CNFCERT-1258: Add kustomize validation check

[sebrandon1]

Similar to: openshift-kni/telco-reference#433

Changes:

• Adds a quick PR check that attempts to kustomize build appropriate files. Only runs against main.
• Adds a make path for make test-kustomize which runs the script. Users can run this locally as well as there are safeguards to ensure kustomize exists first.
• Skips YAMLs that might require external plugins. See EXCLUDED_DIRS.

Example run:

$ make test-kustomize 
hack/test-kustomize.sh
Checking all kustomization.yaml files can build successfully...

  ./config/crd: OK
  ./config/default: OK
  ./config/kind-ci: OK
  ./config/manager: OK
  ./config/manifests: OK
  ./config/networkpolicy: OK
  ./config/prometheus: OK
  ./config/rbac: OK
  ./config/samples: OK
  ./config/scorecard: OK

Summary: Checked 10 kustomization.yaml files, skipped 0 (require external plugins)
All kustomization files validated successfully!

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign ffromani for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sebrandon1]

https://github.com/openshift-kni/numaresources-operator/actions/runs/18952979705/job/54122262347?pr=2398 It's already running and passing! 🎉

[ffromani]

The CI failure is legit, PTAL.

[ffromani]

Not sure how beneficial is this validation, but should not hurt either

[openshift-ci-robot]

@sebrandon1: This pull request references CNFCERT-1258 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Similar to: openshift-kni/telco-reference#433

Changes:

• Adds a quick PR check that attempts to kustomize build appropriate files. Only runs against main.
• Adds a make path for make test-kustomize which runs the script. Users can run this locally as well as there are safeguards to ensure kustomize exists first.
• Skips YAMLs that might require external plugins. See EXCLUDED_DIRS.

Example run:

$ make test-kustomize 
hack/test-kustomize.sh
Checking all kustomization.yaml files can build successfully...

 ./config/crd: OK
 ./config/default: OK
 ./config/kind-ci: OK
 ./config/manager: OK
 ./config/manifests: OK
 ./config/networkpolicy: OK
 ./config/prometheus: OK
 ./config/rbac: OK
 ./config/samples: OK
 ./config/scorecard: OK

Summary: Checked 10 kustomization.yaml files, skipped 0 (require external plugins)
All kustomization files validated successfully!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sebrandon1]

/retest

[ffromani]

still relevant?

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request updates the NUMA Resources Operator project from version 4.21 to 4.22 across the entire infrastructure. Changes include updating container image tags, version references, and related build configuration files. A new GitHub Actions workflow for Kustomize validation and corresponding test script were also added.

Changes

Cohort / File(s)	Summary
CI/CD Workflows .github/workflows/kustomize-validation.yml, .github/workflows/release-testsuite.yaml	Added new Kustomize validation workflow and updated test image tag from 4.21 to 4.22 in release pipeline.
Tekton Pipelines .tekton/build-pipeline.yaml, .tekton/build-pipeline-must-gather.yaml, .tekton/fbc-pipeline.yaml, .tekton/images-mirror-set.yaml, .tekton/numaresources-*.yaml (8 files)	Updated Tekton task bundle image digests and version references from 4.21 to 4.22 across operator, bundle, must-gather, and FBC pipeline triggers (pull-request and push variants).
Konflux Build Configuration .konflux/container-build.args, .konflux/bundle/bundle.konflux.Dockerfile, .konflux/bundle/overlay/*, .konflux/catalog/*, .konflux/must-gather/must-gather.konflux.Dockerfile, .konflux/operator/konflux.Dockerfile	Updated OpenShift version from 4.21 to 4.22, changed builder image digests, updated CPE labels, bundle channel annotations, and image pinning configurations.
Container Image & Version References Makefile, README.tests.md, config/manager/kustomization.yaml	Updated default project version, bundle naming, and example image tags from 4.21 to 4.22; added new test-kustomize make target.
Operator Manifests bundle/manifests/numaresources-operator.clusterserviceversion.yaml, config/manifests/bases/numaresources-operator.clusterserviceversion.yaml	Updated ClusterServiceVersion metadata, provider version, skip ranges, and referenced operator/scheduler-plugin image tags to 4.22.
Sample & Example Configurations config/samples/*.yaml, doc/examples/*.yaml	Updated scheduler-plugins image specification from 4.21-snapshot to 4.22-snapshot across all NUMAResourcesScheduler example manifests.
Test Infrastructure & Validation hack/test-kustomize.sh, test/e2e/must-gather/must_gather_suite_test.go, pkg/numaresourcesscheduler/manifests/yaml/configmap.nrt.yaml	Added new Kustomize validation script, updated must-gather test image reference, and added multiPoint plugin configuration disabling DynamicResources.
Feature Constants & Test Logic internal/api/features/types.go, internal/controller/numaresourcesscheduler_controller_test.go	Updated feature version constant from v4.21.0 to v4.22.0 and adjusted platform version thresholds in kubelet-fix test cases.
Dependency Artifacts .konflux/must-gather/rpms.lock.yaml	Updated locked tar RPM package from version 1.34-7 to 1.34-9 with corresponding size and checksum updates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding a kustomize validation check as a GitHub Actions workflow and related tooling.
Description check	✅ Passed	The description is directly related to the changeset, explaining the purpose of the new kustomize validation check and providing concrete example output.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch add_kustomization_test

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

README.tests.md (1)

33-37: ⚠️ Potential issue | 🟠 Major

Fix broken shell continuation in runnable examples.

The command block is not copy/paste runnable because Line 35 misses a trailing \ before Line 36. The same issue recurs later before --skip (Line 114). Please fix all affected podman run snippets.

Proposed doc fix

 podman run -ti \
 	-v $KUBECONFIG:/kubeconfig:z \
-	-e KUBECONFIG=/kubeconfig
+	-e KUBECONFIG=/kubeconfig \
 	-e E2E_NROP_INSTALL_SKIP_KC=true \
 	quay.io/openshift-kni/numaresources-operator-tests:4.22.999-snapshot
@@
 	-e E2E_NUMACELL_DEVICE_PLUGIN_URL=${E2E_IMAGE_URL} \
 	-e E2E_PAUSE_IMAGE_URL=${E2E_IMAGE_URL} \
-	${E2E_IMAGE_URL}
+	${E2E_IMAGE_URL} \
 	--skip '.*reboot_required.*'

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.tests.md` around lines 33 - 37, The shell continuation in the podman
run snippets is broken: ensure each line intended to continue the command ends
with a trailing backslash so the entire podman run invocation is copy/paste
runnable; specifically add a trailing "\" after the KUBECONFIG=/kubeconfig line
in the podman run that sets -v $KUBECONFIG and -e KUBECONFIG, and likewise fix
the later podman run snippet that wraps the --skip argument (look for the podman
run lines and the --skip flag) so every fragmented line ends with "\" to
maintain proper shell continuation.

🧹 Nitpick comments (3)

.github/workflows/release-testsuite.yaml (1)

26-26: Avoid hardcoding the release tag directly in Line 26.

This value changes every release and is easy to miss; centralizing it as a workflow env var reduces drift risk.

♻️ Proposed refactor

 name: CI testsuite release flow
+env:
+  TEST_IMAGE_TAG: 4.22.999-snapshot

 on:
   workflow_dispatch:
@@
       - name: Build Image
         id: build-image
         uses: redhat-actions/buildah-build@v2
         with:
           image: numaresources-operator-tests
-          tags: 4.22.999-snapshot
+          tags: ${{ env.TEST_IMAGE_TAG }}
           dockerfiles: |
             ./Dockerfile.tests

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-testsuite.yaml at line 26, The hardcoded tag value
"4.22.999-snapshot" should be replaced with a reusable env var; define
RELEASE_TAG in the workflow's top-level env block (or as a
workflow_dispatch/input) and change the tags entry to reference it (use GitHub
Actions expression syntax like ${{ env.RELEASE_TAG }}), so update the workflow
file to declare RELEASE_TAG and replace the literal "4.22.999-snapshot" with
that env reference.

.github/workflows/kustomize-validation.yml (1)

19-43: Consider pinning kustomize version for reproducible builds.

The current approach downloads the latest install_kustomize.sh script from the master branch, which installs the latest kustomize version. This could lead to non-reproducible CI behavior if a new kustomize version introduces breaking changes or incompatibilities.

Consider specifying a version by passing an argument to the install script (e.g., | bash -s -- <version>) or using a pinned release URL instead of master.

💡 Suggested improvement for version pinning

           while [ $ATTEMPT -le $MAX_ATTEMPTS ]; do
             echo "Attempt $ATTEMPT of $MAX_ATTEMPTS: Downloading kustomize install script..."
-            if curl -fsSL --retry 3 --retry-delay 2 "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash; then
+            if curl -fsSL --retry 3 --retry-delay 2 "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash -s -- 5.5.0; then
               echo "Successfully downloaded and installed kustomize"
               break

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/kustomize-validation.yml around lines 19 - 43, The
workflow currently pipes the installer from the master branch (the curl line
fetching "install_kustomize.sh") which installs the latest kustomize and causes
non-deterministic CI; change the curl invocation to pin a specific kustomize
version by either passing the version to the script (invoke the script with
"bash -s -- <VERSION>" instead of plain "bash") or by downloading a
release-tagged install script URL (replace the master URL with the specific
release tag) so that the installed kustomize version is deterministic; update
any references around MAX_ATTEMPTS/ATTEMPT and the sudo mv/kustomize steps to
remain compatible with the pinned installer behavior.

hack/test-kustomize.sh (1)

38-45: Make exclusion matching normalized and prefix-aware.

Current equality matching is fragile (./ prefix differences) and only skips exact directories, not nested overlays under an excluded root.

♻️ Proposed refactor

 is_excluded() {
-    local dir="$1"
+    local dir="${1#./}"
     for excluded in "${EXCLUDED_DIRS[@]}"; do
-        if [ "$dir" = "$excluded" ]; then
+        local ex="${excluded#./}"
+        if [[ "$dir" == "$ex" || "$dir" == "$ex/"* ]]; then
             return 0
         fi
     done
     return 1
 }

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

Also applies to: 64-65

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/test-kustomize.sh` around lines 38 - 45, The is_excluded function
currently uses exact equality and fails on ./ prefixes or nested paths; update
is_excluded to normalize the incoming dir and each EXCLUDED_DIRS entry by
removing any leading ./ and trailing slashes, then test exclusion by checking
either exact equality or prefix-match (excluded + "/" as a prefix) so
directories under an excluded root are also skipped; reference the is_excluded
function and the EXCLUDED_DIRS array in your change and ensure the same
normalization/prefix logic is applied wherever is_excluded is called.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@README.tests.md`:
- Around line 33-37: The shell continuation in the podman run snippets is
broken: ensure each line intended to continue the command ends with a trailing
backslash so the entire podman run invocation is copy/paste runnable;
specifically add a trailing "\" after the KUBECONFIG=/kubeconfig line in the
podman run that sets -v $KUBECONFIG and -e KUBECONFIG, and likewise fix the
later podman run snippet that wraps the --skip argument (look for the podman run
lines and the --skip flag) so every fragmented line ends with "\" to maintain
proper shell continuation.

---

Nitpick comments:
In @.github/workflows/kustomize-validation.yml:
- Around line 19-43: The workflow currently pipes the installer from the master
branch (the curl line fetching "install_kustomize.sh") which installs the latest
kustomize and causes non-deterministic CI; change the curl invocation to pin a
specific kustomize version by either passing the version to the script (invoke
the script with "bash -s -- <VERSION>" instead of plain "bash") or by
downloading a release-tagged install script URL (replace the master URL with the
specific release tag) so that the installed kustomize version is deterministic;
update any references around MAX_ATTEMPTS/ATTEMPT and the sudo mv/kustomize
steps to remain compatible with the pinned installer behavior.

In @.github/workflows/release-testsuite.yaml:
- Line 26: The hardcoded tag value "4.22.999-snapshot" should be replaced with a
reusable env var; define RELEASE_TAG in the workflow's top-level env block (or
as a workflow_dispatch/input) and change the tags entry to reference it (use
GitHub Actions expression syntax like ${{ env.RELEASE_TAG }}), so update the
workflow file to declare RELEASE_TAG and replace the literal "4.22.999-snapshot"
with that env reference.

In `@hack/test-kustomize.sh`:
- Around line 38-45: The is_excluded function currently uses exact equality and
fails on ./ prefixes or nested paths; update is_excluded to normalize the
incoming dir and each EXCLUDED_DIRS entry by removing any leading ./ and
trailing slashes, then test exclusion by checking either exact equality or
prefix-match (excluded + "/" as a prefix) so directories under an excluded root
are also skipped; reference the is_excluded function and the EXCLUDED_DIRS array
in your change and ensure the same normalization/prefix logic is applied
wherever is_excluded is called.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: bca4010d-efe6-42eb-ac46-e5af0d588300

📥 Commits

Reviewing files that changed from the base of the PR and between 3336c91 and 2666389.

📒 Files selected for processing (41)

• .github/workflows/kustomize-validation.yml
• .github/workflows/release-testsuite.yaml
• .konflux/bundle/bundle.konflux.Dockerfile
• .konflux/bundle/metadata/annotations.yaml
• .konflux/bundle/overlay/pin_images.in.yaml
• .konflux/bundle/overlay/release.in.yaml
• .konflux/catalog/bundle.builds.in.yaml
• .konflux/catalog/catalog-idms.yaml
• .konflux/catalog/catalog-template.in.yaml
• .konflux/container-build.args
• .konflux/must-gather/must-gather.konflux.Dockerfile
• .konflux/must-gather/rpms.lock.yaml
• .konflux/operator/konflux.Dockerfile
• .tekton/build-pipeline-must-gather.yaml
• .tekton/build-pipeline.yaml
• .tekton/fbc-pipeline.yaml
• .tekton/images-mirror-set.yaml
• .tekton/numaresources-must-gather-4-22-pull-request.yaml
• .tekton/numaresources-must-gather-4-22-push.yaml
• .tekton/numaresources-operator-4-22-pull-request.yaml
• .tekton/numaresources-operator-4-22-push.yaml
• .tekton/numaresources-operator-bundle-4-22-pull-request.yaml
• .tekton/numaresources-operator-bundle-4-22-push.yaml
• .tekton/numaresources-operator-fbc-4-22-pull-request.yaml
• .tekton/numaresources-operator-fbc-4-22-push.yaml
• Makefile
• README.tests.md
• bundle/manifests/numaresources-operator.clusterserviceversion.yaml
• config/manager/kustomization.yaml
• config/manifests/bases/numaresources-operator.clusterserviceversion.yaml
• config/samples/nodetopology_v1_numaresourcesscheduler.yaml
• config/samples/nodetopology_v1alpha1_numaresourcesscheduler.yaml
• doc/examples/sched.debug.yaml
• doc/examples/sched.ha.yaml
• doc/examples/sched.nocache.yaml
• doc/examples/sched.yaml
• hack/test-kustomize.sh
• internal/api/features/types.go
• internal/controller/numaresourcesscheduler_controller_test.go
• pkg/numaresourcesscheduler/manifests/yaml/configmap.nrt.yaml
• test/e2e/must-gather/must_gather_suite_test.go

[openshift-ci]

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ci-unit	2666389	link	true	/test ci-unit
ci/prow/security	2666389	link	false	/test security
ci/prow/ci-index-tested-numaresources-operator-bundle	2666389	link	true	/test ci-index-tested-numaresources-operator-bundle
ci/prow/ci-e2e-compact	2666389	link	false	/test ci-e2e-compact
ci/prow/ci-install-e2e-compact	2666389	link	false	/test ci-install-e2e-compact
ci/prow/ci-must-gather-e2e	2666389	link	true	/test ci-must-gather-e2e
ci/prow/ci-e2e-install-hypershift	2666389	link	true	/test ci-e2e-install-hypershift
ci/prow/images	2666389	link	true	/test images
ci/prow/ci-e2e	2666389	link	true	/test ci-e2e
ci/prow/ci-install-e2e	2666389	link	true	/test ci-install-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Tal-or]

Hey @sebrandon1,

if still relevant please rebase