OCPBUGS-86059: Implement automatic LVMS rebase on the latest z-stream version

[ggiguash]

Summary by CodeRabbit

• New Features
  • Added latest REGISTRY XY_VERSION to automatically resolve and rebase to the newest matching LVMS z-stream tag.
• Bug Fixes
  • Made “rehearse” detection safe when job names are unset.
  • Simplified LVMS rebase execution and updated “last rebase” handling.
• Documentation
  • Updated contributor guidance and example commands to reference the correct LVMS rebase script names.
• Chores
  • Refreshed asset recipe references used for manifest generation/validation (LVMS and OSSM) and regenerated the “last rebase” helper script.

[openshift-ci-robot]

@ggiguash: This pull request references Jira Issue OCPBUGS-86059, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

The PR adds a latest-tag LVMS rebase command, renames the generated wrapper script, updates asset recipe filenames, and refreshes LVMS rebase documentation.

Changes

LVMS rebase flow

Layer / File(s)	Summary
Latest-tag rebase path scripts/auto-rebase/rebase_job_entrypoint.sh, scripts/auto-rebase/rebase_lvms.sh	Adds the latest LVMS rebase command, resolves the newest matching registry tag, and routes the job entrypoint to it.
Generated wrapper and manifest updates scripts/auto-rebase/rebase_lvms.sh, scripts/auto-rebase/last_lvms_rebase.sh, scripts/auto-rebase/last_rebase_lvms.sh, scripts/auto-rebase/presubmit.py, scripts/auto-rebase/rebase_gateway_api.sh	Regenerates the last-rebase wrapper under the new script name and switches LVMS/OSSM asset recipe filenames.
Documentation updates docs/contributor/rebase.md	Updates LVMS rebase examples and script references to rebase_lvms.sh.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• pmtk
• pacevedom

---

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

• Ignore

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	scripts/auto-rebase/rebase_job_entrypoint.sh runs printenv under set -x, which can leak secrets, tokens, and hostnames into CI logs.	Remove the env dump or whitelist safe vars, and disable xtrace around secret-handling sections (or avoid tracing this job script).
Docstring Coverage	⚠️ Warning	Docstring coverage is 36.36% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: adding automatic LVMS rebase on the latest z-stream version.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No *_test.go files or Ginkgo title constructs were changed; the PR only touches docs and auto-rebase scripts.
Test Structure And Quality	✅ Passed	No changed files contain Ginkgo test code; the PR mainly updates docs and auto-rebase scripts.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the PR only changes docs/scripts and non-test Go files, with no MicroShift-unsupported APIs in tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only changes docs and auto-rebase scripts; no Ginkgo e2e tests were added or modified, so SNO compatibility review is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR only changes rebase scripts/docs and C2CC routing config; no added affinity, nodeSelector, spread, PDB, or replica logic was introduced.
Ote Binary Stdout Contract	✅ Passed	PR only changes docs/shell/python scripts; no Go/binary entrypoints or stdout-to-JSON contract code were touched.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; changes are docs and auto-rebase scripts only, so this compatibility check is not applicable.
No-Weak-Crypto	✅ Passed	No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons were added in the touched files.
Container-Privileges	✅ Passed	The PR only updates docs and rebase scripts; no changed file adds privileged, hostPID/Network/IPC, CAP_SYS_ADMIN, or allowPrivilegeEscalation settings.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ggiguash]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ggiguash]

/test ?

[openshift-ci-robot]

@ggiguash: This pull request references Jira Issue OCPBUGS-86059, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Summary by CodeRabbit

• New Features

• Added support for new device discovery policy options and clearer device path guidance in storage-related configuration.

• Expanded storage class options and validation to better preserve existing settings.

• Improved status reporting for device discovery policy defaults.

• Bug Fixes

• Tightened immutability rules for several storage settings to prevent unintended changes after creation.

• Updated toleration operator guidance and thin-pool list handling for more consistent configuration behavior.

• Chores

• Updated the bundled operator version to 4.22.0.

• Refreshed release images and rebase automation to track the latest supported build.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ggiguash]

/test e2e-aws-tests
/test e2e-aws-tests-arm
/test e2e-aws-tests-bootc-arm-el10
/test e2e-aws-tests-bootc-arm-el9

[ggiguash]

/test ?

[ggiguash]

/test test-rebase

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

assets/components/lvms/lvms-operator_rbac.authorization.k8s.io_v1_clusterrole.yaml (1)

47-52: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Split pods out so update does not apply to them.

Line 47 now shares the PVC verb set, so pods also get update. Keep update scoped to PVCs unless the operator has a proven pod-update path.

Proposed RBAC split

   - apiGroups:
       - ""
     resources:
       - persistentvolumeclaims
-      - pods
     verbs:
       - delete
       - get
       - list
       - update
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - get
+      - list
+      - watch

As per path instructions, “RBAC: least privilege; no cluster-admin for workloads.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@assets/components/lvms/lvms-operator_rbac.authorization.k8s.io_v1_clusterrole.yaml`
around lines 47 - 52, The ClusterRole rule currently groups pods with the same
verb set as PVCs, which unintentionally grants pods the update verb. Split the
RBAC rules in the ClusterRole manifest so the pods resource has only the
intended verbs and update remains scoped to the PVC rule; use the existing pods
and PVC entries in the role definition to separate them cleanly.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/components/lvms/lvm.topolvm.io_lvmclusters.yaml`:
- Around line 222-257: The immutability validations for additionalParameters,
reclaimPolicy, and volumeBindingMode are too strict for optional/defaulted
fields because oldSelf == self can reject a valid initial set when the previous
value is unset. Update the x-kubernetes-validations rules on these fields in the
LVMS schema to account for missing old values, using a pattern like
!has(oldSelf) || oldSelf == self so the fields can be set once and remain
immutable afterward. Locate the changes under the additionalParameters,
reclaimPolicy, and volumeBindingMode definitions in the device class schema and
apply the same rule consistently to each.

In
`@assets/components/lvms/lvms-operator_rbac.authorization.k8s.io_v1_clusterrole.yaml`:
- Around line 113-120: The RBAC rules for the operator still grant the core
events resource alongside the new events.k8s.io/events permissions, which
broadens access unnecessarily. Update the cluster role by removing the stale
core events grant from the RBAC manifest and keep only the permissions needed
for the target event API, using the existing events.k8s.io/events rule as the
reference point.

In `@assets/components/lvms/vg-manager_rbac.authorization.k8s.io_v1_role.yaml`:
- Around line 64-71: The Role currently grants event write permissions through
both the core and events.k8s.io APIs, so it is broader than necessary. In the
RBAC manifest for the vg-manager role, remove the core events rule if the
workload now uses events.k8s.io, and keep only the event API that is actually
referenced by the code so the Role remains least-privileged. Use the existing
events.k8s.io rule in this Role as the anchor when updating the permissions.

In `@scripts/auto-rebase/rebase-lvms.sh`:
- Around line 556-558: The latest case in the rebase dispatch currently forwards
$2 and $3 directly from the argument list, which can expand before usage() runs
when either argument is missing. Update the command handling around
rebase_lvms_latest in the latest branch to validate that both required arguments
are present before any expansion, and route invalid invocations to usage()
instead of calling the helper with unset parameters.
- Around line 44-51: The clean-tag lookup in rebase-lvms.sh is terminating early
under errexit/pipefail when grep finds no match, preventing the prerelease
fallback from running. Update the latest-tag lookup in the tag-selection logic
to tolerate an expected no-match before proceeding to the prerelease branch,
keeping the fallback reachable while preserving the existing sort/tail behavior
in the rebase-lvms.sh tag selection flow.

---

Outside diff comments:
In
`@assets/components/lvms/lvms-operator_rbac.authorization.k8s.io_v1_clusterrole.yaml`:
- Around line 47-52: The ClusterRole rule currently groups pods with the same
verb set as PVCs, which unintentionally grants pods the update verb. Split the
RBAC rules in the ClusterRole manifest so the pods resource has only the
intended verbs and update remains scoped to the PVC rule; use the existing pods
and PVC entries in the role definition to separate them cleanly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6d970893-f8f8-4328-96bc-cc66ac8997d2

📥 Commits

Reviewing files that changed from the base of the PR and between 8d0593e and 1fab504.

📒 Files selected for processing (12)

• assets/components/lvms/lvm.topolvm.io_lvmclusters.yaml
• assets/components/lvms/lvm.topolvm.io_lvmvolumegroupnodestatuses.yaml
• assets/components/lvms/lvm.topolvm.io_lvmvolumegroups.yaml
• assets/components/lvms/lvms-operator_rbac.authorization.k8s.io_v1_clusterrole.yaml
• assets/components/lvms/topolvm-configmap_lvms-version.yaml
• assets/components/lvms/vg-manager_rbac.authorization.k8s.io_v1_clusterrole.yaml
• assets/components/lvms/vg-manager_rbac.authorization.k8s.io_v1_role.yaml
• assets/release/release-aarch64.json
• assets/release/release-x86_64.json
• scripts/auto-rebase/last_lvms_rebase.sh
• scripts/auto-rebase/rebase-lvms.sh
• scripts/auto-rebase/rebase_job_entrypoint.sh

[ggiguash]

/test e2e-aws-tests
/test e2e-aws-tests-arm
/test e2e-aws-tests-bootc-arm-el10
/test e2e-aws-tests-bootc-arm-el9
/test test-rebase

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/auto-rebase/rebase_job_entrypoint.sh`:
- Around line 91-94: The LVMS rebase invocation in rebase_job_entrypoint.sh is
using a mismatched release version, with opm_release set to v4.22 but
rebase_lvms.sh still receiving 4.21. Update the version argument in the
rebase_lvms.sh call so it matches the job’s target release (the same X.Y used by
opm_release) and keep the release value consistent in this script.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 17ee17ed-320c-48c0-89d1-8f03e467f8e0

📥 Commits

Reviewing files that changed from the base of the PR and between bc3fb4a and bc46ec6.

📒 Files selected for processing (2)

• scripts/auto-rebase/last_rebase_lvms.sh
• scripts/auto-rebase/rebase_job_entrypoint.sh

✅ Files skipped from review due to trivial changes (1)

• scripts/auto-rebase/last_rebase_lvms.sh

[openshift-ci-robot]

@ggiguash: This pull request references Jira Issue OCPBUGS-86059, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary by CodeRabbit

• New Features

• Added latest REGISTRY XY_VERSION for LVMS rebase automation to automatically resolve and rebase to the newest matching z-stream tag.

• Updated generated rebase scripts to use the new LVMS rebase entry point and refreshed the “last rebase” updater flow.

• Bug Fixes

• Made “rehearse” detection safe when job names are unset.

• Simplified LVMS rebase execution by removing outdated fallback logic.

• Documentation

• Updated LVMS rebase contributor guidance and example commands to reference the correct script names.

• Chores

• Updated asset recipe references used during manifest generation and validation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ggiguash]

/test e2e-aws-tests
/test e2e-aws-tests-arm
/test e2e-aws-tests-bootc-arm-el10
/test e2e-aws-tests-bootc-arm-el9
/test test-rebase

[ggiguash]

/test test-rebase

[openshift-ci-robot]

@ggiguash: This pull request references Jira Issue OCPBUGS-86059, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Summary by CodeRabbit

• New Features
• Added latest REGISTRY XY_VERSION for LVMS rebase automation to resolve and rebase to the newest matching z-stream tag.
• Refreshed generated rebase scripts to use the updated LVMS rebase entry point and “last rebase” update flow.
• Bug Fixes
• Made “rehearse” detection safe when job names are unset.
• Simplified LVMS rebase execution by removing outdated fallback/release-selection behavior.
• Documentation
• Updated contributor guidance and example commands to reference the correct script names.
• Chores
• Updated asset recipe references used for manifest generation and validation (LVMS and OSSM).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ggiguash]

/test test-rebase

[openshift-ci-robot]

@ggiguash: This pull request references Jira Issue OCPBUGS-86059, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Summary by CodeRabbit

• New Features
• Added latest REGISTRY XY_VERSION to automatically resolve and rebase to the newest matching LVMS z-stream tag.
• Bug Fixes
• Made “rehearse” detection safe when job names are unset.
• Simplified LVMS rebase execution and updated “last rebase” handling.
• Documentation
• Updated contributor guidance and example commands to reference the correct LVMS rebase script names.
• Chores
• Refreshed asset recipe references used for manifest generation/validation (LVMS and OSSM) and regenerated the “last rebase” helper script.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/auto-rebase/rebase_lvms.sh`:
- Around line 38-41: The comment above resolve_latest_z_tag currently describes
prerelease fallback that no longer exists. Update the docstring in
resolve_latest_z_tag to state that it only searches for clean semver tags
matching vX.Y.Z for the given X.Y stream and fails if none are found, removing
any mention of pre-release fallback.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8f76bbb6-e841-46e2-8a20-5b4130d4c85e

📥 Commits

Reviewing files that changed from the base of the PR and between 0b34cb6 and 14fecbb.

📒 Files selected for processing (9)

• docs/contributor/rebase.md
• scripts/auto-rebase/assets_lvms.yaml
• scripts/auto-rebase/assets_ossm.yaml
• scripts/auto-rebase/last_lvms_rebase.sh
• scripts/auto-rebase/last_rebase_lvms.sh
• scripts/auto-rebase/presubmit.py
• scripts/auto-rebase/rebase_gateway_api.sh
• scripts/auto-rebase/rebase_job_entrypoint.sh
• scripts/auto-rebase/rebase_lvms.sh

💤 Files with no reviewable changes (1)

• scripts/auto-rebase/last_lvms_rebase.sh

✅ Files skipped from review due to trivial changes (1)

• docs/contributor/rebase.md

🚧 Files skipped from review as they are similar to previous changes (4)

• scripts/auto-rebase/last_rebase_lvms.sh
• scripts/auto-rebase/rebase_gateway_api.sh
• scripts/auto-rebase/presubmit.py
• scripts/auto-rebase/rebase_job_entrypoint.sh