OCPBUGS-82166: fix etcd snapshot restore for etcd 3.6 and enforce restoreSnapshotURL immutability

[jparrill]

Summary

• Use etcdutl for snapshot restore/status on etcd 3.6+ (OCP 4.21+), falling back to etcdctl for older versions
• Add CEL validation rule (self == oldSelf) to enforce restoreSnapshotURL immutability at admission time, aligning with the existing API contract ("only when the etcd PV is empty")
• Add envtest CEL validation test suite for restoreSnapshotURL field constraints

Changes

1. etcd-init.sh: etcdutl/etcdctl fallback with error when neither tool is available
2. API: CEL immutability rule on restoreSnapshotURL + regenerated CRDs
3. Test suite: envtest YAML-driven tests covering MaxItems enforcement, immutability on update (change/removal rejected), and allowed transitions (initial set, unchanged value, unrelated updates)

Test plan

• Verify etcd snapshot restore works on OCP 4.21 (etcd 3.6) with a valid pre-signed S3 URL
• Verify etcd snapshot restore works on OCP 4.18-4.20 (etcd 3.5.x)
• Verify day-2 modification of restoreSnapshotURL is rejected by CEL validation
• Verify OADP restore workflow (plugin patches HC before CREATE) is not affected by CEL
• envtest suite passes for restoreSnapshotURL CEL validation (make test-envtest-kube)

Bug

https://redhat.atlassian.net/browse/OCPBUGS-82166

🤖 Generated with Claude Code

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 7c158ba8-8ca0-4306-82ce-3734fbb464f3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The etcd init script now prefers /usr/bin/etcdutl for snapshot status/restore and prints an INFO when using it. If etcdutl is unavailable it falls back to ETCDCTL_API=3 etcdctl and prints an INFO about the fallback. If neither binary exists the script logs an ERROR and exits 1. The script still checks /var/lib/data (logging a warning and listing contents if non-empty), validates the downloaded snapshot by inspecting the first five bytes for an XML error header, restores into /var/lib/restore, and replaces /var/lib/data with the restored directory on success.

Sequence Diagram(s)

sequenceDiagram
  participant InitScript as Init Script
  participant ObjStorage as Object Storage (snapshot URL)
  participant FS as Filesystem
  participant Tool as Tool Selector
  participant EtcdUtl as /usr/bin/etcdutl
  participant EtcdCtl as etcdctl

  InitScript->>FS: check /var/lib/data
  alt data non-empty
    InitScript->>InitScript: log warning & list contents
  end
  InitScript->>ObjStorage: curl "snapshot-url" -> /tmp/snapshot
  ObjStorage-->>InitScript: snapshot bytes
  InitScript->>FS: read first 5 bytes of /tmp/snapshot
  alt header == "<?xml"
    InitScript->>InitScript: log error, output snapshot contents
    InitScript-->>InitScript: exit 1
  else header != "<?xml"
    InitScript->>FS: create /var/lib/restore
    InitScript->>Tool: test -x /usr/bin/etcdutl
    alt etcdutl exists
      Tool->>EtcdUtl: INFO + etcdutl snapshot status -w table /tmp/snapshot
      EtcdUtl-->>InitScript: status
      Tool->>EtcdUtl: etcdutl snapshot restore --data-dir=/var/lib/restore ...
      EtcdUtl-->>FS: write /var/lib/restore
    else
      Tool->>Tool: test for etcdctl
      alt etcdctl exists
        Tool->>EtcdCtl: INFO + ETCDCTL_API=3 etcdctl snapshot status /tmp/snapshot
        EtcdCtl-->>InitScript: status
        Tool->>EtcdCtl: ETCDCTL_API=3 etcdctl snapshot restore --data-dir=/var/lib/restore ...
        EtcdCtl-->>FS: write /var/lib/restore
      else neither exists
        Tool->>InitScript: ERROR "no etcdutl or etcdctl available"
        InitScript-->>InitScript: exit 1
      end
    end
    InitScript->>FS: remove /var/lib/data
    InitScript->>FS: move /var/lib/restore -> /var/lib/data
  end

Loading

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/v2/etcd/etcd-init.sh`:
- Line 12: The curl invocation in etcd-init.sh uses an unquoted variable
${RESTORE_URL}, which can be subject to word splitting or globbing; update the
curl command to quote the RESTORE_URL variable (use "${RESTORE_URL}") so the
pre-signed S3 URL is passed as a single argument to curl and special characters
are preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e712833b-5890-4272-b160-6c2d74e1ff25

📥 Commits

Reviewing files that changed from the base of the PR and between c674483 and e1ff42a.

📒 Files selected for processing (1)

• control-plane-operator/controllers/hostedcontrolplane/v2/etcd/etcd-init.sh

[openshift-ci-robot]

@jparrill: This pull request references Jira Issue OCPBUGS-82166, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Use etcdutl for snapshot restore/status on etcd 3.6+ (OCP 4.21+), falling back to etcdctl for older versions
• Fix S3 XML error detection: replace missing file binary with head -c 5 | grep '<?xml'

Root Cause

etcd 3.6 (shipped in OCP 4.21) removed etcdctl snapshot restore and etcdctl snapshot status subcommands, moving them to etcdutl. The etcd-init.sh script used by the etcd StatefulSet init container breaks on OCP 4.21+ because it calls the removed subcommands.

Additionally, the script used the file command to detect S3 XML error responses from expired pre-signed URLs, but the file binary has never been present in the etcd container image.

Changes

The init script now:

1. Checks for /usr/bin/etcdutl and uses it when available (etcd 3.6+/OCP 4.21+)
2. Falls back to etcdctl for older versions (etcd 3.5.x/OCP ≤4.20)
3. Uses head -c 5 | grep '<?xml' instead of file to detect XML error responses

Test plan

• Verify etcd snapshot restore works on OCP 4.21 (etcd 3.6) with a valid pre-signed S3 URL
• Verify etcd snapshot restore still works on OCP 4.18-4.20 (etcd 3.5.x)
• Verify expired/invalid pre-signed URL is properly detected and logged

Bug

https://redhat.atlassian.net/browse/OCPBUGS-82166

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
• Improved snapshot error detection accuracy during validation
• Enhanced snapshot restore operation reliability with broader tooling compatibility

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jparrill]

/jira refresh

[openshift-ci-robot]

@jparrill: This pull request references Jira Issue OCPBUGS-82166, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jparrill: This pull request references Jira Issue OCPBUGS-82166, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Summary

• Use etcdutl for snapshot restore/status on etcd 3.6+ (OCP 4.21+), falling back to etcdctl for older versions
• Fix S3 XML error detection: replace missing file binary with head -c 5 | grep '<?xml'

Root Cause

etcd 3.6 (shipped in OCP 4.21) removed etcdctl snapshot restore and etcdctl snapshot status subcommands, moving them to etcdutl. The etcd-init.sh script used by the etcd StatefulSet init container breaks on OCP 4.21+ because it calls the removed subcommands.

Additionally, the script used the file command to detect S3 XML error responses from expired pre-signed URLs, but the file binary has never been present in the etcd container image.

Changes

The init script now:

1. Checks for /usr/bin/etcdutl and uses it when available (etcd 3.6+/OCP 4.21+)
2. Falls back to etcdctl for older versions (etcd 3.5.x/OCP ≤4.20)
3. Uses head -c 5 | grep '<?xml' instead of file to detect XML error responses

Test plan

• Verify etcd snapshot restore works on OCP 4.21 (etcd 3.6) with a valid pre-signed S3 URL
• Verify etcd snapshot restore still works on OCP 4.18-4.20 (etcd 3.5.x)
• Verify expired/invalid pre-signed URL is properly detected and logged

Bug

https://redhat.atlassian.net/browse/OCPBUGS-82166

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
• Improved snapshot validation accuracy to better detect error-page (XML) responses.
• Logs a clear error when a downloaded snapshot contains an XML error before showing contents.
• More reliable snapshot status and restore: prefers the newer snapshot tool when available, with a fallback to the previous tool for broader compatibility.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 33.16%. Comparing base (c674483) to head (f2dab40).
⚠️ Report is 18 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8186      +/-   ##
==========================================
+ Coverage   33.11%   33.16%   +0.04%     
==========================================
  Files         768      768              
  Lines       93116    93163      +47     
==========================================
+ Hits        30840    30902      +62     
+ Misses      59665    59646      -19     
- Partials     2611     2615       +4     

see 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bryan-cox]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-04-10T11:24:30Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-04-10T11:24:53Z
• View Job
• View Job History

[jparrill]

/retest-required

[jparrill]

/retest-required

[muraee]

this should not pass

[enxebre]

can we also have a case for when unset after set it should fail

[jparrill]

Fixed

[muraee]

This is difficult to read and reason about. Here I would just add:

// +kubebuilder:validation:XValidation:rule="has(self.restoreSnapshotURL) == has(oldSelf.restoreSnapshotURL)",message="restoreSnapshotURL cannot be added or removed after creation"
Storage ManagedEtcdStorageSpec `json:"storage"`

and add the equality check back ontop of restoreSnapshotUR field directly

// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="restoreSnapshotURL is immutable"
RestoreSnapshotURL []string `json:"restoreSnapshotURL,omitempty"`

[enxebre]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, enxebre, jparrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox,enxebre,jparrill]
• api/OWNERS [enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[muraee]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-21
/test e2e-aws-4-21
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[enxebre]

can we please update the gdoc to reflect clearly this is only settable on creation

[jparrill]

/retest-required

[jparrill]

/verified bypass

More info in here: https://redhat-internal.slack.com/archives/G01QS0P2F6W/p1775814810815969?thread_ts=1775808691.857879&cid=G01QS0P2F6W

[openshift-ci-robot]

@jparrill: The verified label has been added.

Details

In response to this:

/verified bypass

More info in here: https://redhat-internal.slack.com/archives/G01QS0P2F6W/p1775814810815969?thread_ts=1775808691.857879&cid=G01QS0P2F6W

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jparrill]

/retest-required

[enxebre]

/test images
/test security

[openshift-ci]

@jparrill: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@jparrill: Jira Issue Verification Checks: Jira Issue OCPBUGS-82166
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-82166 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Summary

• Use etcdutl for snapshot restore/status on etcd 3.6+ (OCP 4.21+), falling back to etcdctl for older versions
• Add CEL validation rule (self == oldSelf) to enforce restoreSnapshotURL immutability at admission time, aligning with the existing API contract ("only when the etcd PV is empty")
• Add envtest CEL validation test suite for restoreSnapshotURL field constraints

Changes

1. etcd-init.sh: etcdutl/etcdctl fallback with error when neither tool is available
2. API: CEL immutability rule on restoreSnapshotURL + regenerated CRDs
3. Test suite: envtest YAML-driven tests covering MaxItems enforcement, immutability on update (change/removal rejected), and allowed transitions (initial set, unchanged value, unrelated updates)

Test plan

• Verify etcd snapshot restore works on OCP 4.21 (etcd 3.6) with a valid pre-signed S3 URL
• Verify etcd snapshot restore works on OCP 4.18-4.20 (etcd 3.5.x)
• Verify day-2 modification of restoreSnapshotURL is rejected by CEL validation
• Verify OADP restore workflow (plugin patches HC before CREATE) is not affected by CEL
• envtest suite passes for restoreSnapshotURL CEL validation (make test-envtest-kube)

Bug

https://redhat.atlassian.net/browse/OCPBUGS-82166

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.