fix(kubernetes): make MachineHealthCheck maxUnhealthy configurable

[myasnikovdaniil]

Same-repo mirror of #2752 by mattia-eleuteri, opened so the Build CI job can run. Fork PRs skip the OCIR registry login (if: !github.event.pull_request.head.repo.fork in pull-requests.yaml) and so can't push the per-PR images the build needs — meaning a fork PR can never pass Build, regardless of the change. The commits here are unchanged and authored by mattia-eleuteri; full description and discussion in #2752.

Supersedes #2752.

fix(kubernetes): MachineHealthCheck `maxUnhealthy` is now configurable per node group (default `100%`), restoring worker-node auto-remediation that was previously disabled by a hardcoded value of `0`.

Summary by CodeRabbit

• New Features

  • Added a configurable nodeGroups[].maxUnhealthy setting (integer or percentage) to control how many unhealthy nodes are tolerated before automatic remediation stops; default is now "100%".

• Documentation

  • Updated chart/application documentation, values examples, and configuration schemas to include maxUnhealthy and its default.

• Chores

  • Updated templates so per-node-group health remediation behavior respects the new maxUnhealthy value.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a configurable maxUnhealthy field (string, default "100%") to the Kubernetes node group configuration. The field is defined on the NodeGroup Go struct with kubebuilder markers, propagated through Helm values.yaml, values.schema.json, and the MachineHealthCheck template (replacing a hardcoded 0), and reflected in the ApplicationDefinition openAPISchema and README.

Changes

maxUnhealthy field for NodeGroup MachineHealthCheck

Layer / File(s)	Summary
NodeGroup.MaxUnhealthy field definition and schema api/apps/v1alpha1/kubernetes/types.go, packages/apps/kubernetes/values.yaml, packages/apps/kubernetes/values.schema.json	MaxUnhealthy is added to the NodeGroup Go struct with +kubebuilder:default="100%" and description markers; maxUnhealthy: "100%" is added to the values.yaml typedef and md0 example; the JSON schema gains the field as a string with default "100%" and a description accepting integer or percentage values.
Template rendering, ApplicationDefinition schema, and docs packages/apps/kubernetes/templates/cluster.yaml, packages/system/kubernetes-rd/cozyrds/kubernetes.yaml, packages/apps/kubernetes/README.md	MachineHealthCheck.spec.maxUnhealthy in the Helm template switches from the constant 0 to {{ $group.maxUnhealthy }} with default "100%" as a string; the ApplicationDefinition openAPISchema and keysOrder metadata are updated to include the new field; the README parameters table gains the nodeGroups[name].maxUnhealthy row.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 A node group once fixed at zero's cold grip,
Now freely admits a full hundred percent slip.
The MachineHealthCheck breathes with configurable grace,
A default of "100%" set firmly in place.
Schemas and templates all neatly aligned —
No unhealthy surprise left behind!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: making the MachineHealthCheck maxUnhealthy parameter configurable, which is the core purpose of this PR across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/kubernetes-mhc-maxunhealthy

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a configurable maxUnhealthy parameter for MachineHealthCheck in the Kubernetes node group configuration. By making this value configurable (defaulting to '100%'), it restores the auto-remediation capabilities for worker nodes that were previously limited by a hardcoded value of 0.

Highlights

• Configuration: Added the maxUnhealthy field to the NodeGroup configuration, allowing users to define the tolerance for unhealthy nodes before auto-remediation stops.
• Defaults: Set the default value for maxUnhealthy to '100%', restoring worker-node auto-remediation functionality.
• Documentation: Updated the README and Helm values schema to include the new maxUnhealthy configuration option.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	Gemini (@gemini-code-assist)	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on Gemini (@gemini-code-assist) comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new maxUnhealthy configuration option for Kubernetes node groups, allowing users to specify the maximum number or percentage of unhealthy nodes tolerated before auto-remediation stops. This option is integrated across API types, Helm templates, values schemas, and documentation. Feedback on the changes highlights a bug in the Helm template where using the default function overrides a valid 0 value with "100%", and suggests using hasKey to correctly preserve falsy values.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Using the default function in Helm/Go templates treats falsy values like 0 (integer) as empty, which causes them to be overridden by the default value ("100%"). Since 0 is a valid value for maxUnhealthy (used to explicitly disable auto-remediation), this will prevent users from setting maxUnhealthy: 0 as an integer in their values.

Using hasKey allows us to check if the key is explicitly defined in the node group map, preserving 0 or any other falsy values.

  maxUnhealthy: {{ if hasKey $group "maxUnhealthy" }}{{ $group.maxUnhealthy | quote }}{{ else }}"100%"{{ end }}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

api/apps/v1alpha1/kubernetes/types.go (1)

255-257: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Consider adding validation for the maxUnhealthy format.

The MaxUnhealthy field accepts either an integer or a percentage string, but there's no kubebuilder validation to enforce this format. Adding a pattern validation would provide better user experience by catching invalid values at admission time rather than later during reconciliation.

📋 Proposed validation pattern

 // Max unhealthy nodes (integer or percentage) tolerated before the MachineHealthCheck stops auto-remediation.
 // +kubebuilder:default:="100%"
+// +kubebuilder:validation:Pattern=`^([0-9]+|[0-9]+%)$`
 MaxUnhealthy string `json:"maxUnhealthy,omitempty"`

This pattern ensures the value is either:

• An integer: 0, 1, 10, etc.
• A percentage: 0%, 50%, 100%, etc.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/apps/v1alpha1/kubernetes/types.go` around lines 255 - 257, The
MaxUnhealthy field currently lacks format validation, allowing invalid values to
pass through. Add a kubebuilder validation pattern constraint to the
MaxUnhealthy field definition to enforce that the value must be either a
non-negative integer or a percentage string (ending with %). This will catch
formatting errors at admission time by ensuring only valid formats like "100",
"50%", or "100%" are accepted, preventing invalid values from reaching
reconciliation logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/apps/v1alpha1/kubernetes/types.go`:
- Line 26: The kubebuilder default annotation contains JSON syntax errors for
array-type fields. The `roles` field currently uses object notation
`{"ingress-nginx"}` but must use array notation `["ingress-nginx"]` to match the
`Roles` field definition as `[]string` (line 264). Similarly, the `gpus` field
currently uses empty object notation `{}` but must use empty array notation `[]`
to match the `Gpus` field definition as `[]GPU` (line 246). Update both field
notations in the default annotation to use proper JSON array syntax with square
brackets instead of curly braces.

---

Nitpick comments:
In `@api/apps/v1alpha1/kubernetes/types.go`:
- Around line 255-257: The MaxUnhealthy field currently lacks format validation,
allowing invalid values to pass through. Add a kubebuilder validation pattern
constraint to the MaxUnhealthy field definition to enforce that the value must
be either a non-negative integer or a percentage string (ending with %). This
will catch formatting errors at admission time by ensuring only valid formats
like "100", "50%", or "100%" are accepted, preventing invalid values from
reaching reconciliation logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8f3ca1b7-0d88-464c-8bba-c3407b2c9a6d

📥 Commits

Reviewing files that changed from the base of the PR and between 6a9047d and dd1a6b9.

📒 Files selected for processing (6)

• api/apps/v1alpha1/kubernetes/types.go
• packages/apps/kubernetes/README.md
• packages/apps/kubernetes/templates/cluster.yaml
• packages/apps/kubernetes/values.schema.json
• packages/apps/kubernetes/values.yaml
• packages/system/kubernetes-rd/cozyrds/kubernetes.yaml

✅ Files skipped from review due to trivial changes (1)

• packages/apps/kubernetes/README.md

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/apps/kubernetes/values.yaml
• packages/apps/kubernetes/templates/cluster.yaml
• packages/system/kubernetes-rd/cozyrds/kubernetes.yaml
• packages/apps/kubernetes/values.schema.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that the kubebuilder default annotation contains valid JSON matching the NodeGroup type

# Extract the default JSON from line 26
default_json='{"md0":{"diskSize":"20Gi","gpus":{},"instanceType":"u1.medium","kubelet":{},"maxReplicas":10,"maxUnhealthy":"100%","minReplicas":0,"resources":{},"roles":{"ingress-nginx"},"storageClass":""}}'

# Test JSON validity
echo "$default_json" | jq empty 2>&1

# Check if the roles field is an array
echo "$default_json" | jq '.md0.roles | type' 2>&1

Repository: cozystack/cozystack

Length of output: 213

---

🏁 Script executed:

cat -n api/apps/v1alpha1/kubernetes/types.go | sed -n '20,35p'

Repository: cozystack/cozystack

Length of output: 1070

---

🏁 Script executed:

cat -n api/apps/v1alpha1/kubernetes/types.go | sed -n '255,270p'

Repository: cozystack/cozystack

Length of output: 1258

---

🏁 Script executed:

cat -n api/apps/v1alpha1/kubernetes/types.go | sed -n '245,255p'

Repository: cozystack/cozystack

Length of output: 674

---

Fix JSON syntax in the kubebuilder default annotation — roles and gpus must use array notation.

The default JSON uses object syntax {"ingress-nginx"} for the roles field but Roles is defined as []string at line 264, and similarly gpus uses {} but Gpus is defined as []GPU at line 246. This causes JSON parsing to fail and breaks CRD generation.

🔧 Fix

-// +kubebuilder:default:={"md0":{"diskSize":"20Gi","gpus":{},"instanceType":"u1.medium","kubelet":{},"maxReplicas":10,"maxUnhealthy":"100%","minReplicas":0,"resources":{},"roles":{"ingress-nginx"},"storageClass":""}}
+// +kubebuilder:default:={"md0":{"diskSize":"20Gi","gpus":[],"instanceType":"u1.medium","kubelet":{},"maxReplicas":10,"maxUnhealthy":"100%","minReplicas":0,"resources":{},"roles":["ingress-nginx"],"storageClass":""}}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// +kubebuilder:default:={"md0":{"diskSize":"20Gi","gpus":{},"instanceType":"u1.medium","kubelet":{},"maxReplicas":10,"maxUnhealthy":"100%","minReplicas":0,"resources":{},"roles":{"ingress-nginx"},"storageClass":""}}
	// +kubebuilder:default:={"md0":{"diskSize":"20Gi","gpus":[],"instanceType":"u1.medium","kubelet":{},"maxReplicas":10,"maxUnhealthy":"100%","minReplicas":0,"resources":{},"roles":["ingress-nginx"],"storageClass":""}}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/apps/v1alpha1/kubernetes/types.go` at line 26, The kubebuilder default
annotation contains JSON syntax errors for array-type fields. The `roles` field
currently uses object notation `{"ingress-nginx"}` but must use array notation
`["ingress-nginx"]` to match the `Roles` field definition as `[]string` (line
264). Similarly, the `gpus` field currently uses empty object notation `{}` but
must use empty array notation `[]` to match the `Gpus` field definition as
`[]GPU` (line 246). Update both field notations in the default annotation to use
proper JSON array syntax with square brackets instead of curly braces.