feat: add new notebook lint checks and harden code

New checks:
- ConnectionIntegrityCheck: verifies that Notebooks referencing
  connections via the opendatahub.io/connections annotation have
  backing Secrets that exist. Uses a two-pass approach — collect
  referenced namespaces, then list Secrets only in those namespaces
  — to avoid cluster-wide Secret queries.
- HardwareProfileIntegrityCheck: verifies that Notebooks referencing
  infrastructure HardwareProfiles (infrastructure.opendatahub.io)
  via annotations point to profiles that exist. Uses the same
  namespace-scoped two-pass pattern as ConnectionIntegrityCheck.
- RunningWorkloadsCheck: detects Notebooks that are currently running
  (missing the kubeflow-resource-stopped annotation) before a 2.x to
  3.x upgrade.

All three new checks and AcceleratorMigrationCheck use
validate.WorkloadsMetadata().Run() with callbacks. WorkloadBuilder
handles result creation, target version annotation, CRD-not-found
(empty list), and workload count annotation. Each callback overrides
AnnotationImpactedWorkloadCount with the actual impacted count and
unconditionally calls SetImpactedObjects (which always allocates via
make, preventing WorkloadBuilder's auto-populate).

New shared infrastructure:
- validate.FilterWorkloadsWithAcceleratorRefs: extracted from
  FindWorkloadsWithAcceleratorRefs to process pre-listed items
  without re-listing. FindWorkloadsWithAcceleratorRefs is now a
  thin wrapper (list + delegate) and is still used by kserve.
- constants.go: centralizes check metadata (condition types,
  annotation keys, message templates) used across all notebook
  checks. Inline constants from impacted.go, container_name.go,
  container_name_support.go, and hardwareprofile_migration.go are
  moved here.
- utils.go: adds isWorkbenchesManaged helper, replacing duplicated
  DSC lookup logic in container_name.go, impacted.go, and
  hardwareprofile_migration.go.
- helpers_test.go: shared newNotebook test helper to reduce inline
  notebook construction across test files.
- resources.InfrastructureHardwareProfile: new ResourceType for the
  infrastructure.opendatahub.io/v1 HardwareProfile API group.
- check.CheckTypeDataIntegrity and check.CheckTypeWorkloadState:
new check type constants.

Changes to existing checks:
- AcceleratorMigrationCheck: refactored to WorkloadBuilder with a
  checkAcceleratorRefs callback that delegates to
  FilterWorkloadsWithAcceleratorRefs. Uses ReasonMigrationPending
  instead of ReasonConfigurationInvalid for the auto-migration
  advisory condition.
- HardwareProfileMigrationCheck: CanApply now requires Workbenches
  to be Managed (previously always returned true).
- ImpactedWorkloadsCheck:
  - Pre-compute nginxFixMinRHOAIVersion parsing at package load
    time via mustParseVersionParts, replacing per-call string
    splitting in isCompliantBuildRef.
  - Extract hardcoded check.opendatahub.io annotation keys into
    named constants (AnnotationCheckImageStatus,
    AnnotationCheckImageRef, AnnotationCheckReason).
  - findImageStreamByDockerRepo returns (ootbImageStream, bool)
    instead of *ootbImageStream, consistent with sibling lookup
    functions.
- ContainerNameCheck: CanApply delegates to isWorkbenchesManaged
  instead of inlining DSC lookup.
- buildSecretCache (connection_integrity.go): takes client.Reader
  instead of check.Target, consistent with how
  hardware_profile_integrity.go accesses the client directly.

Removed:
- export_test.go: replaced by helpers_test.go with a more flexible
  newNotebook helper using a notebookMeta options struct.

Signed-off-by: Andy Stoneberg <astonebe@redhat.com>

Author: andyatmiami

pkg/lint/check/constants.go

@@ -9,6 +9,8 @@ const (
 	CheckTypeInstalled                   CheckType = "installed"
 	CheckTypeImpactedWorkloads           CheckType = "impacted-workloads"
 	CheckTypeConfigMigration             CheckType = "config-migration"
+	CheckTypeDataIntegrity               CheckType = "data-integrity"
+	CheckTypeWorkloadState               CheckType = "workload-state"
 	CheckTypeAcceleratorProfileMigration CheckType = "acceleratorprofile-migration"
 )
 

pkg/lint/check/validate/accelerator.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/opendatahub-io/odh-cli/pkg/lint/check"
@@ -39,15 +40,26 @@ func FindWorkloadsWithAcceleratorRefs(
 		return nil, 0, fmt.Errorf("listing %s: %w", workloadType.Kind, err)
 	}
 
+	return FilterWorkloadsWithAcceleratorRefs(ctx, target.Client, workloads)
+}
+
+// FilterWorkloadsWithAcceleratorRefs checks which of the given workload items reference
+// AcceleratorProfiles via annotations, and returns the impacted workload names
+// along with a count of missing profiles.
+func FilterWorkloadsWithAcceleratorRefs(
+	ctx context.Context,
+	c client.Reader,
+	items []*metav1.PartialObjectMetadata,
+) ([]types.NamespacedName, int, error) {
 	// Resolve the applications namespace for AcceleratorProfile lookups.
 	// AcceleratorProfiles live in the applications namespace, but workloads may not
 	// have the namespace annotation set, so we need a proper default.
-	appNS, err := client.GetApplicationsNamespace(ctx, target.Client)
+	appNS, err := client.GetApplicationsNamespace(ctx, c)
 	if err != nil {
 		return nil, 0, fmt.Errorf("getting applications namespace: %w", err)
 	}
 
-	profileCache, err := kube.BuildResourceNameSet(ctx, target.Client, resources.AcceleratorProfile)
+	profileCache, err := kube.BuildResourceNameSet(ctx, c, resources.AcceleratorProfile)
 	if err != nil {
 		return nil, 0, fmt.Errorf("building AcceleratorProfile cache: %w", err)
 	}
@@ -56,7 +68,7 @@ func FindWorkloadsWithAcceleratorRefs(
 
 	missingCount := 0
 
-	for _, w := range workloads {
+	for _, w := range items {
 		profileRef := types.NamespacedName{
 			Namespace: kube.GetAnnotation(w, AnnotationAcceleratorNamespace),
 			Name:      kube.GetAnnotation(w, AnnotationAcceleratorName),

pkg/lint/checks/workloads/notebook/accelerator_migration.go

@@ -2,23 +2,17 @@ package notebook
 
 import (
 	"context"
-	"fmt"
 	"strconv"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/opendatahub-io/odh-cli/pkg/constants"
 	"github.com/opendatahub-io/odh-cli/pkg/lint/check"
 	"github.com/opendatahub-io/odh-cli/pkg/lint/check/result"
 	"github.com/opendatahub-io/odh-cli/pkg/lint/check/validate"
 	"github.com/opendatahub-io/odh-cli/pkg/resources"
-	"github.com/opendatahub-io/odh-cli/pkg/util/client"
-	"github.com/opendatahub-io/odh-cli/pkg/util/components"
 	"github.com/opendatahub-io/odh-cli/pkg/util/version"
 )
 
-const ConditionTypeAcceleratorProfileCompatible = "AcceleratorProfileCompatible"
-
 // AcceleratorMigrationCheck detects Notebook (workbench) CRs referencing deprecated AcceleratorProfiles
 // that will be auto-migrated to HardwareProfiles (infrastructure.opendatahub.io) during RHOAI 3.x upgrade.
 type AcceleratorMigrationCheck struct {
@@ -46,28 +40,28 @@ func (c *AcceleratorMigrationCheck) CanApply(ctx context.Context, target check.T
 		return false, nil
 	}
 
-	dsc, err := client.GetDataScienceCluster(ctx, target.Client)
-	if err != nil {
-		return false, fmt.Errorf("getting DataScienceCluster: %w", err)
-	}
-
-	return components.HasManagementState(dsc, "workbenches", constants.ManagementStateManaged), nil
+	return isWorkbenchesManaged(ctx, target)
 }
 
 // Validate executes the check against the provided target.
 func (c *AcceleratorMigrationCheck) Validate(
 	ctx context.Context,
 	target check.Target,
 ) (*result.DiagnosticResult, error) {
-	dr := c.NewResult()
+	return validate.WorkloadsMetadata(c, target, resources.Notebook).
+		Run(ctx, c.checkAcceleratorRefs)
+}
 
-	if target.TargetVersion != nil {
-		dr.Annotations[check.AnnotationCheckTargetVersion] = target.TargetVersion.String()
-	}
+// checkAcceleratorRefs cross-references notebook accelerator annotations against existing AcceleratorProfiles.
+func (c *AcceleratorMigrationCheck) checkAcceleratorRefs(
+	ctx context.Context,
+	req *validate.WorkloadRequest[*metav1.PartialObjectMetadata],
+) error {
+	dr := req.Result
 
-	impacted, missingCount, err := validate.FindWorkloadsWithAcceleratorRefs(ctx, target, resources.Notebook)
+	impacted, missingCount, err := validate.FilterWorkloadsWithAcceleratorRefs(ctx, req.Client, req.Items)
 	if err != nil {
-		return nil, fmt.Errorf("finding Notebooks with AcceleratorProfiles: %w", err)
+		return err
 	}
 
 	totalImpacted := len(impacted)
@@ -77,12 +71,9 @@ func (c *AcceleratorMigrationCheck) Validate(
 		dr.Status.Conditions,
 		c.newAcceleratorMigrationCondition(totalImpacted, missingCount),
 	)
+	dr.SetImpactedObjects(resources.Notebook, impacted)
 
-	if totalImpacted > 0 {
-		dr.SetImpactedObjects(resources.Notebook, impacted)
-	}
-
-	return dr, nil
+	return nil
 }
 
 func (c *AcceleratorMigrationCheck) newAcceleratorMigrationCondition(
@@ -94,7 +85,7 @@ func (c *AcceleratorMigrationCheck) newAcceleratorMigrationCondition(
 			ConditionTypeAcceleratorProfileCompatible,
 			metav1.ConditionTrue,
 			check.WithReason(check.ReasonVersionCompatible),
-			check.WithMessage("No Notebooks found using deprecated AcceleratorProfiles - no migration needed"),
+			check.WithMessage(MsgNoAcceleratorProfiles),
 		)
 	}
 
@@ -104,7 +95,7 @@ func (c *AcceleratorMigrationCheck) newAcceleratorMigrationCondition(
 			ConditionTypeAcceleratorProfileCompatible,
 			metav1.ConditionFalse,
 			check.WithReason(check.ReasonResourceNotFound),
-			check.WithMessage("Found %d Notebook(s) referencing deprecated AcceleratorProfiles (%d missing): AcceleratorProfiles and Notebook references are automatically migrated to HardwareProfiles (infrastructure.opendatahub.io) during upgrade", totalImpacted, totalMissing),
+			check.WithMessage(MsgAcceleratorProfilesMissing, totalImpacted, totalMissing),
 			check.WithImpact(result.ImpactAdvisory),
 			check.WithRemediation(c.CheckRemediation),
 		)
@@ -114,8 +105,8 @@ func (c *AcceleratorMigrationCheck) newAcceleratorMigrationCondition(
 	return check.NewCondition(
 		ConditionTypeAcceleratorProfileCompatible,
 		metav1.ConditionFalse,
-		check.WithReason(check.ReasonConfigurationInvalid),
-		check.WithMessage("Found %d Notebook(s) using deprecated AcceleratorProfiles: AcceleratorProfiles and Notebook references are automatically migrated to HardwareProfiles (infrastructure.opendatahub.io) during upgrade", totalImpacted),
+		check.WithReason(check.ReasonMigrationPending),
+		check.WithMessage(MsgAcceleratorProfilesMigrating, totalImpacted),
 		check.WithImpact(result.ImpactAdvisory),
 		check.WithRemediation(c.CheckRemediation),
 	)

pkg/lint/checks/workloads/notebook/accelerator_migration_test.go

@@ -1,6 +1,7 @@
 package notebook_test
 
 import (
+	"fmt"
 	"testing"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -45,7 +46,7 @@ func TestAcceleratorMigrationCheck_NoNotebooks(t *testing.T) {
 		"Type":    Equal(notebook.ConditionTypeAcceleratorProfileCompatible),
 		"Status":  Equal(metav1.ConditionTrue),
 		"Reason":  Equal(check.ReasonVersionCompatible),
-		"Message": ContainSubstring("No Notebooks found"),
+		"Message": Equal(notebook.MsgNoAcceleratorProfiles),
 	}))
 	g.Expect(result.Annotations).To(HaveKeyWithValue(check.AnnotationImpactedWorkloadCount, "0"))
 	g.Expect(result.ImpactedObjects).To(BeEmpty())
@@ -56,17 +57,7 @@ func TestAcceleratorMigrationCheck_NotebookWithoutAcceleratorProfile(t *testing.
 	ctx := t.Context()
 
 	// Notebook without accelerator annotations
-	nb := &unstructured.Unstructured{
-		Object: map[string]any{
-			"apiVersion": resources.Notebook.APIVersion(),
-			"kind":       resources.Notebook.Kind,
-			"metadata": map[string]any{
-				"name":      "test-notebook",
-				"namespace": "test-ns",
-			},
-			"spec": map[string]any{},
-		},
-	}
+	nb := newNotebook("test-notebook", "test-ns", notebookOptions{})
 
 	target := testutil.NewTarget(t, testutil.TargetConfig{
 		ListKinds:      acceleratorListKinds,
@@ -106,21 +97,12 @@ func TestAcceleratorMigrationCheck_NotebookWithExistingAcceleratorProfile(t *tes
 	}
 
 	// Notebook referencing existing AcceleratorProfile
-	nb := &unstructured.Unstructured{
-		Object: map[string]any{
-			"apiVersion": resources.Notebook.APIVersion(),
-			"kind":       resources.Notebook.Kind,
-			"metadata": map[string]any{
-				"name":      "gpu-notebook",
-				"namespace": "user-ns",
-				"annotations": map[string]any{
-					"opendatahub.io/accelerator-name":              "nvidia-gpu",
-					"opendatahub.io/accelerator-profile-namespace": "redhat-ods-applications",
-				},
-			},
-			"spec": map[string]any{},
+	nb := newNotebook("gpu-notebook", "user-ns", notebookOptions{
+		Annotations: map[string]any{
+			"opendatahub.io/accelerator-name":              "nvidia-gpu",
+			"opendatahub.io/accelerator-profile-namespace": "redhat-ods-applications",
 		},
-	}
+	})
 
 	target := testutil.NewTarget(t, testutil.TargetConfig{
 		ListKinds:      acceleratorListKinds,
@@ -137,8 +119,8 @@ func TestAcceleratorMigrationCheck_NotebookWithExistingAcceleratorProfile(t *tes
 	g.Expect(result.Status.Conditions[0].Condition).To(MatchFields(IgnoreExtras, Fields{
 		"Type":    Equal(notebook.ConditionTypeAcceleratorProfileCompatible),
 		"Status":  Equal(metav1.ConditionFalse),
-		"Reason":  Equal(check.ReasonConfigurationInvalid),
-		"Message": And(ContainSubstring("Found 1 Notebook(s)"), ContainSubstring("HardwareProfiles")),
+		"Reason":  Equal(check.ReasonMigrationPending),
+		"Message": Equal(fmt.Sprintf(notebook.MsgAcceleratorProfilesMigrating, 1)),
 	}))
 	g.Expect(result.Status.Conditions[0].Impact).To(Equal(resultpkg.ImpactAdvisory))
 	g.Expect(result.Status.Conditions[0].Remediation).To(ContainSubstring("HardwareProfiles"))
@@ -154,21 +136,12 @@ func TestAcceleratorMigrationCheck_NotebookWithMissingAcceleratorProfile(t *test
 	ctx := t.Context()
 
 	// Notebook referencing non-existent AcceleratorProfile
-	nb := &unstructured.Unstructured{
-		Object: map[string]any{
-			"apiVersion": resources.Notebook.APIVersion(),
-			"kind":       resources.Notebook.Kind,
-			"metadata": map[string]any{
-				"name":      "broken-notebook",
-				"namespace": "user-ns",
-				"annotations": map[string]any{
-					"opendatahub.io/accelerator-name":              "missing-profile",
-					"opendatahub.io/accelerator-profile-namespace": "some-ns",
-				},
-			},
-			"spec": map[string]any{},
+	nb := newNotebook("broken-notebook", "user-ns", notebookOptions{
+		Annotations: map[string]any{
+			"opendatahub.io/accelerator-name":              "missing-profile",
+			"opendatahub.io/accelerator-profile-namespace": "some-ns",
 		},
-	}
+	})
 
 	target := testutil.NewTarget(t, testutil.TargetConfig{
 		ListKinds:      acceleratorListKinds,
@@ -186,7 +159,7 @@ func TestAcceleratorMigrationCheck_NotebookWithMissingAcceleratorProfile(t *test
 		"Type":    Equal(notebook.ConditionTypeAcceleratorProfileCompatible),
 		"Status":  Equal(metav1.ConditionFalse),
 		"Reason":  Equal(check.ReasonResourceNotFound),
-		"Message": And(ContainSubstring("1 missing"), ContainSubstring("automatically migrated to HardwareProfiles")),
+		"Message": Equal(fmt.Sprintf(notebook.MsgAcceleratorProfilesMissing, 1, 1)),
 	}))
 	g.Expect(result.Status.Conditions[0].Impact).To(Equal(resultpkg.ImpactAdvisory))
 	g.Expect(result.Status.Conditions[0].Remediation).To(ContainSubstring("HardwareProfiles"))
@@ -211,51 +184,23 @@ func TestAcceleratorMigrationCheck_MixedNotebooks(t *testing.T) {
 	}
 
 	// Notebook without accelerator
-	nb1 := &unstructured.Unstructured{
-		Object: map[string]any{
-			"apiVersion": resources.Notebook.APIVersion(),
-			"kind":       resources.Notebook.Kind,
-			"metadata": map[string]any{
-				"name":      "plain-notebook",
-				"namespace": "ns1",
-			},
-			"spec": map[string]any{},
-		},
-	}
+	nb1 := newNotebook("plain-notebook", "ns1", notebookOptions{})
 
 	// Notebook with existing accelerator
-	nb2 := &unstructured.Unstructured{
-		Object: map[string]any{
-			"apiVersion": resources.Notebook.APIVersion(),
-			"kind":       resources.Notebook.Kind,
-			"metadata": map[string]any{
-				"name":      "gpu-notebook",
-				"namespace": "ns2",
-				"annotations": map[string]any{
-					"opendatahub.io/accelerator-name":              "nvidia-gpu",
-					"opendatahub.io/accelerator-profile-namespace": "redhat-ods-applications",
-				},
-			},
-			"spec": map[string]any{},
+	nb2 := newNotebook("gpu-notebook", "ns2", notebookOptions{
+		Annotations: map[string]any{
+			"opendatahub.io/accelerator-name":              "nvidia-gpu",
+			"opendatahub.io/accelerator-profile-namespace": "redhat-ods-applications",
 		},
-	}
+	})
 
 	// Notebook with missing accelerator
-	nb3 := &unstructured.Unstructured{
-		Object: map[string]any{
-			"apiVersion": resources.Notebook.APIVersion(),
-			"kind":       resources.Notebook.Kind,
-			"metadata": map[string]any{
-				"name":      "broken-notebook",
-				"namespace": "ns3",
-				"annotations": map[string]any{
-					"opendatahub.io/accelerator-name":              "missing-profile",
-					"opendatahub.io/accelerator-profile-namespace": "some-ns",
-				},
-			},
-			"spec": map[string]any{},
+	nb3 := newNotebook("broken-notebook", "ns3", notebookOptions{
+		Annotations: map[string]any{
+			"opendatahub.io/accelerator-name":              "missing-profile",
+			"opendatahub.io/accelerator-profile-namespace": "some-ns",
 		},
-	}
+	})
 
 	target := testutil.NewTarget(t, testutil.TargetConfig{
 		ListKinds:      acceleratorListKinds,
@@ -273,7 +218,7 @@ func TestAcceleratorMigrationCheck_MixedNotebooks(t *testing.T) {
 		"Type":    Equal(notebook.ConditionTypeAcceleratorProfileCompatible),
 		"Status":  Equal(metav1.ConditionFalse),
 		"Reason":  Equal(check.ReasonResourceNotFound),
-		"Message": And(ContainSubstring("2 Notebook(s)"), ContainSubstring("1 missing")),
+		"Message": Equal(fmt.Sprintf(notebook.MsgAcceleratorProfilesMissing, 2, 1)),
 	}))
 	g.Expect(result.Status.Conditions[0].Impact).To(Equal(resultpkg.ImpactAdvisory))
 	g.Expect(result.Status.Conditions[0].Remediation).To(ContainSubstring("HardwareProfiles"))
@@ -401,21 +346,12 @@ func TestAcceleratorMigrationCheck_DefaultNamespace(t *testing.T) {
 	}
 
 	// Notebook with accelerator name but no namespace annotation (should default to applications namespace)
-	nb := &unstructured.Unstructured{
-		Object: map[string]any{
-			"apiVersion": resources.Notebook.APIVersion(),
-			"kind":       resources.Notebook.Kind,
-			"metadata": map[string]any{
-				"name":      "notebook-default-ns",
-				"namespace": "user-ns",
-				"annotations": map[string]any{
-					"opendatahub.io/accelerator-name": "my-gpu",
-					// No namespace annotation - should default to applications namespace
-				},
-			},
-			"spec": map[string]any{},
+	nb := newNotebook("notebook-default-ns", "user-ns", notebookOptions{
+		Annotations: map[string]any{
+			"opendatahub.io/accelerator-name": "my-gpu",
+			// No namespace annotation - should default to applications namespace
 		},
-	}
+	})
 
 	target := testutil.NewTarget(t, testutil.TargetConfig{
 		ListKinds:      acceleratorListKinds,
@@ -433,7 +369,7 @@ func TestAcceleratorMigrationCheck_DefaultNamespace(t *testing.T) {
 	g.Expect(result.Status.Conditions[0].Condition).To(MatchFields(IgnoreExtras, Fields{
 		"Type":   Equal(notebook.ConditionTypeAcceleratorProfileCompatible),
 		"Status": Equal(metav1.ConditionFalse),
-		"Reason": Equal(check.ReasonConfigurationInvalid),
+		"Reason": Equal(check.ReasonMigrationPending),
 	}))
 	g.Expect(result.Status.Conditions[0].Impact).To(Equal(resultpkg.ImpactAdvisory))
 	g.Expect(result.Annotations).To(HaveKeyWithValue(check.AnnotationImpactedWorkloadCount, "1"))