- Around line 76-103: Add a new test case (It block) to the
buildSpecFromCatalogItem describe suite that validates error handling for
invalid input. Create a runnerContext with invalid or malformed values in the
networkAttachments field (such as a string that cannot be parsed correctly),
then call buildSpecFromCatalogItem and assert that it returns an error using
Expect(err).To(HaveOccurred()). This ensures the function properly rejects and
reports invalid network attachment input rather than silently ignoring it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 0c1643c5-4e52-4a45-8607-79571a46f6bf

📥 Commits

Reviewing files that changed from the base of the PR and between dc987c9 and 6f07494.

📒 Files selected for processing (2)

• internal/cmd/cli/create/computeinstance/create_compute_instance_cmd.go
• internal/cmd/cli/create/computeinstance/create_compute_instance_cmd_test.go

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add a catalog-item error-path test for invalid network attachment input.

This suite validates success/empty cases but not parse failure propagation; add one case where networkAttachments contains an invalid value and assert buildSpecFromCatalogItem returns an error, so future regressions don’t silently drop invalid networking input.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cmd/cli/create/computeinstance/create_compute_instance_cmd_test.go`
around lines 76 - 103, Add a new test case (It block) to the
buildSpecFromCatalogItem describe suite that validates error handling for
invalid input. Create a runnerContext with invalid or malformed values in the
networkAttachments field (such as a string that cannot be parsed correctly),
then call buildSpecFromCatalogItem and assert that it returns an error using
Expect(err).To(HaveOccurred()). This ensures the function properly rejects and
reports invalid network attachment input rather than silently ignoring it.