
Conversation

@ngopalak-redhat
Contributor

@ngopalak-redhat ngopalak-redhat commented Jan 16, 2026

This PR improves the documentation for the KubeletConfigSpec API to make it more accurate and user-friendly.

Fixes the doc: https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/machine_apis/kubeletconfig-machineconfiguration-openshift-io-v1#spec-4

It also adds test coverage similar to the pattern established in #2370.

AutoSizingReserved will default to true from 4.21 onwards. The default value and the description were not documented until now.

Why is this a breaking change?

  • The additional kubebuilder validation makes this a breaking change.
  • If the user provides tlsSecurityProfile with just modern or custom fields but omits the type field, the validation passes because !has(self.type) evaluates to true.

Test Coverage

Created test file: machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2026
@coderabbitai

coderabbitai bot commented Jan 16, 2026

📝 Walkthrough

Walkthrough

Adds a YAML test suite for the KubeletConfig CRD covering onCreate and onUpdate scenarios (single-field, multi-field, and invalid-value cases). Adds two optional fields to KubeletConfigSpec: AutoSizingReserved (*bool) and LogLevel (*int32) with validation (0–10). Updates generated Swagger/docs and the CRD: clarifies kubeletConfig and machineConfigPoolSelector descriptions, expands logLevel and tlsSecurityProfile descriptions, and adds x-kubernetes-validations to restrict tlsSecurityProfile to Old and Intermediate.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly identifies the main change: documentation fixes for KubeletConfig API and addition of test coverage.
Description check ✅ Passed The description is directly related to the changeset, explaining the motivation for documentation improvements and test additions, including details about breaking changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented



@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

Hello @ngopalak-redhat! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 16, 2026
@ngopalak-redhat
Contributor Author

/test all

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ngopalak-redhat
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Jan 16, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ngopalak-redhat ngopalak-redhat marked this pull request as ready for review January 16, 2026 06:31
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml`:
- Around line 118-123: The tlsSecurityProfile description in the KubeletConfig
CRD is inconsistent with the schema: the text claims "Only Old and Intermediate
profiles are supported; maximum minTLSVersion is VersionTLS12" while the schema
allows Modern and Custom (and VersionTLS13) because it relies on
configv1.TLSSecurityProfile which has no kubelet-specific restrictions; to fix,
either add explicit validation to the CRD (e.g., CEL rules or a validating
webhook) to reject profile.type values "Modern" and "Custom" and enforce max
minTLSVersion of "VersionTLS12", or update the tlsSecurityProfile description to
accurately reflect that the schema permits Modern and Custom and VersionTLS13 by
referencing configv1.TLSSecurityProfile semantics; locate and change the
tlsSecurityProfile block in the KubeletConfig CRD (symbol: tlsSecurityProfile,
resource: KubeletConfig) and implement one of the two options consistently
(validation rules if you want to forbid Modern/Custom, otherwise update the
descriptive text).
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 12dcb66 and 8e0b9d6.

⛔ Files ignored due to path filters (2)
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
📒 Files selected for processing (4)
  • machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml
  • machineconfiguration/v1/types.go
  • machineconfiguration/v1/zz_generated.swagger_doc_generated.go
  • payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • machineconfiguration/v1/types.go
🔇 Additional comments (2)
machineconfiguration/v1/zz_generated.swagger_doc_generated.go (1)

216-223: Docs read well and are consistent with the CRD updates.
The KubeletConfigSpec descriptions are clear and actionable.

machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml (1)

1-275: Solid coverage for create/update scenarios.
The matrix of single-field and combined updates looks thorough.


@ngopalak-redhat ngopalak-redhat changed the title Fixes KubeletConfig API doc and adds tests NO-ISSUE: Fixes KubeletConfig API doc and adds tests Jan 16, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 16, 2026
@openshift-ci-robot

@ngopalak-redhat: This pull request explicitly references no jira issue.


In response to this:

This PR improves the documentation for the KubeletConfigSpec API to make it more accurate and user-friendly.
The focus is AutoSizingReserved. I have ignored adding the tests and the validation for TLSSecurityProfile. Also I haven't added the kubebuilder validation for LogLevel. They can be done in a different PR as this one focusses on API doc only.

It also adds test coverage similar to the pattern established in #2370.

AutoSizingReserved will default to true from 4.21 onwards. The default value and the description were not documented until now.

Test Coverage

Created test file: machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ngopalak-redhat
Contributor Author

cc: @haircommander @sairameshv

Member

@saschagrunert saschagrunert left a comment

Thank you for the PR, I have a bunch of improvements suggested.

Please note that we need to add integration tests for the new validations.

@openshift-ci openshift-ci bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 22, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@machineconfiguration/v1/types.go`:
- Around line 769-774: The CEL XValidation currently permits profiles without an
explicit type and thus allows Modern/Custom via embedded fields; update the
validation on TLSSecurityProfile to require that the type field is present and
equal to either "Old" or "Intermediate" (e.g. change the rule to require
has(self.type) && (self.type == 'Old' || self.type == 'Intermediate')), so
TLSSecurityProfile (the TLSSecurityProfile *configv1.TLSSecurityProfile field)
cannot be set to Modern/Custom without an explicit allowed type.
♻️ Duplicate comments (1)
payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml (1)

268-271: Keep the CRD validation in sync with the tightened TLS rule.

Same concern as in machineconfiguration/v1/types.go: regenerate this CRD after tightening the CEL rule so missing type can’t bypass the restriction.

🧹 Nitpick comments (1)
machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml (1)

173-220: Add a negative case for tlsSecurityProfile without type.

This will lock in the stricter validation and prevent bypasses if the object is provided without a type.

🧪 Suggested test case
@@
     - name: Should reject tlsSecurityProfile with Custom type
       initial: |
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
           tlsSecurityProfile:
             type: Custom
             custom:
               ciphers:
                 - ECDHE-ECDSA-AES128-GCM-SHA256
               minTLSVersion: VersionTLS12
       expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
+    - name: Should reject tlsSecurityProfile without type
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+      expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
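Review bot: The new "Should reject tlsSecurityProfile without type" case only passes once the CEL rule requires `has(self.type)`; with the rule as the PR description states it (`!has(self.type)` evaluating to true), this object is admitted and the case fails, so it has to land in the same commit as the tightened rule. The reused `expectedError` string must also match the message in the regenerated CRD exactly, since the suite compares against the returned error text.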

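The `!has(self.type)` bypass raised in the PR description and in the review above, plus the logLevel 0-10 bounds, modelled in plain Python as an added example (not code from openshift/api or the MCO, and not a real CEL evaluator). The two CEL rule texts are reconstructed from the thread and the exact strings in the CRD are an assumption; the error message is modelled on the expectedError used in the suggested test case.

```python
"""Plain-Python model of the two KubeletConfigSpec admission rules discussed
in this PR: the logLevel bounds and the tlsSecurityProfile CEL rule.

Added example, not openshift/api or MCO code. Rule texts are reconstructed
from the thread (assumption): original `!has(self.type) || ...`, tightened
`has(self.type) && (self.type == 'Old' || self.type == 'Intermediate')`.
"""

ALLOWED_TLS_TYPES = ("Old", "Intermediate")
TLS_ERROR = "only Old and Intermediate TLS profiles are supported for kubelet"


def tls_rule_original(profile: dict) -> bool:
    """CEL: !has(self.type) || self.type in ['Old', 'Intermediate'].

    A profile carrying only `modern:` or `custom:` and no `type` satisfies
    the first disjunct, so it is admitted: this is the bypass.
    """
    return "type" not in profile or profile["type"] in ALLOWED_TLS_TYPES


def tls_rule_tightened(profile: dict) -> bool:
    """CEL: has(self.type) && (self.type == 'Old' || self.type == 'Intermediate')."""
    return "type" in profile and profile["type"] in ALLOWED_TLS_TYPES


def log_level_ok(level) -> bool:
    """kubebuilder Minimum=0 / Maximum=10 on an optional integer field."""
    if level is None:
        return True
    return isinstance(level, int) and not isinstance(level, bool) and 0 <= level <= 10


def validate_spec(spec: dict, tightened: bool = True) -> list:
    """Return admission errors for a KubeletConfig spec (empty list = admitted)."""
    errors = []
    level = spec.get("logLevel")
    if not log_level_ok(level):
        errors.append(f"spec.logLevel: {level!r} must be an integer between 0 and 10")
    profile = spec.get("tlsSecurityProfile")
    if profile is not None:
        rule = tls_rule_tightened if tightened else tls_rule_original
        if not rule(profile):
            errors.append(f"spec.tlsSecurityProfile: {TLS_ERROR}")
    return errors


# Constructed cases mirroring the shapes used in the thread's YAML test suite.
CUSTOM_PROFILE = {
    "custom": {"ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256"], "minTLSVersion": "VersionTLS12"}
}
CASES = {
    "logLevel at minimum": {"logLevel": 0},
    "logLevel at maximum": {"logLevel": 10},
    "logLevel below minimum": {"logLevel": -1},
    "logLevel above maximum": {"logLevel": 11},
    "Intermediate profile": {"tlsSecurityProfile": {"type": "Intermediate", "intermediate": {}}},
    "Modern profile": {"tlsSecurityProfile": {"type": "Modern", "modern": {}}},
    "Custom profile with type": {"tlsSecurityProfile": {"type": "Custom", **CUSTOM_PROFILE}},
    "Custom profile without type": {"tlsSecurityProfile": CUSTOM_PROFILE},
}


def rejected_cases(tightened: bool) -> set:
    """Names of the constructed cases that a rule variant rejects."""
    return {name for name, spec in CASES.items() if validate_spec(spec, tightened)}


def bypass_cases() -> set:
    """Cases admitted by the original rule but rejected by the tightened one."""
    return rejected_cases(tightened=True) - rejected_cases(tightened=False)


if __name__ == "__main__":
    for name, spec in CASES.items():
        print(f"{name:28} original={validate_spec(spec, False) or 'admitted'} "
              f"tightened={validate_spec(spec, True) or 'admitted'}")
    print("bypass closed by tightening:", bypass_cases())
```

Running the script lists every constructed case under both rule variants; the only case whose verdict changes is the type-less custom profile, which is exactly the negative test the review asks to add.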
@ngopalak-redhat
Contributor Author

Thank you for the PR, I have a bunch of improvements suggested.

Please note that we need to add integration tests for the new validations.

@saschagrunert I made the code changes as suggested. I also added the validations and tests to machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml.

Are these the integration tests you were referring to?

Comment on lines +752 to +754
// +kubebuilder:validation:Minimum=0
// +kubebuilder:validation:Maximum=10
Member

Looks like we have not enforced this in production clusters? Hm, then it would be a breaking change and we can't apply it now.

Contributor Author

This is a good opportunity to fix this. I understand it's a breaking change from an API perspective, but it's already validated in the MCO: https://github.com/openshift/machine-config-operator/blob/main/pkg/controller/kubelet-config/helpers.go#L353
We are effectively adding a first line of defense to reject values < 0 or > 10 immediately.

Member

Sounds good, but two things to clarify:

  • Does the cluster degrade when this is being enforced now and users put in an invalid value?
  • Let's compare the scenarios of putting an invalid value in a running cluster. What are the error messages and is the user feedback now more or less useful?

@openshift-ci openshift-ci bot removed the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Jan 27, 2026
@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 27, 2026
@ngopalak-redhat
Contributor Author

@saschagrunert Thanks for the review. I have addressed your comments. Could you take another look? I also replied to the specific discussion here: #2651 (comment)

Member

There are still many redundant CRUD tests part of this file, which don't validate anything.

  1. Lines 7-37: autoSizingReserved true/false/omitted - Basic CRUD, no validation
  2. Lines 40-50: logLevel = 4 - Not a boundary, no validation value
  3. Lines 51-59: logLevel omitted - Redundant
  4. Lines 98-136: machineConfigPoolSelector worker/master/omitted - No validation logic
  5. Lines 139-160: kubeletConfig with maxPods/omitted - Basic CRUD
  6. Lines 163-188: tlsSecurityProfile Old/Intermediate - Redundant (both valid values, no validation difference)
  7. Lines 220-228: tlsSecurityProfile omitted - Redundant
  8. Lines 231-253: Combined fields - No validation logic
  9. Lines 257-272: Update autoSizingReserved - No validation logic
  10. Lines 275-288: Remove logLevel - Redundant with onCreate omit

Tests that should be kept (validation logic):

  1. Lines 60-70: logLevel = 0 (minimum boundary)
  2. Lines 71-81: logLevel = 10 (maximum boundary)
  3. Lines 82-88: logLevel = -1 (reject below min)
  4. Lines 89-95: logLevel = 11 (reject above max)
  5. Lines 189-196: tlsSecurityProfile Modern (CEL XValidation rejection)
  6. Lines 197-208: tlsSecurityProfile Custom (CEL XValidation rejection)
  7. Lines 209-219: tlsSecurityProfile without type (CEL XValidation rejection)

@openshift-ci
Contributor

openshift-ci bot commented Jan 27, 2026

@ngopalak-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/verify-crdify
Commit: 1b89d6b
Required: true
Rerun command: /test verify-crdify

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.


4 participants