OCPBUGS-87001: Move installer and revision controllers to their own deployment

[mdbooth]

Moves the installer and revision controllers into a separate capi-installer deployment which is created by capi-operator.

The reason for this is that these controllers mount release images as volumes. They will always mount the provider images from the current release, but on upgrade they must also mount the provider images from any previous revisions which are still active. Therefore the deployment cannot be static.

A new controller, installerdeployment runs in capi-operator to create the installer deployment.

Needs openshift/origin#31286 to merge before the e2es will pass.

Summary by CodeRabbit

• New Features

  • Adds a dedicated capi-installer component: Deployment, ServiceAccount, headless metrics Service, ServiceMonitor, ClusterRoleBinding, and a ConfigMap of provider image references; operator now deploys and exposes capi-installer diagnostics/metrics.
  • Operator deployment manifest updated to run with the new capi-installer integration.

• Chores

  • Test env Kubernetes version bumped to 1.35.1.
  • Build flow updated to include the capi-installer binary in releases.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@mdbooth: This pull request references OCPCLOUD-3443 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

• Bump envtest k8s version to 1.35.1
• Installer is separate deployment managed by capi-operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

The PR extracts an installer into a new capi-installer binary/workload, adds manifests (ServiceAccount, Service, ServiceMonitor, ClusterRoleBinding, provider-images ConfigMap, Deployments, NetworkPolicy updates), introduces provider-image helpers, and implements InstallerDeploymentReconciler plus tests to build and SSA-apply a capi-installer Deployment from image refs.

Changes

Installer Separation and Deployment Management

Layer / File(s)	Summary
Build targets and image packaging Makefile, Dockerfile.rhel	ENVTEST_K8S_VERSION bumped to 1.35.1, build target now depends on bin/capi-installer, and Dockerfile.rhel copies the capi-installer binary into the runtime image.
capi-installer binary and entrypoint cmd/capi-installer/main.go	New entrypoint that initializes controller-runtime manager, accepts --provider-image-dir, loads provider image profiles from the current Pod spec and configured directory, and sets up revision and installer controllers.
Operator startup wiring cmd/capi-operator/main.go	Removes provider-image-dir CLI plumbing and manifest loading; adds pod-image lookup to read the operator container image and configures InstallerDeploymentReconciler with that image and the platform flag.
Operator-level manifests manifests/*	Adds capi-installer ServiceAccount, capi-installer-metrics Service, ServiceMonitor, ClusterRoleBinding openshift-capi-installer, capi-installer-images ConfigMap with component image refs, and a new capi-operator Deployment manifest.
NetworkPolicy updates manifests/0000_30_cluster-api_14_allow-ingress-to-metrics-operators.yaml, manifests/0000_30_cluster-api_16_allow-egress-operators.yaml	Includes capi-installer pods in existing metrics ingress/egress NetworkPolicies.
Embedded capi-installer asset pkg/controllers/installerdeployment/assets/deployment.yaml	Adds base Deployment manifest for capi-installer (probes, metrics TLS mount, downward API env, control-plane scheduling).
Deployment builder & naming helpers pkg/controllers/installerdeployment/deployment.go	Parses embedded Deployment, implements buildDesiredDeployment to set image/namespace/RELEASE_VERSION and add per-image Image volumes and mounts, plus deterministic volumeNameForImageRef.
InstallerDeploymentReconciler core & wiring pkg/controllers/installerdeployment/controller.go	New reconciler that deletes the Deployment when platform unsupported; otherwise reads image refs from capi-installer-images ConfigMap and ClusterAPI revisions, unions refs, builds desired Deployment, and applies via Server-Side Apply; wires watches and mapping functions.
Installer controller tests & suite pkg/controllers/installerdeployment/*_test.go	Envtest suite and controller/unit tests validate Deployment creation/update from ConfigMap/ClusterAPI image refs, deterministic volume naming, and deletion on unsupported platforms.
Provider-image helpers and tests pkg/providerimages/*	Adds ImageRefsFromConfigMap (nil-check) and ImageRefsFromRevisions (deduplicated set) with tests; providerimages tests adjusted to use inline PodSpec fixtures.

Sequence Diagram(s)

sequenceDiagram
  participant ConfigMap as "capi-installer-images ConfigMap"
  participant ClusterAPI as "ClusterAPI singleton"
  participant API_Server as "Kubernetes API Server"
  participant Reconciler as "InstallerDeploymentReconciler"

  ConfigMap->>API_Server: update/create
  ClusterAPI->>API_Server: status update
  API_Server->>Reconciler: watch events (ConfigMap/ClusterAPI/Deployment)
  Reconciler->>API_Server: GET ConfigMap
  Reconciler->>API_Server: GET ClusterAPI
  Reconciler->>Reconciler: build Desired Deployment (container image + image-backed volumes)
  Reconciler->>API_Server: Server-Side Apply Deployment (fieldManager + Force)
  API_Server->>Reconciler: apply result / status

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• openshift/cluster-capi-operator#494: Both PRs modify cmd/capi-operator/main.go to refactor how provider images and installer controllers are wired, with overlapping changes to setupControllers and provider image loading patterns.

Suggested reviewers

• nrb
• RadekManak

🚥 Pre-merge checks | ✅ 4 | ❌ 11

❌ Failed checks (1 warning, 10 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Stable And Deterministic Test Names	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The PR title explicitly describes the main architectural change: moving installer and revision controllers to their own deployment, which aligns with the substantial refactoring across the codebase.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign racheljpg for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (2)

pkg/controllers/installerdeployment/controller_test.go (1)

250-255: ⚡ Quick win

Use apierrors.IsNotFound for precise deletion verification.

The check err != nil could match any error type, not specifically confirming the Deployment was deleted. Use apierrors.IsNotFound(err) for precise verification.

♻️ Proposed fix

+		apierrors "k8s.io/apimachinery/pkg/api/errors"

 		Eventually(func() bool {
 			err := cl.Get(ctx, client.ObjectKey{Name: deploymentName, Namespace: namespace}, deployment)

-			return err != nil
+			return apierrors.IsNotFound(err)
 		}).WithTimeout(testTimeout).WithPolling(testInterval).Should(BeTrue())

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controllers/installerdeployment/controller_test.go` around lines 250 -
255, The test's Eventually block currently returns err != nil which can be any
error; update the predicate to explicitly check for deletion by returning
apierrors.IsNotFound(err) from the closure that calls cl.Get(ctx,
client.ObjectKey{Name: deploymentName, Namespace: namespace}, deployment). Also
add the required import for "k8s.io/apimachinery/pkg/api/errors" (alias
apierrors) so the test compiles and precisely verifies the Deployment was
deleted.

pkg/controllers/installerdeployment/suite_test.go (1)

38-40: 💤 Low value

Unused constant testNamespace.

The testNamespace constant is defined but never used in the test suite. The actual tests in controller_test.go generate unique namespaces with GenerateName. Consider removing this unused constant.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controllers/installerdeployment/suite_test.go` around lines 38 - 40, The
constant testNamespace in suite_test.go is unused; remove the unused declaration
(testNamespace) from the file or, if intended for tests, replace usage so tests
reference testNamespace instead of generating namespaces via GenerateName in
controller_test.go; update any imports/comments accordingly to keep the file
clean.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@manifests/0000_30_cluster-api-operator_06_deployment.yaml`:
- Around line 29-62: The capi-operator container is missing a hardened
securityContext and resource limits; update the container spec for the container
named "capi-operator" to add a container-level securityContext with
allowPrivilegeEscalation: false, runAsNonRoot: true, readOnlyRootFilesystem:
true, and capabilities: drop: ["ALL"], and add resources.limits (cpu and memory)
alongside the existing resources.requests (e.g., set limits slightly above
requests) so both cpu and memory have requests and limits defined.
- Around line 75-84: The manifest uses a hard nodeSelector and broad tolerations
("nodeSelector", tolerations with keys "node-role.kubernetes.io/control-plane"
and "node-role.kubernetes.io/master") which force pods onto control-plane nodes
and reduces scheduling resilience; replace the hard nodeSelector with a softer
nodeAffinity (preferredDuringSchedulingIgnoredDuringExecution) targeting
control-plane nodes and/or use an explicit nodeAffinity nodeSelectorTerm that
excludes arbiter nodes (e.g. a DoesNotExist check for an arbiter label) and
tighten/remove the broad tolerations so the Deployment does not indiscriminately
tolerate all control-plane taints; update the Deployment spec (where
nodeSelector and tolerations are declared) to use nodeAffinity preferences and
more specific tolerations instead.

In `@pkg/controllers/installerdeployment/assets/deployment.yaml`:
- Around line 66-75: The manifest currently hard-pins pods to control-plane
nodes by setting nodeSelector: node-role.kubernetes.io/control-plane and adding
master/control-plane NoSchedule tolerations; remove the nodeSelector block and
the two tolerations (or replace them with a non-control-plane-specific
scheduling rule such as a generic nodeSelector or preferredDuringScheduling
affinity) so pods are not forced onto control-plane/arbiter nodes; update any
related comments and ensure restartPolicy: Always remains unchanged while
testing on both HA and single-node clusters.
- Around line 23-53: Add container hardening and resource limits to the
capi-installer container spec: under the container named "capi-installer" add a
securityContext with runAsNonRoot: true, readOnlyRootFilesystem: true,
allowPrivilegeEscalation: false and capabilities: drop: ["ALL"]; also add
resource.limits (matching or slightly above existing requests) for cpu and
memory to complement the existing requests (e.g., cpu and memory limits) so
every container has both requests and limits defined.

In `@pkg/controllers/installerdeployment/deployment.go`:
- Around line 109-143: The volumeNameForImageRef function can produce names
longer than Kubernetes' 63-character DNS-label limit, causing Deployment
rejections; update volumeNameForImageRef so the final name is DNS-label
compliant and <=63 chars before returning. Keep the shortHash and separator
intact by computing maxImageNameLen = 63 - 1 - len(shortHash) (for the hyphen),
truncate the sanitized imageName to that length, then build volumeName =
fmt.Sprintf("%s-%s", truncatedImageName, shortHash). After prefixing with "img-"
when needed (if first char isn't alphanumeric), re-check length and if >63,
truncate the imageName portion further to ensure total <=63. Also ensure the
final name starts and ends with an alphanumeric character (trim trailing '-'
from the imageName portion if necessary) so the returned value (used as
corev1.Volume.Name and corev1.VolumeMount.Name in buildDesiredDeployment) always
meets Kubernetes DNS-label rules.

In `@pkg/providerimages/configmap_test.go`:
- Around line 62-66: The test in ImageRefsFromConfigMap should assert the exact
error value instead of substring matching; replace the err.Error() +
ContainSubstring assertion with a Gomega MatchError against the predefined
errConfigMapNil (e.g., change the assertion to
Expect(err).To(MatchError(errConfigMapNil))) while keeping the call to
ImageRefsFromConfigMap(nil) and the Expect(result).To(BeNil()) assertion;
reference the ImageRefsFromConfigMap function and the errConfigMapNil error
constant when making this change.

---

Nitpick comments:
In `@pkg/controllers/installerdeployment/controller_test.go`:
- Around line 250-255: The test's Eventually block currently returns err != nil
which can be any error; update the predicate to explicitly check for deletion by
returning apierrors.IsNotFound(err) from the closure that calls cl.Get(ctx,
client.ObjectKey{Name: deploymentName, Namespace: namespace}, deployment). Also
add the required import for "k8s.io/apimachinery/pkg/api/errors" (alias
apierrors) so the test compiles and precisely verifies the Deployment was
deleted.

In `@pkg/controllers/installerdeployment/suite_test.go`:
- Around line 38-40: The constant testNamespace in suite_test.go is unused;
remove the unused declaration (testNamespace) from the file or, if intended for
tests, replace usage so tests reference testNamespace instead of generating
namespaces via GenerateName in controller_test.go; update any imports/comments
accordingly to keep the file clean.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 42ea6dfb-6f8e-4e0e-ac90-0387c7e999b1

📥 Commits

Reviewing files that changed from the base of the PR and between 3f1aa11 and 13fba36.

📒 Files selected for processing (29)

• Dockerfile.rhel
• Makefile
• cmd/capi-installer/main.go
• cmd/capi-operator/main.go
• manifests/0000_30_cluster-api-installer_05_deployment.yaml
• manifests/0000_30_cluster-api-operator_00_namespace.yaml
• manifests/0000_30_cluster-api-operator_00_tombstones.yaml
• manifests/0000_30_cluster-api-operator_01_metrics-service.yaml
• manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml
• manifests/0000_30_cluster-api-operator_03_clusterrole.yaml
• manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml
• manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml
• manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml
• manifests/0000_30_cluster-api-operator_06_deployment.yaml
• manifests/0000_30_cluster-api-operator_07_clusterapi.yaml
• pkg/controllers/installerdeployment/assets/deployment.yaml
• pkg/controllers/installerdeployment/controller.go
• pkg/controllers/installerdeployment/controller_test.go
• pkg/controllers/installerdeployment/deployment.go
• pkg/controllers/installerdeployment/deployment_test.go
• pkg/controllers/installerdeployment/suite_test.go
• pkg/providerimages/configmap.go
• pkg/providerimages/configmap_test.go
• pkg/providerimages/providerimages_test.go
• pkg/providerimages/revision_images.go
• pkg/providerimages/revision_images_test.go

💤 Files with no reviewable changes (1)

• manifests/0000_30_cluster-api-installer_05_deployment.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Revisit hard control-plane scheduling constraints.

Hard control-plane nodeSelector plus master/control-plane tolerations assume a specific topology and can reduce scheduling resilience on variant cluster layouts.

As per coding guidelines, "**/*.{go,yaml,yml,json} ... Flag ... nodeSelector/affinity targeting control-plane nodes ... scheduling to all control-plane nodes without excluding arbiter nodes."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/0000_30_cluster-api-operator_06_deployment.yaml` around lines 75 -
84, The manifest uses a hard nodeSelector and broad tolerations ("nodeSelector",
tolerations with keys "node-role.kubernetes.io/control-plane" and
"node-role.kubernetes.io/master") which force pods onto control-plane nodes and
reduces scheduling resilience; replace the hard nodeSelector with a softer
nodeAffinity (preferredDuringSchedulingIgnoredDuringExecution) targeting
control-plane nodes and/or use an explicit nodeAffinity nodeSelectorTerm that
excludes arbiter nodes (e.g. a DoesNotExist check for an arbiter label) and
tighten/remove the broad tolerations so the Deployment does not indiscriminately
tolerate all control-plane taints; update the Deployment spec (where
nodeSelector and tolerations are declared) to use nodeAffinity preferences and
more specific tolerations instead.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit container hardening and resource limits.

The container spec is missing explicit securityContext hardening (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, drop ALL capabilities), and it defines requests without limits.

As per coding guidelines, "**/*.{yaml,yml}: securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false; Drop ALL capabilities ... Resource limits (cpu, memory) on every container."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controllers/installerdeployment/assets/deployment.yaml` around lines 23 -
53, Add container hardening and resource limits to the capi-installer container
spec: under the container named "capi-installer" add a securityContext with
runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation:
false and capabilities: drop: ["ALL"]; also add resource.limits (matching or
slightly above existing requests) for cpu and memory to complement the existing
requests (e.g., cpu and memory limits) so every container has both requests and
limits defined.

[mdbooth]

Which coding guidelines?

[coderabbitai]

@mdbooth, these come from the CodeRabbit path-based review instructions configured for this repository, applied to all **/*.{yaml,yml} files. The relevant rule is:

If this is a Kubernetes/OpenShift manifest or Helm template:

• securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false
• Drop ALL capabilities, add only what is required
• Resource limits (cpu, memory) on every container

That said, it's worth noting that the manifest already sets openshift.io/required-scc: restricted-v2, which enforces many of these constraints at the OpenShift admission layer (no privilege escalation, run as non-root, etc.). If your team considers that annotation sufficient for this operator's deployment context, or if the SCC enforcement makes the explicit securityContext fields redundant by policy, I can acknowledge that and move on. Would you like me to resolve this comment or dismiss it?

[coderabbitai]

🧹 Nitpick comments (1)

pkg/controllers/installerdeployment/controller.go (1)

167-167: 💤 Low value

ConfigMap watch triggers on all ConfigMaps cluster-wide.

The Watches for ConfigMap lacks a namespace predicate, so every ConfigMap create/update/delete in any namespace will invoke mapConfigMapToReconcile. While the map function filters correctly, this generates unnecessary API server traffic and reconcile evaluations.

Consider adding a predicate to filter by namespace:

♻️ Suggested improvement

-		Watches(&corev1.ConfigMap{}, handler.EnqueueRequestsFromMapFunc(r.mapConfigMapToReconcile)).
+		Watches(&corev1.ConfigMap{}, handler.EnqueueRequestsFromMapFunc(r.mapConfigMapToReconcile),
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				return obj.GetNamespace() == r.Namespace && obj.GetName() == configMapName
+			}))).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controllers/installerdeployment/controller.go` at line 167, The ConfigMap
watch currently registers cluster-wide (Watches(&corev1.ConfigMap{},
handler.EnqueueRequestsFromMapFunc(r.mapConfigMapToReconcile))) causing
reconciles for all namespaces; restrict the watch by adding a namespace
predicate that only allows events from the controller's target namespace (e.g.,
use predicate.NewPredicateFuncs or predicate.Funcs comparing obj.GetNamespace()
to r.namespace) so that Watches only enqueues when the ConfigMap namespace
matches, leaving mapConfigMapToReconcile unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/controllers/installerdeployment/controller.go`:
- Line 167: The ConfigMap watch currently registers cluster-wide
(Watches(&corev1.ConfigMap{},
handler.EnqueueRequestsFromMapFunc(r.mapConfigMapToReconcile))) causing
reconciles for all namespaces; restrict the watch by adding a namespace
predicate that only allows events from the controller's target namespace (e.g.,
use predicate.NewPredicateFuncs or predicate.Funcs comparing obj.GetNamespace()
to r.namespace) so that Watches only enqueues when the ConfigMap namespace
matches, leaving mapConfigMapToReconcile unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dfdc8e5a-b67d-4ace-81e2-95d35f883d14

📥 Commits

Reviewing files that changed from the base of the PR and between 13fba36 and 6861ae1.

📒 Files selected for processing (29)

• Dockerfile.rhel
• Makefile
• cmd/capi-installer/main.go
• cmd/capi-operator/main.go
• manifests/0000_30_cluster-api-installer_05_deployment.yaml
• manifests/0000_30_cluster-api-operator_00_namespace.yaml
• manifests/0000_30_cluster-api-operator_00_tombstones.yaml
• manifests/0000_30_cluster-api-operator_01_metrics-service.yaml
• manifests/0000_30_cluster-api-operator_01_serviceaccount.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-metrics-service.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml
• manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml
• manifests/0000_30_cluster-api-operator_03_clusterrole.yaml
• manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml
• manifests/0000_30_cluster-api-operator_04_clusterrolebinding.yaml
• manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml
• manifests/0000_30_cluster-api-operator_06_deployment.yaml
• manifests/0000_30_cluster-api-operator_07_clusterapi.yaml
• pkg/controllers/installerdeployment/assets/deployment.yaml
• pkg/controllers/installerdeployment/controller.go
• pkg/controllers/installerdeployment/controller_test.go
• pkg/controllers/installerdeployment/deployment.go
• pkg/controllers/installerdeployment/deployment_test.go
• pkg/controllers/installerdeployment/suite_test.go
• pkg/providerimages/configmap.go
• pkg/providerimages/configmap_test.go
• pkg/providerimages/providerimages_test.go
• pkg/providerimages/revision_images.go
• pkg/providerimages/revision_images_test.go

💤 Files with no reviewable changes (1)

• manifests/0000_30_cluster-api-installer_05_deployment.yaml

✅ Files skipped from review due to trivial changes (1)

• pkg/controllers/installerdeployment/deployment_test.go

🚧 Files skipped from review as they are similar to previous changes (16)

• Dockerfile.rhel
• Makefile
• manifests/0000_30_cluster-api-operator_02_capi-installer-servicemonitor.yaml
• manifests/0000_30_cluster-api-operator_05_provider-images-configmap.yaml
• pkg/providerimages/revision_images.go
• pkg/providerimages/configmap.go
• manifests/0000_30_cluster-api-operator_02_capi-installer-serviceaccount.yaml
• manifests/0000_30_cluster-api-operator_04_capi-installer-clusterrolebinding.yaml
• pkg/providerimages/configmap_test.go
• cmd/capi-installer/main.go
• pkg/providerimages/revision_images_test.go
• manifests/0000_30_cluster-api-operator_06_deployment.yaml
• pkg/controllers/installerdeployment/deployment.go
• cmd/capi-operator/main.go
• pkg/providerimages/providerimages_test.go
• pkg/controllers/installerdeployment/controller_test.go

[mdbooth]

/pipeline auto

[openshift-merge-bot]

Pipeline controller notification

The pipeline-auto label has been added to this PR. Second-stage tests will be triggered automatically when all first-stage tests pass.

[mdbooth]

unit test failure is the same flake fixed by #578

/test unit

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-capi-techpreview-post-install
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[mdbooth]

Pipeline controller has died again. Lets try to kick it manually.

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-capi-techpreview-post-install
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[mdbooth]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-capi-techpreview-post-install
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[mdbooth]

I created #579, which is a manual merge of this PR with #574, to test if it fixes the upgrade jobs.

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-capi-techpreview-post-install
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-disconnected-techpreview
/test e2e-aws-capi-techpreview
/test e2e-aws-capi-techpreview-post-install
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[openshift-ci-robot]

@mdbooth: This pull request references Jira Issue OCPBUGS-87001, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

• Bump envtest k8s version to 1.35.1
• Installer is separate deployment managed by capi-operator

Summary by CodeRabbit

• New Features

• Adds a dedicated capi-installer component: Deployment, ServiceAccount, headless metrics Service, ServiceMonitor, ClusterRoleBinding, and a ConfigMap of provider image references; operator now deploys and exposes capi-installer diagnostics/metrics.

• Operator deployment manifest updated to run with the new capi-installer integration.

• Chores

• Test env Kubernetes version bumped to 1.35.1.

• Build flow updated to include the capi-installer binary in releases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mdbooth]

/jira refresh

[openshift-ci-robot]

@mdbooth: This pull request references Jira Issue OCPBUGS-87001, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mdbooth]

Look like flakes:
/test e2e-aws-ovn-techpreview e2e-gcp-ovn-techpreview

Permafailing:
/override e2e-openstack-ovn-techpreview

[openshift-ci]

@mdbooth: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-openstack-ovn-techpreview

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/build
• ci/prow/e2e-aws-capi-disconnected-techpreview
• ci/prow/e2e-aws-capi-techpreview
• ci/prow/e2e-aws-capi-techpreview-post-install
• ci/prow/e2e-aws-ovn
• ci/prow/e2e-aws-ovn-serial-1of2
• ci/prow/e2e-aws-ovn-serial-2of2
• ci/prow/e2e-aws-ovn-techpreview
• ci/prow/e2e-aws-ovn-techpreview-upgrade
• ci/prow/e2e-azure-capi-techpreview
• ci/prow/e2e-azure-ovn-techpreview
• ci/prow/e2e-azure-ovn-techpreview-upgrade
• ci/prow/e2e-gcp-capi-techpreview
• ci/prow/e2e-gcp-ovn-techpreview
• ci/prow/e2e-metal3-capi-techpreview
• ci/prow/e2e-openstack-capi-techpreview
• ci/prow/e2e-openstack-ovn-techpreview
• ci/prow/e2e-vsphere-capi-techpreview
• ci/prow/images
• ci/prow/lint
• ci/prow/okd-scos-images
• ci/prow/regression-clusterinfra-aws-ipi-techpreview-capi
• ci/prow/unit
• ci/prow/vendor
• ci/prow/verify-deps
• pull-ci-openshift-cluster-capi-operator-main-build
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-disconnected-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview-post-install
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-serial-1of2
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-serial-2of2
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-techpreview-upgrade
• pull-ci-openshift-cluster-capi-operator-main-e2e-azure-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-azure-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-azure-ovn-techpreview-upgrade
• pull-ci-openshift-cluster-capi-operator-main-e2e-gcp-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-gcp-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-metal3-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-openstack-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-openstack-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-vsphere-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-images
• pull-ci-openshift-cluster-capi-operator-main-lint
• pull-ci-openshift-cluster-capi-operator-main-okd-scos-images
• pull-ci-openshift-cluster-capi-operator-main-regression-clusterinfra-aws-ipi-techpreview-capi
• pull-ci-openshift-cluster-capi-operator-main-unit
• pull-ci-openshift-cluster-capi-operator-main-vendor
• pull-ci-openshift-cluster-capi-operator-main-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

Look like flakes:
/test e2e-aws-ovn-techpreview e2e-gcp-ovn-techpreview

Permafailing:
/override e2e-openstack-ovn-techpreview

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mdbooth]

/override ci/prow/e2e-openstack-ovn-techpreview

[openshift-ci]

@mdbooth: Overrode contexts on behalf of mdbooth: ci/prow/e2e-openstack-ovn-techpreview

Details

In response to this:

/override ci/prow/e2e-openstack-ovn-techpreview

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-azure-ovn-techpreview openshift/cluster-api-provider-azure#392

[mdbooth]

/testwith openshift/cluster-capi-operator/main/e2e-azure-ovn-techpreview-upgrade openshift/cluster-api-provider-azure#392

[openshift-ci]

@mdbooth: Overrode contexts on behalf of mdbooth: ci/prow/e2e-openstack-ovn-techpreview

Details

In response to this:

/override ci/prow/e2e-openstack-ovn-techpreview

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@mdbooth: This pull request references Jira Issue OCPBUGS-87001, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Moves the installer and revision controllers into a separate capi-installer deployment which is created by capi-operator.

The reason for this is that these controllers mount release images as volumes. They will always mount the provider images from the current release, but on upgrade they must also mount the provider images from any previous revisions which are still active. Therefore the deployment cannot be static.

A new controller, installerdeployment runs in capi-operator to create the installer deployment.

Summary by CodeRabbit

• New Features

• Adds a dedicated capi-installer component: Deployment, ServiceAccount, headless metrics Service, ServiceMonitor, ClusterRoleBinding, and a ConfigMap of provider image references; operator now deploys and exposes capi-installer diagnostics/metrics.

• Operator deployment manifest updated to run with the new capi-installer integration.

• Chores

• Test env Kubernetes version bumped to 1.35.1.

• Build flow updated to include the capi-installer binary in releases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mdbooth]

/test e2e-aws-ovn-techpreview e2e-gcp-ovn-techpreview

[mdbooth]

/test e2e-aws-ovn-techpreview e2e-gcp-ovn-techpreview

[mdbooth]

openshift/origin#31286 has landed.

/retest-required

[mdbooth]

/test e2e-azure-ovn-techpreview

[openshift-ci]

@mdbooth: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-techpreview	6c74e49	link	true	/test e2e-aws-ovn-techpreview
ci/prow/e2e-azure-ovn-techpreview	6c74e49	link	false	/test e2e-azure-ovn-techpreview
ci/prow/e2e-gcp-ovn-techpreview	6c74e49	link	true	/test e2e-gcp-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.