OCPBUGS-55638: OCPBUGS-55637: Add admin_acks handling in the MCO

[djoshy]

- What I did
I added a new sync loop in the operator for the admin-gates configmap in the openshift-config-managed namespace. This sync loop will now begin to add the following keys:

• ack-4.18-boot-image-opt-out-in-4.19 when a AWS/GCP cluster does not have a boot image configuration.
• ack-4.18-aarch64-bootloader-4.19 when an aarch64/arm64 node is detected in the cluster.

These gates are only relevant for upgrades to 4.19, so they will only need to exist in the MCO's release-4.18 branch. I've also added a few units for this functionality.

- How to verify it
Before testing either case, ensure that any non MCO keys in admin-gates have been acknowledged. For example, if there is a key called ack-4.18-kube-1.32-api-removals-in-4.19 in admin-gates, add this key to the admin-acks configmap in the openshift-config namespace with its value set to true like so:

apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    include.release.openshift.io/hypershift: "true"
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    kubernetes.io/description: Record administrator acknowledgments of update gates
      defined in the admin-gates ConfigMap in the openshift-config-managed namespace.
    release.openshift.io/create-only: "true"
  creationTimestamp: "2025-05-13T07:51:46Z"
  name: admin-acks
  namespace: openshift-config
  resourceVersion: "2284"
  uid: fdd6b65e-5c83-4d41-a08d-cba2bbdf1e91
data:
  ack-4.18-kube-1.32-api-removals-in-4.19: "true"

• AWS/GCP boot image opt-out:
  • Launch this PR against a 4.18 cluster on the AWS or GCP platform without a boot image configuration defined. The CVO should trip Upgradeable=False (check via oc get clusterversion -o yaml). Now, add a boot image configuration - the CVO should no longer be setting Upgradeable to false.
  • This gate should not show up on any other platforms.
• aarch64 bootloader:
  • Launch this PR against a 4.18 aarch64 cluster. The CVO should trip Upgradeable=False (check via oc get clusterversion -o yaml).
  • This gate should not show up on clusters of any other architectures.

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-55638, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-55638 to depend on a bug targeting a version in 4.19.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

[DNM, currently testing]

- What I did

• Added a sync loop for admin-guards configmap with support for AWS/GCP boot image guard.

- How to verify it

• Launch this PR against a 4.18 cluster on the AWS or GCP platform without a boot image configurationm defined. The CVO should trip Upgradeable=False. Now, add a boot image configuration - this should set Upgradeable back to true.
• This PR should have no effect on other platforms.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

/retest-required

[djoshy]

/retest-required

[yuqi-zhang]

Generally lgtm, will of course need to wait for the docs to exist before we can merge

Some minor questions inline, but I think they're mostly clear

[yuqi-zhang]

nit: updated sounds like it's an action that always needs to be taken, maybe we should say something like "ensure boot image is not too old" instead? (I couldn't think of a better way to phrase it)

[djoshy]

Yeah, that makes sense to me! Perhaps we should run the messages through a doc/Trevor review, they might have better insight/worked on this before

[yuqi-zhang]

So this is saying that if the user already has opted in in a previous version, we don't raise the admin ack?

(makes sense, just thinking out loud)

[djoshy]

Not necessarily opt-ed in, but if they have any sort of opinion(all/none/partial), we'll either remove the admin-ack if one exists, or otherwise a no-op

[yuqi-zhang]

This is interesting, in the sense that we do clear stale admin acks, but only before you do the upgrade, since these syncs will be gone after 4.18.

(again, this is fine, just thinking out loud)

[djoshy]

Right, so I wanted the user to able to clear the gate either by addressing it via the admin-ack configmap or via defining an boot image opinion. In 4.19, this should not have any effect per Trevor since these keys only target 4.18(but we can double check that again)

[yuqi-zhang]

These tests all have a "disabled" boot image configuration (empty machinemanagers), and thereby do not need the admin ack, right?

[djoshy]

Right, disabled meaning the user wanted to opt out so no need to raise the alarm. I can add comments/make this more verbose if its not very clear in the current state 😄

[djoshy]

/retest-required

[yuqi-zhang]

Leaving an approval for the code, but should wait until docs are in place to merge

[djoshy]

Updated to include doc links.

• ack-4.18-boot-image-opt-out-in-4.19 => https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/machine_configuration/mco-update-boot-images#mco-update-boot-images
• ack-4.18-aarch64-bootloader-4.19 => https://access.redhat.com/solutions/7119697 (still WIP)

[ptalgulk01]

Pre-merge verified :
Verified using IPI based AWS cluster

launch 4.18,openshift/machine-config-operator#5027 aws

Edit the admin-acks -n openshift-config

oc edit cm admin-acks -n openshift-config -o yaml
apiVersion: v1
data:
  ack-4.18-kube-1.32-api-removals-in-4.19: "true"
kind: ConfigMap
metadata:
  annotations:
    include.release.openshift.io/hypershift: "true"
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    kubernetes.io/description: Record administrator acknowledgments of update gates
      defined in the admin-gates ConfigMap in the openshift-config-managed namespace.
    release.openshift.io/create-only: "true"
  creationTimestamp: "2025-05-16T09:20:54Z"
  name: admin-acks
  namespace: openshift-config
  resourceVersion: "36986"
  uid: 167b0343-a43b-4e6d-b948-fa8c5a22cccc

Able to see Upgradeable = False before editing the bootImage value
Edit the machineconfiguration

....
  spec:
    logLevel: Normal
    managedBootImages:
      machineManagers:
      - apiGroup: machine.openshift.io
        resource: machinesets
        selection:
          mode: All
    managementState: Managed
    operatorLogLevel: Normal
  status:

After edit as far now able to see the Upgradeable is disappered from clusterversion and to make it appear again edit the data field from admin-acks -n openshift-config

[yuqi-zhang]

/label backport-risk-assessed

Not an actual backport

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-55638, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead
• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-55638 to depend on a bug targeting a version in 4.19.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

- What I did
I added a new sync loop in the operator for the admin-gates configmap in the openshift-config-managed namespace. This sync loop will now begin to add the following keys:

• ack-4.18-boot-image-opt-out-in-4.19 when a AWS/GCP cluster does not have a boot image configuration.
• ack-4.18-aarch64-bootloader-4.19 when an aarch64/arm64 node is detected in the cluster.

These gates are only relevant for upgrades to 4.19, so they will only need to exist in the MCO's release-4.18 branch. I've also added a few units for this functionality.

- How to verify it
Before testing either case, ensure that any non MCO keys in admin-gates have been acknowledged. For example, if there is a key called ack-4.18-kube-1.32-api-removals-in-4.19 in admin-gates, add this key to the admin-acks configmap in the openshift-config namespace with its value set to true like so:

apiVersion: v1
kind: ConfigMap
metadata:
 annotations:
   include.release.openshift.io/hypershift: "true"
   include.release.openshift.io/ibm-cloud-managed: "true"
   include.release.openshift.io/self-managed-high-availability: "true"
   kubernetes.io/description: Record administrator acknowledgments of update gates
     defined in the admin-gates ConfigMap in the openshift-config-managed namespace.
   release.openshift.io/create-only: "true"
 creationTimestamp: "2025-05-13T07:51:46Z"
 name: admin-acks
 namespace: openshift-config
 resourceVersion: "2284"
 uid: fdd6b65e-5c83-4d41-a08d-cba2bbdf1e91
data:
 ack-4.18-kube-1.32-api-removals-in-4.19: "true"

• AWS/GCP boot image opt-out:
  • Launch this PR against a 4.18 cluster on the AWS or GCP platform without a boot image configuration defined. The CVO should trip Upgradeable=False (check via oc get clusterversion -o yaml). Now, add a boot image configuration - the CVO should no longer be setting Upgradeable to false.
  • This gate should not show up on any other platforms.
• aarch64 bootloader:
  • Launch this PR against a 4.18 aarch64 cluster. The CVO should trip Upgradeable=False (check via oc get clusterversion -o yaml).
  • This gate should not show up on clusters of any other architectures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

/jira refresh

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-55638, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead
• expected Jira Issue OCPBUGS-55638 to depend on a bug targeting a version in 4.19.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

/jira refresh

[openshift-ci-robot]

@djoshy: This pull request references Jira Issue OCPBUGS-55638, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.z) matches configured target version for branch (4.18.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note type set to "Release Note Not Required"
• dependent bug Jira Issue OCPBUGS-56453 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-56453 targets the "4.19.0" version, which is one of the valid target versions: 4.19.0
• bug has dependents

Requesting review from QA contact:
/cc @sergiordlr

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[djoshy]

/test all

[djoshy]

/hold

[djoshy]

/unhold

[ptalgulk01]

/label cherry-pick-approved

[djoshy]

/retest-required

[djoshy]

/override ci/prow/e2e-gcp-op

This PR has passed this test in the past, and it seems to timing out in the deprovision stage

[openshift-ci]

@djoshy: Overrode contexts on behalf of djoshy: ci/prow/e2e-gcp-op

In response to this:

/override ci/prow/e2e-gcp-op

This PR has passed this test in the past, and it seems to timing out in the deprovision stage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@djoshy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	a68e58b	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-vsphere-ovn-upi	a68e58b	link	false	/test e2e-vsphere-ovn-upi
ci/prow/e2e-azure-ovn-upgrade-out-of-change	a68e58b	link	false	/test e2e-azure-ovn-upgrade-out-of-change
ci/prow/e2e-vsphere-ovn-zones	a68e58b	link	false	/test e2e-vsphere-ovn-zones
ci/prow/e2e-gcp-op-techpreview	a68e58b	link	false	/test e2e-gcp-op-techpreview
ci/prow/e2e-gcp-op-ocl	a68e58b	link	false	/test e2e-gcp-op-ocl
ci/prow/e2e-vsphere-ovn-upi-zones	a68e58b	link	false	/test e2e-vsphere-ovn-upi-zones
ci/prow/e2e-gcp-op	a68e58b	link	true	/test e2e-gcp-op

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[yuqi-zhang]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: djoshy, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [djoshy,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@djoshy: Jira Issue OCPBUGS-55638: All pull requests linked via external trackers have merged:

• openshift/machine-config-operator#5027

Jira Issue OCPBUGS-55638 has been moved to the MODIFIED state.

In response to this:

- What I did
I added a new sync loop in the operator for the admin-gates configmap in the openshift-config-managed namespace. This sync loop will now begin to add the following keys:

• ack-4.18-boot-image-opt-out-in-4.19 when a AWS/GCP cluster does not have a boot image configuration.
• ack-4.18-aarch64-bootloader-4.19 when an aarch64/arm64 node is detected in the cluster.

These gates are only relevant for upgrades to 4.19, so they will only need to exist in the MCO's release-4.18 branch. I've also added a few units for this functionality.

- How to verify it
Before testing either case, ensure that any non MCO keys in admin-gates have been acknowledged. For example, if there is a key called ack-4.18-kube-1.32-api-removals-in-4.19 in admin-gates, add this key to the admin-acks configmap in the openshift-config namespace with its value set to true like so:

apiVersion: v1
kind: ConfigMap
metadata:
 annotations:
   include.release.openshift.io/hypershift: "true"
   include.release.openshift.io/ibm-cloud-managed: "true"
   include.release.openshift.io/self-managed-high-availability: "true"
   kubernetes.io/description: Record administrator acknowledgments of update gates
     defined in the admin-gates ConfigMap in the openshift-config-managed namespace.
   release.openshift.io/create-only: "true"
 creationTimestamp: "2025-05-13T07:51:46Z"
 name: admin-acks
 namespace: openshift-config
 resourceVersion: "2284"
 uid: fdd6b65e-5c83-4d41-a08d-cba2bbdf1e91
data:
 ack-4.18-kube-1.32-api-removals-in-4.19: "true"

• AWS/GCP boot image opt-out:
  • Launch this PR against a 4.18 cluster on the AWS or GCP platform without a boot image configuration defined. The CVO should trip Upgradeable=False (check via oc get clusterversion -o yaml). Now, add a boot image configuration - the CVO should no longer be setting Upgradeable to false.
  • This gate should not show up on any other platforms.
• aarch64 bootloader:
  • Launch this PR against a 4.18 aarch64 cluster. The CVO should trip Upgradeable=False (check via oc get clusterversion -o yaml).
  • This gate should not show up on clusters of any other architectures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-machine-config-operator
This PR has been included in build ose-machine-config-operator-container-v4.18.0-202505211838.p0.g7c89511.assembly.stream.el9.
All builds following this will include this PR.