OCPCLOUD-3327: Rewrite manifests-gen to support upgrade safety

[mdbooth]

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

  • Operator now reads and caches provider image metadata and applies per-provider manifests during installation.
  • Added manifest generator that creates provider manifests and metadata per profile.
  • Operator exposes a provider-images mount and PROVIDER_IMAGE_DIR env var for provider artifacts.
  • New RBAC Role/RoleBinding enables pull-secret access for image retrieval.

• Chores

  • Updated module dependencies to support image fetching and manifest generation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

📝 Walkthrough

Walkthrough

Operator startup now reads provider image manifests from a provider image directory (PROVIDER_IMAGE_DIR), fetches and caches provider profiles from OCI images, and passes those profiles into reconciler wiring; a new manifests generator compiles kustomize assets into typed client.Object resources and manifests/metadata files.

Changes

Cohort / File(s)	Summary
Provider image subsystem pkg/providerimages/providerimages.go, pkg/providerimages/pullsecret.go, pkg/providerimages/providerimages_test.go	New package to fetch OCI images (with a keychain from openshift-config/pull-secret), extract /capi-operator-manifests across image layers, discover profiles, write manifests with content-hash, and return []ProviderImageManifests. Includes comprehensive tests.
Operator main & reconciler wiring cmd/cluster-capi-operator/main.go, pkg/controllers/capiinstaller/capi_installer_controller.go, pkg/controllers/capiinstaller/capi_installer_controller_test.go	Reads PROVIDER_IMAGE_DIR (default /var/lib/provider-images), computes image refs, calls ReadProviderImages, threads providerProfiles into setupPlatformReconcilers/setupReconcilers, injects InstallerSuccessful channel and ProviderImages into controller wiring, and adds provider-image reconcile/apply flows with ordered processing.
Manifest generator (manifests-gen) manifests-gen/* (e.g., generate.go, main.go, customizations.go, util.go, kustomization.yaml, go.mod)	New Go-based manifest generator: compiles kustomize assets (krusty), converts to []client.Object, processes typed objects, writes manifests.yaml and metadata.yaml per provider profile; CLI flags and validation added.
Removed legacy provider pipeline & customizations manifests-gen/providers.go (deleted), manifests-gen/providercustomizations.go (deleted)	Deleted previous provider-loading, component compilation, and provider-specific customization dispatchers (Azure/GCP/PowerVS); replaced by new generator and typed processing.
RBAC and Deployment updates manifests/0000_30_cluster-api_03_rbac_roles.yaml, manifests/0000_30_cluster-api_04_rbac_bindings.yaml, manifests/0000_30_cluster-api_11_deployment.yaml	Adds Role/RoleBinding permitting read of pull-secret in openshift-config; adds PROVIDER_IMAGE_DIR env var, provider-images emptyDir volume and mount to operator Deployment.
Config parsing / util changes pkg/util/readconfig.go	Removed ReadProvidersFile; ReadImagesFile now parses JSON into map[string]string (was YAML).
Minor code hygiene pkg/controllers/infracluster/azure.go, pkg/conversion/capi2mapi/aws.go	Removed nolint:gosec comments only; no behavioral changes.
Dependency updates go.mod, e2e/go.mod, hack/tools/go.mod, manifests-gen/go.mod	Added/updated dependencies for container image handling and kustomize tooling (e.g., google/go-containerregistry, docker/, estargz, updated golang.org/x/); manifest-generator module adjustments.

Sequence Diagram(s)

sequenceDiagram
    participant Operator as Cluster-CAPI Operator
    participant ProviderMgr as Provider Image Manager
    participant PullSecret as PullSecret (k8s)
    participant Registry as Container Registry
    participant FileCache as Local provider-images dir
    participant CAPI as CAPI Installer Controller

    Operator->>ProviderMgr: ReadProviderImages(ctx, containerImages, providerImageDir)
    ProviderMgr->>PullSecret: Read pull-secret
    ProviderMgr->>ProviderMgr: Build auth keychain

    par Concurrent fetch
        ProviderMgr->>Registry: Fetch image (using keychain)
        Registry-->>ProviderMgr: Return image layers
        ProviderMgr->>FileCache: Extract /capi-operator-manifests (layers top->bottom)
        ProviderMgr->>ProviderMgr: Discover profiles (metadata.yaml + manifests.yaml)
        ProviderMgr->>FileCache: Write manifests with SHA256 ContentID
    end

    ProviderMgr-->>Operator: []ProviderImageManifests
    Operator->>CAPI: Wire ProviderImages & InstallerSuccessful channel
    CAPI->>CAPI: reconcileProviderImages() -> sort by InstallOrder
    CAPI->>FileCache: Read manifests for provider
    CAPI->>CAPI: Apply manifests (envsubst + kubernetes apply)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I dug through images, layer by layer bright,
Found manifests tucked away out of sight,
Cached them with hashes, handed them to the crew,
Controllers now start in ordered queue,
Hoppity hops—manifests take flight! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.38% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: rewriting manifests-gen to support upgrade safety via embedding CAPI manifests in provider images.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign racheljpg for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

• Remove provider customisation for PowerVS
• manifests-gen: Rewrite to support Update Safety
• capiinstaller: Compatibility with new manifests-gen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mdbooth]

/test e2e-aws-ovn-techpreview

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

[mdbooth]

/test e2e-aws-ovn-techpreview

[mdbooth]

/test e2e-aws-ovn-techpreview
/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

[mdbooth]

/test e2e-aws-ovn-techpreview

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[mdbooth]

The e2e-aws-ovn-techpreview pass shows the modifications to the capiinstaller controller are backwards compatible with current transport configmaps.

openshift/cluster-api-provider-aws#584 and openshift/cluster-api#259 update CAPA and core CAPI to publish manifests only in the provider images. They do not publish transport configmaps.

The multi-pr test pass with these 2 PRs shows that pulling manifests from images is working.

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Provider image metadata support with runtime caching to surface provider manifests used during installation.

• Infrastructure

• RBAC Role and RoleBinding added to allow reading the image pull-secret.

• Operator Deployment updated to mount a provider-image cache and set the cache directory env var.

• Manifests / Tooling

• New manifest generator writes manifests.yaml and metadata.yaml and supports kustomize components.

• Tests

• Comprehensive tests added for provider image extraction and processing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[theobarberbany]

/testwith openshift/cluster-capi-operator/main/e2e-aws-capi-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[theobarberbany]

/testwith openshift/cluster-capi-operator/main/regression-clusterinfra-aws-ipi-techpreview-capi openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[theobarberbany]

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[theobarberbany]

/testwith openshift/cluster-capi-operator/main/e2e-aws-capi-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Provider image metadata support with runtime caching and propagation to controllers to apply provider manifests during startup.

• Infrastructure

• RBAC Role and RoleBinding added to allow reading the image pull-secret.

• Operator Deployment mounts a provider-image cache and sets the cache directory env var.

• Manifests / Tooling

• New manifest generator writes manifests.yaml and metadata.yaml and supports kustomize-based profiles.

• Tests

• Comprehensive tests added for provider image extraction, layering, and processing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Provider image metadata support with caching; operator applies provider manifests (ordered by type) during startup and signals completion to other controllers.

• Infrastructure

• RBAC Role and RoleBinding added to allow reading the image pull-secret.

• Operator Deployment mounts a provider-image cache and sets the cache directory env var.

• Manifests / Tooling

• New manifest generator producing manifests.yaml and metadata.yaml with kustomize profile support.

• Tests

• Comprehensive tests for provider image extraction, layering, errors, and processing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Added provider image metadata extraction and caching from container images to streamline infrastructure setup.

• Introduced structured provider profile discovery and manifest management.

• Added enhanced role-based access controls for credential handling.

• Chores

• Updated and added container registry and Kubernetes dependencies to support new provider image functionality.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Provider image metadata extraction and caching with structured provider profile discovery for per-provider manifests.

• Manifest generator: produces provider manifests and metadata for profiles.

• Operator now exposes a provider-images mount and env var to surface provider artifacts.

• Added RBAC Role/RoleBinding to allow pull-secret access for image retrieval.

• Chores

• Updated module/dependency pins to support image fetching and manifest generation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

manifests-gen/customizations.go (1)

34-170: Guard against empty webhook lists / nil Service refs to avoid panics.
mwc.Webhooks[0] and vwc.Webhooks[0] assume at least one webhook with a Service target. If a provider ships a webhook config with zero webhooks or a URL-based client config, manifest generation will panic. Consider returning a clear error instead.

🐛 Suggested fix (propagate an explicit error)

- serviceSecretNames := findWebhookServiceSecretName(objs)
+ serviceSecretNames, err := findWebhookServiceSecretName(objs)
+ if err != nil {
+     return nil, err
+ }

-func findWebhookServiceSecretName(objs []client.Object) map[string]string {
+func findWebhookServiceSecretName(objs []client.Object) (map[string]string, error) {
     serviceSecretNames := map[string]string{}
     certSecretNames := map[string]string{}
@@
-            serviceSecretNames[mwc.Webhooks[0].ClientConfig.Service.Name] = secretName
+            if len(mwc.Webhooks) == 0 || mwc.Webhooks[0].ClientConfig.Service == nil {
+                return nil, fmt.Errorf("mutating webhook %q has no service reference", mwc.Name)
+            }
+            serviceSecretNames[mwc.Webhooks[0].ClientConfig.Service.Name] = secretName
@@
-            serviceSecretNames[vwc.Webhooks[0].ClientConfig.Service.Name] = secretName
+            if len(vwc.Webhooks) == 0 || vwc.Webhooks[0].ClientConfig.Service == nil {
+                return nil, fmt.Errorf("validating webhook %q has no service reference", vwc.Name)
+            }
+            serviceSecretNames[vwc.Webhooks[0].ClientConfig.Service.Name] = secretName
@@
-    return serviceSecretNames
+    return serviceSecretNames, nil
 }

🤖 Fix all issues with AI agents

In `@pkg/controllers/capiinstaller/capi_installer_controller.go`:
- Around line 228-249: The deferred errors.Join call in applyProviderImage
currently never affects the returned error because the function uses an unnamed
error return; change applyProviderImage to use a named error return (e.g., err
error) and update the defer to join the reader.Close() error into that named err
(using errors.Join(err, reader.Close())) so any close failure is preserved and
returned; reference the applyProviderImage function, the deferred reader.Close()
call, and errors.Join when making the change.

🧹 Nitpick comments (3)

manifests/0000_30_cluster-api_11_deployment.yaml (1)

95-96: Consider bounding the provider-images cache size.
An unbounded emptyDir can consume node ephemeral storage if the cache grows.

♻️ Suggested size limit (tune as appropriate)

-      - name: provider-images
-        emptyDir: {}
+      - name: provider-images
+        emptyDir:
+          sizeLimit: 1Gi

pkg/providerimages/pullsecret.go (1)

29-33: Confirm behavior when the pull-secret is empty.
authn.DefaultKeychain can pick up ambient Docker creds; if missing pull-secret should be treated as “anonymous only” or as an error, consider narrowing the fallback.

💡 Optional stricter fallback

 func parseDockerConfig(pullSecret []byte) (authn.Keychain, error) {
 	if len(pullSecret) == 0 {
-		return authn.DefaultKeychain, nil
+		return anonymousKeychain{}, nil
 	}
@@
 	return &configFileKeychain{cf: cf}, nil
 }
 
+// anonymousKeychain always resolves to anonymous auth.
+type anonymousKeychain struct{}
+
+func (anonymousKeychain) Resolve(_ authn.Resource) (authn.Authenticator, error) {
+	return authn.Anonymous, nil
+}

manifests-gen/customizations.go (1)

30-32: Consider making the registry check configurable.
The hard-coded expectedRegistry will fail manifest generation for any provider image that isn’t already in registry.ci.openshift.org. If this tool is used outside that pipeline, a flag/option or allowlist would be safer.

Also applies to: 194-201

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Close errors are currently dropped in applyProviderImage.
Because the function has an unnamed return, the deferred errors.Join doesn’t affect the returned error.

🐛 Suggested fix (use named return)

-func (r *CapiInstallerController) applyProviderImage(ctx context.Context, log logr.Logger, providerImage providerimages.ProviderImageManifests) error {
+func (r *CapiInstallerController) applyProviderImage(ctx context.Context, log logr.Logger, providerImage providerimages.ProviderImageManifests) (err error) {
     log.Info("reconciling CAPI provider", "name", providerImage.Name)

     reader, err := providerManifestReader(providerImage)
     if err != nil {
         return fmt.Errorf("failed to create provider manifest reader: %w", err)
     }

     defer func() {
         err = errors.Join(err, reader.Close())
     }()
@@
     log.Info("finished reconciling CAPI provider", "name", providerImage.Name)

     return nil
 }

🤖 Prompt for AI Agents

In `@pkg/controllers/capiinstaller/capi_installer_controller.go` around lines 228
- 249, The deferred errors.Join call in applyProviderImage currently never
affects the returned error because the function uses an unnamed error return;
change applyProviderImage to use a named error return (e.g., err error) and
update the defer to join the reader.Close() error into that named err (using
errors.Join(err, reader.Close())) so any close failure is preserved and
returned; reference the applyProviderImage function, the deferred reader.Close()
call, and errors.Join when making the change.

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

• New Features

• Operator now reads and caches provider image metadata and applies per-provider manifests during installation.

• Added manifest generator that creates provider manifests and metadata per profile.

• Operator exposes a provider-images mount and PROVIDER_IMAGE_DIR env var for provider artifacts.

• New RBAC Role/RoleBinding enables pull-secret access for image retrieval.

• Chores

• Updated module dependencies to support image fetching and manifest generation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mdbooth]

/test e2e-azure-ovn-techpreview e2e-azure-capi-techpreview

[openshift-ci]

@mdbooth: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal3-capi-techpreview	3da26fb	link	false	/test e2e-metal3-capi-techpreview
ci/prow/e2e-azure-ovn-techpreview	1b4e131	link	false	/test e2e-azure-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[damdo]

Needs rebase/renaming potentially.

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.