Merge https://github.com/kubernetes-sigs/cluster-api:v1.13.1 (16d0a65) into master#288

Open
cloud-team-rebase-bot[bot] wants to merge 601 commits into openshift:master from openshift-cloud-team:rebase-bot-master

@cloud-team-rebase-bot cloud-team-rebase-bot Bot commented Apr 30, 2026

Summary by CodeRabbit

  • New Features

    • Node taint propagation and management
    • Disk partition layout customization for machine bootstrap
    • ClusterClass upgrade configuration and extensibility
    • MachineHealthCheck: unhealthy-condition rules
    • Topology rollout timing controls
    • Configurable certificate encryption algorithm support
  • Bug Fixes

    • Improved certificate validity/rotation handling
    • Reduced noisy control-plane init logging
  • Documentation

    • Updated many release notes (v1.10.9→v1.13.0) and contributing link
  • Chores

    • Tooling/version bumps, CRD cleanup (removed deprecated alpha versions), CI/workflow updates

k8s-ci-robot and others added 30 commits February 24, 2026 11:33
…bot/go_modules/sigs.k8s.io/structured-merge-diff/v6-6.3.2

🌱 Bump sigs.k8s.io/structured-merge-diff/v6 from 6.3.2-0.20260122202528-d9cc6641c482 to 6.3.2
Signed-off-by: Stefan Büringer buringerst@vmware.com
…/sdk pkg) (kubernetes-sigs#13372)

* GO-2026-4394: CVE fix for go.opentelemetry.io/otel/sdk pkg

Signed-off-by: Adarsh Agrawal <adarsh.agrawal1@ibm.com>

* Updating otlp pkgs to latest

Signed-off-by: Adarsh Agrawal <adarsh.agrawal1@ibm.com>

* Updating remaining opentelemetry pkg

Signed-off-by: Adarsh Agrawal <adarsh.agrawal1@ibm.com>

---------

Signed-off-by: Adarsh Agrawal <adarsh.agrawal1@ibm.com>
…-limiting-beta

✨ Promote ReconcileRateLimiting to beta (enabled per default)
…toscaler-v1.35.0

🌱 Bump autoscaler version used for testing to v1.35.0
Signed-off-by: Troy Connor <troy0820@users.noreply.github.com>
…e-cert-manager-1.19.4

 🌱 Bump cert-manager v1.19.4
Signed-off-by: Stefan Büringer buringerst@vmware.com
…panic

🐛 Fix panic in Cluster conversion
Signed-off-by: Stefan Büringer buringerst@vmware.com
🐛 e2e: only retry creating objects that failed
Signed-off-by: Stefan Büringer buringerst@vmware.com
🌱 Bump golang.org/x/net to v0.51 to fix CVE
Signed-off-by: Stefan Büringer buringerst@vmware.com
…rbosity

🌱 Remove stack traces from ClusterCache errors
Bumps the all-github-actions group with 1 update: [actions/setup-go](https://github.com/actions/setup-go).


Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
… 8 updates

Bumps the all-go-mod-patch-and-minor group with 3 updates in the / directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) and [k8s.io/cluster-bootstrap](https://github.com/kubernetes/cluster-bootstrap).
Bumps the all-go-mod-patch-and-minor group with 3 updates in the /hack/tools directory: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client).
Bumps the all-go-mod-patch-and-minor group with 2 updates in the /test directory: [k8s.io/api](https://github.com/kubernetes/api) and [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver).


Updates `k8s.io/api` from 0.35.1 to 0.35.2
- [Commits](kubernetes/api@v0.35.1...v0.35.2)

Updates `k8s.io/apiextensions-apiserver` from 0.35.1 to 0.35.2
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.35.1...v0.35.2)

Updates `k8s.io/apimachinery` from 0.35.1 to 0.35.2
- [Commits](kubernetes/apimachinery@v0.35.1...v0.35.2)

Updates `k8s.io/apiserver` from 0.35.1 to 0.35.2
- [Commits](kubernetes/apiserver@v0.35.1...v0.35.2)

Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.1...v0.35.2)

Updates `k8s.io/cluster-bootstrap` from 0.35.1 to 0.35.2
- [Commits](kubernetes/cluster-bootstrap@v0.35.1...v0.35.2)

Updates `k8s.io/component-base` from 0.35.1 to 0.35.2
- [Commits](kubernetes/component-base@v0.35.1...v0.35.2)

Updates `k8s.io/api` from 0.35.1 to 0.35.2
- [Commits](kubernetes/api@v0.35.1...v0.35.2)

Updates `k8s.io/apiextensions-apiserver` from 0.35.1 to 0.35.2
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.35.1...v0.35.2)

Updates `k8s.io/apimachinery` from 0.35.1 to 0.35.2
- [Commits](kubernetes/apimachinery@v0.35.1...v0.35.2)

Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.1...v0.35.2)

Updates `google.golang.org/api` from 0.268.0 to 0.269.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.268.0...v0.269.0)

Updates `k8s.io/api` from 0.35.1 to 0.35.2
- [Commits](kubernetes/api@v0.35.1...v0.35.2)

Updates `k8s.io/apiextensions-apiserver` from 0.35.1 to 0.35.2
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](kubernetes/apiextensions-apiserver@v0.35.1...v0.35.2)

Updates `k8s.io/apimachinery` from 0.35.1 to 0.35.2
- [Commits](kubernetes/apimachinery@v0.35.1...v0.35.2)

Updates `k8s.io/apiserver` from 0.35.1 to 0.35.2
- [Commits](kubernetes/apiserver@v0.35.1...v0.35.2)

Updates `k8s.io/client-go` from 0.35.1 to 0.35.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.1...v0.35.2)

Updates `k8s.io/component-base` from 0.35.1 to 0.35.2
- [Commits](kubernetes/component-base@v0.35.1...v0.35.2)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apiserver
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/cluster-bootstrap
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/component-base
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/api
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: google.golang.org/api
  dependency-version: 0.269.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/api
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/apiserver
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/client-go
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
- dependency-name: k8s.io/component-base
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-go-mod-patch-and-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…bot/github_actions/all-github-actions-2c6e677ddc

🌱 Bump actions/setup-go from 6.2.0 to 6.3.0 in the all-github-actions group
…bot/go_modules/all-go-mod-patch-and-minor-2fc94a814f

🌱 Bump the all-go-mod-patch-and-minor group across 3 directories with 8 updates
…es-status-addresses-even-further

🌱  api: relax validation for Machine .status.addresses to maximum of 256 instead of 128 items
* Postpone date when we stop serving v1beta1

* Address comments
Signed-off-by: Stefan Büringer buringerst@vmware.com
* Add rolloutAfter to cluster.spec.topology

* Address comments
…eout-unset

🌱 Avoid unsetting nodeDeletionTimeoutSeconds during Machine deletion
apiserver

Signed-off-by: Stefan Büringer buringerst@vmware.com
Signed-off-by: Stefan Büringer buringerst@vmware.com
@openshift-ci openshift-ci Bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 30, 2026
Member

damdo commented Apr 30, 2026

/retest

@cloud-team-bot cloud-team-bot Bot force-pushed the rebase-bot-master branch from b87308b to 5c92e88 on May 4, 2026 13:09

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesetbindings.yaml (1)

18-237: ⚠️ Potential issue | 🟠 Major

Verify that v1alpha3 and v1alpha4 were safely migrated before removing them from spec.versions.

This change removes v1alpha3 and v1alpha4 from the CRD versions. According to Kubernetes CRD versioning requirements, a version cannot be safely removed from spec.versions while it still appears in the live cluster's status.storedVersions. Before removing these versions, confirm that:

  1. All existing ClusterResourceSetBinding objects stored in these versions have been migrated to the new storage version (v1beta2)
  2. v1alpha3 and v1alpha4 have been removed from the CRD's status.storedVersions on all affected clusters

If this migration was not completed before applying this manifest, the CRD update will fail on upgraded clusters.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesetbindings.yaml`
around lines 18 - 237, The CRD removal of v1alpha3 and v1alpha4 from
spec.versions for ClusterResourceSetBinding can fail if stored objects still
exist in those versions; verify migration by ensuring all
ClusterResourceSetBinding objects previously stored as v1alpha3/v1alpha4 have
been migrated to the storage version v1beta2 and that v1alpha3 and v1alpha4 no
longer appear in the CRD's status.storedVersions on every cluster before
removing them from spec.versions; if you find remaining storedVersions or
resources, perform the Kubernetes CRD version migration (or re-add the versions
temporarily) so storedVersions is cleared, confirm spec.required and the v1beta2
schema supports the migrated objects, then remove v1alpha3/v1alpha4 from
spec.versions only after status.storedVersions no longer lists them.
api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go (1)

777-806: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reject contradictory layout/diskLayout combinations.

diskLayout adds a second way to define partition layout, but layout is still a required boolean on the same struct. As written, layout: false plus a non-empty diskLayout can still be admitted, so the boolean is effectively ignored by the renderer and the persisted spec becomes misleading. Please add schema/webhook validation requiring layout=true when diskLayout is set, or make the two fields conditionally exclusive.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go` around lines 777 - 806,
The Partition struct allows contradictory definitions (Layout bool vs DiskLayout
slice); add validation so DiskLayout may only be set when Layout is true.
Implement this by adding a kubebuilder XValidation on the Partition type (or
immediately above DiskLayout) such as an XValidation rule that enforces "if
diskLayout is present then layout == true" (e.g. rule like
"!has(self.diskLayout) || self.layout == true" with a clear message), or if you
prefer, implement an equivalent validating webhook that rejects Partition
entries where DiskLayout is non-empty but Layout is false; reference the
Partition struct and its fields Layout and DiskLayout when making the change.
controllers/clustercache/cluster_cache.go (1)

322-328: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Wire options.ClusterFilter into the cache instance.

Reconcile reads cc.clusterFilter, but this constructor never copies options.ClusterFilter into the struct, so the new filter is always nil and filtered clusters will still be connected.

Suggested fix
 	cc := &clusterCache{
 		client:                mgr.GetClient(),
 		clusterAccessorConfig: buildClusterAccessorConfig(mgr.GetScheme(), options, controllerPodMetadata),
 		clusterAccessors:      make(map[client.ObjectKey]*clusterAccessor),
 		cacheCtx:              cacheCtx,
 		cacheCtxCancel:        cacheCtxCancel,
+		clusterFilter:         options.ClusterFilter,
 	}
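Review bot: The added `clusterFilter: options.ClusterFilter` line at the end of the struct literal comes without a test, and the failure it fixes is silent: a nil filter means filtered clusters are still connected. Pair the one-line fix with a constructor-level test that passes a non-nil `options.ClusterFilter` and asserts the field is set on the returned cache, so the wiring cannot regress unnoticed on the next rebase.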
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@controllers/clustercache/cluster_cache.go` around lines 322 - 328, The
clusterCache constructor is not setting the clusterFilter field, so
cc.clusterFilter is nil when Reconcile reads it; update the struct literal that
creates the clusterCache (the cc := &clusterCache{...} block) to include
clusterFilter: options.ClusterFilter so the newly created clusterCache carries
the provided filter into Reconcile.
🧹 Nitpick comments (3)
CHANGELOG/v1.13.0-rc.0.md (3)

236-236: ⚡ Quick win

Maintain consistent spelling: use "Optimize" instead of "Optimise".

The document consistently uses American spelling "optimize" elsewhere (lines 65, 73, 82), but line 236 uses British spelling "Optimise." As per coding guidelines, maintain consistency within a single document.

📝 Suggested fix
-- util: Optimise patch calls (`#13367`)
+- util: Optimize patch calls (`#13367`)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG/v1.13.0-rc.0.md` at line 236, Change the British spelling
"Optimise" to American "Optimize" in the changelog entry "- util: Optimise patch
calls (`#13367`)" so it matches the document's existing use of "optimize"; update
the string exactly to "- util: Optimize patch calls (`#13367`)" in the
CHANGELOG/v1.13.0-rc.0.md content.

37-38: ⚡ Quick win

Fix subject-verb agreement.

"Provider" should be plural "Providers" to match the verb "should."

📝 Suggested fix
-    - Reminder: Provider should start implementing the v1beta2 contract ASAP.
+    - Reminder: Providers should start implementing the v1beta2 contract ASAP.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG/v1.13.0-rc.0.md` around lines 37 - 38, Change the noun in the
sentence "Reminder: Provider should start implementing the v1beta2 contract
ASAP." to plural so it agrees with the verb; replace "Provider" with "Providers"
in the CHANGELOG entry so the line reads "Reminder: Providers should start
implementing the v1beta2 contract ASAP."

13-13: ⚡ Quick win

Use singular "performance" instead of "performances".

In this technical context, "performance" is typically used as an uncountable noun.

📝 Suggested fix
-CAPI v1.13 is a release focused on stability, reliability and performances:
+CAPI v1.13 is a release focused on stability, reliability and performance:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG/v1.13.0-rc.0.md` at line 13, Replace the plural word "performances"
in the sentence "CAPI v1.13 is a release focused on stability, reliability and
performances:" with the uncountable singular "performance" so it reads "CAPI
v1.13 is a release focused on stability, reliability and performance:"; update
only that token in the line containing "stability, reliability and
performances".
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/weekly-security-scan.yaml:
- Line 16: The workflow's matrix branches list is invalid (it lists main and
release-1.*); update the branches array used in the weekly-security-scan
workflow so actions/checkout uses existing repo branches (replace "branch: [
main, release-1.12, release-1.11 ]" with a valid list such as "branch: [ master
]" or the actual release branch names), ensuring the matrix contains only real
branch names so the job runs successfully.

In `@api/controlplane/kubeadm/v1beta1/conversion.go`:
- Around line 420-427: The conversion functions are appending to destination
taint slices (e.g., out.Spec.Taints, out.Taints) without clearing them, causing
duplicates when objects are reused; change each conversion that iterates over
in.Taints (and the reverse/template variants) to allocate a slice of exact
length (len(in.Taints)), assign it to the destination (out.Spec.Taints =
make(..., len(in.Taints))), and populate entries by index using
clusterv1.MachineTaint{...} instead of append; apply the same pattern for all
occurrences noted (the blocks around the in.Taints iterations and their
reverse/template counterparts).

In `@api/runtime/hooks/v1alpha1/lifecyclehooks_types.go`:
- Around line 22-23: Revert the import change so the embedded Cluster schema in
the v1alpha1 hook contract remains the original core v1beta1 type: replace the
current import "sigs.k8s.io/cluster-api/api/core/v1beta2" used as clusterv1 with
the original "sigs.k8s.io/cluster-api/api/core/v1beta1" and ensure every struct
in this file that embeds or references clusterv1.Cluster (the v1alpha1 request
types) continues to use the v1beta1 shape; if you actually need v1beta2
semantics, instead create a new hook version (e.g., v1beta1 hook API) and
perform explicit conversion between versions rather than changing the v1alpha1
contract in-place.

In `@bootstrap/util/configowner_test.go`:
- Around line 66-68: The test currently discards the error returned by
clusterv1.AddToScheme, which can hide scheme registration failures; update both
places where runtime.NewScheme() and clusterv1.AddToScheme(...) are used to
capture the returned error (e.g., err := clusterv1.AddToScheme(scheme)) and
explicitly fail the test if err != nil (use t.Fatalf or a test assertion helper
like require.NoError) before building the fake client
(fake.NewClientBuilder().WithScheme(scheme)...), so any scheme registration
failure surfaces immediately.

In `@CHANGELOG/v1.13.0-rc.0.md`:
- Line 186: Replace the malformed changelog line "e2e: 0 in e2e tests" with a
clear, complete description for PR `#13429`: locate the entry referencing PR
`#13429` and update it to a concise sentence like "e2e: <brief summary of the
fix/feature introduced by PR `#13429`> (PR `#13429`)" so it explains what changed in
e2e tests and includes the PR number for traceability; confirm the wording
matches the PR title/description and preserves the changelog format.

In `@config/crd/bases/cluster.x-k8s.io_machines.yaml`:
- Around line 293-302: The spec.taints[].key schema currently allows a name
segment longer than 63 chars because maxLength: 317 was left without the
split-length enforcement; restore the original qualified-name validation by
updating the key schema (the pattern and length checks for spec.taints[].key) so
the optional DNS subdomain prefix is limited to 253 chars and the name segment
is limited to 63 chars (i.e. reinstate the regex that enforces the name segment
max 63 and prefix max 253 rather than relying only on a 317 overall max),
update/remove the incorrect maxLength if needed to match that regex, and then
regenerate the CRDs so the corrected validation is applied.

In `@controllers/clustercache/cluster_cache.go`:
- Around line 469-478: When a cluster is filtered out we currently disconnect
and delete the accessor (getClusterAccessor, accessor.Disconnect,
deleteClusterAccessor, cleanupClusterSourcesForCluster) then return early, which
prevents notifying consumers; move or add a call to
cc.sendEventsToClusterSources (or invoke the existing method that enqueues a
handled→filtered-out disconnect event for GetClusterSource consumers)
immediately after Disconnect and before
deleteClusterAccessor/cleanupClusterSourcesForCluster (or at least before
returning) so the disconnect/requeue is sent; ensure you reference clusterKey
and the same transition payload used elsewhere so consumers see the
handled→filtered-out event.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a65565de-5e44-46d8-b1b1-bc5a111226ef

📥 Commits

Reviewing files that changed from the base of the PR and between 656dec8 and 5c92e88.

⛔ Files ignored due to path filters (36)
  • api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go is excluded by !**/zz_generated*
  • api/bootstrap/kubeadm/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/bootstrap/kubeadm/v1beta2/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/controlplane/kubeadm/v1beta1/zz_generated.conversion.go is excluded by !**/zz_generated*
  • api/controlplane/kubeadm/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/controlplane/kubeadm/v1beta2/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/core/v1beta1/zz_generated.conversion.go is excluded by !**/zz_generated*
  • api/core/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/core/v1beta1/zz_generated.openapi.go is excluded by !**/zz_generated*
  • api/core/v1beta2/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/core/v1beta2/zz_generated.openapi.go is excluded by !**/zz_generated*
  • api/runtime/hooks/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/runtime/hooks/v1alpha1/zz_generated.openapi.go is excluded by !**/zz_generated*
  • docs/book/src/images/clusterclass-crd-relationships.svg is excluded by !**/*.svg
  • docs/book/src/images/kubeadm-control-plane-machines-resources.png is excluded by !**/*.png
  • docs/book/src/images/worker-machines-resources.png is excluded by !**/*.png
  • go.sum is excluded by !**/*.sum
  • hack/tools/go.sum is excluded by !**/*.sum
  • hack/tools/vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/httptransport/httptransport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/httptransport/transport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/jwt/jwt.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/transport/transport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/version.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/.repo-metadata.json is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/CHANGES.md is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/README.md is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/apiv1/iampb/iam_policy.pb.go is excluded by !**/*.pb.go, !**/vendor/**
📒 Files selected for processing (264)
  • .dockerignore
  • .github/workflows/pr-gh-workflow-approve.yaml
  • .github/workflows/pr-md-link-check.yaml
  • .github/workflows/release.yaml
  • .github/workflows/weekly-md-link-check.yaml
  • .github/workflows/weekly-security-scan.yaml
  • .github/workflows/weekly-test-release.yaml
  • .golangci-kal.yml
  • .golangci.yml
  • .trivyignore
  • CHANGELOG/v1.10.10.md
  • CHANGELOG/v1.10.9.md
  • CHANGELOG/v1.11.4.md
  • CHANGELOG/v1.11.5.md
  • CHANGELOG/v1.11.6.md
  • CHANGELOG/v1.11.7.md
  • CHANGELOG/v1.12.0-rc.1.md
  • CHANGELOG/v1.12.0.md
  • CHANGELOG/v1.12.1.md
  • CHANGELOG/v1.12.2.md
  • CHANGELOG/v1.12.3.md
  • CHANGELOG/v1.12.4.md
  • CHANGELOG/v1.13.0-beta.0.md
  • CHANGELOG/v1.13.0-beta.1.md
  • CHANGELOG/v1.13.0-rc.0.md
  • CONTRIBUTING.md
  • Dockerfile
  • Makefile
  • Tiltfile
  • api/bootstrap/kubeadm/v1beta1/conversion.go
  • api/bootstrap/kubeadm/v1beta1/kubeadm_types.go
  • api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go
  • api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go
  • api/controlplane/kubeadm/v1beta1/conversion.go
  • api/controlplane/kubeadm/v1beta1/kubeadm_control_plane_types.go
  • api/controlplane/kubeadm/v1beta1/kubeadmcontrolplanetemplate_types.go
  • api/controlplane/kubeadm/v1beta2/kubeadm_control_plane_types.go
  • api/controlplane/kubeadm/v1beta2/kubeadmcontrolplanetemplate_types.go
  • api/core/v1beta1/cluster_types.go
  • api/core/v1beta1/clusterclass_types.go
  • api/core/v1beta1/common_types.go
  • api/core/v1beta1/conversion.go
  • api/core/v1beta1/conversion_test.go
  • api/core/v1beta1/machine_types.go
  • api/core/v1beta1/machinehealthcheck_types.go
  • api/core/v1beta2/cluster_types.go
  • api/core/v1beta2/clusterclass_types.go
  • api/core/v1beta2/common_types.go
  • api/core/v1beta2/condition_types.go
  • api/core/v1beta2/machine_types.go
  • api/ipam/v1alpha1/conversion.go
  • api/runtime/hooks/v1alpha1/common_types.go
  • api/runtime/hooks/v1alpha1/lifecyclehooks_types.go
  • api/runtime/hooks/v1alpha1/topologymutation_types.go
  • api/runtime/hooks/v1alpha1/topologymutation_variable_types.go
  • bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml
  • bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml
  • bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigs.yaml
  • bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigtemplates.yaml
  • bootstrap/kubeadm/config/manager/manager.yaml
  • bootstrap/kubeadm/config/webhook/manifests.yaml
  • bootstrap/kubeadm/internal/cloudinit/cloudinit_test.go
  • bootstrap/kubeadm/internal/cloudinit/disk_setup.go
  • bootstrap/kubeadm/internal/cloudinit/utils.go
  • bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
  • bootstrap/kubeadm/internal/controllers/suite_test.go
  • bootstrap/kubeadm/internal/locking/control_plane_init_mutex.go
  • bootstrap/kubeadm/internal/setup/setup.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfig.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfig_test.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfigtemplate.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfigtemplate_test.go
  • bootstrap/kubeadm/main.go
  • bootstrap/util/configowner_test.go
  • bootstrap/util/suite_test.go
  • cmd/clusterctl/Dockerfile
  • cmd/clusterctl/client/cluster/cert_manager.go
  • cmd/clusterctl/client/cluster/cert_manager_test.go
  • cmd/clusterctl/client/cluster/mover.go
  • cmd/clusterctl/client/cluster/template.go
  • cmd/clusterctl/client/cluster/template_test.go
  • cmd/clusterctl/client/cluster/upgrader.go
  • cmd/clusterctl/client/cluster/upgrader_test.go
  • cmd/clusterctl/client/config/imagemeta_client.go
  • cmd/clusterctl/client/config/imagemeta_client_test.go
  • cmd/clusterctl/client/config/providers_client.go
  • cmd/clusterctl/client/config_test.go
  • cmd/clusterctl/client/repository/repository_github.go
  • cmd/clusterctl/client/repository/repository_github_test.go
  • cmd/clusterctl/client/upgrade.go
  • cmd/clusterctl/cmd/config_repositories_test.go
  • cmd/clusterctl/cmd/describe_cluster.go
  • cmd/clusterctl/cmd/upgrade_apply.go
  • cmd/clusterctl/cmd/version_checker.go
  • cmd/clusterctl/config/crd/bases/clusterctl.cluster.x-k8s.io_metadata.yaml
  • cmd/clusterctl/config/crd/bases/clusterctl.cluster.x-k8s.io_providers.yaml
  • cmd/clusterctl/config/manifest/clusterctl-api.yaml
  • cmd/clusterctl/hack/create-local-repository.py
  • cmd/clusterctl/internal/test/fake_github.go
  • cmd/clusterctl/internal/test/fake_reader.go
  • config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesetbindings.yaml
  • config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesets.yaml
  • config/crd/bases/cluster.x-k8s.io_clusterclasses.yaml
  • config/crd/bases/cluster.x-k8s.io_clusters.yaml
  • config/crd/bases/cluster.x-k8s.io_machinedeployments.yaml
  • config/crd/bases/cluster.x-k8s.io_machinedrainrules.yaml
  • config/crd/bases/cluster.x-k8s.io_machinehealthchecks.yaml
  • config/crd/bases/cluster.x-k8s.io_machinepools.yaml
  • config/crd/bases/cluster.x-k8s.io_machines.yaml
  • config/crd/bases/cluster.x-k8s.io_machinesets.yaml
  • config/crd/bases/ipam.cluster.x-k8s.io_ipaddressclaims.yaml
  • config/crd/bases/ipam.cluster.x-k8s.io_ipaddresses.yaml
  • config/crd/bases/runtime.cluster.x-k8s.io_extensionconfigs.yaml
  • config/crd/patches/webhook_in_clusterclasses.yaml
  • config/crd/patches/webhook_in_clusterresourcesetbindings.yaml
  • config/crd/patches/webhook_in_clusterresourcesets.yaml
  • config/crd/patches/webhook_in_clusters.yaml
  • config/crd/patches/webhook_in_extensionconfigs.yaml
  • config/crd/patches/webhook_in_ipaddressclaims.yaml
  • config/crd/patches/webhook_in_ipaddresses.yaml
  • config/crd/patches/webhook_in_machinedeployments.yaml
  • config/crd/patches/webhook_in_machinedrainrules.yaml
  • config/crd/patches/webhook_in_machinehealthchecks.yaml
  • config/crd/patches/webhook_in_machinepools.yaml
  • config/crd/patches/webhook_in_machines.yaml
  • config/crd/patches/webhook_in_machinesets.yaml
  • config/manager/manager.yaml
  • config/metrics/crd-metrics-config.yaml
  • config/webhook/manifests.yaml
  • controllers/clustercache/cluster_accessor.go
  • controllers/clustercache/cluster_accessor_client.go
  • controllers/clustercache/cluster_accessor_test.go
  • controllers/clustercache/cluster_cache.go
  • controllers/clustercache/cluster_cache_test.go
  • controllers/crdmigrator/crd_migrator.go
  • controllers/crdmigrator/test/t1/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controllers/crdmigrator/test/t2/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controllers/crdmigrator/test/t3/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controllers/crdmigrator/test/t4/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
  • controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml
  • controlplane/kubeadm/config/crd/patches/webhook_in_kubeadmcontrolplanes.yaml
  • controlplane/kubeadm/config/crd/patches/webhook_in_kubeadmcontrolplanetemplates.yaml
  • controlplane/kubeadm/config/manager/manager.yaml
  • controlplane/kubeadm/config/webhook/manifests.yaml
  • controlplane/kubeadm/internal/cluster.go
  • controlplane/kubeadm/internal/cluster_test.go
  • controlplane/kubeadm/internal/clustercache_utils.go
  • controlplane/kubeadm/internal/control_plane.go
  • controlplane/kubeadm/internal/control_plane_test.go
  • controlplane/kubeadm/internal/controllers/controller.go
  • controlplane/kubeadm/internal/controllers/controller_test.go
  • controlplane/kubeadm/internal/controllers/fakes_test.go
  • controlplane/kubeadm/internal/controllers/helpers.go
  • controlplane/kubeadm/internal/controllers/inplace.go
  • controlplane/kubeadm/internal/controllers/inplace_canupdatemachine.go
  • controlplane/kubeadm/internal/controllers/inplace_trigger.go
  • controlplane/kubeadm/internal/controllers/remediation.go
  • controlplane/kubeadm/internal/controllers/remediation_test.go
  • controlplane/kubeadm/internal/controllers/scale.go
  • controlplane/kubeadm/internal/controllers/scale_test.go
  • controlplane/kubeadm/internal/controllers/status.go
  • controlplane/kubeadm/internal/controllers/status_test.go
  • controlplane/kubeadm/internal/controllers/suite_test.go
  • controlplane/kubeadm/internal/controllers/update_test.go
  • controlplane/kubeadm/internal/desiredstate/desired_state.go
  • controlplane/kubeadm/internal/desiredstate/desired_state_test.go
  • controlplane/kubeadm/internal/etcd/etcd_test.go
  • controlplane/kubeadm/internal/etcd/fake/client.go
  • controlplane/kubeadm/internal/setup/setup.go
  • controlplane/kubeadm/internal/suite_test.go
  • controlplane/kubeadm/internal/webhooks/kubeadmcontrolplane.go
  • controlplane/kubeadm/internal/webhooks/kubeadmcontrolplane_test.go
  • controlplane/kubeadm/internal/webhooks/kubeadmcontrolplanetemplate.go
  • controlplane/kubeadm/internal/webhooks/scale.go
  • controlplane/kubeadm/internal/workload_cluster.go
  • controlplane/kubeadm/internal/workload_cluster_conditions.go
  • controlplane/kubeadm/internal/workload_cluster_conditions_test.go
  • controlplane/kubeadm/internal/workload_cluster_coredns.go
  • controlplane/kubeadm/internal/workload_cluster_etcd.go
  • controlplane/kubeadm/internal/workload_cluster_etcd_test.go
  • controlplane/kubeadm/internal/workload_cluster_test.go
  • controlplane/kubeadm/main.go
  • docs/book/src/SUMMARY.md
  • docs/book/src/clusterctl/configuration.md
  • docs/book/src/developer/core/logging.md
  • docs/book/src/developer/core/tilt.md
  • docs/book/src/developer/providers/contracts/bootstrap-config.md
  • docs/book/src/developer/providers/contracts/clusterctl.md
  • docs/book/src/developer/providers/contracts/control-plane.md
  • docs/book/src/developer/providers/contracts/infra-cluster.md
  • docs/book/src/developer/providers/contracts/infra-machine.md
  • docs/book/src/developer/providers/contracts/infra-machinepool.md
  • docs/book/src/developer/providers/getting-started/webhooks.md
  • docs/book/src/developer/providers/migrations/v1.10-to-v1.11.md
  • docs/book/src/developer/providers/migrations/v1.12-to-v1.13.md
  • docs/book/src/developer/providers/migrations/v1.9-to-v1.10.md
  • docs/book/src/images/kubeadm-control-plane-machines-resources.plantuml
  • docs/book/src/images/worker-machines-resources.plantuml
  • docs/book/src/introduction.md
  • docs/book/src/reference/api/crd-api-reference-v1beta1.md
  • docs/book/src/reference/api/crd-api-reference.md
  • docs/book/src/reference/api/crd-relationships.md
  • docs/book/src/reference/api/reference.md
  • docs/book/src/reference/versions.md
  • docs/book/src/tasks/automated-machine-management/healthchecking.md
  • docs/book/src/tasks/automated-machine-management/scaling.md
  • docs/book/src/tasks/cluster-resource-set.md
  • docs/book/src/tasks/diagnostics.md
  • docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
  • docs/book/src/tasks/experimental-features/experimental-features.md
  • docs/book/src/tasks/experimental-features/machine-pools.md
  • docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
  • docs/book/src/tasks/experimental-features/runtime-sdk/index.md
  • docs/book/src/tasks/external-etcd.md
  • docs/book/src/tasks/using-kustomize.md
  • docs/book/src/user/quick-start.md
  • docs/proposals/20200506-conditions.md
  • docs/proposals/20210310-opt-in-autoscaling-from-zero.md
  • docs/proposals/20220330-topology-mutation-hook.md
  • docs/proposals/20240916-improve-status-in-CAPI-resources.md
  • docs/proposals/20250124-From CAPD(docker) to CAPD(dev) .md
  • docs/release/releases/release-1.13.md
  • docs/release/role-handbooks/ci-signal/README.md
  • docs/release/role-handbooks/release-lead/README.md
  • exp/topology/desiredstate/desired_state.go
  • exp/topology/desiredstate/desired_state_test.go
  • exp/topology/desiredstate/lifecycle_hooks.go
  • exp/topology/desiredstate/lifecycle_hooks_test.go
  • exp/topology/desiredstate/upgrade_plan.go
  • exp/topology/desiredstate/upgrade_plan_test.go
  • feature/feature.go
  • go.mod
  • hack/crd-ref-docs-config-v1beta1.yaml
  • hack/crd-ref-docs-config-v1beta2.yaml
  • hack/ensure-go.sh
  • hack/gogcflags.sh
  • hack/kind-install.sh
  • hack/observability/alloy/kustomization.yaml
  • hack/observability/grafana/chart/kustomization.yaml
  • hack/observability/grafana/dashboards/cluster-api-mgmt-apiserver-requests.json
  • hack/observability/grafana/dashboards/cluster-api-performance.json
  • hack/observability/grafana/dashboards/cluster-api-state.json
  • hack/observability/grafana/dashboards/cluster-api-wl-apiserver-requests.json
  • hack/observability/grafana/dashboards/controller-runtime.json
  • hack/observability/grafana/dashboards/runtime-extensions.json
  • hack/observability/kube-state-metrics/kustomization.yaml
  • hack/observability/loki/kustomization.yaml
  • hack/observability/loki/values.yaml
  • hack/observability/metrics-server/kustomization.yaml
  • hack/observability/parca/values.yaml
  • hack/observability/prometheus/kustomization.yaml
  • hack/observability/prometheus/values.yaml
  • hack/observability/tempo/kustomization.yaml
  • hack/observability/visualizer/kustomization.yaml
  • hack/tools/go.mod
  • hack/tools/internal/tilt-prepare/main.go
  • hack/tools/prowjob-gen/config.go
  • hack/tools/prowjob-gen/test/test-configuration.yaml
  • hack/tools/prowjob-gen/test/test-main.yaml.golden
  • hack/tools/prowjob-gen/test/test.yaml.tpl
  • hack/tools/release/internal/update_providers/provider_issues.go
  • hack/tools/release/weekly/main.go
  • hack/tools/runtime-openapi-gen/main.go
💤 Files with no reviewable changes (7)
  • config/webhook/manifests.yaml
  • controllers/clustercache/cluster_accessor_test.go
  • .trivyignore
  • bootstrap/kubeadm/config/webhook/manifests.yaml
  • cmd/clusterctl/client/cluster/upgrader_test.go
  • bootstrap/util/suite_test.go
  • .github/workflows/pr-gh-workflow-approve.yaml

fail-fast: false
matrix:
branch: [ main, release-1.11, release-1.10, release-1.9 ]
branch: [ main, release-1.12, release-1.11 ]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

for b in main master release-1.12 release-1.11; do
  if git ls-remote --exit-code --heads origin "$b" >/dev/null 2>&1; then
    echo "exists: $b"
  else
    echo "missing: $b"
  fi
done

Repository: openshift/cluster-api

Length of output: 138


Update workflow matrix branches to match actual repository branches.

The workflow matrix references main, release-1.12, and release-1.11, but only master exists in this repository. The actions/checkout action will fail on all three matrix entries, preventing the security scan from running. Update line 16 to reference valid branches.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/weekly-security-scan.yaml at line 16, The workflow's
matrix branches list is invalid (it lists main and release-1.*); update the
branches array used in the weekly-security-scan workflow so actions/checkout
uses existing repo branches (replace "branch: [ main, release-1.12, release-1.11
]" with a valid list such as "branch: [ master ]" or the actual release branch
names), ensuring the matrix contains only real branch names so the job runs
successfully.

Comment on lines +420 to +427
for _, c := range in.Taints {
out.Spec.Taints = append(out.Spec.Taints, clusterv1.MachineTaint{
Key: c.Key,
Value: c.Value,
Effect: c.Effect,
Propagation: clusterv1.MachineTaintPropagation(c.Propagation),
})
}

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Reset destination taint slices before appending.

These conversions append into out.Spec.Taints / out.Taints without clearing them first. If the destination object is reused, you'll retain stale taints or duplicate entries across conversions. Allocate the exact-length slice and assign by index instead of appending.

💡 Suggested pattern
- for _, c := range in.Taints {
- 	out.Spec.Taints = append(out.Spec.Taints, clusterv1.MachineTaint{
- 		Key:         c.Key,
- 		Value:       c.Value,
- 		Effect:      c.Effect,
- 		Propagation: clusterv1.MachineTaintPropagation(c.Propagation),
- 	})
- }
+ if len(in.Taints) == 0 {
+ 	out.Spec.Taints = nil
+ } else {
+ 	out.Spec.Taints = make([]clusterv1.MachineTaint, len(in.Taints))
+ 	for i, c := range in.Taints {
+ 		out.Spec.Taints[i] = clusterv1.MachineTaint{
+ 			Key:         c.Key,
+ 			Value:       c.Value,
+ 			Effect:      c.Effect,
+ 			Propagation: clusterv1.MachineTaintPropagation(c.Propagation),
+ 		}
+ 	}
+ }
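Review bot: the `len(in.Taints) == 0` branch on the `+` lines assigns `out.Spec.Taints = nil`, so an empty but non-nil source slice comes out as nil; if the conversion round-trip tests compare nil and empty slices strictly, confirm that this is the intended result. Because the same block is to be repeated at 446-453, 464-471 and 482-489, consider one helper per direction that takes the source slice and returns the converted slice, so the reset and the `Propagation` cast live in one place.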

Apply the same pattern to the reverse/template conversions as well.

Also applies to: 446-453, 464-471, 482-489

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@api/controlplane/kubeadm/v1beta1/conversion.go` around lines 420 - 427, The
conversion functions are appending to destination taint slices (e.g.,
out.Spec.Taints, out.Taints) without clearing them, causing duplicates when
objects are reused; change each conversion that iterates over in.Taints (and the
reverse/template variants) to allocate a slice of exact length (len(in.Taints)),
assign it to the destination (out.Spec.Taints = make(..., len(in.Taints))), and
populate entries by index using clusterv1.MachineTaint{...} instead of append;
apply the same pattern for all occurrences noted (the blocks around the
in.Taints iterations and their reverse/template counterparts).

Comment on lines +22 to 23
clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
runtimecatalog "sigs.k8s.io/cluster-api/exp/runtime/catalog"

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Avoid changing the embedded Cluster schema in the v1alpha1 hook contract.

These request types are the wire contract for Runtime SDK extensions. Swapping cluster from core v1beta1 to core v1beta2 changes that payload shape without a hook API version bump, so existing extensions can start deserializing a different object after upgrading the management cluster. Keep the old payload in v1alpha1 or introduce a new hook version and convert explicitly.

Also applies to: 34-36, 61-63, 89-91, 141-143, 185-187, 225-227, 269-271, 309-311, 341-343

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@api/runtime/hooks/v1alpha1/lifecyclehooks_types.go` around lines 22 - 23,
Revert the import change so the embedded Cluster schema in the v1alpha1 hook
contract remains the original core v1beta1 type: replace the current import
"sigs.k8s.io/cluster-api/api/core/v1beta2" used as clusterv1 with the original
"sigs.k8s.io/cluster-api/api/core/v1beta1" and ensure every struct in this file
that embeds or references clusterv1.Cluster (the v1alpha1 request types)
continues to use the v1beta1 shape; if you actually need v1beta2 semantics,
instead create a new hook version (e.g., v1beta1 hook API) and perform explicit
conversion between versions rather than changing the v1alpha1 contract in-place.

Comment on lines +66 to +68
scheme := runtime.NewScheme()
_ = clusterv1.AddToScheme(scheme)
c := fake.NewClientBuilder().WithScheme(scheme).WithObjects(myMachine).Build()

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Handle scheme registration failures explicitly.

At Line [67] and Line [121], discarding the AddToScheme error can hide test setup failures and make downstream assertions misleading.

Suggested fix
 			scheme := runtime.NewScheme()
-			_ = clusterv1.AddToScheme(scheme)
+			g.Expect(clusterv1.AddToScheme(scheme)).To(Succeed())
 			c := fake.NewClientBuilder().WithScheme(scheme).WithObjects(myMachine).Build()
@@
 			scheme := runtime.NewScheme()
-			_ = clusterv1.AddToScheme(scheme)
+			g.Expect(clusterv1.AddToScheme(scheme)).To(Succeed())
 			c := fake.NewClientBuilder().WithScheme(scheme).WithObjects(myPool).Build()
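Review bot: both `+` lines call `g.Expect(...)`, but the visible context lines do not show a `g` in scope at either site; confirm each subtest creates its Gomega instance before the scheme is built, or use the assertion helper the test already has. The prompt text that follows this hunk suggests `t.Fatalf` or `require.NoError` instead, so pick one form and apply it at both line 67 and line 121.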

Also applies to: 120-123

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@bootstrap/util/configowner_test.go` around lines 66 - 68, The test currently
discards the error returned by clusterv1.AddToScheme, which can hide scheme
registration failures; update both places where runtime.NewScheme() and
clusterv1.AddToScheme(...) are used to capture the returned error (e.g., err :=
clusterv1.AddToScheme(scheme)) and explicitly fail the test if err != nil (use
t.Fatalf or a test assertion helper like require.NoError) before building the
fake client (fake.NewClientBuilder().WithScheme(scheme)...), so any scheme
registration failure surfaces immediately.

Comment thread CHANGELOG/v1.13.0-rc.0.md
- Devtools: Enable native histograms in Grafana / Prometheus (#13304)
- Devtools: Make kind image configurable via env var for make tilt-up (#13333)
- Devtools: Updated dev observability stack (#13044)
- e2e: 0 in e2e tests (#13429)

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix malformed changelog entry.

This entry is incomplete and unclear: "0 in e2e tests" does not describe what change was made. Please verify the correct description for PR #13429.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG/v1.13.0-rc.0.md` at line 186, Replace the malformed changelog line
"e2e: 0 in e2e tests" with a clear, complete description for PR `#13429`: locate
the entry referencing PR `#13429` and update it to a concise sentence like "e2e:
<brief summary of the fix/feature introduced by PR `#13429`> (PR `#13429`)" so it
explains what changed in e2e tests and includes the PR number for traceability;
confirm the wording matches the PR title/description and preserves the changelog
format.

Comment on lines +293 to +302
key:
description: |-
key is the taint key to be applied to a node.
Must be a valid qualified name of maximum size 63 characters
with an optional subdomain prefix of maximum size 253 characters,
separated by a `/`.
maxLength: 317
minLength: 1
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/)?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$
type: string

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore qualified-name validation on spec.taints[].key.

After dropping the split-length validation, this schema now accepts keys whose name segment is longer than 63 characters as long as the overall string stays under 317 chars. That no longer matches Kubernetes qualified-name rules, so invalid taints can be admitted here and then fail later when Cluster API tries to apply them to Nodes. Please restore the source-level validation and regenerate the CRDs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/crd/bases/cluster.x-k8s.io_machines.yaml` around lines 293 - 302, The
spec.taints[].key schema currently allows a name segment longer than 63 chars
because maxLength: 317 was left without the split-length enforcement; restore
the original qualified-name validation by updating the key schema (the pattern
and length checks for spec.taints[].key) so the optional DNS subdomain prefix is
limited to 253 chars and the name segment is limited to 63 chars (i.e. reinstate
the regex that enforces the name segment max 63 and prefix max 253 rather than
relying only on a 317 overall max), update/remove the incorrect maxLength if
needed to match that regex, and then regenerate the CRDs so the corrected
validation is applied.
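
The gap described in this comment can be reproduced with the pattern and `maxLength` from the quoted CRD excerpt. The Go sketch below is an added example, not code from cluster-api or from the review; `schemaAccepts` and `validateTaintKey` are hypothetical helpers, the sample keys are constructed, and the 253/63 limits are the ones stated in the field description.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern and overall length bounds copied from the CRD excerpt quoted in the comment.
const (
	crdKeyPattern = `^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/)?([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`
	crdMinLength  = 1
	crdMaxLength  = 317
	// Per-segment limits taken from the field description in the same excerpt.
	maxPrefixLength = 253
	maxNameLength   = 63
)

var crdKeyRE = regexp.MustCompile(crdKeyPattern)

// schemaAccepts reproduces what the schema alone enforces: the pattern plus a
// bound on the whole string. The pattern admits ASCII only, so byte length and
// character length are the same for any key that matches.
func schemaAccepts(key string) bool {
	return len(key) >= crdMinLength && len(key) <= crdMaxLength && crdKeyRE.MatchString(key)
}

// validateTaintKey (hypothetical helper) adds the split-length check on top of
// the schema check: prefix at most 253 characters, name at most 63.
func validateTaintKey(key string) error {
	if !schemaAccepts(key) {
		return fmt.Errorf("key of length %d fails the schema pattern or overall length", len(key))
	}
	// The pattern permits at most one '/', so the first one separates prefix and name.
	prefix, name, hasPrefix := strings.Cut(key, "/")
	if !hasPrefix {
		prefix, name = "", key
	}
	if len(prefix) > maxPrefixLength {
		return fmt.Errorf("prefix is %d characters, limit is %d", len(prefix), maxPrefixLength)
	}
	if len(name) > maxNameLength {
		return fmt.Errorf("name is %d characters, limit is %d", len(name), maxNameLength)
	}
	return nil
}

func main() {
	// Constructed sample keys, not taken from any real cluster.
	samples := []struct{ label, key string }{
		{"well-formed key", "node-role.kubernetes.io/control-plane"},
		{"63-character name (boundary)", "example.com/" + strings.Repeat("a", 63)},
		{"64-character name", "example.com/" + strings.Repeat("a", 64)},
		{"254-character prefix", strings.Repeat("a", 254) + "/x"},
		{"318 characters overall", strings.Repeat("a", 318)},
	}
	for _, s := range samples {
		err := validateTaintKey(s.key)
		fmt.Printf("%-30s schema=%-5t split-length=%v\n", s.label, schemaAccepts(s.key), err)
	}
}
```

Keys for which `schemaAccepts` is true and `validateTaintKey` returns an error are the ones the schema would admit but the stated qualified-name limits reject.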

Comment on lines +469 to +478
// Apply cluster filter if set
if cc.clusterFilter != nil && !cc.clusterFilter(cluster) {
log.V(6).Info("Cluster filtered out by ClusterFilter, not connecting")
accessor := cc.getClusterAccessor(clusterKey)
if accessor != nil {
accessor.Disconnect(ctx)
}
cc.deleteClusterAccessor(clusterKey)
cc.cleanupClusterSourcesForCluster(clusterKey)
return ctrl.Result{}, nil

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't drop disconnect events when a cluster becomes filtered out.

If this branch disconnects an existing accessor, the early return skips sendEventsToClusterSources below, so GetClusterSource consumers never see the disconnect requeue for handled → filtered-out transitions.

Suggested fix
 	// Apply cluster filter if set
 	if cc.clusterFilter != nil && !cc.clusterFilter(cluster) {
 		log.V(6).Info("Cluster filtered out by ClusterFilter, not connecting")
 		accessor := cc.getClusterAccessor(clusterKey)
+		didDisconnect := false
 		if accessor != nil {
-			accessor.Disconnect(ctx)
+			if accessor.Connected(ctx) {
+				accessor.Disconnect(ctx)
+				didDisconnect = true
+			}
 		}
+		if didDisconnect {
+			cc.sendEventsToClusterSources(ctx, cluster, time.Now(), accessor.GetHealthCheckingState(ctx).LastProbeSuccessTime, false, true)
+		}
 		cc.deleteClusterAccessor(clusterKey)
 		cc.cleanupClusterSourcesForCluster(clusterKey)
 		return ctrl.Result{}, nil
 	}
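Review bot: on the `+` lines, `accessor.GetHealthCheckingState(ctx).LastProbeSuccessTime` is read after `accessor.Disconnect(ctx)` has already run, so the value passed to `sendEventsToClusterSources` depends on what `Disconnect` leaves behind, which these lines do not show. Read the last probe time into a local before calling `Disconnect` and pass that local instead. `Connected` followed by `Disconnect` is also a check-then-act pair, so confirm the accessor cannot change state between the two calls.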
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@controllers/clustercache/cluster_cache.go` around lines 469 - 478, When a
cluster is filtered out we currently disconnect and delete the accessor
(getClusterAccessor, accessor.Disconnect, deleteClusterAccessor,
cleanupClusterSourcesForCluster) then return early, which prevents notifying
consumers; move or add a call to cc.sendEventsToClusterSources (or invoke the
existing method that enqueues a handled→filtered-out disconnect event for
GetClusterSource consumers) immediately after Disconnect and before
deleteClusterAccessor/cleanupClusterSourcesForCluster (or at least before
returning) so the disconnect/requeue is sent; ensure you reference clusterKey
and the same transition payload used elsewhere so consumers see the
handled→filtered-out event.

cloud-team-rebase-bot and others added 21 commits May 7, 2026 12:10
Squash follow-up OWNERS sync into the initial OpenShift-specific carry since it
updates the same initial ownership surface.

# Conflicts:
#	.github/workflows/pr-dependabot.yaml
#	.github/workflows/pr-golangci-lint.yaml
#	.github/workflows/pr-verify.yaml
#	OWNERS_ALIASES
Squash the OWNERS-only carries into a single update to keep ownership churn in
one focused commit.
Squash adjacent changes that iterate on OpenShift manifest tooling and
metadata sync behavior in the same Makefile-driven flow.
Squash adjacent Dockerfile updates that refine the 4.21 image carry and
manager binary naming.
Squash adjacent toolchain updates touching openshift/tools so kustomize
alignment and IPAM pinning are applied together.
…olicy: Ignore

Add functions to set the failurePolicy to Ignore for both mutating and validating webhooks handling IPAM resources.

During bootstrap, the bootstrap node's Kube API Server receives IPAM create requests but is unable
to reach the webhooks in the Cluster API namespace.

This is because the bootstrap node doesn't have a route to the pods as it doesn't have access to the pod networks.
If failurePolicy is set to Fail, the KAS cannot reach the webhook endpoints and the request fails, preventing creation of IPAddress and IPAddressClaim resources.

This causes a chicken-and-egg problem as it prevents IPAM provisioning
for the workers which won't start without their IP addresses being allocated.

Setting failurePolicy to Ignore allows the resources to be created even when the webhooks are
unreachable during bootstrap, matching what Machine API also does.

More context: https://redhat-internal.slack.com/archives/C0A2M43S199/p1765540108488539
Squash ART image consistency updates into a single carry commit.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Squash adjacent carries that iterate over OpenShift manifests generation,
IPAM kustomization, and Dockerfile image consistency.
… upstream rebase

Squash the post-rebase regeneration steps into a single carry commit so the
PR keeps one coherent update for generated manifests and dependency vendoring.
@cloud-team-bot cloud-team-bot Bot force-pushed the rebase-bot-master branch from 5c92e88 to e801fc2 Compare May 7, 2026 12:13

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go (1)

778-807: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Add custom conversion logic to handle layout+diskLayout mutual exclusivity across API versions.

v1beta2's Partition struct enforces +kubebuilder:validation:ExactlyOneOf=layout;diskLayout (line 853), ensuring exactly one field is set. However, the auto-generated conversion produces incorrect results:

In v1beta1, Layout bool is required (always non-nil). When converting a v1beta1 resource with both layout: false and diskLayout: [...], the auto-generated Convert_bool_To_Pointer_bool creates a non-nil pointer Layout: &false. In v1beta2, this counts as "specified" by ExactlyOneOf, causing validation failure even though the user intended only diskLayout to be set.

The v1beta1→v1beta2 conversion must set Layout = nil when DiskLayout is non-empty. The reverse conversion (v1beta2→v1beta1) needs to set Layout = false when Layout == nil (indicating only diskLayout was used in v1beta2).

Implement custom conversion functions in api/bootstrap/kubeadm/v1beta1/conversion.go to override the auto-generated Convert_v1beta1_Partition_To_v1beta2_Partition and Convert_v1beta2_Partition_To_v1beta1_Partition.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go` around lines 778 - 807,
The auto-generated conversions need to be overridden for Partition to enforce
mutual exclusivity: add custom conversion functions
Convert_v1beta1_Partition_To_v1beta2_Partition and
Convert_v1beta2_Partition_To_v1beta1_Partition in
api/bootstrap/kubeadm/v1beta1/conversion.go that first call the autogenerated
conversion to copy fields, then adjust Layout/DiskLayout: in
Convert_v1beta1_Partition_To_v1beta2_Partition, if in the source DiskLayout is
non-empty set dst.Layout = nil (so layout is treated as unspecified); in
Convert_v1beta2_Partition_To_v1beta1_Partition, if src.Layout == nil set
dst.Layout = false; ensure you preserve other fields and return any conversion
errors from the autogenerated call.
♻️ Duplicate comments (1)
CHANGELOG/v1.13.0-rc.0.md (1)

186-186: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix malformed changelog entry.

This entry is incomplete and unclear: "0 in e2e tests" does not describe what change was made. Please verify the correct description for PR #13429 and update the entry accordingly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG/v1.13.0-rc.0.md` at line 186, The changelog entry "e2e: 0 in e2e
tests (`#13429`)" is malformed; look up PR `#13429` to determine the correct concise
description and replace that line with a proper changelog entry that follows the
repo's format (e.g., "e2e: <brief description of the change> (`#13429`)"),
ensuring it clearly describes what was changed and includes the PR number.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/bootstrap/kubeadm/v1beta1/conversion.go`:
- Around line 68-78: The conversion currently restores only InitConfiguration
and JoinConfiguration timeouts; you must also preserve backported
ClusterConfiguration fields by copying CertificateValidityPeriodDays,
CACertificateValidityPeriodDays, and EncryptionAlgorithm from the restored
object into dst when those fields are present in restored but unset/zero in dst;
update RestoreKubeadmConfigSpec to check restored.ClusterConfiguration (or
restored.ClusterConfiguration.IsDefined() if available) and for each of
CertificateValidityPeriodDays, CACertificateValidityPeriodDays, and
EncryptionAlgorithm assign dst.ClusterConfiguration.<field> =
restored.ClusterConfiguration.<field> only when dst.ClusterConfiguration.<field>
is empty/zero to avoid overwriting existing spoke values.

In `@api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go`:
- Around line 411-435: The validateIgnition function must reject any
Partition.DiskLayout entries when spec.Format is "ignition"; update
KubeadmConfigSpec.validateIgnition to iterate c.DiskSetup.Partitions and for
each partition with len(partition.DiskLayout) > 0 append a field.Forbidden
(using pathPrefix.Child("diskSetup","partitions").Index(i).Child("diskLayout"))
with a clear message such as "diskLayout is not supported when format is
ignition" so users get a validation error instead of silently ignored
configuration.

In `@api/core/v1beta1/machinehealthcheck_types.go`:
- Around line 170-175: The Timeout field currently uses metav1.Duration which
allows sub-second, negative, and very large values that are lossy when converted
via ConvertToSeconds() to v1beta2; to fix, either change the Timeout type to
*int32 (seconds) to match the v1beta2 hub representation and update all
conversion helpers/CRD tags to accept seconds-only, or keep metav1.Duration but
add strict validation (e.g., in the MachineHealthCheck webhook/Validate methods)
to reject values < 1s, reject negative durations, and reject values >
math.MaxInt32 seconds and any sub-second precision (truncate/rounding not
allowed); update ConvertToSeconds usage and conversion functions to assume the
new seconds-only contract and add clear error messages referencing Timeout and
ConvertToSeconds so clients receive validation failures instead of silent
truncation.

In `@CHANGELOG/v1.12.0-rc.1.md`:
- Around line 85-311: The release note contains duplicate top-level headings
within the <details> block (e.g., "## :chart_with_upwards_trend: Overview", "##
:bug: Bug Fixes", "## :seedling: Others", "## Dependencies") which triggers
markdownlint MD024; remove or rename the duplicated headings inside the
<details> section (or convert them to lower-level headings like "###" or inline
labels) so only one instance of each top-level heading remains (search for the
exact heading strings above to locate the duplicated blocks).

In `@CHANGELOG/v1.12.0.md`:
- Around line 308-373: The dependency transition table in the "### Changed"
section contains apparent downgrades (e.g., cloud.google.com/go/storage,
cloud.google.com/go, github.com/census-instrumentation/opencensus-proto,
github.com/googleapis/gax-go/v2, go.opencensus.io, google.golang.org/api);
verify the intended direction by checking the authoritative source
(go.mod/go.sum or the release tooling that produced the list), then correct each
line to show the proper "old → new" version or remove any incorrect entries;
update the specific entries for cloud.google.com/go/storage,
cloud.google.com/go, github.com/census-instrumentation/opencensus-proto,
github.com/googleapis/gax-go/v2, go.opencensus.io, and google.golang.org/api in
the changelog so the arrow direction and versions match the actual dependency
changes.

In `@CHANGELOG/v1.13.0-beta.0.md`:
- Line 135: The changelog line "e2e: 0 in e2e tests" is malformed and must be
replaced with a clear summary of PR `#13429`; review PR `#13429` to determine the
intended change and update the entry to a concise, conventional changelog phrase
(e.g., "e2e: fix flakey test X" or "e2e: add test for Y"), keeping the same
prefix/scope format used in other entries and preserving bullet/list formatting
so the entry is meaningful and consistent with surrounding lines.

In `@CHANGELOG/v1.13.0-beta.1.md`:
- Line 207: The changelog contains a malformed entry "e2e: 0 in e2e tests" that
must be replaced with the actual description from PR `#13429`; open PR `#13429` to
confirm the intended change (what was added/fixed in e2e tests) and update the
entry in CHANGELOG/v1.13.0-beta.1.md to a clear, concise sentence referencing
the fix or feature (e.g., "e2e: <brief description of change/fix> (`#13429`)"),
ensuring the PR number remains included for traceability.

In `@config/crd/bases/cluster.x-k8s.io_machinedeployments.yaml`:
- Around line 594-600: The CRD schema for the taint "value" field currently has
minLength: 1 which rejects valid empty taint values even though the regex
pattern allows the empty string; update the "value" schema (the value property
under the taint definition) to allow empty values by removing the minLength
constraint or setting minLength: 0 so the pattern and length constraints are
consistent and manifests with an explicit empty taint value validate
successfully.

---

Outside diff comments:
In `@api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go`:
- Around line 778-807: The auto-generated conversions need to be overridden for
Partition to enforce mutual exclusivity: add custom conversion functions
Convert_v1beta1_Partition_To_v1beta2_Partition and
Convert_v1beta2_Partition_To_v1beta1_Partition in
api/bootstrap/kubeadm/v1beta1/conversion.go that first call the autogenerated
conversion to copy fields, then adjust Layout/DiskLayout: in
Convert_v1beta1_Partition_To_v1beta2_Partition, if in the source DiskLayout is
non-empty set dst.Layout = nil (so layout is treated as unspecified); in
Convert_v1beta2_Partition_To_v1beta1_Partition, if src.Layout == nil set
dst.Layout = false; ensure you preserve other fields and return any conversion
errors from the autogenerated call.

---

Duplicate comments:
In `@CHANGELOG/v1.13.0-rc.0.md`:
- Line 186: The changelog entry "e2e: 0 in e2e tests (`#13429`)" is malformed;
look up PR `#13429` to determine the correct concise description and replace that
line with a proper changelog entry that follows the repo's format (e.g., "e2e:
<brief description of the change> (`#13429`)"), ensuring it clearly describes what
was changed and includes the PR number.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c3a07f7d-036d-431b-83f1-8894ce44d85d

📥 Commits

Reviewing files that changed from the base of the PR and between 5c92e88 and e801fc2.

⛔ Files ignored due to path filters (36)
  • api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go is excluded by !**/zz_generated*
  • api/bootstrap/kubeadm/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/bootstrap/kubeadm/v1beta2/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/controlplane/kubeadm/v1beta1/zz_generated.conversion.go is excluded by !**/zz_generated*
  • api/controlplane/kubeadm/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/controlplane/kubeadm/v1beta2/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/core/v1beta1/zz_generated.conversion.go is excluded by !**/zz_generated*
  • api/core/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/core/v1beta1/zz_generated.openapi.go is excluded by !**/zz_generated*
  • api/core/v1beta2/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/core/v1beta2/zz_generated.openapi.go is excluded by !**/zz_generated*
  • api/runtime/hooks/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
  • api/runtime/hooks/v1alpha1/zz_generated.openapi.go is excluded by !**/zz_generated*
  • docs/book/src/images/clusterclass-crd-relationships.svg is excluded by !**/*.svg
  • docs/book/src/images/kubeadm-control-plane-machines-resources.png is excluded by !**/*.png
  • docs/book/src/images/worker-machines-resources.png is excluded by !**/*.png
  • go.sum is excluded by !**/*.sum
  • hack/tools/go.sum is excluded by !**/*.sum
  • hack/tools/vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/httptransport/httptransport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/httptransport/transport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/jwt/jwt.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/transport/transport.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/auth/internal/version.go is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/.repo-metadata.json is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/CHANGES.md is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/README.md is excluded by !**/vendor/**
  • hack/tools/vendor/cloud.google.com/go/iam/apiv1/iampb/iam_policy.pb.go is excluded by !**/*.pb.go, !**/vendor/**
📒 Files selected for processing (264)
  • .dockerignore
  • .github/workflows/pr-gh-workflow-approve.yaml
  • .github/workflows/pr-md-link-check.yaml
  • .github/workflows/release.yaml
  • .github/workflows/weekly-md-link-check.yaml
  • .github/workflows/weekly-security-scan.yaml
  • .github/workflows/weekly-test-release.yaml
  • .golangci-kal.yml
  • .golangci.yml
  • .trivyignore
  • CHANGELOG/v1.10.10.md
  • CHANGELOG/v1.10.9.md
  • CHANGELOG/v1.11.4.md
  • CHANGELOG/v1.11.5.md
  • CHANGELOG/v1.11.6.md
  • CHANGELOG/v1.11.7.md
  • CHANGELOG/v1.12.0-rc.1.md
  • CHANGELOG/v1.12.0.md
  • CHANGELOG/v1.12.1.md
  • CHANGELOG/v1.12.2.md
  • CHANGELOG/v1.12.3.md
  • CHANGELOG/v1.12.4.md
  • CHANGELOG/v1.13.0-beta.0.md
  • CHANGELOG/v1.13.0-beta.1.md
  • CHANGELOG/v1.13.0-rc.0.md
  • CONTRIBUTING.md
  • Dockerfile
  • Makefile
  • Tiltfile
  • api/bootstrap/kubeadm/v1beta1/conversion.go
  • api/bootstrap/kubeadm/v1beta1/kubeadm_types.go
  • api/bootstrap/kubeadm/v1beta1/kubeadmconfig_types.go
  • api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go
  • api/controlplane/kubeadm/v1beta1/conversion.go
  • api/controlplane/kubeadm/v1beta1/kubeadm_control_plane_types.go
  • api/controlplane/kubeadm/v1beta1/kubeadmcontrolplanetemplate_types.go
  • api/controlplane/kubeadm/v1beta2/kubeadm_control_plane_types.go
  • api/controlplane/kubeadm/v1beta2/kubeadmcontrolplanetemplate_types.go
  • api/core/v1beta1/cluster_types.go
  • api/core/v1beta1/clusterclass_types.go
  • api/core/v1beta1/common_types.go
  • api/core/v1beta1/conversion.go
  • api/core/v1beta1/conversion_test.go
  • api/core/v1beta1/machine_types.go
  • api/core/v1beta1/machinehealthcheck_types.go
  • api/core/v1beta2/cluster_types.go
  • api/core/v1beta2/clusterclass_types.go
  • api/core/v1beta2/common_types.go
  • api/core/v1beta2/condition_types.go
  • api/core/v1beta2/machine_types.go
  • api/ipam/v1alpha1/conversion.go
  • api/runtime/hooks/v1alpha1/common_types.go
  • api/runtime/hooks/v1alpha1/lifecyclehooks_types.go
  • api/runtime/hooks/v1alpha1/topologymutation_types.go
  • api/runtime/hooks/v1alpha1/topologymutation_variable_types.go
  • bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml
  • bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml
  • bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigs.yaml
  • bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigtemplates.yaml
  • bootstrap/kubeadm/config/manager/manager.yaml
  • bootstrap/kubeadm/config/webhook/manifests.yaml
  • bootstrap/kubeadm/internal/cloudinit/cloudinit_test.go
  • bootstrap/kubeadm/internal/cloudinit/disk_setup.go
  • bootstrap/kubeadm/internal/cloudinit/utils.go
  • bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
  • bootstrap/kubeadm/internal/controllers/suite_test.go
  • bootstrap/kubeadm/internal/locking/control_plane_init_mutex.go
  • bootstrap/kubeadm/internal/setup/setup.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfig.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfig_test.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfigtemplate.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfigtemplate_test.go
  • bootstrap/kubeadm/main.go
  • bootstrap/util/configowner_test.go
  • bootstrap/util/suite_test.go
  • cmd/clusterctl/Dockerfile
  • cmd/clusterctl/client/cluster/cert_manager.go
  • cmd/clusterctl/client/cluster/cert_manager_test.go
  • cmd/clusterctl/client/cluster/mover.go
  • cmd/clusterctl/client/cluster/template.go
  • cmd/clusterctl/client/cluster/template_test.go
  • cmd/clusterctl/client/cluster/upgrader.go
  • cmd/clusterctl/client/cluster/upgrader_test.go
  • cmd/clusterctl/client/config/imagemeta_client.go
  • cmd/clusterctl/client/config/imagemeta_client_test.go
  • cmd/clusterctl/client/config/providers_client.go
  • cmd/clusterctl/client/config_test.go
  • cmd/clusterctl/client/repository/repository_github.go
  • cmd/clusterctl/client/repository/repository_github_test.go
  • cmd/clusterctl/client/upgrade.go
  • cmd/clusterctl/cmd/config_repositories_test.go
  • cmd/clusterctl/cmd/describe_cluster.go
  • cmd/clusterctl/cmd/upgrade_apply.go
  • cmd/clusterctl/cmd/version_checker.go
  • cmd/clusterctl/config/crd/bases/clusterctl.cluster.x-k8s.io_metadata.yaml
  • cmd/clusterctl/config/crd/bases/clusterctl.cluster.x-k8s.io_providers.yaml
  • cmd/clusterctl/config/manifest/clusterctl-api.yaml
  • cmd/clusterctl/hack/create-local-repository.py
  • cmd/clusterctl/internal/test/fake_github.go
  • cmd/clusterctl/internal/test/fake_reader.go
  • config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesetbindings.yaml
  • config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesets.yaml
  • config/crd/bases/cluster.x-k8s.io_clusterclasses.yaml
  • config/crd/bases/cluster.x-k8s.io_clusters.yaml
  • config/crd/bases/cluster.x-k8s.io_machinedeployments.yaml
  • config/crd/bases/cluster.x-k8s.io_machinedrainrules.yaml
  • config/crd/bases/cluster.x-k8s.io_machinehealthchecks.yaml
  • config/crd/bases/cluster.x-k8s.io_machinepools.yaml
  • config/crd/bases/cluster.x-k8s.io_machines.yaml
  • config/crd/bases/cluster.x-k8s.io_machinesets.yaml
  • config/crd/bases/ipam.cluster.x-k8s.io_ipaddressclaims.yaml
  • config/crd/bases/ipam.cluster.x-k8s.io_ipaddresses.yaml
  • config/crd/bases/runtime.cluster.x-k8s.io_extensionconfigs.yaml
  • config/crd/patches/webhook_in_clusterclasses.yaml
  • config/crd/patches/webhook_in_clusterresourcesetbindings.yaml
  • config/crd/patches/webhook_in_clusterresourcesets.yaml
  • config/crd/patches/webhook_in_clusters.yaml
  • config/crd/patches/webhook_in_extensionconfigs.yaml
  • config/crd/patches/webhook_in_ipaddressclaims.yaml
  • config/crd/patches/webhook_in_ipaddresses.yaml
  • config/crd/patches/webhook_in_machinedeployments.yaml
  • config/crd/patches/webhook_in_machinedrainrules.yaml
  • config/crd/patches/webhook_in_machinehealthchecks.yaml
  • config/crd/patches/webhook_in_machinepools.yaml
  • config/crd/patches/webhook_in_machines.yaml
  • config/crd/patches/webhook_in_machinesets.yaml
  • config/manager/manager.yaml
  • config/metrics/crd-metrics-config.yaml
  • config/webhook/manifests.yaml
  • controllers/clustercache/cluster_accessor.go
  • controllers/clustercache/cluster_accessor_client.go
  • controllers/clustercache/cluster_accessor_test.go
  • controllers/clustercache/cluster_cache.go
  • controllers/clustercache/cluster_cache_test.go
  • controllers/crdmigrator/crd_migrator.go
  • controllers/crdmigrator/test/t1/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controllers/crdmigrator/test/t2/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controllers/crdmigrator/test/t3/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controllers/crdmigrator/test/t4/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
  • controlplane/kubeadm/config/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanetemplates.yaml
  • controlplane/kubeadm/config/crd/patches/webhook_in_kubeadmcontrolplanes.yaml
  • controlplane/kubeadm/config/crd/patches/webhook_in_kubeadmcontrolplanetemplates.yaml
  • controlplane/kubeadm/config/manager/manager.yaml
  • controlplane/kubeadm/config/webhook/manifests.yaml
  • controlplane/kubeadm/internal/cluster.go
  • controlplane/kubeadm/internal/cluster_test.go
  • controlplane/kubeadm/internal/clustercache_utils.go
  • controlplane/kubeadm/internal/control_plane.go
  • controlplane/kubeadm/internal/control_plane_test.go
  • controlplane/kubeadm/internal/controllers/controller.go
  • controlplane/kubeadm/internal/controllers/controller_test.go
  • controlplane/kubeadm/internal/controllers/fakes_test.go
  • controlplane/kubeadm/internal/controllers/helpers.go
  • controlplane/kubeadm/internal/controllers/inplace.go
  • controlplane/kubeadm/internal/controllers/inplace_canupdatemachine.go
  • controlplane/kubeadm/internal/controllers/inplace_trigger.go
  • controlplane/kubeadm/internal/controllers/remediation.go
  • controlplane/kubeadm/internal/controllers/remediation_test.go
  • controlplane/kubeadm/internal/controllers/scale.go
  • controlplane/kubeadm/internal/controllers/scale_test.go
  • controlplane/kubeadm/internal/controllers/status.go
  • controlplane/kubeadm/internal/controllers/status_test.go
  • controlplane/kubeadm/internal/controllers/suite_test.go
  • controlplane/kubeadm/internal/controllers/update_test.go
  • controlplane/kubeadm/internal/desiredstate/desired_state.go
  • controlplane/kubeadm/internal/desiredstate/desired_state_test.go
  • controlplane/kubeadm/internal/etcd/etcd_test.go
  • controlplane/kubeadm/internal/etcd/fake/client.go
  • controlplane/kubeadm/internal/setup/setup.go
  • controlplane/kubeadm/internal/suite_test.go
  • controlplane/kubeadm/internal/webhooks/kubeadmcontrolplane.go
  • controlplane/kubeadm/internal/webhooks/kubeadmcontrolplane_test.go
  • controlplane/kubeadm/internal/webhooks/kubeadmcontrolplanetemplate.go
  • controlplane/kubeadm/internal/webhooks/scale.go
  • controlplane/kubeadm/internal/workload_cluster.go
  • controlplane/kubeadm/internal/workload_cluster_conditions.go
  • controlplane/kubeadm/internal/workload_cluster_conditions_test.go
  • controlplane/kubeadm/internal/workload_cluster_coredns.go
  • controlplane/kubeadm/internal/workload_cluster_etcd.go
  • controlplane/kubeadm/internal/workload_cluster_etcd_test.go
  • controlplane/kubeadm/internal/workload_cluster_test.go
  • controlplane/kubeadm/main.go
  • docs/book/src/SUMMARY.md
  • docs/book/src/clusterctl/configuration.md
  • docs/book/src/developer/core/logging.md
  • docs/book/src/developer/core/tilt.md
  • docs/book/src/developer/providers/contracts/bootstrap-config.md
  • docs/book/src/developer/providers/contracts/clusterctl.md
  • docs/book/src/developer/providers/contracts/control-plane.md
  • docs/book/src/developer/providers/contracts/infra-cluster.md
  • docs/book/src/developer/providers/contracts/infra-machine.md
  • docs/book/src/developer/providers/contracts/infra-machinepool.md
  • docs/book/src/developer/providers/getting-started/webhooks.md
  • docs/book/src/developer/providers/migrations/v1.10-to-v1.11.md
  • docs/book/src/developer/providers/migrations/v1.12-to-v1.13.md
  • docs/book/src/developer/providers/migrations/v1.9-to-v1.10.md
  • docs/book/src/images/kubeadm-control-plane-machines-resources.plantuml
  • docs/book/src/images/worker-machines-resources.plantuml
  • docs/book/src/introduction.md
  • docs/book/src/reference/api/crd-api-reference-v1beta1.md
  • docs/book/src/reference/api/crd-api-reference.md
  • docs/book/src/reference/api/crd-relationships.md
  • docs/book/src/reference/api/reference.md
  • docs/book/src/reference/versions.md
  • docs/book/src/tasks/automated-machine-management/healthchecking.md
  • docs/book/src/tasks/automated-machine-management/scaling.md
  • docs/book/src/tasks/cluster-resource-set.md
  • docs/book/src/tasks/diagnostics.md
  • docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md
  • docs/book/src/tasks/experimental-features/experimental-features.md
  • docs/book/src/tasks/experimental-features/machine-pools.md
  • docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
  • docs/book/src/tasks/experimental-features/runtime-sdk/index.md
  • docs/book/src/tasks/external-etcd.md
  • docs/book/src/tasks/using-kustomize.md
  • docs/book/src/user/quick-start.md
  • docs/proposals/20200506-conditions.md
  • docs/proposals/20210310-opt-in-autoscaling-from-zero.md
  • docs/proposals/20220330-topology-mutation-hook.md
  • docs/proposals/20240916-improve-status-in-CAPI-resources.md
  • docs/proposals/20250124-From CAPD(docker) to CAPD(dev) .md
  • docs/release/releases/release-1.13.md
  • docs/release/role-handbooks/ci-signal/README.md
  • docs/release/role-handbooks/release-lead/README.md
  • exp/topology/desiredstate/desired_state.go
  • exp/topology/desiredstate/desired_state_test.go
  • exp/topology/desiredstate/lifecycle_hooks.go
  • exp/topology/desiredstate/lifecycle_hooks_test.go
  • exp/topology/desiredstate/upgrade_plan.go
  • exp/topology/desiredstate/upgrade_plan_test.go
  • feature/feature.go
  • go.mod
  • hack/crd-ref-docs-config-v1beta1.yaml
  • hack/crd-ref-docs-config-v1beta2.yaml
  • hack/ensure-go.sh
  • hack/gogcflags.sh
  • hack/kind-install.sh
  • hack/observability/alloy/kustomization.yaml
  • hack/observability/grafana/chart/kustomization.yaml
  • hack/observability/grafana/dashboards/cluster-api-mgmt-apiserver-requests.json
  • hack/observability/grafana/dashboards/cluster-api-performance.json
  • hack/observability/grafana/dashboards/cluster-api-state.json
  • hack/observability/grafana/dashboards/cluster-api-wl-apiserver-requests.json
  • hack/observability/grafana/dashboards/controller-runtime.json
  • hack/observability/grafana/dashboards/runtime-extensions.json
  • hack/observability/kube-state-metrics/kustomization.yaml
  • hack/observability/loki/kustomization.yaml
  • hack/observability/loki/values.yaml
  • hack/observability/metrics-server/kustomization.yaml
  • hack/observability/parca/values.yaml
  • hack/observability/prometheus/kustomization.yaml
  • hack/observability/prometheus/values.yaml
  • hack/observability/tempo/kustomization.yaml
  • hack/observability/visualizer/kustomization.yaml
  • hack/tools/go.mod
  • hack/tools/internal/tilt-prepare/main.go
  • hack/tools/prowjob-gen/config.go
  • hack/tools/prowjob-gen/test/test-configuration.yaml
  • hack/tools/prowjob-gen/test/test-main.yaml.golden
  • hack/tools/prowjob-gen/test/test.yaml.tpl
  • hack/tools/release/internal/update_providers/provider_issues.go
  • hack/tools/release/weekly/main.go
  • hack/tools/runtime-openapi-gen/main.go
💤 Files with no reviewable changes (7)
  • .trivyignore
  • .github/workflows/pr-gh-workflow-approve.yaml
  • controllers/clustercache/cluster_accessor_test.go
  • cmd/clusterctl/client/cluster/upgrader_test.go
  • config/webhook/manifests.yaml
  • bootstrap/util/suite_test.go
  • bootstrap/kubeadm/config/webhook/manifests.yaml
✅ Files skipped from review due to trivial changes (62)
  • .github/workflows/pr-md-link-check.yaml
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfigtemplate_test.go
  • bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigs.yaml
  • config/crd/patches/webhook_in_clusterresourcesets.yaml
  • config/crd/patches/webhook_in_machines.yaml
  • cmd/clusterctl/config/crd/bases/clusterctl.cluster.x-k8s.io_providers.yaml
  • config/crd/bases/ipam.cluster.x-k8s.io_ipaddresses.yaml
  • .github/workflows/weekly-md-link-check.yaml
  • cmd/clusterctl/client/repository/repository_github.go
  • cmd/clusterctl/config/manifest/clusterctl-api.yaml
  • config/manager/manager.yaml
  • cmd/clusterctl/client/cluster/template_test.go
  • CONTRIBUTING.md
  • cmd/clusterctl/config/crd/bases/clusterctl.cluster.x-k8s.io_metadata.yaml
  • cmd/clusterctl/cmd/version_checker.go
  • bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigtemplates.yaml
  • config/crd/patches/webhook_in_clusterresourcesetbindings.yaml
  • config/crd/patches/webhook_in_ipaddressclaims.yaml
  • config/crd/patches/webhook_in_machinehealthchecks.yaml
  • config/crd/patches/webhook_in_extensionconfigs.yaml
  • bootstrap/kubeadm/config/manager/manager.yaml
  • controllers/crdmigrator/test/t4/crd/test.cluster.x-k8s.io_testclusters.yaml
  • controllers/crdmigrator/test/t3/crd/test.cluster.x-k8s.io_testclusters.yaml
  • config/crd/patches/webhook_in_machinepools.yaml
  • config/crd/patches/webhook_in_machinedeployments.yaml
  • cmd/clusterctl/internal/test/fake_github.go
  • controllers/crdmigrator/test/t1/crd/test.cluster.x-k8s.io_testclusters.yaml
  • cmd/clusterctl/hack/create-local-repository.py
  • config/crd/patches/webhook_in_machinesets.yaml
  • config/crd/patches/webhook_in_clusterclasses.yaml
  • cmd/clusterctl/client/config/providers_client.go
  • config/crd/bases/cluster.x-k8s.io_machinedrainrules.yaml
  • api/controlplane/kubeadm/v1beta1/kubeadm_control_plane_types.go
  • .github/workflows/weekly-test-release.yaml
  • controllers/crdmigrator/test/t2/crd/test.cluster.x-k8s.io_testclusters.yaml
  • CHANGELOG/v1.12.1.md
  • .dockerignore
  • api/core/v1beta2/common_types.go
  • CHANGELOG/v1.10.9.md
  • cmd/clusterctl/client/config/imagemeta_client.go
  • CHANGELOG/v1.12.2.md
  • api/core/v1beta1/common_types.go
  • api/core/v1beta1/machine_types.go
  • config/crd/patches/webhook_in_ipaddresses.yaml
  • config/crd/patches/webhook_in_machinedrainrules.yaml
  • CHANGELOG/v1.12.3.md
  • bootstrap/kubeadm/internal/cloudinit/disk_setup.go
  • CHANGELOG/v1.11.6.md
  • api/core/v1beta2/condition_types.go
  • config/metrics/crd-metrics-config.yaml
  • CHANGELOG/v1.11.4.md
  • CHANGELOG/v1.11.7.md
  • controllers/clustercache/cluster_cache_test.go
  • .github/workflows/release.yaml
  • api/runtime/hooks/v1alpha1/topologymutation_variable_types.go
  • CHANGELOG/v1.12.4.md
  • bootstrap/kubeadm/internal/setup/setup.go
  • config/crd/patches/webhook_in_clusters.yaml
  • .golangci.yml
  • api/core/v1beta1/cluster_types.go
  • api/runtime/hooks/v1alpha1/lifecyclehooks_types.go
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfig.go
🚧 Files skipped from review as they are similar to previous changes (28)
  • bootstrap/kubeadm/internal/webhooks/kubeadmconfig_test.go
  • cmd/clusterctl/client/cluster/template.go
  • api/runtime/hooks/v1alpha1/topologymutation_types.go
  • .github/workflows/weekly-security-scan.yaml
  • cmd/clusterctl/cmd/config_repositories_test.go
  • api/core/v1beta2/machine_types.go
  • config/crd/bases/addons.cluster.x-k8s.io_clusterresourcesetbindings.yaml
  • api/controlplane/kubeadm/v1beta2/kubeadmcontrolplanetemplate_types.go
  • cmd/clusterctl/client/repository/repository_github_test.go
  • cmd/clusterctl/client/cluster/mover.go
  • cmd/clusterctl/client/config/imagemeta_client_test.go
  • .golangci-kal.yml
  • api/ipam/v1alpha1/conversion.go
  • Tiltfile
  • api/controlplane/kubeadm/v1beta1/conversion.go
  • controllers/clustercache/cluster_accessor.go
  • api/bootstrap/kubeadm/v1beta1/kubeadm_types.go
  • api/core/v1beta1/conversion_test.go
  • config/crd/bases/cluster.x-k8s.io_machinepools.yaml
  • api/core/v1beta2/cluster_types.go
  • controllers/clustercache/cluster_cache.go
  • api/controlplane/kubeadm/v1beta2/kubeadm_control_plane_types.go
  • config/crd/bases/cluster.x-k8s.io_clusterclasses.yaml
  • config/crd/bases/cluster.x-k8s.io_machines.yaml
  • controllers/clustercache/cluster_accessor_client.go
  • api/core/v1beta1/conversion.go
  • config/crd/bases/cluster.x-k8s.io_machinesets.yaml
  • bootstrap/kubeadm/main.go

Comment on lines 68 to 78
func RestoreKubeadmConfigSpec(restored *bootstrapv1.KubeadmConfigSpec, dst *bootstrapv1.KubeadmConfigSpec) {
// Restore fields added in v1beta2
// Note: Because timeout fields partially exist already in v1beta1 we are using the conversion annotation
// instead of backporting the entire timeout fields to v1beta1 and then having some duplicate timeout fields.
if restored.InitConfiguration.IsDefined() && !reflect.DeepEqual(restored.InitConfiguration.Timeouts, bootstrapv1.Timeouts{}) {
dst.InitConfiguration.Timeouts = restored.InitConfiguration.Timeouts
}
if restored.JoinConfiguration.IsDefined() && !reflect.DeepEqual(restored.JoinConfiguration.Timeouts, bootstrapv1.Timeouts{}) {
dst.JoinConfiguration.Timeouts = restored.JoinConfiguration.Timeouts
}
if restored.ClusterConfiguration.CertificateValidityPeriodDays != 0 || restored.ClusterConfiguration.CACertificateValidityPeriodDays != 0 {
if restored.ClusterConfiguration.CertificateValidityPeriodDays != 0 {
dst.ClusterConfiguration.CertificateValidityPeriodDays = restored.ClusterConfiguration.CertificateValidityPeriodDays
}
if restored.ClusterConfiguration.CACertificateValidityPeriodDays != 0 {
dst.ClusterConfiguration.CACertificateValidityPeriodDays = restored.ClusterConfiguration.CACertificateValidityPeriodDays
}
}
if restored.ClusterConfiguration.EncryptionAlgorithm != "" {
dst.ClusterConfiguration.EncryptionAlgorithm = restored.ClusterConfiguration.EncryptionAlgorithm
}
}
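
Review bot: the outer `if restored.ClusterConfiguration.CertificateValidityPeriodDays != 0 || restored.ClusterConfiguration.CACertificateValidityPeriodDays != 0` wrapper is redundant, because each of the two branches inside it repeats its own `!= 0` test. If this restore block stays, flatten it to three independent checks in the same shape as the `EncryptionAlgorithm != ""` check that follows, so the three certificate-related fields are handled uniformly and are easier to audit.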

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep restoring the newly backported ClusterConfiguration fields for older annotated objects.

After this change, CertificateValidityPeriodDays, CACertificateValidityPeriodDays, and EncryptionAlgorithm are no longer recovered from the stored hub annotation. That works for objects written after the backport, but pre-upgrade v1beta1 objects can still have those values only in the annotation, so a v1beta1 -> v1beta2 conversion will now silently drop them. Please keep the restore path until those objects are rewritten, or only skip the annotation value when the spoke field is already populated.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/bootstrap/kubeadm/v1beta1/conversion.go` around lines 68 - 78, The
conversion currently restores only InitConfiguration and JoinConfiguration
timeouts; you must also preserve backported ClusterConfiguration fields by
copying CertificateValidityPeriodDays, CACertificateValidityPeriodDays, and
EncryptionAlgorithm from the restored object into dst when those fields are
present in restored but unset/zero in dst; update RestoreKubeadmConfigSpec to
check restored.ClusterConfiguration (or
restored.ClusterConfiguration.IsDefined() if available) and for each of
CertificateValidityPeriodDays, CACertificateValidityPeriodDays, and
EncryptionAlgorithm assign dst.ClusterConfiguration.<field> =
restored.ClusterConfiguration.<field> only when dst.ClusterConfiguration.<field>
is empty/zero to avoid overwriting existing spoke values.

Comment on lines +411 to +435
func (c *KubeadmConfigSpec) validateDiskSetup(pathPrefix *field.Path) field.ErrorList {
var allErrs field.ErrorList

for i, partition := range c.DiskSetup.Partitions {
if len(partition.DiskLayout) > 0 {
var totalPercentage int32
for _, layout := range partition.DiskLayout {
totalPercentage += layout.Percentage
}

if totalPercentage > 100 {
allErrs = append(
allErrs,
field.Invalid(
pathPrefix.Child("diskSetup", "partitions").Index(i).Child("diskLayout"),
totalPercentage,
"the sum of all partition percentages must not be greater than 100",
),
)
}
}
}

return allErrs
}
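
Review bot: the check in validateDiskSetup bounds only the sum (`totalPercentage > 100`), so within these lines nothing rejects an individual `layout.Percentage` that is zero or negative, and a negative entry can pull an otherwise oversized layout back under 100. Unless the field is already constrained by a schema marker outside this hunk, add a per-entry check inside the inner loop that reports `field.Invalid` against that entry's own index, and keep the sum check as the second step.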

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether the Ignition rendering path (internal/ignition) handles DiskLayout
rg -n --type go "DiskLayout" -C 4 -- bootstrap/kubeadm/internal/ignition/

Repository: openshift/cluster-api

Length of output: 47


🏁 Script executed:

# Search for validateIgnition function
rg -n "validateIgnition" --type go api/bootstrap/kubeadm/v1beta2/

Repository: openshift/cluster-api

Length of output: 328


🏁 Script executed:

# Look at the ignition directory structure
find . -path "*bootstrap/kubeadm/internal/ignition*" -type f -name "*.go" | head -20

Repository: openshift/cluster-api

Length of output: 273


🏁 Script executed:

# Search more broadly for DiskLayout and format ignition handling
rg -n "format.*ignition\|ignition.*format" --type go -i api/bootstrap/kubeadm/ | head -30

Repository: openshift/cluster-api

Length of output: 47


🏁 Script executed:

# Check the kubeadmconfig_types.go file around the validateDiskSetup to find validateIgnition
rg -n "func.*validate" --type go api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go | head -20

Repository: openshift/cluster-api

Length of output: 424


🏁 Script executed:

# Read validateIgnition function starting at line 303
sed -n '303,410p' api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go

Repository: openshift/cluster-api

Length of output: 2424


🏁 Script executed:

# Read the ignition.go file to understand DiskLayout handling
cat -n bootstrap/kubeadm/internal/ignition/ignition.go

Repository: openshift/cluster-api

Length of output: 4867


🏁 Script executed:

# Find disk_setup.go
find . -name "disk_setup.go" -type f

Repository: openshift/cluster-api

Length of output: 118


🏁 Script executed:

# Search for how DiskLayout is handled in cloud-init rendering
rg -n "DiskLayout" --type go -C 3 bootstrap/kubeadm/internal/cloudinit/

Repository: openshift/cluster-api

Length of output: 4222


🏁 Script executed:

# Check if BaseUserData includes DiskSetup
rg -n "type BaseUserData" --type go -A 20 bootstrap/kubeadm/internal/cloudinit/

Repository: openshift/cluster-api

Length of output: 1865


🏁 Script executed:

# Check how BaseUserData with DiskSetup is passed to the ignition rendering
rg -n "BaseUserData\|DiskSetup" bootstrap/kubeadm/internal/ignition/ignition.go -B 2 -A 2

Repository: openshift/cluster-api

Length of output: 47


🏁 Script executed:

# Check clc.Render function to see if it uses DiskSetup
rg -n "func Render" bootstrap/kubeadm/internal/ignition/clc/clc.go -A 30

Repository: openshift/cluster-api

Length of output: 1294


🏁 Script executed:

# Find renderCLC function to see if it processes DiskSetup
rg -n "func renderCLC" bootstrap/kubeadm/internal/ignition/clc/clc.go -A 30

Repository: openshift/cluster-api

Length of output: 1172


🏁 Script executed:

# Search for disk_setup template usage in ignition rendering
rg -n "disk_setup\|DiskSetup" bootstrap/kubeadm/internal/ignition/clc/clc.go -B 2 -A 2

Repository: openshift/cluster-api

Length of output: 47


🏁 Script executed:

# Find the clcTemplate to see if it references disk_setup
rg -n "clcTemplate\|disk_setup" bootstrap/kubeadm/internal/ignition/clc/clc.go -B 2 -A 2

Repository: openshift/cluster-api

Length of output: 47


🏁 Script executed:

# Get the clcTemplate definition - look at the end of clc.go file
tail -300 bootstrap/kubeadm/internal/ignition/clc/clc.go | head -150

Repository: openshift/cluster-api

Length of output: 4030


validateIgnition should forbid DiskLayout on partitions.

validateIgnition forbids other cloud-init-specific fields (bootCommands, replaceFS, partition, non-gpt table types, gzip encoding) but does not forbid DiskLayout. The Ignition template (clcTemplate in bootstrap/kubeadm/internal/ignition/clc/clc.go) does not reference DiskLayout; it only uses the Layout field. Meanwhile, the cloud-init rendering uses DiskLayout to generate the layout: section in disk_setup.go. Users setting diskLayout with format: ignition would have their configuration silently ignored, creating a confusing failure mode without validation feedback.

Add validation to forbid DiskLayout on partitions when format: ignition:

 	for i, partition := range c.DiskSetup.Partitions {
 		if partition.TableType != "" && partition.TableType != "gpt" {
 			// ...existing tableType check...
 		}
+		if len(partition.DiskLayout) > 0 {
+			allErrs = append(
+				allErrs,
+				field.Forbidden(
+					pathPrefix.Child("diskSetup", "partitions").Index(i).Child("diskLayout"),
+					cannotUseWithIgnition,
+				),
+			)
+		}
 	}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/bootstrap/kubeadm/v1beta2/kubeadmconfig_types.go` around lines 411 - 435,
The validateIgnition function must reject any Partition.DiskLayout entries when
spec.Format is "ignition"; update KubeadmConfigSpec.validateIgnition to iterate
c.DiskSetup.Partitions and for each partition with len(partition.DiskLayout) > 0
append a field.Forbidden (using
pathPrefix.Child("diskSetup","partitions").Index(i).Child("diskLayout")) with a
clear message such as "diskLayout is not supported when format is ignition" so
users get a validation error instead of silently ignored configuration.

Comment on lines +170 to +175
// timeout is the duration that a Machine must be in a given status for,
// after which the Machine is considered unhealthy.
// For example, with a value of "1h", the Machine must match the status
// for at least 1 hour before being considered unhealthy.
// +required
Timeout metav1.Duration `json:"timeout"`
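
Review bot: the doc comment on `Timeout` does not say what a zero, negative or sub-second duration means, and the field is a non-pointer `metav1.Duration` marked `+required` with no bound visible in this hunk, so a value such as `0s` is accepted as written. State the accepted range in the comment and back it with validation; a minimum of one second in whole-second steps would also keep the value well defined when the documented "at least 1 hour" style of use is the intent.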

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n -C3 'UnhealthyMachineCondition|timeoutSeconds|Timeout' \
  api/core/v1beta1/conversion.go \
  api/core/v1beta1/conversion_test.go

Repository: openshift/cluster-api

Length of output: 42771


🏁 Script executed:

# Find the clusterv1 package conversion functions
find . -type f -name "*.go" | xargs grep -l "ConvertToSeconds\|ConvertFromSeconds" | head -5

Repository: openshift/cluster-api

Length of output: 319


🏁 Script executed:

# Search for the v1beta2 UnhealthyMachineCondition type definition
rg -n "type UnhealthyMachineCondition" --type go | grep -v v1beta1

Repository: openshift/cluster-api

Length of output: 410


🏁 Script executed:

# Check if there are validation rules on the v1beta1 Timeout field
rg -n "Timeout.*metav1.Duration" api/core/v1beta1/machinehealthcheck_types.go -A 5

Repository: openshift/cluster-api

Length of output: 1234


🏁 Script executed:

# View the v1beta2 UnhealthyMachineCondition definition
sed -n '245,260p' api/core/v1beta2/machinehealthcheck_types.go

Repository: openshift/cluster-api

Length of output: 994


🏁 Script executed:

# Find and view the ConvertToSeconds function implementation
rg -n "func ConvertToSeconds" api/core/ -A 10

Repository: openshift/cluster-api

Length of output: 665


🏁 Script executed:

# Find and view the ConvertFromSeconds function implementation
rg -n "func ConvertFromSeconds" api/core/ -A 10

Repository: openshift/cluster-api

Length of output: 939


Constrain Timeout to second-granularity values matching v1beta2's int32 representation.

The v1beta1 field accepts any metav1.Duration, but the conversion to v1beta2 is lossy. ConvertToSeconds() truncates sub-second precision via math.Trunc() and clamps values exceeding int32 max seconds. A v1beta1 client submitting 500ms converts to 0 seconds in v1beta2 and round-trips back as 0 duration. Similarly, negative durations and durations exceeding ~68 years get truncated or clamped. Either add validation to reject invalid values (e.g., minimum: 1 second, maximum bounds) or change Timeout to *int32 (seconds only) to match the hub version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/core/v1beta1/machinehealthcheck_types.go` around lines 170 - 175, The
Timeout field currently uses metav1.Duration which allows sub-second, negative,
and very large values that are lossy when converted via ConvertToSeconds() to
v1beta2; to fix, either change the Timeout type to *int32 (seconds) to match the
v1beta2 hub representation and update all conversion helpers/CRD tags to accept
seconds-only, or keep metav1.Duration but add strict validation (e.g., in the
MachineHealthCheck webhook/Validate methods) to reject values < 1s, reject
negative durations, and reject values > math.MaxInt32 seconds and any sub-second
precision (truncate/rounding not allowed); update ConvertToSeconds usage and
conversion functions to assume the new seconds-only contract and add clear error
messages referencing Timeout and ConvertToSeconds so clients receive validation
failures instead of silent truncation.
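
The truncation and clamping described in the comment above, modelled as an added example that is not the project's code. `toSeconds`, `fromSeconds`, `roundTrips` and `validateTimeout` are hypothetical stand-ins written from the comment's description (truncate sub-seconds, clamp to int32); the project's `ConvertToSeconds` is not reproduced, and the sample durations are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// toSeconds is a stand-in for the lossy spoke-to-hub conversion the comment
// describes: sub-second precision is truncated and the result is clamped to
// the int32 range. Hypothetical helper, not the project's ConvertToSeconds.
func toSeconds(d time.Duration) int32 {
	s := math.Trunc(d.Seconds())
	switch {
	case s > math.MaxInt32:
		return math.MaxInt32
	case s < math.MinInt32:
		return math.MinInt32
	}
	return int32(s)
}

// fromSeconds is the hub-to-spoke direction: whole seconds back to a duration.
func fromSeconds(s int32) time.Duration {
	return time.Duration(s) * time.Second
}

// roundTrips reports whether d survives spoke -> hub -> spoke unchanged.
func roundTrips(d time.Duration) bool {
	return fromSeconds(toSeconds(d)) == d
}

var (
	errTooSmall  = errors.New("timeout must be at least 1s")
	errSubSecond = errors.New("timeout must be a whole number of seconds")
	errTooLarge  = errors.New("timeout must fit in int32 seconds")
)

// validateTimeout is the "reject instead of silently truncating" option:
// every value it accepts is one that roundTrips reports as lossless.
func validateTimeout(d time.Duration) error {
	switch {
	case d < time.Second:
		return errTooSmall // covers zero and negative durations too
	case d%time.Second != 0:
		return errSubSecond
	case d/time.Second > math.MaxInt32:
		return errTooLarge
	}
	return nil
}

func main() {
	// Constructed sample values, chosen to hit each failure mode.
	samples := []time.Duration{
		500 * time.Millisecond,  // truncates to 0
		1500 * time.Millisecond, // truncates to 1s
		-time.Second,            // representable, but meaningless as a timeout
		time.Hour,               // lossless
		876000 * time.Hour,      // about 100 years, clamps to MaxInt32
	}
	for _, d := range samples {
		fmt.Printf("%-16v hub=%-11d roundTrips=%-5t validate=%v\n",
			d, toSeconds(d), roundTrips(d), validateTimeout(d))
	}
}
```
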

Comment thread CHANGELOG/v1.12.0-rc.1.md
Comment on lines +85 to +311
<details>
<summary>More details about the release</summary>

## Changes since v1.11.0
## :chart_with_upwards_trend: Overview
- 287 new commits merged
- 5 breaking changes :warning:
- 42 feature additions ✨
- 42 bugs fixed 🐛

## :warning: Breaking Changes
- CI: Improve KAL config docs for forbidding OpenAPI defaulting (#12869)
- clusterctl: Block move when Cluster or ClusterClass is paused (#12786)
- Dependency: Bump to controller-runtime v0.22 & controller-tools v0.19 (#12634)
- Runtime SDK: Improve chained upgrade observability (#12973)
- Runtime SDK: Make the AfterClusterUpgrade hook blocking (#12984)

## :sparkles: New Features
- API/Machine/MachineSet/MachineDeployment: Machine related API changes, conversion and feature gate (#12936)
- CABPK: Add EncryptionAlgorithm to Kubeadmconfig (#12859)
- CAPD: Add scale from/to 0 support for CAPD (#12572)
- CI: Bump autoscaler to a9cb59fdd (#12643)
- CI: Bump Kubernetes in tests to v1.34.0 and claim support for v1.34 (#12699)
- ClusterCache/KCP: Deprecate GetClientCertificatePrivateKey and stop using it in KCP (#12846)
- ClusterCache: Add GetUncachedClient() (#12803)
- ClusterClass: Add .spec.upgrade.external.generateUpgradePlanExtension field to ClusterClass (#12809)
- ClusterClass: Add types and hook for GenerateUpgradePlan (#12823)
- ClusterClass: Additional validation in Cluster/ClusterClass webhook for chained upgrades (#12816)
- ClusterClass: Call GenerateUpgradePlanRequest Runtime Extension (#12903)
- ClusterClass: Implement core logic for chained upgrades (#12726)
- clusterctl: Add conditions filter for clusterctl describe (#12991)
- Control-plane: Add new control-plane provider HCP (#12800)
- e2e: Bump Kubernetes version used for testing to v1.34.0-rc.1 (#12623)
- e2e: Bump Kubernetes version used for testing to v1.34.0-rc.2 (#12658)
- e2e: Bump Kubernetes version used for testing to v1.35.0-beta.0 (#13029)
- e2e: Change RuntimeSDK e2e test ClusterClass to use GenerateUpgradePlan extension (#12955)
- e2e: Implement e2e test for in-place updates (#12938)
- KCP/CABPK/CI: Bump KAL to pick up latest requiredfields linter, add Min/MaxLength to BootstrapToken (#12563)
- KCP/MachineSet: Refactor BootstrapConfig/InfraMachine managedFields for in-place (#12890)
- KCP: Bump coredns/corefile-migration to v1.0.28 (#12748)
- KCP: Bump coredns/corefile-migration to v1.0.29 (#12862)
- KCP: Bump corefile-migration to v1.0.27 (#12636)
- KCP: Compare ClusterConfiguration via KubeadmConfig instead of annotation on Machine (#12758)
- KCP: Extend rollout logic for in-place updates (#12840)
- KCP: Implement CanUpdateMachine (#12857)
- KCP: Implement trigger in-place update (#12897)
- Machine: Add in-place updates support for machine controller (#12831)
- MachineDeployment: Add in-place to rollout planner (#12865)
- MachineDeployment: Implement CanUpdateMachineSet (#12965)
- MachineHealthCheck: Add support for checking Machine conditions in MachineHealthCheck (#12827)
- Misc: Add inplace updates featuregate (#12755)
- Misc: Improve logs, errors and conditions (#12992)
- Misc: Introduce & use wait for cache utils (#12957)
- Misc: Introduce reconciler rate-limiting and hook caching (#13006)
- Runtime SDK/IPAM/MachinePool: Cleanup exp packages (#12651)
- Runtime SDK: Add in-place update hooks to API (#12343)
- Runtime SDK: Add lifecycle hooks for chained-upgrade (#12878)
- Runtime SDK: Call new lifecycle hooks for chained-upgrades (#12891)
- Runtime SDK: Ensure ExtensionConfig controller can be used outside of the core provider (#12754)
- Runtime SDK: Implement GenerateUpgradePlan handler (#12927)

## :bug: Bug Fixes
- API: Only try to convert infraRefs if they are set (#12686)
- API: Register conversion funcs in schemes (#12687)
- CABPK: Always use latest apiVersion when getting owner of KubeadmConfig in CABPK (#12685)
- CAPD: CAPD on rootless podman (#12941)
- CAPD: Fix the format error of healthCheck in test templates (#12787)
- CAPD: Remove finalizers during deletion if ownerRef was never set (#12675)
- CAPD: Run CAPD conversion tests in CI (#12583)
- CAPIM: Eliminate data race in DialContext (#12778)
- ClusterClass/MachinePool: Fix MP error in desired state calculation during Cluster creation (#12607)
- ClusterClass: Do not overwrite global http.DefaultClient TLSConfig (#13063)
- ClusterClass: Ensure holder field path in GeneratePatchRequest is set based on contract (#12684)
- ClusterClass: Fix field paths in ClusterClass compatibility validation errors (#12660)
- ClusterClass: Fix wait for cache in reconcile_state.go (#13032)
- ClusterClass: Stop adding conversion-data annotation to Cluster object (#12719)
- ClusterClass: Stop writing zero values for spec.controlPlaneEndpoint to ControlPlane objects (#12958)
- clusterctl: Removing Ready/Available prefix from STATUS Column (#12729)
- clusterctl: Verify providers need upgrade before applying (#12753)
- Devtools: Fix kube-state-metrics deployment (#13024)
- e2e: Do not require kubetest configration if not needed (#12948)
- e2e: Fix autoscaler e2e test flake (#12613)
- e2e: Fix e2e test issues introduced by chained upgrades (#12766)
- e2e: Fix objects with Changed Resource Versions flake (#12848)
- e2e: Fix upgrade runtimesdk test (#12833)
- e2e: Fix WaitForMachinesReady interval (#13051)
- e2e: Increase reconcile timeout for DockerMachine (#13099)
- e2e: Propagate clusterctl variables for cluster upgrades (#12949)
- KCP: Fix ControlPlaneComponentHealthCheckSeconds validation in KubeadmConfigSpec.Validate (#12609)
- KCP: Fix conversion issue in KubeadmControlPlaneTemplate with rolloutStrategy.type (#12608)
- KCP: Fix KCP KubeadmConfig isJoin detection (#13035)
- KCP: Grant `delete` permissions to Secrets. (#13097)
- Machine/MachinePool: Fix MachinePool nodeRef UID mismatch after K8s upgrade (#12392)
- Machine/MachineSet: Use MachineSet template values in completeMoveMachine for in-place updates (#13085)
- MachineDeployment: Fix race conditions ScaleDownOldMS (#12812)
- MachineDeployment: Fix race conditions ScaleDownOldMS OnDelete (#12830)
- MachineDeployment: Fix rollout with unavailable machines (#13020)
- Runtime SDK: Export ExtensionConfig webhook (#12598)
- Testing/e2e: Fix unit test flakes, improve clusterctl download error in e2e tests (#13056)
- Testing: Fix flaky TestFuzzyConversion (Cluster) test (#12618)
- Testing: Fix flaky TestReconcileMachinePhases unit test (#12616)
- Testing: Fix flaky TestReconcileState unit test (#12617)
- Testing: Fix KubeadmConfig fuzz test flake (#12679)
- util: Fix a panic in conditions.Delete method if the sources condition list is empty (#13053)

## :seedling: Others
- API: Relax validation for Machine .status.addresses to maximum of 128 instead of 32 items (#13090)
- Autoscaling: Bump autoscaler in e2e tests to v1.33.1 (#12790)
- CABPK: Migrate from Requeue to RequeueAfter in CABPK (#12988)
- CAPD: Cleanup CAPD exp packages (#12672)
- CAPD: Recreate container if we re-enter reconciliation and it exists but is not running (#12923)
- CI: Add OpenAPI defaulting detection for KubeadmConfig by using forbiddenmarkers (#12851)
- CI: Block FIXME comments (#12772)
- CI: Bump KAL & add nodurations linter (#12743)
- CI: Bump KAL & add nonullable and forbiddenmarkers linter (#12724)
- CI: Bump KAL & drop schemaless excludes (#12646)
- CI: Bump KAL, adjust excludes (#12650)
- CI: Bump Kube API Linter version (#12974)
- CI: Bump softprops/action-gh-release from 2.4.2 to 2.5.0 in the all-github-actions group (#13094)
- CI: Bump to golangci-linter version to v2.4.0 (#12703)
- CI: Update metrics configuration to v1beta2 (#12642)
- Cluster: Allow >1 minor version upgrades if generateUpgradePlan extension is defined (#12979)
- Cluster: Simplify Cluster webhook (#12895)
- ClusterClass: Add input validations for desired state generator function (#12655)
- ClusterClass: Improve topology reconciled condition (#13002)
- clusterctl: Add metal-stack infrastructure provider (#12925)
- clusterctl: Add Metal3 as an IPAMProvider (#12756)
- clusterctl: Allow metadata.yaml's Kind to be empty (#12714)
- clusterctl: Bump cert-manager to v1.19.0 (#12828)
- clusterctl: Bump cert-manager to v1.19.1 (#12873)
- clusterctl: Bumping tablewriter to v1.0.9 - latest (#12781)
- clusterctl: Show Available condition for CP (#12759)
- ClusterResourceSet: Remove deprecated ClusterResourceSet feature gate (#12950)
- Dependency: Bump github.com/go-viper/mapstructure/v2 to fix CVE (#12677)
- Dependency: Bump Go to v1.24.10 (#12962)
- Dependency: Bump Go to v1.24.6 (#12611)
- Dependency: Bump go to v1.24.7 (#12733)
- Dependency: Bump Go to v1.24.8 (#12826)
- Dependency: Bump Go to v1.24.9 (#12867)
- Dependency: Bump golang.org/x/crypto to v0.45 to fix CVE (#13036)
- Dependency: Bump to envtest v1.34.0 (#12702)
- Devtools: Drop ALL groups in tilt (#13001)
- Devtools: Extend CR dashboard to handle capi_reconcile metrics (#13040)
- Devtools: Promtail to alloy migration (#11945)
- Documentation/MachinePool: Add structure for area/machinepool ownership in OWNERS files (#13018)
- e2e: Add quickstart e2e test with v1beta1 with ClusterClass and RuntimeSDK (#12577)
- e2e: Bump autoscaler in e2e tests to v1.34.0 (#12806)
- e2e: Bump pause image in e2e tests to 3.10.1 (default for Kubernetes v1.34) (#12731)
- e2e: Bump to kind v0.30.0 (#12701)
- e2e: Do not expect Machines for MachinePools not supporting Machines (#13077)
- e2e: E2e coverage via md rollout test (#12966)
- e2e: Enable IPv6 test again (#12597)
- e2e: Fix autoscaler test (#12978)
- e2e: Fix kind build git commit setting (#12858)
- e2e: Fix md-rollout test to test in-place taint changes before doing the rollout change (#13031)
- e2e: Fix self-hosted to actually read DOCKER_PRELOAD_IMAGES from the e2e config (#12907)
- e2e: Get kind mgmt cluster logs in clusterctl upgrade test (#12676)
- e2e: Improve check for Cluster Available condition in e2e tests (#12594)
- e2e: Make clusterctl upgrade test to work when there are no machines (#13074)
- e2e: Set startup taint for autoscaler in e2e tests (#12736)
- e2e: Start testing against Kubernetes v1.35 (#12709)
- e2e: Use wait-machine-upgrade timeout in ClusterClassChanges tests to wait for machines to be ready (#13013)
- e2e: Wait for cluster deletion in runtime sdk test (#12956)
- KCP/CABPK: Stop using unsafe for EnvVar conversion (#12619)
- KCP/MachineSet/MachineDeployment: Remove unused CleanUpManagedFieldsForSSAAdoption code (#12788)
- KCP: Add current/desired objects to NotUpToDateResult & refactor object creation (#12817)
- KCP: Avoid KCP rollouts if only ControlPlaneComponentHealthCheckSeconds is changed (#13026)
- KCP: Check for error before checking reconcile result (#12935)
- KCP: Enable websocket dialer with fallback to spdy (#12902)
- KCP: Fix race condition on KCP initialized condition (#12980)
- KCP: Improve KCP etcd client crt/key caching (#12977)
- KCP: Simplify cleanupConfigFields in KCP (#12776)
- KCP: Simplify KCP matchesKubeadmConfig (#12813)
- KCP: Variable/func renames, func order (#12793)
- Logging: Reduce noisy logs (#12606)
- Machine/MachineSet/MachineDeployment: Adjust UpToDate condition to consider Updating, move UpToDate condition to Machine ctrl for workers (#12959)
- Machine: Add DisableCertPrivateKey function for clustercache for test flake (#12921)
- Machine: Consider updating condition when computing Machine's ready condition (#12939)
- Machine: Fix TestReconcileMachinePhases flake (#12818)
- Machine: Implement Updating Machine phase (#12940)
- Machine: Requeue for Machine Available condition (#12953)
- Machine: Use apireader to directly talk to apiserver (#12819)
- MachineDeployment: Add in-place to machineset controller (#12906)
- MachineDeployment: Add more info to logs for rollout changes (#12997)
- MachineDeployment: Add rollout planner (#12804)
- MachineDeployment: Cleanup getMachinesSucceeded flag from MD controller (#12882)
- MachineDeployment: Defer in-place updates for machines not yet provisioned (#13007)
- MachineDeployment: Fix misleading log statements and optimize logic (#12871)
- MachineDeployment: Move compute and create ms to rollout planner (#12841)
- MachineDeployment: Refactor MachineTemplateUpToDate (#12811)
- MachineDeployment: Rollout-planner improve checks for scalingOrInPlaceUpdateInProgress (#12954)
- MachineDeployment: Simplify rollout planner (#12899)
- MachineHealthCheck: Add reason to condition, add reason+message to log (#12987)
- MachineHealthCheck: No longer requeue when remediation is not allowed (#12924)
- MachinePool: Migrate from Requeue to RequeueAfter in MachinePool tests (#13027)
- MachineSet: Fix flakes in syncMachines unit test (#12918)
- MachineSet: Fix race conditions with global scheme in TestMachineSetReconciler_reconcileUnhealthyMachines (#12919)
- MachineSet: Refactor BootstrapConfig/InfraMachine creation in MachineSet controller (#12881)
- Misc: Add Proxy Support to Docker Build-Args (#12669)
- Misc: Avoid using deprecated client.Patch method (#12737)
- Misc: Cleanup TestReconcileMachinePhases (#12976)
- Misc: Consistent webhook file/folder structure (#12791)
- Misc: Improve mark hook utils (#12994)
- Misc: Improve wait for cache (#12993)
- Misc: Log version and git commit on controller start (#12694)
- Misc: Stop setting and relying on TypeMeta in typed objects (#12533)
- Misc: Use errors package of Go (#10875)
- Release/clusterctl: Add CAPRKE2 to release tool’s issue-opening providers list (#12713)
- Release/Testing: Added test cases for list.go and github.go (#11937)
- Release: Clarify semantic of --previous-release-version (#12995)
- Release: Prepare main branch for v1.12 development (#12723)
- Release: Update release notes tool to handle multiples_areas and colons (#12738)
- Runtime SDK: Add defensive response status checking in runtime client (#12898)
- Runtime SDK: Add hint to look into controller logs to runtime client error response (#12849)
- Runtime SDK: Add httpClientCache to runtime client (#13080)
- Runtime SDK: Deduplicate extension filtering and response validation logic (#12905)
- Runtime SDK: Migrate from Requeue to RequeueAfter in extensionconfig (#13000)
- Testing: Add clusterapi crd groups to audit logs for envtest (#12883)
- Testing: Enable audit logs for envtest-based unit tests if ARTIFACTS env var is set (#12847)
- Testing: Implement unit-tests for desired state generator (#12656)
- Testing: Update version matrix for GitHub workflows for release 1.11 (#12586)
- util: Add check version against metadata utility (#12529)
- util: Add items to cache immediately after apply (#12877)

:book: Additionally, there have been 44 contributions to our documentation and book. (#12085, #12199, #12329, #12562, #12581, #12582, #12593, #12600, #12601, #12647, #12662, #12663, #12673, #12710, #12741, #12761, #12777, #12779, #12797, #12810, #12814, #12835, #12836, #12854, #12866, #12880, #12885, #12892, #12893, #12896, #12917, #12934, #12942, #12944, #12951, #12961, #12970, #12998, #13010, #13011, #13012, #13021, #13057, #13098)

## Dependencies

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Duplicate headings inside <details> trigger markdownlint MD024 warnings.

The nested section repeats headings like ## :chart_with_upwards_trend: Overview, ## :bug: Bug Fixes, ## :seedling: Others, and ## Dependencies, which can fail docs linting.

Suggested minimal fix
-## :chart_with_upwards_trend: Overview
+### :chart_with_upwards_trend: Overview (detailed)

-## :bug: Bug Fixes
+### :bug: Bug Fixes (detailed)

-## :seedling: Others
+### :seedling: Others (detailed)

-## Dependencies
+### Dependencies (detailed)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
<details>
<summary>More details about the release</summary>
## Changes since v1.11.0
## :chart_with_upwards_trend: Overview
- 287 new commits merged
- 5 breaking changes :warning:
- 42 feature additions ✨
- 42 bugs fixed 🐛
## :warning: Breaking Changes
- CI: Improve KAL config docs for forbidding OpenAPI defaulting (#12869)
- clusterctl: Block move when Cluster or ClusterClass is paused (#12786)
- Dependency: Bump to controller-runtime v0.22 & controller-tools v0.19 (#12634)
- Runtime SDK: Improve chained upgrade observability (#12973)
- Runtime SDK: Make the AfterClusterUpgrade hook blocking (#12984)
## :sparkles: New Features
- API/Machine/MachineSet/MachineDeployment: Machine related API changes, conversion and feature gate (#12936)
- CABPK: Add EncryptionAlgorithm to Kubeadmconfig (#12859)
- CAPD: Add scale from/to 0 support for CAPD (#12572)
- CI: Bump autoscaler to a9cb59fdd (#12643)
- CI: Bump Kubernetes in tests to v1.34.0 and claim support for v1.34 (#12699)
- ClusterCache/KCP: Deprecate GetClientCertificatePrivateKey and stop using it in KCP (#12846)
- ClusterCache: Add GetUncachedClient() (#12803)
- ClusterClass: Add .spec.upgrade.external.generateUpgradePlanExtension field to ClusterClass (#12809)
- ClusterClass: Add types and hook for GenerateUpgradePlan (#12823)
- ClusterClass: Additional validation in Cluster/ClusterClass webhook for chained upgrades (#12816)
- ClusterClass: Call GenerateUpgradePlanRequest Runtime Extension (#12903)
- ClusterClass: Implement core logic for chained upgrades (#12726)
- clusterctl: Add conditions filter for clusterctl describe (#12991)
- Control-plane: Add new control-plane provider HCP (#12800)
- e2e: Bump Kubernetes version used for testing to v1.34.0-rc.1 (#12623)
- e2e: Bump Kubernetes version used for testing to v1.34.0-rc.2 (#12658)
- e2e: Bump Kubernetes version used for testing to v1.35.0-beta.0 (#13029)
- e2e: Change RuntimeSDK e2e test ClusterClass to use GenerateUpgradePlan extension (#12955)
- e2e: Implement e2e test for in-place updates (#12938)
- KCP/CABPK/CI: Bump KAL to pick up latest requiredfields linter, add Min/MaxLength to BootstrapToken (#12563)
- KCP/MachineSet: Refactor BootstrapConfig/InfraMachine managedFields for in-place (#12890)
- KCP: Bump coredns/corefile-migration to v1.0.28 (#12748)
- KCP: Bump coredns/corefile-migration to v1.0.29 (#12862)
- KCP: Bump corefile-migration to v1.0.27 (#12636)
- KCP: Compare ClusterConfiguration via KubeadmConfig instead of annotation on Machine (#12758)
- KCP: Extend rollout logic for in-place updates (#12840)
- KCP: Implement CanUpdateMachine (#12857)
- KCP: Implement trigger in-place update (#12897)
- Machine: Add in-place updates support for machine controller (#12831)
- MachineDeployment: Add in-place to rollout planner (#12865)
- MachineDeployment: Implement CanUpdateMachineSet (#12965)
- MachineHealthCheck: Add support for checking Machine conditions in MachineHealthCheck (#12827)
- Misc: Add inplace updates featuregate (#12755)
- Misc: Improve logs, errors and conditions (#12992)
- Misc: Introduce & use wait for cache utils (#12957)
- Misc: Introduce reconciler rate-limiting and hook caching (#13006)
- Runtime SDK/IPAM/MachinePool: Cleanup exp packages (#12651)
- Runtime SDK: Add in-place update hooks to API (#12343)
- Runtime SDK: Add lifecycle hooks for chained-upgrade (#12878)
- Runtime SDK: Call new lifecycle hooks for chained-upgrades (#12891)
- Runtime SDK: Ensure ExtensionConfig controller can be used outside of the core provider (#12754)
- Runtime SDK: Implement GenerateUpgradePlan handler (#12927)
## :bug: Bug Fixes
- API: Only try to convert infraRefs if they are set (#12686)
- API: Register conversion funcs in schemes (#12687)
- CABPK: Always use latest apiVersion when getting owner of KubeadmConfig in CABPK (#12685)
- CAPD: CAPD on rootless podman (#12941)
- CAPD: Fix the format error of healthCheck in test templates (#12787)
- CAPD: Remove finalizers during deletion if ownerRef was never set (#12675)
- CAPD: Run CAPD conversion tests in CI (#12583)
- CAPIM: Eliminate data race in DialContext (#12778)
- ClusterClass/MachinePool: Fix MP error in desired state calculation during Cluster creation (#12607)
- ClusterClass: Do not overwrite global http.DefaultClient TLSConfig (#13063)
- ClusterClass: Ensure holder field path in GeneratePatchRequest is set based on contract (#12684)
- ClusterClass: Fix field paths in ClusterClass compatibility validation errors (#12660)
- ClusterClass: Fix wait for cache in reconcile_state.go (#13032)
- ClusterClass: Stop adding conversion-data annotation to Cluster object (#12719)
- ClusterClass: Stop writing zero values for spec.controlPlaneEndpoint to ControlPlane objects (#12958)
- clusterctl: Removing Ready/Available prefix from STATUS Column (#12729)
- clusterctl: Verify providers need upgrade before applying (#12753)
- Devtools: Fix kube-state-metrics deployment (#13024)
- e2e: Do not require kubetest configration if not needed (#12948)
- e2e: Fix autoscaler e2e test flake (#12613)
- e2e: Fix e2e test issues introduced by chained upgrades (#12766)
- e2e: Fix objects with Changed Resource Versions flake (#12848)
- e2e: Fix upgrade runtimesdk test (#12833)
- e2e: Fix WaitForMachinesReady interval (#13051)
- e2e: Increase reconcile timeout for DockerMachine (#13099)
- e2e: Propagate clusterctl variables for cluster upgrades (#12949)
- KCP: Fix ControlPlaneComponentHealthCheckSeconds validation in KubeadmConfigSpec.Validate (#12609)
- KCP: Fix conversion issue in KubeadmControlPlaneTemplate with rolloutStrategy.type (#12608)
- KCP: Fix KCP KubeadmConfig isJoin detection (#13035)
- KCP: Grant `delete` permissions to Secrets. (#13097)
- Machine/MachinePool: Fix MachinePool nodeRef UID mismatch after K8s upgrade (#12392)
- Machine/MachineSet: Use MachineSet template values in completeMoveMachine for in-place updates (#13085)
- MachineDeployment: Fix race conditions ScaleDownOldMS (#12812)
- MachineDeployment: Fix race conditions ScaleDownOldMS OnDelete (#12830)
- MachineDeployment: Fix rollout with unavailable machines (#13020)
- Runtime SDK: Export ExtensionConfig webhook (#12598)
- Testing/e2e: Fix unit test flakes, improve clusterctl download error in e2e tests (#13056)
- Testing: Fix flaky TestFuzzyConversion (Cluster) test (#12618)
- Testing: Fix flaky TestReconcileMachinePhases unit test (#12616)
- Testing: Fix flaky TestReconcileState unit test (#12617)
- Testing: Fix KubeadmConfig fuzz test flake (#12679)
- util: Fix a panic in conditions.Delete method if the sources condition list is empty (#13053)
## :seedling: Others
- API: Relax validation for Machine .status.addresses to maximum of 128 instead of 32 items (#13090)
- Autoscaling: Bump autoscaler in e2e tests to v1.33.1 (#12790)
- CABPK: Migrate from Requeue to RequeueAfter in CABPK (#12988)
- CAPD: Cleanup CAPD exp packages (#12672)
- CAPD: Recreate container if we re-enter reconciliation and it exists but is not running (#12923)
- CI: Add OpenAPI defaulting detection for KubeadmConfig by using forbiddenmarkers (#12851)
- CI: Block FIXME comments (#12772)
- CI: Bump KAL & add nodurations linter (#12743)
- CI: Bump KAL & add nonullable and forbiddenmarkers linter (#12724)
- CI: Bump KAL & drop schemaless excludes (#12646)
- CI: Bump KAL, adjust excludes (#12650)
- CI: Bump Kube API Linter version (#12974)
- CI: Bump softprops/action-gh-release from 2.4.2 to 2.5.0 in the all-github-actions group (#13094)
- CI: Bump to golangci-linter version to v2.4.0 (#12703)
- CI: Update metrics configuration to v1beta2 (#12642)
- Cluster: Allow >1 minor version upgrades if generateUpgradePlan extension is defined (#12979)
- Cluster: Simplify Cluster webhook (#12895)
- ClusterClass: Add input validations for desired state generator function (#12655)
- ClusterClass: Improve topology reconciled condition (#13002)
- clusterctl: Add metal-stack infrastructure provider (#12925)
- clusterctl: Add Metal3 as an IPAMProvider (#12756)
- clusterctl: Allow metadata.yaml's Kind to be empty (#12714)
- clusterctl: Bump cert-manager to v1.19.0 (#12828)
- clusterctl: Bump cert-manager to v1.19.1 (#12873)
- clusterctl: Bumping tablewriter to v1.0.9 - latest (#12781)
- clusterctl: Show Available condition for CP (#12759)
- ClusterResourceSet: Remove deprecated ClusterResourceSet feature gate (#12950)
- Dependency: Bump github.com/go-viper/mapstructure/v2 to fix CVE (#12677)
- Dependency: Bump Go to v1.24.10 (#12962)
- Dependency: Bump Go to v1.24.6 (#12611)
- Dependency: Bump go to v1.24.7 (#12733)
- Dependency: Bump Go to v1.24.8 (#12826)
- Dependency: Bump Go to v1.24.9 (#12867)
- Dependency: Bump golang.org/x/crypto to v0.45 to fix CVE (#13036)
- Dependency: Bump to envtest v1.34.0 (#12702)
- Devtools: Drop ALL groups in tilt (#13001)
- Devtools: Extend CR dashboard to handle capi_reconcile metrics (#13040)
- Devtools: Promtail to alloy migration (#11945)
- Documentation/MachinePool: Add structure for area/machinepool ownership in OWNERS files (#13018)
- e2e: Add quickstart e2e test with v1beta1 with ClusterClass and RuntimeSDK (#12577)
- e2e: Bump autoscaler in e2e tests to v1.34.0 (#12806)
- e2e: Bump pause image in e2e tests to 3.10.1 (default for Kubernetes v1.34) (#12731)
- e2e: Bump to kind v0.30.0 (#12701)
- e2e: Do not expect Machines for MachinePools not supporting Machines (#13077)
- e2e: E2e coverage via md rollout test (#12966)
- e2e: Enable IPv6 test again (#12597)
- e2e: Fix autoscaler test (#12978)
- e2e: Fix kind build git commit setting (#12858)
- e2e: Fix md-rollout test to test in-place taint changes before doing the rollout change (#13031)
- e2e: Fix self-hosted to actually read DOCKER_PRELOAD_IMAGES from the e2e config (#12907)
- e2e: Get kind mgmt cluster logs in clusterctl upgrade test (#12676)
- e2e: Improve check for Cluster Available condition in e2e tests (#12594)
- e2e: Make clusterctl upgrade test to work when there are no machines (#13074)
- e2e: Set startup taint for autoscaler in e2e tests (#12736)
- e2e: Start testing against Kubernetes v1.35 (#12709)
- e2e: Use wait-machine-upgrade timeout in ClusterClassChanges tests to wait for machines to be ready (#13013)
- e2e: Wait for cluster deletion in runtime sdk test (#12956)
- KCP/CABPK: Stop using unsafe for EnvVar conversion (#12619)
- KCP/MachineSet/MachineDeployment: Remove unused CleanUpManagedFieldsForSSAAdoption code (#12788)
- KCP: Add current/desired objects to NotUpToDateResult & refactor object creation (#12817)
- KCP: Avoid KCP rollouts if only ControlPlaneComponentHealthCheckSeconds is changed (#13026)
- KCP: Check for error before checking reconcile result (#12935)
- KCP: Enable websocket dialer with fallback to spdy (#12902)
- KCP: Fix race condition on KCP initialized condition (#12980)
- KCP: Improve KCP etcd client crt/key caching (#12977)
- KCP: Simplify cleanupConfigFields in KCP (#12776)
- KCP: Simplify KCP matchesKubeadmConfig (#12813)
- KCP: Variable/func renames, func order (#12793)
- Logging: Reduce noisy logs (#12606)
- Machine/MachineSet/MachineDeployment: Adjust UpToDate condition to consider Updating, move UpToDate condition to Machine ctrl for workers (#12959)
- Machine: Add DisableCertPrivateKey function for clustercache for test flake (#12921)
- Machine: Consider updating condition when computing Machine's ready condition (#12939)
- Machine: Fix TestReconcileMachinePhases flake (#12818)
- Machine: Implement Updating Machine phase (#12940)
- Machine: Requeue for Machine Available condition (#12953)
- Machine: Use apireader to directly talk to apiserver (#12819)
- MachineDeployment: Add in-place to machineset controller (#12906)
- MachineDeployment: Add more info to logs for rollout changes (#12997)
- MachineDeployment: Add rollout planner (#12804)
- MachineDeployment: Cleanup getMachinesSucceeded flag from MD controller (#12882)
- MachineDeployment: Defer in-place updates for machines not yet provisioned (#13007)
- MachineDeployment: Fix misleading log statements and optimize logic (#12871)
- MachineDeployment: Move compute and create ms to rollout planner (#12841)
- MachineDeployment: Refactor MachineTemplateUpToDate (#12811)
- MachineDeployment: Rollout-planner improve checks for scalingOrInPlaceUpdateInProgress (#12954)
- MachineDeployment: Simplify rollout planner (#12899)
- MachineHealthCheck: Add reason to condition, add reason+message to log (#12987)
- MachineHealthCheck: No longer requeue when remediation is not allowed (#12924)
- MachinePool: Migrate from Requeue to RequeueAfter in MachinePool tests (#13027)
- MachineSet: Fix flakes in syncMachines unit test (#12918)
- MachineSet: Fix race conditions with global scheme in TestMachineSetReconciler_reconcileUnhealthyMachines (#12919)
- MachineSet: Refactor BootstrapConfig/InfraMachine creation in MachineSet controller (#12881)
- Misc: Add Proxy Support to Docker Build-Args (#12669)
- Misc: Avoid using deprecated client.Patch method (#12737)
- Misc: Cleanup TestReconcileMachinePhases (#12976)
- Misc: Consistent webhook file/folder structure (#12791)
- Misc: Improve mark hook utils (#12994)
- Misc: Improve wait for cache (#12993)
- Misc: Log version and git commit on controller start (#12694)
- Misc: Stop setting and relying on TypeMeta in typed objects (#12533)
- Misc: Use errors package of Go (#10875)
- Release/clusterctl: Add CAPRKE2 to release tools issue-opening providers list (#12713)
- Release/Testing: Added test cases for list.go and github.go (#11937)
- Release: Clarify semantic of --previous-release-version (#12995)
- Release: Prepare main branch for v1.12 development (#12723)
- Release: Update release notes tool to handle multiples_areas and colons (#12738)
- Runtime SDK: Add defensive response status checking in runtime client (#12898)
- Runtime SDK: Add hint to look into controller logs to runtime client error response (#12849)
- Runtime SDK: Add httpClientCache to runtime client (#13080)
- Runtime SDK: Deduplicate extension filtering and response validation logic (#12905)
- Runtime SDK: Migrate from Requeue to RequeueAfter in extensionconfig (#13000)
- Testing: Add clusterapi crd groups to audit logs for envtest (#12883)
- Testing: Enable audit logs for envtest-based unit tests if ARTIFACTS env var is set (#12847)
- Testing: Implement unit-tests for desired state generator (#12656)
- Testing: Update version matrix for GitHub workflows for release 1.11 (#12586)
- util: Add check version against metadata utility (#12529)
- util: Add items to cache immediately after apply (#12877)
:book: Additionally, there have been 44 contributions to our documentation and book. (#12085, #12199, #12329, #12562, #12581, #12582, #12593, #12600, #12601, #12647, #12662, #12663, #12673, #12710, #12741, #12761, #12777, #12779, #12797, #12810, #12814, #12835, #12836, #12854, #12866, #12880, #12885, #12892, #12893, #12896, #12917, #12934, #12942, #12944, #12951, #12961, #12970, #12998, #13010, #13011, #13012, #13021, #13057, #13098)
## Dependencies
<details>
<summary>More details about the release</summary>
## Changes since v1.11.0
### :chart_with_upwards_trend: Overview (detailed)
- 287 new commits merged
- 5 breaking changes :warning:
- 42 feature additions ✨
- 42 bugs fixed 🐛
## :warning: Breaking Changes
- CI: Improve KAL config docs for forbidding OpenAPI defaulting (`#12869`)
- clusterctl: Block move when Cluster or ClusterClass is paused (`#12786`)
- Dependency: Bump to controller-runtime v0.22 & controller-tools v0.19 (`#12634`)
- Runtime SDK: Improve chained upgrade observability (`#12973`)
- Runtime SDK: Make the AfterClusterUpgrade hook blocking (`#12984`)
### :sparkles: New Features (detailed)
- API/Machine/MachineSet/MachineDeployment: Machine related API changes, conversion and feature gate (`#12936`)
- CABPK: Add EncryptionAlgorithm to Kubeadmconfig (`#12859`)
- CAPD: Add scale from/to 0 support for CAPD (`#12572`)
- CI: Bump autoscaler to a9cb59fdd (`#12643`)
- CI: Bump Kubernetes in tests to v1.34.0 and claim support for v1.34 (`#12699`)
- ClusterCache/KCP: Deprecate GetClientCertificatePrivateKey and stop using it in KCP (`#12846`)
- ClusterCache: Add GetUncachedClient() (`#12803`)
- ClusterClass: Add .spec.upgrade.external.generateUpgradePlanExtension field to ClusterClass (`#12809`)
- ClusterClass: Add types and hook for GenerateUpgradePlan (`#12823`)
- ClusterClass: Additional validation in Cluster/ClusterClass webhook for chained upgrades (`#12816`)
- ClusterClass: Call GenerateUpgradePlanRequest Runtime Extension (`#12903`)
- ClusterClass: Implement core logic for chained upgrades (`#12726`)
- clusterctl: Add conditions filter for clusterctl describe (`#12991`)
- Control-plane: Add new control-plane provider HCP (`#12800`)
- e2e: Bump Kubernetes version used for testing to v1.34.0-rc.1 (`#12623`)
- e2e: Bump Kubernetes version used for testing to v1.34.0-rc.2 (`#12658`)
- e2e: Bump Kubernetes version used for testing to v1.35.0-beta.0 (`#13029`)
- e2e: Change RuntimeSDK e2e test ClusterClass to use GenerateUpgradePlan extension (`#12955`)
- e2e: Implement e2e test for in-place updates (`#12938`)
- KCP/CABPK/CI: Bump KAL to pick up latest requiredfields linter, add Min/MaxLength to BootstrapToken (`#12563`)
- KCP/MachineSet: Refactor BootstrapConfig/InfraMachine managedFields for in-place (`#12890`)
- KCP: Bump coredns/corefile-migration to v1.0.28 (`#12748`)
- KCP: Bump coredns/corefile-migration to v1.0.29 (`#12862`)
- KCP: Bump corefile-migration to v1.0.27 (`#12636`)
- KCP: Compare ClusterConfiguration via KubeadmConfig instead of annotation on Machine (`#12758`)
- KCP: Extend rollout logic for in-place updates (`#12840`)
- KCP: Implement CanUpdateMachine (`#12857`)
- KCP: Implement trigger in-place update (`#12897`)
- Machine: Add in-place updates support for machine controller (`#12831`)
- MachineDeployment: Add in-place to rollout planner (`#12865`)
- MachineDeployment: Implement CanUpdateMachineSet (`#12965`)
- MachineHealthCheck: Add support for checking Machine conditions in MachineHealthCheck (`#12827`)
- Misc: Add inplace updates featuregate (`#12755`)
- Misc: Improve logs, errors and conditions (`#12992`)
- Misc: Introduce & use wait for cache utils (`#12957`)
- Misc: Introduce reconciler rate-limiting and hook caching (`#13006`)
- Runtime SDK/IPAM/MachinePool: Cleanup exp packages (`#12651`)
- Runtime SDK: Add in-place update hooks to API (`#12343`)
- Runtime SDK: Add lifecycle hooks for chained-upgrade (`#12878`)
- Runtime SDK: Call new lifecycle hooks for chained-upgrades (`#12891`)
- Runtime SDK: Ensure ExtensionConfig controller can be used outside of the core provider (`#12754`)
- Runtime SDK: Implement GenerateUpgradePlan handler (`#12927`)
### :bug: Bug Fixes (detailed)
- API: Only try to convert infraRefs if they are set (`#12686`)
- API: Register conversion funcs in schemes (`#12687`)
- CABPK: Always use latest apiVersion when getting owner of KubeadmConfig in CABPK (`#12685`)
- CAPD: CAPD on rootless podman (`#12941`)
- CAPD: Fix the format error of healthCheck in test templates (`#12787`)
- CAPD: Remove finalizers during deletion if ownerRef was never set (`#12675`)
- CAPD: Run CAPD conversion tests in CI (`#12583`)
- CAPIM: Eliminate data race in DialContext (`#12778`)
- ClusterClass/MachinePool: Fix MP error in desired state calculation during Cluster creation (`#12607`)
- ClusterClass: Do not overwrite global http.DefaultClient TLSConfig (`#13063`)
- ClusterClass: Ensure holder field path in GeneratePatchRequest is set based on contract (`#12684`)
- ClusterClass: Fix field paths in ClusterClass compatibility validation errors (`#12660`)
- ClusterClass: Fix wait for cache in reconcile_state.go (`#13032`)
- ClusterClass: Stop adding conversion-data annotation to Cluster object (`#12719`)
- ClusterClass: Stop writing zero values for spec.controlPlaneEndpoint to ControlPlane objects (`#12958`)
- clusterctl: Removing Ready/Available prefix from STATUS Column (`#12729`)
- clusterctl: Verify providers need upgrade before applying (`#12753`)
- Devtools: Fix kube-state-metrics deployment (`#13024`)
- e2e: Do not require kubetest configration if not needed (`#12948`)
- e2e: Fix autoscaler e2e test flake (`#12613`)
- e2e: Fix e2e test issues introduced by chained upgrades (`#12766`)
- e2e: Fix objects with Changed Resource Versions flake (`#12848`)
- e2e: Fix upgrade runtimesdk test (`#12833`)
- e2e: Fix WaitForMachinesReady interval (`#13051`)
- e2e: Increase reconcile timeout for DockerMachine (`#13099`)
- e2e: Propagate clusterctl variables for cluster upgrades (`#12949`)
- KCP: Fix ControlPlaneComponentHealthCheckSeconds validation in KubeadmConfigSpec.Validate (`#12609`)
- KCP: Fix conversion issue in KubeadmControlPlaneTemplate with rolloutStrategy.type (`#12608`)
- KCP: Fix KCP KubeadmConfig isJoin detection (`#13035`)
- KCP: Grant `delete` permissions to Secrets. (`#13097`)
- Machine/MachinePool: Fix MachinePool nodeRef UID mismatch after K8s upgrade (`#12392`)
- Machine/MachineSet: Use MachineSet template values in completeMoveMachine for in-place updates (`#13085`)
- MachineDeployment: Fix race conditions ScaleDownOldMS (`#12812`)
- MachineDeployment: Fix race conditions ScaleDownOldMS OnDelete (`#12830`)
- MachineDeployment: Fix rollout with unavailable machines (`#13020`)
- Runtime SDK: Export ExtensionConfig webhook (`#12598`)
- Testing/e2e: Fix unit test flakes, improve clusterctl download error in e2e tests (`#13056`)
- Testing: Fix flaky TestFuzzyConversion (Cluster) test (`#12618`)
- Testing: Fix flaky TestReconcileMachinePhases unit test (`#12616`)
- Testing: Fix flaky TestReconcileState unit test (`#12617`)
- Testing: Fix KubeadmConfig fuzz test flake (`#12679`)
- util: Fix a panic in conditions.Delete method if the sources condition list is empty (`#13053`)
### :seedling: Others (detailed)
- API: Relax validation for Machine .status.addresses to maximum of 128 instead of 32 items (`#13090`)
- Autoscaling: Bump autoscaler in e2e tests to v1.33.1 (`#12790`)
- CABPK: Migrate from Requeue to RequeueAfter in CABPK (`#12988`)
- CAPD: Cleanup CAPD exp packages (`#12672`)
- CAPD: Recreate container if we re-enter reconciliation and it exists but is not running (`#12923`)
- CI: Add OpenAPI defaulting detection for KubeadmConfig by using forbiddenmarkers (`#12851`)
- CI: Block FIXME comments (`#12772`)
- CI: Bump KAL & add nodurations linter (`#12743`)
- CI: Bump KAL & add nonullable and forbiddenmarkers linter (`#12724`)
- CI: Bump KAL & drop schemaless excludes (`#12646`)
- CI: Bump KAL, adjust excludes (`#12650`)
- CI: Bump Kube API Linter version (`#12974`)
- CI: Bump softprops/action-gh-release from 2.4.2 to 2.5.0 in the all-github-actions group (`#13094`)
- CI: Bump to golangci-linter version to v2.4.0 (`#12703`)
- CI: Update metrics configuration to v1beta2 (`#12642`)
- Cluster: Allow >1 minor version upgrades if generateUpgradePlan extension is defined (`#12979`)
- Cluster: Simplify Cluster webhook (`#12895`)
- ClusterClass: Add input validations for desired state generator function (`#12655`)
- ClusterClass: Improve topology reconciled condition (`#13002`)
- clusterctl: Add metal-stack infrastructure provider (`#12925`)
- clusterctl: Add Metal3 as an IPAMProvider (`#12756`)
- clusterctl: Allow metadata.yaml's Kind to be empty (`#12714`)
- clusterctl: Bump cert-manager to v1.19.0 (`#12828`)
- clusterctl: Bump cert-manager to v1.19.1 (`#12873`)
- clusterctl: Bumping tablewriter to v1.0.9 - latest (`#12781`)
- clusterctl: Show Available condition for CP (`#12759`)
- ClusterResourceSet: Remove deprecated ClusterResourceSet feature gate (`#12950`)
- Dependency: Bump github.com/go-viper/mapstructure/v2 to fix CVE (`#12677`)
- Dependency: Bump Go to v1.24.10 (`#12962`)
- Dependency: Bump Go to v1.24.6 (`#12611`)
- Dependency: Bump go to v1.24.7 (`#12733`)
- Dependency: Bump Go to v1.24.8 (`#12826`)
- Dependency: Bump Go to v1.24.9 (`#12867`)
- Dependency: Bump golang.org/x/crypto to v0.45 to fix CVE (`#13036`)
- Dependency: Bump to envtest v1.34.0 (`#12702`)
- Devtools: Drop ALL groups in tilt (`#13001`)
- Devtools: Extend CR dashboard to handle capi_reconcile metrics (`#13040`)
- Devtools: Promtail to alloy migration (`#11945`)
- Documentation/MachinePool: Add structure for area/machinepool ownership in OWNERS files (`#13018`)
- e2e: Add quickstart e2e test with v1beta1 with ClusterClass and RuntimeSDK (`#12577`)
- e2e: Bump autoscaler in e2e tests to v1.34.0 (`#12806`)
- e2e: Bump pause image in e2e tests to 3.10.1 (default for Kubernetes v1.34) (`#12731`)
- e2e: Bump to kind v0.30.0 (`#12701`)
- e2e: Do not expect Machines for MachinePools not supporting Machines (`#13077`)
- e2e: E2e coverage via md rollout test (`#12966`)
- e2e: Enable IPv6 test again (`#12597`)
- e2e: Fix autoscaler test (`#12978`)
- e2e: Fix kind build git commit setting (`#12858`)
- e2e: Fix md-rollout test to test in-place taint changes before doing the rollout change (`#13031`)
- e2e: Fix self-hosted to actually read DOCKER_PRELOAD_IMAGES from the e2e config (`#12907`)
- e2e: Get kind mgmt cluster logs in clusterctl upgrade test (`#12676`)
- e2e: Improve check for Cluster Available condition in e2e tests (`#12594`)
- e2e: Make clusterctl upgrade test to work when there are no machines (`#13074`)
- e2e: Set startup taint for autoscaler in e2e tests (`#12736`)
- e2e: Start testing against Kubernetes v1.35 (`#12709`)
- e2e: Use wait-machine-upgrade timeout in ClusterClassChanges tests to wait for machines to be ready (`#13013`)
- e2e: Wait for cluster deletion in runtime sdk test (`#12956`)
- KCP/CABPK: Stop using unsafe for EnvVar conversion (`#12619`)
- KCP/MachineSet/MachineDeployment: Remove unused CleanUpManagedFieldsForSSAAdoption code (`#12788`)
- KCP: Add current/desired objects to NotUpToDateResult & refactor object creation (`#12817`)
- KCP: Avoid KCP rollouts if only ControlPlaneComponentHealthCheckSeconds is changed (`#13026`)
- KCP: Check for error before checking reconcile result (`#12935`)
- KCP: Enable websocket dialer with fallback to spdy (`#12902`)
- KCP: Fix race condition on KCP initialized condition (`#12980`)
- KCP: Improve KCP etcd client crt/key caching (`#12977`)
- KCP: Simplify cleanupConfigFields in KCP (`#12776`)
- KCP: Simplify KCP matchesKubeadmConfig (`#12813`)
- KCP: Variable/func renames, func order (`#12793`)
- Logging: Reduce noisy logs (`#12606`)
- Machine/MachineSet/MachineDeployment: Adjust UpToDate condition to consider Updating, move UpToDate condition to Machine ctrl for workers (`#12959`)
- Machine: Add DisableCertPrivateKey function for clustercache for test flake (`#12921`)
- Machine: Consider updating condition when computing Machine's ready condition (`#12939`)
- Machine: Fix TestReconcileMachinePhases flake (`#12818`)
- Machine: Implement Updating Machine phase (`#12940`)
- Machine: Requeue for Machine Available condition (`#12953`)
- Machine: Use apireader to directly talk to apiserver (`#12819`)
- MachineDeployment: Add in-place to machineset controller (`#12906`)
- MachineDeployment: Add more info to logs for rollout changes (`#12997`)
- MachineDeployment: Add rollout planner (`#12804`)
- MachineDeployment: Cleanup getMachinesSucceeded flag from MD controller (`#12882`)
- MachineDeployment: Defer in-place updates for machines not yet provisioned (`#13007`)
- MachineDeployment: Fix misleading log statements and optimize logic (`#12871`)
- MachineDeployment: Move compute and create ms to rollout planner (`#12841`)
- MachineDeployment: Refactor MachineTemplateUpToDate (`#12811`)
- MachineDeployment: Rollout-planner improve checks for scalingOrInPlaceUpdateInProgress (`#12954`)
- MachineDeployment: Simplify rollout planner (`#12899`)
- MachineHealthCheck: Add reason to condition, add reason+message to log (`#12987`)
- MachineHealthCheck: No longer requeue when remediation is not allowed (`#12924`)
- MachinePool: Migrate from Requeue to RequeueAfter in MachinePool tests (`#13027`)
- MachineSet: Fix flakes in syncMachines unit test (`#12918`)
- MachineSet: Fix race conditions with global scheme in TestMachineSetReconciler_reconcileUnhealthyMachines (`#12919`)
- MachineSet: Refactor BootstrapConfig/InfraMachine creation in MachineSet controller (`#12881`)
- Misc: Add Proxy Support to Docker Build-Args (`#12669`)
- Misc: Avoid using deprecated client.Patch method (`#12737`)
- Misc: Cleanup TestReconcileMachinePhases (`#12976`)
- Misc: Consistent webhook file/folder structure (`#12791`)
- Misc: Improve mark hook utils (`#12994`)
- Misc: Improve wait for cache (`#12993`)
- Misc: Log version and git commit on controller start (`#12694`)
- Misc: Stop setting and relying on TypeMeta in typed objects (`#12533`)
- Misc: Use errors package of Go (`#10875`)
- Release/clusterctl: Add CAPRKE2 to release tool's issue-opening providers list (`#12713`)
- Release/Testing: Added test cases for list.go and github.go (`#11937`)
- Release: Clarify semantic of --previous-release-version (`#12995`)
- Release: Prepare main branch for v1.12 development (`#12723`)
- Release: Update release notes tool to handle multiples_areas and colons (`#12738`)
- Runtime SDK: Add defensive response status checking in runtime client (`#12898`)
- Runtime SDK: Add hint to look into controller logs to runtime client error response (`#12849`)
- Runtime SDK: Add httpClientCache to runtime client (`#13080`)
- Runtime SDK: Deduplicate extension filtering and response validation logic (`#12905`)
- Runtime SDK: Migrate from Requeue to RequeueAfter in extensionconfig (`#13000`)
- Testing: Add clusterapi crd groups to audit logs for envtest (`#12883`)
- Testing: Enable audit logs for envtest-based unit tests if ARTIFACTS env var is set (`#12847`)
- Testing: Implement unit-tests for desired state generator (`#12656`)
- Testing: Update version matrix for GitHub workflows for release 1.11 (`#12586`)
- util: Add check version against metadata utility (`#12529`)
- util: Add items to cache immediately after apply (`#12877`)
:book: Additionally, there have been 44 contributions to our documentation and book. (`#12085`, `#12199`, `#12329`, `#12562`, `#12581`, `#12582`, `#12593`, `#12600`, `#12601`, `#12647`, `#12662`, `#12663`, `#12673`, `#12710`, `#12741`, `#12761`, `#12777`, `#12779`, `#12797`, `#12810`, `#12814`, `#12835`, `#12836`, `#12854`, `#12866`, `#12880`, `#12885`, `#12892`, `#12893`, `#12896`, `#12917`, `#12934`, `#12942`, `#12944`, `#12951`, `#12961`, `#12970`, `#12998`, `#13010`, `#13011`, `#13012`, `#13021`, `#13057`, `#13098`)
### Dependencies (detailed)
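Review bot: `## :warning: Breaking Changes` and `## Changes since v1.11.0` stay at level 2 in the rewritten block while every sibling section is demoted to a `###` heading with a "(detailed)" suffix, so the hierarchy inside <details> is inconsistent and a duplicate-heading warning can remain if the same level-2 text appears earlier in the file. Demote those two headings to match the others. The PR references in this block are also wrapped in backticks (`#12869`) where the lines above it use bare references (#12958); if the changelog relies on those references being rendered as links, keep them bare.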
🧰 Tools
🪛 LanguageTool

[style] ~143-~143: This phrase is redundant. Consider using “outside”.
Context: ... ExtensionConfig controller can be used outside of the core provider (#12754) - Runtime SD...

(OUTSIDE_OF)


[uncategorized] ~293-~293: The official name of this software platform is spelled with a capital “H”.
Context: ...sting: Added test cases for list.go and github.go (#11937) - Release: Clarify semantic...

(GITHUB)

🪛 markdownlint-cli2 (0.22.1)

[warning] 89-89: Multiple headings with the same content

(MD024, no-duplicate-heading)


[warning] 146-146: Multiple headings with the same content

(MD024, no-duplicate-heading)


[warning] 190-190: Multiple headings with the same content

(MD024, no-duplicate-heading)


[warning] 311-311: Multiple headings with the same content

(MD024, no-duplicate-heading)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG/v1.12.0-rc.1.md` around lines 85 - 311, The release note contains
duplicate top-level headings within the <details> block (e.g., "##
:chart_with_upwards_trend: Overview", "## :bug: Bug Fixes", "## :seedling:
Others", "## Dependencies") which triggers markdownlint MD024; remove or rename
the duplicated headings inside the <details> section (or convert them to
lower-level headings like "###" or inline labels) so only one instance of each
top-level heading remains (search for the exact heading strings above to locate
the duplicated blocks).

Comment thread CHANGELOG/v1.12.0.md
Comment on lines +308 to +373
- cel.dev/expr: v0.19.1 → v0.24.0
- cloud.google.com/go/storage: v1.49.0 → v1.5.0
- cloud.google.com/go: v0.116.0 → v0.53.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: [v1.25.0 → v1.26.0](https://github.com/GoogleCloudPlatform/opentelemetry-operations-go/compare/detectors/gcp/v1.25.0...detectors/gcp/v1.26.0)
- github.com/Masterminds/semver/v3: [v3.3.0 → v3.4.0](https://github.com/Masterminds/semver/compare/v3.3.0...v3.4.0)
- github.com/census-instrumentation/opencensus-proto: [v0.4.1 → v0.2.1](https://github.com/census-instrumentation/opencensus-proto/compare/v0.4.1...v0.2.1)
- github.com/cncf/xds/go: [cff3c89 → 2f00578](https://github.com/cncf/xds/compare/cff3c89...2f00578)
- github.com/coredns/corefile-migration: [v1.0.27 → v1.0.29](https://github.com/coredns/corefile-migration/compare/v1.0.27...v1.0.29)
- github.com/emicklei/go-restful/v3: [v3.12.2 → v3.13.0](https://github.com/emicklei/go-restful/compare/v3.12.2...v3.13.0)
- github.com/fsnotify/fsnotify: [v1.8.0 → v1.9.0](https://github.com/fsnotify/fsnotify/compare/v1.8.0...v1.9.0)
- github.com/fxamacker/cbor/v2: [v2.7.0 → v2.9.0](https://github.com/fxamacker/cbor/compare/v2.7.0...v2.9.0)
- github.com/go-viper/mapstructure/v2: [v2.3.0 → v2.4.0](https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0)
- github.com/golang/groupcache: [41bb18b → 8c9f03a](https://github.com/golang/groupcache/compare/41bb18b...8c9f03a)
- github.com/google/cel-go: [v0.23.2 → v0.26.0](https://github.com/google/cel-go/compare/v0.23.2...v0.26.0)
- github.com/google/gnostic-models: [v0.6.9 → v0.7.0](https://github.com/google/gnostic-models/compare/v0.6.9...v0.7.0)
- github.com/google/pprof: [27863c8 → f64d9cf](https://github.com/google/pprof/compare/27863c8...f64d9cf)
- github.com/googleapis/gax-go/v2: [v2.14.1 → v2.0.5](https://github.com/googleapis/gax-go/compare/v2.14.1...v2.0.5)
- github.com/grpc-ecosystem/grpc-gateway/v2: [v2.24.0 → v2.26.3](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.24.0...v2.26.3)
- github.com/ianlancetaylor/demangle: [bd984b5 → f615e6b](https://github.com/ianlancetaylor/demangle/compare/bd984b5...f615e6b)
- github.com/jonboulle/clockwork: [v0.4.0 → v0.5.0](https://github.com/jonboulle/clockwork/compare/v0.4.0...v0.5.0)
- github.com/mattn/go-colorable: [v0.1.13 → v0.1.14](https://github.com/mattn/go-colorable/compare/v0.1.13...v0.1.14)
- github.com/mattn/go-runewidth: [v0.0.14 → v0.0.16](https://github.com/mattn/go-runewidth/compare/v0.0.14...v0.0.16)
- github.com/modern-go/reflect2: [v1.0.2 → 35a7c28](https://github.com/modern-go/reflect2/compare/v1.0.2...35a7c28)
- github.com/olekukonko/tablewriter: [v0.0.5 → v1.0.9](https://github.com/olekukonko/tablewriter/compare/v0.0.5...v1.0.9)
- github.com/onsi/ginkgo/v2: [v2.23.4 → v2.27.2](https://github.com/onsi/ginkgo/compare/v2.23.4...v2.27.2)
- github.com/onsi/gomega: [v1.38.0 → v1.38.2](https://github.com/onsi/gomega/compare/v1.38.0...v1.38.2)
- github.com/pelletier/go-toml/v2: [v2.2.3 → v2.2.4](https://github.com/pelletier/go-toml/compare/v2.2.3...v2.2.4)
- github.com/prometheus/client_model: [v0.6.1 → v0.6.2](https://github.com/prometheus/client_model/compare/v0.6.1...v0.6.2)
- github.com/rivo/uniseg: [v0.4.2 → v0.4.7](https://github.com/rivo/uniseg/compare/v0.4.2...v0.4.7)
- github.com/rogpeppe/go-internal: [v1.13.1 → v1.14.1](https://github.com/rogpeppe/go-internal/compare/v1.13.1...v1.14.1)
- github.com/sagikazarmark/locafero: [v0.7.0 → v0.11.0](https://github.com/sagikazarmark/locafero/compare/v0.7.0...v0.11.0)
- github.com/sourcegraph/conc: [v0.3.0 → 5f936ab](https://github.com/sourcegraph/conc/compare/v0.3.0...5f936ab)
- github.com/spf13/afero: [v1.12.0 → v1.15.0](https://github.com/spf13/afero/compare/v1.12.0...v1.15.0)
- github.com/spf13/cast: [v1.7.1 → v1.10.0](https://github.com/spf13/cast/compare/v1.7.1...v1.10.0)
- github.com/spf13/cobra: [v1.9.1 → v1.10.1](https://github.com/spf13/cobra/compare/v1.9.1...v1.10.1)
- github.com/spf13/pflag: [v1.0.7 → v1.0.10](https://github.com/spf13/pflag/compare/v1.0.7...v1.0.10)
- github.com/spf13/viper: [v1.20.1 → v1.21.0](https://github.com/spf13/viper/compare/v1.20.1...v1.21.0)
- github.com/stretchr/testify: [v1.10.0 → v1.11.1](https://github.com/stretchr/testify/compare/v1.10.0...v1.11.1)
- go.etcd.io/bbolt: v1.3.11 → v1.4.2
- go.etcd.io/etcd/api/v3: v3.5.22 → v3.6.6
- go.etcd.io/etcd/client/pkg/v3: v3.5.22 → v3.6.6
- go.etcd.io/etcd/client/v3: v3.5.22 → v3.6.6
- go.etcd.io/etcd/pkg/v3: v3.5.21 → v3.6.4
- go.etcd.io/etcd/server/v3: v3.5.21 → v3.6.4
- go.opencensus.io: v0.24.0 → v0.22.3
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.58.0 → v0.60.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.33.0 → v1.34.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.33.0 → v1.34.0
- go.opentelemetry.io/otel/metric: v1.34.0 → v1.35.0
- go.opentelemetry.io/otel/trace: v1.34.0 → v1.35.0
- go.opentelemetry.io/otel: v1.34.0 → v1.35.0
- go.opentelemetry.io/proto/otlp: v1.4.0 → v1.5.0
- go.uber.org/zap: v1.27.0 → v1.27.1
- go.yaml.in/yaml/v3: v3.0.3 → v3.0.4
- golang.org/x/crypto: v0.40.0 → v0.45.0
- golang.org/x/mod: v0.25.0 → v0.29.0
- golang.org/x/net: v0.42.0 → v0.47.0
- golang.org/x/oauth2: v0.30.0 → v0.33.0
- golang.org/x/sync: v0.16.0 → v0.18.0
- golang.org/x/sys: v0.34.0 → v0.38.0
- golang.org/x/telemetry: bda5523 → 078029d
- golang.org/x/term: v0.33.0 → v0.37.0
- golang.org/x/text: v0.27.0 → v0.31.0
- golang.org/x/tools: v0.34.0 → v0.38.0
- google.golang.org/api: v0.215.0 → v0.17.0
- google.golang.org/genproto/googleapis/api: 5f5ef82 → a0af3ef
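Review bot: the go.etcd.io/etcd modules in this list do not land on one version: api/v3, client/pkg/v3 and client/v3 go to v3.6.6 while pkg/v3 and server/v3 stop at v3.6.4. Confirm against go.mod that the split is intended, and note it in the changelog if it is. The same go.mod check applies to the entries whose arrow points to a lower version, such as `google.golang.org/api: v0.215.0 → v0.17.0`, since a reader planning an upgrade will take the right-hand value as the shipped version.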
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify whether versions documented in CHANGELOG/v1.12.0.md match current go.mod.
modfile="$(fd '^go\.mod$' | head -n1)"
echo "Using go.mod: ${modfile:-<not found>}"
[ -n "${modfile:-}" ] || { echo "go.mod not found"; exit 1; }

echo
echo "=== Versions currently in go.mod (spot-check suspicious modules) ==="
rg -n '^\s*(cloud\.google\.com/go($|/storage)|google\.golang\.org/api|github\.com/googleapis/gax-go/v2|go\.opencensus\.io)\s' "$modfile"

echo
echo "=== Changelog entries for the same modules ==="
rg -n 'cloud\.google\.com/go/storage|cloud\.google\.com/go:|google\.golang\.org/api|github\.com/googleapis/gax-go/v2|go\.opencensus\.io' CHANGELOG/v1.12.0.md

echo
echo "If go.mod versions do not match the 'to' versions in changelog, regenerate/fix the dependency section."

Repository: openshift/cluster-api

Length of output: 156


🏁 Script executed:

# First, check if the CHANGELOG file exists and read the suspicious lines
if [ -f CHANGELOG/v1.12.0.md ]; then
  echo "=== CHANGELOG/v1.12.0.md exists. Reading lines 308-320 ==="
  sed -n '308,320p' CHANGELOG/v1.12.0.md
  echo
  echo "=== Lines 360-373 ==="
  sed -n '360,373p' CHANGELOG/v1.12.0.md
else
  echo "CHANGELOG/v1.12.0.md not found"
  ls -la CHANGELOG/ 2>/dev/null | head -20
fi

Repository: openshift/cluster-api

Length of output: 2159


🏁 Script executed:

# Check the current go.mod and look for some of the suspicious modules
echo "=== Current go.mod modules (first 50 lines) ==="
head -50 go.mod
echo
echo "=== Searching for google.golang.org/api in go.mod ==="
rg 'google\.golang\.org/api' go.mod -A 0
echo
echo "=== Searching for cloud.google.com/go in go.mod ==="
rg 'cloud\.google\.com/go' go.mod -A 0 | head -10

Repository: openshift/cluster-api

Length of output: 1961


Dependency transition table contains multiple downgrade entries that appear incorrect.

Several entries in the ### Changed section show version downgrades rather than upgrades, which is unusual for a release changelog:

  • Line 309: cloud.google.com/go/storage: v1.49.0 → v1.5.0 (downgrade)
  • Line 310: cloud.google.com/go: v0.116.0 → v0.53.0 (downgrade)
  • Line 314: github.com/census-instrumentation/opencensus-proto: [v0.4.1 → v0.2.1] (downgrade)
  • Line 324: github.com/googleapis/gax-go/v2: [v2.14.1 → v2.0.5] (downgrade)
  • Line 336: go.opencensus.io: v0.24.0 → v0.22.3 (downgrade)
  • Line 372: google.golang.org/api: v0.215.0 → v0.17.0 (downgrade)

These entries would mislead users during upgrade planning and incident triage. Verify whether the version arrows are reversed or if these should be removed from the changelog entirely.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG/v1.12.0.md` around lines 308 - 373, The dependency transition table
in the "### Changed" section contains apparent downgrades (e.g.,
cloud.google.com/go/storage, cloud.google.com/go,
github.com/census-instrumentation/opencensus-proto,
github.com/googleapis/gax-go/v2, go.opencensus.io, google.golang.org/api);
verify the intended direction by checking the authoritative source
(go.mod/go.sum or the release tooling that produced the list), then correct each
line to show the proper "old → new" version or remove any incorrect entries;
update the specific entries for cloud.google.com/go/storage,
cloud.google.com/go, github.com/census-instrumentation/opencensus-proto,
github.com/googleapis/gax-go/v2, go.opencensus.io, and google.golang.org/api in
the changelog so the arrow direction and versions match the actual dependency
changes.
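The check the review comment above asks for can be done mechanically. This added example (not code from the PR, from CodeRabbit or from the cluster-api project) parses `module: old → new` entries and separates version decreases from entries whose direction cannot be read from the text; `Audit`, `parseTag` and `less` are hypothetical names, and the sample is built from entries quoted on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// entryRe matches "- module: vA → vB", tolerating "[" before vA and "]" after vB.
var entryRe = regexp.MustCompile(`(?m)^[ \t]*[-•][ \t]*(\S+?):[ \t]*\[?(\S+)[ \t]+→[ \t]+([^\s\]]+)`)

// parseTag reads vMAJOR.MINOR.PATCH. Commit hashes, pseudo-versions and
// pre-releases return ok=false: their order cannot be read off the text.
func parseTag(v string) (n [3]int, ok bool) {
	if strings.ContainsAny(v, "-+") {
		return n, false
	}
	c, err := fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil && c == 3
}

// less orders two parsed tags by major, then minor, then patch.
func less(a, b [3]int) bool {
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
}

// Audit returns the modules whose version decreases and those it cannot order.
func Audit(changelog string) (down, unordered []string) {
	for _, m := range entryRe.FindAllStringSubmatch(changelog, -1) {
		from, okFrom := parseTag(m[2])
		to, okTo := parseTag(m[3])
		switch {
		case !okFrom || !okTo:
			unordered = append(unordered, m[1])
		case less(to, from):
			down = append(down, m[1])
		}
	}
	return down, unordered
}

// sample is built from entries quoted on this page.
const sample = `- golang.org/x/crypto: v0.40.0 → v0.45.0
- golang.org/x/telemetry: bda5523 → 078029d
- google.golang.org/api: v0.215.0 → v0.17.0
- github.com/googleapis/gax-go/v2: [v2.14.1 → v2.0.5]`

func main() {
	down, unordered := Audit(sample)
	fmt.Println("decreases:", down, "cannot order:", unordered)
}
```

A flagged entry is a prompt to compare against go.mod, not proof that the changelog is wrong.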

- Devtools: Enable native histograms in Grafana / Prometheus (#13304)
- Devtools: Make kind image configurable via env var for make tilt-up (#13333)
- Devtools: Updated dev observability stack (#13044)
- e2e: 0 in e2e tests (#13429)

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix malformed changelog entry.

This entry is incomplete and unclear: "0 in e2e tests" does not describe what change was made. Please verify the correct description for PR #13429 and update the entry accordingly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG/v1.13.0-beta.0.md` at line 135, The changelog line "e2e: 0 in e2e
tests" is malformed and must be replaced with a clear summary of PR `#13429`;
review PR `#13429` to determine the intended change and update the entry to a
concise, conventional changelog phrase (e.g., "e2e: fix flakey test X" or "e2e:
add test for Y"), keeping the same prefix/scope format used in other entries and
preserving bullet/list formatting so the entry is meaningful and consistent with
surrounding lines.

- Devtools: Enable native histograms in Grafana / Prometheus (#13304)
- Devtools: Make kind image configurable via env var for make tilt-up (#13333)
- Devtools: Updated dev observability stack (#13044)
- e2e: 0 in e2e tests (#13429)

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix malformed changelog entry.

This entry is incomplete and unclear: "0 in e2e tests" does not describe what change was made. Please verify the correct description for PR #13429 and update the entry accordingly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG/v1.13.0-beta.1.md` at line 207, The changelog contains a malformed
entry "e2e: 0 in e2e tests" that must be replaced with the actual description
from PR `#13429`; open PR `#13429` to confirm the intended change (what was
added/fixed in e2e tests) and update the entry in CHANGELOG/v1.13.0-beta.1.md to
a clear, concise sentence referencing the fix or feature (e.g., "e2e: <brief
description of change/fix> (`#13429`)"), ensuring the PR number remains included
for traceability.

Comment on lines +594 to +600
value:
description: |-
value is the taint value corresponding to the taint key.
It must be a valid label value of maximum size 63 characters.
maxLength: 63
minLength: 1
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
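Review bot: `minLength: 1` and the pattern disagree about the empty string: the pattern's outer group is optional, so it matches "", while `minLength: 1` rejects it, and the description mentions only the 63-character maximum. If the intent is that a taint without a value omits the field rather than setting `value: ""`, say so in the description so the two constraints read as one rule; the hunk does not show whether `value` is listed under `required`, which decides how manifests that leave it out are treated.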

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Allow empty taint values.

The pattern already permits "", and taint values are optional, but minLength: 1 rejects that valid case. This makes manifests with an explicit empty taint value fail validation for no functional reason.

Suggested schema change
                             value:
                               description: |-
                                 value is the taint value corresponding to the taint key.
                                 It must be a valid label value of maximum size 63 characters.
                               maxLength: 63
-                              minLength: 1
                               pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                               type: string
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
value:
description: |-
value is the taint value corresponding to the taint key.
It must be a valid label value of maximum size 63 characters.
maxLength: 63
minLength: 1
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
value:
description: |-
value is the taint value corresponding to the taint key.
It must be a valid label value of maximum size 63 characters.
maxLength: 63
pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/crd/bases/cluster.x-k8s.io_machinedeployments.yaml` around lines 594 -
600, The CRD schema for the taint "value" field currently has minLength: 1 which
rejects valid empty taint values even though the regex pattern allows the empty
string; update the "value" schema (the value property under the taint
definition) to allow empty values by removing the minLength constraint or
setting minLength: 0 so the pattern and length constraints are consistent and
manifests with an explicit empty taint value validate successfully.
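How the three constraints on `value` interact, as an added example that is not part of the PR or of the review comment: it applies maxLength, minLength and the quoted pattern with Go's regexp package (a model of the schema, not the API server's validator) for minLength 1 (current) and 0 (suggested). `Violations` is a hypothetical name, the sample values are constructed, and treating an omitted field as valid assumes `value` is optional.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode/utf8"
)

// valuePattern is the pattern quoted in the schema above.
var valuePattern = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// Violations lists the schema constraints a taint value breaks.
// value == nil models a manifest that omits the field (assumed optional).
func Violations(value *string, minLength int) []string {
	if value == nil {
		return nil // nothing to validate when the field is absent
	}
	var out []string
	n := utf8.RuneCountInString(*value)
	if n > 63 {
		out = append(out, "maxLength")
	}
	if n < minLength {
		out = append(out, "minLength")
	}
	if !valuePattern.MatchString(*value) {
		out = append(out, "pattern")
	}
	return out
}

func main() {
	// Constructed sample values: explicit empty, valid, bad first char, mixed punctuation.
	for _, v := range []string{"", "gpu", "-gpu", "a_b.c-d"} {
		fmt.Printf("%-10q minLength=1: %v  minLength=0: %v\n",
			v, Violations(&v, 1), Violations(&v, 0))
	}
	fmt.Println("omitted field:", Violations(nil, 1))
}
```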

@openshift-ci

openshift-ci Bot commented May 7, 2026

@cloud-team-rebase-bot[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-ovn-techpreview | e801fc2 | link | true | /test e2e-aws-ovn-techpreview |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
ok-to-test: Indicates a non-member PR verified by an org member that is safe to test.
