CCO-687: Fix nil pointer dereference in Azure role assignment handling #879

Open: wants to merge 1 commit into base: master

kaovilai
Member

Summary

This PR fixes a panic with nil pointer dereference in the ensureRolesAssignedToManagedIdentity function when processing existing role assignments during Azure STS provisioning retry scenarios.

Issue

https://issues.redhat.com/browse/CCO-687

Problem

The ccoctl azure create-all command encounters a panic when iterating through existing role assignments. The code attempts to dereference existingRoleAssignment.Properties.RoleDefinitionID without checking if Properties or RoleDefinitionID is nil. This occurs especially during retry scenarios after Azure eventual consistency errors, when role assignment objects may have nil Properties or nil fields.

Solution

Added comprehensive nil checks throughout the Azure managed identity creation process:

  • Check for nil Properties, RoleDefinitionID, and Scope before dereferencing role assignments
  • Add nil checks for managed identity properties (PrincipalID, ClientID, TenantID)
  • Add error handling for writeCredReqSecret function calls
  • Fix incorrect field access patterns (remove redundant struct nesting)
  • Ensure all pointer dereferences are protected with nil checks

Test plan

  • Verify ccoctl azure create-all completes successfully on initial run
  • Verify ccoctl handles retry scenarios gracefully when encountering Azure eventual consistency errors
  • Verify no panics occur when processing existing role assignments with nil properties
  • Verify role assignments are properly reconciled during retries

🤖 Generated with Claude Code

This commit addresses CCO-687 by adding comprehensive nil checks throughout
the Azure managed identity creation process, particularly in the
ensureRolesAssignedToManagedIdentity function.

Changes include:
- Add nil checks for role assignment properties before dereferencing
- Add nil checks for managed identity properties (PrincipalID, ClientID, TenantID)
- Add error handling for writeCredReqSecret function calls
- Fix incorrect field access patterns (remove redundant struct nesting)
- Ensure all pointer dereferences are protected with nil checks

This prevents panics when Azure returns role assignments with nil properties
during retry scenarios after eventual consistency errors.

Fixes: https://issues.redhat.com/browse/CCO-687
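
The guard the description and commit message above call for, as an added Go example that is not code from this PR or from ccoctl. The struct types are local stand-ins carrying only the pointer fields the PR names (Properties, RoleDefinitionID, Scope); `findMissingRoles`, `ptr`, the decision to skip and count incomplete assignments, and the sample values are assumptions of the example.

```go
package main

import "fmt"

// Stand-in types (assumed shape): only the pointer fields named in the PR.
type RoleAssignmentProperties struct {
	RoleDefinitionID *string
	Scope            *string
}

type RoleAssignment struct {
	Properties *RoleAssignmentProperties
}

// findMissingRoles (hypothetical helper) returns the wanted role definition
// IDs that have no existing assignment at scope. Assignments with nil
// Properties, RoleDefinitionID or Scope are counted and skipped, never
// dereferenced.
func findMissingRoles(existing []*RoleAssignment, wanted []string, scope string) (missing []string, skipped int) {
	have := make(map[string]bool)
	for _, ra := range existing {
		if ra == nil || ra.Properties == nil ||
			ra.Properties.RoleDefinitionID == nil || ra.Properties.Scope == nil {
			skipped++ // incomplete object: cannot be matched, must not panic
			continue
		}
		if *ra.Properties.Scope == scope {
			have[*ra.Properties.RoleDefinitionID] = true
		}
	}
	for _, id := range wanted {
		if !have[id] {
			missing = append(missing, id)
		}
	}
	return missing, skipped
}

func ptr(s string) *string { return &s }

func main() {
	// Constructed sample data, not real Azure output.
	existing := []*RoleAssignment{
		{Properties: &RoleAssignmentProperties{RoleDefinitionID: ptr("role-a"), Scope: ptr("/rg/example")}},
		{Properties: nil}, // what a retry may see after a consistency error
		{Properties: &RoleAssignmentProperties{Scope: ptr("/rg/example")}},
	}
	missing, skipped := findMissingRoles(existing, []string{"role-a", "role-b"}, "/rg/example")
	fmt.Println("missing:", missing, "skipped:", skipped)
}
```

Returning the skipped count lets the caller log or retry when incomplete objects were seen, rather than silently treating them as absent.
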
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 26, 2025
Contributor

openshift-ci-robot commented Jun 26, 2025

@kaovilai: This pull request references CCO-687 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.20.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from 2uasimojo and jstuever June 26, 2025 20:12
Contributor

openshift-ci bot commented Jun 26, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kaovilai
Once this PR has been reviewed and has the lgtm label, please assign jstuever for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

codecov bot commented Jun 26, 2025

Codecov Report

Attention: Patch coverage is 34.37500% with 21 lines in your changes missing coverage. Please review.

Project coverage is 46.89%. Comparing base (57e1b35) to head (04f9b79).

Files with missing lines Patch % Lines
...md/provisioning/azure/create_managed_identities.go 34.37% 12 Missing and 9 partials ⚠️
Additional details and impacted files

@@            Coverage Diff             @@
##           master     #879      +/-   ##
==========================================
- Coverage   46.97%   46.89%   -0.08%     
==========================================
  Files          97       97              
  Lines       11910    11932      +22     
==========================================
+ Hits         5595     5596       +1     
- Misses       5697     5709      +12     
- Partials      618      627       +9     
Files with missing lines Coverage Δ
...md/provisioning/azure/create_managed_identities.go 55.44% <34.37%> (-2.37%) ⬇️

@kaovilai
Member Author

/retest

Contributor

openshift-ci bot commented Jun 27, 2025

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
