tools: codegen: increase sippy request timeout for feature promotion verification

[everettraven]

We've seen a few instances of Sippy serving slow responses when performing feature promotion verification checks causing the verification check to fail due to exceeding the 30 second timeout.

A recent example of this being https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_api/2738/pull-ci-openshift-api-master-verify-feature-promotion/2037154787757133824

While we don't want to wait for a response from Sippy for forever, it seems like it is becoming a bit more frequent that some sippy queries take more time to receive a response. To be a bit more resilient to slow Sippy responses while trying to balance runtime, I've bumped it from 30 seconds -> 2 minutes for a client timeout. This 4X increase should help us be more resilient to these rarer cases of slow Sippy responses without making worst case runtime (which should not occur often) too bad.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @everettraven! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b03c3de1-5992-4a68-bf4e-9ffe35bcac24

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR increases the Sippy API per-request timeout from 30s to 2m. It moves the ImageModeStatusReporting row within features.md. features/features.go expands FeatureGateImageModeStatusReporting enablement to include inOKD() and inDefault() in addition to existing preview conditions. Multiple payload FeatureGate manifests for 4.10 (Hypershift, SelfManagedHA, OKD, Default variants) move ImageModeStatusReporting from status.featureGates[].disabled to status.featureGates[].enabled. Two MachineConfigNode CRDs add spec.configImage.desiredImage and status.configImage (currentImage, desiredImage) with OCI digest validations.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[everettraven]

Want to cross-test this.

/hold

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tools/codegen/cmd/featuregate-test-analyzer.go (1)

836-870: ⚠️ Potential issue | 🟠 Major

Bind Sippy requests to command context to prevent hanging under timeout conditions

The command-level timeout (10 seconds) is not propagated to HTTP requests in listTestResultForVariant. Requests are created with http.NewRequest() instead of http.NewRequestWithContext(), so they ignore the command's cancellation signal. Combined with the 2-minute HTTP client timeout, this allows stalled requests to block the analyzer far longer than intended.

Required changes

-func listTestResultFor(featureGate string, clusterProfiles sets.Set[string]) (map[JobVariant]*TestingResults, error) {
+func listTestResultFor(ctx context.Context, featureGate string, clusterProfiles sets.Set[string]) (map[JobVariant]*TestingResults, error) {
@@
-        jobVariantResults, err := listTestResultForVariant(featureGate, jobVariant)
+        jobVariantResults, err := listTestResultForVariant(ctx, featureGate, jobVariant)
@@
-func listTestResultForVariant(featureGate string, jobVariant JobVariant) (*TestingResults, error) {
+func listTestResultForVariant(ctx context.Context, featureGate string, jobVariant JobVariant) (*TestingResults, error) {
@@
-        req, err := http.NewRequest(http.MethodGet, currURL.String(), nil)
+        req, err := http.NewRequestWithContext(ctx, http.MethodGet, currURL.String(), nil)

-        testingResults, err := listTestResultFor(enabledFeatureGate, clusterProfiles)
+        testingResults, err := listTestResultFor(ctx, enabledFeatureGate, clusterProfiles)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/codegen/cmd/featuregate-test-analyzer.go` around lines 836 - 870, In
listTestResultForVariant, HTTP requests are created with http.NewRequest so they
don't observe the command's cancellation; replace http.NewRequest(...) with
http.NewRequestWithContext(ctx, ...) (or the command's context variable name
used in this function) and ensure the function signature or surrounding scope
provides that context. Use this context when creating each request before
calling sippyClient.Do(req) so timeouts/cancellations at the command level are
honored for the sippyClient calls.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@tools/codegen/cmd/featuregate-test-analyzer.go`:
- Around line 836-870: In listTestResultForVariant, HTTP requests are created
with http.NewRequest so they don't observe the command's cancellation; replace
http.NewRequest(...) with http.NewRequestWithContext(ctx, ...) (or the command's
context variable name used in this function) and ensure the function signature
or surrounding scope provides that context. Use this context when creating each
request before calling sippyClient.Do(req) so timeouts/cancellations at the
command level are honored for the sippyClient calls.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 6bf8c284-ee0a-40bc-87c8-e02345a875ba

📥 Commits

Reviewing files that changed from the base of the PR and between 30c2ef7 and 0315193.

📒 Files selected for processing (1)

• tools/codegen/cmd/featuregate-test-analyzer.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@payload-manifests/crds/0000_80_machine-config_01_machineconfignodes-OKD.crd.yaml`:
- Around line 123-125: The CEL regex in the rule string (the pattern starting
with '^([a-zA-Z0-9-]+\\.)+...') allows an empty repository namespace and empty
image name (it uses {0,61} and *), letting invalid refs like
"registry.example.com/@sha256:..." slip through; update the pattern used in the
rule entries so the namespace segment is {1,61} (not {0,61}) and require a
non-empty image name (replace the trailing '*$' segment with a '+'-style
requirement, e.g. change [a-zA-Z0-9-_.]*?$ to [a-zA-Z0-9-_.]+?$), and apply this
exact replacement to all three occurrences of that rule in the file (the rule
lines containing self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[...')).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 81671c20-9cab-4023-959e-7e87fcc0d967

📥 Commits

Reviewing files that changed from the base of the PR and between 612919a and 1aa1ed4.

⛔ Files ignored due to path filters (2)

• machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfignodes-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*

📒 Files selected for processing (9)

• features.md
• features/features.go
• payload-manifests/crds/0000_80_machine-config_01_machineconfignodes-Default.crd.yaml
• payload-manifests/crds/0000_80_machine-config_01_machineconfignodes-OKD.crd.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• tools/codegen/cmd/featuregate-test-analyzer.go

✅ Files skipped from review due to trivial changes (2)

• tools/codegen/cmd/featuregate-test-analyzer.go
• features.md

🚧 Files skipped from review as they are similar to previous changes (4)

• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Tighten image-name CEL regex; it currently accepts invalid empty repo paths.

At Line 125, Line 300, and Line 318, the pattern allows empty repository names ({0,61} namespace + * name). Invalid refs like registry.example.com/@sha256:<digest> can pass schema validation and fail later during reconciliation.

Proposed regex tightening

-                      rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{0,61}/)?[a-zA-Z0-9-_.]*?$'))
+                      rule: (self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[a-zA-Z0-9-]+(:[0-9]{2,5})?/([a-zA-Z0-9-_]{1,61}/)?[a-zA-Z0-9-_.]+$'))

Apply the same replacement to all three occurrences in this file.

Also applies to: 298-300, 316-318

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@payload-manifests/crds/0000_80_machine-config_01_machineconfignodes-OKD.crd.yaml`
around lines 123 - 125, The CEL regex in the rule string (the pattern starting
with '^([a-zA-Z0-9-]+\\.)+...') allows an empty repository namespace and empty
image name (it uses {0,61} and *), letting invalid refs like
"registry.example.com/@sha256:..." slip through; update the pattern used in the
rule entries so the namespace segment is {1,61} (not {0,61}) and require a
non-empty image name (replace the trailing '*$' segment with a '+'-style
requirement, e.g. change [a-zA-Z0-9-_.]*?$ to [a-zA-Z0-9-_.]+?$), and apply this
exact replacement to all three occurrences of that rule in the file (the rule
lines containing self.split('@')[0].matches('^([a-zA-Z0-9-]+\\.)+[...')).

[JoelSpeed]

Changing the timeout seems ok to me, push without the proof and I'll tag up for merge

[JoelSpeed]

/lgtm

[openshift-ci-robot]

Pipeline controller notification

No second-stage tests were triggered for this PR.

This can happen when:

• The changed files don't match any pipeline_run_if_changed patterns
• All files match pipeline_skip_if_only_changed patterns
• No pipeline-controlled jobs are defined for the master branch

Use /test ? to see all available tests.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everettraven]

tooling only change, no product impact.

/verified bypass

[openshift-ci-robot]

@everettraven: The verified label has been added.

Details

In response to this:

tooling only change, no product impact.

/verified bypass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[everettraven]

/hold cancel

[openshift-ci]

@everettraven: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.