OCPBUGS-77940 Reject custom feature gates when FeatureSet is empty

[agullon]

Summary

• Adds missing validation on main that rejects CustomNoUpgrade enabled/disabled lists when FeatureSet is empty
• This validation exists on release-4.21 but was lost on main during merge conflict resolution in PR OCPBUGS-71236: Align featureGate validations with openshift #6138
• Without this fix, users can configure custom feature gates with an empty FeatureSet, which silently ignores them
• Updates the etcd vendor copy and fixes the corresponding unit test expectation

⚠️ Note: This issue only affects the main branch. The release-4.21 branch already has the correct validation in place.

Details

The case "" branch in validateFeatureGates() on main returns nil without checking if CustomNoUpgrade lists are populated. On release-4.21, it correctly rejects this misconfiguration.

This divergence was caused by the following sequence of events:

1. Jan 14 — PR OCPBUGS-73946: Ignore (Dev|Tech)PreviewNoUpgrade FeatureSets #6082 merged to main: added FeatureSet validation (Dev/TechPreviewNoUpgrade rejection)
2. Jan 23 — PR OCPBUGS-71236: Align featureGate validations with openshift #6138 opened on main: realigned featureGate validations — merge conflict resolution inadvertently dropped the empty-FeatureSet check and set the test to expectErr: false
3. Jan 28 — PR [release-4.21] OCPBUGS-74575: Ignore (Dev|Tech)PreviewNoUpgrade FeatureSets #6162 cherry-picked OCPBUGS-73946: Ignore (Dev|Tech)PreviewNoUpgrade FeatureSets #6082 to release-4.21: conflict resolution correctly preserved the validation and set expectErr: true
4. Feb 3 — PR OCPBUGS-71236: Align featureGate validations with openshift #6138 merged to main: the incorrect expectErr: false landed on main
5. Feb 6 — PR [release-4.21] OCPBUGS-75794: Align featureGate validations with openshift #6186 cherry-picked OCPBUGS-71236: Align featureGate validations with openshift #6138 to release-4.21: kept the correct expectErr: true

As a result, release-4.21 has the validation while main does not.

Test plan

• Unit test feature-gates-custom-no-upgrade-with-feature-set-empty now expects expectErr: true
• Verify go test ./pkg/config/ -run TestValidate passes

[openshift-ci-robot]

@agullon: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Adds missing validation on main that rejects CustomNoUpgrade enabled/disabled lists when FeatureSet is empty
• This validation exists on release-4.21 but was lost on main during merge conflict resolution in PR OCPBUGS-71236: Align featureGate validations with openshift #6138
• Without this fix, users can configure custom feature gates with an empty FeatureSet, which silently ignores them
• Updates the etcd vendor copy and fixes the corresponding unit test expectation

Details

The case "" branch in validateFeatureGates() on main returns nil without checking if CustomNoUpgrade lists are populated. On release-4.21, it correctly rejects this misconfiguration. This divergence was caused by PR #6082 and #6138 landing on main in a different order than their cherry-picks (#6162 and #6186) on release-4.21.

Test plan

• Unit test feature-gates-custom-no-upgrade-with-feature-set-empty now expects expectErr: true
• Verify go test ./pkg/config/ -run TestValidate passes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agullon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [agullon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

When FeatureSet is empty, the validation now rejects non-empty CustomNoUpgrade enabled/disabled lists by returning an error, whereas previously it allowed them.

Changes

Cohort / File(s)	Summary
Feature Gate Validation pkg/config/apiserver.go	Added validation to reject non-empty CustomNoUpgrade lists when FeatureSet is empty.
Test Updates pkg/config/config_test.go	Updated test case "feature-gates-custom-no-upgrade-with-feature-set-empty" to expect an error instead of passing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Stable And Deterministic Test Names	✅ Passed	Test case name is stable, deterministic, and descriptive without dynamic information like timestamps or generated IDs.
Test Structure And Quality	✅ Passed	PR modifications affect standard Go table-driven tests in pkg/config/config_test.go using the testing package, not Ginkgo tests. The check is not applicable.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: rejecting custom feature gates when FeatureSet is empty, which matches the core validation logic added in FeatureGates.validateFeatureGates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/config/apiserver.go (1)

196-200: LGTM! Validation correctly restored.

The check properly rejects CustomNoUpgrade lists when FeatureSet is empty, as intended.

Minor consideration: SpecialHandlingSupportExceptionRequired is also not validated when FeatureSet is empty (early return at line 200). If users set that field with an empty FeatureSet, it would similarly be silently ignored. Consider applying consistent validation for both, or document that only CustomNoUpgrade requires a FeatureSet.

,

🔧 Optional: also validate SpecialHandlingSupportExceptionRequired

 case "":
-	if len(fg.CustomNoUpgrade.Enabled) > 0 || len(fg.CustomNoUpgrade.Disabled) > 0 {
-		return fmt.Errorf("CustomNoUpgrade enabled/disabled lists must be empty when FeatureSet is empty")
+	if len(fg.CustomNoUpgrade.Enabled) > 0 || len(fg.CustomNoUpgrade.Disabled) > 0 ||
+		len(fg.SpecialHandlingSupportExceptionRequired.Enabled) > 0 || len(fg.SpecialHandlingSupportExceptionRequired.Disabled) > 0 {
+		return fmt.Errorf("feature gate enabled/disabled lists must be empty when FeatureSet is empty")
 	}
 	return nil

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/config/apiserver.go` around lines 196 - 200, The early-return branch for
case "" currently checks fg.CustomNoUpgrade but not
fg.SpecialHandlingSupportExceptionRequired; update the same validation block
(the case "" branch handling an empty FeatureSet) to also reject a non-empty
SpecialHandlingSupportExceptionRequired by returning an error when
fg.SpecialHandlingSupportExceptionRequired is set (similar to the existing
CustomNoUpgrade check), referencing the same fg variable and the case "" branch
so both fields are consistently validated when FeatureSet is empty.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/config/apiserver.go`:
- Around line 196-200: The early-return branch for case "" currently checks
fg.CustomNoUpgrade but not fg.SpecialHandlingSupportExceptionRequired; update
the same validation block (the case "" branch handling an empty FeatureSet) to
also reject a non-empty SpecialHandlingSupportExceptionRequired by returning an
error when fg.SpecialHandlingSupportExceptionRequired is set (similar to the
existing CustomNoUpgrade check), referencing the same fg variable and the case
"" branch so both fields are consistently validated when FeatureSet is empty.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 518385b4-a426-4eeb-932c-f44366bdaffa

📥 Commits

Reviewing files that changed from the base of the PR and between 1c734b2 and 0aa362d.

⛔ Files ignored due to path filters (1)

• etcd/vendor/github.com/openshift/microshift/pkg/config/apiserver.go is excluded by !**/vendor/**

📒 Files selected for processing (2)

• pkg/config/apiserver.go
• pkg/config/config_test.go

[copejon]

/retest

[copejon]

/jira refresh

[openshift-ci-robot]

@copejon: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[agullon]

/retest

[agullon]

/retest

[agullon]

/retest

[agullon]

/retest

[openshift-ci]

@agullon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/test-rpm	0aa362d	link	true	/test test-rpm
ci/prow/verify-deps	0aa362d	link	true	/test verify-deps
ci/prow/test-rebase	0aa362d	link	false	/test test-rebase
ci/prow/e2e-aws-tests-cache-arm	0aa362d	link	true	/test e2e-aws-tests-cache-arm
ci/prow/ocp-full-conformance-serial-rhel-eus	0aa362d	link	true	/test ocp-full-conformance-serial-rhel-eus
ci/prow/security	0aa362d	link	false	/test security
ci/prow/ocp-full-conformance-rhel-eus	0aa362d	link	true	/test ocp-full-conformance-rhel-eus
ci/prow/e2e-aws-tests	0aa362d	link	true	/test e2e-aws-tests
ci/prow/e2e-aws-tests-bootc-arm	0aa362d	link	true	/test e2e-aws-tests-bootc-arm
ci/prow/e2e-aws-tests-arm	0aa362d	link	true	/test e2e-aws-tests-arm
ci/prow/e2e-aws-tests-bootc	0aa362d	link	true	/test e2e-aws-tests-bootc
ci/prow/e2e-aws-tests-cache	0aa362d	link	true	/test e2e-aws-tests-cache
ci/prow/e2e-aws-tests-periodic-arm	0aa362d	link	true	/test e2e-aws-tests-periodic-arm
ci/prow/test-unit	0aa362d	link	true	/test test-unit
ci/prow/verify	0aa362d	link	true	/test verify
ci/prow/e2e-aws-ai-model-serving	0aa362d	link	true	/test e2e-aws-ai-model-serving
ci/prow/e2e-aws-tests-bootc-release-arm	0aa362d	link	true	/test e2e-aws-tests-bootc-release-arm
ci/prow/e2e-aws-tests-bootc-release	0aa362d	link	true	/test e2e-aws-tests-bootc-release

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.