@ngopalak-redhat
Contributor

@ngopalak-redhat ngopalak-redhat commented Jan 16, 2026

This PR improves the documentation for the KubeletConfigSpec API to make it more accurate and user-friendly.

Fixes the doc: https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/machine_apis/kubeletconfig-machineconfiguration-openshift-io-v1#spec-4

It also adds test coverage similar to the pattern established in #2370.

AutoSizingReserved will default to true from 4.21 onwards. The default value and the description were not documented until now.

Why is this a breaking change?

  • The additional kubebuilder validation makes this a breaking change.
  • If the user provides tlsSecurityProfile with just modern or custom fields but omits the type field, the validation passes because !has(self.type) evaluates to true.

Test Coverage

Created test file: machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml
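
The fail-open behaviour named in the second bullet under "Why is this a breaking change?", as an added example (not code from this PR or from openshift/api): a plain-Go model of the two CEL rule shapes run over constructed specs. `Profile`, `permissiveRule`, `strictRule` and the other names are hypothetical, a nil `Type` stands for an omitted `type` field, and the exact text of the permissive rule is an assumption; the strict rule follows the shape proposed later in this thread.

```go
package main

import "fmt"

// Profile is a hypothetical, minimal stand-in for configv1.TLSSecurityProfile.
// Type is a pointer so an omitted field (CEL: !has(self.type)) shows up as nil.
type Profile struct {
	Name   string   // label for the constructed sample, not part of the API
	Type   *string  // nil when the type field is omitted
	Custom []string // cipher list of the custom block, nil when unset
	Modern bool     // true when the modern block is set
}

func str(s string) *string      { return &s }
func allowedType(t string) bool { return t == "Old" || t == "Intermediate" }

// permissiveRule models an assumed rule beginning with !has(self.type) ||, which accepts any object without type.
func permissiveRule(p Profile) bool { return p.Type == nil || allowedType(*p.Type) }

// strictRule models has(self.type) && (self.type == 'Old' || self.type == 'Intermediate').
func strictRule(p Profile) bool { return p.Type != nil && allowedType(*p.Type) }

// Cases returns constructed sample specs; the cipher mirrors the thread's test case.
func Cases() []Profile {
	custom := []string{"ECDHE-ECDSA-AES128-GCM-SHA256"}
	return []Profile{
		{Name: "type: Intermediate", Type: str("Intermediate")},
		{Name: "type: Custom + custom", Type: str("Custom"), Custom: custom},
		{Name: "custom only, no type", Custom: custom},
		{Name: "modern only, no type", Modern: true},
	}
}

// Bypasses lists the cases the permissive rule admits but the strict rule rejects.
func Bypasses() (out []string) {
	for _, c := range Cases() {
		if permissiveRule(c) && !strictRule(c) {
			out = append(out, c.Name)
		}
	}
	return out
}

func main() {
	for _, c := range Cases() {
		fmt.Printf("%-22s permissive=%-5v strict=%v\n", c.Name, permissiveRule(c), strictRule(c))
	}
	fmt.Println("admitted only by the permissive rule:", Bypasses())
}
```

An explicit `type: Custom` is rejected by both rule shapes; only the specs that leave `type` out separate them, which is why a negative test without `type` is needed.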

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2026
@coderabbitai

coderabbitai bot commented Jan 16, 2026

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

This pull request adds a YAML test suite for the KubeletConfig CRD covering onCreate and onUpdate scenarios with single-field and multi-field cases, including error expectations. It extends KubeletConfigSpec with three optional fields: AutoSizingReserved (*bool), LogLevel (*int32) and TLSSecurityProfile (*configv1.TLSSecurityProfile). It adds LogLevel validation (0–10) and an x-kubernetes-validations rule restricting TLS profiles to Old and Intermediate. Generated Swagger/docs and the CRD descriptions were updated and kubeletConfig/machineConfigPoolSelector wording clarified.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Fixes KubeletConfig API doc and adds tests' accurately reflects the main changes: API documentation improvements and test coverage additions for KubeletConfigSpec. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the documentation fixes, test coverage additions, and detailing the AutoSizingReserved field default behavior and breaking changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented


@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

Hello @ngopalak-redhat! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 16, 2026
@ngopalak-redhat
Contributor Author

/test all

@openshift-ci
Contributor

openshift-ci bot commented Jan 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ngopalak-redhat
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Jan 16, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ngopalak-redhat ngopalak-redhat marked this pull request as ready for review January 16, 2026 06:31
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 16, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml`:
- Around line 118-123: The tlsSecurityProfile description in the KubeletConfig
CRD is inconsistent with the schema: the text claims "Only Old and Intermediate
profiles are supported; maximum minTLSVersion is VersionTLS12" while the schema
allows Modern and Custom (and VersionTLS13) because it relies on
configv1.TLSSecurityProfile which has no kubelet-specific restrictions; to fix,
either add explicit validation to the CRD (e.g., CEL rules or a validating
webhook) to reject profile.type values "Modern" and "Custom" and enforce max
minTLSVersion of "VersionTLS12", or update the tlsSecurityProfile description to
accurately reflect that the schema permits Modern and Custom and VersionTLS13 by
referencing configv1.TLSSecurityProfile semantics; locate and change the
tlsSecurityProfile block in the KubeletConfig CRD (symbol: tlsSecurityProfile,
resource: KubeletConfig) and implement one of the two options consistently
(validation rules if you want to forbid Modern/Custom, otherwise update the
descriptive text).
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 12dcb66 and 8e0b9d6.

⛔ Files ignored due to path filters (2)
  • machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
📒 Files selected for processing (4)
  • machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml
  • machineconfiguration/v1/types.go
  • machineconfiguration/v1/zz_generated.swagger_doc_generated.go
  • payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • machineconfiguration/v1/types.go
🔇 Additional comments (2)
machineconfiguration/v1/zz_generated.swagger_doc_generated.go (1)

216-223: Docs read well and are consistent with the CRD updates.
The KubeletConfigSpec descriptions are clear and actionable.

machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml (1)

1-275: Solid coverage for create/update scenarios.
The matrix of single-field and combined updates looks thorough.

@ngopalak-redhat ngopalak-redhat changed the title Fixes KubeletConfig API doc and adds tests NO-ISSUE: Fixes KubeletConfig API doc and adds tests Jan 16, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 16, 2026
@openshift-ci-robot

@ngopalak-redhat: This pull request explicitly references no jira issue.

Details

In response to this:

This PR improves the documentation for the KubeletConfigSpec API to make it more accurate and user-friendly.
The focus is AutoSizingReserved. I have ignored adding the tests and the validation for TLSSecurityProfile. Also I haven't added the kubebuilder validation for LogLevel. They can be done in a different PR as this one focusses on API doc only.

It also adds test coverage similar to the pattern established in #2370.

AutoSizingReserved will default to true from 4.21 onwards. The default value and the description were not documented until now.

Test Coverage

Created test file: machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ngopalak-redhat
Contributor Author

cc: @haircommander @sairameshv

Member

@saschagrunert saschagrunert left a comment

Thank you for the PR, I have a bunch of improvements suggested.

Please note that we need to add integration tests for the new validations.

@openshift-ci openshift-ci bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 22, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@machineconfiguration/v1/types.go`:
- Around line 769-774: The CEL XValidation currently permits profiles without an
explicit type and thus allows Modern/Custom via embedded fields; update the
validation on TLSSecurityProfile to require that the type field is present and
equal to either "Old" or "Intermediate" (e.g. change the rule to require
has(self.type) && (self.type == 'Old' || self.type == 'Intermediate')), so
TLSSecurityProfile (the TLSSecurityProfile *configv1.TLSSecurityProfile field)
cannot be set to Modern/Custom without an explicit allowed type.
♻️ Duplicate comments (1)
payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml (1)

268-271: Keep the CRD validation in sync with the tightened TLS rule.

Same concern as in machineconfiguration/v1/types.go: regenerate this CRD after tightening the CEL rule so missing type can’t bypass the restriction.

🧹 Nitpick comments (1)
machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml (1)

173-220: Add a negative case for tlsSecurityProfile without type.

This will lock in the stricter validation and prevent bypasses if the object is provided without a type.

🧪 Suggested test case
@@
     - name: Should reject tlsSecurityProfile with Custom type
       initial: |
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
           tlsSecurityProfile:
             type: Custom
             custom:
               ciphers:
                 - ECDHE-ECDSA-AES128-GCM-SHA256
               minTLSVersion: VersionTLS12
       expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
+    - name: Should reject tlsSecurityProfile without type
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: KubeletConfig
+        spec:
+          tlsSecurityProfile:
+            custom:
+              ciphers:
+                - ECDHE-ECDSA-AES128-GCM-SHA256
+              minTLSVersion: VersionTLS12
+      expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
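
Review bot: the added case at the end of this hunk covers a missing `type` only together with `custom`, while the PR description names both `modern` and `custom` as fields that pass when `type` is omitted. Add a sibling case that sets only `modern` with no `type`, expecting the same `expectedError`, so both branches of the gap are pinned. Also confirm that the `expectedError` string still matches the message attached to the tightened rule once the CRD is regenerated, since the new case relies on that rule rather than on the `type: Custom` check exercised by the context lines above it.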

@ngopalak-redhat
Contributor Author

Thank you for the PR, I have a bunch of improvements suggested.

Please note that we need to add integration tests for the new validations.

@saschagrunert I made the code changes as suggested. I also added the validations and tests to machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml.

Are these the integration tests you were referring to?

@openshift-ci
Contributor

openshift-ci bot commented Jan 23, 2026

@ngopalak-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/verify-crdify | cb2ecfa | link | true | /test verify-crdify |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
