AGENT-1461: Do not discard NMStateConfig when agent-config is on disk for unconfigured-ignition

[pawanpinjarkar]

Do not discard NMStateConfig when agent-config is on disk for unconfigured-ignition. This use case is particularly for the OVE use case when rendezvousIP and Static networking via NMStateconfig are provided via SaaS UI.

This PR follows a similar approach for already existing InfraEnv and InfraEnvFile assets.

[openshift-ci-robot]

@pawanpinjarkar: Jira Issue OCPBUGS-78420 is in a security level that is not in the allowed security levels for this repo.
Allowed security levels for this repo are:

• Red Hat Employee
• Red Hat Partner
• default

Details

In response to this:

Do not discard NMStateConfig when agent-config is on disk for unconfigured-ignition. This use case is particularly for the OVE use case when rendezvousIP and Static networking via NMStateconfig are provided via SaaS UI.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c5334766-c7c7-4d09-baa9-77ac42680d61

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Extracts file-backed assets AgentConfigFile and NMStateConfigFile, moves loading/validation into them, updates UnconfiguredIgnition to validate agent-config (rendezvousIP-only), and adds multiple unconfigured-ignition testdata and tests; updates callers and test fixtures to the new asset shapes.

Changes

Cohort / File(s)	Summary
Unconfigured-Ignition testdata cmd/openshift-install/testdata/agent/unconfigured-ignition/configurations/with-agent-config-rendezvousip.txt, cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-boot-artifacts-url.txt, cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-hosts.txt, cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-minimal-iso.txt, cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt	Adds tests and validation scenarios: one valid rendezvousIP case and several invalid-agent-config cases (bootArtifactsBaseURL, hosts, minimalISO, additional NTP sources).
AgentConfig refactor pkg/asset/agent/agentconfig/agent_config.go, pkg/asset/agent/agentconfig/agent_config_file.go	Splits AgentConfig into a lightweight AgentConfig (generator) and a new file-backed AgentConfigFile that handles Load, Validate, Persist, and template generation; removes legacy persistence/validation from the former.
NMStateConfig refactor pkg/asset/agent/manifests/nmstateconfig.go, pkg/asset/agent/manifests/nmstateconfigfile.go	Introduces NMStateConfigFile to load/validate NMState YAML(s) and produce StaticNetworkConfig; refactors NMStateConfig to embed/delegate to NMStateConfigFile and consolidate validation.
Unconfigured ignition logic & validation pkg/asset/agent/image/unconfigured_ignition.go, pkg/asset/agent/image/unconfigured_ignition_test.go	Wires AgentConfigFile and NMStateConfigFile into dependencies, updates rendezvousIP retrieval, adds validateAgentConfigForUnconfiguredIgnition enforcing rendezvousIP-only, and expands tests for multiple invalid agent-config permutations.
Tests & fixtures updated pkg/asset/agent/agentconfig/agenthosts_test.go, pkg/asset/agent/image/ignition_test.go, pkg/asset/agent/manifests/agent_test.go, pkg/asset/agent/manifests/util_test.go	Updates test fixtures and literals to use AgentConfigFile and NMStateConfigFile shapes and relocates access to nested Config/RendezvousIP fields.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rwsu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• cmd/openshift-install/testdata/agent/OWNERS
• pkg/asset/agent/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@cmd/openshift-install/testdata/agent/unconfigured-ignition/configurations/with-agent-config-rendezvousip.txt`:
- Around line 53-58: Replace the real-looking base64 auth string in the test
fixture under the ".dockerconfigjson" object (the "auth" value currently
"c3VwZXItc2VjcmV0Cg==") with a clearly fake placeholder (e.g.
"PLACEHOLDER_AUTH_TOKEN") and update any other similar pull-secret fixtures to
use the same placeholder to avoid triggering the secret scanner; edit the
fixture in the testdata file and mirror the change across other new fixtures
referencing the same "auth" field so CI/gitleaks no longer flags it.

In
`@cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-boot-artifacts-url.txt`:
- Around line 42-47: The fixture contains a hardcoded base64 auth value ("auth":
"c3VwZXItc2VjcmV0Cg==") under the .dockerconfigjson object which tripped the
secret scanner; replace that value with a clear non-secret placeholder (e.g. a
base64 encode of "PLACEHOLDER" or a string like "BASE64_PLACEHOLDER") so it
remains syntactically valid JSON but contains no real credentials, updating the
"auth" field in the test fixture accordingly.

In `@pkg/asset/agent/agentconfig/agent_config_file.go`:
- Around line 57-63: PersistToFile currently writes only a.Template which can be
empty after Load, truncating the file; change PersistToFile in AgentConfigFile
so it writes a non-empty source: prefer a.Template if set, otherwise fall back
to a.File (the original file contents) and if that's empty marshal a.Config to
YAML and write that; update references to AgentConfigFile.PersistToFile,
AgentConfigFile.Template, AgentConfigFile.File and AgentConfigFile.Config to
implement this fallback before calling os.WriteFile for agentConfigFilename.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: de1dbbc4-b883-440a-9e4a-13571fbd3dc6

📥 Commits

Reviewing files that changed from the base of the PR and between 3528292 and 560b2be.

📒 Files selected for processing (15)

• cmd/openshift-install/testdata/agent/unconfigured-ignition/configurations/with-agent-config-rendezvousip.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-boot-artifacts-url.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-hosts.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-minimal-iso.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt
• pkg/asset/agent/agentconfig/agent_config.go
• pkg/asset/agent/agentconfig/agent_config_file.go
• pkg/asset/agent/agentconfig/agenthosts_test.go
• pkg/asset/agent/image/ignition_test.go
• pkg/asset/agent/image/unconfigured_ignition.go
• pkg/asset/agent/image/unconfigured_ignition_test.go
• pkg/asset/agent/manifests/agent_test.go
• pkg/asset/agent/manifests/nmstateconfig.go
• pkg/asset/agent/manifests/nmstateconfigfile.go
• pkg/asset/agent/manifests/util_test.go

[openshift-ci-robot]

@pawanpinjarkar: This pull request references AGENT-1461 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Do not discard NMStateConfig when agent-config is on disk for unconfigured-ignition. This use case is particularly for the OVE use case when rendezvousIP and Static networking via NMStateconfig are provided via SaaS UI.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/asset/agent/agentconfig/agent_config_file.go (1)

56-63: ⚠️ Potential issue | 🟠 Major

Persisting can silently truncate agent-config.yaml

At Line 58, PersistToFile writes only a.Template. After Load, a.Template is typically empty while a.File/a.Config are populated, so this can overwrite a valid file with empty content.

Proposed fix

 func (a *AgentConfigFile) PersistToFile(directory string) error {
 	templatePath := filepath.Join(directory, agentConfigFilename)
-	templateByte := []byte(a.Template)
-
-	err := os.WriteFile(templatePath, templateByte, 0600)
+	data := []byte(a.Template)
+	if len(data) == 0 && a.File != nil && len(a.File.Data) > 0 {
+		data = a.File.Data
+	}
+	if len(data) == 0 && a.Config != nil {
+		rendered, err := yaml.Marshal(a.Config)
+		if err != nil {
+			return errors.Wrapf(err, "failed to marshal %s", agentConfigFilename)
+		}
+		data = rendered
+	}
+
+	err := os.WriteFile(templatePath, data, 0600)
 	if err != nil {
 		return err
 	}
 
 	return nil
 }

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/agentconfig/agent_config_file.go` around lines 56 - 63, The
PersistToFile method writes only a.Template to the file, but after loading,
a.Template may be empty while a.File or a.Config hold the actual valid content.
To fix this, modify PersistToFile to serialize and write the authoritative data
source (likely a.Config or a.File) instead of a.Template to prevent overwriting
with empty content.

🧹 Nitpick comments (2)

pkg/asset/agent/manifests/nmstateconfigfile.go (2)

120-132: Potential empty name in error message.

When nmStateConfig.Name is empty (common for unnamed resources), the error message will be unclear: " does not have any label set".

♻️ Suggested improvement

 for _, nmStateConfig := range n.Config {
     if len(nmStateConfig.ObjectMeta.Labels) == 0 {
-        allErrs = append(allErrs, field.Required(fieldPath, fmt.Sprintf("%s does not have any label set", nmStateConfig.Name)))
+        name := nmStateConfig.Name
+        if name == "" {
+            name = "NMStateConfig"
+        }
+        allErrs = append(allErrs, field.Required(fieldPath, fmt.Sprintf("%s does not have any label set", name)))
     }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/manifests/nmstateconfigfile.go` around lines 120 - 132, The
error message in validateNMStateLabels can produce an unclear string when
nmStateConfig.Name is empty; update validateNMStateLabels to derive a safe
identifier (e.g., use nmStateConfig.Name or nmStateConfig.ObjectMeta.Name and
fall back to a sentinel like "<unnamed>" or use the resource's namespace/name
via GetName/GetNamespace if available) and include that identifier in the
field.Required message so it never emits an empty name; reference the
validateNMStateLabels function, the nmStateConfig loop, and the fieldPath/
nmStateConfig.ObjectMeta.Labels when making the change.

---

97-108: Log level manipulation is not thread-safe.

The logrus.SetLevel / logrus.GetLevel pattern modifies global state. If multiple goroutines load NMStateConfigFile concurrently, log messages from other components could be unexpectedly suppressed or the level could be restored incorrectly.

Consider using a logger instance with a specific level instead of modifying the global logger, or accept that this validation runs in a single-threaded installer context.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/manifests/nmstateconfigfile.go` around lines 97 - 108, The
current validateWithNMStateCtl uses global logrus.SetLevel/GetLevel which is not
thread-safe; replace that pattern by creating a dedicated logger instance (e.g.,
l := logrus.New()), set its level to logrus.WarnLevel on that instance, and pass
instance.WithField("pkg","manifests") into staticnetworkconfig.New instead of
logrus.WithField; remove the global GetLevel/SetLevel and defer restore, and
keep the call to staticNetworkConfigGenerator.ValidateStaticConfigParams
(referenced by staticNetworkConfigGenerator.ValidateStaticConfigParams and
NMStateConfigFile.validateWithNMStateCtl) otherwise unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt`:
- Around line 44-49: The fixture contains a sensitive-looking base64 string
under the .dockerconfigjson auth field ("c3VwZXItc2VjcmV0Cg=="); replace that
value with a clear non-secret placeholder (e.g. a descriptive dummy like
"BASE64_DUMMY_AUTH" or "REPLACE_WITH_DUMMY_AUTH") in this file and apply the
same replacement to any sibling validation fixtures that reuse the same literal
so secret scanners stop flagging the test data; ensure only the literal is
changed and the JSON structure (the "auths" -> "quay.io" -> "auth" hierarchy)
remains unchanged.

---

Duplicate comments:
In `@pkg/asset/agent/agentconfig/agent_config_file.go`:
- Around line 56-63: The PersistToFile method writes only a.Template to the
file, but after loading, a.Template may be empty while a.File or a.Config hold
the actual valid content. To fix this, modify PersistToFile to serialize and
write the authoritative data source (likely a.Config or a.File) instead of
a.Template to prevent overwriting with empty content.

---

Nitpick comments:
In `@pkg/asset/agent/manifests/nmstateconfigfile.go`:
- Around line 120-132: The error message in validateNMStateLabels can produce an
unclear string when nmStateConfig.Name is empty; update validateNMStateLabels to
derive a safe identifier (e.g., use nmStateConfig.Name or
nmStateConfig.ObjectMeta.Name and fall back to a sentinel like "<unnamed>" or
use the resource's namespace/name via GetName/GetNamespace if available) and
include that identifier in the field.Required message so it never emits an empty
name; reference the validateNMStateLabels function, the nmStateConfig loop, and
the fieldPath/ nmStateConfig.ObjectMeta.Labels when making the change.
- Around line 97-108: The current validateWithNMStateCtl uses global
logrus.SetLevel/GetLevel which is not thread-safe; replace that pattern by
creating a dedicated logger instance (e.g., l := logrus.New()), set its level to
logrus.WarnLevel on that instance, and pass
instance.WithField("pkg","manifests") into staticnetworkconfig.New instead of
logrus.WithField; remove the global GetLevel/SetLevel and defer restore, and
keep the call to staticNetworkConfigGenerator.ValidateStaticConfigParams
(referenced by staticNetworkConfigGenerator.ValidateStaticConfigParams and
NMStateConfigFile.validateWithNMStateCtl) otherwise unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a86d23f7-cc22-4fa7-8d21-44f057e10264

📥 Commits

Reviewing files that changed from the base of the PR and between dce4f85 and 033360d.

📒 Files selected for processing (15)

• cmd/openshift-install/testdata/agent/unconfigured-ignition/configurations/with-agent-config-rendezvousip.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-boot-artifacts-url.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-hosts.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-minimal-iso.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt
• pkg/asset/agent/agentconfig/agent_config.go
• pkg/asset/agent/agentconfig/agent_config_file.go
• pkg/asset/agent/agentconfig/agenthosts_test.go
• pkg/asset/agent/image/ignition_test.go
• pkg/asset/agent/image/unconfigured_ignition.go
• pkg/asset/agent/image/unconfigured_ignition_test.go
• pkg/asset/agent/manifests/agent_test.go
• pkg/asset/agent/manifests/nmstateconfig.go
• pkg/asset/agent/manifests/nmstateconfigfile.go
• pkg/asset/agent/manifests/util_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/asset/agent/manifests/util_test.go
• cmd/openshift-install/testdata/agent/unconfigured-ignition/configurations/with-agent-config-rendezvousip.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-hosts.txt

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use a non-secret placeholder in pull-secret fixture to avoid scanner hits

Line 48 uses a value that is repeatedly flagged by secret scanners. Please replace it with a clear dummy placeholder (and apply the same replacement to sibling new validation fixtures using the same literal).

Proposed fixture update

-        "quay.io": {
-          "auth": "c3VwZXItc2VjcmV0Cg=="
-        }
+        "quay.io": {
+          "auth": "test-auth-placeholder"
+        }

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	.dockerconfigjson: |-
	{
	"auths": {
	"quay.io": {
	"auth": "c3VwZXItc2VjcmV0Cg=="
	}
	.dockerconfigjson: |-
	{
	"auths": {
	"quay.io": {
	"auth": "test-auth-placeholder"
	}

🧰 Tools

🪛 Gitleaks (8.30.0)

[high] 48-48: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt`
around lines 44 - 49, The fixture contains a sensitive-looking base64 string
under the .dockerconfigjson auth field ("c3VwZXItc2VjcmV0Cg=="); replace that
value with a clear non-secret placeholder (e.g. a descriptive dummy like
"BASE64_DUMMY_AUTH" or "REPLACE_WITH_DUMMY_AUTH") in this file and apply the
same replacement to any sibling validation fixtures that reuse the same literal
so secret scanners stop flagging the test data; ensure only the literal is
changed and the JSON structure (the "auths" -> "quay.io" -> "auth" hierarchy)
remains unchanged.

[bfournie]

/retest

[coderabbitai]

♻️ Duplicate comments (1)

cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt (1)

44-49: ⚠️ Potential issue | 🟠 Major

Replace secret-like auth fixture value with a clear dummy placeholder.

Line 48 uses a credential-looking base64 string that will keep triggering secret scanners in testdata.

Proposed minimal fix

         "quay.io": {
-          "auth": "c3VwZXItc2VjcmV0Cg=="
+          "auth": "BASE64_DUMMY_AUTH"
         }

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt`
around lines 44 - 49, Replace the secret-like base64 value under the
.dockerconfigjson "auth" field (currently "c3VwZXItc2VjcmV0Cg==") with a clear
non-secret dummy placeholder (e.g., "dummy-auth" or "REDACTED") so testdata
doesn't trigger secret scanners; update the value in the same .dockerconfigjson
JSON block where the "auths" -> "quay.io" -> "auth" key appears.

🧹 Nitpick comments (1)

pkg/asset/agent/agentconfig/agent_config_file.go (1)

157-160: Unused function unmarshalJSON.

This function is defined but never called within the file. Consider removing it if it's not needed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/agentconfig/agent_config_file.go` around lines 157 - 160, The
function unmarshalJSON is defined but never used; either remove the unused
function unmarshalJSON entirely from agent_config_file.go, or if intended for
YAML-to-JSON conversion reuse, wire it into the code paths that decode config
(e.g., replace direct yaml.JSONToYAML calls with unmarshalJSON or call
unmarshalJSON from the relevant unmarshalling function); ensure you update
imports if removal eliminates yaml usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In
`@cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt`:
- Around line 44-49: Replace the secret-like base64 value under the
.dockerconfigjson "auth" field (currently "c3VwZXItc2VjcmV0Cg==") with a clear
non-secret dummy placeholder (e.g., "dummy-auth" or "REDACTED") so testdata
doesn't trigger secret scanners; update the value in the same .dockerconfigjson
JSON block where the "auths" -> "quay.io" -> "auth" key appears.

---

Nitpick comments:
In `@pkg/asset/agent/agentconfig/agent_config_file.go`:
- Around line 157-160: The function unmarshalJSON is defined but never used;
either remove the unused function unmarshalJSON entirely from
agent_config_file.go, or if intended for YAML-to-JSON conversion reuse, wire it
into the code paths that decode config (e.g., replace direct yaml.JSONToYAML
calls with unmarshalJSON or call unmarshalJSON from the relevant unmarshalling
function); ensure you update imports if removal eliminates yaml usage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c510f177-4595-444b-abbb-f605a557d013

📥 Commits

Reviewing files that changed from the base of the PR and between 033360d and 9957efb.

📒 Files selected for processing (15)

• cmd/openshift-install/testdata/agent/unconfigured-ignition/configurations/with-agent-config-rendezvousip.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-boot-artifacts-url.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-hosts.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-minimal-iso.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt
• pkg/asset/agent/agentconfig/agent_config.go
• pkg/asset/agent/agentconfig/agent_config_file.go
• pkg/asset/agent/agentconfig/agenthosts_test.go
• pkg/asset/agent/image/ignition_test.go
• pkg/asset/agent/image/unconfigured_ignition.go
• pkg/asset/agent/image/unconfigured_ignition_test.go
• pkg/asset/agent/manifests/agent_test.go
• pkg/asset/agent/manifests/nmstateconfig.go
• pkg/asset/agent/manifests/nmstateconfigfile.go
• pkg/asset/agent/manifests/util_test.go

✅ Files skipped from review due to trivial changes (1)

• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-boot-artifacts-url.txt

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/asset/agent/agentconfig/agenthosts_test.go
• pkg/asset/agent/manifests/agent_test.go
• pkg/asset/agent/manifests/util_test.go

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/asset/agent/agentconfig/agent_config_file.go (1)

57-63: ⚠️ Potential issue | 🟠 Major

PersistToFile can still write an empty agent-config.yaml in Config-only state.

If Template is empty and File is nil/empty, this silently writes zero bytes even when Config is populated.

Proposed fix

 func (a *AgentConfigFile) PersistToFile(directory string) error {
 	templatePath := filepath.Join(directory, agentConfigFilename)
 	data := []byte(a.Template)
-	if a.File != nil && len(a.File.Data) > 0 {
+	if len(data) == 0 && a.File != nil && len(a.File.Data) > 0 {
 		data = a.File.Data
 	}
+	if len(data) == 0 && a.Config != nil {
+		marshaled, err := yaml.Marshal(a.Config)
+		if err != nil {
+			return errors.Wrap(err, "failed to marshal agent config")
+		}
+		data = marshaled
+	}
+	if len(data) == 0 {
+		return errors.New("no agent-config content available to persist")
+	}
 	err := os.WriteFile(templatePath, data, 0600)
 	if err != nil {
 		return err
 	}
 	return nil
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/agentconfig/agent_config_file.go` around lines 57 - 63,
PersistToFile currently chooses data from a.Template or a.File.Data but will
write an empty file if both are empty; update PersistToFile to check the
resulting data, and if it's empty and a.Config is populated, marshal a.Config
into YAML (e.g., using yaml.Marshal) and use that as data; if data is still
empty (or marshaling fails) return a clear non-nil error instead of writing an
empty file; keep the final os.WriteFile call (with mode 0600) using the
validated/generated data and propagate any write errors.

🧹 Nitpick comments (1)

pkg/asset/agent/image/unconfigured_ignition_test.go (1)

57-135: Add a direct regression case for agent-config + nmstateconfig together.

The table currently covers “nmstate only” and “agent-config only”, but not the exact combined path this PR is fixing. Add one case that injects both and asserts NMState network artifacts are still emitted.

Suggested test case addition

 		{
 			name: "with-nmstateconfigs",
 			overrideDeps: []asset.Asset{
 				&nmStateConfig,
 			},
 			expectedFiles: generatedFilesUnconfiguredIgnition("/etc/assisted/network/host0/eth0.nmconnection",
 				"/etc/assisted/network/host0/mac_interface.ini", "/usr/local/bin/pre-network-manager-config.sh", "/usr/local/bin/oci-eval-user-data.sh"),
 			serviceEnabledMap: map[string]bool{
 				"pre-network-manager-config.service": true,
 				"oci-eval-user-data.service":         true,
 				"agent-check-config-image.service":   true},
 		},
+		{
+			name: "with-nmstateconfigs-and-rendezvousIP-agentconfig",
+			overrideDeps: []asset.Asset{
+				&nmStateConfig,
+				&agentconfig.AgentConfig{
+					AgentConfigFile: agentconfig.AgentConfigFile{
+						Config: &agenttypes.Config{
+							RendezvousIP: "192.168.111.20",
+						},
+					},
+				},
+			},
+			expectedFiles: generatedFilesUnconfiguredIgnition(
+				"/etc/assisted/network/host0/eth0.nmconnection",
+				"/etc/assisted/network/host0/mac_interface.ini",
+				"/etc/assisted/rendezvous-host.env",
+				"/usr/local/bin/pre-network-manager-config.sh",
+				"/usr/local/bin/oci-eval-user-data.sh",
+			),
+		},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/agent/image/unconfigured_ignition_test.go` around lines 57 - 135,
Add a new table test case that injects both an agentconfig.AgentConfig and the
nmstate asset (e.g. nmstate.NMStateConfig) into overrideDeps to cover the
combined path; set agentconfig.AgentConfig.Config.RendezvousIP and a simple
nmstate config in nmstate.NMStateConfig, then assert expectedFiles includes the
usual generatedFilesUnconfiguredIgnition(...) plus the NMState network
artifact(s) (the nmstate output file(s) your code emits) and that
serviceEnabledMap remains correct; place this new case alongside the existing
cases so the test exercises the combined agent-config + nmstateconfig path.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/asset/agent/manifests/nmstateconfigfile.go`:
- Around line 103-106: The code mutates the global Logrus level; instead create
a dedicated logger instance for staticnetworkconfig.New by constructing a new
logger (e.g., logger := logrus.New()), set its level to WarnLevel on that
instance (logger.SetLevel(logrus.WarnLevel)), create a fielded entry
(logrus.NewEntry(logger).WithField("pkg","manifests")) and pass that entry to
staticnetworkconfig.New along with the Config; remove the calls to
logrus.GetLevel and logrus.SetLevel and the defer so no global logger state is
changed.

---

Duplicate comments:
In `@pkg/asset/agent/agentconfig/agent_config_file.go`:
- Around line 57-63: PersistToFile currently chooses data from a.Template or
a.File.Data but will write an empty file if both are empty; update PersistToFile
to check the resulting data, and if it's empty and a.Config is populated,
marshal a.Config into YAML (e.g., using yaml.Marshal) and use that as data; if
data is still empty (or marshaling fails) return a clear non-nil error instead
of writing an empty file; keep the final os.WriteFile call (with mode 0600)
using the validated/generated data and propagate any write errors.

---

Nitpick comments:
In `@pkg/asset/agent/image/unconfigured_ignition_test.go`:
- Around line 57-135: Add a new table test case that injects both an
agentconfig.AgentConfig and the nmstate asset (e.g. nmstate.NMStateConfig) into
overrideDeps to cover the combined path; set
agentconfig.AgentConfig.Config.RendezvousIP and a simple nmstate config in
nmstate.NMStateConfig, then assert expectedFiles includes the usual
generatedFilesUnconfiguredIgnition(...) plus the NMState network artifact(s)
(the nmstate output file(s) your code emits) and that serviceEnabledMap remains
correct; place this new case alongside the existing cases so the test exercises
the combined agent-config + nmstateconfig path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f9607246-90c0-4bdf-8d89-caa8b322f0ff

📥 Commits

Reviewing files that changed from the base of the PR and between 9957efb and 1527eb9.

📒 Files selected for processing (15)

• cmd/openshift-install/testdata/agent/unconfigured-ignition/configurations/with-agent-config-rendezvousip.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-boot-artifacts-url.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-hosts.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-minimal-iso.txt
• cmd/openshift-install/testdata/agent/unconfigured-ignition/validations/agent-config-with-ntp-sources.txt
• pkg/asset/agent/agentconfig/agent_config.go
• pkg/asset/agent/agentconfig/agent_config_file.go
• pkg/asset/agent/agentconfig/agenthosts_test.go
• pkg/asset/agent/image/ignition_test.go
• pkg/asset/agent/image/unconfigured_ignition.go
• pkg/asset/agent/image/unconfigured_ignition_test.go
• pkg/asset/agent/manifests/agent_test.go
• pkg/asset/agent/manifests/nmstateconfig.go
• pkg/asset/agent/manifests/nmstateconfigfile.go
• pkg/asset/agent/manifests/util_test.go

🚧 Files skipped from review as they are similar to previous changes (4)

• pkg/asset/agent/manifests/util_test.go
• pkg/asset/agent/manifests/agent_test.go
• pkg/asset/agent/image/ignition_test.go
• pkg/asset/agent/agentconfig/agenthosts_test.go

[pawanpinjarkar]

/test e2e-agent-compact-ipv4-iso-no-registry

[pawanpinjarkar]

/test e2e-agent-compact-ipv4-iso-no-registry

[openshift-ci-robot]

@pawanpinjarkar: This pull request references AGENT-1461 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Do not discard NMStateConfig when agent-config is on disk for unconfigured-ignition. This use case is particularly for the OVE use case when rendezvousIP and Static networking via NMStateconfig are provided via SaaS UI.

This PR follows a similar approach for already existing InfraEnv and InfraEnvFile assets.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pawanpinjarkar]

/test e2e-agent-compact-ipv4-iso-no-registry

[andfasano]

I don't think this split is really required?

[pawanpinjarkar]

We need to also split NMStateConfig into NMStateConfig NMStateConfigFile because as the NMStateConfig has dependencies, when it's loaded from disk, the asset system marks it as "dirty" and tries to regenerate it. Since Generate() returns early when there are no agent hosts (line 76), the loaded network config is lost.
level=warning msg= Discarding the NMState Config that was provided in the target directory because its dependencies are dirty and it needs to be regenerated

[andfasano]

/test e2e-agent-compact-ipv4-iso-no-registry

[pawanpinjarkar]

/verified by ci/prow/integration-tests

[openshift-ci-robot]

@pawanpinjarkar: This PR has been marked as verified by [ci/prow/integration-tests](https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/10393/pull-ci-openshift-installer-main-integration-tests/2034361673384464384).

Details

In response to this:

/verified by ci/prow/integration-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[andfasano]

/lgtm

Let's see if we could get also a gree iso-no-registry run

/test e2e-agent-compact-ipv4-iso-no-registry

[andfasano]

/retest

[pawanpinjarkar]

/test e2e-agent-compact-ipv4-iso-no-registry

[pawanpinjarkar]

/cherrypick release-4.21

[openshift-cherrypick-robot]

@pawanpinjarkar: once the present PR merges, I will cherry-pick it on top of release-4.21 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@pawanpinjarkar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agent-two-node-fencing-ipv4	5889656	link	false	/test e2e-agent-two-node-fencing-ipv4
ci/prow/e2e-agent-compact-ipv4-iso-no-registry	5889656	link	false	/test e2e-agent-compact-ipv4-iso-no-registry

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pawanpinjarkar]

/hold

[pawanpinjarkar]

/hold cancel

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.