Skip to content

[AISOS-2052] CAPO validation webhook rejects OpenStackMachine spec patches during IPI install on OCP 4.22.x#423

Open
forgeSmith-bot wants to merge 9 commits into
openshift:mainfrom
forgeSmith-bot:forge/aisos-2052
Open

[AISOS-2052] CAPO validation webhook rejects OpenStackMachine spec patches during IPI install on OCP 4.22.x#423
forgeSmith-bot wants to merge 9 commits into
openshift:mainfrom
forgeSmith-bot:forge/aisos-2052

Conversation

@forgeSmith-bot

@forgeSmith-bot forgeSmith-bot commented Jul 1, 2026

Copy link
Copy Markdown

Summary

This pull request resolves an issue where the CAPO validation webhook rejects OpenStackMachine spec patches during OpenShift Container Platform (OCP) 4.22.x IPI install by preventing the CAPO controller from mutating the OpenStackMachine spec in-place during conversion. By performing a deep copy of the PortOpts slice and its individual elements, the original OpenStackMachine spec remains unmodified in memory. This prevents the CAPI patch helper from sending mutated spec patches that violate strict spec immutability and are rejected by the validating webhook, thereby ensuring stable machine provisioning and successful bootstrap.

Changes

Controller logic

  • Modified controllers/openstackmachine_controller.go: Updated the conversion logic within openStackMachineSpecToOpenStackServerSpec to deep-copy the Ports slice and each individual PortOpts element using the autogenerated DeepCopyInto helper. This isolates downstream in-place mutations (such as assigned networks, fixed IPs, and security groups) from the original machine spec in memory.

Test suite

  • Modified controllers/openstackmachine_controller_test.go: Enhanced the existing unit test runner TestOpenStackMachineSpecToOpenStackServerSpec to assert that the input OpenStackMachineSpec is never mutated post-conversion. The test now clones the input spec prior to conversion and verifies that the pre-call and post-call states are identical using reflect.DeepEqual.

Implementation Notes

  • Autogenerated deep copy helpers: Utilized Kubebuilder-autogenerated DeepCopyInto functions found in api/v1beta1/zz_generated.deepcopy.go to guarantee a deep copy of all elements, slices, and pointers.
  • Minimal footprint: The fix is entirely self-contained within the controller logic and unit tests, avoiding public API schema modifications or external dependency additions.
  • Bi-directional testing: Verified that the new immutability assertions actively fail when the deep-copy logic is temporarily reverted, confirming that the test suite is robust against regressions.

Testing

  • Unit tests: Enhanced TestOpenStackMachineSpecToOpenStackServerSpec to assert immutability of the input specs.
  • Local verification: Executed the test suite (make test-capo) and confirmed all tests pass cleanly.
  • Linting & Formatting: Verified the codebase is fully compliant with golangci-lint and formatting standards with zero issues.

Related Tickets


Generated by Forge SDLC Orchestrator

Summary by CodeRabbit

  • Bug Fixes

    • Fixed an issue where machine network port settings could be changed unexpectedly during configuration processing.
    • Added a regression check to ensure input settings remain unchanged after conversion.
  • Documentation

    • Updated internal handoff and review notes with completion and verification details.
  • Chores

    • Added repository review guidance and cleanup notes for local project artifacts.

Forge added 4 commits July 1, 2026 08:51
…ec patches during IPI install

Detailed description:
- Modified controllers/openstackmachine_controller.go to deep-copy PortOpts slices and fields when converting an OpenStackMachineSpec to an OpenStackServerSpec, preventing in-place mutations of the original machine spec in memory.
- Enhanced TestOpenStackMachineSpecToOpenStackServerSpec in controllers/openstackmachine_controller_test.go to assert that the input spec is never mutated post-conversion.

Closes: AISOS-2074
…ec patches during IPI install on OCP 4.22.x (openshift/cluster-api-provider-openstack)

Auto-committed by Forge container fallback.
…coverage

Auto-committed by Forge container fallback.
Auto-committed by Forge container fallback.
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown

Hi @forgeSmith-bot. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 1, 2026
@openshift-ci openshift-ci Bot requested review from gryf and mandre July 1, 2026 09:03
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b128f0ce-6eb0-4c23-b96b-c20859cc4499

📥 Commits

Reviewing files that changed from the base of the PR and between 678b676 and e5a7c43.

📒 Files selected for processing (3)
  • .forge/handoff.md
  • .forge/review-comments.md
  • .forge/review-plan.md
✅ Files skipped from review due to trivial changes (3)
  • .forge/review-plan.md
  • .forge/review-comments.md
  • .forge/handoff.md

Walkthrough

The PR deep-copies provided port specs before conversion, adds a regression test that checks the input spec is unchanged, and records related handoff/review notes in .forge/ files.

Changes

OpenStackMachine immutability fix

Layer / File(s) Summary
Conversion copy and regression
controllers/openstackmachine_controller.go, controllers/openstackmachine_controller_test.go
serverPorts now uses deep-copied port entries before mutation, and the test saves a pre-call spec copy then verifies the original spec is unchanged after conversion.

Review and handoff notes

Layer / File(s) Summary
Handoff and review notes
.forge/handoff.md, .forge/review-comments.md, .forge/review-plan.md
Adds completion, review, and repository-tracking notes covering the mutation fix and .forge/ file handling.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main bugfix: CAPO webhook rejection of OpenStackMachine spec patches during OCP 4.22.x IPI installs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The touched tests use static string literals for t.Run names; no timestamps, generated IDs, or other dynamic values appear in test titles.
Test Structure And Quality ✅ Passed PASS: The change is a plain table-driven unit test, not Ginkgo; it adds one focused immutability check, has no cluster waits/resources, and follows local test style.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the modified test is a standard Go unit test, and the PR only changes controller logic/docs with no MicroShift-unsupported APIs.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes controller logic and a standard Go unit test, so SNO topology assumptions aren’t applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Changes only deep-copy PortOpts and add an immutability test; no affinity, topologySpreadConstraints, node selectors, replicas, or tolerations were added.
Ote Binary Stdout Contract ✅ Passed The PR only deep-copies ports and adds an immutability test; the modified controller/test and suite setup contain no direct stdout writes.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Changed files only touch controller logic and a unit test; no new Ginkgo e2e tests, IPv4 literals, IPv4-only URL building, or external connectivity were added.
No-Weak-Crypto ✅ Passed No weak crypto, custom crypto, or secret/token comparisons were introduced; the only new comparison is DeepEqual on specs in the unit test.
Container-Privileges ✅ Passed Touched files are controller/test/docs only; scans found no privileged/hostNetwork/etc in them, and manager.yaml stays false/non-root.
No-Sensitive-Data-In-Logs ✅ Passed The PR only deep-copies port specs and adds an immutability test; I found no new logs or sensitive-value exposure in the changed code.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.forge/handoff.md (1)

44-44: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Minor: Path reference may be environment-specific.

Line 44 references /workspace/docs/ as an absolute path. If this documentation is meant to be shared or persisted, consider using a repository-relative path (e.g., docs/ or ./docs/) for portability across different environments and clones.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.forge/handoff.md at line 44, Replace the absolute path reference in the
handoff documentation with a repository-relative path so it works across
environments; update the relevant text in the markdown entry that currently
points to the docs directory using an absolute `/workspace/...` style path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.forge/handoff.md:
- Line 44: Replace the absolute path reference in the handoff documentation with
a repository-relative path so it works across environments; update the relevant
text in the markdown entry that currently points to the docs directory using an
absolute `/workspace/...` style path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c3f681ad-81cb-41a7-a950-727cb404e260

📥 Commits

Reviewing files that changed from the base of the PR and between 76198b2 and 678b676.

📒 Files selected for processing (3)
  • .forge/handoff.md
  • controllers/openstackmachine_controller.go
  • controllers/openstackmachine_controller_test.go

@tusharjadhav3302

tusharjadhav3302 commented Jul 1, 2026

Copy link
Copy Markdown

/approve
/lgtm

@ekuris-redhat ekuris-redhat left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove the handoff.md file

@forgeSmith-bot

Copy link
Copy Markdown
Author

Forge is addressing PR review feedback now. This status update is informational.

Forge added 4 commits July 1, 2026 12:22
Auto-committed by Forge container fallback.
Detailed description:
- Removed the .forge/ directory and its contents (.forge/handoff.md, .forge/review-comments.md, .forge/review-plan.md) from the Git repository index using git rm -r --cached .forge/.
- This ensures these files are untracked and excluded from the PR commits, fully resolving the reviewer's feedback while preserving them locally on disk to maintain task continuity.
- No source code or documentation files were changed.
- Validated that the project builds cleanly, lints cleanly, and passes all unit tests.

Closes: AISOS-2052-review-fix
Auto-committed by Forge container fallback.
Auto-committed by Forge container fallback.
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tusharjadhav3302
Once this PR has been reviewed and has the lgtm label, please assign eshulman2 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants