WIP: Align automation with hco v1 api

[hmeir]

What this PR does / why we need it:

HCO CRD storage version changes to v1 in the 4.23/5.0 release.
All existing automation must be updated to use the v1 apiVersion so all teams align with the new storage version and avoid continuing to generate or maintain automation against the older API version.

Which issue(s) this PR fixes:

Existing automation must use HCO v1 api.

Special notes for reviewer:

Modified AGENTS.md to force it for new incoming automation,

jira-ticket:

https://redhat.atlassian.net/browse/CNV-87694

Summary by CodeRabbit

• New Features

  • Updated configuration handling to use the latest HCO resource structure, including nested settings for virtualization, deployment, networking, storage, and workload sources.
  • Feature gates now follow a list-based format, supporting explicit enabled/disabled states.

• Bug Fixes

  • Improved compatibility for node placement, uninstall settings, crypto policy, live migration, and console/metrics options.
  • Fixed multiple tests and validations to match the current API version and avoid failures when settings are missing or nested differently.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR migrates all HCO CR interactions from the flat v1beta1-style spec layout to the hierarchical HCO v1 API spec structure. get_hyperconverged_resource is updated to target v1, a new get_hyperconverged_resource_v1beta1 helper is added, and AGENTS.md codifies the v1 field-path standards. Every spec patch and assertion across tests and utilities is updated to the new nested paths.

Changes

HCO v1 API spec path migration

Layer / File(s)	Summary
Core utility functions: v1 spec paths and API version split utilities/hco.py, utilities/infra.py	apply_np_changes targets spec.deployment.nodePlacements; boot-image-import helpers use spec.workloadSources; update_hco_templates_spec nests under spec.workloadSources; enabled_aaq_in_hco patches spec.deployment.applicationAwareConfig. get_hyperconverged_resource targets v1; new get_hyperconverged_resource_v1beta1 carries the old v1beta1 logic.
Constants, feature-gate shape, and AGENTS.md standards AGENTS.md, tests/install_upgrade_operators/constants.py, tests/install_upgrade_operators/strict_reconciliation/constants.py, tests/install_upgrade_operators/launcher_updates/constants.py	HCO_DEFAULT_FEATUREGATES changed to empty list; HCO_V1BETA1_DEFAULT_FEATUREGATES, FG_STATE_ENABLED, FG_STATE_DISABLED, HCO_SECURITY_KEY, and HCO_VIRTUALIZATION_KEY added; CUSTOM_WORKLOAD_STRATEGY_SPEC wraps under virtualization; obsolete CPU model constants renamed. AGENTS.md documents all v1 field-path rules.
Node placement: workload key rename and spec.deployment.nodePlacements nesting tests/conftest.py, tests/install_upgrade_operators/node_component/*, tests/storage/hpp/utils.py, tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_nondefault_fields.py	Renames workloads→workload in all node-placement fixture parameters and updates all spec patch paths to spec.deployment.nodePlacements.
Feature-gate format: dict→list-of-{name} objects tests/install_upgrade_operators/conftest.py, tests/install_upgrade_operators/feature_gates/*, tests/install_upgrade_operators/strict_reconciliation/conftest.py, tests/infrastructure/vhostmd/*, tests/storage/test_hotplug.py, tests/storage/upgrade/conftest.py	All spec.featureGates patches changed from boolean-map to list-of-{name} objects; hco_with_non_default_feature_gates builds the new list format; comparison helpers updated to handle both set and list expected types.
spec.virtualization nesting: workloadUpdateStrategy, liveMigration, virtualMachineOptions, etc. tests/install_upgrade_operators/launcher_updates/*, tests/virt/..., tests/storage/cross_cluster_live_migration/utils.py, tests/virt/upgrade/conftest.py, tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_modify_defaults.py, tests/install_upgrade_operators/strict_reconciliation/test_hco_default_cpu_model.py, tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_nondefault_fields.py	All patches and assertions for workloadUpdateStrategy, liveMigrationConfig, virtualMachineOptions, ksmConfiguration, higherWorkloadDensity, permittedHostDevices, and logVerbosityConfig are nested under spec.virtualization.
spec.security and spec.deployment nesting: crypto, certconfig, uninstall, deployment fields tests/install_upgrade_operators/crypto_policy/*, tests/install_upgrade_operators/product_uninstall/*, tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_defaults_on_stanza_deletion.py, tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_modify_defaults.py, tests/infrastructure/vm_console_proxy/conftest.py, tests/virt/cluster/aaq/conftest.py	TLS/crypto patches moved under spec.security; certconfig parametrizations nested under HCO_SECURITY_KEY; uninstallStrategy moved to spec.deployment.uninstallStrategy; deployVmConsoleProxy and applicationAwareConfig moved under spec.deployment.
spec.workloadSources and spec.networking nesting tests/infrastructure/golden_images/..., tests/install_upgrade_operators/hco_enablement_golden_image_updates/*, tests/virt/cluster/common_templates/..., tests/network/kubemacpool/explicit_range/conftest.py, tests/storage/cdi_config/test_cdi_config.py, tests/utils.py	dataImportCronTemplates, commonBootImageNamespace, enableCommonBootImageImport, and common-template namespace patches moved under spec.workloadSources; MAC pool config moved under spec.networking; separate HCO/CDI scratch-space constants added.
API version test: v1beta1→v1 assertion tests/install_upgrade_operators/csv/test_hco_api_version.py	test_hyperconverged_cr_api_version updated to assert exact v1 apiVersion string using HyperConverged.ApiGroup.HCO_KUBEVIRT_IO and Resource.ApiVersion.V1.
Unit tests: updated mock shapes for new spec paths utilities/unittests/test_hco.py	All unit test mocks updated to reflect new nested deployment.nodePlacements, workloadSources, and deployment.applicationAwareConfig shapes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• RedHatQE/openshift-virtualization-tests#3577: Modifies the same vGPU fixture hco_cr_with_node_specific_mdev_permitted_hostdevices in tests/virt/node/gpu/vgpu/conftest.py, changing the permittedHostDevices spec payload shape.

Suggested reviewers

• dshchedr
• rnetser
• vsibirsk
• RoniKishner
• OhadRevah

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description check	✅ Passed	All required sections are present, including purpose, issue note, reviewer notes, and Jira ticket URL.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stp Link Required	✅ Passed	PASS: The PR only modifies existing test files; no newly added test files or new test_* functions are present, so STP/RFE/Jira links aren't required.
Title check	✅ Passed	The title is concise and clearly summarizes the PR’s main change: aligning automation with the HCO v1 API.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Linked repositories: Your configuration references 1 linked repositories, but your current plan allows 0. Analyzed ``, skipped RedHatQE/openshift-virtualization-tests-design-docs.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-virtualization-qe-bot-4]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message
• /security-override - Set security check runs to pass (maintainers only)
• /security-override cancel - Re-run security checks

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest verify-bugs-are-open - verify-bugs-are-open
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3
• /cherry-pick-retry <branch> - Retry a failed cherry-pick (merged PRs only)

Branch Management

• /rebase - Rebase this PR branch onto its base branch

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 2 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

• EdDev
• dshchedr
• jpeimer
• myakove
• rnetser
• vsibirsk

Reviewers:

• Acedus
• Ahmad-Hafe
• Anatw
• Dsanatar
• EdDev
• OhadRevah
• RoniKishner
• SamAlber
• acinko-rh
• akalenyu
• akri3i
• albarker-rh
• awels
• azhivovk
• dalia-frank
• dshchedr
• ema-aka-young
• frenzyfriday
• geetikakay
• hmeir
• josemacassan
• jpeimer
• kgoldbla
• kshvaika
• mijankow
• nirdothan
• orelmisan
• rlobillo
• rnetser
• servolkov
• vsibirsk
• yossisegev

Available Labels

• hold
• verified
• wip
• lgtm
• approve

AI Features

• Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6-1m)

Security Checks

• Suspicious Path Detection: Monitors paths: .claude/, .vscode/, .cursor/, .devcontainer/, .pi/, .github/workflows/, .github/actions/
• Committer Identity Check: Verifies last committer matches PR author
• Mandatory: Security checks block merge (use /security-override to bypass — maintainers only)

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[hmeir]

/wip

[coderabbitai]

Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

utilities/infra.py (1)

611-634: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

HIGH: Type and document the public HCO getters.

get_hyperconverged_resource_v1beta1() is a new public utility under utilities/, so it needs a typed signature. Both helpers now also carry non-obvious behavior (defaulting to v1 vs explicit v1beta1 compatibility, plus raising on miss), so a short Google-style docstring will keep callers from picking the wrong helper.

Example

-def get_hyperconverged_resource(client, hco_ns_name):
+def get_hyperconverged_resource(client: DynamicClient, hco_ns_name: str) -> HyperConverged:
+    """Return the v1 HyperConverged resource from the given namespace.
+
+    Args:
+        client: Cluster client.
+        hco_ns_name: Namespace containing the HyperConverged resource.
+
+    Returns:
+        The v1 HyperConverged resource.
+
+    Raises:
+        ResourceNotFoundError: If the resource does not exist.
+    """
     ...

-def get_hyperconverged_resource_v1beta1(client, hco_ns_name):  # skip-unused-code
+def get_hyperconverged_resource_v1beta1(  # skip-unused-code
+    client: DynamicClient, hco_ns_name: str
+) -> HyperConverged:
+    """Return the v1beta1 HyperConverged resource for compatibility tests.
+
+    Args:
+        client: Cluster client.
+        hco_ns_name: Namespace containing the HyperConverged resource.
+
+    Returns:
+        The v1beta1 HyperConverged resource.
+
+    Raises:
+        ResourceNotFoundError: If the resource does not exist.
+    """
     ...

As per coding guidelines, "Type hints are mandatory for new public Python functions" and "Write Google-format docstrings for public functions that have non-obvious return values or side effects." Based on learnings, functions under utilities/ are treated as public APIs.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@utilities/infra.py` around lines 611 - 634, Both public HCO getter helpers
need explicit typing and documentation: add type hints to
get_hyperconverged_resource and get_hyperconverged_resource_v1beta1 (including
parameter and return types), and add short Google-style docstrings explaining
that they resolve a HyperConverged resource for the requested API version and
raise ResourceNotFoundError when missing. Keep the behavior in sync with the
symbols get_hyperconverged_resource, get_hyperconverged_resource_v1beta1,
HyperConverged, and ResourceNotFoundError so callers can clearly choose between
the default v1 and compatibility v1beta1 variants.

Sources: Coding guidelines, Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/install_upgrade_operators/cert_renewal/conftest.py`:
- Around line 42-46: The patch path in the cert renewal fixture hardcodes the
"security" key instead of using the shared HCO_SECURITY_KEY constant. Update the
fixture in conftest.py where the patches dict is built to reference
HCO_SECURITY_KEY in the spec path, matching the existing contract used elsewhere
and keeping the patch aligned with shared patterns.

In `@tests/install_upgrade_operators/csv/test_hco_api_version.py`:
- Around line 13-14: Add a failure message to the apiVersion assertion in the
test that compares hyperconverged_resource_scope_function.instance.apiVersion
against expected_api_version. Update the assertion so it clearly states the
expected/actual contract for this check, following the pytest-with-message
convention used under tests/**, and keep the change localized to the test case
involving HyperConverged.ApiGroup.HCO_KUBEVIRT_IO and Resource.ApiVersion.V1.

In
`@tests/install_upgrade_operators/launcher_updates/test_reset_custom_values.py`:
- Around line 28-47: The parametrized test ids in test_reset_custom_values.py do
not match the fields being patched in the pytest.param cases. Update the id
values in the relevant pytest.param entries so they clearly reflect the actual
reset targets in the WORKLOAD_UPDATE_STRATEGY_KEY_NAME patch, specifically
batchEvictionInterval and batchEvictionSize, to keep pytest node names and
failure output accurate.

In `@tests/install_upgrade_operators/strict_reconciliation/conftest.py`:
- Around line 124-130: The feature-gate patching in the strict-reconciliation
fixture only appends missing names, so any requested gate already present in HCO
featureGates but set to Disabled is left unchanged. Update the logic around
existing_fg_names and updated_fgs so every fg_name in new_fgs is forced to state
FG_STATE_ENABLED, whether it already exists or not. Use the featureGates patch
construction in this fixture to replace the matching entry instead of skipping
it, so ResourceEditorValidateHCOReconcile always applies the requested enabled
state.

In
`@tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_defaults_on_stanza_deletion.py`:
- Around line 272-273: Add descriptive pytest failure messages to the nested
spec assertions in the strict reconciliation test, especially the check in
test_hco_cr_defaults_on_stanza_deletion and the other referenced spec
comparisons. Update the assertions that read from
hyperconverged_resource_scope_function.instance.to_dict()["spec"] so they
include an explicit message showing the expected value and the actual nested
value when HCO_SECURITY_KEY/HCO_CR_CERT_CONFIG_KEY do not match. Keep the
assertion logic the same, but make the failure output explain which spec field
was wrong to speed up reconciliation debugging.

In
`@tests/install_upgrade_operators/strict_reconciliation/test_hco_default_cpu_model.py`:
- Around line 21-24: The post-patch assertions in test_hco_default_cpu_model
should fail fast instead of hiding missing schema data, so replace the chained
.get(..., {}) lookup for spec.virtualization.virtualMachineOptions with direct
indexing through the HCO spec path in the test helper and in the later assertion
block. Use the existing symbols HCO_VIRTUALIZATION_KEY,
VIRTUAL_MACHINE_OPTIONS_KEY, and HCO_DEFAULT_CPU_MODEL_KEY to access the
required fields directly so any reconcile/schema break surfaces immediately and
precisely.

---

Outside diff comments:
In `@utilities/infra.py`:
- Around line 611-634: Both public HCO getter helpers need explicit typing and
documentation: add type hints to get_hyperconverged_resource and
get_hyperconverged_resource_v1beta1 (including parameter and return types), and
add short Google-style docstrings explaining that they resolve a HyperConverged
resource for the requested API version and raise ResourceNotFoundError when
missing. Keep the behavior in sync with the symbols get_hyperconverged_resource,
get_hyperconverged_resource_v1beta1, HyperConverged, and ResourceNotFoundError
so callers can clearly choose between the default v1 and compatibility v1beta1
variants.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a69238a0-7ada-4780-93c6-5d69f2ac7312

📥 Commits

Reviewing files that changed from the base of the PR and between 6a87444 and f75bac3.

📒 Files selected for processing (57)

• AGENTS.md
• tests/conftest.py
• tests/infrastructure/golden_images/update_boot_source/conftest.py
• tests/infrastructure/vhostmd/test_downwardmetrics_virtio.py
• tests/infrastructure/vhostmd/test_vhostmd.py
• tests/infrastructure/vm_console_proxy/conftest.py
• tests/install_upgrade_operators/cert_renewal/conftest.py
• tests/install_upgrade_operators/conftest.py
• tests/install_upgrade_operators/constants.py
• tests/install_upgrade_operators/crypto_policy/test_crypto_policy_default.py
• tests/install_upgrade_operators/crypto_policy/test_hco_crypto_policy_propagation.py
• tests/install_upgrade_operators/crypto_policy/test_hco_custom_profile_negative.py
• tests/install_upgrade_operators/crypto_policy/utils.py
• tests/install_upgrade_operators/csv/test_hco_api_version.py
• tests/install_upgrade_operators/feature_gates/test_default_featuregates.py
• tests/install_upgrade_operators/feature_gates/test_update_featuregate_hco.py
• tests/install_upgrade_operators/hco_enablement_golden_image_updates/test_custom_golden_images_namespace.py
• tests/install_upgrade_operators/hco_enablement_golden_image_updates/test_enable_common_boot_image_import.py
• tests/install_upgrade_operators/launcher_updates/conftest.py
• tests/install_upgrade_operators/launcher_updates/constants.py
• tests/install_upgrade_operators/launcher_updates/test_default_launcher_updates.py
• tests/install_upgrade_operators/launcher_updates/test_negative_kubevirt_update.py
• tests/install_upgrade_operators/launcher_updates/test_reset_custom_values.py
• tests/install_upgrade_operators/launcher_updates/test_update_default_workload_strategy.py
• tests/install_upgrade_operators/launcher_updates/test_update_workload_strategy.py
• tests/install_upgrade_operators/must_gather/conftest.py
• tests/install_upgrade_operators/node_component/conftest.py
• tests/install_upgrade_operators/node_component/test_deploy_cnv_on_subset_of_nodes_sanity.py
• tests/install_upgrade_operators/node_component/test_hco_vm.py
• tests/install_upgrade_operators/node_component/test_node_placement_cr.py
• tests/install_upgrade_operators/product_uninstall/test_remove_hco.py
• tests/install_upgrade_operators/product_uninstall/test_remove_kubevirt.py
• tests/install_upgrade_operators/strict_reconciliation/conftest.py
• tests/install_upgrade_operators/strict_reconciliation/constants.py
• tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_defaults_on_stanza_deletion.py
• tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_modify_defaults.py
• tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_nondefault_fields.py
• tests/install_upgrade_operators/strict_reconciliation/test_hco_default_cpu_model.py
• tests/network/kubemacpool/explicit_range/conftest.py
• tests/storage/cdi_config/test_cdi_config.py
• tests/storage/cross_cluster_live_migration/utils.py
• tests/storage/hpp/utils.py
• tests/storage/test_hotplug.py
• tests/storage/upgrade/conftest.py
• tests/utils.py
• tests/virt/cluster/aaq/conftest.py
• tests/virt/cluster/common_templates/custom_namespace/conftest.py
• tests/virt/node/gpu/gpu_pci_passthrough/conftest.py
• tests/virt/node/gpu/vgpu/conftest.py
• tests/virt/node/log_verbosity/conftest.py
• tests/virt/node/workload_density/test_free_page_reporting.py
• tests/virt/node/workload_density/test_kernel_samepage_merging.py
• tests/virt/upgrade/conftest.py
• tests/virt/utils.py
• utilities/hco.py
• utilities/infra.py
• utilities/unittests/test_hco.py

[coderabbitai]

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

LOW: Prefer shared HCO_SECURITY_KEY over hardcoded "security" in patch path.

Using the shared constant keeps this fixture aligned with central path contracts and reduces drift risk.

Suggested patch

-                "spec": {"security": {HCO_CR_CERT_CONFIG_KEY: target_certconfig_stanza}}
+                "spec": {HCO_SECURITY_KEY: {HCO_CR_CERT_CONFIG_KEY: target_certconfig_stanza}}

As per coding guidelines, "REUSE existing code and patterns — only write new when nothing exists."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	patches={
	hyperconverged_resource_scope_class: {
	"spec": {"security": {HCO_CR_CERT_CONFIG_KEY: target_certconfig_stanza}}
	}
	},
	patches={
	hyperconverged_resource_scope_class: {
	"spec": {HCO_SECURITY_KEY: {HCO_CR_CERT_CONFIG_KEY: target_certconfig_stanza}}
	}
	},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/install_upgrade_operators/cert_renewal/conftest.py` around lines 42 -
46, The patch path in the cert renewal fixture hardcodes the "security" key
instead of using the shared HCO_SECURITY_KEY constant. Update the fixture in
conftest.py where the patches dict is built to reference HCO_SECURITY_KEY in the
spec path, matching the existing contract used elsewhere and keeping the patch
aligned with shared patterns.

Source: Coding guidelines

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

MEDIUM: Add a failure message to the apiVersion assertion.

When this fails in CI, the current assertion gives less context than the repo standard expects for tests/**. Please include the expected/actual contract in the message.

Suggested change

 expected_api_version = f"{HyperConverged.ApiGroup.HCO_KUBEVIRT_IO}/{Resource.ApiVersion.V1}"
-assert hyperconverged_resource_scope_function.instance.apiVersion == expected_api_version
+assert (
+    hyperconverged_resource_scope_function.instance.apiVersion == expected_api_version
+), (
+    f"Expected HyperConverged apiVersion to be {expected_api_version}, "
+    f"got {hyperconverged_resource_scope_function.instance.apiVersion}"
+)

As per coding guidelines, tests under tests/ must "Use pytest assertions with failure messages".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	expected_api_version = f"{HyperConverged.ApiGroup.HCO_KUBEVIRT_IO}/{Resource.ApiVersion.V1}"
	assert hyperconverged_resource_scope_function.instance.apiVersion == expected_api_version
	expected_api_version = f"{HyperConverged.ApiGroup.HCO_KUBEVIRT_IO}/{Resource.ApiVersion.V1}"
	assert (
	hyperconverged_resource_scope_function.instance.apiVersion == expected_api_version
	), (
	f"Expected HyperConverged apiVersion to be {expected_api_version}, "
	f"got {hyperconverged_resource_scope_function.instance.apiVersion}"
	)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/install_upgrade_operators/csv/test_hco_api_version.py` around lines 13
- 14, Add a failure message to the apiVersion assertion in the test that
compares hyperconverged_resource_scope_function.instance.apiVersion against
expected_api_version. Update the assertion so it clearly states the
expected/actual contract for this check, following the pytest-with-message
convention used under tests/**, and keep the change localized to the test case
involving HyperConverged.ApiGroup.HCO_KUBEVIRT_IO and Resource.ApiVersion.V1.

Source: Coding guidelines

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

LOW: Fix the parametrized ids so they match the patched field.

Line 36 resets batchEvictionInterval, but the id says batch_eviction_size. Line 46 resets batchEvictionSize, but the id says workload_update_methods. Pytest uses these ids in node names and failure output, so the current labels make triage and -k targeting misleading.

Proposed fix

-                id="test_hyperconverged_reset_workload_update_strategy_batch_eviction_size",
+                id="test_hyperconverged_reset_workload_update_strategy_batch_eviction_interval",
...
-                id="test_hyperconverged_reset_workload_update_strategy_workload_update_methods",
+                id="test_hyperconverged_reset_workload_update_strategy_batch_eviction_size",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	pytest.param(
	{
	"patch": {"spec": {WORKLOAD_UPDATE_STRATEGY_KEY_NAME: {"batchEvictionInterval": None}}},
	"patch": {
	"spec": {"virtualization": {WORKLOAD_UPDATE_STRATEGY_KEY_NAME: {"batchEvictionInterval": None}}}
	},
	},
	MOD_CUST_DEFAULT_BATCH_EVICTION_INTERVAL,
	marks=pytest.mark.polarion("CNV-6929"),
	id="test_hyperconverged_reset_workload_update_strategy_batch_eviction_size",
	),
	pytest.param(
	{
	"patch": {"spec": {WORKLOAD_UPDATE_STRATEGY_KEY_NAME: {"batchEvictionSize": None}}},
	"patch": {
	"spec": {"virtualization": {WORKLOAD_UPDATE_STRATEGY_KEY_NAME: {"batchEvictionSize": None}}}
	},
	},
	MOD_CUST_DEFAULT_BATCH_EVICTION_SIZE,
	marks=pytest.mark.polarion("CNV-6930"),
	id="test_hyperconverged_reset_workload_update_strategy_workload_update_methods",
	),
	pytest.param(
	{
	"patch": {
	"spec": {"virtualization": {WORKLOAD_UPDATE_STRATEGY_KEY_NAME: {"batchEvictionInterval": None}}}
	},
	},
	MOD_CUST_DEFAULT_BATCH_EVICTION_INTERVAL,
	marks=pytest.mark.polarion("CNV-6929"),
	id="test_hyperconverged_reset_workload_update_strategy_batch_eviction_interval",
	),
	pytest.param(
	{
	"patch": {
	"spec": {"virtualization": {WORKLOAD_UPDATE_STRATEGY_KEY_NAME: {"batchEvictionSize": None}}}
	},
	},
	MOD_CUST_DEFAULT_BATCH_EVICTION_SIZE,
	marks=pytest.mark.polarion("CNV-6930"),
	id="test_hyperconverged_reset_workload_update_strategy_batch_eviction_size",
	),

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/install_upgrade_operators/launcher_updates/test_reset_custom_values.py`
around lines 28 - 47, The parametrized test ids in test_reset_custom_values.py
do not match the fields being patched in the pytest.param cases. Update the id
values in the relevant pytest.param entries so they clearly reflect the actual
reset targets in the WORKLOAD_UPDATE_STRATEGY_KEY_NAME patch, specifically
batchEvictionInterval and batchEvictionSize, to keep pytest node names and
failure output accurate.

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

HIGH: Force requested feature gates to Enabled, don’t only append missing names.

If spec.featureGates already contains one of new_fgs with state: "Disabled", this loop skips it because the name is already in existing_fg_names, so the fixture never actually enables the requested gate. That makes the fixture state-dependent and can leave strict-reconciliation tests patching the wrong HCO spec.

Suggested fix

-    existing_fg_names = {fg["name"] for fg in hco_fgs}
-    updated_fgs = list(hco_fgs)
-    for fg_name in new_fgs:
-        if fg_name not in existing_fg_names:
-            updated_fgs.append({"name": fg_name, "state": FG_STATE_ENABLED})
+    updated_fgs_by_name = {fg["name"]: dict(fg) for fg in hco_fgs}
+    for fg_name in new_fgs:
+        updated_fgs_by_name[fg_name] = {"name": fg_name, "state": FG_STATE_ENABLED}
+
+    updated_fgs = list(updated_fgs_by_name.values())
     with ResourceEditorValidateHCOReconcile(
         patches={hyperconverged_resource_scope_function: {"spec": {"featureGates": updated_fgs}}},

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	existing_fg_names = {fg["name"] for fg in hco_fgs}
	updated_fgs = list(hco_fgs)
	for fg_name in new_fgs:
	if fg_name not in existing_fg_names:
	updated_fgs.append({"name": fg_name, "state": FG_STATE_ENABLED})
	with ResourceEditorValidateHCOReconcile(
	patches={hyperconverged_resource_scope_function: {"spec": {"featureGates": hco_fgs}}},
	patches={hyperconverged_resource_scope_function: {"spec": {"featureGates": updated_fgs}}},
	updated_fgs_by_name = {fg["name"]: dict(fg) for fg in hco_fgs}
	for fg_name in new_fgs:
	updated_fgs_by_name[fg_name] = {"name": fg_name, "state": FG_STATE_ENABLED}
	updated_fgs = list(updated_fgs_by_name.values())
	with ResourceEditorValidateHCOReconcile(
	patches={hyperconverged_resource_scope_function: {"spec": {"featureGates": updated_fgs}}},

🧰 Tools

🪛 Ruff (0.15.18)

[warning] 128-128: Use list.extend to create a transformed list

(PERF401)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/install_upgrade_operators/strict_reconciliation/conftest.py` around
lines 124 - 130, The feature-gate patching in the strict-reconciliation fixture
only appends missing names, so any requested gate already present in HCO
featureGates but set to Disabled is left unchanged. Update the logic around
existing_fg_names and updated_fgs so every fg_name in new_fgs is forced to state
FG_STATE_ENABLED, whether it already exists or not. Use the featureGates patch
construction in this fixture to replace the matching entry instead of skipping
it, so ResourceEditorValidateHCOReconcile always applies the requested enabled
state.

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

MEDIUM: Add explicit assertion failure messages on nested spec checks.

These assertions currently fail without contextual diagnostics, which slows reconciliation triage.

Suggested patch

-        assert hco_spec.get(HCO_SECURITY_KEY, {}).get(HCO_CR_CERT_CONFIG_KEY) == expected
+        assert hco_spec.get(HCO_SECURITY_KEY, {}).get(HCO_CR_CERT_CONFIG_KEY) == expected, (
+            f"Expected hco.spec.{HCO_SECURITY_KEY}.{HCO_CR_CERT_CONFIG_KEY}={expected}, "
+            f"actual={hco_spec.get(HCO_SECURITY_KEY, {}).get(HCO_CR_CERT_CONFIG_KEY)}"
+        )
@@
-        assert hco_spec.get(HCO_VIRTUALIZATION_KEY, {}).get(LIVE_MIGRATION_CONFIG_KEY) == expected
+        assert hco_spec.get(HCO_VIRTUALIZATION_KEY, {}).get(LIVE_MIGRATION_CONFIG_KEY) == expected, (
+            f"Expected hco.spec.{HCO_VIRTUALIZATION_KEY}.{LIVE_MIGRATION_CONFIG_KEY}={expected}, "
+            f"actual={hco_spec.get(HCO_VIRTUALIZATION_KEY, {}).get(LIVE_MIGRATION_CONFIG_KEY)}"
+        )

As per coding guidelines, "Use pytest assertions with failure messages." Based on learnings, integration tests under tests/ should include descriptive assertion messages.

Also applies to: 493-494

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@tests/install_upgrade_operators/strict_reconciliation/test_hco_cr_defaults_on_stanza_deletion.py`
around lines 272 - 273, Add descriptive pytest failure messages to the nested
spec assertions in the strict reconciliation test, especially the check in
test_hco_cr_defaults_on_stanza_deletion and the other referenced spec
comparisons. Update the assertions that read from
hyperconverged_resource_scope_function.instance.to_dict()["spec"] so they
include an explicit message showing the expected value and the actual nested
value when HCO_SECURITY_KEY/HCO_CR_CERT_CONFIG_KEY do not match. Keep the
assertion logic the same, but make the failure output explain which spec field
was wrong to speed up reconciliation debugging.

Sources: Coding guidelines, Learnings

[coderabbitai]

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

MEDIUM: Prefer direct indexing for the required HCO path.

Line 21-24 and Line 38-40 are assertion helpers for the post-patch state, so spec.virtualization.virtualMachineOptions should exist here. Chained .get(..., {}) hides a broken reconcile/schema change by collapsing it to None, which makes the test fail later with a less precise signal.

Suggested change

-    hco_cpu_model = (
-        hco_spec.get(HCO_VIRTUALIZATION_KEY, {}).get(VIRTUAL_MACHINE_OPTIONS_KEY, {}).get(HCO_DEFAULT_CPU_MODEL_KEY)
-    )
+    hco_cpu_model = hco_spec[HCO_VIRTUALIZATION_KEY][VIRTUAL_MACHINE_OPTIONS_KEY][HCO_DEFAULT_CPU_MODEL_KEY]

As per coding guidelines, "Do not use defensive programming unless it falls under an allowed exception; prefer fail-fast behavior and trust schema-guaranteed data."

Also applies to: 38-40

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@tests/install_upgrade_operators/strict_reconciliation/test_hco_default_cpu_model.py`
around lines 21 - 24, The post-patch assertions in test_hco_default_cpu_model
should fail fast instead of hiding missing schema data, so replace the chained
.get(..., {}) lookup for spec.virtualization.virtualMachineOptions with direct
indexing through the HCO spec path in the test helper and in the later assertion
block. Use the existing symbols HCO_VIRTUALIZATION_KEY,
VIRTUAL_MACHINE_OPTIONS_KEY, and HCO_DEFAULT_CPU_MODEL_KEY to access the
required fields directly so any reconcile/schema break surfaces immediately and
precisely.

Source: Coding guidelines

[geetikakay]

use constants + hyperconverged_resource_scope_function: {

•            "spec": {HCO_SPEC_WORKLOAD_SOURCES: {SSP_CR_COMMON_TEMPLATES_LIST_KEY_NAME: [data_import_cron_dict]}}
  

[geetikakay]

ditto

[geetikakay]

•                HCO_SPEC_DEPLOYMENT: {
  

•                    HCO_DEPLOY_VM_CONSOLE_PROXY: True,
  

•                },