cross-validate boot images & skew enforcement

djoshy · djoshy · commit bcad2088d8ac · 2025-09-18T16:44:05.000-04:00
diff --git a/operator/v1/tests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml b/operator/v1/tests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml
@@ -220,6 +220,12 @@ tests:
         kind: MachineConfiguration
         spec: {}
         status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All        
           bootImageSkewEnforcementStatus:
             mode: Automatic
             automatic:
@@ -232,8 +238,263 @@ tests:
           logLevel: Normal
           operatorLogLevel: Normal
         status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All        
           bootImageSkewEnforcementStatus:
             mode: Automatic
             automatic:
               ocpVersion: "4.18.2"
-              rhcosVersion: "416.94.202411201433-0"                 
+              rhcosVersion: "416.94.202411201433-0"
+    - name: Should require boot image configuration to be set to All when bootImageSkewEnforcementStatus.mode is Automatic
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: 
+          managedBootImages:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expectedError: "when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+    - name: Should not be able to set boot image configuration to an empty list if bootImageSkewEnforcementStatus.mode is set to Automatic
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: 
+          managedBootImages:
+            machineManagers:
+              []
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expectedError: "when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+    - name: Should require boot image configuration status to be set to All when bootImageSkewEnforcementStatus.mode is Automatic
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Automatic         
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec: {}
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+          bootImageSkewEnforcementStatus:
+            mode: Automatic
+            automatic:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expectedStatusError: "when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets"            
+    - name: Should be able change boot image configuration if bootImageSkewEnforcementStatus.mode is set to Manual
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          bootImageSkewEnforcement:
+            mode: Manual
+            manual:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "9.6.20250523-1"
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Manual         
+            manual:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          managedBootImages:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+          bootImageSkewEnforcement:
+            mode: Manual
+            manual:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "9.6.20250523-1"              
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Manual
+            manual:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          logLevel: Normal
+          operatorLogLevel: Normal  
+          managedBootImages:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+          bootImageSkewEnforcement:
+            mode: Manual
+            manual:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "9.6.20250523-1"              
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: Manual
+            manual:
+              ocpVersion: "4.18.2"
+              rhcosVersion: "416.94.202411201433-0"
+    - name: Should be able change boot image configuration if bootImageSkewEnforcementStatus.mode is set to None
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          bootImageSkewEnforcement:
+            mode: None
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: None         
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          managedBootImages:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+          bootImageSkewEnforcement:
+            mode: None           
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: None
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: MachineConfiguration
+        spec:
+          logLevel: Normal
+          operatorLogLevel: Normal  
+          managedBootImages:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: None
+          bootImageSkewEnforcement:
+            mode: None            
+        status:
+          managedBootImagesStatus:
+            machineManagers:
+              - resource: machinesets
+                apiGroup: machine.openshift.io
+                selection:
+                  mode: All
+          bootImageSkewEnforcementStatus:
+            mode: None               
diff --git a/operator/v1/types_machineconfiguration.go b/operator/v1/types_machineconfiguration.go
@@ -17,6 +17,9 @@ import (
 //
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue() : true",message="when skew enforcement is in Automatic mode, a boot image configuration is required"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io') : true",message="when skew enforcement is in Automatic mode, managedBootImages must contain a MachineManager opting in all MachineAPI MachineSets"
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=BootImageSkewEnforcement,rule="self.?status.bootImageSkewEnforcementStatus.mode.orValue(\"\") == 'Automatic' ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) || self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode == 'All' && m.resource == 'machinesets' && m.apiGroup == 'machine.openshift.io'): true",message="when skew enforcement is in Automatic mode, managedBootImagesStatus must contain a MachineManager opting in all MachineAPI MachineSets"
 type MachineConfiguration struct {
 	metav1.TypeMeta `json:",inline"`
 
diff --git a/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml
@@ -1460,6 +1460,25 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: when skew enforcement is in Automatic mode, a boot image configuration
+            is required
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
+            : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImages must
+            contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
+            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
+            == ''machine.openshift.io'') : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
+            must contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) ||
+            self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode
+            == ''All'' && m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io''):
+            true'
     served: true
     storage: true
     subresources:
diff --git a/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml
@@ -1460,6 +1460,25 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: when skew enforcement is in Automatic mode, a boot image configuration
+            is required
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
+            : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImages must
+            contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
+            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
+            == ''machine.openshift.io'') : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
+            must contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) ||
+            self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode
+            == ''All'' && m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io''):
+            true'
     served: true
     storage: true
     subresources:
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/machineconfigurations.operator.openshift.io/BootImageSkewEnforcement.yaml
@@ -1174,6 +1174,25 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: when skew enforcement is in Automatic mode, a boot image configuration
+            is required
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
+            : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImages must
+            contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
+            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
+            == ''machine.openshift.io'') : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
+            must contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) ||
+            self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode
+            == ''All'' && m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io''):
+            true'
     served: true
     storage: true
     subresources:
diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-CustomNoUpgrade.crd.yaml
@@ -1460,6 +1460,25 @@ spec:
         required:
         - spec
         type: object
+        x-kubernetes-validations:
+        - message: when skew enforcement is in Automatic mode, a boot image configuration
+            is required
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? self.?spec.managedBootImages.hasValue() || self.?status.managedBootImagesStatus.hasValue()
+            : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImages must
+            contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?spec.managedBootImages.machineManagers.hasValue()) || self.spec.managedBootImages.machineManagers.exists(m,
+            m.selection.mode == ''All'' && m.resource == ''machinesets'' && m.apiGroup
+            == ''machine.openshift.io'') : true'
+        - message: when skew enforcement is in Automatic mode, managedBootImagesStatus
+            must contain a MachineManager opting in all MachineAPI MachineSets
+          rule: 'self.?status.bootImageSkewEnforcementStatus.mode.orValue("") == ''Automatic''
+            ? !(self.?status.managedBootImagesStatus.machineManagers.hasValue()) ||
+            self.status.managedBootImagesStatus.machineManagers.exists(m, m.selection.mode
+            == ''All'' && m.resource == ''machinesets'' && m.apiGroup == ''machine.openshift.io''):
+            true'
     served: true
     storage: true
     subresources:
diff --git a/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_machineconfigurations-DevPreviewNoUpgrade.crd.yaml
