wip

[QiWang19]

- What I did

- How to verify it

- Description for the changelog

Summary by CodeRabbit

Release Notes

• New Features

  • Added support for CRI-O Credential Provider Config to enable automatic management and application of container image credentials across machine configuration pools.

• Chores

  • Updated RBAC permissions for credential provider access.
  • Extended kubelet service templates to support credential provider configuration flags.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

This PR introduces CRIOCredentialProviderConfig resource support to the machine configuration system, enabling automatic management of CRI-O credential provider configurations across MachineConfigPools. Changes span RBAC permissions, controller implementation with observer wiring and lifecycle handling, helper functions for credential provider config rendering and merging, constants, kubelet service templates, and comprehensive test coverage.

Changes

Cohort / File(s)	Summary
RBAC Cluster Resources install/0000_80_machine-config_00_rbac.yaml, manifests/machineconfigcontroller/clusterrole.yaml	Added ClusterRole and ClusterRoleBinding for node-credential-providers; extended machine-config-controller ClusterRole with permissions for criocredentialproviderconfigs and criocredentialproviderconfigs/status resources.
Container Runtime Controller Implementation pkg/controller/container-runtime-config/container_runtime_config_controller.go	Comprehensive feature addition: CRIOCredentialProviderConfig observer wiring, informer integration, lifecycle methods (criocpConfAdded/Updated/Deleted), sync paths (syncCRIOCredentialProviderConfig, syncCRIOCredentialProviderConfigStatusOnly), ignition generation (generateOriginalCredentialProviderConfig, crioCredentialProviderConfigIgnition), and status propagation with condition handling.
Helper Functions & Types pkg/controller/container-runtime-config/helpers.go	Added credential provider config parsing, merging, and validation utilities: credProviderConfigObject, updateCredentialProviderConfig, generateDropinUnitCredProviderConfig, wrapErrorWithCRIOCredentialProviderConfigCondition, findCredProviderConfig, getManagedKeyCRIOCredentialProvider, and ownerReferenceCredentialProviderConfig functions plus supporting types.
Test Coverage pkg/controller/container-runtime-config/container_runtime_config_controller_test.go, pkg/controller/container-runtime-config/helpers_test.go	Added comprehensive test fixtures, listers, and test cases for CRIOCredentialProviderConfig lifecycle; includes TestWrapErrorWithCRIOCredentialProviderConfigCondition and TestUpdateCredentialProviderConfig with multiple scenarios.
Constants & Configuration pkg/daemon/constants/constants.go, pkg/apihelpers/apihelpers.go	Added KubernetesCredentialProvidersDir and KubeletCrioImageCredProviderConfPath constants; added two credential provider directory entries to default cluster node disruption policies.
Kubelet Service Templates templates/arbiter/01-arbiter-kubelet/_base/units/kubelet.service.yaml, templates/arbiter/01-arbiter-kubelet/on-prem/units/kubelet.service.yaml, templates/master/01-master-kubelet/on-prem/units/kubelet.service.yaml, templates/worker/01-worker-kubelet/on-prem/units/kubelet.service.yaml	Extended kubelet ExecStart commands with $KUBELET_CRIO_IMAGE_CREDENTIAL_PROVIDER_FLAGS argument to enable credential provider configuration at service startup.
Test Framework test/framework/envtest.go	Added CRD manifest paths for CRIOCredentialProviderConfigs in OpenShift config v1alpha1 API group to test environment setup.

Sequence Diagram(s)

sequenceDiagram
    participant Watch as Informer<br/>(Watch)
    participant Controller as Controller<br/>(Sync)
    participant ConfigPool as MachineConfigPool<br/>(Iteration)
    participant Ignition as Ignition<br/>(Generation)
    participant MachineConfig as MachineConfig<br/>(Update)
    participant Status as Status<br/>(Propagation)

    Watch->>Controller: CRIOCredentialProviderConfig Added/Updated/Deleted
    Controller->>Controller: Enqueue config reload in criocpQueue
    Controller->>Controller: syncCRIOCredentialProviderConfig()
    Controller->>ConfigPool: Iterate MachineConfigPools
    ConfigPool->>Ignition: generateOriginalCredentialProviderConfig()
    Ignition->>Ignition: Parse/merge credential provider config
    Ignition->>Ignition: Generate drop-in unit (if needed)
    Ignition->>Ignition: crioCredentialProviderConfigIgnition()
    Ignition-->>Controller: Ignition content
    Controller->>MachineConfig: Apply changes via ignition
    Controller->>Status: syncCRIOCredentialProviderConfigStatusOnly()
    Status->>Status: Update observedGeneration & conditions
    Status-->>Controller: Status updated

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test code has quality issues: CRIOCredentialProviderConfig CRDs lack proper handlers in CreateObjects/CleanEnvironment; assertions missing meaningful failure messages; patterns inconsistent with existing codebase conventions.	Add handler methods for CRIOCP objects, extend CreateObjects/CleanEnvironment for cleanup, add descriptive messages to all assertions, and align verification methods with existing codebase patterns.
Title check	❓ Inconclusive	The title 'wip' is vague and generic, using a non-descriptive abbreviation that does not convey meaningful information about the substantial changes in the changeset.	Replace 'wip' with a clear, specific title describing the main change. For example: 'Add CRIOCredentialProviderConfig support to container runtime controller' or similar descriptive phrase.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Stable And Deterministic Test Names	✅ Passed	This pull request does not contain any Ginkgo-style tests. All test names are static and deterministic with no dynamic information.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: QiWang19
Once this PR has been reviewed and has the lgtm label, please assign umohnani8 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

pkg/controller/container-runtime-config/container_runtime_config_controller_test.go (1)

2167-2172: Exercise both rendered pool outputs in these CRIOCP tests.

These assertions only inspect mcs.Name, but the controller renders role-specific content (pool.Name flows into crioCredentialProviderConfigIgnition). A worker-only regression—or an unexpected drop-in on AWS/GCP/Azure—would still pass here. Please verify both generated MachineConfigs and the “no drop-in” branches as well.

Also applies to: 2221-2227, 2254-2254, 2316-2320

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@pkg/controller/container-runtime-config/container_runtime_config_controller_test.go`
around lines 2167 - 2172, The test only calls
f.verifyCRIOCredentialProviderConfigContents with mcs.Name, so it misses
verifying the role-specific MachineConfig rendered for each pool; update the
test to call verifyCRIOCredentialProviderConfigContents for both mcs.Name and
the generated MachineConfig name that includes pool.Name (i.e., exercise the
worker and master pool outputs), passing the same criocp and verifyOpts, and add
assertions for the "no drop-in" branch by setting verifyOpts.expectDropin=false
and expectDropinPath empty when platform is AWS/GCP/Azure to ensure both
presence and absence of constants.KubeletCrioImageCredProviderConfPath are
checked.

pkg/controller/container-runtime-config/helpers.go (1)

1356-1357: Minor: Redundant condition check.

The check crioCredProviderExist && crioCredProviderIdx != -1 is redundant since crioCredProviderIdx is set to a non-negative value in the same block where crioCredProviderExist becomes true (lines 1305-1306).

♻️ Proposed simplification

-	if crioCredProviderExist && crioCredProviderIdx != -1 {
+	if crioCredProviderExist {
 		credProviderConfigObject.Providers[crioCredProviderIdx].MatchImages = images

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/container-runtime-config/helpers.go` around lines 1356 - 1357,
Remove the redundant boolean check by relying only on crioCredProviderIdx to
determine presence: when updating
credProviderConfigObject.Providers[crioCredProviderIdx].MatchImages, drop
crioCredProviderExist && and keep the index check (crioCredProviderIdx != -1)
or, even better, assume the index is valid in the same block that sets it;
update the block that currently uses crioCredProviderExist and
crioCredProviderIdx to reference only crioCredProviderIdx (and ensure Providers
and MatchImages are accessed via
credProviderConfigObject.Providers[crioCredProviderIdx]).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@pkg/controller/container-runtime-config/container_runtime_config_controller.go`:
- Around line 1189-1218: The status updates for Validated and
MachineConfigRendered are being written inside the per-pool retry loop, allowing
later pools to overwrite earlier pool results; change the logic to aggregate
per-pool results first and write resource-level status once after looping all
pools: call crioCredentialProviderConfigIgnition and syncIgnitionConfig for each
pool as you do now but collect overlappedEntries (merge unique entries), any
per-pool errors, and a boolean "anyApplied" across pools; remove the per-pool
calls to syncCRIOCredentialProviderConfigStatusOnly and instead after the pool
loop call syncCRIOCredentialProviderConfigStatusOnly once — if merged
overlappedEntries non-empty set ConditionTypeValidated with
ReasonConfigurationPartiallyApplied and include the aggregated list, and for
ConditionTypeMachineConfigRendered set ReasonMachineConfigRenderingFailed if any
error occurred or ReasonMachineConfigRenderingSucceeded only if all pools
succeeded (use the collected anyApplied/anyError flags).
- Around line 549-566: In handleQueueErr ensure maxRetries is an actual cap:
when queue.NumRequeues(key) >= maxRetries you should call
utilruntime.HandleError(err), log the drop, call queue.Forget(key) and NOT
requeue the key; remove the queue.AddAfter(key, 1*time.Minute) in that branch
(or only use AddAfter before Forget if you intend a single delayed retry, but do
not re-add after forgetting), updating the logic around handleQueueErr,
queue.Forget, queue.AddAfter so permanent/validation errors are not retried
forever.

In `@test/framework/envtest.go`:
- Around line 119-121: Add handling for the CRIOCredentialProviderConfig type in
the envtest shared helpers so CreateObjects and CleanEnvironment don't treat it
as unknown or leak instances: update the type-switches/known-type lists used by
CreateObjects, CleanEnvironment (and any deleteObject/ensureDeleted helpers) to
include the CRIOCredentialProviderConfig kind/name (and its API group/version
used in the CRD), implement creation logic in CreateObjects and
deletion/checking logic in CleanEnvironment/delete helpers to create/delete that
resource just like the other vendor CRD types referenced in the file.

---

Nitpick comments:
In
`@pkg/controller/container-runtime-config/container_runtime_config_controller_test.go`:
- Around line 2167-2172: The test only calls
f.verifyCRIOCredentialProviderConfigContents with mcs.Name, so it misses
verifying the role-specific MachineConfig rendered for each pool; update the
test to call verifyCRIOCredentialProviderConfigContents for both mcs.Name and
the generated MachineConfig name that includes pool.Name (i.e., exercise the
worker and master pool outputs), passing the same criocp and verifyOpts, and add
assertions for the "no drop-in" branch by setting verifyOpts.expectDropin=false
and expectDropinPath empty when platform is AWS/GCP/Azure to ensure both
presence and absence of constants.KubeletCrioImageCredProviderConfPath are
checked.

In `@pkg/controller/container-runtime-config/helpers.go`:
- Around line 1356-1357: Remove the redundant boolean check by relying only on
crioCredProviderIdx to determine presence: when updating
credProviderConfigObject.Providers[crioCredProviderIdx].MatchImages, drop
crioCredProviderExist && and keep the index check (crioCredProviderIdx != -1)
or, even better, assume the index is valid in the same block that sets it;
update the block that currently uses crioCredProviderExist and
crioCredProviderIdx to reference only crioCredProviderIdx (and ensure Providers
and MatchImages are accessed via
credProviderConfigObject.Providers[crioCredProviderIdx]).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ff4b7c37-4de5-4304-91d1-387d9b9d8c5f

📥 Commits

Reviewing files that changed from the base of the PR and between 4b32d3f and 06a5c39.

📒 Files selected for processing (13)

• install/0000_80_machine-config_00_rbac.yaml
• manifests/machineconfigcontroller/clusterrole.yaml
• pkg/apihelpers/apihelpers.go
• pkg/controller/container-runtime-config/container_runtime_config_controller.go
• pkg/controller/container-runtime-config/container_runtime_config_controller_test.go
• pkg/controller/container-runtime-config/helpers.go
• pkg/controller/container-runtime-config/helpers_test.go
• pkg/daemon/constants/constants.go
• templates/arbiter/01-arbiter-kubelet/_base/units/kubelet.service.yaml
• templates/arbiter/01-arbiter-kubelet/on-prem/units/kubelet.service.yaml
• templates/master/01-master-kubelet/on-prem/units/kubelet.service.yaml
• templates/worker/01-worker-kubelet/on-prem/units/kubelet.service.yaml
• test/framework/envtest.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

maxRetries is no longer a real cap.

Line 565 re-adds the key after Forget, so permanently invalid configs and hard failures will be retried forever once per minute. That contradicts the contract documented above and turns validation errors into endless log/queue churn for all three workers.

♻️ Suggested fix

 func (ctrl *Controller) handleQueueErr(queue workqueue.TypedRateLimitingInterface[string], resourceType string, err error, key string) {
 	if err == nil {
 		queue.Forget(key)
 		return
 	}
 
 	if queue.NumRequeues(key) < maxRetries {
 		klog.V(2).Infof("Error syncing %s %v: %v", resourceType, key, err)
 		queue.AddRateLimited(key)
 		return
 	}
 
 	utilruntime.HandleError(err)
 	klog.V(2).Infof("Dropping %s %q out of the queue: %v", resourceType, key, err)
 	queue.Forget(key)
-	queue.AddAfter(key, 1*time.Minute)
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// handleQueueErr handles errors for a given queue and resource type.
	func (ctrl *Controller) handleQueueErr(queue workqueue.TypedRateLimitingInterface[string], resourceType string, err error, key string) {
	if err == nil {
	ctrl.imgQueue.Forget(key)
	queue.Forget(key)
	return
	}
	if ctrl.imgQueue.NumRequeues(key) < maxRetries {
	klog.V(2).Infof("Error syncing image config %v: %v", key, err)
	ctrl.imgQueue.AddRateLimited(key)
	if queue.NumRequeues(key) < maxRetries {
	klog.V(2).Infof("Error syncing %s %v: %v", resourceType, key, err)
	queue.AddRateLimited(key)
	return
	}
	utilruntime.HandleError(err)
	klog.V(2).Infof("Dropping image config %q out of the queue: %v", key, err)
	ctrl.imgQueue.Forget(key)
	ctrl.imgQueue.AddAfter(key, 1*time.Minute)
	klog.V(2).Infof("Dropping %s %q out of the queue: %v", resourceType, key, err)
	queue.Forget(key)
	queue.AddAfter(key, 1*time.Minute)
	}
	// handleQueueErr handles errors for a given queue and resource type.
	func (ctrl *Controller) handleQueueErr(queue workqueue.TypedRateLimitingInterface[string], resourceType string, err error, key string) {
	if err == nil {
	queue.Forget(key)
	return
	}
	if queue.NumRequeues(key) < maxRetries {
	klog.V(2).Infof("Error syncing %s %v: %v", resourceType, key, err)
	queue.AddRateLimited(key)
	return
	}
	utilruntime.HandleError(err)
	klog.V(2).Infof("Dropping %s %q out of the queue: %v", resourceType, key, err)
	queue.Forget(key)
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@pkg/controller/container-runtime-config/container_runtime_config_controller.go`
around lines 549 - 566, In handleQueueErr ensure maxRetries is an actual cap:
when queue.NumRequeues(key) >= maxRetries you should call
utilruntime.HandleError(err), log the drop, call queue.Forget(key) and NOT
requeue the key; remove the queue.AddAfter(key, 1*time.Minute) in that branch
(or only use AddAfter before Forget if you intend a single delayed retry, but do
not re-add after forgetting), updating the logic around handleQueueErr,
queue.Forget, queue.AddAfter so permanent/validation errors are not retried
forever.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Aggregate CRIOCP status across pools before writing it.

crioCredentialProviderConfigIgnition(..., pool.Name, ...) is role-specific, but Validated and MachineConfigRendered are updated inside the per-pool loop. If master and worker resolve different overlap sets, the last pool processed can overwrite an earlier ConfigurationPartiallyApplied result with Succeeded, which misreports the resource-wide state.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@pkg/controller/container-runtime-config/container_runtime_config_controller.go`
around lines 1189 - 1218, The status updates for Validated and
MachineConfigRendered are being written inside the per-pool retry loop, allowing
later pools to overwrite earlier pool results; change the logic to aggregate
per-pool results first and write resource-level status once after looping all
pools: call crioCredentialProviderConfigIgnition and syncIgnitionConfig for each
pool as you do now but collect overlappedEntries (merge unique entries), any
per-pool errors, and a boolean "anyApplied" across pools; remove the per-pool
calls to syncCRIOCredentialProviderConfigStatusOnly and instead after the pool
loop call syncCRIOCredentialProviderConfigStatusOnly once — if merged
overlappedEntries non-empty set ConditionTypeValidated with
ReasonConfigurationPartiallyApplied and include the aggregated list, and for
ConditionTypeMachineConfigRendered set ReasonMachineConfigRenderingFailed if any
error occurred or ReasonMachineConfigRenderingSucceeded only if all pools
succeeded (use the collected anyApplied/anyError flags).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Extend the shared envtest helpers for the new CRD.

Lines 119-121 install the CRIOCredentialProviderConfig CRDs, but Lines 131-227, 229-325, and 327-414 still don't check, delete, or create that type. Tests using CreateObjects / CleanEnvironment will either fall into the Unknown object type branch or leak the resource between cases.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/framework/envtest.go` around lines 119 - 121, Add handling for the
CRIOCredentialProviderConfig type in the envtest shared helpers so CreateObjects
and CleanEnvironment don't treat it as unknown or leak instances: update the
type-switches/known-type lists used by CreateObjects, CleanEnvironment (and any
deleteObject/ensureDeleted helpers) to include the CRIOCredentialProviderConfig
kind/name (and its API group/version used in the CRD), implement creation logic
in CreateObjects and deletion/checking logic in CleanEnvironment/delete helpers
to create/delete that resource just like the other vendor CRD types referenced
in the file.