Skip to content

NO-ISSUE: Fixes KubeletConfig API doc, adds tests and kubebuilder validation#2651

Open
ngopalak-redhat wants to merge 2 commits intoopenshift:masterfrom
ngopalak-redhat:ngopalak/autonode_doc
Open

NO-ISSUE: Fixes KubeletConfig API doc, adds tests and kubebuilder validation#2651
ngopalak-redhat wants to merge 2 commits intoopenshift:masterfrom
ngopalak-redhat:ngopalak/autonode_doc

Conversation

@ngopalak-redhat
Copy link
Contributor

@ngopalak-redhat ngopalak-redhat commented Jan 16, 2026
edited
Loading

This PR improves the documentation for the KubeletConfigSpec API to make it more accurate and user-friendly.

Fixes the doc: https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/machine_apis/kubeletconfig-machineconfiguration-openshift-io-v1#spec-4

It also adds test coverage similar to the pattern established in #2370.

AutoSizingReserved will default to true from 4.21 onwards. The default value and the description was not documented until now.

Why is this a breaking change?

  • The additional kubebuilder validation makes this a breaking change.
  • If the user provides tlsSecurityProfile with just modern or custom fields but omits the type field, the validation passes because !has(self.type) evaluates to true.

Test Coverage

Created test file: machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml

@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 16, 2026

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 16, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2026
@coderabbitai
Copy link

coderabbitai bot commented Jan 16, 2026
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds a YAML test suite for the KubeletConfig CRD covering onCreate and onUpdate scenarios (single-field, multi-field, and invalid-value cases). Adds two optional fields to KubeletConfigSpec: AutoSizingReserved (*bool) and LogLevel (*int32) with validation (0–10). Updates generated Swagger/docs and the CRD: clarifies kubeletConfig and machineConfigPoolSelector descriptions, expands logLevel and tlsSecurityProfile descriptions, and adds x-kubernetes-validations to restrict tlsSecurityProfile to Old and Intermediate.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description check ✅ Passed The description is directly related to the changeset, explaining the documentation improvements, the new AutoSizingReserved field defaults, and test coverage added.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title accurately describes the main changes: documenting KubeletConfig API, adding tests, and introducing kubebuilder validation rules.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📝 Coding Plan
  • Generate coding plan for human review comments

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 16, 2026

Hello @ngopalak-redhat! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 16, 2026
@ngopalak-redhat
Copy link
Contributor Author

ngopalak-redhat commented Jan 16, 2026

/test all

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ngopalak-redhat
Copy link
Contributor Author

ngopalak-redhat commented Jan 16, 2026

@coderabbitai review

@coderabbitai
Copy link

coderabbitai bot commented Jan 16, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ngopalak-redhat ngopalak-redhat marked this pull request as ready for review January 16, 2026 06:31
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2026
coderabbitai[bot]
coderabbitai bot reviewed Jan 16, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In `@payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml`:
- Around line 118-123: The tlsSecurityProfile description in the KubeletConfig
CRD is inconsistent with the schema: the text claims "Only Old and Intermediate
profiles are supported; maximum minTLSVersion is VersionTLS12" while the schema
allows Modern and Custom (and VersionTLS13) because it relies on
configv1.TLSSecurityProfile which has no kubelet-specific restrictions; to fix,
either add explicit validation to the CRD (e.g., CEL rules or a validating
webhook) to reject profile.type values "Modern" and "Custom" and enforce max
minTLSVersion of "VersionTLS12", or update the tlsSecurityProfile description to
accurately reflect that the schema permits Modern and Custom and VersionTLS13 by
referencing configv1.TLSSecurityProfile semantics; locate and change the
tlsSecurityProfile block in the KubeletConfig CRD (symbol: tlsSecurityProfile,
resource: KubeletConfig) and implement one of the two options consistently
(validation rules if you want to forbid Modern/Custom, otherwise update the
descriptive text).
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 12dcb66 and 8e0b9d6.

⛔ Files ignored due to path filters (2)
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
📒 Files selected for processing (4)
  • machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml
  • machineconfiguration/v1/types.go
  • machineconfiguration/v1/zz_generated.swagger_doc_generated.go
  • payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • machineconfiguration/v1/types.go
🔇 Additional comments (2)
machineconfiguration/v1/zz_generated.swagger_doc_generated.go (1)

216-223: Docs read well and are consistent with the CRD updates.
The KubeletConfigSpec descriptions are clear and actionable.

machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml (1)

1-275: Solid coverage for create/update scenarios.
The matrix of single-field and combined updates looks thorough.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.

@ngopalak-redhat ngopalak-redhat changed the title Fixes KubeletConfig API doc and adds tests NO-ISSUE: Fixes KubeletConfig API doc and adds tests Jan 16, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 16, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 16, 2026

@ngopalak-redhat: This pull request explicitly references no jira issue.

Details

In response to this:

This PR improves the documentation for the KubeletConfigSpec API to make it more accurate and user-friendly.
The focus is AutoSizingReserved. I have ignored adding the tests and the validation for TLSSecurityProfile. Also I haven't added the kubebuilder validation for LogLevel. They can be done in a different PR as this one focusses on API doc only.

It also adds test coverage similar to the pattern established in #2370.

AutoSizingReserved will default to true from 4.21 onwards. The default value and the description was not documented until now.

Test Coverage

Created test file: machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ngopalak-redhat
Copy link
Contributor Author

ngopalak-redhat commented Jan 16, 2026

cc: @haircommander @sairameshv

saschagrunert
saschagrunert reviewed Jan 22, 2026
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR, I have a bunch of improvements sggested.

Please note that we need to add integration tests for the new validations.

@openshift-ci openshift-ci bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 22, 2026
coderabbitai[bot]
coderabbitai bot reviewed Jan 22, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In `@machineconfiguration/v1/types.go`:
- Around line 769-774: The CEL XValidation currently permits profiles without an
explicit type and thus allows Modern/Custom via embedded fields; update the
validation on TLSSecurityProfile to require that the type field is present and
equal to either "Old" or "Intermediate" (e.g. change the rule to require
has(self.type) && (self.type == 'Old' || self.type == 'Intermediate')), so
TLSSecurityProfile (the TLSSecurityProfile *configv1.TLSSecurityProfile field)
cannot be set to Modern/Custom without an explicit allowed type.
♻️ Duplicate comments (1)
payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml (1)

268-271: Keep the CRD validation in sync with the tightened TLS rule.

Same concern as in machineconfiguration/v1/types.go: regenerate this CRD after tightening the CEL rule so missing type can’t bypass the restriction.

🧹 Nitpick comments (1)
machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml (1)

173-220: Add a negative case for tlsSecurityProfile without type.

This will lock in the stricter validation and prevent bypasses if the object is provided without a type.

🧪 Suggested test case 
@@
     - name: Should reject tlsSecurityProfile with Custom type
       initial: |
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
           tlsSecurityProfile:
             type: Custom
             custom:
               ciphers:
                 - ECDHE-ECDSA-AES128-GCM-SHA256
               minTLSVersion: VersionTLS12
       expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
+    - name: Should reject tlsSecurityProfile without type
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+      expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"

@ngopalak-redhat
Copy link
Contributor Author

ngopalak-redhat commented Jan 23, 2026

Thank you for the PR, I have a bunch of improvements sggested.

Please note that we need to add integration tests for the new validations.

@saschagrunert I made the code changes as suggested. I also added the validations and tests to machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml.

Are these the integration tests you were referring to?

saschagrunert
saschagrunert reviewed Jan 26, 2026
View reviewed changes
@openshift-ci openshift-ci bot removed the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jan 27, 2026
@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 27, 2026
@ngopalak-redhat ngopalak-redhat force-pushed the ngopalak/autonode_doc branch 2 times, most recently from 33fda82 to 1b89d6b Compare January 27, 2026 11:35
@ngopalak-redhat
Copy link
Contributor Author

ngopalak-redhat commented Jan 27, 2026

@saschagrunert Thanks for the review. I have addressed your comments. Could you take another look? I also replied to the specific discussion here: #2651 (comment)

@ngopalak-redhat ngopalak-redhat changed the title NO-ISSUE: Fixes KubeletConfig API doc and adds tests NO-ISSUE: Fixes KubeletConfig API doc, adds tests and kubebuilder validation Feb 19, 2026
saschagrunert
saschagrunert reviewed Feb 23, 2026
View reviewed changes
@ngopalak-redhat ngopalak-redhat force-pushed the ngopalak/autonode_doc branch from abafcac to 13eaa95 Compare March 2, 2026 12:54
saschagrunert
saschagrunert reviewed Mar 6, 2026
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for iterating on this. The PR is in good shape. The documentation improvements follow the API conventions well and the ratcheting tests properly cover the upgrade path.

The verify-crdify failure is expected since this PR intentionally tightens logLevel bounds and adds a CEL rule on tlsSecurityProfile. We can /override once the inline comments are addressed.

Putting it into shadow review complete since the required changes are already suggested.

everettraven
everettraven reviewed Mar 6, 2026
View reviewed changes
Copy link
Contributor

@everettraven everettraven left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple comments to add to @saschagrunert 's review but overall this looks pretty good.

@ngopalak-redhat
Copy link
Contributor Author

ngopalak-redhat commented Mar 11, 2026

/hold
There is a bug fix for the log-level in the MCO: openshift/machine-config-operator#5757

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 11, 2026
@ngopalak-redhat
Copy link
Contributor Author

ngopalak-redhat commented Mar 16, 2026

@saschagrunert @everettraven

Please review

everettraven
everettraven reviewed Mar 16, 2026
View reviewed changes
machineconfiguration/v1/types.go
Comment on lines +773 to +775
// When specified, the type field can be set to either "Old", "Intermediate", "Modern", "Custom" or omitted for backward compatibility.
// maximum minTLSVersion is VersionTLS13.
// +kubebuilder:validation:XValidation:rule="!has(self.type) || self.type == 'Old' || self.type == 'Intermediate' || self.type == 'Modern' || self.type == 'Custom'",message="only Old, Intermediate, Modern and Custom TLS profiles are supported for kubelet"
Copy link
Contributor

@everettraven everettraven Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you are allowing the type to be any of the types that are valid for the TLSSecurityProfile.Type field you probably don't need this validation - the type alias for that field already enforces an enum constraint with these same values.

Copy link
Contributor Author

@ngopalak-redhat ngopalak-redhat Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@everettraven Let's say there is a addition to TLSSecurityProfile.Type enum which kubelet doesn't support yet, then we need this validation right?

Copy link
Contributor

@everettraven everettraven Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In theory, yes. In practice, this is unlikely. Any changes to the TLSSecurityProfile API will need to go through the feature promotion process which will include ensuring that all components either support the changes or they have been explicitly updated to not handle them prior to the promotion of the field.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 16, 2026

@ngopalak-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify-crdify 2dc542b link true /test verify-crdify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@everettraven everettraven everettraven left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@qodo-code-review qodo-code-review[bot] qodo-code-review[bot] left review comments

@sinnykumari sinnykumari Awaiting requested review from sinnykumari

+3 more reviewers

@saschagrunert saschagrunert saschagrunert left review comments

@bitoku bitoku bitoku left review comments

@sairameshv sairameshv sairameshv left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ngopalak-redhat @openshift-ci-robot @saschagrunert @bitoku @sairameshv @everettraven