OCPCLOUD-3327: Rewrite manifests-gen to support upgrade safety

[mdbooth]

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

  • Load and cache provider manifests from container images with profile discovery.
  • Generate InfraCluster protection policies for matching CRDs.

• Improvements

  • Streamlined manifest generation and CLI validation with clearer error reporting.
  • Deployment mounts a provider-images volume and respects PROVIDER_IMAGE_DIR.
  • Enhanced RBAC: added Role and RoleBinding for pull-secret access.

• Tests

  • Added extensive tests for provider image discovery, extraction, and processing.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Migrate manifest generation to a typed client.Object pipeline, add a Go-based manifest generator and a provider image subsystem that fetches/extracts manifests from container images, remove the legacy provider pipeline, integrate provider images into controllers, and add RBAC and deployment changes for provider-image handling.

Changes

Cohort / File(s)	Summary
Manifest generation core manifests-gen/generate.go, manifests-gen/customizations.go, manifests-gen/main.go, manifests-gen/util.go, manifests-gen/kustomization.yaml, manifests-gen/go.mod	Add Go manifest generator and CLI validation; migrate processing from unstructured to client.Object (new signatures like processObjects([]client.Object, opts) ([]client.Object, error)), add helpers (stripStatus, setTypeMetadataFromScheme, mustConvert), extraObjects generation, and metadata/manifests writing.
Removed legacy provider pipeline manifests-gen/providercustomizations.go (deleted), manifests-gen/providers.go (deleted)	Remove previous provider customization dispatcher and provider orchestration code.
Provider image subsystem pkg/providerimages/providerimages.go, pkg/providerimages/pullsecret.go, pkg/providerimages/providerimages_test.go	New package to read/fetch/container-image-extract provider manifests: discover profiles, extract /capi-operator-manifests, write manifests with hashes, parse docker pull-secret into a keychain, and extensive tests.
Controller & CLI integration pkg/controllers/capiinstaller/capi_installer_controller.go, pkg/controllers/capiinstaller/capi_installer_controller_test.go, cmd/capi-operator/main.go	Add ProviderImages field and reconcileProviderImages flow (sort by InstallOrder/Name), provider image application helpers (applyProviderImage, extractManifests), startup loading of provider images via ReadProviderImages, and tests for ordering and manifest extraction.
Manifests: RBAC and deployment manifests/0000_30_cluster-api_03_rbac_roles.yaml, manifests/0000_30_cluster-api_04_rbac_bindings.yaml, manifests/0000_30_cluster-api_11_deployment.yaml	Add Role and RoleBinding to grant pull-secret access; modify capi-controllers Deployment to include PROVIDER_IMAGE_DIR env var, provider-images emptyDir volume, and mount.
Config & dependency updates pkg/util/readconfig.go, go.mod, manifests-gen/go.mod, e2e/go.mod, hack/tools/go.mod	Remove ReadProvidersFile; change ReadImagesFile parsing to JSON; reorganize module dependencies to add container/image tooling (google/go-containerregistry, docker/cli, opencontainers/image-spec) and related indirect updates.
Utilities & conversion helpers manifests-gen/util.go, pkg/providerimages/pullsecret.go	Add generic convert/mustConvert helpers using scheme.Convert and a docker-config backed keychain implementation for image fetching.
Small lint/cleanup pkg/controllers/infracluster/azure.go, pkg/conversion/capi2mapi/aws.go	Remove nolint:gosec comments; no behavioral changes.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI
    participant Loader as loadProviderImages
    participant PullSecret as PullSecret Reader
    participant Fetcher as Image Fetcher
    participant Registry as Image Registry
    participant Extractor as Manifest Extractor
    participant Disk as Filesystem
    participant Controller as CapiInstallerController

    CLI->>Loader: generateManifests / loadProviderImages(imagesFile)
    Loader->>PullSecret: read pull-secret from openshift-config
    PullSecret-->>Loader: docker keychain
    Loader->>Fetcher: fetch image (with keychain)
    Fetcher->>Registry: request image layers
    Registry-->>Fetcher: layers + manifest blobs
    Fetcher->>Extractor: extract /capi-operator-manifests
    Extractor->>Disk: write files (profiles, metadata.yaml, manifests.yaml)
    Disk-->>Loader: extracted paths / profile list
    Loader->>CLI: return providerProfiles + containerImages
    CLI->>Controller: setup with providerProfiles
    Controller->>Controller: reconcileProviderImages (sorted)
    loop for each provider
      Controller->>Disk: read manifests.yaml
      Controller->>Controller: extractManifests -> resources
      Controller->>Controller: applyProviderComponents (CRDs, Deployments, others)
    end
    Controller-->>CLI: reconciliation complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I nudged through manifests, tidy and bright,

Typed objects hopping in clear, careful rows.
Images came tumbling down from registries by night,
Extracted, hashed, mounted — ready to compose.
A nibble of joy for builders — the pipeline grows!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and specifically describes the main change: rewriting manifests-gen to support upgrade safety. It references the Jira ticket OCPCLOUD-3327, is concise, and accurately reflects the substantial refactoring of the manifest generation system described in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

• Remove provider customisation for PowerVS
• manifests-gen: Rewrite to support Update Safety
• capiinstaller: Compatibility with new manifests-gen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mdbooth]

/test e2e-aws-ovn-techpreview

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

[mdbooth]

/test e2e-aws-ovn-techpreview

[mdbooth]

/test e2e-aws-ovn-techpreview
/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

[mdbooth]

/test e2e-aws-ovn-techpreview

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[mdbooth]

The e2e-aws-ovn-techpreview pass shows the modifications to the capiinstaller controller are backwards compatible with current transport configmaps.

openshift/cluster-api-provider-aws#584 and openshift/cluster-api#259 update CAPA and core CAPI to publish manifests only in the provider images. They do not publish transport configmaps.

The multi-pr test pass with these 2 PRs shows that pulling manifests from images is working.

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: theobarberbany

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [theobarberbany]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[theobarberbany]

/hold

[theobarberbany]

/testwith openshift/cluster-capi-operator/main/e2e-aws-capi-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Load provider manifests from container images with discovery, caching and profile extraction.

• Generate InfraCluster protection policies when matching CRDs are present.

• Improvements

• Streamlined manifest generation flow and CLI validation with clearer error reporting.

• Deployment now mounts a provider-images volume and respects PROVIDER_IMAGE_DIR for image files.

• Enhanced RBAC: added Role and RoleBinding for pull-secret access.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[theobarberbany]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[theobarberbany]

Installs work - only failures are VAP ones where we have flaky tests, that dont give signal for this sort of change.

[theobarberbany]

/lgtm
/unhold

[theobarberbany]

@CodeRabbit full

[coderabbitai]

@theobarberbany: I'll perform a full review of all the changes in this PR.

✅ Actions performed

Full review triggered.

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Load and cache provider manifests from container images with profile discovery.

• Generate InfraCluster protection policies for matching CRDs.

• Improvements

• Streamlined manifest generation and CLI validation with clearer error reporting.

• Deployment mounts a provider-images volume and respects PROVIDER_IMAGE_DIR.

• Enhanced RBAC: added Role and RoleBinding for pull-secret access.

• Tests

• Added extensive tests for provider image discovery, extraction, and processing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

pkg/conversion/capi2mapi/aws.go (2)

525-531: ⚠️ Potential issue | 🟡 Minor

Validate negative throughput before narrowing.

Line 526 only guards > MaxInt32. A negative throughput will still be encoded into the provider config, which is invalid for AWS and can fail later. Add a lower-bound check and surface a field error.

Suggested fix

 	if volume.Throughput != nil {
-		if *volume.Throughput > math.MaxInt32 {
+		if *volume.Throughput < 0 || *volume.Throughput > math.MaxInt32 {
 			return mapiv1beta1.BlockDeviceMappingSpec{}, field.Invalid(fldPath.Child("throughput"), *volume.Throughput, "throughput exceeds maximum int32 value")
 		}
 
 		bdm.EBS.ThroughputMib = ptr.To(int32(*volume.Throughput))
 	}

---

548-554: ⚠️ Potential issue | 🟠 Major

Prevent overflow on placement group partition narrowing.

Line 553 narrows int64 → int32 with no bounds check, which can overflow and silently corrupt the provider spec. With the nolint removed, this is also likely to re-trigger gosec. Consider adding explicit bounds validation and returning a field error to the caller.

Suggested fix (function)

-func convertAWSPlacementGroupPartition(in int64) *int32 {
+func convertAWSPlacementGroupPartition(fldPath *field.Path, in int64) (*int32, *field.Error) {
 	if in == 0 {
-		return nil
+		return nil, nil
 	}
 
-	return ptr.To(int32(in))
+	if in < math.MinInt32 || in > math.MaxInt32 {
+		return nil, field.Invalid(fldPath, in, "placementGroupPartition out of int32 range")
+	}
+	return ptr.To(int32(in)), nil
 }

Additional call-site update (outside this hunk) would be needed to append the error to errors in toProviderSpec when setting PlacementGroupPartition.

manifests-gen/customizations.go (1)

161-165: ⚠️ Potential issue | 🟡 Minor

Typo in panic message.

The panic message has a concatenation issue: "can't find secret from cert:CustomResourceDefinition " should likely just include the certNN value without "CustomResourceDefinition".

Suggested fix

-				panic("can't find secret from cert:CustomResourceDefinition " + certNN)
+				panic("can't find secret from cert: " + certNN)

🤖 Fix all issues with AI agents

In `@pkg/providerimages/providerimages_test.go`:
- Around line 409-424: The test case "missing manifest image name" is using
legacy metadata keys so it doesn't properly test the "missing selfImageRef"
scenario; update the YAML passed into createCapiManifestsImage in the
setupFetcher closure to use the current metadata schema (same field names as
production tests) but simply omit the selfImageRef line so the test isolates the
missing selfImageRef behavior; locate the setupFetcher in providerimages_test.go
that calls createCapiManifestsImage and replace the legacy metadata block with a
schema-correct block missing only selfImageRef.

🧹 Nitpick comments (4)

pkg/providerimages/pullsecret.go (1)

60-66: Consider a clearer empty-config check.

The current approach mutates cfg.ServerAddress before comparison. While safe (cfg is a value copy), the intent would be clearer by checking meaningful fields directly:

♻️ Suggested alternative

-	// Check if we got an empty config
-	empty := types.AuthConfig{}
-	cfg.ServerAddress = "" // Clear for comparison
-
-	if cfg == empty {
+	// Check if we got an empty config (no credentials)
+	if cfg.Username == "" && cfg.Password == "" && cfg.Auth == "" &&
+		cfg.IdentityToken == "" && cfg.RegistryToken == "" {
 		return authn.Anonymous, nil
 	}

manifests/0000_30_cluster-api_11_deployment.yaml (1)

35-61: Consider explicit securityContext hardening for capi-controllers.
With a writable volume mounted, you can still set readOnlyRootFilesystem: true and disable privilege escalation while keeping /var/lib/provider-images writable.

🔒 Example hardening (optional)

       - name: capi-controllers
         image: registry.ci.openshift.org/openshift:cluster-capi-operator
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true

Also applies to: 94-100

manifests-gen/generate.go (2)

102-102: O_APPEND flag is redundant with O_TRUNC.

Since O_TRUNC empties the file and writes are sequential via the buffered writer, O_APPEND has no effect here.

Suggested simplification

-	manifestsFile, err := os.OpenFile(manifestsPathname, os.O_CREATE|os.O_TRUNC|os.O_WRONLY|os.O_APPEND, 0600)
+	manifestsFile, err := os.OpenFile(manifestsPathname, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)

---

137-137: Same redundant O_APPEND flag.

Consistent with the earlier comment, O_APPEND is unnecessary here.

Suggested simplification

-	metadataFile, err := os.OpenFile(metadataPathname, os.O_CREATE|os.O_TRUNC|os.O_WRONLY|os.O_APPEND, 0600)
+	metadataFile, err := os.OpenFile(metadataPathname, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use current metadata schema when testing “missing selfImageRef”.
The YAML in this case uses legacy keys, so the test no longer isolates “missing selfImageRef” behavior; it may pass for the wrong reason. Prefer a schema-correct metadata block that simply omits the selfImageRef line.

🔧 Suggested adjustment

-				// Create metadata YAML without manifestImageName field
-				img, err := createCapiManifestsImage(
-					`providerName: aws
-providerType: infrastructure
-providerVersion: v1.0.0
-ocpPlatform: aws
-contentID: id
-`,
+				// Create metadata YAML without selfImageRef field
+				img, err := createCapiManifestsImage(
+					`name: aws
+ocpPlatform: aws
+installOrder: 20
+attributes:
+  type: infrastructure
+  version: v1.0.0
+`,
 					"image: some-other-image:latest\n",
 				)

🤖 Prompt for AI Agents

In `@pkg/providerimages/providerimages_test.go` around lines 409 - 424, The test
case "missing manifest image name" is using legacy metadata keys so it doesn't
properly test the "missing selfImageRef" scenario; update the YAML passed into
createCapiManifestsImage in the setupFetcher closure to use the current metadata
schema (same field names as production tests) but simply omit the selfImageRef
line so the test isolates the missing selfImageRef behavior; locate the
setupFetcher in providerimages_test.go that calls createCapiManifestsImage and
replace the legacy metadata block with a schema-correct block missing only
selfImageRef.

[theobarberbany]

/verified by e2es + test with + and manual testing

[openshift-ci-robot]

@theobarberbany: This PR has been marked as verified by e2es + test with + and manual testing.

Details

In response to this:

/verified by e2es + test with + and manual testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[theobarberbany]

/test okd-scos-images

[theobarberbany]

/test e2e-openstack-ovn-techpreview

[theobarberbany]

Across the last 3 open stack runs we have every test going green, it's just a flaky e2e :(

/override e2e-openstack-ovn-techpreview

[openshift-ci]

@theobarberbany: Overrode contexts on behalf of theobarberbany: ci/prow/e2e-openstack-ovn-techpreview

Details

In response to this:

Across the last 3 open stack runs we have every test going green, it's just a flaky e2e :(

/override ci/prow/e2e-openstack-ovn-techpreview

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[theobarberbany]

/tide refresh

[openshift-ci]

@mdbooth: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal3-capi-techpreview	f2238b7	link	false	/test e2e-metal3-capi-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.