OCPNODE-4125: Introduce to v1 CRIOCredentialProviderConfig

[QiWang19]

Introduce v1 type CRIOCredentialProviderConfig, without shipping it in the payload(The change to update-payload-crds.sh). Next, need to migrate consumers, then swap the manifests from v1alpha1 to v1 for feature GA.

• API type definition keeps the same as v1alpha1 CRIOCredentialProviderConfig
• criocredentialprovider implemented by OCPNODE-3880: Add criocredentialproviderconfig event handler machine-config-operator#5487
• e2e tests OCPNODE-4031: Add criocredentialprovider tests origin#30821

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @QiWang19! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2ae57672-d2b3-491f-8e5e-0998fc42ba80

📥 Commits

Reviewing files that changed from the base of the PR and between 09e8c83 and c85beac.

⛔ Files ignored due to path filters (7)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/zz_generated*
• config/v1/zz_generated.featuregated-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1/zz_generated.model_name.go is excluded by !**/zz_generated*
• config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*

📒 Files selected for processing (6)

• config/v1/manual-override-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
• config/v1/register.go
• config/v1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
• config/v1/types_crio_credential_provider_config.go
• hack/update-payload-crds.sh
• payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml

💤 Files with no reviewable changes (2)

• hack/update-payload-crds.sh
• payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml

✅ Files skipped from review due to trivial changes (2)

• config/v1/register.go
• config/v1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• config/v1/types_crio_credential_provider_config.go
• config/v1/manual-override-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml

---

📝 Walkthrough

Walkthrough

This pull request introduces a new CRIOCredentialProviderConfig API type to the OpenShift configuration v1 group. The changes include defining the API type with spec (containing bounded MatchImages patterns with FQDN validation) and status structures with condition tracking, registering the types in the Kubernetes scheme, providing manual v1alpha1 and production v1 CRD manifests with comprehensive OpenAPI validation rules, including validation test cases for valid and invalid image pattern inputs, and updating build infrastructure to migrate storage from v1alpha1 to v1.

Suggested reviewers

• JoelSpeed
• everettraven

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Test framework in tests/generator.go lacks assertion messages required by check requirement #4: multiple Expect() calls in assertOnCreate (lines 174, 178, 188) and assertOnUpdate (lines 235, 270, 2...	Add descriptive messages to all Expect() assertions without them in tests/generator.go assertOnCreate and assertOnUpdate functions, e.g., change Expect(k8sClient.Get(...)) to Expect(k8sClient.Get(...), "failed to fetch created object").

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: introducing a v1 API type for CRIOCredentialProviderConfig while keeping it gated and not shipping it in the payload.
Description check	✅ Passed	The description is directly related to the changeset, explaining the v1 type introduction, payload exclusion, consumer migration plan, and feature GA strategy with relevant references.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in the added YAML test file are stable, descriptive, and free of dynamic content like pod names, timestamps, UUIDs, or node names.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The only test file added is a declarative YAML CRD test specification, not a Ginkgo test. E2e tests are in a separate PR (origin PR #30821).
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The PR only adds API type definitions, CRD manifests, and validation specs in YAML format, which are not subject to the SNO compatibility check.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only API type definitions and CRD manifests with no deployment specs, operator code, or scheduling constraints that assume HA topology.
Ote Binary Stdout Contract	✅ Passed	PR adds API type definitions, auto-generated deepcopy/swagger methods, and YAML manifests. No process-level code (main, init, TestMain, BeforeSuite, etc.) writes non-JSON output to stdout. No stdou...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR introduces API type definitions and CRD manifests without adding any Ginkgo e2e tests. E2E tests are in separate openshift/origin PR, not in this API repo PR.
No-Weak-Crypto	✅ Passed	PR introduces v1 API type CRIOCredentialProviderConfig with no cryptographic code: only type definitions, autogenerated deepcopy/swagger methods, CRD manifests, and configuration files. No weak cry...
Container-Privileges	✅ Passed	PR introduces API type definitions and CRD manifests only; no container specifications with privilege escalation, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation settings found.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains no logging code. All changes are API type definitions, autogenerated methods, and CRD manifests with documentation; no log/fmt/klog calls that could expose sensitive data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[QiWang19]

/test all

[qodo-code-review]

ⓘ Your monthly quota for Qodo has expired. Upgrade your plan

ⓘ Paying users. Check that your Qodo account is linked with this Git user account

[QiWang19]

/test verify

[qodo-code-review]

ⓘ Your monthly quota for Qodo has expired. Upgrade your plan

ⓘ Paying users. Check that your Qodo account is linked with this Git user account

[QiWang19]

/test all

[qodo-code-review]

ⓘ Your monthly quota for Qodo has expired. Upgrade your plan

ⓘ Paying users. Check that your Qodo account is linked with this Git user account

[QiWang19]

/verified by cluster-bot

[openshift-ci-robot]

@QiWang19: This PR has been marked as verified by cluster-bot.

Details

In response to this:

/verified by cluster-bot

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

config/v1/types_crio_credential_provider_config.go (1)

125-127: Keep documented condition types in sync with declared constants.

Line 125 documents only "Validated" as an expected condition type, but Lines 171–176 also define "MachineConfigRendered". Please document both to avoid API contract drift.

Also applies to: 171-176

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/v1/types_crio_credential_provider_config.go` around lines 125 - 127,
The documented list of expected condition types is out of sync with the declared
constants: update the comment block that currently lists only "Validated" to
include both "Validated" and "MachineConfigRendered" so it matches the constants
defined later (the "Validated" and "MachineConfigRendered" condition type
constants in types_crio_credential_provider_config.go); ensure both names are
spelled exactly as the constants and marked +optional if appropriate.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/v1/types_crio_credential_provider_config.go`:
- Line 22: Remove the feature-gate annotation that gates the v1 API by deleting
the line containing "+openshift:enable:FeatureGate=CRIOCredentialProviderConfig"
in types_crio_credential_provider_config.go so the v1 CRD is unconditionally
exposed; after removing that annotation, regenerate any CRD manifests or API
docs (e.g., run the project’s codegen/make target) to ensure the CRD and
generated artifacts no longer include the FeatureGate metadata.

---

Nitpick comments:
In `@config/v1/types_crio_credential_provider_config.go`:
- Around line 125-127: The documented list of expected condition types is out of
sync with the declared constants: update the comment block that currently lists
only "Validated" to include both "Validated" and "MachineConfigRendered" so it
matches the constants defined later (the "Validated" and "MachineConfigRendered"
condition type constants in types_crio_credential_provider_config.go); ensure
both names are spelled exactly as the constants and marked +optional if
appropriate.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 1105fd4 and 4b7758f.

⛔ Files ignored due to path filters (3)

• config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1/zz_generated.featuregated-crd-manifests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**

📒 Files selected for processing (9)

• config/v1/register.go
• config/v1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
• config/v1/types_crio_credential_provider_config.go
• config/v1/zz_generated.deepcopy.go
• config/v1/zz_generated.featuregated-crd-manifests.yaml
• config/v1/zz_generated.swagger_doc_generated.go
• hack/update-payload-crds.sh
• payload-command/empty-resources/0000_05_config-operator_02_criocredentialproviderconfig.cr.yaml
• payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs.crd.yaml

💤 Files with no reviewable changes (1)

• hack/update-payload-crds.sh

[openshift-ci-robot]

@QiWang19: This pull request references OCPNODE-4125 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Upgrade v1 type CRIOCredentialProviderConfig, manifests, and corresponding empty resource for API GA in 4.22.

API type definition keeps the same as v1alpha1 CRIOCredentialProviderConfig

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[QiWang19]

@JoelSpeed could you help review this PR? Since in the feature https://issues.redhat.com/browse/OCPSTRAT-2853 we targeted GA of this API in 4.22, we haven't done other implementation outside of o/api, so moving to v1 now won't break any external dependencies.

[JoelSpeed]

we haven't done other implementation outside of o/api

@QiWang19 Before we promote a type to v1, we expect it to be feature complete and be in a state to demonstrate the feature is ready for promotion. Based on your comment, it sounds like we aren't there?

Before merging a PR like this, I'd expect to see a feature promotion PR with good data showing we are on track to have the required tests and pass rate soon

[QiWang19]

@JoelSpeed The feature is still in progress, not ready for promotion, which is why it's currently under a TechPreview featuregate.

This PR is to update v1 API early to avoid breaking changes later, but lock the feature under TechPreviewNoUpgrade featuregate. I intended to provide the test pass rate and promotion data when we actually promote the FeatureGate to GA.

I was under the impression that the test pass rate are requirements applied to the featuregate promotion rather than the initial addition of the v1 API type itself.

[JoelSpeed]

We don't want to ship v1 types under tech preview in case we need to change the types later as we learn something during implementation.

The normal path here is that you get the feature implemented in tech preview as v1alpha1, demonstrate it's working, and then we submit a handful of PRs to move the types to v1 once we are confident in the release it will ship GA in

[QiWang19]

/hold

openshift/machine-config-operator#5487

[QiWang19]

@JoelSpeed PTAL

[JoelSpeed]

@QiWang19 Thanks for the updates, changes here look good.

Could you please line up PRs for all component repositories that need to be updated to account for this change, and then we will test them together with payload commands.

I'm expecting that to be client-go, origin and MCO, anything else you think?

[JoelSpeed]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[QiWang19]

/pipeline required

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[QiWang19]

Could you please line up PRs for all component repositories that need to be updated to account for this change, and then we will test them together with payload commands.

I'm expecting that to be client-go, origin and MCO, anything else you think?

I think we also add a PR that upgrade the singlton payload resoucre CRIOCredentialProviderConfig.

Draft PRs that are ready to be tested after this API PR merged:

• Add v1 CRIOCredentialProviderConfig support to OpenShift API client-go#385
• upgrade CRIOCredentialProviderConfig to v1 machine-config-operator#6220
• upgrade to test v1 CRIOCredentialProviderConfig origin#31324
• Upgrade v1 criocp payload resource #2900

After merged above PRs, we can continue on Remove the v1alpha1 manual override, and upgrade the FeatureGate to Default

@JoelSpeed would the above work?

[JoelSpeed]

@QiWang19 Yep, that works. What's a good test suite to test these PRs together? Can we get a smoke test using /testwith to demonstrate that the PRs all work together

[QiWang19]

we can run under MCO PR:
/testwith openshift/machine-config-operator/main/bootstrap-unit ... Job logs and status
/testwith openshift/machine-config-operator/main/e2e-gcp-op-techpreview ... Job logs and status

Both job can pass, for e2e-gcp-op-techpreview,

• multi pr test does not contain below resoucre not installed error in the log
• MCO PR solo run contains the expected error, as the resource doesn't exist yet:log
  "Failed to watch" err="failed to list *v1.CRIOCredentialProviderConfig: the server could not find the requested resource (get criocredentialproviderconfigs.config.openshift.io)" reflector="github.com/openshift/client-go/config/informers/externalversions/factory.go:126" type="*v1.CRIOCredentialProviderConfig"

launch the aws techpreview cluster with the PRs succeeded.(view logs)

[QiWang19]

Should we get this PR in, and then merge a vendor bump openshift/client-go#385 first?

[JoelSpeed]

Ack, those smoke tests look good to me
/lgtm
/verified by @QiWang19
/retest

[openshift-ci-robot]

@JoelSpeed: This PR has been marked as verified by @QiWang19.

Details

In response to this:

Ack, those smoke tests look good to me
/lgtm
/verified by @QiWang19
/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[JoelSpeed]

/hold cancel

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 2259ae9 and 2 for PR HEAD c85beac in total

[JoelSpeed]

/retest

[QiWang19]

/test e2e-aws-ovn-techpreview
/test e2e-gcp

[QiWang19]

should we override test e2e-aws-ovn-techpreview and e2e-gcp?

[openshift-ci]

@QiWang19: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp	c85beac	link	true	/test e2e-gcp

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.