OCPBUGS-84692: UPSTREAM-SYNC: Merge https://github.com/kubernetes-sigs/cluster-api:v1.12.7 (b5fa593) into master

[damdo]

Summary by CodeRabbit

• Bug Fixes

  • Fixed control plane deletion to tolerate missing infrastructure templates

• Chores

  • Upgraded cert-manager to v1.20.2
  • Upgraded cluster-api to v1.12.7
  • Updated Kubernetes test environments from v1.36.0-beta.0 to v1.36.0-rc.1
  • Updated CI/CD container images and dependencies
  • Added security exception for non-impactful CVE

• Documentation

  • Updated cert-manager and example configuration references

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [damdo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

This pull request updates cert-manager to v1.20.2, Kubernetes test versions to v1.36.0-rc.1, and Cluster API provider version to v1.12.7. It also fixes KubeadmControlPlane deletion handling to tolerate missing infrastructure machine templates, and updates build dependencies and configurations.

Changes

Cohort / File(s)	Summary
Cert-Manager Version Upgrade (v1.20.1 → v1.20.2) cmd/clusterctl/client/config/cert_manager_client.go, docs/book/src/clusterctl/commands/init.md, docs/book/src/developer/getting-started.md, scripts/ci-e2e-lib.sh, test/e2e/config/docker.yaml	Default cert-manager version updated from v1.20.1 to v1.20.2 across code, documentation, and test configurations.
Kubernetes Version Updates (v1.36.0-beta.0 → v1.36.0-rc.1) test/e2e/config/docker.yaml, test/infrastructure/docker/examples/*	Test configurations and example manifests updated to use Kubernetes v1.36.0-rc.1 for control-plane and worker nodes.
KubeadmControlPlane Deletion Robustness controlplane/kubeadm/internal/filters.go, controlplane/kubeadm/internal/filters_test.go	Bug fix: matchesInfraMachine now tolerates NotFound errors when KCP is being deleted, preventing deletion from being blocked on missing infra machine templates. New regression test added.
Cluster API Provider Version (v1.12.7) openshift/capi-operator-manifests/default/metadata.yaml, openshift/provider-version.mk	OpenShift manifest and make variable updated to reflect v1.12.7 release.
Build and Infrastructure Updates .trivyignore, cloudbuild-nightly.yaml, cloudbuild.yaml, openshift/tools/go.mod	Security ignore config added for CVE-2026-39883, Cloud Build container image digests updated, and OpenShift tool dependencies bumped.
Documentation Updates docs/book/src/tasks/experimental-features/runtime-sdk/implement-upgrade-plan-hooks.md	GenerateUpgradePlanRequest YAML example split fromKubernetesVersion into separate fromControlPlaneKubernetesVersion and fromWorkersKubernetesVersion fields.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: merging upstream cluster-api v1.12.7 into the master branch, which is confirmed by version updates across multiple files (.mk, metadata.yaml) and dependency updates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test titles in the modified file are static and descriptive with no dynamic values such as timestamps, UUIDs, or pod names.
Test Structure And Quality	✅ Passed	The test changes follow good unit test structure with single responsibilities, proper setup patterns, no indefinite waits, and consistency with existing codebase conventions.
Microshift Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests; only modifies unit test file outside e2e directory.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not introduce new Ginkgo e2e tests requiring SNO compatibility verification. Only standard Go tests in controlplane/kubeadm/internal/filters_test.go were modified.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request introduces only version bumps, documentation updates, and error handling code changes with no topology-incompatible scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	PR contains no violations of OTE Binary Stdout Contract; only version upgrades, configuration updates, documentation changes, and internal library function modifications with no stdout writes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; only a standard Go unit test was added with no IPv4-specific issues.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@damdo: This pull request is an upstream sync and explicitly references no jira issue.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (7)

openshift/capi-operator-manifests/default/metadata.yaml (1)

1-7: LGTM: metadata attributes.version updated consistently with provider version.

The update to attributes.version: v1.12.7 is correctly placed under attributes (with type: core intact) and should align with the repo’s operator/manifests generation expectations.

Optional: add/keep a short note in surrounding generator logic (if it exists) clarifying that versions must include the leading v prefix, to prevent future mismatches.

If there’s validation tooling or a schema that enforces a specific version string format, verify this v1.12.7 format satisfies it.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@openshift/capi-operator-manifests/default/metadata.yaml` around lines 1 - 7,
Update the generator/validation to ensure the attributes.version field always
includes the leading "v" and add a brief inline comment near the generator logic
documenting that versions must include the leading "v" to avoid future
mismatches; specifically check and, if needed, adjust the code that emits
attributes.version (and any validation/schema checks that read it) so "v1.12.7"
is accepted and preserved, and run the repository's schema/validation tooling
against attributes.version to confirm it passes.

.trivyignore (1)

1-5: Suggestion: add a re-check/expiry note to avoid a stale ignore.

The rationale is detailed, but this sort of ignore often needs a “re-evaluate when” marker (e.g., when the release branch picks up Go ≥ 1.25 / otel/sdk v1.43.0 backport / when image base OS changes). That helps prevent the ignore from silently persisting beyond the condition it was meant for.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.trivyignore around lines 1 - 5, Append a short “re-evaluate”/expiry note to
this .trivyignore entry for CVE-2026-39883 explaining when to re-check (e.g.,
when the release branch upgrades to Go >= 1.25, when otel/sdk v1.43.0 is
backported, or if the image base OS changes), include a target review date or
version boundary and reference tools/indicators (govulncheck, Go version,
otel/sdk version) so the ignore cannot remain stale.

docs/book/src/tasks/experimental-features/runtime-sdk/implement-upgrade-plan-hooks.md (2)

147-147: Fix minor grammar: “comply the” → “comply with”.

Line [147] reads “In all the cases above, the GenerateUpgradePlanResponse content must comply the following validation rules:”. Consider changing to “must comply with the following…”.

Proposed change

-In all the cases above, the `GenerateUpgradePlanResponse` content must comply the following validation rules:
+In all the cases above, the `GenerateUpgradePlanResponse` content must comply with the following validation rules:

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/book/src/tasks/experimental-features/runtime-sdk/implement-upgrade-plan-hooks.md`
at line 147, Update the sentence at the mentioned location to correct the
grammar by inserting "with" after "comply" so it reads: "In all the cases above,
the `GenerateUpgradePlanResponse` content must comply with the following
validation rules:"; locate the text referencing GenerateUpgradePlanResponse and
make this replacement.

---

162-162: Remove trailing whitespace in the workersUpgrades bullet.

Line [162] ends with an extra space (“workersUpgrades should be set and ”). Please remove the trailing whitespace to keep diffs clean and avoid lint/style issues.

Proposed change

-- If instead for any reason a custom upgrade plan for workers is required, `workersUpgrades` should be set and 
+- If instead for any reason a custom upgrade plan for workers is required, `workersUpgrades` should be set and

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/book/src/tasks/experimental-features/runtime-sdk/implement-upgrade-plan-hooks.md`
at line 162, Remove the trailing whitespace at the end of the bullet that
mentions workersUpgrades so the sentence reads "...`workersUpgrades` should be
set and" without the extra space; locate the bullet containing the symbol
`workersUpgrades` in the document and delete the trailing space character after
"and".

scripts/ci-e2e-lib.sh (1)

257-269: Update cert-manager pre-pull tags to v1.20.2; consider preventing future drift.

The tag bump to v1.20.2 is consistent with the other changes. To minimize future breakage, it’d be good to confirm that e2e actually references these exact tags for:

• cert-manager-cainjector
• cert-manager-webhook
• cert-manager-controller

Optional refactor: derive the cert-manager version from a single source of truth (env var or generated constant) instead of hardcoding v1.20.2 in Bash.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/ci-e2e-lib.sh` around lines 257 - 269, The cert-manager image tags
are hardcoded to v1.20.2 inside kind:prepullAdditionalImages; change the three
kind::prepullImage calls for cert-manager-cainjector, cert-manager-webhook, and
cert-manager-controller to use a single source-of-truth variable (e.g.,
CERT_MANAGER_TAG) with a sensible default of "v1.20.2" so future bumps only need
one change; ensure the variable is read from the environment if set and fallback
to the default before calling kind::prepullImage, and leave the rest of the loop
that preloads DOCKER_PRELOAD_IMAGES unchanged.

cloudbuild-nightly.yaml (1)

7-16: Pinned Cloud Build image digest changed—verify digest/comment sync + alignment with cloudbuild.yaml.

No other step changes here, which is good. Still, since this is a supply-chain/pinning change, please ensure:

1. the # v20251211-4c812d4cd8 comment actually matches the new digest, and
2. cloudbuild.yaml uses the same digest/comment pairing (to avoid nightly/staging build drift).

Optional: reduce duplication by generating both files from a shared source or validating them in CI.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cloudbuild-nightly.yaml` around lines 7 - 16, The pinned Cloud Build image
digest in the steps block (image string
'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud@sha256:8d6a3a5b895e6776dbe9115b75db1412fbe57299b8db329d45cb54680e462b0b'
and inline comment '# v20251211-4c812d4cd8') must be verified and kept in sync
with cloudbuild.yaml: confirm the sha256 actually matches the referenced release
tag string in the comment and update the comment to the correct tag if it
doesn’t, then ensure the exact same digest+comment pairing is used in
cloudbuild.yaml (or centralize generation/validation in CI) so nightly and
staging builds cannot drift.

docs/book/src/developer/getting-started.md (1)

81-97: Doc install URL updated—ensure it stays in sync with clusterctl defaults.

The kubectl apply -f URL bump to v1.20.2 is consistent with the code change. Minor ask: confirm there are no other cert-manager install URLs in this repo still pointing at v1.20.1 (especially under docs/book/src/clusterctl/commands/init.md and any CI/e2e config).

If you want to avoid future drift, consider referencing a single generated/common value (or a documented constant) rather than duplicating the version in multiple Markdown files.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/book/src/developer/getting-started.md` around lines 81 - 97, Update any
remaining hard-coded cert-manager install URLs to the new v1.20.2 URL used in
the Cert-Manager section (the kubectl apply -f
https://github.com/cert-manager/cert-manager/releases/download/v1.20.2/cert-manager.yaml
line) by searching the repo for v1.20.1 or cert-manager.yaml (especially check
docs/book/src/clusterctl/commands/init.md and CI/e2e config files) and replace
them so all docs and configs are consistent; additionally, to prevent future
drift, consolidate the version into a single source (e.g., a documented constant
or an include/templated value used by Markdown generation) and update
documentation to reference that shared value instead of duplicating the URL.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.trivyignore:
- Around line 1-5: Append a short “re-evaluate”/expiry note to this .trivyignore
entry for CVE-2026-39883 explaining when to re-check (e.g., when the release
branch upgrades to Go >= 1.25, when otel/sdk v1.43.0 is backported, or if the
image base OS changes), include a target review date or version boundary and
reference tools/indicators (govulncheck, Go version, otel/sdk version) so the
ignore cannot remain stale.

In `@cloudbuild-nightly.yaml`:
- Around line 7-16: The pinned Cloud Build image digest in the steps block
(image string
'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud@sha256:8d6a3a5b895e6776dbe9115b75db1412fbe57299b8db329d45cb54680e462b0b'
and inline comment '# v20251211-4c812d4cd8') must be verified and kept in sync
with cloudbuild.yaml: confirm the sha256 actually matches the referenced release
tag string in the comment and update the comment to the correct tag if it
doesn’t, then ensure the exact same digest+comment pairing is used in
cloudbuild.yaml (or centralize generation/validation in CI) so nightly and
staging builds cannot drift.

In `@docs/book/src/developer/getting-started.md`:
- Around line 81-97: Update any remaining hard-coded cert-manager install URLs
to the new v1.20.2 URL used in the Cert-Manager section (the kubectl apply -f
https://github.com/cert-manager/cert-manager/releases/download/v1.20.2/cert-manager.yaml
line) by searching the repo for v1.20.1 or cert-manager.yaml (especially check
docs/book/src/clusterctl/commands/init.md and CI/e2e config files) and replace
them so all docs and configs are consistent; additionally, to prevent future
drift, consolidate the version into a single source (e.g., a documented constant
or an include/templated value used by Markdown generation) and update
documentation to reference that shared value instead of duplicating the URL.

In
`@docs/book/src/tasks/experimental-features/runtime-sdk/implement-upgrade-plan-hooks.md`:
- Line 147: Update the sentence at the mentioned location to correct the grammar
by inserting "with" after "comply" so it reads: "In all the cases above, the
`GenerateUpgradePlanResponse` content must comply with the following validation
rules:"; locate the text referencing GenerateUpgradePlanResponse and make this
replacement.
- Line 162: Remove the trailing whitespace at the end of the bullet that
mentions workersUpgrades so the sentence reads "...`workersUpgrades` should be
set and" without the extra space; locate the bullet containing the symbol
`workersUpgrades` in the document and delete the trailing space character after
"and".

In `@openshift/capi-operator-manifests/default/metadata.yaml`:
- Around line 1-7: Update the generator/validation to ensure the
attributes.version field always includes the leading "v" and add a brief inline
comment near the generator logic documenting that versions must include the
leading "v" to avoid future mismatches; specifically check and, if needed,
adjust the code that emits attributes.version (and any validation/schema checks
that read it) so "v1.12.7" is accepted and preserved, and run the repository's
schema/validation tooling against attributes.version to confirm it passes.

In `@scripts/ci-e2e-lib.sh`:
- Around line 257-269: The cert-manager image tags are hardcoded to v1.20.2
inside kind:prepullAdditionalImages; change the three kind::prepullImage calls
for cert-manager-cainjector, cert-manager-webhook, and cert-manager-controller
to use a single source-of-truth variable (e.g., CERT_MANAGER_TAG) with a
sensible default of "v1.20.2" so future bumps only need one change; ensure the
variable is read from the environment if set and fallback to the default before
calling kind::prepullImage, and leave the rest of the loop that preloads
DOCKER_PRELOAD_IMAGES unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1c56c861-8702-4549-a822-cc80dd280991

📥 Commits

Reviewing files that changed from the base of the PR and between e9e01a1 and e777ff5.

⛔ Files ignored due to path filters (13)

• hack/tools/vendor/sigs.k8s.io/cluster-api/cmd/clusterctl/client/config/cert_manager_client.go is excluded by !**/vendor/**
• openshift/tools/go.sum is excluded by !**/*.sum
• openshift/tools/vendor/github.com/openshift/api/config/v1/types.go is excluded by !**/vendor/**
• openshift/tools/vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**
• openshift/tools/vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**
• openshift/tools/vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !**/vendor/**
• openshift/tools/vendor/github.com/openshift/api/config/v1/types_dns.go is excluded by !**/vendor/**
• openshift/tools/vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**
• openshift/tools/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !**/zz_generated*
• openshift/tools/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !**/zz_generated*
• openshift/tools/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !**/zz_generated*
• openshift/tools/vendor/modules.txt is excluded by !**/vendor/**
• test/vendor/sigs.k8s.io/cluster-api/cmd/clusterctl/client/config/cert_manager_client.go is excluded by !**/vendor/**

📒 Files selected for processing (18)

• .trivyignore
• cloudbuild-nightly.yaml
• cloudbuild.yaml
• cmd/clusterctl/client/config/cert_manager_client.go
• controlplane/kubeadm/internal/filters.go
• controlplane/kubeadm/internal/filters_test.go
• docs/book/src/clusterctl/commands/init.md
• docs/book/src/developer/getting-started.md
• docs/book/src/tasks/experimental-features/runtime-sdk/implement-upgrade-plan-hooks.md
• openshift/capi-operator-manifests/default/metadata.yaml
• openshift/provider-version.mk
• openshift/tools/go.mod
• scripts/ci-e2e-lib.sh
• test/e2e/config/docker.yaml
• test/infrastructure/docker/examples/machine-pool.yaml
• test/infrastructure/docker/examples/simple-cluster-ipv6.yaml
• test/infrastructure/docker/examples/simple-cluster-without-kcp.yaml
• test/infrastructure/docker/examples/simple-cluster.yaml

[damdo]

/test e2e-hypershift

[openshift-ci]

@damdo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[damdo]

/verified by ci

[openshift-ci-robot]

@damdo: This PR has been marked as verified by ci.

Details

In response to this:

/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[racheljpg]

/lgtm

[racheljpg]

/retitle OCPBUGS-84692: UPSTREAM-SYNC: Merge https://github.com/kubernetes-sigs/cluster-api:v1.12.7 (b5fa593) into master

[openshift-ci-robot]

@damdo: Jira Issue Verification Checks: Jira Issue OCPBUGS-84692
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-84692 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Summary by CodeRabbit

• Bug Fixes

• Fixed control plane deletion to tolerate missing infrastructure templates

• Chores

• Upgraded cert-manager to v1.20.2

• Upgraded cluster-api to v1.12.7

• Updated Kubernetes test environments from v1.36.0-beta.0 to v1.36.0-rc.1

• Updated CI/CD container images and dependencies

• Added security exception for non-impactful CVE

• Documentation

• Updated cert-manager and example configuration references

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.