CNTRLPLANE-3030: ignition-server os-stream consumption and ValidOSImageStream condition

[sdminonne]

Summary

This PR implements the consumer side of dual-stream RHEL NodePool support (enhancement), enabling the ignition server to inject an OSImageStream custom resource into the ignition payload based on the os-stream key written to the token secret by the NodePool controller.

It also adds a dedicated ValidOSImageStream condition to NodePool status for granular validation feedback on spec.osImageStream.

Commit 1 — ValidOSImageStream condition

Adds a new NodePool condition (ValidOSImageStream) that validates spec.osImageStream.Name independently:

• Removed when osImageStream.Name is empty (no opinion needed)
• True when the name is a supported stream (rhel-9, rhel-10)
• False with InvalidOSImageStream reason for unsupported names

This complements PR #8730's validation inside validMachineConfigCondition by providing a separate, user-facing signal specifically for osImageStream issues.

Commit 2 — Ignition server os-stream consumption (InPlace)

Reads the os-stream key from the token secret and injects an OSImageStream CR manifest (99_osimagestream.yaml) into the MCC input directory between runMCO() and runMCC(). This is the mechanism by which InPlace nodes learn which RHEL stream to rebase to.

Changes:

• tokensecret_controller.go — reads os-stream from token secret, passes it to GetPayload()
• local_ignitionprovider.go — accepts osStream param, writes OSImageStream CR via writeOSImageStreamManifest()
• run_local_ignitionprovider.go — reads os-stream from token secret for the debug path
• Tests for both the manifest writing and end-to-end token secret propagation

Upgrade strategy coverage

InPlace

Fully functional. The ignition server reads the resolved stream from the token secret and injects the OSImageStream CR into the ignition payload. MCO/MCC on the node uses this to determine which RHEL stream to rebase to during in-place updates.

Replace

Not directly addressed by this PR. Replace strategy relies on the NodePool controller selecting the correct boot image (AMI/GCP image) for the target stream — that wiring is fully handled by PR #8730 for both AWS (StreamForName in defaultNodePoolAMI) and GCP (StreamForName in defaultNodePoolGCPImage). This PR's ValidOSImageStream condition applies to both strategies since it validates the spec field.

What this PR does NOT cover

The following are handled by PR #8730 (CNTRLPLANE-3553) and deliberately excluded here:

• rhelStream threading through resolveAWSAMI, defaultNodePoolAMI, resolveGCPImage, defaultNodePoolGCPImage
• StreamForName integration for both AWS and GCP boot image selection
• resolvedRHELStream in rolloutConfig and config hash computation
• Token secret os-stream write (TokenSecretOSStreamKey, writing resolvedRHELStream)
• setOSImageStreamStatus() for setting nodePool.Status.OSImageStream
• getRHELStream() wrapper in osstream.go

Relationship with PR #8730

This PR is the consumer to #8730's producer:

Concern	PR #8730 (producer)	This PR (consumer)
Resolve RHEL stream from spec + version	getRHELStream()	—
Write os-stream to token secret	TokenSecretOSStreamKey	—
Thread stream into AMI/image selection	AWS + GCP wiring via StreamForName	—
Set status.osImageStream	setOSImageStreamStatus()	—
Read os-stream from token secret	—	tokensecret_controller.go
Inject OSImageStream CR into ignition	—	local_ignitionprovider.go
Dedicated ValidOSImageStream condition	—	osstream.go + API constants

This PR depends on #8730 and should be rebased after it merges. The expected rebase conflicts are limited to osstream.go and osstream_test.go (both PRs create these files) and are resolved by keeping all functions from both sides.

Known limitations

• MCO ExternalTopologyMode guard: MCO currently blocks OSImageStream processing for HyperShift topology. MCO-side changes are needed before the injected CR takes effect.
• Other platforms: Azure, OpenStack, PowerVS, and KubeVirt do not yet have stream-aware boot image resolution. Their release metadata structures would need per-stream image entries before code changes can be made. InPlace works for all platforms once the MCO guard is lifted.

Test plan

• Unit tests pass: TestValidOSImageStreamCondition, TestWriteOSImageStreamManifest, TestReconcileOSStreamPropagation
• make verify passes clean
• Rebase on top of CNTRLPLANE-3553: Wire osImageStream into NodePool controller (hash, token, status, validation) #8730 once merged and verify no regressions
• e2e validation after MCO ExternalTopologyMode guard is lifted

Depends-on: #8730

🤖 Generated with Claude Code

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@sdminonne: This pull request references CNTRLPLANE-3030 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

This PR implements the consumer side of dual-stream RHEL NodePool support (enhancement), enabling the ignition server to inject an OSImageStream custom resource into the ignition payload based on the os-stream key written to the token secret by the NodePool controller.

It also adds a dedicated ValidOSImageStream condition to NodePool status for granular validation feedback on spec.osImageStream.

Commit 1 — ValidOSImageStream condition

Adds a new NodePool condition (ValidOSImageStream) that validates spec.osImageStream.Name independently:

• Removed when osImageStream.Name is empty (no opinion needed)
• True when the name is a supported stream (rhel-9, rhel-10)
• False with InvalidOSImageStream reason for unsupported names

This complements PR #8730's validation inside validMachineConfigCondition by providing a separate, user-facing signal specifically for osImageStream issues.

Commit 2 — Ignition server os-stream consumption (InPlace)

Reads the os-stream key from the token secret and injects an OSImageStream CR manifest (99_osimagestream.yaml) into the MCC input directory between runMCO() and runMCC(). This is the mechanism by which InPlace nodes learn which RHEL stream to rebase to.

Changes:

• tokensecret_controller.go — reads os-stream from token secret, passes it to GetPayload()
• local_ignitionprovider.go — accepts osStream param, writes OSImageStream CR via writeOSImageStreamManifest()
• run_local_ignitionprovider.go — updated CLI entrypoint signature
• Tests for both the manifest writing and end-to-end token secret propagation

Upgrade strategy coverage

InPlace

Fully functional. The ignition server reads the resolved stream from the token secret and injects the OSImageStream CR into the ignition payload. MCO/MCC on the node uses this to determine which RHEL stream to rebase to during in-place updates.

Replace

Not directly addressed by this PR. Replace strategy relies on the NodePool controller selecting the correct boot image (AMI/GCP image) for the target stream — that wiring is handled entirely by PR #8730. This PR's ValidOSImageStream condition applies to both strategies since it validates the spec field.

What this PR does NOT cover

The following are handled by PR #8730 (CNTRLPLANE-3553) and deliberately excluded here:

• rhelStream threading through resolveAWSAMI, defaultNodePoolAMI, defaultNodePoolGCPImage
• resolvedRHELStream in rolloutConfig and config hash computation
• Token secret os-stream write (TokenSecretOSStreamKey, writing resolvedRHELStream)
• setOSImageStreamStatus() for setting nodePool.Status.OSImageStream
• getRHELStream() wrapper in osstream.go
• GCP StreamForName integration

Relationship with PR #8730

This PR is the consumer to #8730's producer:

Concern	PR #8730 (producer)	This PR (consumer)
Resolve RHEL stream from spec + version	getRHELStream()	—
Write os-stream to token secret	TokenSecretOSStreamKey	—
Thread stream into AMI/image selection	AWS + GCP wiring	—
Set status.osImageStream	setOSImageStreamStatus()	—
Read os-stream from token secret	—	tokensecret_controller.go
Inject OSImageStream CR into ignition	—	local_ignitionprovider.go
Dedicated ValidOSImageStream condition	—	osstream.go + API constants

This PR depends on #8730 and should be rebased after it merges. The expected rebase conflicts are limited to osstream.go and osstream_test.go (both PRs create these files) and are resolved by keeping all functions from both sides.

Known limitations

• MCO ExternalTopologyMode guard: MCO currently blocks OSImageStream processing for HyperShift topology. MCO-side changes are needed before the injected CR takes effect.
• AWS-only boot image resolution: GCP stream-aware image selection is plumbing-only in CNTRLPLANE-3553: Wire osImageStream into NodePool controller (hash, token, status, validation) #8730 (CNTRLPLANE-3553 tracks full GCP support).

Test plan

• Unit tests pass: TestValidOSImageStreamCondition, TestWriteOSImageStreamManifest, TestReconcileOSStreamPropagation
• make verify passes clean
• Rebase on top of CNTRLPLANE-3553: Wire osImageStream into NodePool controller (hash, token, status, validation) #8730 once merged and verify no regressions
• e2e validation after MCO ExternalTopologyMode guard is lifted

Depends-on: #8730

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds OS image stream support across two subsystems. In the NodePool controller, two new API constants (NodePoolValidOSImageStreamConditionType, NodePoolInvalidOSImageStreamReason) back a new validOSImageStreamCondition reconciler helper that validates spec.osImageStream.name against rhel-9/rhel-10, setting or removing the corresponding status condition. This helper is wired into the existing signalConditions short-circuit loop.

In the ignition server, a new TokenSecretOSStreamKey ("os-stream") constant is added; the IgnitionProvider.GetPayload interface gains an osStream parameter; TokenSecretReconciler reads this key from the token secret and passes it to GetPayload; and LocalIgnitionProvider.GetPayload conditionally writes a 99_osimagestream.yaml manifest into the MCC working directory via a new writeOSImageStreamManifest helper.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main changes: adding OS-stream consumption to ignition-server and introducing ValidOSImageStream condition, covering both key deliverables.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo tests (It, Describe, Context, When). Uses standard Go testing framework with table-driven tests. All test case names are stable and descriptive with no dynamic content.
Test Structure And Quality	✅ Passed	Custom check targets Ginkgo tests, but PR uses standard Go testing pattern. All 3 new tests follow repo convention (444 std tests vs 23 Ginkgo tests) with proper table-driven structure and cleanup.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no scheduling constraints. Changes are limited to API constants, condition validation, ignition payload generation, and token secret propagation—none involving pod specs, affinity rul...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds only unit tests (TestValidOSImageStreamCondition, TestWriteOSImageStreamManifest, TestReconcileOSStreamPropagation) using Go's testing package, not Ginkgo e2e tests. The check applies...
No-Weak-Crypto	✅ Passed	No weak cryptography patterns found. The PR adds osStream parameter handling for OS image stream configuration, not cryptographic operations. No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, or non-con...
Container-Privileges	✅ Passed	PR contains only Go source code files; no container/K8s manifests with privileged configurations, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation settings are present.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposure in logging. osStream values logged are constrained to "rhel-9" or "rhel-10" (non-sensitive internal identifiers). Actual secrets, tokens, and credentials are never logged.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 70.58824% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 42.12%. Comparing base (8019810) to head (3a5a608).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...ition-server/controllers/local_ignitionprovider.go	40.90%	13 Missing ⚠️
ignition-server/cmd/run_local_ignitionprovider.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8792      +/-   ##
==========================================
+ Coverage   42.09%   42.12%   +0.02%     
==========================================
  Files         766      767       +1     
  Lines       95047    95081      +34     
==========================================
+ Hits        40012    40050      +38     
+ Misses      52221    52218       -3     
+ Partials     2814     2813       -1     

Files with missing lines	Coverage Δ
...erator/controllers/nodepool/nodepool_controller.go	43.24% <100.00%> (+0.06%)	⬆️
...pershift-operator/controllers/nodepool/osstream.go	100.00% <100.00%> (ø)
...ition-server/controllers/tokensecret_controller.go	59.18% <100.00%> (+0.16%)	⬆️
ignition-server/cmd/run_local_ignitionprovider.go	0.00% <0.00%> (ø)
...ition-server/controllers/local_ignitionprovider.go	39.02% <40.90%> (+0.87%)	⬆️

... and 1 file with indirect coverage changes

Flag	Coverage Δ
cmd-support	35.42% <ø> (ø)
cpo-hostedcontrolplane	44.48% <ø> (ø)
cpo-other	44.25% <ø> (ø)
hypershift-operator	51.98% <100.00%> (+0.06%)	⬆️
other	31.63% <42.30%> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

ignition-server/controllers/tokensecret_controller_test.go (1)

708-751: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add a missing-key compatibility case for TokenSecretOSStreamKey.

Current cases only validate when the key exists (including empty). Add a case where the key is omitted entirely, so the test locks in behavior for pre-upgrade secrets.

Small test extension

 testCases := []struct {
 	name             string
 	osStream         string
 	expectedOSStream string
+	includeOSStreamKey bool
 }{
 	{
 		name:             "When os-stream is set to rhel-10 it should pass rhel-10 to GetPayload",
 		osStream:         "rhel-10",
 		expectedOSStream: "rhel-10",
+		includeOSStreamKey: true,
 	},
@@
 	{
 		name:             "When os-stream is empty it should pass empty string to GetPayload",
 		osStream:         "",
 		expectedOSStream: "",
+		includeOSStreamKey: true,
+	},
+	{
+		name:               "When os-stream key is absent it should pass empty string to GetPayload",
+		expectedOSStream:   "",
+		includeOSStreamKey: false,
 	},
 }
@@
-			secret := &corev1.Secret{
+			data := map[string][]byte{
+				TokenSecretTokenKey:                     []byte(uuid.New().String()),
+				TokenSecretReleaseKey:                   []byte("release"),
+				TokenSecretConfigKey:                    compressedConfig.Bytes(),
+				TokenSecretPullSecretHashKey:            []byte("pull-hash"),
+				TokenSecretHCConfigurationHashKey:       []byte("hc-hash"),
+				TokenSecretAdditionalTrustBundleHashKey: []byte("bundle-hash"),
+			}
+			if tc.includeOSStreamKey {
+				data[TokenSecretOSStreamKey] = []byte(tc.osStream)
+			}
+			secret := &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
@@
-				Data: map[string][]byte{
-					...
-					TokenSecretOSStreamKey:                  []byte(tc.osStream),
-				},
+				Data: data,
 			}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ignition-server/controllers/tokensecret_controller_test.go` around lines 708
- 751, Add a new test case to the testCases slice that validates backward
compatibility when the TokenSecretOSStreamKey is completely missing from the
secret's Data map. Create a test case with a descriptive name indicating the key
is missing, set expectedOSStream to an empty string as the default behavior, and
then in the test setup for this case, ensure the TokenSecretOSStreamKey is not
included in the Data map at all (unlike the other cases which all include this
key). This will verify that the code correctly handles pre-upgrade secrets that
don't have the os-stream key defined.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ignition-server/cmd/run_local_ignitionprovider.go`:
- Line 114: The GetPayload method call is hardcoding the osStream parameter to
an empty string instead of using the value from the token secret. Extract the
os-stream value from the token secret (similar to how other parameters like
config are extracted) and pass it as the osStream argument to the GetPayload
call instead of the empty string, so that stream-specific payload generation can
be properly reproduced in the debug path.

In `@ignition-server/controllers/tokensecret_controller.go`:
- Around line 275-278: The osStream variable extracted from the Secret data on
line 275 is passed directly to r.IgnitionProvider.GetPayload without validation,
creating a trust-boundary vulnerability where unsupported values could produce
invalid manifests. Add an allow-list validation check before the GetPayload call
to ensure osStream is one of the supported values: empty string, "rhel-9", or
"rhel-10". If the value does not match the allow-list, return an appropriate
error to prevent downstream processing with invalid osStream values.

---

Nitpick comments:
In `@ignition-server/controllers/tokensecret_controller_test.go`:
- Around line 708-751: Add a new test case to the testCases slice that validates
backward compatibility when the TokenSecretOSStreamKey is completely missing
from the secret's Data map. Create a test case with a descriptive name
indicating the key is missing, set expectedOSStream to an empty string as the
default behavior, and then in the test setup for this case, ensure the
TokenSecretOSStreamKey is not included in the Data map at all (unlike the other
cases which all include this key). This will verify that the code correctly
handles pre-upgrade secrets that don't have the os-stream key defined.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1e670da7-7d19-442c-9153-6fcd9693989c

📥 Commits

Reviewing files that changed from the base of the PR and between 8019810 and 5062eb4.

⛔ Files ignored due to path filters (1)

• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/nodepool_conditions.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (9)

• api/hypershift/v1beta1/nodepool_conditions.go
• hypershift-operator/controllers/nodepool/nodepool_controller.go
• hypershift-operator/controllers/nodepool/osstream.go
• hypershift-operator/controllers/nodepool/osstream_test.go
• ignition-server/cmd/run_local_ignitionprovider.go
• ignition-server/controllers/local_ignitionprovider.go
• ignition-server/controllers/local_ignitionprovider_test.go
• ignition-server/controllers/tokensecret_controller.go
• ignition-server/controllers/tokensecret_controller_test.go

[sdminonne]

/cc @enxebre

[sdminonne]

/cc @jparrill

[sdminonne]

Addressed @coderabbitai review feedback:

• Finding 1 (debug path osStream hardcoded to ""): Fixed in 3a5a608 — now reads os-stream from the token secret.
• Finding 2 (allow-list validation in ignition server): Pushed back — os-stream is internal controller data, not a trust-boundary input. Validation is already done upstream by validOSImageStreamCondition and GetRHELStream.
• Finding 3 (missing-key backward-compat test): Fixed in 3a5a608 — added a test case where TokenSecretOSStreamKey is absent from the secret data (pre-upgrade compatibility).

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@sdminonne Thanks for the detailed follow-up!

• Finding 1: Confirmed — reading os-stream from the token secret is the correct approach.
• Finding 2: Your reasoning holds. Since os-stream flows from the NodePool controller's own internal data (already gated by validOSImageStreamCondition and GetRHELStream), adding a redundant allow-list in the ignition server would create a maintenance burden without meaningfully improving security. Withdrawing that suggestion.
• Finding 3: Good addition — the absent-key test case is important for pre-upgrade compatibility, ensuring nodes without os-stream in the secret continue to work correctly.

[openshift-ci]

@sdminonne: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[JoelSpeed]

/approve for API

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: JoelSpeed, sdminonne
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS
• api/OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment