OCPNODE-3863: Add CRIOCredentialProviderConfig API
- enhancement: https://github.com/openshift/enhancements/pull/1861
- Add CRIOCredentialProviderConfig API setting configs https://github.com/cri-o/crio-credential-provider for retrieving mirror pull secrets
- Add feature gate for CRIOCredentialProviderConfig feature gate.
Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all
Hello @QiWang19! Some important instructions when contributing to openshift/api: API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.
/retest-required
/test integration
PR has been reviewed by claude code /api-review. It helped run make lint and correct the failures.
@QiWang19: This pull request references OCPNODE-3863 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.
In response to this:
enhancement: https://github.com/openshift/enhancements/pull/1861
Add CRIOCredentialProviderConfig API setting configs https://github.com/cri-o/crio-credential-provider for retrieving mirror pull secrets
Add feature gate for CRIOCredentialProviderConfig feature gate.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/assign @everettraven
@JoelSpeed @everettraven could you review?
@coderabbitai review
Actions performed
Review triggered.
Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
Walkthrough
Adds a cluster-scoped singleton v1alpha1 API CRIOCredentialProviderConfig (types, spec validation, status), registers it, and includes generated deepcopy, OpenAPI/Swagger, CRD manifests, tests, feature-gate entries, payload updates, and supporting scripts/docs.
Changes
| Cohort / File(s) | Summary |
|---|---|
| API types & registration: config/v1alpha1/types_crio_credential_provider_config.go, config/v1alpha1/register.go | New public API types: CRIOCredentialProviderConfig, CRIOCredentialProviderConfigList, CRIOCredentialProviderConfigSpec, CRIOCredentialProviderConfigStatus, MatchImage alias, condition/reason constants; types registered in v1alpha1. |
| CRD manifests (generated & feature-gated): config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_criocredentialproviderconfigs-*.crd.yaml, config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml, config/v1alpha1/zz_generated.featuregated-crd-manifests/.../CRIOCredentialProviderConfig.yaml | Adds cluster-scoped singleton CRD manifests (CustomNoUpgrade / DevPreviewNoUpgrade / TechPreviewNoUpgrade) with OpenAPI schema enforcing metadata.name == "cluster", spec.matchImages (1–50, set semantics, regex/wildcard/port/path/length validations) and status.conditions. |
| Payload CRD manifests: payload-manifests/crds/0000_10_config-operator_01_criocredentialproviderconfigs-*.crd.yaml | Adds payload CRD YAMLs mirroring generated CRDs for preview tiers. |
| Deepcopy, OpenAPI & Swagger: config/v1alpha1/zz_generated.deepcopy.go, config/v1alpha1/zz_generated.swagger_doc_generated.go, openapi/generated_openapi/zz_generated.openapi.go, openapi/openapi.json | Adds autogenerated DeepCopy implementations, Swagger doc maps/methods, OpenAPI schema generator functions, and registers new types in the OpenAPI registry and openapi.json. |
| Tests: config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml | Adds create tests: one valid matchImages case and multiple invalid cases exercising invalid characters, uppercase host/path, wildcard misuse, partial-subdomain wildcards, and global wildcard. |
| Feature gates (code & payloads): features/features.go, payload-manifests/featuregates/featureGate-*-*.yaml | Adds FeatureGateCRIOCredentialProviderConfig and inserts CRIOCredentialProviderConfig into multiple feature-gate payload manifests (enabled in Dev/Tech preview variants; present/disabled in Default/OKD variants). |
| Tooling & docs: hack/update-payload-crds.sh, features.md | Updates CRD globs in payload update script and inserts CRIOCredentialProviderConfig entry into features.md. |
Estimated code review effort
3 (Moderate) | ~20–30 minutes
Points to review closely:
- MatchImage validation semantics (regex, wildcard rules, path/port handling, max length, deduplication) across types, CRD schemas, and tests.
- Singleton enforcement (metadata.name == "cluster") consistency across types and all CRD variants.
- Status condition definitions and constant names used by controllers.
- Feature-gate placements in payload manifests to confirm correct enable/disable per preview tier.
Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly describes the main change: adding the CRIOCredentialProviderConfig API, which is the primary focus of this pull request. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the enhancement to add CRIOCredentialProviderConfig API for crio-credential-provider configuration and its feature gate. |
[!WARNING] There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.
golangci-lint (2.5.0)
Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
Comment @coderabbitai help to get the list of available commands and usage tips.
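The matchImages checks listed in the walkthrough above (1 to 50 entries, set semantics, lowercase host and path, no partial-label or global wildcard) can be sketched as a pre-submission validator. This is an added example, not code from this PR or from openshift/api; the regular expressions, the names validateMatchImage and validateMatchImages, the acceptance of a whole-label `*`, and the sample patterns are assumptions, because the CRD's actual validation expressions do not appear on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed stand-in patterns; the CRD's real validation rules are not shown on this page.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)   // one lowercase DNS label
var tailRe = regexp.MustCompile(`^(:[0-9]{1,5})?(/[a-z0-9._/-]+)?$`) // optional :port and lowercase /path, no wildcard

// validateMatchImage checks a single host[:port][/path] pattern.
func validateMatchImage(p string) error {
	host, _, _ := strings.Cut(p, "/")
	host, _, _ = strings.Cut(host, ":")
	if !tailRe.MatchString(p[len(host):]) {
		return fmt.Errorf("%q: invalid port or path", p)
	}
	if strings.Trim(host, "*.") == "" { // "", "*" and "*.*" would match every registry
		return fmt.Errorf("%q: host has no literal label", p)
	}
	for _, label := range strings.Split(host, ".") {
		if label != "*" && !labelRe.MatchString(label) { // whole-label "*" accepted (assumption); "ex*" and "Ex" are not
			return fmt.Errorf("%q: invalid host label %q", p, label)
		}
	}
	return nil
}

// validateMatchImages applies the list-level rules: 1 to 50 unique entries.
func validateMatchImages(list []string) error {
	if len(list) < 1 || len(list) > 50 {
		return fmt.Errorf("need 1-50 entries, got %d", len(list))
	}
	seen := map[string]bool{}
	for _, p := range list {
		if seen[p] {
			return fmt.Errorf("duplicate entry %q", p)
		}
		seen[p] = true
		if err := validateMatchImage(p); err != nil {
			return err
		}
	}
	return nil
}

func main() { fmt.Println(validateMatchImages([]string{"*.example.io:5000/team", "ex*.io"})) } // constructed input
```

A pattern that is broader than intended widens the set of registries for which the credential provider is consulted, so rejecting all-wildcard hosts before the object reaches the cluster is the check that matters most here.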
@JoelSpeed @everettraven could you review?
/unassign @everettraven
/test integration
/test verify
/retest-required
How's the EP for this feature going? Has it been merged?
Hi @JoelSpeed, the enhancement PR got merged: https://github.com/openshift/enhancements/pull/1861. We will need to follow up on the enhancement to address the CRIOCredentialProvider resource being a singleton.
/lgtm
Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
@QiWang19: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/okd-scos-e2e-aws-ovn | cc9c041a91b97f9b8f41d25bfe2f69c5b4690d95 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-aws-ovn | e504b5eb558fc1062c3ccb47fb5e2fbc71268e9e | link | true | /test e2e-aws-ovn |
| ci/prow/e2e-aws-ovn-hypershift-conformance | e504b5eb558fc1062c3ccb47fb5e2fbc71268e9e | link | true | /test e2e-aws-ovn-hypershift-conformance |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/lgtm cancel /approve cancel
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: saschagrunert Once this PR has been reviewed and has the lgtm label, please ask for approval from joelspeed. For more information see the Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
/verified by tests api/config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
@QiWang19: This PR has been marked as verified by tests `api/config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml`.
In response to this:
/verified by tests
api/config/v1alpha1/tests/criocredentialproviderconfigs.config.openshift.io/CRIOCredentialProviderConfig.yaml
@QiWang19 Can you try and get the OC PR merged before we merge this one please?
> Can you try and get the OC PR merged before we merge this one please?
ok, https://github.com/openshift/kubernetes/pull/2549 is open.