OCPSTRAT-2713: Add ConfidentialCluster to InstallConfig by fangge1212 · Pull Request #10386 · openshift/installer

fangge1212 · 2026-03-12T13:24:16Z

Summary

With ConfidentialCluster, users can configure an external server
url to retrieve the ignition config for all the nodes including
bootstrap, master and worker.

Dependencies

OCPSTRAT-2713: Bump ignition from 3.2 to 3.6 #10392

coderabbitai · 2026-03-12T13:24:43Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Adds ConfidentialCluster to InstallConfig (schema, Go types, deepcopy), validation enforcing Azure-only and URI rules, integrates ignition trustee merge into bootstrap/node generation, upgrades CoreOS Ignition types v3_2 → v3_6 across many files, and bumps multiple dependencies in go.mod.

Changes

Cohort / File(s)	Summary
OpenAPI schema & types `data/data/install.openshift.io_installconfigs.yaml`, `pkg/types/installconfig.go`, `pkg/types/zz_generated.deepcopy.go`	Introduce `confidentialCluster` in OpenAPI and InstallConfig, add `ConfidentialCluster` type with `ignitionClevisPinTrustee` field, and generated DeepCopy methods.
Validation & tests `pkg/types/validation/installconfig.go`, `pkg/types/validation/installconfig_test.go`	Add validation for ConfidentialCluster (Azure-only, required trustee, HTTP(S) URI) and tests covering unsupported platforms, empty/invalid URIs, and valid cases.
Ignition library upgrade `pkg/.../ignition/...`, `pkg/asset/.../image/ignition.go`, `pkg/asset/.../image/ignition_test.go`, `pkg/infrastructure/...`, `pkg/types/nutanix/helpers.go` (many files using `github.com/coreos/ignition/v2/config/v3_*/types`)	Update ignition imports from v3_2 → v3_6 across ~30 files and adapt usages to the newer ignition types package.
Confidential cluster ignition integration `pkg/asset/ignition/bootstrap/common.go`, `pkg/asset/ignition/machine/node.go`, `pkg/asset/ignition/bootstrap/bootstrap_ignition.go`, `pkg/asset/ignition/machine/...`	When ConfidentialCluster is set, append an Ignition merge resource pointing to the trustee (`ignitionClevisPinTrustee`) into bootstrap/node ignition generation and preserve non-installer merge sources.
Dependency updates `go.mod`	Bump multiple dependencies (CoreOS ignition v2.24.0 → v2.26.0 and various Google, Azure, OpenTelemetry, and golang.org/x/* module versions).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check targets Ginkgo BDD tests but PR uses Go standard table-driven testing; pre-existing review comment flags mismatch between expected and actual validation error messages.	Apply check for table-driven tests instead of Ginkgo, or update test expectation at line 3072 from 'Invalid value' to 'Required value' to match field.Required() call.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add ConfidentialCluster to InstallConfig' directly and clearly describes the main change: introducing a new ConfidentialCluster field to the InstallConfig type, which is evident across multiple files including the schema definition, type definitions, validation logic, and usage throughout the codebase.
Stable And Deterministic Test Names	✅ Passed	Custom check targets Ginkgo test names, but PR uses standard Go testing with static, deterministic table-driven test cases.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

📝 Coding Plan

Generate coding plan for human review comments

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

Migrating from UI to YAML configuration.

Use the @coderabbitai configuration command in a PR comment to get a dump of all your UI settings in YAML format. You can then edit this YAML file and upload it to the root of your repository to configure CodeRabbit programmatically.

coderabbitai

Actionable comments posted: 4

🧹 Nitpick comments (1)

pkg/types/validation/installconfig_test.go (1)
3046-3100: Add coverage for the documented trustee URL contract.

pkg/types/installconfig.go documents ignitionClevisPinTrustee as http(s)://<trustee_server_ip_address>:<port>/ignition-clevis-pin-trustee, but these cases only pin empty input, a generic parse failure, and one HTTP success. Please add at least an HTTPS happy-path and a wrong-path rejection so validation can't drift from the API contract without a test failing.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/types/validation/installconfig_test.go` around lines 3046 - 3100, Add two
table-driven test cases in the same test slice in
pkg/types/validation/installconfig_test.go near the existing ConfidentialCluster
cases: (1) a "valid HTTPS IgnitionClevisPinTrustee in ConfidentialCluster" case
that sets ConfidentialCluster.IgnitionClevisPinTrustee to an https://... URL
(e.g. "https://10.73.210.28:8443/ignition-clevis-pin-trustee") and expects no
error, and (2) an "invalid wrong-path IgnitionClevisPinTrustee in
ConfidentialCluster" case that sets the trustee URL to a URL with an incorrect
path (e.g. "http://10.73.210.28:8000/wrong-path") and asserts the validator
rejects it with the same style of expectedError used by the other cases; use
validInstallConfig(), validAzurePlatform(), and the
ConfidentialCluster.IgnitionClevisPinTrustee field names to locate where to add
these entries so the suite ensures both HTTPS success and path validation
failures.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@data/data/install.openshift.io_installconfigs.yaml`:
- Around line 3109-3117: The CRD schema allows an empty confidentialCluster
object; make ignitionClevisPinTrustee required so configs like {
confidentialCluster: {} } are rejected: inside the confidentialCluster object
definition (the block with properties: ignitionClevisPinTrustee) add a required:
["ignitionClevisPinTrustee"] entry and optionally tighten the
ignitionClevisPinTrustee schema (e.g., ensure type: string and a pattern or
minLength) so the runtime validation matches the CRD; reference the
confidentialCluster object and the ignitionClevisPinTrustee property when
applying the change.

In `@pkg/asset/ignition/machine/node.go`:
- Around line 75-82: The current code appends the ConfidentialCluster trustee
URL to config.Ignition.Config.Merge but later generatePointerMachineConfig()
clears the entire Merge slice (config.Ignition.Config.Merge = nil), dropping the
trustee; instead, change generatePointerMachineConfig() to remove only the MCS
/config/<role> merge entry(s) while preserving any other merges (e.g., the
ConfidentialCluster trustee added from installConfig.ConfidentialCluster).
Locate and update the logic in generatePointerMachineConfig() that sets
config.Ignition.Config.Merge = nil to filter the slice: iterate
config.Ignition.Config.Merge, keep entries whose Source is not the MCS
/config/<role> path, and assign the filtered slice back so the clevis trustee
(from installConfig.ConfidentialCluster) remains.

In `@pkg/asset/imagebased/image/ignition.go`:
- Line 162: The current call uses v3_6.Parse which rejects older 3.x ignition
formats; replace the call to v3_6.Parse with v3_6.ParseCompatibleVersion when
parsing the user-supplied override (the line creating ignitionConfigOverride) so
older 3.x overrides are accepted and translated; update any error handling
around ignitionConfigOverride to handle the same returned values from
ParseCompatibleVersion and ensure the rest of the code uses the returned
ignitionConfigOverride as before.

In `@pkg/types/validation/installconfig.go`:
- Around line 1918-1922: The validation currently allows both "http" and "https"
for cc.IgnitionClevisPinTrustee via validateURI; change the allowed schemes to
only "https" so validateURI(cc.IgnitionClevisPinTrustee,
fldPath.Child("ignitionClevisPinTrustee"), []string{"https"}) is used, and
update any example/docs that show an http:// trustee URL to use https://
instead; ensure the error message and field name (ignitionClevisPinTrustee)
remain unchanged so callers see the same validation behavior except for the
stricter scheme.

---

Nitpick comments:
In `@pkg/types/validation/installconfig_test.go`:
- Around line 3046-3100: Add two table-driven test cases in the same test slice
in pkg/types/validation/installconfig_test.go near the existing
ConfidentialCluster cases: (1) a "valid HTTPS IgnitionClevisPinTrustee in
ConfidentialCluster" case that sets ConfidentialCluster.IgnitionClevisPinTrustee
to an https://... URL (e.g.
"https://10.73.210.28:8443/ignition-clevis-pin-trustee") and expects no error,
and (2) an "invalid wrong-path IgnitionClevisPinTrustee in ConfidentialCluster"
case that sets the trustee URL to a URL with an incorrect path (e.g.
"http://10.73.210.28:8000/wrong-path") and asserts the validator rejects it with
the same style of expectedError used by the other cases; use
validInstallConfig(), validAzurePlatform(), and the
ConfidentialCluster.IgnitionClevisPinTrustee field names to locate where to add
these entries so the suite ensures both HTTPS success and path validation
failures.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8087fb71-b7c9-4ce9-81b2-808c7de9c035

📥 Commits

Reviewing files that changed from the base of the PR and between b9c6f8e and 251b4a4.

⛔ Files ignored due to path filters (261)

go.sum is excluded by !**/*.sum
pkg/types/zz_generated.deepcopy.go is excluded by !**/zz_generated*
vendor/cloud.google.com/go/.release-please-manifest-individual.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/.release-please-manifest-submodules.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/.release-please-manifest.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/README.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_admin_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/ekm_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/gapic_metadata.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/key_management_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/resources.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/autogen/helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/autogen/operations_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/release-please-config-individual.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/release-please-config-yoshi-submodules.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/.repo-metadata.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/bucket.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/contexts.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/copy.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/emulator_test.sh is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_reader.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_reader_multi_range.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_writer.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/http_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/.repo-metadata.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storage_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/pcu.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/reader.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/internal/exported/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/option.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/resourcemapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/type/v1/typed_struct.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/translate/translate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/clevis.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/device.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/disk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/filesystem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/ignition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/kargs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/luks.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/passwd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/proxy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/raid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/systemd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tang.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/unit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/url.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/verification.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/clevis.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/device.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/disk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/filesystem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/ignition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/kargs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/luks.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/passwd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/proxy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/raid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/systemd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tang.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/unit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/verification.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/translate/translate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/cex.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/clevis.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/device.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/disk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/filesystem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/ignition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/kargs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/luks.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/passwd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/proxy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/raid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/systemd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tang.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/unit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/verification.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/translate/translate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/cex.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/clevis.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/device.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/disk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/filesystem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/ignition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/kargs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/luks.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/passwd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/path.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (39)

data/data/install.openshift.io_installconfigs.yaml
go.mod
internal/tshelpers/custom_commands.go
pkg/asset/agent/image/ignition.go
pkg/asset/agent/image/ignition_test.go
pkg/asset/agent/image/unconfigured_ignition.go
pkg/asset/agent/joiner/clusterinfo.go
pkg/asset/agent/joiner/clusterinfo_test.go
pkg/asset/cluster/tfvars/tfvars.go
pkg/asset/ignition/bootstrap/bootstrap_ignition.go
pkg/asset/ignition/bootstrap/bootstrap_ignition_test.go
pkg/asset/ignition/bootstrap/common.go
pkg/asset/ignition/bootstrap/ibmcloud/storage.go
pkg/asset/ignition/machine/arbiter.go
pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go
pkg/asset/ignition/machine/master.go
pkg/asset/ignition/machine/node.go
pkg/asset/ignition/machine/worker.go
pkg/asset/ignition/node.go
pkg/asset/imagebased/image/ignition.go
pkg/asset/imagebased/image/ignition_test.go
pkg/asset/machines/machineconfig/authorizedkeys.go
pkg/asset/machines/machineconfig/chrony.go
pkg/asset/machines/machineconfig/disks.go
pkg/asset/machines/machineconfig/disks_test.go
pkg/asset/machines/machineconfig/fips.go
pkg/asset/machines/machineconfig/hyperthreading.go
pkg/asset/machines/machineconfig/ipv6.go
pkg/asset/machines/machineconfig/multipath.go
pkg/asset/machines/machineconfig/powersmt.go
pkg/asset/machines/machineconfig/routes.go
pkg/infrastructure/baremetal/bootstrap.go
pkg/infrastructure/clusterapi/helpers.go
pkg/infrastructure/clusterapi/ignition.go
pkg/infrastructure/openstack/preprovision/bootstrapignition.go
pkg/types/installconfig.go
pkg/types/nutanix/helpers.go
pkg/types/validation/installconfig.go
pkg/types/validation/installconfig_test.go

data/data/install.openshift.io_installconfigs.yaml

pkg/asset/ignition/machine/node.go

pkg/asset/imagebased/image/ignition.go

pkg/types/validation/installconfig.go

coderabbitai

♻️ Duplicate comments (1)

data/data/install.openshift.io_installconfigs.yaml (1)

3110-3116: ⚠️ Potential issue | 🟠 Major

Tighten trustee URL schema to match runtime checks.

ignitionClevisPinTrustee is required now (good), but on Line 3116 it is still only type: string. This lets invalid/non-HTTP(S) values pass CRD validation and fail later in installer validation.

Suggested schema tightening

           ignitionClevisPinTrustee:
             description: |-
               IgnitionClevisPinTrustee is the URL of the ignition configuration for LUKS encryption using Clevis. This ignition
               configuration is used by bootstrap, master and worker nodes to encrypt and decrypt their root disk. It's served by
               an external trustee server which performs remote attestation before returning the requested ignition config.
               Example: https://10.73.210.28:8000/ignition-clevis-pin-trustee
+            format: uri
+            pattern: ^https?://
             type: string

Use this read-only check to verify current CRD/runtime mismatch:

#!/bin/bash
set -euo pipefail

echo "=== CRD schema snippet (confidentialCluster) ==="
sed -n '3104,3122p' data/data/install.openshift.io_installconfigs.yaml

echo
echo "=== Runtime validation references ==="
rg -n -C3 'ConfidentialCluster|ignitionClevisPinTrustee|http|https|Parse' pkg/types/validation/installconfig.go

Expected result: schema snippet shows only type: string (no URI/scheme restriction), while runtime validation shows URI + scheme enforcement.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@data/data/install.openshift.io_installconfigs.yaml` around lines 3110 - 3116,
The CRD currently declares ignitionClevisPinTrustee only as type:string which
allows non-HTTP(S) values; update the schema for the ignitionClevisPinTrustee
property to validate URIs with an http/https scheme (e.g., add format: uri
and/or a pattern that enforces ^https?://) so it matches the runtime checks
referenced in pkg/types/validation/installconfig.go; keep the field required but
tighten its schema to reject non-HTTP(S) values at CRD validation time.

🧹 Nitpick comments (2)

pkg/types/installconfig.go (1)
686-692: Inconsistency between +required marker and omitempty JSON tag.

The IgnitionClevisPinTrustee field is marked as +required in the comment but has omitempty in the JSON tag. While this is functionally correct (validation enforces the requirement when ConfidentialCluster is set), consider either:

Using +kubebuilder:validation:Required for CRD schema validation, or

Clarifying the comment to indicate it's "required when ConfidentialCluster is specified"

This is a minor documentation nit since validation is handled separately.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/types/installconfig.go` around lines 686 - 692, The comment and struct
tag for ConfidentialCluster.IgnitionClevisPinTrustee are inconsistent: the field
is annotated with the comment marker "+required" but the JSON tag uses
"omitempty"; fix by either replacing the comment marker with a kubebuilder
schema annotation (e.g., add `+kubebuilder:validation:Required` above
IgnitionClevisPinTrustee) so CRD validation enforces presence, or change the
comment text to clearly state "required when ConfidentialCluster is specified"
and keep `omitempty`—update the comment line or add the kubebuilder tag on the
IgnitionClevisPinTrustee field accordingly.
pkg/types/validation/installconfig.go (1)
1918-1919: Consider using field.Required for consistency.

Other required field checks in this file use field.Required (e.g., lines 143, 527, 534). Using field.Invalid works but is less idiomatic for this case.
♻️ Suggested change
 	if cc.IgnitionClevisPinTrustee == "" {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("ignitionClevisPinTrustee"), "", "ignitionClevisPinTrustee is required if confidentialCluster is set"))
+		allErrs = append(allErrs, field.Required(fldPath.Child("ignitionClevisPinTrustee"), "ignitionClevisPinTrustee is required if confidentialCluster is set"))
 	} else {
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/types/validation/installconfig.go` around lines 1918 - 1919, Replace the
use of field.Invalid for the empty cc.IgnitionClevisPinTrustee check with
field.Required to match the idiomatic validation used elsewhere; locate the
check that appends to allErrs (references cc.IgnitionClevisPinTrustee and
fldPath.Child("ignitionClevisPinTrustee")) and change the appended error to use
field.Required with the same field path and a concise message indicating the
field is required when confidentialCluster is set.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@data/data/install.openshift.io_installconfigs.yaml`:
- Around line 3110-3116: The CRD currently declares ignitionClevisPinTrustee
only as type:string which allows non-HTTP(S) values; update the schema for the
ignitionClevisPinTrustee property to validate URIs with an http/https scheme
(e.g., add format: uri and/or a pattern that enforces ^https?://) so it matches
the runtime checks referenced in pkg/types/validation/installconfig.go; keep the
field required but tighten its schema to reject non-HTTP(S) values at CRD
validation time.

---

Nitpick comments:
In `@pkg/types/installconfig.go`:
- Around line 686-692: The comment and struct tag for
ConfidentialCluster.IgnitionClevisPinTrustee are inconsistent: the field is
annotated with the comment marker "+required" but the JSON tag uses "omitempty";
fix by either replacing the comment marker with a kubebuilder schema annotation
(e.g., add `+kubebuilder:validation:Required` above IgnitionClevisPinTrustee) so
CRD validation enforces presence, or change the comment text to clearly state
"required when ConfidentialCluster is specified" and keep `omitempty`—update the
comment line or add the kubebuilder tag on the IgnitionClevisPinTrustee field
accordingly.

In `@pkg/types/validation/installconfig.go`:
- Around line 1918-1919: Replace the use of field.Invalid for the empty
cc.IgnitionClevisPinTrustee check with field.Required to match the idiomatic
validation used elsewhere; locate the check that appends to allErrs (references
cc.IgnitionClevisPinTrustee and fldPath.Child("ignitionClevisPinTrustee")) and
change the appended error to use field.Required with the same field path and a
concise message indicating the field is required when confidentialCluster is
set.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aedac9f6-7280-44d9-ad84-1a74a9774eea

📥 Commits

Reviewing files that changed from the base of the PR and between 251b4a4 and 3688806.

📒 Files selected for processing (4)

data/data/install.openshift.io_installconfigs.yaml
pkg/asset/ignition/machine/node.go
pkg/types/installconfig.go
pkg/types/validation/installconfig.go

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/asset/imagebased/image/ignition.go (1)

162-162: ⚠️ Potential issue | 🔴 Critical

Use compatible parsing for user-supplied Ignition overrides.

Line 162 uses v3_6.Parse, which is strict and may reject older 3.x override docs that previously worked. For user-provided override input, this is a backward-compatibility break and runtime failure risk.

Proposed fix

-	ignitionConfigOverride, _, err := v3_6.Parse([]byte(override))
+	ignitionConfigOverride, _, err := v3_6.ParseCompatibleVersion([]byte(override))

Does github.com/coreos/ignition/v2/config/v3_6.Parse accept only ignition.version 3.6.0, and does ParseCompatibleVersion accept older 3.x versions (e.g., 3.2.0/3.4.0)?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/imagebased/image/ignition.go` at line 162, The call to v3_6.Parse
when parsing user-supplied Ignition overrides is too strict and can reject older
3.x documents; replace the strict parser with the compatible parser (e.g., use
the package's ParseCompatibleVersion or equivalent compatibility parsing
function) so older 3.x versions are accepted when parsing the override string
used to produce ignitionConfigOverride; update the parsing call surrounding
ignitionConfigOverride, err := ... to call the compatible parser and adjust
error handling accordingly to maintain the same variable names and flow.

🧹 Nitpick comments (1)

pkg/types/validation/installconfig_test.go (1)

3046-3100: Pin the trustee URI scheme whitelist in tests.

These cases cover the empty-string and parse-error paths, but not a well-formed unsupported scheme or the documented https:// happy path. A regression in the http/https whitelist would slip through.

🧪 Suggested additional cases

+		{
+			name: "invalid unsupported scheme in ConfidentialCluster",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.Platform = types.Platform{
+					Azure: validAzurePlatform(),
+				}
+				c.ConfidentialCluster = &types.ConfidentialCluster{
+					IgnitionClevisPinTrustee: "ftp://10.73.210.28:8000/ignition-clevis-pin-trustee",
+				}
+				return c
+			}(),
+			expectedError: `confidentialCluster.ignitionClevisPinTrustee: Unsupported value: "ftp": supported values: "http", "https"`,
+		},
+		{
+			name: "valid https IgnitionClevisPinTrustee in ConfidentialCluster",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.Platform = types.Platform{
+					Azure: validAzurePlatform(),
+				}
+				c.ConfidentialCluster = &types.ConfidentialCluster{
+					IgnitionClevisPinTrustee: "https://10.73.210.28:8000/ignition-clevis-pin-trustee",
+				}
+				return c
+			}(),
+		},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/types/validation/installconfig_test.go` around lines 3046 - 3100, Add two
test cases in the same table-driven test that exercises
ConfidentialCluster.IgnitionClevisPinTrustee: one with a well-formed but
unsupported scheme (e.g., "ftp://example.com/path") asserting a
parse/unsupported-scheme error, and one with the documented https happy path
(e.g., "https://10.73.210.28:8000/ignition-clevis-pin-trustee") asserting no
error; use the existing helpers validInstallConfig() and validAzurePlatform()
and follow the pattern used by the other cases (referencing ConfidentialCluster
and IgnitionClevisPinTrustee) so the suite will catch regressions to the
http/https whitelist.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/types/validation/installconfig_test.go`:
- Around line 3061-3072: The test case for "invalid empty
IgnitionClevisPinTrustee in ConfidentialCluster" uses the wrong expected error
kind; update the expected error string in the test (in
pkg/types/validation/installconfig_test.go) to match
validateConfidentialCluster() returning field.Required for an empty
ConfidentialCluster.IgnitionClevisPinTrustee, i.e. change the expectedError from
the "Invalid value" message to the required-style message that references
ignitionClevisPinTrustee being required when ConfidentialCluster is set.

---

Duplicate comments:
In `@pkg/asset/imagebased/image/ignition.go`:
- Line 162: The call to v3_6.Parse when parsing user-supplied Ignition overrides
is too strict and can reject older 3.x documents; replace the strict parser with
the compatible parser (e.g., use the package's ParseCompatibleVersion or
equivalent compatibility parsing function) so older 3.x versions are accepted
when parsing the override string used to produce ignitionConfigOverride; update
the parsing call surrounding ignitionConfigOverride, err := ... to call the
compatible parser and adjust error handling accordingly to maintain the same
variable names and flow.

---

Nitpick comments:
In `@pkg/types/validation/installconfig_test.go`:
- Around line 3046-3100: Add two test cases in the same table-driven test that
exercises ConfidentialCluster.IgnitionClevisPinTrustee: one with a well-formed
but unsupported scheme (e.g., "ftp://example.com/path") asserting a
parse/unsupported-scheme error, and one with the documented https happy path
(e.g., "https://10.73.210.28:8000/ignition-clevis-pin-trustee") asserting no
error; use the existing helpers validInstallConfig() and validAzurePlatform()
and follow the pattern used by the other cases (referencing ConfidentialCluster
and IgnitionClevisPinTrustee) so the suite will catch regressions to the
http/https whitelist.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 638763ff-2a56-40ed-b8a6-0cb01b60cadc

📥 Commits

Reviewing files that changed from the base of the PR and between 3688806 and bd2a1af.

⛔ Files ignored due to path filters (244)

go.sum is excluded by !**/*.sum
pkg/types/zz_generated.deepcopy.go is excluded by !**/zz_generated*
vendor/cloud.google.com/go/.release-please-manifest-individual.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/.release-please-manifest-submodules.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/.release-please-manifest.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/README.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/auth/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_admin_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/ekm_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/gapic_metadata.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/key_management_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/resources.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/kms/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/autogen/helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/longrunning/autogen/operations_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/release-please-config-individual.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/release-please-config-yoshi-submodules.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/.repo-metadata.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/bucket.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/contexts.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/copy.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/emulator_test.sh is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_reader.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_reader_multi_range.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/grpc_writer.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/http_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/.repo-metadata.json is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storage_client.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/internal/version.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/pcu.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/reader.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/cloud.google.com/go/storage/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/internal/exported/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/option.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/resourcemapping.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/udpa/type/v1/typed_struct.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/translate/translate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/clevis.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/device.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/disk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/filesystem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/ignition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/kargs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/luks.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/passwd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/proxy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/raid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/systemd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tang.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/unit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/url.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/verification.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/clevis.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/device.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/disk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/filesystem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/ignition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/kargs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/luks.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/passwd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/proxy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/raid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/systemd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tang.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/unit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/verification.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/translate/translate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/cex.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/clevis.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/device.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/disk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/filesystem.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/ignition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/kargs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/luks.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/partition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/passwd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/proxy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/raid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/systemd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tang.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/unit.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/verification.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/translate/translate.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (39)

data/data/install.openshift.io_installconfigs.yaml
go.mod
internal/tshelpers/custom_commands.go
pkg/asset/agent/image/ignition.go
pkg/asset/agent/image/ignition_test.go
pkg/asset/agent/image/unconfigured_ignition.go
pkg/asset/agent/joiner/clusterinfo.go
pkg/asset/agent/joiner/clusterinfo_test.go
pkg/asset/cluster/tfvars/tfvars.go
pkg/asset/ignition/bootstrap/bootstrap_ignition.go
pkg/asset/ignition/bootstrap/bootstrap_ignition_test.go
pkg/asset/ignition/bootstrap/common.go
pkg/asset/ignition/bootstrap/ibmcloud/storage.go
pkg/asset/ignition/machine/arbiter.go
pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go
pkg/asset/ignition/machine/master.go
pkg/asset/ignition/machine/node.go
pkg/asset/ignition/machine/worker.go
pkg/asset/ignition/node.go
pkg/asset/imagebased/image/ignition.go
pkg/asset/imagebased/image/ignition_test.go
pkg/asset/machines/machineconfig/authorizedkeys.go
pkg/asset/machines/machineconfig/chrony.go
pkg/asset/machines/machineconfig/disks.go
pkg/asset/machines/machineconfig/disks_test.go
pkg/asset/machines/machineconfig/fips.go
pkg/asset/machines/machineconfig/hyperthreading.go
pkg/asset/machines/machineconfig/ipv6.go
pkg/asset/machines/machineconfig/multipath.go
pkg/asset/machines/machineconfig/powersmt.go
pkg/asset/machines/machineconfig/routes.go
pkg/infrastructure/baremetal/bootstrap.go
pkg/infrastructure/clusterapi/helpers.go
pkg/infrastructure/clusterapi/ignition.go
pkg/infrastructure/openstack/preprovision/bootstrapignition.go
pkg/types/installconfig.go
pkg/types/nutanix/helpers.go
pkg/types/validation/installconfig.go
pkg/types/validation/installconfig_test.go

🚧 Files skipped from review as they are similar to previous changes (23)

pkg/types/nutanix/helpers.go
internal/tshelpers/custom_commands.go
pkg/asset/agent/joiner/clusterinfo_test.go
pkg/asset/machines/machineconfig/chrony.go
pkg/asset/ignition/machine/worker.go
pkg/asset/agent/joiner/clusterinfo.go
pkg/asset/agent/image/ignition.go
pkg/asset/agent/image/ignition_test.go
pkg/asset/machines/machineconfig/ipv6.go
pkg/infrastructure/baremetal/bootstrap.go
pkg/asset/machines/machineconfig/authorizedkeys.go
pkg/asset/imagebased/image/ignition_test.go
pkg/asset/ignition/bootstrap/bootstrap_ignition_test.go
pkg/asset/machines/machineconfig/disks_test.go
pkg/asset/ignition/bootstrap/ibmcloud/storage.go
pkg/asset/ignition/machine/master.go
pkg/types/installconfig.go
pkg/infrastructure/openstack/preprovision/bootstrapignition.go
pkg/asset/ignition/bootstrap/bootstrap_ignition.go
pkg/asset/machines/machineconfig/powersmt.go
pkg/asset/ignition/machine/arbiter.go
pkg/asset/cluster/tfvars/tfvars.go
pkg/infrastructure/clusterapi/ignition.go

pkg/types/validation/installconfig_test.go

coderabbitai

Actionable comments posted: 2

♻️ Duplicate comments (1)

data/data/install.openshift.io_installconfigs.yaml (1)

3110-3116: ⚠️ Potential issue | 🟠 Major

Tighten ignitionClevisPinTrustee schema to match runtime URL validation

At Line 3116, this field is only type: string, so non-URL values pass CRD validation and fail later. Please enforce URI/HTTP(S) at schema level to keep API and runtime validation aligned.

Suggested schema tightening

             properties:
               ignitionClevisPinTrustee:
                 description: |-
                   IgnitionClevisPinTrustee is the URL of the ignition configuration for LUKS encryption using Clevis. This ignition
                   configuration is used by bootstrap, master and worker nodes to encrypt and decrypt their root disk. It's served by
                   an external trustee server which performs remote attestation before returning the requested ignition config.
                   Example: http://10.73.210.28:8000/ignition-clevis-pin-trustee
+                format: uri
+                minLength: 1
+                pattern: ^https?://
                 type: string

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@data/data/install.openshift.io_installconfigs.yaml` around lines 3110 - 3116,
The CRD currently declares ignitionClevisPinTrustee only as type: string,
allowing non-URL values; update the schema for the ignitionClevisPinTrustee
property to validate URLs (restrict to HTTP/HTTPS) by adding a URL constraint
(e.g., add format: uri and/or a pattern like ^https?:// to enforce http/https)
so the API-level validation matches runtime checks for ignitionClevisPinTrustee.

🧹 Nitpick comments (1)

go.mod (1)
6-8: Keep feature PR scope tighter for dependency churn.

This PR mixes the ConfidentialCluster feature with a very large dependency sweep, which increases regression risk and makes bisect/rollback harder. Consider splitting bulk dependency upgrades into a dedicated PR (or clearly documenting why each bump is required for this feature).

As per coding guidelines, "**: -Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

Also applies to: 11-12, 25-25, 58-58, 106-106, 109-114, 162-168, 170-170, 173-173, 175-175, 185-186, 190-190, 199-199, 258-258, 319-320, 328-329, 331-331, 333-335
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 6 - 8, The go.mod dependency bumps (e.g.,
cloud.google.com/go/kms, cloud.google.com/go/monitoring,
cloud.google.com/go/storage and the other listed modules) should be separated
from the ConfidentialCluster feature changes: create a dedicated commit/PR that
contains only the dependency upgrades (and updated go.sum), run unit/integration
tests and CI there, and keep the ConfidentialCluster PR focused only on the
feature code; if any dependency upgrade is strictly required for the feature,
document each required bump with a brief rationale in the PR description and
include only those minimal upgrades in the feature PR.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 113-114: The go.mod currently pins
google.golang.org/genproto/googleapis/api and
google.golang.org/genproto/googleapis/rpc to different pseudo-versions causing
mod-graph instability; normalize them to the same pseudo-version (prefer the
newer commit, e.g., align api to the rpc commit or vice‑versa) so both
google.golang.org/genproto/googleapis/api and
google.golang.org/genproto/googleapis/rpc reference the identical version, then
run go mod tidy and verify with go mod graph/go list -m all that no conflicting
transitive versions remain.

In `@pkg/types/validation/installconfig.go`:
- Around line 1918-1923: The validation currently allows "https" for
cc.IgnitionClevisPinTrustee via validateURI(..., []string{"http","https"}) even
though trustee TLS CA is not provisioned; change the validation to only permit
"http" for IgnitionClevisPinTrustee (remove "https" from validateURI) until
trustee CA support is implemented, or alternatively extend the
ConfidentialCluster API to add a trustee CA field (e.g. TrusteeCACert) and wire
that into Ignition.Security.TLS.CertificateAuthorities so validateURI can keep
permitting "https" and the CA can be injected into the generated Ignition
config; update the code paths that reference cc.IgnitionClevisPinTrustee,
validateURI, ConfidentialCluster, and
Ignition.Security.TLS.CertificateAuthorities accordingly.

---

Duplicate comments:
In `@data/data/install.openshift.io_installconfigs.yaml`:
- Around line 3110-3116: The CRD currently declares ignitionClevisPinTrustee
only as type: string, allowing non-URL values; update the schema for the
ignitionClevisPinTrustee property to validate URLs (restrict to HTTP/HTTPS) by
adding a URL constraint (e.g., add format: uri and/or a pattern like ^https?://
to enforce http/https) so the API-level validation matches runtime checks for
ignitionClevisPinTrustee.

---

Nitpick comments:
In `@go.mod`:
- Around line 6-8: The go.mod dependency bumps (e.g., cloud.google.com/go/kms,
cloud.google.com/go/monitoring, cloud.google.com/go/storage and the other listed
modules) should be separated from the ConfidentialCluster feature changes:
create a dedicated commit/PR that contains only the dependency upgrades (and
updated go.sum), run unit/integration tests and CI there, and keep the
ConfidentialCluster PR focused only on the feature code; if any dependency
upgrade is strictly required for the feature, document each required bump with a
brief rationale in the PR description and include only those minimal upgrades in
the feature PR.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a61773ad-254c-4b40-a0d6-3074940c0e37

📥 Commits

Reviewing files that changed from the base of the PR and between bd2a1af and 2c1e578.

⛔ Files ignored due to path filters (265)

go.sum is excluded by !**/*.sum
vendor/cloud.google.com/go/.release-please-manifest-individual.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/.release-please-manifest-submodules.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/.release-please-manifest.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/README.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/go.work is excluded by !**/*.work, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/go.work.sum is excluded by !**/*.sum, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_admin_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/ekm_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/key_management_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/resources.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/autogen/helpers.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/autogen/operations_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/release-please-config-individual.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/release-please-config-yoshi-submodules.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/.repo-metadata.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/bucket.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/contexts.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/copy.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/emulator_test.sh is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_reader.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_reader_multi_range.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_writer.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/http_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/.repo-metadata.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storage_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/pcu.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/reader.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/writer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/internal/exported/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/metric.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/option.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/resourcemapping.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/type/v1/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/raid.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/resource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/schema.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/systemd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tang.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tls.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/unit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/url.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/verification.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/raid.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/resource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/schema.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/systemd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tang.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tls.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/unit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/verification.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/cex.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/raid.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/resource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/schema.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/systemd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tang.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tls.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/unit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/verification.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/cex.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/raid.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/resource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/schema.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/storage.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (35)

data/data/install.openshift.io_installconfigs.yaml
go.mod
pkg/asset/agent/image/ignition.go
pkg/asset/agent/image/ignition_test.go
pkg/asset/agent/image/unconfigured_ignition.go
pkg/asset/agent/joiner/clusterinfo.go
pkg/asset/agent/joiner/clusterinfo_test.go
pkg/asset/cluster/tfvars/tfvars.go
pkg/asset/ignition/bootstrap/common.go
pkg/asset/ignition/bootstrap/ibmcloud/storage.go
pkg/asset/ignition/machine/arbiter.go
pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go
pkg/asset/ignition/machine/master.go
pkg/asset/ignition/machine/node.go
pkg/asset/ignition/machine/worker.go
pkg/asset/imagebased/image/ignition.go
pkg/asset/imagebased/image/ignition_test.go
pkg/asset/machines/machineconfig/authorizedkeys.go
pkg/asset/machines/machineconfig/chrony.go
pkg/asset/machines/machineconfig/disks.go
pkg/asset/machines/machineconfig/disks_test.go
pkg/asset/machines/machineconfig/fips.go
pkg/asset/machines/machineconfig/hyperthreading.go
pkg/asset/machines/machineconfig/ipv6.go
pkg/asset/machines/machineconfig/multipath.go
pkg/asset/machines/machineconfig/powersmt.go
pkg/asset/machines/machineconfig/routes.go
pkg/infrastructure/baremetal/bootstrap.go
pkg/infrastructure/clusterapi/helpers.go
pkg/infrastructure/clusterapi/ignition.go
pkg/infrastructure/openstack/preprovision/bootstrapignition.go
pkg/types/installconfig.go
pkg/types/validation/installconfig.go
pkg/types/validation/installconfig_test.go
pkg/types/zz_generated.deepcopy.go

✅ Files skipped from review due to trivial changes (1)

pkg/asset/ignition/bootstrap/ibmcloud/storage.go

🚧 Files skipped from review as they are similar to previous changes (13)

pkg/infrastructure/baremetal/bootstrap.go
pkg/asset/imagebased/image/ignition_test.go
pkg/asset/machines/machineconfig/chrony.go
pkg/asset/ignition/machine/worker.go
pkg/asset/imagebased/image/ignition.go
pkg/asset/agent/image/unconfigured_ignition.go
pkg/types/validation/installconfig_test.go
pkg/types/installconfig.go
pkg/asset/machines/machineconfig/hyperthreading.go
pkg/asset/agent/image/ignition.go
pkg/asset/machines/machineconfig/ipv6.go
pkg/asset/machines/machineconfig/disks.go
pkg/infrastructure/clusterapi/ignition.go

coderabbitai · 2026-03-16T05:01:49Z

go.mod

+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217
+	google.golang.org/grpc v1.78.0


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash set -euo pipefail echo "== genproto entries in go.mod ==" rg -n 'google\.golang\.org/genproto($|/googleapis/(api|rpc))' go.mod echo echo "== Imports that may pull these modules ==" rg -n --type go 'google\.golang\.org/genproto($|/googleapis/(api|rpc))' -g '!vendor/**' echo echo "== Related grpc/api pins in go.mod (for compatibility review) ==" rg -n 'google\.golang\.org/(grpc|api|protobuf)' go.mod

Repository: openshift/installer

Length of output: 43246

Resolve version skew for google.golang.org/genproto submodules to prevent mod-graph instability.

google.golang.org/genproto/googleapis/api and google.golang.org/genproto/googleapis/rpc are pinned to different pseudo-versions (~20 days apart: 20251202 vs 20251222). Both modules are pulled as transitive dependencies via imports in multiple packages (grpc, cel-go, protobuf generated code, etc.). Verify this skew is intentional and aligns with upstream compatibility; otherwise normalize to the same version to prevent go mod tidy churn and ambiguous module resolution.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 113 - 114, The go.mod currently pins google.golang.org/genproto/googleapis/api and google.golang.org/genproto/googleapis/rpc to different pseudo-versions causing mod-graph instability; normalize them to the same pseudo-version (prefer the newer commit, e.g., align api to the rpc commit or vice‑versa) so both google.golang.org/genproto/googleapis/api and google.golang.org/genproto/googleapis/rpc reference the identical version, then run go mod tidy and verify with go mod graph/go list -m all that no conflicting transitive versions remain.

coderabbitai · 2026-03-16T05:01:49Z

pkg/types/validation/installconfig.go

+	if cc.IgnitionClevisPinTrustee == "" {
+		allErrs = append(allErrs, field.Required(fldPath.Child("ignitionClevisPinTrustee"), "ignitionClevisPinTrustee is required if confidentialCluster is set"))
+	} else {
+		// TODO: restrict to "https" only once TLS is supported by the Trustee operator
+		// (tracked in https://github.com/trusted-execution-clusters/operator/pull/196)
+		allErrs = append(allErrs, validateURI(cc.IgnitionClevisPinTrustee, fldPath.Child("ignitionClevisPinTrustee"), []string{"http", "https"})...)


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, check the file structure git ls-files | grep -E "(validation/installconfig|ignition)" | head -20

Repository: openshift/installer

Length of output: 1781

🏁 Script executed:

# Read the specific lines mentioned in the review comment head -1930 pkg/types/validation/installconfig.go | tail -50 | cat -n

Repository: openshift/installer

Length of output: 2547

🏁 Script executed:

# Check the entire validateConfidentialCluster function rg -A 30 "func validateConfidentialCluster" pkg/types/validation/installconfig.go

Repository: openshift/installer

Length of output: 1092

🏁 Script executed:

# Check for trustee CA related code in ignition bootstrap rg "trustee" pkg/asset/ignition/bootstrap/common.go -i -B 3 -A 3

Repository: openshift/installer

Length of output: 217

🏁 Script executed:

# Check for trustee CA related code in ignition machine rg "trustee" pkg/asset/ignition/machine/node.go -i -B 3 -A 3

Repository: openshift/installer

Length of output: 1030

🏁 Script executed:

# Check ConfidentialCluster type definition rg "type ConfidentialCluster" pkg/types/ -A 10

Repository: openshift/installer

Length of output: 834

🏁 Script executed:

# Search for Security.TLS.CertificateAuthorities or TLS.CertificateAuthorities references related to trustee rg "CertificateAuthorities|TLS" pkg/asset/ignition/ -i -B 3 -A 3 | head -100

Repository: openshift/installer

Length of output: 9013

🏁 Script executed:

# Search for any trustee-related CA or certificate handling in the entire codebase rg "trustee.*ca|trustee.*cert|trustee.*tls" pkg/ -i

Repository: openshift/installer

Length of output: 45

🏁 Script executed:

# Check if there's a ConfidentialClusterTrusteeCA or similar field rg "Trustee.*CA|TrusteeCA" pkg/types/ -B 2 -A 2

Repository: openshift/installer

Length of output: 45

🏁 Script executed:

# Look at the full ignition config generation to understand TLS handling rg -B 5 -A 15 "Ignition.Security.TLS.CertificateAuthorities" pkg/asset/ignition/machine/node.go

Repository: openshift/installer

Length of output: 45

🏁 Script executed:

# Search for all instances of CertificateAuthorities in the ignition asset generation rg "CertificateAuthorities" pkg/asset/ignition/ -B 5 -A 5

Repository: openshift/installer

Length of output: 1418

🏁 Script executed:

# Check the bootstrap ignition generation more carefully cat -n pkg/asset/ignition/bootstrap/bootstrap_ignition.go | grep -A 20 -B 5 "Security\|CertificateAuthorities"

Repository: openshift/installer

Length of output: 1467

🏁 Script executed:

# Check node.go machine generation cat -n pkg/asset/ignition/machine/node.go | grep -A 20 -B 5 "Security\|CertificateAuthorities"

Repository: openshift/installer

Length of output: 854

🏁 Script executed:

# Search for all code that adds to CertificateAuthorities rg -B 10 -A 5 "\.CertificateAuthorities\s*=" pkg/asset/ignition/

Repository: openshift/installer

Length of output: 45

🏁 Script executed:

# Get context around trustee merge addition in bootstrap/common.go rg -B 20 -A 10 "IgnitionClevisPinTrustee" pkg/asset/ignition/bootstrap/common.go

Repository: openshift/installer

Length of output: 844

🏁 Script executed:

# Check if trustee CA might be embedded or handled elsewhere rg -i "clevis|trustee" pkg/types/azure/ -B 3 -A 3

Repository: openshift/installer

Length of output: 45

🏁 Script executed:

# Verify if the rootCA passed to ignition includes trustee certs rg "rootCA\|RootCA" pkg/asset/ignition/machine/node.go -B 5 -A 5

Repository: openshift/installer

Length of output: 45

🏁 Script executed:

# Check if there's any trustee CA field in Azure types rg "type.*Azure|TrusteCA\|ClevisTrustee" pkg/types/azure/ -B 2 -A 10

Repository: openshift/installer

Length of output: 1053

🏁 Script executed:

# Search for any field or handling related to trustee and CA together rg "trustee" pkg/ -i -l | xargs rg "ca\|cert\|tls" -i -B 2 -A 2 | grep -i trustee

Repository: openshift/installer

Length of output: 45

🏁 Script executed:

# Check the full ConfidentialCluster struct definition cat -n pkg/types/installconfig.go | sed -n '/type ConfidentialCluster/,/^[0-9]*-}/p'

Repository: openshift/installer

Length of output: 674

🏁 Script executed:

# Verify the exact CertificateAuthorities assignments in machine/node.go sed -n '50,90p' pkg/asset/ignition/machine/node.go | cat -n

Repository: openshift/installer

Length of output: 1413

https trustee URLs aren't fully supported yet.

This accepts https, but the generated ignition only carries the root CA for the machine config server; it does not add trust material for the trustee endpoint. When IgnitionClevisPinTrustee uses a self-signed or private certificate, TLS verification will fail at boot time despite validation accepting the URL. Either restrict to http only until trustee CA support is added, or add a trustee CA field to ConfidentialCluster and wire it into Ignition.Security.TLS.CertificateAuthorities.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/types/validation/installconfig.go` around lines 1918 - 1923, The validation currently allows "https" for cc.IgnitionClevisPinTrustee via validateURI(..., []string{"http","https"}) even though trustee TLS CA is not provisioned; change the validation to only permit "http" for IgnitionClevisPinTrustee (remove "https" from validateURI) until trustee CA support is implemented, or alternatively extend the ConfidentialCluster API to add a trustee CA field (e.g. TrusteeCACert) and wire that into Ignition.Security.TLS.CertificateAuthorities so validateURI can keep permitting "https" and the CA can be injected into the generated Ignition config; update the code paths that reference cc.IgnitionClevisPinTrustee, validateURI, ConfidentialCluster, and Ignition.Security.TLS.CertificateAuthorities accordingly.

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (1)

data/data/install.openshift.io_installconfigs.yaml (1)

3110-3116: ⚠️ Potential issue | 🟠 Major

Constrain trustee URL in CRD to match runtime validation.

At Line 3116, ignitionClevisPinTrustee is only type: string, so invalid/empty values pass schema admission and fail later in install validation. Please enforce URI shape (and HTTP/S scheme) in the CRD to keep validation behavior consistent.

Suggested schema tightening

             properties:
               ignitionClevisPinTrustee:
                 description: |-
                   IgnitionClevisPinTrustee is the URL of the ignition configuration for LUKS encryption using Clevis. This ignition
                   configuration is used by bootstrap, master and worker nodes to encrypt and decrypt their root disk. It's served by
                   an external trustee server which performs remote attestation before returning the requested ignition config.
                   Example: http://10.73.210.28:8000/ignition-clevis-pin-trustee
+                format: uri
+                minLength: 1
+                pattern: ^https?://
                 type: string

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@data/data/install.openshift.io_installconfigs.yaml` around lines 3110 - 3116,
The CRD currently defines ignitionClevisPinTrustee only as type: string which
allows invalid/empty URLs to pass admission; update the schema for
ignitionClevisPinTrustee to enforce an HTTP/HTTPS URI shape (for example add
format: uri and/or a stricter pattern like ^https?://.+ and a minLength > 0) so
runtime validation aligns with CR validation; locate the
ignitionClevisPinTrustee entry in the installconfigs CRD and add the
format/pattern and minLength constraints to the property definition.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/ignition/machine/node.go`:
- Around line 91-107: The current filter in node.go removes merges by comparing
only u.Path to fmt.Sprintf("/config/%s", role), which can strip user-supplied
merges from other hosts; update the logic in the block that iterates
config.Ignition.Config.Merge to match the full expected MCS source instead
(e.g., compare the full URL string or both u.Host and u.Path) before skipping
append, or alternatively add an expectedSource parameter and compare
*merge.Source == expectedSource; ensure you reference the same symbols
(config.Ignition.Config.Merge, merge.Source, role) and only drop the merge when
the host+path (or full URL) exactly equals the installer-generated MCS URL.

---

Duplicate comments:
In `@data/data/install.openshift.io_installconfigs.yaml`:
- Around line 3110-3116: The CRD currently defines ignitionClevisPinTrustee only
as type: string which allows invalid/empty URLs to pass admission; update the
schema for ignitionClevisPinTrustee to enforce an HTTP/HTTPS URI shape (for
example add format: uri and/or a stricter pattern like ^https?://.+ and a
minLength > 0) so runtime validation aligns with CR validation; locate the
ignitionClevisPinTrustee entry in the installconfigs CRD and add the
format/pattern and minLength constraints to the property definition.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0ace1c7c-4ba2-4fad-ac9a-5451b8a974cd

📥 Commits

Reviewing files that changed from the base of the PR and between 2c1e578 and 36cd074.

⛔ Files ignored due to path filters (261)

go.sum is excluded by !**/*.sum
vendor/cloud.google.com/go/.release-please-manifest-individual.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/.release-please-manifest-submodules.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/.release-please-manifest.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/README.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/auth/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/go.work is excluded by !**/*.work, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/go.work.sum is excluded by !**/*.sum, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_admin_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/autokey_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/ekm_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/key_management_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/resources.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/apiv1/kmspb/service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/kms/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/autogen/helpers.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/longrunning/autogen/operations_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/release-please-config-individual.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/release-please-config-yoshi-submodules.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/.repo-metadata.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/bucket.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/contexts.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/copy.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/emulator_test.sh is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_reader.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_reader_multi_range.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/grpc_writer.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/http_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/.repo-metadata.json is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storage_client.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/internal/version.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/pcu.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/reader.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/cloud.google.com/go/storage/writer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/internal/exported/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/metric.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/option.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric/version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping/resourcemapping.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/udpa/type/v1/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/raid.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/resource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/schema.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/systemd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tang.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/tls.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/unit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/url.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_3/types/verification.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/raid.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/resource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/schema.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/systemd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tang.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/tls.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/unit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/url.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_4/types/verification.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/cex.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/raid.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/resource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/schema.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/storage.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/systemd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tang.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/tls.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/unit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/url.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_5/types/verification.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/translate/translate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/cex.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/clevis.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/device.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/disk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/filesystem.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/headers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/ignition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/kargs.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/luks.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/mode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/partition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/passwd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/path.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/coreos/ignition/v2/config/v3_6/types/proxy.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (39)

data/data/install.openshift.io_installconfigs.yaml
go.mod
pkg/asset/agent/image/ignition.go
pkg/asset/agent/image/ignition_test.go
pkg/asset/agent/image/unconfigured_ignition.go
pkg/asset/agent/joiner/clusterinfo.go
pkg/asset/agent/joiner/clusterinfo_test.go
pkg/asset/cluster/tfvars/tfvars.go
pkg/asset/ignition/bootstrap/bootstrap_ignition.go
pkg/asset/ignition/bootstrap/bootstrap_ignition_test.go
pkg/asset/ignition/bootstrap/common.go
pkg/asset/ignition/bootstrap/ibmcloud/storage.go
pkg/asset/ignition/machine/arbiter.go
pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go
pkg/asset/ignition/machine/master.go
pkg/asset/ignition/machine/node.go
pkg/asset/ignition/machine/worker.go
pkg/asset/ignition/node.go
pkg/asset/imagebased/image/ignition.go
pkg/asset/imagebased/image/ignition_test.go
pkg/asset/machines/machineconfig/authorizedkeys.go
pkg/asset/machines/machineconfig/chrony.go
pkg/asset/machines/machineconfig/disks.go
pkg/asset/machines/machineconfig/disks_test.go
pkg/asset/machines/machineconfig/fips.go
pkg/asset/machines/machineconfig/hyperthreading.go
pkg/asset/machines/machineconfig/ipv6.go
pkg/asset/machines/machineconfig/multipath.go
pkg/asset/machines/machineconfig/powersmt.go
pkg/asset/machines/machineconfig/routes.go
pkg/infrastructure/baremetal/bootstrap.go
pkg/infrastructure/clusterapi/helpers.go
pkg/infrastructure/clusterapi/ignition.go
pkg/infrastructure/openstack/preprovision/bootstrapignition.go
pkg/types/installconfig.go
pkg/types/nutanix/helpers.go
pkg/types/validation/installconfig.go
pkg/types/validation/installconfig_test.go
pkg/types/zz_generated.deepcopy.go

✅ Files skipped from review due to trivial changes (1)

pkg/asset/machines/machineconfig/multipath.go

🚧 Files skipped from review as they are similar to previous changes (13)

pkg/asset/machines/machineconfig/authorizedkeys.go
pkg/asset/imagebased/image/ignition_test.go
pkg/asset/machines/machineconfig/routes.go
pkg/asset/agent/image/ignition_test.go
pkg/infrastructure/openstack/preprovision/bootstrapignition.go
pkg/asset/machines/machineconfig/disks_test.go
pkg/asset/ignition/machine/worker.go
pkg/asset/machines/machineconfig/chrony.go
pkg/asset/machines/machineconfig/ipv6.go
pkg/types/validation/installconfig_test.go
pkg/asset/machines/machineconfig/disks.go
pkg/asset/machines/machineconfig/powersmt.go
pkg/asset/imagebased/image/ignition.go

pkg/asset/ignition/machine/node.go

rna-afk · 2026-03-19T14:11:08Z

pkg/asset/ignition/machine/node.go

 		}
 	}
-	return &igntypes.Config{
+	var config = &igntypes.Config{


minor nit: Probably want to use config := for uniformity but not really an issue.

rna-afk · 2026-03-19T14:53:22Z

Looks like this PR missed two spots with the ignition version change from 3.2 to 3.6

AWSmachines file

clusterapi file

Do we want to change these too? I reckon we do.

Also, there is a lot of hardcoded versions in tests too. Might want to address that in the other PR and have it merged there. Otherwise, this looks good.

openshift-ci-robot · 2026-03-20T08:38:16Z

@fangge1212: No Jira issue with key OCPSTART-2713 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary

With ConfidentialCluster, users can configure an external server
url to retrieve the ignition config for all the nodes including
bootstrap, master and worker.

Dependencies

OCPSTRAT-2713: Bump ignition from 3.2 to 3.6 #10392

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-03-20T08:48:44Z

@fangge1212: This pull request references OCPSTRAT-2713 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the feature to target either version "4.22." or "openshift-4.22.", but it targets "openshift-5.0" instead.

Details

In response to this:

Summary

With ConfidentialCluster, users can configure an external server
url to retrieve the ignition config for all the nodes including
bootstrap, master and worker.

Dependencies

OCPSTRAT-2713: Bump ignition from 3.2 to 3.6 #10392

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

The latest ignition contains the API addtion to deploy confidential clusters. Signed-off-by: Alice Frosi <afrosi@redhat.com> Signed-off-by: Fangge Jin <fjin@redhat.com>

With ConfidentialCluster, users can configure an external server url to retrieve the ignition config for all the nodes including bootstrap, master and worker. The external server will perform remote attestation before returning the requested ignition config. Signed-off-by: Alice Frosi <afrosi@redhat.com> Signed-off-by: Fangge Jin <fjin@redhat.com>

openshift-ci · 2026-03-20T09:07:29Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign stephenfin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2026-03-20T12:18:16Z

@fangge1212: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn-shared-vpc	`9fe5982`	link	false	`/test e2e-azure-ovn-shared-vpc`
ci/prow/e2e-metal-ipi-ovn-virtualmedia	`9fe5982`	link	false	`/test e2e-metal-ipi-ovn-virtualmedia`
ci/prow/e2e-aws-ovn-heterogeneous	`9fe5982`	link	false	`/test e2e-aws-ovn-heterogeneous`
ci/prow/e2e-aws-ovn-single-node	`9fe5982`	link	false	`/test e2e-aws-ovn-single-node`
ci/prow/e2e-agent-sno-ipv4-pxe	`9fe5982`	link	false	`/test e2e-agent-sno-ipv4-pxe`
ci/prow/e2e-agent-compact-ipv4-iso-no-registry	`9fe5982`	link	false	`/test e2e-agent-compact-ipv4-iso-no-registry`
ci/prow/gcp-private	`9fe5982`	link	false	`/test gcp-private`
ci/prow/e2e-gcp-custom-endpoints	`9fe5982`	link	false	`/test e2e-gcp-custom-endpoints`
ci/prow/e2e-agent-compact-ipv4	`9fe5982`	link	true	`/test e2e-agent-compact-ipv4`
ci/prow/aws-private	`9fe5982`	link	false	`/test aws-private`
ci/prow/e2e-metal-ipi-ovn-swapped-hosts	`9fe5982`	link	false	`/test e2e-metal-ipi-ovn-swapped-hosts`
ci/prow/e2e-azure-ovn	`9fe5982`	link	true	`/test e2e-azure-ovn`
ci/prow/e2e-aws-ovn-shared-vpc-custom-security-groups	`9fe5982`	link	false	`/test e2e-aws-ovn-shared-vpc-custom-security-groups`
ci/prow/e2e-nutanix-ovn	`9fe5982`	link	false	`/test e2e-nutanix-ovn`
ci/prow/e2e-metal-ipi-ovn-dualstack	`9fe5982`	link	false	`/test e2e-metal-ipi-ovn-dualstack`
ci/prow/e2e-metal-ipi-ovn-ipv6	`9fe5982`	link	true	`/test e2e-metal-ipi-ovn-ipv6`
ci/prow/e2e-aws-ovn-imdsv2	`9fe5982`	link	false	`/test e2e-aws-ovn-imdsv2`
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones	`9fe5982`	link	false	`/test e2e-aws-ovn-shared-vpc-edge-zones`
ci/prow/e2e-agent-sno-ipv6	`9fe5982`	link	false	`/test e2e-agent-sno-ipv6`
ci/prow/e2e-openstack-nfv-intel	`9fe5982`	link	false	`/test e2e-openstack-nfv-intel`
ci/prow/e2e-aws-ovn-edge-zones	`9fe5982`	link	false	`/test e2e-aws-ovn-edge-zones`
ci/prow/e2e-agent-ha-dualstack	`9fe5982`	link	false	`/test e2e-agent-ha-dualstack`
ci/prow/e2e-aws-default-config	`9fe5982`	link	false	`/test e2e-aws-default-config`
ci/prow/e2e-gcp-ovn	`9fe5982`	link	true	`/test e2e-gcp-ovn`
ci/prow/e2e-metal-single-node-live-iso	`9fe5982`	link	false	`/test e2e-metal-single-node-live-iso`
ci/prow/e2e-metal-ovn-two-node-arbiter	`9fe5982`	link	false	`/test e2e-metal-ovn-two-node-arbiter`
ci/prow/e2e-metal-ipi-ovn	`9fe5982`	link	false	`/test e2e-metal-ipi-ovn`
ci/prow/e2e-azurestack	`9fe5982`	link	false	`/test e2e-azurestack`
ci/prow/e2e-openstack-proxy	`9fe5982`	link	false	`/test e2e-openstack-proxy`
ci/prow/e2e-openstack-ovn	`9fe5982`	link	true	`/test e2e-openstack-ovn`
ci/prow/e2e-azure-default-config	`9fe5982`	link	false	`/test e2e-azure-default-config`
ci/prow/e2e-gcp-custom-dns	`9fe5982`	link	false	`/test e2e-gcp-custom-dns`
ci/prow/e2e-agent-compact-ipv4-none-platform	`9fe5982`	link	false	`/test e2e-agent-compact-ipv4-none-platform`
ci/prow/e2e-agent-compact-ipv4-appliance-diskimage	`9fe5982`	link	false	`/test e2e-agent-compact-ipv4-appliance-diskimage`
ci/prow/e2e-gcp-ovn-xpn	`9fe5982`	link	false	`/test e2e-gcp-ovn-xpn`
ci/prow/e2e-agent-4control-ipv4	`9fe5982`	link	false	`/test e2e-agent-4control-ipv4`
ci/prow/e2e-agent-two-node-fencing-ipv4	`9fe5982`	link	false	`/test e2e-agent-two-node-fencing-ipv4`
ci/prow/e2e-metal-ovn-two-node-fencing	`9fe5982`	link	false	`/test e2e-metal-ovn-two-node-fencing`
ci/prow/unit	`9fe5982`	link	true	`/test unit`
ci/prow/e2e-aws-byo-subnet-role-security-groups	`9fe5982`	link	false	`/test e2e-aws-byo-subnet-role-security-groups`
ci/prow/e2e-agent-compact-ipv6-minimaliso	`9fe5982`	link	false	`/test e2e-agent-compact-ipv6-minimaliso`
ci/prow/e2e-gcp-ovn-byo-vpc	`9fe5982`	link	false	`/test e2e-gcp-ovn-byo-vpc`
ci/prow/gcp-custom-endpoints-proxy-wif	`9fe5982`	link	false	`/test gcp-custom-endpoints-proxy-wif`
ci/prow/e2e-aws-ovn	`9fe5982`	link	true	`/test e2e-aws-ovn`
ci/prow/e2e-gcp-secureboot	`9fe5982`	link	false	`/test e2e-gcp-secureboot`
ci/prow/e2e-agent-5control-ipv4	`9fe5982`	link	false	`/test e2e-agent-5control-ipv4`
ci/prow/e2e-metal-assisted	`9fe5982`	link	false	`/test e2e-metal-assisted`
ci/prow/e2e-aws-ovn-fips	`9fe5982`	link	false	`/test e2e-aws-ovn-fips`
ci/prow/e2e-gcp-default-config	`9fe5982`	link	false	`/test e2e-gcp-default-config`
ci/prow/azure-ovn-marketplace-images	`9fe5982`	link	false	`/test azure-ovn-marketplace-images`
ci/prow/e2e-gcp-xpn-dedicated-dns-project	`9fe5982`	link	false	`/test e2e-gcp-xpn-dedicated-dns-project`
ci/prow/azure-private	`9fe5982`	link	false	`/test azure-private`
ci/prow/e2e-ibmcloud-ovn	`9fe5982`	link	false	`/test e2e-ibmcloud-ovn`
ci/prow/e2e-gcp-xpn-custom-dns	`9fe5982`	link	false	`/test e2e-gcp-xpn-custom-dns`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci bot requested review from bfournie and eranco74 March 12, 2026 13:29

coderabbitai bot reviewed Mar 12, 2026

View reviewed changes

data/data/install.openshift.io_installconfigs.yaml Show resolved Hide resolved

pkg/asset/ignition/machine/node.go Show resolved Hide resolved

pkg/asset/imagebased/image/ignition.go Outdated Show resolved Hide resolved

pkg/types/validation/installconfig.go Show resolved Hide resolved

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 13, 2026

coderabbitai bot reviewed Mar 13, 2026

View reviewed changes

fangge1212 force-pushed the confidential_cluster_config_2 branch from 3688806 to bd2a1af Compare March 13, 2026 12:16

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 13, 2026

coderabbitai bot reviewed Mar 13, 2026

View reviewed changes

pkg/types/validation/installconfig_test.go Outdated Show resolved Hide resolved

fangge1212 force-pushed the confidential_cluster_config_2 branch from bd2a1af to 2c1e578 Compare March 16, 2026 04:51

coderabbitai bot reviewed Mar 16, 2026

View reviewed changes

fangge1212 force-pushed the confidential_cluster_config_2 branch from 2c1e578 to 36cd074 Compare March 16, 2026 08:05

coderabbitai bot reviewed Mar 16, 2026

View reviewed changes

pkg/asset/ignition/machine/node.go Outdated Show resolved Hide resolved

fangge1212 force-pushed the confidential_cluster_config_2 branch 4 times, most recently from 4966326 to ff5511c Compare March 16, 2026 10:08

rna-afk reviewed Mar 19, 2026

View reviewed changes

fangge1212 changed the title ~~Add ConfidentialCluster to InstallConfig~~ OCPSTART-2713: Add ConfidentialCluster to InstallConfig Mar 20, 2026

fangge1212 changed the title ~~OCPSTART-2713: Add ConfidentialCluster to InstallConfig~~ OCPSTRAT-2713: Add ConfidentialCluster to InstallConfig Mar 20, 2026

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 20, 2026

fangge1212 added 2 commits March 20, 2026 05:03

Bump ignition from 3.2 to 3.6

0889fd9

The latest ignition contains the API addtion to deploy confidential clusters. Signed-off-by: Alice Frosi <afrosi@redhat.com> Signed-off-by: Fangge Jin <fjin@redhat.com>

fangge1212 force-pushed the confidential_cluster_config_2 branch from ff5511c to 9fe5982 Compare March 20, 2026 09:04

		google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217
		google.golang.org/grpc v1.78.0

Conversation

fangge1212 commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Dependencies

Uh oh!

coderabbitai bot commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning, 1 inconclusive)

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 16, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 16, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

rna-afk Mar 19, 2026

Choose a reason for hiding this comment

Uh oh!

rna-afk commented Mar 19, 2026

Uh oh!

openshift-ci-robot commented Mar 20, 2026

Summary

Dependencies

Uh oh!

openshift-ci-robot commented Mar 20, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Dependencies

Uh oh!

openshift-ci bot commented Mar 20, 2026

Uh oh!

openshift-ci bot commented Mar 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

fangge1212 commented Mar 12, 2026 •

edited

Loading

coderabbitai bot commented Mar 12, 2026 •

edited

Loading

openshift-ci-robot commented Mar 20, 2026 •

edited by openshift-ci bot

Loading