OCPCLOUD-3263: CAPI MachineSet creation validation

[theobarberbany]

Should merge after #412 as it's stacked.

Summary by CodeRabbit

• New Features

  • Added admission control policies to enforce creation rules for cluster machines and machine sets, ensuring proper authorization state and pause conditions are met during provisioning.

• Tests

  • Expanded test coverage for machine set creation validation under various authorization scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@theobarberbany: This pull request references OCPCLOUD-3263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

Adds ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources to enforce creation controls on CAPI Machine and MachineSet resources, correcting status path expressions and gating creation based on authoritativeAPI state and pause conditions. Corresponding test suite validates machine set creation scenarios across authorization modes.

Changes

Cohort / File(s)	Summary
Admission policy definitions manifests/0000_30_cluster-api_09_admission-policies.yaml	Fixes status path expressions from params.?status.?authoritativeAPI to params.status.authoritativeAPI. Adds two new ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding pairs: one for machine creation (openshift-validate-capi-machine-creation) and one for machine set creation (openshift-validate-capi-machine-set-creation). Each policy enforces creation restrictions based on authoritativeAPI state (MachineAPI vs. ClusterAPI) and paused conditions with corresponding denial messages.
Machine set creation validation tests pkg/controllers/machinesetsync/machineset_vap_test.go	Adds comprehensive test context validating CAPI machine set creation under various MAPI authorization modes. Introduces test cases covering: missing MAPI MachineSet sentinel, authoritativeAPI=MachineAPI with paused/unpaused scenarios, and authoritativeAPI=ClusterAPI with pause state toggles. Tests verify denial and allowance expectations based on pause conditions and authoritative status. Includes metav1 import for metadata handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Manifest file: Review new admission policy definitions for correctness of validation expressions, status path references, and constraint logic across machine and machine set policies
• Test file: Verify test scenarios comprehensively cover the authorization modes, pause state transitions, and expected allow/deny outcomes; confirm duplication patterns reflect intentional test coverage

Poem

🐰 A rabbit hops through policies new,
Machines and sets in tidy review,
Status paths fixed, authoritative and true,
Pause gates the flow—a validation queue! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: adding validation for CAPI MachineSet creation, which aligns with the primary additions in the changeset (ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding for machine set creation).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@theobarberbany: This pull request references OCPCLOUD-3263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Should merge after #412 as it's stacked.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@theobarberbany: This pull request references OCPCLOUD-3263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Should merge after #412 as it's stacked.

Summary by CodeRabbit

• New Features

• Introduced validating admission policies that enforce creation rules for cluster API machines and machine sets, ensuring proper state management and authorization during resource creation.

• Tests

• Added comprehensive test coverage for cluster API machine and machine set creation validation scenarios, including authoritativeAPI state and paused condition handling.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/controllers/machinesetsync/machineset_vap_test.go (1)

391-391: Potential nil builder usage.

mapiMachineSetBuilder is declared at line 352 but not initialized with a namespace before line 391. The code attempts to call .WithNamespace() on a zero-value builder. While this might work if the builder handles zero values gracefully, it's inconsistent with the pattern in the existing test at lines 289-290 where the builder is freshly created.

🔎 Suggested fix

-			By("Configuring the MAPI MachineSet Builder")
-			mapiMachineSetBuilder = mapiMachineSetBuilder.WithNamespace(mapiNamespace.Name)
+			By("Configuring the MAPI MachineSet Builder")
+			mapiMachineSetBuilder = machinev1resourcebuilder.MachineSet().
+				WithNamespace(mapiNamespace.Name)

manifests/0000_30_cluster-api_09_admission-policies.yaml (1)

531-536: Minor: Comment references "Machine" instead of "MachineSet".

The comment at line 531 says "parameter Machine (MAPI)" but this policy is for MachineSet resources. While this doesn't affect functionality, it could cause confusion during maintenance.

🔎 Suggested fix

-        # True when the **parameter Machine (MAPI)** is already paused
+        # True when the **parameter MachineSet (MAPI)** is already paused
         - name: mapiPaused

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between c68e590 and a0c6760.

📒 Files selected for processing (3)

• manifests/0000_30_cluster-api_09_admission-policies.yaml (1 hunks)
• pkg/controllers/machinesetsync/machineset_vap_test.go (2 hunks)
• pkg/controllers/machinesync/machine_sync_controller_test.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/controllers/machinesync/machine_sync_controller_test.go (2)

pkg/admissionpolicy/testutils/util.go (3)

• AddSentinelValidation (185-190)
• UpdateVAPBindingNamespaces (216-239)
• VerifySentinelValidation (193-197)

pkg/conversion/mapi2capi/interface.go (1)

• Machine (24-26)

🔇 Additional comments (5)

pkg/controllers/machinesync/machine_sync_controller_test.go (2)

1643-1692: Test setup follows established patterns.

The new test context for "Validate creation of CAPI machine" mirrors the structure of existing VAP tests in this file, including:

• Loading and patching the VAP to include UPDATE operations for easier testing
• Updating the VAP binding namespaces
• Creating sentinel resources and verifying sentinel validation

---

1694-1781: Test coverage for CAPI machine creation validation is comprehensive.

The test cases properly validate:

1. Creation allowed when no MAPI counterpart exists (parameterNotFoundAction=Allow)
2. Denial of unpaused CAPI machine when MAPI has authoritativeAPI=MachineAPI
3. Allowance of CAPI machine with paused annotation when MAPI is authoritative
4. Denial when MAPI has authoritativeAPI=ClusterAPI but is not paused
5. Allowance when MAPI machine has Paused condition set

pkg/controllers/machinesetsync/machineset_vap_test.go (1)

405-493: Test coverage for CAPI MachineSet creation validation is comprehensive.

The test cases properly validate the same scenarios as the Machine tests:

1. Creation allowed when no MAPI counterpart exists
2. Denial of unpaused CAPI machineset when MAPI has authoritativeAPI=MachineAPI
3. Allowance with paused annotation
4. Denial when MAPI has authoritativeAPI=ClusterAPI but is not paused
5. Allowance when MAPI machineset has Paused condition

manifests/0000_30_cluster-api_09_admission-policies.yaml (2)

402-478: New CAPI Machine creation validation policy looks correct.

The policy:

• Properly excludes service account requests (machine-api-controllers, cluster-capi-operator)
• Uses parameterNotFoundAction: Allow to avoid blocking when no MAPI counterpart exists
• Checks both MachineAPI and ClusterAPI authoritative states with appropriate pause requirements
• CEL expressions correctly handle optional fields with .orValue()

---

480-556: CAPI MachineSet creation validation policy implementation is correct.

The policy mirrors the Machine creation policy with appropriate adjustments:

• Correct paramKind (MachineSet)
• Correct resource rules targeting machinesets
• Same service account exclusions
• Consistent validation logic for pause requirements

[openshift-ci-robot]

@theobarberbany: This pull request references OCPCLOUD-3263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Should merge after #412 as it's stacked.

Summary by CodeRabbit

• New Features

• Added validating admission policies and bindings that gate creation of Cluster API Machines and MachineSets based on authoritative API, pause conditions, name/parameter matching, and user-access constraints.

• Tests

• Added end-to-end validation tests covering Machine and MachineSet creation scenarios (authoritativeAPI variants, paused/unpaused states, sentinel validation); duplicate test context also appears in the changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

manifests/0000_30_cluster-api_09_admission-policies.yaml (2)

477-477: Remove unnecessary second optional chaining operator.

Based on learnings, only the first ? is needed when using the optional chaining operator. The expression params.?status.?authoritativeAPI should be params.?status.authoritativeAPI.

🔎 Proposed fix

-        messageExpression: "'Can\\'t create Cluster API Machine ' + object.metadata.name + ' as a Machine API Machine with status.authoritativeAPI: ' + params.?status.?authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"
+        messageExpression: "'Can\\'t create Cluster API Machine ' + object.metadata.name + ' as a Machine API Machine with status.authoritativeAPI: ' + params.?status.authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"

Based on learnings, this follows the pattern identified in the previous review.

---

555-555: Remove unnecessary second optional chaining operator.

Based on learnings, only the first ? is needed when using the optional chaining operator. The expression params.?status.?authoritativeAPI should be params.?status.authoritativeAPI.

🔎 Proposed fix

-        messageExpression: "'Can\\'t create Cluster API machine set ' + object.metadata.name + ' as a Machine API machine set with status.authoritativeAPI: ' + params.?status.?authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"
+        messageExpression: "'Can\\'t create Cluster API machine set ' + object.metadata.name + ' as a Machine API machine set with status.authoritativeAPI: ' + params.?status.authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"

Based on learnings, this follows the pattern identified in the previous review.

🧹 Nitpick comments (1)

manifests/0000_30_cluster-api_09_admission-policies.yaml (1)

419-478: Consider extracting common validation logic to reduce duplication.

The Machine and MachineSet validation policies (lines 419-478 and 497-556) share nearly identical structure with only minor differences in resource types and message wording. While this duplication ensures correctness and clarity, consider whether CEL expressions support composition patterns that could reduce maintenance burden.

Also applies to: 497-556

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between a0c6760 and 9a011dc.

📒 Files selected for processing (2)

• manifests/0000_30_cluster-api_09_admission-policies.yaml (1 hunks)
• pkg/controllers/machinesetsync/machineset_vap_test.go (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/controllers/machinesetsync/machineset_vap_test.go (2)

pkg/admissionpolicy/testutils/util.go (3)

• AddSentinelValidation (185-190)
• UpdateVAPBindingNamespaces (216-239)
• VerifySentinelValidation (193-197)

pkg/conversion/mapi2capi/interface.go (1)

• MachineSet (29-31)

🔇 Additional comments (3)

pkg/controllers/machinesetsync/machineset_vap_test.go (2)

32-32: LGTM!

The metav1 import is correctly added to support the metav1.Now() call on line 481 for setting LastTransitionTime.

---

350-494: Well-structured test coverage for CAPI MachineSet creation validation.

The test comprehensively covers the three key scenarios:

• Creation when no MAPI counterpart exists (parameterNotFoundAction=Allow)
• Denial when authoritativeAPI=MachineAPI and CAPI is unpaused
• Proper handling when authoritativeAPI=ClusterAPI based on MAPI pause state

The structure mirrors the machine creation tests, ensuring consistency across the codebase.

manifests/0000_30_cluster-api_09_admission-policies.yaml (1)

402-556: Well-designed admission policies for CAPI creation validation.

The new policies correctly implement the creation validation logic:

• Bindings properly configure parameterNotFoundAction: Allow to permit creation when no corresponding MAPI resource exists
• Variables clearly define authoritative API states and pause conditions
• Validations enforce the correct pause-state requirements based on the authoritative API

The structure aligns well with existing policies and provides comprehensive protection for CAPI resource creation.

[openshift-ci-robot]

@theobarberbany: This pull request references OCPCLOUD-3263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Should merge after #412 as it's stacked.

Summary by CodeRabbit

• New Features

• Added validating admission policies and bindings to gate creation of Cluster API Machines and MachineSets based on authoritative API, pause state, name/parameter matching, and user-access constraints.

• Tests

• Added end-to-end validation tests covering Machine and MachineSet creation across authoritativeAPI variants and paused/unpaused scenarios; a duplicate test context is also present.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

manifests/0000_30_cluster-api_09_admission-policies.yaml (2)

477-477: Remove redundant safe-navigation operator.

Line 477 uses two ? operators (params.?status.?authoritativeAPI) when only one is needed. The safe-navigation should only be applied after params.

🔎 Proposed fix

-        messageExpression: "'Can\\'t create Cluster API Machine ' + object.metadata.name + ' as a Machine API Machine with status.authoritativeAPI: ' + params.?status.?authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"
+        messageExpression: "'Can\\'t create Cluster API Machine ' + object.metadata.name + ' as a Machine API Machine with status.authoritativeAPI: ' + params.?status.authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"

Based on past review comments, the safe-navigation operator pattern should be params.?status.authoritativeAPI (as correctly used in lines 447 and 451).

---

555-555: Remove redundant safe-navigation operator.

Line 555 uses two ? operators (params.?status.?authoritativeAPI) when only one is needed. The safe-navigation should only be applied after params.

🔎 Proposed fix

-        messageExpression: "'Can\\'t create Cluster API machine set ' + object.metadata.name + ' as a Machine API machine set with status.authoritativeAPI: ' + params.?status.?authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"
+        messageExpression: "'Can\\'t create Cluster API machine set ' + object.metadata.name + ' as a Machine API machine set with status.authoritativeAPI: ' + params.?status.authoritativeAPI.orValue('<unset>') + ' already exists and is not paused. '"

Based on past review comments, the safe-navigation operator pattern should be params.?status.authoritativeAPI (as correctly used in lines 525 and 529).

🧹 Nitpick comments (1)

pkg/controllers/machinesetsync/machineset_vap_test.go (1)

397-397: Rename variable to match the resource type.

The variable is named capiSentinelMachine but creates a MachineSet. Consider renaming to capiSentinelMachineSet for clarity.

🔎 Proposed fix

-			capiSentinelMachine := clusterv1resourcebuilder.MachineSet().WithName("sentinel-machineset").WithNamespace(capiNamespace.Name).Build()
-			Eventually(k8sClient.Create(ctx, capiSentinelMachine)).Should(Succeed())
+			capiSentinelMachineSet := clusterv1resourcebuilder.MachineSet().WithName("sentinel-machineset").WithNamespace(capiNamespace.Name).Build()
+			Eventually(k8sClient.Create(ctx, capiSentinelMachineSet)).Should(Succeed())

-			Eventually(k.Get(capiSentinelMachine)).Should(Succeed())
+			Eventually(k.Get(capiSentinelMachineSet)).Should(Succeed())

-			admissiontestutils.VerifySentinelValidation(k, capiSentinelMachine, timeout)
+			admissiontestutils.VerifySentinelValidation(k, capiSentinelMachineSet, timeout)

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 9a011dc and ea29ded.

📒 Files selected for processing (2)

• manifests/0000_30_cluster-api_09_admission-policies.yaml (1 hunks)
• pkg/controllers/machinesetsync/machineset_vap_test.go (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/controllers/machinesetsync/machineset_vap_test.go (1)

pkg/admissionpolicy/testutils/util.go (3)

• AddSentinelValidation (185-190)
• UpdateVAPBindingNamespaces (216-239)
• VerifySentinelValidation (193-197)

🔇 Additional comments (4)

pkg/controllers/machinesetsync/machineset_vap_test.go (2)

32-32: LGTM!

The import addition and test context setup follow established patterns in the codebase.

Also applies to: 350-352

---

405-494: LGTM!

The test cases comprehensively cover the validation scenarios:

• Creating CAPI MachineSet without MAPI counterpart (parameterNotFoundAction=Allow)
• Paused/unpaused states for both authoritativeAPI values
• Error message expectations align with the VAP policy definitions

manifests/0000_30_cluster-api_09_admission-policies.yaml (2)

402-417: LGTM!

The ValidatingAdmissionPolicyBinding is properly configured with namespace selectors and parameterNotFoundAction=Allow, which correctly allows CAPI Machine creation when no corresponding MAPI Machine exists.

---

480-495: LGTM!

The MachineSet creation binding mirrors the Machine creation binding with appropriate resource type changes, maintaining consistency across the admission policy set.

[openshift-ci-robot]

@theobarberbany: This pull request references OCPCLOUD-3263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Should merge after #412 as it's stacked.

Summary by CodeRabbit

• New Features

• Added validating admission policies and bindings to gate creation of Cluster API Machines and MachineSets based on authoritative API, pause state, name/parameter matching, and deny messages to enforce pause/status requirements.

• Bug Fixes

• Fixed an expression path used in machine-creation logic to ensure correct evaluation.

• Tests

• Added end-to-end validation tests covering Machine and MachineSet creation across authoritativeAPI variants and paused/unpaused scenarios; a duplicated test context is present.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[JoelSpeed]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[theobarberbany]

/test unit

[openshift-ci-robot]

@theobarberbany: This pull request references OCPCLOUD-3263 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Should merge after #412 as it's stacked.

Summary by CodeRabbit

• New Features

• Added admission control policies to enforce creation rules for cluster machines and machine sets, ensuring proper authorization state and pause conditions are met during provisioning.

• Tests

• Expanded test coverage for machine set creation validation under various authorization scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/controllers/machinesetsync/machineset_vap_test.go (1)

397-398: Minor: Variable naming inconsistency.

The variable capiSentinelMachine is a MachineSet, not a Machine. Consider renaming to capiSentinelMachineSet for consistency with the MAPI sentinel variable naming.

🔎 Suggested rename

-			capiSentinelMachine := clusterv1resourcebuilder.MachineSet().WithName("sentinel-machineset").WithNamespace(capiNamespace.Name).Build()
-			Eventually(k8sClient.Create(ctx, capiSentinelMachine)).Should(Succeed())
+			capiSentinelMachineSet := clusterv1resourcebuilder.MachineSet().WithName("sentinel-machineset").WithNamespace(capiNamespace.Name).Build()
+			Eventually(k8sClient.Create(ctx, capiSentinelMachineSet)).Should(Succeed())

-			Eventually(k.Get(capiSentinelMachine)).Should(Succeed())
+			Eventually(k.Get(capiSentinelMachineSet)).Should(Succeed())

-			admissiontestutils.VerifySentinelValidation(k, capiSentinelMachine, timeout)
+			admissiontestutils.VerifySentinelValidation(k, capiSentinelMachineSet, timeout)

manifests/0000_30_cluster-api_09_admission-policies.yaml (1)

531-532: Copy-paste error in comment.

The comment says "parameter Machine (MAPI)" but this policy is for MachineSets. This should be corrected for clarity.

🔎 Suggested fix

-        # True when the **parameter Machine (MAPI)** is already paused
+        # True when the **parameter MachineSet (MAPI)** is already paused

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between a2fd054 and 4e77276.

📒 Files selected for processing (2)

• manifests/0000_30_cluster-api_09_admission-policies.yaml (3 hunks)
• pkg/controllers/machinesetsync/machineset_vap_test.go (2 hunks)

🔇 Additional comments (6)

pkg/controllers/machinesetsync/machineset_vap_test.go (2)

32-32: LGTM!

The metav1 import is correctly added for the metav1.Now() usage in the Paused condition's LastTransitionTime on line 481.

---

405-493: LGTM!

The test cases comprehensively cover the validation scenarios:

• parameterNotFoundAction=Allow when no MAPI counterpart exists
• Denial of unpaused CAPI MachineSet when MAPI has authoritativeAPI=MachineAPI
• Allowance when CAPI has paused annotation
• Denial when MAPI has authoritativeAPI=ClusterAPI but is not paused
• Allowance when MAPI has Paused condition

The status updates correctly target the MAPI MachineSet's status.authoritativeAPI and status.conditions, matching the VAP expressions.

manifests/0000_30_cluster-api_09_admission-policies.yaml (4)

207-207: LGTM!

The expression correctly uses params.?status.authoritativeAPI.orValue("") with only the first ? for optional chaining. This addresses the previous review feedback.

---

447-477: LGTM!

The expressions for authoritativeAPIMAPI and authoritativeAPICAPI correctly use optional chaining with orValue("") for safe status field access. The updated messageExpression on line 477 properly references the status path.

---

479-495: LGTM!

The binding correctly configures:

• matchResources targeting openshift-cluster-api namespace for CAPI MachineSets
• paramRef referencing openshift-machine-api for MAPI MachineSet parameters
• parameterNotFoundAction: Allow to permit creation when no MAPI counterpart exists

This mirrors the machine creation binding appropriately.

---

547-556: LGTM!

The validation expressions correctly implement the creation rules:

1. When MAPI is authoritative (authoritativeAPIMAPI), CAPI MachineSet must be paused
2. When CAPI is authoritative (authoritativeAPICAPI), MAPI MachineSet must be paused

The message expressions clearly communicate the denial reasons. The logic mirrors the Machine creation policy appropriately.

[JoelSpeed]

/lgtm
/approve

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@theobarberbany: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal3-capi-techpreview	4e77276	link	false	/test e2e-metal3-capi-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[theobarberbany]

/retest-required

[theobarberbany]

/verified by units and e2es

[openshift-ci-robot]

@theobarberbany: This PR has been marked as verified by units and e2es.

Details

In response to this:

/verified by units and e2es

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[theobarberbany]

🤞 those two jobs are no longer permafailing

[theobarberbany]

/override ci/prow/okd-scos-images

[theobarberbany]

/override okd-scos-images

[openshift-ci]

@theobarberbany: Overrode contexts on behalf of theobarberbany: ci/prow/okd-scos-images

Details

In response to this:

/override ci/prow/okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@theobarberbany: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• okd-scos-images

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/build
• ci/prow/e2e-aws-capi-techpreview
• ci/prow/e2e-aws-ovn
• ci/prow/e2e-aws-ovn-serial-1of2
• ci/prow/e2e-aws-ovn-serial-2of2
• ci/prow/e2e-aws-ovn-techpreview
• ci/prow/e2e-aws-ovn-techpreview-upgrade
• ci/prow/e2e-azure-capi-techpreview
• ci/prow/e2e-azure-ovn-techpreview
• ci/prow/e2e-azure-ovn-techpreview-upgrade
• ci/prow/e2e-gcp-capi-techpreview
• ci/prow/e2e-gcp-ovn-techpreview
• ci/prow/e2e-metal3-capi-techpreview
• ci/prow/e2e-openstack-capi-techpreview
• ci/prow/e2e-openstack-ovn-techpreview
• ci/prow/e2e-vsphere-capi-techpreview
• ci/prow/images
• ci/prow/lint
• ci/prow/okd-scos-images
• ci/prow/regression-clusterinfra-aws-ipi-techpreview-capi
• ci/prow/unit
• ci/prow/vendor
• ci/prow/verify-deps
• pull-ci-openshift-cluster-capi-operator-main-build
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-serial-1of2
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-serial-2of2
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-techpreview-upgrade
• pull-ci-openshift-cluster-capi-operator-main-e2e-azure-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-azure-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-azure-ovn-techpreview-upgrade
• pull-ci-openshift-cluster-capi-operator-main-e2e-gcp-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-gcp-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-metal3-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-openstack-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-openstack-ovn-techpreview
• pull-ci-openshift-cluster-capi-operator-main-e2e-vsphere-capi-techpreview
• pull-ci-openshift-cluster-capi-operator-main-images
• pull-ci-openshift-cluster-capi-operator-main-lint
• pull-ci-openshift-cluster-capi-operator-main-okd-scos-images
• pull-ci-openshift-cluster-capi-operator-main-regression-clusterinfra-aws-ipi-techpreview-capi
• pull-ci-openshift-cluster-capi-operator-main-unit
• pull-ci-openshift-cluster-capi-operator-main-vendor
• pull-ci-openshift-cluster-capi-operator-main-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.