Fix CloudProfile API rejection by skipping invalid SemVer legacy tags

[anton-paulovich]

With the recent GEP-33 updates, cloud-profile-sync was made smarter: it now correctly extracts a valid, clean semantic version (e.g., 1877.9.2) from OCI image annotations. Because this clean version passes the initial filterImages() validation, images with historically malformed, non-SemVer compliant raw tags (e.g., 1877.9.2.0-metal-sci-pxe-amd64-...) are now successfully processed by the controller

However, when it attempts to write these raw tags back into the legacy spec.machineImages[].versions[].version array for backward compatibility, the Gardener API Server strictly enforces SemVer validation. This caused the API server to reject the entire CloudProfile patch as Invalid, silently halting the synchronization process

How it works now with feature flag enabled:

1. Invalid SemVer Tag + Has CleanVersion: NEW format only.

2. Valid SemVer Tag + Has CleanVersion: BOTH formats (the ideal transition state).

3. Valid SemVer Tag + NO/Invalid CleanVersion (Old images): OLD format only.

[coderabbitai]

📝 Walkthrough

Walkthrough

ImageUpdater.Update gains a semver.Parse guard that skips writing non-semver raw tags as legacy MachineImageVersion entries and logs an info message instead. A new Ginkgo test verifies the guard. Separately, a large old-cp.yaml CloudProfile manifest for ironcore-metal is added.

Changes

SemVer validation in ImageUpdater

Layer / File(s)	Summary
SemVer guard implementation and test cloudprofilesync/imageupdater.go, cloudprofilesync/imageupdater_test.go	ImageUpdater.Update calls semver.Parse on sourceImage.Version before appending a legacy MachineImageVersion; invalid versions are skipped with an info log. A new test asserts non-semver raw tags are excluded from cpSpec.MachineImages while the raw tag still reaches the provider via ProviderConfig.Raw.

ironcore-metal CloudProfile manifest

Layer / File(s)	Summary
CloudProfile YAML fixture old-cp.yaml	Adds a full ironcore-metal CloudProfile manifest with metadata, Kubernetes versions, gardenlinux machine image catalog (amd64/containerd), baremetal machine type, provider config with image mappings and region configs for qa-de-1, regions/zones, and seed selector.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• cobaltcore-dev/cloud-profile-sync#10: Modifies ImageUpdater.Update around SemVer handling and logging in the same update flow.
• cobaltcore-dev/cloud-profile-sync#30: Introduces the capability/CleanVersion dual-write behavior in imageupdater.go that this PR's SemVer guard extends.

Suggested reviewers

• adziauho
• defo89

Poem

🐰 A tag came hopping, wild and raw,
"Not semver!" said the updater with awe.
It skipped right past the legacy list,
But provider still got what it missed.
Clean versions only, no chaos allowed —
The bunny hops on, tidy and proud! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: skipping invalid SemVer legacy tags when updating CloudProfiles to prevent API rejection.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/gep-33-feature-flag

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Merging this branch will increase overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/cobaltcore-dev/cloud-profile-sync/cloudprofilesync	88.68% (+0.14%)	👍

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/cobaltcore-dev/cloud-profile-sync/cloudprofilesync/imageupdater.go	85.42% (+0.63%)	48 (+2)	41 (+2)	7	👍

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

• github.com/cobaltcore-dev/cloud-profile-sync/cloudprofilesync/imageupdater_test.go