MULTIARCH-6014: PowerVS: Use PowerVS Stock Catalogue Images

[AshwinHIBM]

If a stock catalogue OS image is available in the Workspace, use it. If not, fall back to importing the image from public COS.

Why this change:
Importing images from COS is time consuming and introduces a failure mode that can be avoided by using an existing stock catalogue image.

Summary by CodeRabbit

• New Features
  • PowerVS machine provisioning now dynamically selects the RHCOS boot image from the workspace (based on configured zone and service instance).
• Bug Fixes / Reliability
  • If no active workspace image is found, or the lookup fails, the system falls back to the existing rhcos-<clusterID> default and logs a warning.
• Internal Improvements
  • PowerVS machine specifications now consistently reference the resolved boot image when configuring the machine.

[openshift-ci-robot]

@AshwinHIBM: This pull request references MULTIARCH-6014 which is a valid jira issue.

Details

In response to this:

If a stock catalogue OS image is available in the Workspace, use it. If not, fall back to importing the image from public COS.

Why this change:
Importing images from COS is time consuming and introduces a failure mode that can be avoided by using an existing stock catalogue image.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 85a190ca-5f57-42c1-9eef-63a52bdb4aa3

📥 Commits

Reviewing files that changed from the base of the PR and between b05cb3c and a6ab913.

📒 Files selected for processing (3)

• pkg/asset/machines/powervs/images.go
• pkg/asset/machines/powervs/machinesets.go
• pkg/asset/machines/powervs/powervsmachines.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/asset/machines/powervs/images.go
• pkg/asset/machines/powervs/machinesets.go
• pkg/asset/machines/powervs/powervsmachines.go

---

📝 Walkthrough

Walkthrough

Adds GetBootImageFromWorkspace to query the PowerVS workspace for active RHCOS images, falling back to rhcos-{clusterID}. Both MachineSets and machine generation code now call this function instead of deriving the image name inline. GenerateMachine also replaces the machine spec image field from ImageRef (local object reference) to Image (IBMPowerVSResourceReference).

Changes

PowerVS Boot Image Resolution

Layer / File(s)	Summary
Boot image workspace lookup pkg/asset/machines/powervs/images.go	New GetBootImageFromWorkspace function constructs PowerVS client and PI session, queries workspace images, returns the first active image with valid name, falls back to rhcos-{clusterID}, and wraps all errors with informational logging.
MachineSets integration pkg/asset/machines/powervs/machinesets.go	Adds context and logrus imports; calls GetBootImageFromWorkspace with 2-minute timeout instead of deriving image name inline; logs warning on lookup failure and falls back to rhcos-{clusterID}.
Machine generation integration pkg/asset/machines/powervs/powervsmachines.go	Adds context and logrus imports; GenerateMachines calls GetBootImageFromWorkspace with 2-minute timeout and warning fallback; GenerateMachine changes machine spec image field from ImageRef: &v1.LocalObjectReference{Name: image} to Image: &capibm.IBMPowerVSResourceReference populated with the resolved image name.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Error objects from IBM SDK calls are logged with logrus.Warnf(...error: %v), which could expose credentials, tokens, or internal details in error messages.	Sanitize error logging by logging only a generic error message without the full error object, or use structured logging to redact sensitive fields from error messages.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: using PowerVS stock catalogue images instead of importing from COS, which aligns with the PR's core objective of optimizing image handling.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo tests were added or modified in this PR. All changes are to production code files (images.go, machinesets.go, powervsmachines.go), so the test naming check is not applicable.
Test Structure And Quality	✅ Passed	No Ginkgo tests are present in this PR. The custom check applies only to test code quality; since no tests were added or modified, the check does not apply.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; it only modifies production code for PowerVS machine provisioning. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. All changes are implementation-only in pkg/asset/machines/powervs/, making the SNO test compatibility check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies infrastructure provisioning code to improve image lookup logic. It does not introduce operator deployments, pod scheduling constraints, affinity rules, topology spread constraints, or a...
Ote Binary Stdout Contract	✅ Passed	Code is in openshift-installer (not openshift-tests/OTE binary). Functions are asset generators, not process-level code. No stdout writes detected; logrus logging uses stderr by default.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. Changes are infrastructure/library code only (GetBootImageFromWorkspace, MachineSets, GenerateMachines functions). Check not applicable.
No-Weak-Crypto	✅ Passed	No weak cryptography, custom crypto, or non-constant-time secret comparisons detected. Code uses only standard libraries and official SDKs for authentication and image retrieval operations.
Container-Privileges	✅ Passed	PR contains only Go source code for image selection logic; no Kubernetes manifests or container privilege settings present.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mjturek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/asset/machines/powervs/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/asset/machines/powervs/images.go`:
- Around line 18-51: The GetBootImageFromWorkspace function currently hard-fails
when errors occur during PowerVS client creation (after NewClient call), PowerVS
session creation (after NewIBMPISession call), or image retrieval (after GetAll
call). Instead of returning errors at these three failure points, treat the
image lookup as best-effort and gracefully fall back to returning the default
fallback value of rhcos-{clusterID} whenever any of these operations fail. This
ensures that missing or invalid serviceInstanceGUID values and other lookup
failures do not cause the function to fail, allowing the system to continue with
the fallback boot image instead.
- Around line 15-72: The GetBootImageFromWorkspace function has multiple
decision branches that are not covered by unit tests, which violates the coding
guidelines requiring tests for all pkg/ code. Create a new test file
(images_test.go) in the same directory and write comprehensive unit tests that
cover all branches of the GetBootImageFromWorkspace function: successful
retrieval of an active image, fallback when no images exist, fallback when
images exist but none are active, error handling when the image client creation
fails, and error handling when GetAll fails to retrieve images. Use mocking or
test doubles for the PowerVS client and image client dependencies to isolate the
function logic from external dependencies.
- Around line 61-65: The boot image selection loop starting at line 61 with the
range over images.Images returns the first active image with a non-null name
without verifying it is a RHCOS image. This is too broad and can result in
incompatible images being selected in workspaces with multiple active images.
Add additional filtering logic to the condition checking image.State and
image.Name to also validate that the image is specifically a RHCOS image, either
by checking the image name contains expected RHCOS naming patterns or by
validating image metadata. Only return the image name when all conditions are
satisfied: active state, non-empty name, and confirmed RHCOS identity.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 27447613-bc0e-4e59-a97d-10b991f12419

📥 Commits

Reviewing files that changed from the base of the PR and between 1785dc2 and b144e1d.

📒 Files selected for processing (3)

• pkg/asset/machines/powervs/images.go
• pkg/asset/machines/powervs/machinesets.go
• pkg/asset/machines/powervs/powervsmachines.go

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Selection predicate is too broad for boot image resolution.

At Line 61-64, the code returns the first active image regardless of OS/image intent. In workspaces with multiple active images, this can pick a non-RHCOS image and break node boot compatibility. Filter explicitly for the expected RHCOS image naming/metadata and require non-empty names.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/asset/machines/powervs/images.go` around lines 61 - 65, The boot image
selection loop starting at line 61 with the range over images.Images returns the
first active image with a non-null name without verifying it is a RHCOS image.
This is too broad and can result in incompatible images being selected in
workspaces with multiple active images. Add additional filtering logic to the
condition checking image.State and image.Name to also validate that the image is
specifically a RHCOS image, either by checking the image name contains expected
RHCOS naming patterns or by validating image metadata. Only return the image
name when all conditions are satisfied: active state, non-empty name, and
confirmed RHCOS identity.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/asset/machines/powervs/powervsmachines.go`:
- Around line 42-51: The error handling for the GetBootImageFromWorkspace call
in the powervsmachines.go file diverges from the identical call in
machinesets.go. Currently, when GetBootImageFromWorkspace returns an error
(auth/network/session failures), the code falls back to a default image name
pattern and logs a warning. Instead, align this with the machinesets.go approach
by propagating the error up the call stack using a formatted error (e.g.,
fmt.Errorf wrapping the original error). Remove the error handling block that
catches the error and falls back to the rhcos-clusterID pattern, allowing real
lookup failures to be treated as fatal rather than masked by a potentially
non-existent default image name.
- Around line 123-127: The powervsmachines.go file lacks unit test coverage
entirely, violating repository requirements that all code under pkg/ must have
tests. Create a new test file powervsmachines_test.go that includes test cases
covering both the happy path for the main functionality and the critical
fallback branch (lines 47-51) that handles errors when GetBootImageFromWorkspace
fails. Ensure the tests exercise all code paths including the error case where
the bootstrap image lookup returns an error, and verify that the fallback
behavior correctly uses the default image value when the primary lookup fails.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 745168e0-bda5-4415-a219-effe8d30890e

📥 Commits

Reviewing files that changed from the base of the PR and between b144e1d and 915b6da.

📒 Files selected for processing (3)

• pkg/asset/machines/powervs/images.go
• pkg/asset/machines/powervs/machinesets.go
• pkg/asset/machines/powervs/powervsmachines.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/asset/machines/powervs/machinesets.go
• pkg/asset/machines/powervs/images.go

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/asset/machines/powervs/machinesets.go`:
- Around line 32-37: The GetBootImageFromWorkspace function returns the first
active image without verifying it is RHCOS-specific, which can cause wrong image
selection in workspaces with multiple active images. After the
GetBootImageFromWorkspace call succeeds, add validation to check that the
returned image is RHCOS-specific (such as verifying it matches the expected
RHCOS naming pattern or contains RHCOS identifiers). If the returned image does
not match RHCOS criteria, treat it as a failure and fall back to the default
image naming pattern, similar to the existing error handling. This ensures only
appropriate RHCOS images are selected before passing the image variable to the
provider function call.
- Line 32: The GetBootImageFromWorkspace function call uses context.TODO() which
leaves the IBM PowerVS API call unbounded, potentially causing manifest
generation to hang indefinitely if the API stalls. Replace context.TODO() with
context.WithTimeout() to establish a deadline for the API call, and ensure you
defer cancel() to clean up the context. Apply this same fix to both the
GetBootImageFromWorkspace call in machinesets.go at line 32 and any similar
calls in powervsmachines.go.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7c907315-4a63-4fee-b4d0-d8ce03d85ecd

📥 Commits

Reviewing files that changed from the base of the PR and between 915b6da and 3883583.

📒 Files selected for processing (3)

• pkg/asset/machines/powervs/images.go
• pkg/asset/machines/powervs/machinesets.go
• pkg/asset/machines/powervs/powervsmachines.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/asset/machines/powervs/images.go
• pkg/asset/machines/powervs/powervsmachines.go

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Constrain workspace image selection before using it for MachineSets.

This path now trusts GetBootImageFromWorkspace(...), but that helper currently returns the first active image, not a verified RHCOS candidate. In a workspace with multiple active images, this can select the wrong boot image and break provisioning. Please enforce RHCOS-specific selection (or explicit reject/fallback) before passing image into provider(...).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/asset/machines/powervs/machinesets.go` around lines 32 - 37, The
GetBootImageFromWorkspace function returns the first active image without
verifying it is RHCOS-specific, which can cause wrong image selection in
workspaces with multiple active images. After the GetBootImageFromWorkspace call
succeeds, add validation to check that the returned image is RHCOS-specific
(such as verifying it matches the expected RHCOS naming pattern or contains
RHCOS identifiers). If the returned image does not match RHCOS criteria, treat
it as a failure and fall back to the default image naming pattern, similar to
the existing error handling. This ensures only appropriate RHCOS images are
selected before passing the image variable to the provider function call.

[openshift-ci]

@AshwinHIBM: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	a6ab913	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.