kubebuilder validation and clarified API behavior for KubeletConfig API doc and adds tests

Author: ngopalak-redhat

machineconfiguration/v1/tests/kubeletconfigs.machineconfiguration.openshift.io/KubeletConfigSpec.yaml

@@ -41,136 +41,32 @@ tests:
           logLevel: 11
       expectedError: "Invalid value"
 
-    # TLSSecurityProfile CEL Validation tests
-    - name: Should allow tlsSecurityProfile with Old type
-      initial: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            type: Old
-      expected: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            type: Old
-    - name: Should allow tlsSecurityProfile with Intermediate type
-      initial: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            type: Intermediate
-      expected: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            type: Intermediate
-    - name: Should reject tlsSecurityProfile with Modern type
-      initial: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            type: Modern
-      expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
-    - name: Should reject tlsSecurityProfile with Custom type
-      initial: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            type: Custom
-            custom:
-              ciphers:
-                - ECDHE-ECDSA-AES128-GCM-SHA256
-              minTLSVersion: VersionTLS12
-      expectedError: "only Old and Intermediate TLS profiles are supported for kubelet"
-    - name: Should allow tlsSecurityProfile without type field for backward compatibility
-      initial: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            custom:
-              ciphers:
-                - ECDHE-ECDSA-AES128-GCM-SHA256
-              minTLSVersion: VersionTLS12
-      expected: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            custom:
-              ciphers:
-                - ECDHE-ECDSA-AES128-GCM-SHA256
-              minTLSVersion: VersionTLS12
-
   onUpdate:
     # Ratcheting tests - ensure existing objects with previously valid values can be updated
-    - name: Should allow updating other fields with a previously valid Custom TLS profile persisted
+    - name: Should allow updating other fields with a previously valid logLevel outside current range
       initialCRDPatches:
         - op: remove
-          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/tlsSecurityProfile/x-kubernetes-validations
-      initial: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          tlsSecurityProfile:
-            type: Custom
-            custom:
-              ciphers:
-                - ECDHE-ECDSA-AES128-GCM-SHA256
-              minTLSVersion: VersionTLS12
-      updated: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          logLevel: 5
-          tlsSecurityProfile:
-            type: Custom
-            custom:
-              ciphers:
-                - ECDHE-ECDSA-AES128-GCM-SHA256
-              minTLSVersion: VersionTLS12
-      expected: |
-        apiVersion: machineconfiguration.openshift.io/v1
-        kind: KubeletConfig
-        spec:
-          logLevel: 5
-          tlsSecurityProfile:
-            type: Custom
-            custom:
-              ciphers:
-                - ECDHE-ECDSA-AES128-GCM-SHA256
-              minTLSVersion: VersionTLS12
-    - name: Should allow updating other fields with a previously valid Modern TLS profile persisted
-      initialCRDPatches:
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/logLevel/maximum
         - op: remove
-          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/tlsSecurityProfile/x-kubernetes-validations
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/logLevel/minimum
       initial: |
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
-          tlsSecurityProfile:
-            type: Modern
+          logLevel: 15
       updated: |
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
-          logLevel: 3
-          tlsSecurityProfile:
-            type: Modern
+          logLevel: 15
+          autoSizingReserved: true
       expected: |
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
-          logLevel: 3
-          tlsSecurityProfile:
-            type: Modern
-    - name: Should allow updating other fields with a previously valid logLevel outside current range
+          logLevel: 15
+          autoSizingReserved: true
+    - name: Should allow migrating from invalid logLevel to valid value
       initialCRDPatches:
         - op: remove
           path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/logLevel/maximum
@@ -185,11 +81,9 @@ tests:
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
-          logLevel: 15
-          autoSizingReserved: true
+          logLevel: 5
       expected: |
         apiVersion: machineconfiguration.openshift.io/v1
         kind: KubeletConfig
         spec:
-          logLevel: 15
-          autoSizingReserved: true
+          logLevel: 5

machineconfiguration/v1/types.go

@@ -740,7 +740,7 @@ type KubeletConfig struct {
 // KubeletConfigSpec configures the kubelet running on cluster nodes.
 type KubeletConfigSpec struct {
 	// autoSizingReserved controls whether system-reserved CPU and memory are automatically
-	// calculated based on each node's installed capacity. When enabled, prevents node failure
+	// calculated based on each node's installed capacity. When set to true, this prevents node failure
 	// from resource starvation of system components (kubelet, CRI-O) without manual configuration.
 	// When omitted, this means the user has no opinion and the platform is left to choose a reasonable default,
 	// which is subject to change over time. The current default is true for worker nodes and false for control plane nodes.
@@ -757,8 +757,8 @@ type KubeletConfigSpec struct {
 	LogLevel *int32 `json:"logLevel,omitempty"`
 
 	// machineConfigPoolSelector selects which pools the KubeletConfig should apply to.
-	// A nil selector results in no pools being selected, meaning this kubelet configuration
-	// will not be applied to any nodes in the cluster.
+	// When omitted or set to an empty selector {}, no pools are selected, which is equivalent
+	// to not matching any MachineConfigPool.
 	// +optional
 	MachineConfigPoolSelector *metav1.LabelSelector `json:"machineConfigPoolSelector,omitempty"`
 	// kubeletConfig contains upstream Kubernetes kubelet configuration fields.
@@ -770,9 +770,7 @@ type KubeletConfigSpec struct {
 
 	// tlsSecurityProfile configures TLS settings for the kubelet.
 	// When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster.
-	// When specified, the type field can be set to either "Old" or "Intermediate", or omitted for backward compatibility.
-	// Modern and Custom TLS profiles are not supported for kubelet; maximum minTLSVersion is VersionTLS12.
-	// +kubebuilder:validation:XValidation:rule="!has(self.type) || self.type == 'Old' || self.type == 'Intermediate'",message="only Old and Intermediate TLS profiles are supported for kubelet"
+	// When specified, the type field can be set to either "Old", "Intermediate", "Modern", "Custom" or omitted for backward compatibility.
 	// +optional
 	TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
 }

machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml

@@ -49,7 +49,7 @@ spec:
               autoSizingReserved:
                 description: |-
                   autoSizingReserved controls whether system-reserved CPU and memory are automatically
-                  calculated based on each node's installed capacity. When enabled, prevents node failure
+                  calculated based on each node's installed capacity. When set to true, this prevents node failure
                   from resource starvation of system components (kubelet, CRI-O) without manual configuration.
                   When omitted, this means the user has no opinion and the platform is left to choose a reasonable default,
                   which is subject to change over time. The current default is true for worker nodes and false for control plane nodes.
@@ -76,8 +76,8 @@ spec:
               machineConfigPoolSelector:
                 description: |-
                   machineConfigPoolSelector selects which pools the KubeletConfig should apply to.
-                  A nil selector results in no pools being selected, meaning this kubelet configuration
-                  will not be applied to any nodes in the cluster.
+                  When omitted or set to an empty selector {}, no pools are selected, which is equivalent
+                  to not matching any MachineConfigPool.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
@@ -126,8 +126,7 @@ spec:
                 description: |-
                   tlsSecurityProfile configures TLS settings for the kubelet.
                   When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster.
-                  When specified, the type field can be set to either "Old" or "Intermediate", or omitted for backward compatibility.
-                  Modern and Custom TLS profiles are not supported for kubelet; maximum minTLSVersion is VersionTLS12.
+                  When specified, the type field can be set to either "Old", "Intermediate", "Modern", "Custom" or omitted for backward compatibility.
                 properties:
                   custom:
                     description: |-
@@ -256,10 +255,6 @@ spec:
                     - Custom
                     type: string
                 type: object
-                x-kubernetes-validations:
-                - message: only Old and Intermediate TLS profiles are supported for
-                    kubelet
-                  rule: '!has(self.type) || self.type == ''Old'' || self.type == ''Intermediate'''
             type: object
           status:
             description: status contains observed information about the kubelet configuration.

machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml

@@ -50,7 +50,7 @@ spec:
               autoSizingReserved:
                 description: |-
                   autoSizingReserved controls whether system-reserved CPU and memory are automatically
-                  calculated based on each node's installed capacity. When enabled, prevents node failure
+                  calculated based on each node's installed capacity. When set to true, this prevents node failure
                   from resource starvation of system components (kubelet, CRI-O) without manual configuration.
                   When omitted, this means the user has no opinion and the platform is left to choose a reasonable default,
                   which is subject to change over time. The current default is true for worker nodes and false for control plane nodes.
@@ -77,8 +77,8 @@ spec:
               machineConfigPoolSelector:
                 description: |-
                   machineConfigPoolSelector selects which pools the KubeletConfig should apply to.
-                  A nil selector results in no pools being selected, meaning this kubelet configuration
-                  will not be applied to any nodes in the cluster.
+                  When omitted or set to an empty selector {}, no pools are selected, which is equivalent
+                  to not matching any MachineConfigPool.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
@@ -127,8 +127,7 @@ spec:
                 description: |-
                   tlsSecurityProfile configures TLS settings for the kubelet.
                   When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster.
-                  When specified, the type field can be set to either "Old" or "Intermediate", or omitted for backward compatibility.
-                  Modern and Custom TLS profiles are not supported for kubelet; maximum minTLSVersion is VersionTLS12.
+                  When specified, the type field can be set to either "Old", "Intermediate", "Modern", "Custom" or omitted for backward compatibility.
                 properties:
                   custom:
                     description: |-
@@ -257,10 +256,6 @@ spec:
                     - Custom
                     type: string
                 type: object
-                x-kubernetes-validations:
-                - message: only Old and Intermediate TLS profiles are supported for
-                    kubelet
-                  rule: '!has(self.type) || self.type == ''Old'' || self.type == ''Intermediate'''
             type: object
           status:
             description: status contains observed information about the kubelet configuration.

machineconfiguration/v1/zz_generated.swagger_doc_generated.go

@@ -49,7 +49,7 @@ spec:
               autoSizingReserved:
                 description: |-
                   autoSizingReserved controls whether system-reserved CPU and memory are automatically
-                  calculated based on each node's installed capacity. When enabled, prevents node failure
+                  calculated based on each node's installed capacity. When set to true, this prevents node failure
                   from resource starvation of system components (kubelet, CRI-O) without manual configuration.
                   When omitted, this means the user has no opinion and the platform is left to choose a reasonable default,
                   which is subject to change over time. The current default is true for worker nodes and false for control plane nodes.
@@ -76,8 +76,8 @@ spec:
               machineConfigPoolSelector:
                 description: |-
                   machineConfigPoolSelector selects which pools the KubeletConfig should apply to.
-                  A nil selector results in no pools being selected, meaning this kubelet configuration
-                  will not be applied to any nodes in the cluster.
+                  When omitted or set to an empty selector {}, no pools are selected, which is equivalent
+                  to not matching any MachineConfigPool.
                 properties:
                   matchExpressions:
                     description: matchExpressions is a list of label selector requirements.
@@ -126,8 +126,7 @@ spec:
                 description: |-
                   tlsSecurityProfile configures TLS settings for the kubelet.
                   When omitted, the TLS configuration defaults to the value from apiservers.config.openshift.io/cluster.
-                  When specified, the type field can be set to either "Old" or "Intermediate", or omitted for backward compatibility.
-                  Modern and Custom TLS profiles are not supported for kubelet; maximum minTLSVersion is VersionTLS12.
+                  When specified, the type field can be set to either "Old", "Intermediate", "Modern", "Custom" or omitted for backward compatibility.
                 properties:
                   custom:
                     description: |-
@@ -256,10 +255,6 @@ spec:
                     - Custom
                     type: string
                 type: object
-                x-kubernetes-validations:
-                - message: only Old and Intermediate TLS profiles are supported for
-                    kubelet
-                  rule: '!has(self.type) || self.type == ''Old'' || self.type == ''Intermediate'''
             type: object
           status:
             description: status contains observed information about the kubelet configuration.