OCPBUGS-86616,ARO-24037: feat(azure): add ACR pull identity to worker cloud.conf and VMSS

[twolff-gh]

What this PR does / why we need it:

Adds an optional ImageRegistryCredentials field to AzurePlatformSpec that configures worker nodes to pull images from Azure Container Registry using a user-assigned managed identity.

When set, CPO writes userAssignedIdentityID into the worker cloud.conf and the NodePool controller attaches the MI to the VMSS via CAPZ.

This gives kubelet's ACR credential provider the identity it needs to authenticate without image pull secrets.

Which issue(s) this PR fixes:

Fixes ARO-24037

Special notes for your reviewer:

cloud-provider-azure accepts both ARM resource ID and client ID formats in userAssignedIdentityID — see auth_func.go#L80

We use the ARM resource ID since CAPZ also needs it for VMSS identity attachment.

Only the worker cloud.conf (ConfigMap) is modified — the CP cloud.conf (Secret) is unchanged.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

  • Azure platform spec can optionally specify Image Registry Credentials using a user-assigned managed identity for pulling from Azure Container Registry.

• Behavior Changes

  • Control-plane cloud config includes the configured user-assigned identity.
  • Worker machine templates are configured to use the specified user-assigned identity when present.

• Tests

  • Added tests for config generation, secret handling (no credential leakage), machine-template wiring, and JSON compatibility.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

These changes add optional image registry credentials to AzurePlatformSpec to specify a user-assigned managed identity (resourceID) for pulling images from Azure Container Registry. The control-plane operator propagates the managed identity ID into the generated Azure cloud config when present. The nodepool controller configures worker VM identity and user-assigned identities on Azure VM scale sets using the provided resourceID. Unit tests were added/updated to verify API serialization compatibility, cloud config output, secret contents, and machine template identity wiring.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant API_Server as Kubernetes API
    participant CPO as Control-Plane Operator
    participant NPC as NodePool Controller
    participant Azure as Azure (VMSS / ACR)

    User->>API_Server: Create/Update HostedCluster/NodePool\nwith platform.azure.imageRegistryCredentials.managedIdentity.resourceID
    API_Server->>CPO: CPO watches HostedCluster spec
    CPO->>CPO: adaptConfig reads managedIdentity.resourceID
    CPO->>API_Server: Write ConfigMap (cloud.conf) including userAssignedIdentityID
    API_Server->>NPC: NPC watches HostedCluster/NodePool spec
    NPC->>NPC: azureMachineTemplateSpec reads managedIdentity.resourceID
    NPC->>Azure: Create/Update VMSS with\nidentity: UserAssigned + UserAssignedIdentities[providerID]
    Azure->>Azure: VMSS uses managed identity to pull images from ACR
    Azure->>NPC: VMSS status/events

Loading

Possibly related PRs

• openshift/hypershift#7157: Related changes touching Azure cloud.conf creation/ownership and managed identity fields in control-plane/operator cloud config.

Suggested reviewers

• enxebre
• muraee
• devguyio

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Custom check for Ginkgo test names is not applicable. PR uses only standard Go tests with t.Run() subtests. All test names are static and descriptive with no dynamic values.
Test Structure And Quality	✅ Passed	Tests follow quality standards: single responsibility, meaningful assertion messages, consistent with codebase patterns, and no cluster operations requiring cleanup.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. All new tests are standard Go unit tests using the testing package. The custom check only applies to Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds only standard Go unit tests (using testing.T), not Ginkgo e2e tests. The custom check specifically targets Ginkgo e2e tests with multi-node assumptions. No Ginkgo e2e tests are added.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds ACR pull identity support with no scheduling constraints. Only API types, configuration, and Azure VM template changes. No pod affinity, topology spread, PDB, or topology-dependent logic.
Ote Binary Stdout Contract	✅ Passed	No stdout violations detected. PR changes contain only library/controller code with no main(), init(), TestMain(), or Ginkgo suite setup functions. No stdout writes found.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. All tests are standard Go unit tests using func TestName(t *testing.T) syntax, so the IPv6/disconnected network check does not apply.
Title check	✅ Passed	The title accurately reflects the main change: adding ACR pull identity to worker cloud.conf and VMSS via ImageRegistryCredentials field.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hypershift-operator/controllers/nodepool/azure.go`:
- Around line 248-256: The code is prepending capzutil.ProviderIDPrefix to the
user-assigned identity but CAPZ v1.21 requires a raw ARM resource ID; update the
block that populates azureMachineTemplate.Template.Spec.UserAssignedIdentities
so the ProviderID is set directly from
hostedCluster.Spec.Platform.Azure.AcrImagePullManagedIdentityID (remove
capzutil.ProviderIDPrefix) while keeping the same append logic and
VMIdentityUserAssigned assignment on
azureMachineTemplate.Template.Spec.Identity.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 651c0b52-b089-404a-a89f-e3b0947abee4

📥 Commits

Reviewing files that changed from the base of the PR and between bded456 and 5491fa7.

⛔ Files ignored due to path filters (40)

• api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*.go, !**/zz_generated*
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go is excluded by !client/**
• cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml is excluded by !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/testdata/zz_fixture_TestConfigWithAcrMI.yaml is excluded by !**/testdata/**
• docs/content/reference/aggregated-docs.md is excluded by !docs/content/reference/aggregated-docs.md
• docs/content/reference/api.md is excluded by !docs/content/reference/api.md
• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*

📒 Files selected for processing (5)

• api/hypershift/v1beta1/azure.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config_test.go
• hypershift-operator/controllers/nodepool/azure.go
• hypershift-operator/controllers/nodepool/azure_test.go

[twolff-gh]

/retest

[coderabbitai]

🧹 Nitpick comments (2)

api/hypershift/v1beta1/azure.go (2)

558-567: ⚡ Quick win

Consider adding detailed component validation for consistency.

The validation pattern for AzureManagedIdentityResourceID uses a single rule that checks the overall format, but other ARM resource IDs in this file (e.g., encryptionSetID at lines 336-340, subnetID at lines 428-435) include multiple detailed rules validating each component:

• Subscription ID as a valid UUID (8-4-4-4-12 format)
• Resource group name constraints (1-90 chars, valid characters, no trailing period)
• Resource/identity name constraints

Adding similar granular validation would improve input validation consistency and provide clearer error messages when individual components are malformed.

✨ Suggested additional validation rules

 // +kubebuilder:validation:XValidation:rule="self.lowerAscii().matches('^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft.managedidentity/userassignedidentities/[^/]+$')",message="must be an ARM resource ID in the format /subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}"
+// +kubebuilder:validation:XValidation:rule="self.split('/')[2].matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$')",message="the subscriptionID must be a valid UUID in the form 8-4-4-4-12"
+// +kubebuilder:validation:XValidation:rule=`self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}')`,message="the resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and parenthesis"
+// +kubebuilder:validation:XValidation:rule="!self.split('/')[4].endsWith('.')",message="the resourceGroupName must not end with a period (.)"
+// +kubebuilder:validation:XValidation:rule="self.split('/')[8].matches('[a-zA-Z0-9-_]{1,128}')",message="the identityName should be between 1 and 128 characters, consisting only of alphanumeric characters, hyphens and underscores"
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=512
 type AzureManagedIdentityResourceID string

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/hypershift/v1beta1/azure.go` around lines 558 - 567, Update the
AzureManagedIdentityResourceID validation to add component-level checks similar
to encryptionSetID and subnetID: keep the existing overall XValidation rule but
add additional XValidation or kubebuilder:validation patterns that (1) validate
the subscription ID is a UUID (8-4-4-4-12), (2) validate the resourceGroupName
follows 1-90 char rules (allowed chars, no trailing period), and (3) validate
the userAssignedIdentities/{identityName} segment enforces resource name
constraints (length and allowed characters); target the
AzureManagedIdentityResourceID type and mirror the same annotation style used
for encryptionSetID and subnetID so each component produces a clear, specific
error when invalid.

---

472-479: 💤 Low value

Consider whether ImageRegistryCredentials should be immutable.

Many infrastructure fields in AzurePlatformSpec are marked immutable (e.g., location, resourceGroup, vnetID, subnetID). Since ImageRegistryCredentials configures VM scale set identity attachment, consider whether it should also be immutable once set, as changing VMSS identities post-creation can have operational implications.

If mutability is intentional for operational flexibility, this is fine—just confirming the design choice.

💭 Optional immutability constraint

 // imageRegistryCredentials configures authentication for worker nodes pulling images
 // from Azure Container Registry (ACR) using a user-assigned managed identity.
 // When set, the identity is attached to worker VM scale sets and its resource ID is written
 // into the worker cloud provider config so kubelet's credential provider can authenticate
 // to ACR without image pull secrets.
 //
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.imageRegistryCredentials) || has(self.imageRegistryCredentials)",message="imageRegistryCredentials cannot be removed once set"
 // +optional
 ImageRegistryCredentials *AzureImageRegistryCredentials `json:"imageRegistryCredentials,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/hypershift/v1beta1/azure.go` around lines 472 - 479, Decide and enforce
immutability for the ImageRegistryCredentials field: either mark
ImageRegistryCredentials on AzurePlatformSpec as immutable by adding the
kubebuilder validation tag (e.g., +kubebuilder:validation:Immutable) and update
the field comment to state it cannot be changed post-creation (since changing
VMSS identities is disruptive), or if mutability is intentional, add a clear
comment on ImageRegistryCredentials explaining why it must remain mutable and
document any operational steps/impacts; update any validation logic or docs
accordingly and reference the AzurePlatformSpec, ImageRegistryCredentials, and
analogous immutable fields (location, resourceGroup, vnetID, subnetID) when
making the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@api/hypershift/v1beta1/azure.go`:
- Around line 558-567: Update the AzureManagedIdentityResourceID validation to
add component-level checks similar to encryptionSetID and subnetID: keep the
existing overall XValidation rule but add additional XValidation or
kubebuilder:validation patterns that (1) validate the subscription ID is a UUID
(8-4-4-4-12), (2) validate the resourceGroupName follows 1-90 char rules
(allowed chars, no trailing period), and (3) validate the
userAssignedIdentities/{identityName} segment enforces resource name constraints
(length and allowed characters); target the AzureManagedIdentityResourceID type
and mirror the same annotation style used for encryptionSetID and subnetID so
each component produces a clear, specific error when invalid.
- Around line 472-479: Decide and enforce immutability for the
ImageRegistryCredentials field: either mark ImageRegistryCredentials on
AzurePlatformSpec as immutable by adding the kubebuilder validation tag (e.g.,
+kubebuilder:validation:Immutable) and update the field comment to state it
cannot be changed post-creation (since changing VMSS identities is disruptive),
or if mutability is intentional, add a clear comment on ImageRegistryCredentials
explaining why it must remain mutable and document any operational
steps/impacts; update any validation logic or docs accordingly and reference the
AzurePlatformSpec, ImageRegistryCredentials, and analogous immutable fields
(location, resourceGroup, vnetID, subnetID) when making the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f0a439d2-15ae-489a-aa26-a3dbf24251a3

📥 Commits

Reviewing files that changed from the base of the PR and between 5491fa7 and ba0c25b.

⛔ Files ignored due to path filters (27)

• api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*.go, !**/zz_generated*
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**

📒 Files selected for processing (1)

• api/hypershift/v1beta1/azure.go

[codecov]

Codecov Report

❌ Patch coverage is 83.33333% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.55%. Comparing base (4755e9c) to head (10118f1).
⚠️ Report is 17 commits behind head on main.

Files with missing lines	Patch %	Lines
hypershift-operator/controllers/nodepool/azure.go	80.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8472      +/-   ##
==========================================
+ Coverage   41.54%   41.55%   +0.01%     
==========================================
  Files         758      758              
  Lines       93838    93854      +16     
==========================================
+ Hits        38986    39005      +19     
+ Misses      52107    52100       -7     
- Partials     2745     2749       +4     

Files with missing lines	Coverage Δ
...lplane/v2/cloud_controller_manager/azure/config.go	68.10% <100.00%> (+6.15%)	⬆️
hypershift-operator/controllers/nodepool/azure.go	89.70% <80.00%> (-0.88%)	⬇️

Flag	Coverage Δ
cmd-support	34.96% <ø> (ø)
cpo-hostedcontrolplane	43.64% <100.00%> (+0.04%)	⬆️
cpo-other	43.17% <ø> (ø)
hypershift-operator	51.63% <80.00%> (+0.01%)	⬆️
other	31.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

♻️ Duplicate comments (1)

hypershift-operator/controllers/nodepool/azure.go (1)

248-257: ⚠️ Potential issue | 🔴 Critical | ⚖️ Poor tradeoff

Remove the azure:// prefix from ProviderID on line 254.

CAPZ v1.21.0 expects the raw ARM resource ID format starting with /subscriptions/ without the azure:// prefix. Adding the prefix causes parsing failures with error: "invalid resource ID: resource id 'azure:///subscriptions/...' must start with '/'".

Diff

-				ProviderID: capzutil.ProviderIDPrefix + resourceID,
+				ProviderID: resourceID,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hypershift-operator/controllers/nodepool/azure.go` around lines 248 - 257,
The ProviderID is being constructed with an "azure://" prefix which CAPZ v1.21.0
rejects; in the hostedCluster block that sets
azureMachineTemplate.Template.Spec.UserAssignedIdentities, strip any leading
"azure://" (or "azure:///" variants) from
hostedCluster.Spec.Platform.Azure.ImageRegistryCredentials.ManagedIdentity.ResourceID
so resourceID starts with "/subscriptions/..." before concatenating with
capzutil.ProviderIDPrefix and assigning to ProviderID; update the code that
computes resourceID in that block (referencing hostedCluster,
azureMachineTemplate.Template.Spec.UserAssignedIdentities and ProviderID) to
perform this sanitization.

🧹 Nitpick comments (1)

api/hypershift/v1beta1/azure_test.go (1)

20-102: LGTM! Good N-1/N+1 compatibility coverage.

The test correctly verifies:

• JSON serialization includes the field when set
• JSON omits the field when zero-valued (via omitzero)
• Legacy code (N-1) can unmarshal JSON from current version (N)
• Current version (N) preserves zero value when unmarshaling from N-1

The test follows table-driven patterns and "When ... it should ..." naming conventions as per coding guidelines.

♻️ Optional: Consider using gomega for more expressive assertions

 import (
 	"encoding/json"
 	"strings"
 	"testing"
+	. "github.com/onsi/gomega"
 )

 func TestAzurePlatformSpecSerializationCompatibility(t *testing.T) {
+	g := NewWithT(t)
 	// ...
 	if tt.expectFieldInJSON {
-		if !strings.Contains(jsonStr, `"imageRegistryCredentials"`) {
-			t.Errorf("expected imageRegistryCredentials in JSON, got: %s", jsonStr)
-		}
+		g.Expect(jsonStr).To(ContainSubstring(`"imageRegistryCredentials"`))

This is purely optional; the current assertions work correctly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/hypershift/v1beta1/azure_test.go` around lines 20 - 102, The reviewer
gave LGTM and suggested an optional refactor to use gomega for more expressive
assertions; to apply this, update
TestAzurePlatformSpecSerializationCompatibility to use gomega's NewWithT(t) and
Expect(...) assertions instead of t.Fatalf/t.Errorf and manual if checks for
JSON contents and field values (references:
TestAzurePlatformSpecSerializationCompatibility, AzurePlatformSpec,
azurePlatformSpecNMinus1, ImageRegistryCredentials, ManagedIdentity.ResourceID);
add the gomega import and convert the key assertions (marshal/unmarshal errors,
presence/absence of `"imageRegistryCredentials"`, expected ResourceID, Location
and zero-value checks) to Expect-style calls while preserving the same test
cases and logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@hypershift-operator/controllers/nodepool/azure.go`:
- Around line 248-257: The ProviderID is being constructed with an "azure://"
prefix which CAPZ v1.21.0 rejects; in the hostedCluster block that sets
azureMachineTemplate.Template.Spec.UserAssignedIdentities, strip any leading
"azure://" (or "azure:///" variants) from
hostedCluster.Spec.Platform.Azure.ImageRegistryCredentials.ManagedIdentity.ResourceID
so resourceID starts with "/subscriptions/..." before concatenating with
capzutil.ProviderIDPrefix and assigning to ProviderID; update the code that
computes resourceID in that block (referencing hostedCluster,
azureMachineTemplate.Template.Spec.UserAssignedIdentities and ProviderID) to
perform this sanitization.

---

Nitpick comments:
In `@api/hypershift/v1beta1/azure_test.go`:
- Around line 20-102: The reviewer gave LGTM and suggested an optional refactor
to use gomega for more expressive assertions; to apply this, update
TestAzurePlatformSpecSerializationCompatibility to use gomega's NewWithT(t) and
Expect(...) assertions instead of t.Fatalf/t.Errorf and manual if checks for
JSON contents and field values (references:
TestAzurePlatformSpecSerializationCompatibility, AzurePlatformSpec,
azurePlatformSpecNMinus1, ImageRegistryCredentials, ManagedIdentity.ResourceID);
add the gomega import and convert the key assertions (marshal/unmarshal errors,
presence/absence of `"imageRegistryCredentials"`, expected ResourceID, Location
and zero-value checks) to Expect-style calls while preserving the same test
cases and logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 457f2777-b2e1-49ac-af2d-51f62f556244

📥 Commits

Reviewing files that changed from the base of the PR and between ba0c25b and b80128b.

⛔ Files ignored due to path filters (43)

• api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*.go, !**/zz_generated*
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• client/applyconfiguration/hypershift/v1beta1/azureimageregistrycredentials.go is excluded by !client/**
• client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go is excluded by !client/**
• client/applyconfiguration/hypershift/v1beta1/userassignedmanagedidentity.go is excluded by !client/**
• client/applyconfiguration/utils.go is excluded by !client/**
• cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml is excluded by !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/testdata/zz_fixture_TestConfigWithAcrMI.yaml is excluded by !**/testdata/**
• docs/content/reference/aggregated-docs.md is excluded by !docs/content/reference/aggregated-docs.md
• docs/content/reference/api.md is excluded by !docs/content/reference/api.md
• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*

📒 Files selected for processing (6)

• api/hypershift/v1beta1/azure.go
• api/hypershift/v1beta1/azure_test.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config_test.go
• hypershift-operator/controllers/nodepool/azure.go
• hypershift-operator/controllers/nodepool/azure_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config_test.go
• hypershift-operator/controllers/nodepool/azure_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/hypershift/v1beta1/azure.go`:
- Around line 558-567: Update the AzureManagedIdentityResourceID type
validation: change the kubebuilder:validation:MinLength from 129 to 132 and
replace the permissive component regex with component-level validation similar
to encryptionSetID—require a UUID pattern for the subscriptionID, constrain
resourceGroupName to allowed characters and length (1–90), and enforce
identityName minimum length 3 and allowed characters; keep the overall
XValidation rule to match the complete ARM path but ensure its subpatterns
validate each component (subscription, resourceGroupName,
userAssignedIdentities/{identityName}) to mirror Azure's documented constraints.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 29e87b7e-4823-400b-a997-52ab9f368df6

📥 Commits

Reviewing files that changed from the base of the PR and between 5a90422 and 76d2a13.

⛔ Files ignored due to path filters (43)

• api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*.go, !**/zz_generated*
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/TLSAdherence.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• client/applyconfiguration/hypershift/v1beta1/azurecontainerregistrycredentials.go is excluded by !client/**
• client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go is excluded by !client/**
• client/applyconfiguration/hypershift/v1beta1/userassignedmanagedidentity.go is excluded by !client/**
• client/applyconfiguration/utils.go is excluded by !client/**
• cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml is excluded by !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/testdata/zz_fixture_TestConfigWithAcrMI.yaml is excluded by !**/testdata/**
• docs/content/reference/aggregated-docs.md is excluded by !docs/content/reference/aggregated-docs.md
• docs/content/reference/api.md is excluded by !docs/content/reference/api.md
• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*

📒 Files selected for processing (6)

• api/hypershift/v1beta1/azure.go
• api/hypershift/v1beta1/azure_test.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config_test.go
• hypershift-operator/controllers/nodepool/azure.go
• hypershift-operator/controllers/nodepool/azure_test.go

🚧 Files skipped from review as they are similar to previous changes (5)

• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config.go
• hypershift-operator/controllers/nodepool/azure.go
• api/hypershift/v1beta1/azure_test.go
• hypershift-operator/controllers/nodepool/azure_test.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config_test.go

[bennerv]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2060382969079533568 | Cost: $2.31090125 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[JoelSpeed]

Needs to be explained in this godoc so that it ends up in the generated docs the user would see with kubectl explain.

Please expand this comment on the field to explain the valid input

[twolff-gh]

/retest-required

[twolff-gh]

/retest-required

[bryan-cox]

/retest

[bryan-cox]

@twolff-gh since you already lost lgtm, would you mind rebasing the branch please? 😄

That should fix the codecov/project error you are seeing.

[twolff-gh]

@twolff-gh since you already lost lgtm, would you mind rebasing the branch please? 😄

That should fix the codecov/project error you are seeing.

Will do!

[JoelSpeed]

/approve for API

Thanks @twolff-gh

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, JoelSpeed, twolff-gh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]
• api/OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[enxebre]

how does this relate to UseManagedIdentityExtension input in the config file? should if influence it?

[enxebre]

dropped some questions, lgtm overall

[bennerv]

two super minor things.

[twolff-gh]

how does this relate to UseManagedIdentityExtension input in the config file? should if influence it?

Theyre related but I dont think we need to change UseManagedIdentityExtension here.

Its already set true on the ARO HCP worker cloud.conf. userAssignedIdentityID is read by the kubelet credential provider for ACR token acquisition. It needs UseManagedIdentityExtension=true as a prereq, which is already set.

What do you think? Hopefully this helped 🙏

@enxebre

[openshift-ci]

@twolff-gh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gke	f14d7bb	link	false	/test e2e-gke

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

This confirms the root cause. The failing check run (80646555992) evaluated a stale commit (9129cdb) while the PR has since been updated to 10118f1. On the latest commit, codecov/project actually passes with 41.55% (+0.01%). The failure is a stale/outdated check run artifact that GitHub hasn't cleared.

Test Failure Analysis Complete

Job Information

• Prow Job: codecov/project (GitHub Check Run, not a Prow CI job)
• Build ID: Check Run ID 80646555992
• PR: #8472 — OCPBUGS-86616,ARO-24037: feat(azure): add ACR pull identity to worker cloud.conf and VMSS
• Repository: openshift/hypershift

Test Failure Analysis

Error

codecov/project: 41.51% (-0.04%) compared to 4755e9c

⚠️ Current head 9129cdb differs from pull request most recent head 10118f1
Please upload reports for the commit 10118f1 to get more accurate results.

Summary

The codecov/project check run is failing because it evaluated a stale commit (9129cdb) that is no longer the HEAD of the PR. The PR has since been updated to commit 10118f1, and Codecov successfully re-evaluated that latest commit with a passing result: 41.55% (+0.01%). The displayed failure is a leftover GitHub Check Run from an older push that GitHub's UI surfaces as the status for the check, even though a newer passing run exists on the actual HEAD commit.

Root Cause

The failure is caused by a stale Codecov check run attached to an older commit (9129cdb) that no longer reflects the current state of the PR.

Here is the sequence of events:

1. The PR was pushed with commit 9129cdb. Codecov evaluated this commit and found project coverage at 41.51%, a -0.04% decrease from the base (4755e9c). This triggered a failure conclusion on the check run.
2. The PR was subsequently updated with new commits, with the latest HEAD now at 10118f1. This new commit added/improved test coverage (the coverage diff shows +19 hits, -7 misses).
3. Codecov re-evaluated on the new HEAD 10118f1 and reported 41.55% (+0.01%) — a passing result.
4. However, GitHub's Check Runs API still surfaces the older failing check run (ID 80646555992, attached to 9129cdb) in the PR's status checks. The check run itself warns: "Current head 9129cdb differs from pull request most recent head 10118f1".

The -0.04% coverage drop on the old commit was caused by 9 files with "indirect coverage changes" — code that existed before the PR but whose coverage numbers shifted due to test suite changes between the base and that intermediate commit. The PR's own patch coverage is 83.33% (3 lines uncovered in hypershift-operator/controllers/nodepool/azure.go), and the actual new code contributed a net positive to coverage.

The 3 uncovered lines in azure.go are in the azureMachineTemplate method (lines ~269-270) — the nil-guard chain c.hostedCluster != nil && c.hostedCluster.Spec.Platform.Azure != nil && ... — which is a higher-level caller path not directly exercised by the unit tests (the unit tests cover azureMachineTemplateSpec directly, not the CAPI.azureMachineTemplate wrapper). This is a minor gap but was not the cause of the check failure.

Recommendations

1. No action required for the codecov/project failure — The check is passing on the latest commit (10118f1) with coverage at 41.55% (+0.01%). The failing check run is stale.

2. Rebase the branch to clear stale check runs — As suggested by a reviewer in the PR comments: "since you already lost lgtm, would you mind rebasing the branch please? That should fix the codecov/project error you are seeing." A rebase will force GitHub to associate only the new commit's check runs with the PR status.

3. Optional: Add coverage for the wrapper method — The 3 uncovered lines in azureMachineTemplate() (the nil-guard for c.hostedCluster.Spec.Platform.Azure.ContainerRegistry.Credentials.ManagedIdentity.ResourceID) could be covered by adding a test case to the CAPI.azureMachineTemplate method that exercises the hostedCluster → acrIdentityResourceID extraction path. This is low priority since the core logic is already tested via TestAzureMachineTemplateSpec.

Evidence

Evidence	Detail
Failing check run commit	9129cdb (stale — no longer PR HEAD)
Current PR HEAD commit	10118f1
Codecov result on stale commit	41.51% (-0.04%) → failure
Codecov result on latest commit	41.55% (+0.01%) → success
Stale commit warning	"Current head 9129cdb differs from pull request most recent head 10118f1"
Check Run ID (failing/stale)	80646555992
Patch coverage	83.33% (3 lines uncovered in nodepool/azure.go)
Uncovered lines	azureMachineTemplate() nil-guard chain (lines ~269-270) for ACR identity extraction
File with coverage drop	hypershift-operator/controllers/nodepool/azure.go: 89.70% → -0.88% delta
File with coverage gain	cloud_controller_manager/azure/config.go: 68.10% → +6.15% delta
Reviewer comment	"would you mind rebasing the branch please? That should fix the codecov/project error"

---

[bennerv]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke