feat(karpenter): add envtest and e2e tests for kubelet config

Add envtest suites for CEL validation rules including threshold
ordering, field promotion ratcheting, and generated ratcheting tests.
Add e2e test infrastructure for verifying kubelet config on nodes.

Signed-off-by: John Kyros <jkyros@redhat.com>

Author: jkyros

Makefile

@@ -200,6 +200,7 @@ karpenter-api: $(CONTROLLER_GEN) $(YQ)
 	karpenter-operator/hack/adjust-cel.sh
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./api/karpenter/..." output:crd:artifacts:config=karpenter-operator/controllers/karpenter/assets
 	cp karpenter-operator/controllers/karpenter/assets/karpenter.hypershift.openshift.io_openshiftec2nodeclasses.yaml karpenter-operator/controllers/karpenter/assets/zz_generated.crd-manifests/openshiftec2nodeclasses.crd.yaml
+	$(GO) run ./hack/kubelet-ratcheting-gen/main.go
 
 .PHONY: control-plane-operator
 control-plane-operator:

api/karpenter/v1/kubelet_config.go

@@ -42,7 +42,6 @@ func init() {
 // +kubebuilder:validation:XValidation:rule="!has(self.podsPerCore) || !has(self.maxPods) || self.podsPerCore <= self.maxPods",message="podsPerCore must not exceed maxPods"
 // +kubebuilder:validation:XValidation:rule="!has(self.evictionSoft) || (has(self.evictionSoftGracePeriod) && self.evictionSoft.all(e, e in self.evictionSoftGracePeriod))",message="evictionSoft entry does not have a matching evictionSoftGracePeriod"
 // +kubebuilder:validation:XValidation:rule="!has(self.evictionSoftGracePeriod) || (has(self.evictionSoft) && self.evictionSoftGracePeriod.all(e, e in self.evictionSoft))",message="evictionSoftGracePeriod entry does not have a matching evictionSoft"
-// +kubebuilder:validation:XValidation:rule="!has(self.evictionHard) || !has(self.evictionSoft) || self.evictionHard.all(key, !(key in self.evictionSoft) || (self.evictionSoft[key].endsWith('%') && self.evictionHard[key].endsWith('%')) ? (self.evictionSoft[key].size() <= 1 || self.evictionHard[key].size() <= 1 || double(self.evictionSoft[key].substring(0, self.evictionSoft[key].size() - 1)) >= double(self.evictionHard[key].substring(0, self.evictionHard[key].size() - 1))) : (!(isQuantity(self.evictionSoft[key]) && isQuantity(self.evictionHard[key])) || quantity(self.evictionSoft[key]).compareTo(quantity(self.evictionHard[key])) >= 0))",message="evictionSoft threshold must be greater than or equal to evictionHard threshold for the same signal (soft eviction should fire before hard)"
 type KubeletConfiguration struct {
 	// maxPods is the maximum number of pods that can run on a node.
 	// The value must be between 1 and 2500, inclusive.

hack/kubelet-ratcheting-gen/main.go

@@ -0,0 +1,178 @@
+// kubelet-ratcheting-gen generates the envtest ratcheting testsuite for KubeletConfiguration.
+// It reflects over KubeletConfiguration to enumerate all typed fields, verifies each has a
+// fixture value, and writes a testsuite YAML that simulates a pre-upgrade → post-upgrade
+// CRD schema swap. Run via: go run ./hack/kubelet-ratcheting-gen/main.go (from repo root).
+//
+// When adding a new typed field to KubeletConfiguration:
+//  1. Add a fixture value to the fixtures map below.
+//  2. Run `make karpenter-api` to regenerate the testsuite.
+//  3. Commit the updated testsuite YAML.
+package main
+
+import (
+	"fmt"
+	"os"
+	"reflect"
+	"strings"
+	"text/template"
+
+	karpenterv1 "github.com/openshift/hypershift/api/karpenter/v1"
+)
+
+const outputPath = "karpenter-operator/controllers/karpenter/assets/tests/" +
+	"openshiftec2nodeclasses.karpenter.hypershift.openshift.io/" +
+	"stable.openshiftec2nodeclasses.kubelet-ratcheting.testsuite.yaml"
+
+// fixtures maps each KubeletConfiguration JSON field name to a valid YAML snippet.
+// Values must satisfy all CRD validation rules (min/max, CEL cross-field constraints).
+// Add an entry here when promoting a new field from overflow to typed.
+var fixtures = map[string]string{
+	"maxPods":                     "110",
+	"podsPerCore":                 "10",
+	"systemReserved":              "cpu: \"100m\"\n            memory: \"256Mi\"",
+	"kubeReserved":                "cpu: \"200m\"\n            memory: \"512Mi\"",
+	"evictionHard":                "memory.available: \"100Mi\"\n            nodefs.available: \"10%\"",
+	"evictionSoft":                "memory.available: \"200Mi\"",
+	"evictionSoftGracePeriod":     "memory.available: \"30s\"",
+	"evictionMaxPodGracePeriod":   "60",
+	"imageGCHighThresholdPercent": "85",
+	"imageGCLowThresholdPercent":  "80",
+	"cpuCFSQuota":                 "true",
+}
+
+// mapFields are fields whose fixture value is a YAML mapping (rendered with extra indentation).
+var mapFields = map[string]bool{
+	"systemReserved":          true,
+	"kubeReserved":            true,
+	"evictionHard":            true,
+	"evictionSoft":            true,
+	"evictionSoftGracePeriod": true,
+}
+
+const testsuiteTmpl = `# Code generated by hack/kubelet-ratcheting-gen. DO NOT EDIT.
+# To regenerate: make karpenter-api
+# To add a new field: add a fixture in hack/kubelet-ratcheting-gen/main.go, then regenerate.
+apiVersion: apiextensions.k8s.io/v1
+name: "OpenshiftEC2NodeClass kubelet ratcheting validation"
+crdName: openshiftec2nodeclasses.karpenter.hypershift.openshift.io
+version: v1
+# Verifies that all currently-typed kubelet fields survive a CRD schema upgrade.
+# initialCRDPatches strip the entire kubelet typed-field schema back to a pure
+# "type: object, x-kubernetes-preserve-unknown-fields: true" — the state that existed
+# before any fields were promoted from overflow. The initial object is created with all
+# typed fields set (they land in overflow under the patched schema). The patches are then
+# reverted and the update is applied, verifying every field survives the upgrade seamlessly.
+tests:
+  onUpdate:
+  - name: When all typed kubelet fields were set before they were typed they should remain valid after CRD upgrade
+    initialCRDPatches:
+      # Strip all typed field schemas, leaving type: object, x-kubernetes-preserve-unknown-fields: true.
+      - op: remove
+        path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/kubelet/properties
+      # Strip all CEL cross-field validation rules.
+      - op: remove
+        path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/kubelet/x-kubernetes-validations
+    initial: |
+      apiVersion: karpenter.hypershift.openshift.io/v1
+      kind: OpenshiftEC2NodeClass
+      spec:
+        subnetSelectorTerms:
+        - tags:
+            env: test
+        securityGroupSelectorTerms:
+        - id: sg-0123456789abcdef0
+        kubelet:
+{{- range .Fields}}
+          {{.Name}}:{{if .IsMap}}
+            {{.Value}}{{else}} {{.Value}}{{end}}
+{{- end}}
+    updated: |
+      apiVersion: karpenter.hypershift.openshift.io/v1
+      kind: OpenshiftEC2NodeClass
+      spec:
+        subnetSelectorTerms:
+        - tags:
+            env: test
+        securityGroupSelectorTerms:
+        - id: sg-0123456789abcdef0
+        kubelet:
+{{- range .Fields}}
+          {{.Name}}:{{if .IsMap}}
+            {{.Value}}{{else}} {{.Value}}{{end}}
+{{- end}}
+`
+
+type field struct {
+	Name  string
+	Value string
+	IsMap bool
+}
+
+func main() {
+	if err := run(); err != nil {
+		fmt.Fprintf(os.Stderr, "error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	fields, err := collectFields()
+	if err != nil {
+		return err
+	}
+
+	tmpl, err := template.New("testsuite").Parse(testsuiteTmpl)
+	if err != nil {
+		return fmt.Errorf("parsing template: %w", err)
+	}
+
+	f, err := os.Create(outputPath)
+	if err != nil {
+		return fmt.Errorf("creating output file %s: %w", outputPath, err)
+	}
+	defer f.Close()
+
+	if err := tmpl.Execute(f, struct{ Fields []field }{Fields: fields}); err != nil {
+		return fmt.Errorf("executing template: %w", err)
+	}
+
+	fmt.Printf("generated %s (%d fields)\n", outputPath, len(fields))
+	return nil
+}
+
+// collectFields reflects over KubeletConfiguration, enumerates typed fields by JSON tag,
+// and looks up each one in the fixtures map. Missing fixtures cause a hard failure.
+func collectFields() ([]field, error) {
+	t := reflect.TypeOf(karpenterv1.KubeletConfiguration{})
+	var fields []field
+	var missing []string
+
+	for i := range t.NumField() {
+		f := t.Field(i)
+		tag := f.Tag.Get("json")
+		if tag == "" || tag == "-" {
+			continue
+		}
+		name, _, _ := strings.Cut(tag, ",")
+		if name == "" || name == "-" {
+			continue
+		}
+
+		val, ok := fixtures[name]
+		if !ok {
+			missing = append(missing, fmt.Sprintf("%s (json:%q)", f.Name, name))
+			continue
+		}
+		fields = append(fields, field{Name: name, Value: val, IsMap: mapFields[name]})
+	}
+
+	if len(missing) > 0 {
+		return nil, fmt.Errorf(
+			"no fixture value for the following KubeletConfiguration fields — "+
+				"add them to the fixtures map in hack/kubelet-ratcheting-gen/main.go:\n  %s",
+			strings.Join(missing, "\n  "),
+		)
+	}
+
+	return fields, nil
+}

karpenter-operator/controllers/karpenter/assets/karpenter.hypershift.openshift.io_openshiftec2nodeclasses.yaml

@@ -396,17 +396,6 @@ spec:
                     evictionSoft
                   rule: '!has(self.evictionSoftGracePeriod) || (has(self.evictionSoft)
                     && self.evictionSoftGracePeriod.all(e, e in self.evictionSoft))'
-                - message: evictionSoft threshold must be greater than or equal to
-                    evictionHard threshold for the same signal (soft eviction should
-                    fire before hard)
-                  rule: '!has(self.evictionHard) || !has(self.evictionSoft) || self.evictionHard.all(key,
-                    !(key in self.evictionSoft) || (self.evictionSoft[key].endsWith(''%'')
-                    && self.evictionHard[key].endsWith(''%'')) ? (self.evictionSoft[key].size()
-                    <= 1 || self.evictionHard[key].size() <= 1 || double(self.evictionSoft[key].substring(0,
-                    self.evictionSoft[key].size() - 1)) >= double(self.evictionHard[key].substring(0,
-                    self.evictionHard[key].size() - 1))) : (!(isQuantity(self.evictionSoft[key])
-                    && isQuantity(self.evictionHard[key])) || quantity(self.evictionSoft[key]).compareTo(quantity(self.evictionHard[key]))
-                    >= 0))'
               metadataOptions:
                 description: |-
                   metadataOptions contains parameters for specifying the exposure of the