OTA-1860: Stop blocking patch updates when cluster version overrides are set

[harche]

Summary

• When cv.spec.overrides has any entry with unmanaged: true, CVO sets Upgradeable=False and blocks all upgrades, including z-stream/patch updates. This is overly restrictive — patch updates deliver security fixes and bug fixes that should not be blocked just because an override is set.
• This change makes the override precondition check a non-blocking warning for patch-level updates instead of a hard block, effectively reverting the patch-blocking behavior introduced in PR Bug 1822844: Block z level upgrades when ClusterVersionOverridesSet is set #364.
• Minor/major version upgrades remain blocked by Upgradeable=False when overrides are set — that behavior is unchanged.
• The warning message is updated to reflect the new scope: "Disabling ownership via cluster version overrides prevents minor/major version upgrades."

Behavior after this change

Update type	Overrides set	Result
Patch (4.21.1 → 4.21.2)	Yes	Allowed with accepted risk recorded
Minor (4.21.x → 4.22.0)	Yes	Blocked by Upgradeable=False
Major	Yes	Blocked by Upgradeable=False

Test plan

• All existing unit tests pass with updated message strings
• New test: patch update with overrides produces non-blocking warning
• New test: minor update with overrides is still blocking
• Integration test: cluster with overrides set can complete a z-stream update (accepted risk recorded in history)
• Integration test: cluster with overrides set is still blocked from minor version update

Jira: https://issues.redhat.com/browse/OTA-1860

🤖 Generated with Claude Code

[openshift-ci-robot]

@harche: This pull request references OTA-1860 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

• In 4.21, the default openshift ClusterImagePolicy enforces Sigstore signature verification for release images. Disabling it via cv.spec.overrides is a supported operation (disconnected environments, CI with unsigned builds).
• Previously, any override with unmanaged: true caused CVO to set Upgradeable=False, blocking all upgrades including z-stream patches.
• This change adds an IsAllowedOverride() helper that exempts the specific openshift ClusterImagePolicy override (group: config.openshift.io, kind: ClusterImagePolicy, name: openshift) from triggering Upgradeable=False. All other overrides continue to block as before.

Files changed

File	Change
pkg/internal/constants.go	Added IsAllowedOverride() helper using configv1.GroupName
pkg/payload/precondition/clusterversion/upgradeable.go	Filter allowed overrides in ClusterVersionOverridesCondition()
pkg/cvo/upgradeable.go	Filter allowed overrides in clusterVersionOverridesUpgradeable.Check()
pkg/payload/precondition/clusterversion/upgradeable_test.go	8 new test cases for ClusterVersionOverridesCondition
pkg/cvo/upgradeable_test.go	5 new test cases for clusterVersionOverridesUpgradeable

Test plan

• go test ./pkg/payload/precondition/clusterversion/ — all 28 tests pass
• go test ./pkg/cvo/ -run TestClusterVersionOverrides — all 5 new tests pass
• go test ./pkg/cvo/ -run TestUpgrade — all existing upgrade tests pass
• Integration test on a cluster with only the openshift ClusterImagePolicy override set to unmanaged: true — verify Upgradeable is not False due to ClusterVersionOverridesSet
• Integration test with both the allowed override and another unmanaged override — verify Upgradeable=False is still set

Jira: https://issues.redhat.com/browse/OTA-1860

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

ClusterVersion override detection was changed to return a non-blocking precondition warning (new NonBlockingWarning on precondition.Error) and wording was clarified to state overrides prevent upgrades "between minor or major versions". Tests and CVO messages were updated to exercise and reflect this behavior.

Changes

Cohort / File(s)	Summary
Upgradeable precondition logic pkg/payload/precondition/clusterversion/upgradeable.go	When a ClusterVersionOverridesCondition is detected, return a precondition.Error with NonBlockingWarning: true and update the returned/logged message to specify upgrades are prevented "between minor or major versions".
Precondition API pkg/payload/precondition/...	Added exported field NonBlockingWarning bool to precondition.Error to signal non-blocking warnings to callers.
Precondition tests pkg/payload/precondition/clusterversion/upgradeable_test.go	Added overrides []configv1.ComponentOverride to test cases, applied overrides to the test ClusterVersion.Spec, and added test cases covering override scenarios (one expecting a non-blocking warning, one expecting blocking behavior).
CVO wording & tests pkg/cvo/upgradeable.go, pkg/cvo/cvo_test.go	Adjusted messaging to state ownership-overrides prevent upgrades "between minor or major versions" and updated tests to match the revised phrasing.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: harche
Once this PR has been reviewed and has the lgtm label, please assign pratikmahajan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/payload/precondition/clusterversion/upgradeable.go (1)

34-47: ⚠️ Potential issue | 🔴 Critical

ClusterVersionOverridesCondition does not filter the exempted ClusterImagePolicy override.

The function at lines 34-47 blocks upgrades on any Unmanaged: true override without exemption logic. Verification found no IsAllowedOverride() function or override exemption filtering anywhere in the codebase—neither in pkg/cvo/upgradeable.go, pkg/internal/constants.go, nor elsewhere. This means the exempted openshift ClusterImagePolicy override (group config.openshift.io, kind ClusterImagePolicy, name openshift) will incorrectly block minor/major version upgrades, despite PR objectives to exempt it.

The precondition path (line 104) marks override warnings as NonBlockingWarning: true for patch updates, but for minor/major updates, the condition is not used. Instead, line 127 propagates the Upgradeable condition status directly, meaning blocking overrides will still prevent these upgrades. The exemption filtering needs to be implemented in this function to check the override's group, kind, and name before returning a blocking condition.

[harche]

/retest ci/prow/verify-deps

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/cvo/upgradeable.go (1)

250-262: ⚠️ Potential issue | 🟠 Major

Both clusterVersionOverridesUpgradeable.Check() and the precondition ClusterVersionOverridesCondition() lack filtering for allowed overrides.

Per the commit message "Exempt openshift ClusterImagePolicy override from blocking upgrades," these methods should exempt the openshift ClusterImagePolicy override from blocking upgrades. Currently, any unmanaged override blocks the upgrade in both code paths:

• pkg/cvo/upgradeable.go lines 250–262
• pkg/payload/precondition/clusterversion/upgradeable.go lines 35–47

Both implementations iterate through overrides and return a blocking condition if any has Unmanaged=true. Add filtering logic to exempt the allowed override before checking the condition.

[openshift-ci-robot]

@harche: This pull request references OTA-1860 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

• When cv.spec.overrides has any entry with unmanaged: true, CVO sets Upgradeable=False and blocks all upgrades, including z-stream/patch updates. This is overly restrictive — patch updates deliver security fixes and bug fixes that should not be blocked just because an override is set.
• This change makes the override precondition check a non-blocking warning for patch-level updates instead of a hard block, effectively reverting the patch-blocking behavior introduced in PR Bug 1822844: Block z level upgrades when ClusterVersionOverridesSet is set #364.
• Minor/major version upgrades remain blocked by Upgradeable=False when overrides are set — that behavior is unchanged.
• The warning message is updated to reflect the new scope: "Disabling ownership via cluster version overrides prevents minor/major version upgrades."

Behavior after this change

Update type	Overrides set	Result
Patch (4.21.1 → 4.21.2)	Yes	Allowed with accepted risk recorded
Minor (4.21.x → 4.22.0)	Yes	Blocked by Upgradeable=False
Major	Yes	Blocked by Upgradeable=False

Test plan

• All existing unit tests pass with updated message strings
• New test: patch update with overrides produces non-blocking warning
• New test: minor update with overrides is still blocking
• Integration test: cluster with overrides set can complete a z-stream update (accepted risk recorded in history)
• Integration test: cluster with overrides set is still blocked from minor version update

Jira: https://issues.redhat.com/browse/OTA-1860

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/payload/precondition/clusterversion/upgradeable.go (1)

34-47: ⚠️ Potential issue | 🔴 Critical

IsAllowedOverride filtering is not implemented.

The PR objectives state "Added IsAllowedOverride() helper to exempt the openshift ClusterImagePolicy override" and "Filter allowed overrides in precondition and upgradeable checks." However:

1. The IsAllowedOverride() function does not exist in the codebase
2. ClusterVersionOverridesCondition() iterates all overrides without filtering
3. clusterVersionOverridesUpgradeable.Check() in pkg/cvo/upgradeable.go uses identical logic—no filtering applied

If a cluster has only the exempted override, both implementations will still block upgrades, contrary to the stated PR objectives.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/payload/precondition/clusterversion/upgradeable.go (1)

34-47: ⚠️ Potential issue | 🔴 Critical

IsAllowedOverride filtering is not implemented.

The PR objectives state "Added IsAllowedOverride() helper to exempt the openshift ClusterImagePolicy override" and "Filter allowed overrides in precondition and upgradeable checks." However:

1. The IsAllowedOverride() function does not exist in the codebase
2. ClusterVersionOverridesCondition() iterates all overrides without filtering
3. clusterVersionOverridesUpgradeable.Check() in pkg/cvo/upgradeable.go uses identical logic—no filtering applied

If a cluster has only the exempted override, both implementations will still block upgrades, contrary to the stated PR objectives.

[wking]

This is effectively reverting #364, although now that we have history[].acceptedRisks, we want to preserve some kind of warning to grumble in that property without blocking updates (for patch updates, we still want to block major/minor bumps, because they change APIs and such).

[wking]

I think we probably need to qualify "Please remove overrides before continuing." to "Please remove overrides before requesting a minor or major version update.". Or just drop the sentence. Or something. Because with this pull, you no longer need to remove the overrides before continuing with a patch update.

Otherwise the current pull state looks good to me; thanks!

[harche]

/test okd-scos-images

[openshift-ci]

@harche: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-images	6f8f984	link	true	/test okd-scos-images
ci/prow/e2e-agnostic-ovn	6f8f984	link	true	/test e2e-agnostic-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.