[IUO] Apply new Lazy IDMS strategy for upgrade and install lanes

[hmeir]

Short description:

This PR modifies the IDMS patching logic to follow a per-image strategy, aligning with Konflux build requirements.

More details:

This change aligns the code with the DevOps per-image IDMS strategy to reduce execution time and avoid unnecessary VM migrations that cause PSI execution failures.

• For Konflux builds: The code checks if the upgrade target version image (e.g., v4.22) already exists in the IDMS per related image; if it does, no action is taken.
• Missing versions: If the version is missing, the existing IDMS is patched.
• Fallback: If no IDMS exists at all, a new namespaced IDMS is created.

What this PR does / why we need it:

• Improves CI Stability: Minimizes VM migrations by avoiding redundant IDMS patching, leading to more reliable test results.
• DevOps Alignment: Ensures registry mirroring logic follows the current per-image strategy.

Special notes for reviewer:

Review the logic in the IDMS patching helper functions to ensure the image version check is robust.

jira-ticket:

🤖 Assisted with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@hmeir has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 36 minutes and 4 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 36 minutes and 4 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6fa7521b-def6-4944-afa4-5fa8cc0ecbb0

📥 Commits

Reviewing files that changed from the base of the PR and between d0a45ce and 8aa7ba6.

📒 Files selected for processing (6)

• tests/install_upgrade_operators/conftest.py
• tests/install_upgrade_operators/constants.py
• tests/install_upgrade_operators/product_install/conftest.py
• tests/install_upgrade_operators/product_upgrade/conftest.py
• tests/install_upgrade_operators/utils.py
• utilities/pytest_utils.py

📝 Walkthrough

Walkthrough

Added Konflux/IDMS constants, introduced a session fixture that queries Version Explorer (iib_build_info), and refactored IDMS mirror handling: new helper to merge per-image mirrors, changed apply_konflux_idms behavior, and updated fixtures to gate/skip IDMS updates based on pipeline and cluster state.

Changes

Cohort / File(s)	Summary
Constants Module tests/install_upgrade_operators/constants.py	Added five new module-level constants: KONFLUX_IDMS_NAME, KONFLUX_MIRROR_BASE_URL, RH_IDMS_SOURCE, KONFLUX_PIPELINE, BREW_MIRROR_BASE_URL.
Top-level Test Conftest tests/install_upgrade_operators/conftest.py	Added iib_build_info session fixture that parses IIB number from cnv_image_url for osbs/fbc, queries Version Explorer (GetBuildByIIB), and exits pytest on missing response. Also added re import and imported wait_for_version_explorer_response / exit_pytest_execution.
Product Install Fixture tests/install_upgrade_operators/product_install/conftest.py	Switched imports to use constants (KONFLUX_IDMS_NAME, KONFLUX_MIRROR_BASE_URL) and removed the installed_konflux_idms fixture and its early-exit logic; IDMS application no longer happens implicitly via that fixture.
Product Upgrade Fixtures tests/install_upgrade_operators/product_upgrade/conftest.py	Removed cnv_image_name fixture; added request to signatures and now obtain iib_build_info via fixture. updated_konflux_idms / eus_updated_konflux_idms now skip unless iib_build_info["pipeline"] == KONFLUX_PIPELINE, always call apply_konflux_idms, and conditionally append BREW_MIRROR_BASE_URL when IDMS resource does not exist; removed prior early-return checks and HOTFIX gating.
IDMS Mirror Logic tests/install_upgrade_operators/utils.py	Removed fixed-Konflux constants, added _get_entries_with_missing_mirrors(idms, required_mirrors) to merge per-image mirror entries, changed apply_konflux_idms() to: compute updated entries, return early if no changes (without MCP pause), patch with merged entries or create using idms.name and RH_IDMS_SOURCE; removed idms_has_all_mirrors().
Pytest Utilities utilities/pytest_utils.py	get_cnv_version_explorer_url(pytest_config) now treats --upgrade == "cnv" the same as "eus" when requiring CNV_VERSION_EXPLORER_URL.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[IUO] Apply new Lazy IDMS strategy for upgrade and install lanes' clearly summarizes the main change: implementing a per-image IDMS patching strategy for both upgrade and install workflows.
Description check	✅ Passed	The PR description covers all major required template sections with clear information about what changed and why.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.66%. Comparing base (b4ad2e0) to head (8aa7ba6).
⚠️ Report is 79 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4453      +/-   ##
==========================================
+ Coverage   98.63%   98.66%   +0.02%     
==========================================
  Files          25       25              
  Lines        2420     2469      +49     
==========================================
+ Hits         2387     2436      +49     
  Misses         33       33              

Flag	Coverage Δ
utilities	98.66% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-virtualization-qe-bot-5]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest verify-bugs-are-open - verify-bugs-are-open
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 2 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

• dshchedr
• myakove
• rnetser
• vsibirsk

Reviewers:

• OhadRevah
• RoniKishner
• albarker-rh
• dshchedr
• geetikakay
• hmeir
• rlobillo
• rnetser
• vsibirsk

Available Labels

• hold
• verified
• wip
• lgtm
• approve

AI Features

• Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6[1m])

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/install_upgrade_operators/product_upgrade/conftest.py`:
- Around line 125-140: The disconnected-cluster guard in updated_konflux_idms
runs too late because pytest resolves the iib_build_info fixture eagerly
(triggering Version Explorer lookups); change updated_konflux_idms to accept a
lazy provider (e.g., iib_build_info_getter callable/ lambda) or defer accessing
iib_build_info until after the is_disconnected_cluster check so the disconnected
check short-circuits before any Version Explorer logic; update callers/fixtures
to pass a zero-arg function (or move the disconnected check into the
iib_build_info fixture itself) and ensure all references in updated_konflux_idms
use the lazily obtained value when comparing to KONFLUX_PIPELINE.

In `@tests/install_upgrade_operators/utils.py`:
- Around line 347-352: The fallback IDMS created in the create path uses an
aggregate source (RH_IDMS_SOURCE) which is incompatible with the patch helper
_get_entries_with_missing_mirrors() that expects per-image sources of the form
registry.redhat.io/container-native-virtualization/<image>; fix by either (A)
changing the creation logic around ImageDigestMirrorSet (where
image_digest_mirrors is set and ImageDigestMirrorSet(...) is constructed) to
emit per-image entries (expand required_mirrors into entries like
RH_IDMS_SOURCE/<image> for each image name) or (B) updating
_get_entries_with_missing_mirrors() to detect the aggregate fallback (source
equals RH_IDMS_SOURCE with no path component) and handle it as a special case
(skip per-image parsing and apply mirrors appropriately) so it doesn’t derive
malformed image_name values.
- Around line 309-312: The current check uses any(m.startswith(url) for m in
mirrors) which matches any image under the same version prefix; instead compute
the full candidate mirror string (f"{url}/{image_name}") and check existence
per-image (e.g., any(m == candidate for m in mirrors) or
any(m.startswith(candidate) if tags/digests may follow) ) when building missing
from required_mirrors; then set entry["mirrors"] = mirrors + missing and
has_changes = True as before. Ensure you reference the local variables
required_mirrors, image_name, mirrors, missing, and entry["mirrors"] when making
the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8b1962de-bc7f-41fb-871e-cb115b317c18

📥 Commits

Reviewing files that changed from the base of the PR and between fd0844e and 244c596.

📒 Files selected for processing (5)

• tests/install_upgrade_operators/constants.py
• tests/install_upgrade_operators/product_install/conftest.py
• tests/install_upgrade_operators/product_upgrade/conftest.py
• tests/install_upgrade_operators/utils.py
• utilities/pytest_utils.py

[openshift-virtualization-qe-bot-3]

/retest all

Auto-triggered: Files in this PR were modified by merged PR #4467.

Overlapping files

tests/install_upgrade_operators/constants.py

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

utilities/pytest_utils.py (1)

269-275: 🛠️ Refactor suggestion | 🟠 Major

MEDIUM: Add the required public-helper docstring.

This public utility now has non-obvious behavior: it may return a URL, return None, or raise based on pytest flags and CNV_VERSION_EXPLORER_URL. Documenting that contract prevents callers from treating CNV upgrade runs like the non-upgrade path.

Proposed docstring

 def get_cnv_version_explorer_url(pytest_config):
+    """Return the CNV Version Explorer URL for install and selected upgrade flows.
+
+    Args:
+        pytest_config: Pytest config object.
+
+    Returns:
+        CNV Version Explorer URL from `CNV_VERSION_EXPLORER_URL` when `--install`
+        is used or `--upgrade` is `eus` or `cnv`; otherwise `None`.
+
+    Raises:
+        MissingEnvironmentVariableError: If the URL is required but the environment
+            variable is unset.
+    """
     if pytest_config.getoption("install") or pytest_config.getoption("upgrade") in ("eus", "cnv"):
         LOGGER.info("Checking for cnv version explorer url:")
         version_explorer_url = os.environ.get("CNV_VERSION_EXPLORER_URL")

Based on learnings, public functions are those defined under libs/ or utilities/; As per coding guidelines, “Google-format docstrings are REQUIRED for all public functions with non-obvious return values OR side effects.”

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@utilities/pytest_utils.py` around lines 269 - 275, The function
get_cnv_version_explorer_url lacks a Google-style docstring describing its
non-obvious contract: depending on pytest flags it may return a URL string,
return None, or raise MissingEnvironmentVariableError if
CNV_VERSION_EXPLORER_URL is unset during CNV-related install/upgrade; add a
Google-format docstring immediately above get_cnv_version_explorer_url that
documents parameters (pytest_config), the return value (str or None), the
conditions under which it raises MissingEnvironmentVariableError, and any side
effects (reads CNV_VERSION_EXPLORER_URL and calls LOGGER.info) so callers
understand the different behaviors.

tests/install_upgrade_operators/product_upgrade/conftest.py (1)

426-428: ⚠️ Potential issue | 🟠 Major

HIGH: include the brew fallback mirror for new EUS IDMS resources.

The non-EUS path adds BREW_MIRROR_BASE_URL when the IDMS does not exist, but the EUS path creates a fresh fallback IDMS with only Konflux version mirrors. Fresh EUS runs can miss the brew fallback mirror and diverge from the non-EUS behavior.

Proposed fix

     apply_konflux_idms(
         idms=idms,
-        required_mirrors=required_mirrors,
+        required_mirrors=required_mirrors if idms.exists else required_mirrors + [BREW_MIRROR_BASE_URL],
         machine_config_pools=machine_config_pools,
         mcp_conditions=machine_config_pools_conditions_scope_module,
         nodes=nodes,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/install_upgrade_operators/product_upgrade/conftest.py` around lines 426
- 428, The EUS branch that creates a fresh fallback IDMS is missing the brew
fallback mirror; update the logic in apply_konflux_idms (and its callers that
build required_mirrors) to ensure BREW_MIRROR_BASE_URL is appended to the mirror
list when creating new EUS IDMS resources just like the non-EUS path does;
locate the code paths that build required_mirrors and the EUS-specific
conditional and add the same fallback mirror insertion so fresh EUS runs include
the brew fallback.

♻️ Duplicate comments (1)

tests/install_upgrade_operators/utils.py (1)

293-315: ⚠️ Potential issue | 🟠 Major

HIGH: update the aggregate fallback entry instead of treating it as complete.

Line 349 creates a fallback entry with source == RH_IDMS_SOURCE, but lines 305-314 only update RH_IDMS_SOURCE/<image> entries. On the next run, that fallback IDMS is ignored and line 340 returns early, so new target-version mirrors are never added.

Proposed fix

-    for entry in mirror_entries:
-        if entry["source"].startswith(f"{RH_IDMS_SOURCE}/"):
-            image_name = entry["source"].removeprefix(f"{RH_IDMS_SOURCE}/")
-            mirrors = entry.get("mirrors", [])
-            missing = [
-                expected_mirror for url in required_mirrors if (expected_mirror := f"{url}/{image_name}") not in mirrors
-            ]
-            if missing:
-                entry["mirrors"] = mirrors + missing
-                has_changes = True
+    for entry in mirror_entries:
+        mirrors = entry.get("mirrors", [])
+        if entry["source"] == RH_IDMS_SOURCE:
+            missing = [url for url in required_mirrors if url not in mirrors]
+        elif entry["source"].startswith(f"{RH_IDMS_SOURCE}/"):
+            image_name = entry["source"].removeprefix(f"{RH_IDMS_SOURCE}/")
+            missing = [
+                expected_mirror for url in required_mirrors if (expected_mirror := f"{url}/{image_name}") not in mirrors
+            ]
+        else:
+            continue
+
+        if missing:
+            entry["mirrors"] = mirrors + missing
+            has_changes = True

Also applies to: 349-349

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/install_upgrade_operators/utils.py` around lines 293 - 315, _in
_get_entries_with_missing_mirrors_, the code only updates entries whose source
startswith RH_IDMS_SOURCE + "/", so the aggregate fallback entry whose source ==
RH_IDMS_SOURCE is left unchanged and future runs skip adding new target-version
mirrors; fix by handling the exact-match fallback: inside the loop over
mirror_entries (refer to variables entry, entry["source"], mirrors, missing,
has_changes) add a branch for entry["source"] == RH_IDMS_SOURCE that computes
missing mirrors from required_mirrors (use the base URLs themselves, not
per-image paths) and appends them to entry["mirrors"], otherwise keep the
existing logic for RH_IDMS_SOURCE/<image> where you build expected_mirror as
f"{url}/{image_name}"; set has_changes when you append mirrors and return
mirror_entries if has_changes else [].

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@tests/install_upgrade_operators/product_upgrade/conftest.py`:
- Around line 426-428: The EUS branch that creates a fresh fallback IDMS is
missing the brew fallback mirror; update the logic in apply_konflux_idms (and
its callers that build required_mirrors) to ensure BREW_MIRROR_BASE_URL is
appended to the mirror list when creating new EUS IDMS resources just like the
non-EUS path does; locate the code paths that build required_mirrors and the
EUS-specific conditional and add the same fallback mirror insertion so fresh EUS
runs include the brew fallback.

In `@utilities/pytest_utils.py`:
- Around line 269-275: The function get_cnv_version_explorer_url lacks a
Google-style docstring describing its non-obvious contract: depending on pytest
flags it may return a URL string, return None, or raise
MissingEnvironmentVariableError if CNV_VERSION_EXPLORER_URL is unset during
CNV-related install/upgrade; add a Google-format docstring immediately above
get_cnv_version_explorer_url that documents parameters (pytest_config), the
return value (str or None), the conditions under which it raises
MissingEnvironmentVariableError, and any side effects (reads
CNV_VERSION_EXPLORER_URL and calls LOGGER.info) so callers understand the
different behaviors.

---

Duplicate comments:
In `@tests/install_upgrade_operators/utils.py`:
- Around line 293-315: _in _get_entries_with_missing_mirrors_, the code only
updates entries whose source startswith RH_IDMS_SOURCE + "/", so the aggregate
fallback entry whose source == RH_IDMS_SOURCE is left unchanged and future runs
skip adding new target-version mirrors; fix by handling the exact-match
fallback: inside the loop over mirror_entries (refer to variables entry,
entry["source"], mirrors, missing, has_changes) add a branch for entry["source"]
== RH_IDMS_SOURCE that computes missing mirrors from required_mirrors (use the
base URLs themselves, not per-image paths) and appends them to entry["mirrors"],
otherwise keep the existing logic for RH_IDMS_SOURCE/<image> where you build
expected_mirror as f"{url}/{image_name}"; set has_changes when you append
mirrors and return mirror_entries if has_changes else [].

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b6217507-43c8-4f0b-a58e-88badbf3f11d

📥 Commits

Reviewing files that changed from the base of the PR and between 244c596 and d0a45ce.

📒 Files selected for processing (6)

• tests/install_upgrade_operators/conftest.py
• tests/install_upgrade_operators/constants.py
• tests/install_upgrade_operators/product_install/conftest.py
• tests/install_upgrade_operators/product_upgrade/conftest.py
• tests/install_upgrade_operators/utils.py
• utilities/pytest_utils.py

💤 Files with no reviewable changes (1)

• tests/install_upgrade_operators/product_install/conftest.py

[openshift-virtualization-qe-bot-3]

Clean rebase detected — no code changes compared to previous head (d0a45ce).
The following labels were preserved: commented-hmeir, commented-coderabbitai[bot].