[Draft] - Adding annotations to manifests for CVO

[miyadav]

Manifests changes , annoations added for capability to be identified by CVO . ( linked PR )
WIP - OCPCLOUD-3368
/hold

Generated by - claude-opus-4-6(2.1.169)

Summary by CodeRabbit

• Chores
  • Added OpenShift capability annotations to ClusterAPI and CompatibilityRequirements operator resources for improved platform identification and management.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Walkthrough

This PR adds OpenShift capability annotations (capability.openshift.io/name) across 39 manifest files. Changes include adding CompatibilityRequirements and ClusterAPI capability values to operator metadata, and updating cluster API credentials requests to append +ClusterAPI to existing values or add the annotation where absent.

Changes

OpenShift Capability Annotations

Layer / File(s)	Summary
Cluster API TLS config role annotation manifests/0000_20_cluster-api-tls-config_role.yaml	Adds capability.openshift.io/name: ClusterAPI annotation to the cluster-api-tls-config ClusterRole.
Compatibility Requirements operator annotations manifests/0000_20_crd-compatibility-checker_*.yaml	Adds capability.openshift.io/name: CompatibilityRequirements annotation to namespace, service account, secrets, RBAC roles, RBAC bindings, deployment, metrics service, webhook service, and NetworkPolicy manifests.
Cluster API installer operator annotations manifests/0000_30_cluster-api-installer_*.yaml	Adds capability.openshift.io/name: ClusterAPI annotation to namespace, service account, ClusterRole, ClusterRoleBinding, metrics service, deployment, ClusterAPI custom resource, and tombstone ConfigMap.
Cluster API core controller annotations and credentials manifests/0000_30_cluster-api_*.yaml	Adds capability.openshift.io/name: ClusterAPI annotation to namespace, service accounts, RBAC roles, RBAC bindings, webhook configuration, deployments, ClusterOperator, metrics services, and NetworkPolicy manifests. Updates credentials requests for AWS, Azure, GCP, OpenStack, and IBM PowerVS from CloudCredential to CloudCredential+ClusterAPI, and adds ClusterAPI annotation for vSphere and baremetal credentials requests.

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

Check name	Status	Explanation	Resolution
No-Weak-Crypto	❌ Error	RC4 cipher suite (TLS_RSA_WITH_RC4_128_SHA) detected in pkg/controllers/revision/helpers_test.go test code. Though in test code with explicit comment noting insecurity, RC4 is flagged weak crypto.	Remove or replace RC4 cipher suite with stronger alternatives (e.g., TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) in test code, or use crypto/tls standard test utilities instead.
Test Structure And Quality	⚠️ Warning	Multiple Eventually calls in webhook_test.go lack explicit timeouts, violating requirement #3 (timeouts required for cluster interactions).	Add explicit timeouts to all Eventually calls: Eventually(..., framework.WaitLong, framework.RetryMedium).Should(Succeed(), "message")
Topology-Aware Scheduling Compatibility	⚠️ Warning	PR adds 3 deployments with nodeSelector targeting control-plane nodes, which breaks on HyperShift where no control-plane nodes exist in-cluster.	Detect HyperShift via infrastructure.Status.ControlPlaneTopology and avoid control-plane nodeSelectors, or use library-go topology-aware utilities like WithControlPlaneNodeSelectorHook.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Adding annotations to manifests for CVO' accurately describes the main purpose of this pull request - adding capability annotations to Kubernetes manifests for CVO (Cluster Version Operator) identification, which is confirmed by all 33 file changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the newly added test files are stable and deterministic. No dynamic information (pod names, timestamps, UUIDs, node names, IPs) found in test titles.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR—only manifest files with annotations were modified. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains only YAML manifest annotation changes with no Ginkgo e2e tests added. SNO compatibility check only applies to test additions, making it not applicable here.
Ote Binary Stdout Contract	✅ Passed	PR only adds annotations to YAML manifests; no process-level code or stdout operations are modified. Existing logging is properly configured with klog.LogToStderr.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR contains only YAML Kubernetes manifest changes; no Ginkgo e2e tests were added or modified, so this check does not apply.
Container-Privileges	✅ Passed	PR adds only annotation metadata to manifests. No privileged container configurations (privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or root access) found.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains only Kubernetes manifest YAML changes adding capability annotations; no logging statements or code modifications introducing sensitive data logging.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nrb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

manifests/0000_20_crd-compatibility-checker_08_deployment.yaml (1)

38-87: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add explicit securityContext to the container spec.

The container lacks explicit securityContext settings. While the pod template annotation references restricted-v3 SCC, the coding guidelines require explicit security settings in the manifest itself.

As per coding guidelines, Kubernetes manifests should include:

• runAsNonRoot: true
• readOnlyRootFilesystem: true
• allowPrivilegeEscalation: false
• Drop ALL capabilities and add only required ones

🔒 Proposed securityContext addition

       - name: compatibility-requirements-controllers
         image: registry.ci.openshift.org/openshift:cluster-capi-operator
         command:
         - ./crd-compatibility-checker
         args:
           - --diagnostics-address=:8443
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
         env:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml` around lines
38 - 87, Add an explicit securityContext to the container spec for the container
named compatibility-requirements-controllers: set runAsNonRoot: true,
readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, and configure
capabilities to drop ["ALL"] (and only add any specific capabilities if truly
required). Update the container block that contains
ports/volumeMounts/readinessProbe/livenessProbe to include this securityContext
so the manifest no longer relies solely on the pod SCC annotation.

Source: Coding guidelines

🧹 Nitpick comments (1)

manifests/0000_20_crd-compatibility-checker_08_deployment.yaml (1)

76-79: ⚡ Quick win

Consider adding resource limits to complement requests.

The container defines resource requests but no limits. As per coding guidelines, resource limits (cpu, memory) should be set on every container to prevent resource exhaustion and ensure predictable scheduling behavior.

📊 Proposed resource limits addition

         resources:
           requests:
             cpu: 10m
             memory: 50Mi
+          limits:
+            cpu: 100m
+            memory: 200Mi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml` around lines
76 - 79, The container resource spec currently only sets requests (cpu: 10m,
memory: 50Mi) in the resources block; add corresponding resource limits to
prevent resource exhaustion. Update the same resources section for the container
in manifests/0000_20_crd-compatibility-checker_08_deployment.yaml by adding
limits.cpu and limits.memory (e.g., cpu: "100m" and memory: "128Mi" or values
appropriate for the app) alongside the existing requests so both requests and
limits are defined for the container.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml`:
- Around line 38-87: Add an explicit securityContext to the container spec for
the container named compatibility-requirements-controllers: set runAsNonRoot:
true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, and
configure capabilities to drop ["ALL"] (and only add any specific capabilities
if truly required). Update the container block that contains
ports/volumeMounts/readinessProbe/livenessProbe to include this securityContext
so the manifest no longer relies solely on the pod SCC annotation.

---

Nitpick comments:
In `@manifests/0000_20_crd-compatibility-checker_08_deployment.yaml`:
- Around line 76-79: The container resource spec currently only sets requests
(cpu: 10m, memory: 50Mi) in the resources block; add corresponding resource
limits to prevent resource exhaustion. Update the same resources section for the
container in manifests/0000_20_crd-compatibility-checker_08_deployment.yaml by
adding limits.cpu and limits.memory (e.g., cpu: "100m" and memory: "128Mi" or
values appropriate for the app) alongside the existing requests so both requests
and limits are defined for the container.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 75630441-0604-4f2c-9c0c-02f159d02830

📥 Commits

Reviewing files that changed from the base of the PR and between 05c113e and 623adff.

📒 Files selected for processing (35)

• manifests/0000_20_cluster-api-tls-config_role.yaml
• manifests/0000_20_crd-compatibility-checker_00_namespace.yaml
• manifests/0000_20_crd-compatibility-checker_02_service_account.yaml
• manifests/0000_20_crd-compatibility-checker_03_rbac_roles.yaml
• manifests/0000_20_crd-compatibility-checker_04_rbac_bindings.yaml
• manifests/0000_20_crd-compatibility-checker_05_metrics-service.yaml
• manifests/0000_20_crd-compatibility-checker_07_webhook-service.yaml
• manifests/0000_20_crd-compatibility-checker_08_deployment.yaml
• manifests/0000_20_crd-compatibility-checker_09_allow-egress-operators.yaml
• manifests/0000_20_crd-compatibility-checker_10_allow-ingress-to-webhook.yaml
• manifests/0000_30_cluster-api-installer_00_namespace.yaml
• manifests/0000_30_cluster-api-installer_00_tombstones.yaml
• manifests/0000_30_cluster-api-installer_01_metrics-service.yaml
• manifests/0000_30_cluster-api-installer_01_serviceaccount.yaml
• manifests/0000_30_cluster-api-installer_02_clusterrole.yaml
• manifests/0000_30_cluster-api-installer_03_clusterrolebinding.yaml
• manifests/0000_30_cluster-api-installer_05_deployment.yaml
• manifests/0000_30_cluster-api-installer_06_clusterapi.yaml
• manifests/0000_30_cluster-api_00_namespace.yaml
• manifests/0000_30_cluster-api_00_tombstones-4.22-tpnu.yaml
• manifests/0000_30_cluster-api_01_credentials-request.yaml
• manifests/0000_30_cluster-api_02_service_account.yaml
• manifests/0000_30_cluster-api_02_webhook-service.yaml
• manifests/0000_30_cluster-api_03_rbac_roles.yaml
• manifests/0000_30_cluster-api_04_rbac_bindings.yaml
• manifests/0000_30_cluster-api_10_metrics-service.yaml
• manifests/0000_30_cluster-api_10_webhooks.yaml
• manifests/0000_30_cluster-api_11_deployment.yaml
• manifests/0000_30_cluster-api_12_clusteroperator.yaml
• manifests/0000_30_cluster-api_13_allow-ingress-to-metrics-controllers.yaml
• manifests/0000_30_cluster-api_14_allow-ingress-to-metrics-operators.yaml
• manifests/0000_30_cluster-api_15_allow-egress-controllers.yaml
• manifests/0000_30_cluster-api_16_allow-egress-operators.yaml
• manifests/0000_30_cluster-api_17_default-deny.yaml
• manifests/0000_30_cluster-api_18_allow-ingress-to-webhook.yaml