OCPBUGS-77066: SRIOV per-arch kustomize images

[pacevedom]

$ du -ksh /tmp/images/*
1.5G	/tmp/images/sriov-arm
1.6G	/tmp/images/sriov-x86

Summary by CodeRabbit

• New Features

  • Added per-architecture SR-IOV deployment support (x86_64 and aarch64) with kustomize patches applying arch-specific images.
  • Packaging now assembles the correct SR-IOV manifests per architecture automatically.

• Chores

  • Updated SR-IOV operator container image source.
  • Refreshed all SR-IOV component image digests.
  • Streamlined deployment configuration by moving image settings to kustomize-driven env injection.
  • Bumped SR-IOV release baselines to newer versions.

[openshift-ci-robot]

@pacevedom: This pull request references Jira Issue OCPBUGS-77066, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jogeo

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

1.5G	/tmp/images/sriov-arm
1.6G	/tmp/images/sriov-x86```

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors SR-IOV operator configuration to support architecture-specific deployments using Kustomize overlays. The base operator deployment is simplified, while new per-architecture kustomization files inject environment variables and image digests. Build and rebase scripts are updated to apply these overlays.

Changes

Cohort / File(s)	Summary
Base Operator Deployment assets/optional/sriov/deploy/operator.yaml	Removed nine environment variables (CNI, device plugin, config daemon, webhook, RDMA, metrics images) and updated container image from Red Hat registry digest to quay.io/openshift/sriov-network-operator:latest.
Architecture-specific Kustomization Overlays assets/optional/sriov/kustomization.aarch64.yaml, assets/optional/sriov/kustomization.x86_64.yaml	New files defining per-architecture Kustomize patches that update operator image digest and inject nine environment variables for SR-IOV component images into the deployment.
Release Manifests assets/optional/sriov/release-sriov-aarch64.json, assets/optional/sriov/release-sriov-x86_64.json	Updated release base versions and image digests for all SR-IOV component references (CNI, device plugin, webhook, RDMA, metrics exporter, etc.).
RPM Build Configuration packaging/rpm/microshift.spec	Added conditional blocks to concatenate architecture-specific kustomization files (aarch64 and x86_64 variants) into the SR-IOV manifest assembly during RPM packaging.
Rebase Infrastructure scripts/auto-rebase/assets_sriov.yaml	Registered two new kustomization files for asset tracking.
Rebase Script Refactoring scripts/auto-rebase/rebase_sriov.sh	Introduced multi-architecture handling with ARCHS array, GOARCH_TO_UNAME_MAP mapping, new write_sriov_images_for_arch function, and per-architecture image resolution and kustomization generation logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly summarizes the main change: introducing per-architecture kustomize image configuration for SR-IOV operator, which is the core objective across all modified files.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@pacevedom: This pull request references Jira Issue OCPBUGS-77066, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jogeo

Details

In response to this:

1.5G	/tmp/images/sriov-arm
1.6G	/tmp/images/sriov-x86```

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

- New Features
 - Added per-architecture SR-IOV deployment support (x86_64 and aarch64) with kustomize patches applying arch-specific images.
 - Packaging now assembles the correct SR-IOV manifests per architecture automatically.

- Chores
 - Updated SR-IOV operator container image source.
 - Refreshed all SR-IOV component image digests.
 - Streamlined deployment configuration by moving image settings to kustomize-driven env injection.
 - Bumped SR-IOV release baselines to newer versions.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pacevedom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

scripts/auto-rebase/rebase_sriov.sh (1)

400-412: Global s/_/-/g sed operates on image URL values too.

The substitution is applied to the entire JSON string including image reference values. Any image URL containing an underscore (technically valid) would be silently corrupted. Scoping to keys only is safer:

♻️ Suggested alternative using jq

-    images_json=$(yq "
+    images_json=$(yq -o json "
       (
         [.spec.template.spec.containers[].env[] |
         select(.name | test(\"_IMAGE$\")) |
         {\"key\": (.name | downcase), \"value\": .value}] |
         from_entries
       ) as \$env_images |
       (
         .spec.template.spec.containers[] |
         {(.name): .image}
       ) as \$main_images |
-      (\$env_images + \$main_images)
-    " "${STAGING_SRIOV}/${OPERATOR_FILENAME}" -o json | sed 's/"sriov_\([^"]*\)_\([^"]*\)"/"sriov-\1-\2"/g; s/_/-/g')
+      (\$env_images + \$main_images)
+    " "${STAGING_SRIOV}/${OPERATOR_FILENAME}" | jq 'with_entries(.key |= gsub("_"; "-"))')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/auto-rebase/rebase_sriov.sh` around lines 400 - 412, The current
pipeline assigns images_json but then runs sed 's/_/-/g' which mangles
underscores inside image values; remove that global sed and instead post-process
the JSON with jq to only rewrite object keys (e.g. use with_entries and gsub to
replace "_" with "-" and also gsub("sriov_(\\w+)_(\\w+)"; "sriov-\\1-\\2") for
the sriov pattern). Update the pipeline that builds images_json (the yq ... |
sed ...) to pipe into jq and perform key-only transformations so image URL
values (from STAGING_SRIOV and OPERATOR_FILENAME processing) are left unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/auto-rebase/rebase_sriov.sh`:
- Around line 470-474: The current heredoc unconditionally splits
resolved_images["sriov-network-operator"] using %@* and #*@ which breaks if the
image has no '@' (tag-only). Update the write to ${kustomization_file} to detect
if the string contains '@' (check resolved_images["sriov-network-operator"] for
'@') and only emit the digest line (and use the %@* / #*@ splits) when present;
otherwise emit newName as the full image and omit the digest entry. Apply this
guard around the block that writes to kustomization_file and reference the
resolved_images["sriov-network-operator"] variable and the heredoc that creates
the kustomization content.

---

Nitpick comments:
In `@scripts/auto-rebase/rebase_sriov.sh`:
- Around line 400-412: The current pipeline assigns images_json but then runs
sed 's/_/-/g' which mangles underscores inside image values; remove that global
sed and instead post-process the JSON with jq to only rewrite object keys (e.g.
use with_entries and gsub to replace "_" with "-" and also
gsub("sriov_(\\w+)_(\\w+)"; "sriov-\\1-\\2") for the sriov pattern). Update the
pipeline that builds images_json (the yq ... | sed ...) to pipe into jq and
perform key-only transformations so image URL values (from STAGING_SRIOV and
OPERATOR_FILENAME processing) are left unchanged.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 4e5d27c and a12ef6c.

📒 Files selected for processing (8)

• assets/optional/sriov/deploy/operator.yaml
• assets/optional/sriov/kustomization.aarch64.yaml
• assets/optional/sriov/kustomization.x86_64.yaml
• assets/optional/sriov/release-sriov-aarch64.json
• assets/optional/sriov/release-sriov-x86_64.json
• packaging/rpm/microshift.spec
• scripts/auto-rebase/assets_sriov.yaml
• scripts/auto-rebase/rebase_sriov.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

%@* / #*@ expansions assume a digest separator is present.

If resolved_images["sriov-network-operator"] has no @ (tag-based fallback ref), both newName and digest would get the full image string. A small guard prevents generating a malformed kustomization:

🛡️ Suggested guard

+    local operator_img="${resolved_images["sriov-network-operator"]}"
+    if [[ "${operator_img}" != *@* ]]; then
+        >&2 echo "ERROR: sriov-network-operator image has no digest: ${operator_img}"
+        return 1
+    fi
+
 cat > "${kustomization_file}" <<EOF
 images:
   - name: quay.io/openshift/sriov-network-operator
-    newName: ${resolved_images["sriov-network-operator"]%@*}
-    digest: ${resolved_images["sriov-network-operator"]#*@}
+    newName: ${operator_img%@*}
+    digest: ${operator_img#*@}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	cat > "${kustomization_file}" <<EOF
	images:
	- name: quay.io/openshift/sriov-network-operator
	newName: ${resolved_images["sriov-network-operator"]%@*}
	digest: ${resolved_images["sriov-network-operator"]#*@}
	local operator_img="${resolved_images["sriov-network-operator"]}"
	if [[ "${operator_img}" != *@* ]]; then
	>&2 echo "ERROR: sriov-network-operator image has no digest: ${operator_img}"
	return 1
	fi
	cat > "${kustomization_file}" <<EOF
	images:
	- name: quay.io/openshift/sriov-network-operator
	newName: ${operator_img%@*}
	digest: ${operator_img#*@}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/auto-rebase/rebase_sriov.sh` around lines 470 - 474, The current
heredoc unconditionally splits resolved_images["sriov-network-operator"] using
%@* and #*@ which breaks if the image has no '@' (tag-only). Update the write to
${kustomization_file} to detect if the string contains '@' (check
resolved_images["sriov-network-operator"] for '@') and only emit the digest line
(and use the %@* / #*@ splits) when present; otherwise emit newName as the full
image and omit the digest entry. Apply this guard around the block that writes
to kustomization_file and reference the
resolved_images["sriov-network-operator"] variable and the heredoc that creates
the kustomization content.

[pacevedom]

The sriov images are coming from a released bundle, which is always using image digests and therefore the @ is always present. If the digests were dropped there would be deeper changes in other parts of the test framework, and these would fail in CI jobs.

[coderabbitai]

@pacevedom, thanks for the clarification! That makes sense—if the bundle always provides digest-based references and CI would catch any deviation, the guard isn't necessary. I appreciate the context.

[pacevedom]

/verified by CI

[openshift-ci-robot]

@pacevedom: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@pacevedom: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.