
Bug 86417: installer: sync MAPI master machine edits to CAPI AWSMachine manifests #10568

Open: chdeshpa-hue wants to merge 1 commit into openshift:release-4.22 from chdeshpa-hue:build-fix-86417

@chdeshpa-hue

Summary

  • Adds a MasterMAPISync asset that detects drift between MAPI master machine manifests (openshift/) and CAPI AWSMachine manifests (cluster-api/machines/) during create cluster
  • When drift is detected: emits a per-field warning and syncs MAPI values → CAPI objects before infrastructure provisioning begins
  • Fixes silent misconfiguration where users edit openshift/ master manifests after create manifests but edits are ignored because CAPI machines are provisioned from cluster-api/machines/

Bug

https://redhat.atlassian.net/browse/OCPBUGS-86417

Changes

| File | Change |
| --- | --- |
| pkg/asset/machines/mastermapisync.go | New: MasterMAPISync asset — compares MAPI and CAPI master specs, warns on drift, syncs fields |
| pkg/asset/machines/mastermapisync_test.go | New: 10 unit tests covering no-drift, per-field drift, multi-field drift, helpers |
| pkg/asset/cluster/cluster.go | Add &machines.MasterMAPISync{} to Cluster.Dependencies() |

How it works

                    install-config.yaml
                     /              \
                    v                v
          machines.Master      machines.ClusterAPI
          (openshift/)         (cluster-api/machines/)
               \                      /
                v                    v
            MasterMAPISync
            (compare + sync MAPI → CAPI)
                        |
                        v
                cluster.Cluster → Provision()

The MasterMAPISync asset:

  1. Depends on InstallConfig, Master, and ClusterAPI
  2. Gates on CAPI-enabled + AWS platform (no-op otherwise)
  3. Extracts AWSMachineProviderConfig from each MAPI machine
  4. Matches to corresponding AWSMachine in CAPI by name/index
  5. Compares each provisioning-relevant field
  6. On drift: logs per-field warning, syncs MAPI value → CAPI object, re-serializes

Fields synced: instanceType, AMI, rootVolume (size/type/IOPS/throughput/encryptionKey), IAM instance profile, IMDS httpTokens, confidentialCompute, publicIP, subnet (ID or filters).

Platform scope: AWS only. Follow-up PRs extend to GCP/Azure.

Test plan

  • Unit tests pass (10/10): go test ./pkg/asset/machines/ -run "TestSyncAWSFields|TestIndexAWSMachines|TestFindAWSMachine"
  • E2E: fresh install on AWS eu-north-1 with MAPI edits (instanceType m6i.4xlarge, vol 200 io2, iops 5000, IMDS Required) — all synced correctly to EC2
  • Control: 3 clusters on unpatched 4.22 confirmed MAPI edits are silently ignored
  • CI: e2e-aws

Workaround (for unpatched versions)

Set values in install-config.yaml before create manifests, or after create manifests edit both openshift/ and cluster-api/machines/ manifests.

Made with Cursor

…ne manifests

On AWS 4.22+ (CAPI-based IPI), control plane EC2 instances are provisioned
from cluster-api/machines/ AWSMachine objects, not from MAPI Machine objects
in openshift/. The two asset generators (machines.Master and machines.ClusterAPI)
are independent siblings — neither depends on the other. Users who edit
openshift/ master manifests after "create manifests" but before "create cluster"
experience silent misconfiguration: their edits are ignored and masters are
provisioned with defaults.

This adds a MasterMAPISync asset that:
1. Compares provisioning-relevant fields between MAPI and CAPI master machines
2. Warns on detected drift with per-field detail
3. Syncs MAPI values to CAPI objects before infrastructure provisioning

Fields synced: instanceType, AMI, rootVolume (size/type/IOPS/throughput/
encryptionKey), IAM instance profile, IMDS httpTokens, confidentialCompute,
publicIP, subnet (ID or filters).

Platform scope: AWS only. Follow-up PRs will extend to GCP/Azure.

Co-authored-by: Cursor <cursoragent@cursor.com>
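
The compare, warn and sync step described in the PR description and commit message above, as an added example that is not code from this PR or from the installer. `MasterSpec` and `SyncMasters` are hypothetical, flattened stand-ins for the nested MAPI and CAPI objects, and the sample values are constructed; the fields shown include IMDS httpTokens and the root volume encryption key, where a silently ignored edit means a hardening setting never reaches EC2.

```go
package main

import "fmt"

// MasterSpec is a hypothetical, flattened stand-in for the provisioning
// fields the PR lists; the real MAPI and CAPI manifests are nested objects.
type MasterSpec struct {
	Name          string
	InstanceType  string
	RootVolumeGiB int64
	EncryptionKey string // KMS key for the root volume
	HTTPTokens    string // IMDS setting: "required" or "optional"
}

// SyncMasters matches machines by name, returns one warning per drifted
// field, and overwrites the CAPI value with the MAPI value in place.
func SyncMasters(mapi, capi []MasterSpec) []string {
	byName := make(map[string]*MasterSpec, len(capi))
	for i := range capi {
		byName[capi[i].Name] = &capi[i]
	}
	var warnings []string
	for _, m := range mapi {
		c, ok := byName[m.Name]
		if !ok { // never sync onto a machine that was not matched
			warnings = append(warnings, m.Name+": no matching CAPI machine")
			continue
		}
		sync := func(field string, got, want any, apply func()) {
			if got != want {
				warnings = append(warnings, fmt.Sprintf(
					"%s: %s drift, CAPI=%v replaced by MAPI=%v", m.Name, field, got, want))
				apply()
			}
		}
		sync("instanceType", c.InstanceType, m.InstanceType, func() { c.InstanceType = m.InstanceType })
		sync("rootVolume.size", c.RootVolumeGiB, m.RootVolumeGiB, func() { c.RootVolumeGiB = m.RootVolumeGiB })
		sync("rootVolume.encryptionKey", c.EncryptionKey, m.EncryptionKey, func() { c.EncryptionKey = m.EncryptionKey })
		sync("httpTokens", c.HTTPTokens, m.HTTPTokens, func() { c.HTTPTokens = m.HTTPTokens })
	}
	return warnings
}

func main() {
	// Constructed sample: the user hardened IMDS and resized the volume in openshift/.
	mapi := []MasterSpec{{Name: "master-0", InstanceType: "m6i.4xlarge", RootVolumeGiB: 200, HTTPTokens: "required"}}
	capi := []MasterSpec{{Name: "master-0", InstanceType: "m6i.4xlarge", RootVolumeGiB: 120, HTTPTokens: "optional"}}
	for _, w := range SyncMasters(mapi, capi) {
		fmt.Println("WARNING:", w)
	}
}
```
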
@coderabbitai

coderabbitai Bot commented May 22, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5d9c276f-fbfa-465c-bea7-17b0a8338994

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 22, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 22, 2026

Hi @chdeshpa-hue. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot requested review from rwsu and tthvo May 22, 2026 11:20
@openshift-ci
Contributor

openshift-ci Bot commented May 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign stephenfin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
