Allow mpls and vrf kernel modules in Worker and Control Plane files

[csalomon1]

Updated base64-encoded allowed kernel modules in Worker and Control Plane files
(reference-crs-kube-compare) to include mpls and vrf as acceptable variations.

The changes were made by decoding the files, adding mpls and vrf to the allowed modules list, and encoding them back to Base64.

Ticket: https://redhat.atlassian.net/browse/CNF-21265

[openshift-ci]

Hi @csalomon1. Thanks for your PR.

I'm waiting for a openshift-kni member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Warning

Rate limit exceeded

@csalomon1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 7 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 402cae6f-67b5-4345-9e56-ec3424dbd97d

📥 Commits

Reviewing files that changed from the base of the PR and between 739419c and 243e792.

📒 Files selected for processing (8)

• .tekton/build-pipeline-telco-core-rds.yaml
• .tekton/build-pipeline-telco-hub-rds.yaml
• OWNERS_ALIASES
• telco-core/Dockerfile.telco-core
• telco-core/configuration/reference-crs-kube-compare/optional/other/control-plane-load-kernel-modules.yaml
• telco-core/configuration/reference-crs-kube-compare/optional/other/worker-load-kernel-modules.yaml
• telco-core/install/example-standard-clusterinstance.yaml
• telco-hub/Dockerfile.telco-hub

📝 Walkthrough

Walkthrough

MachineConfig files for control-plane and worker kernel module loading now compute /etc/modules-load.d/kernel-load.conf contents via Go templating: they search .spec.config.storage.files for a matching path to extract a user contents.source and pass it through validateBase64List with a predefined fallback module list instead of using a fixed Base64 payload.

Changes

Cohort / File(s)	Summary
Kernel module MachineConfigs with templated source resolution telco-core/configuration/reference-crs-kube-compare/optional/other/control-plane-load-kernel-modules.yaml, telco-core/configuration/reference-crs-kube-compare/optional/other/worker-load-kernel-modules.yaml	Replaced hardcoded Base64 contents.source with Go template logic that initializes a $userSource, scans .spec.config.storage.files for /etc/modules-load.d/kernel-load.conf, assigns that file's contents.source to $userSource if present, and produces the final source via validateBase64List using $userSource plus a predefined fallback list of kernel module identifiers.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title references allowing mpls and vrf kernel modules, but the actual changes show a shift from hardcoded Base64 payloads to templating logic using validateBase64List function, which is the primary technical change.	Consider revising the title to highlight the main change: either the shift to templating (e.g., 'Refactor kernel module config to use Go templating') or clarify that mpls/vrf additions are the primary goal despite the implementation approach.
Description check	⚠️ Warning	The description states changes were made by decoding, adding modules, and re-encoding to Base64, but the code summaries show the changes implement Go templating with validateBase64List function instead of fixed Base64 payloads.	Update the description to accurately reflect that the implementation uses Go templating with validateBase64List function rather than simple Base64 encoding/decoding of the kernel modules list.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 55 minutes and 7 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

telco-core/configuration/reference-crs-kube-compare/optional/other/control-plane-load-kernel-modules.yaml (1)

34-40: Keep the inline module list comments aligned with the generated fallback list.

The comments above this block still stop at nfnetlink_log, but Line 40 now also allows mpls and vrf. In a templated payload like this, stale comments make future edits easier to get wrong.

Suggested update

           # nf_reject_ipv4
           # nf_reject_ipv6
           # nfnetlink_log
+          # mpls
+          # vrf
           {{- $userSource := "" }}

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@telco-core/configuration/reference-crs-kube-compare/optional/other/control-plane-load-kernel-modules.yaml`
around lines 34 - 40, Update the inline comment that lists kernel modules so it
matches the generated fallback list used in the source call to template
"validateBase64List"; specifically ensure the human-readable comment above the
block includes "mpls" and "vrf" alongside the existing modules (the block that
sets $userSource and calls template "validateBase64List" with the list) so the
comment and the actual fallback list stay in sync and avoid stale documentation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@telco-core/configuration/reference-crs-kube-compare/optional/other/control-plane-load-kernel-modules.yaml`:
- Around line 34-40: Update the inline comment that lists kernel modules so it
matches the generated fallback list used in the source call to template
"validateBase64List"; specifically ensure the human-readable comment above the
block includes "mpls" and "vrf" alongside the existing modules (the block that
sets $userSource and calls template "validateBase64List" with the list) so the
comment and the actual fallback list stay in sync and avoid stale documentation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: fcf0a826-eb6d-42be-a4de-cd93152cfa0b

📥 Commits

Reviewing files that changed from the base of the PR and between b5ac4eb and 686df9e.

📒 Files selected for processing (2)

• telco-core/configuration/reference-crs-kube-compare/optional/other/control-plane-load-kernel-modules.yaml
• telco-core/configuration/reference-crs-kube-compare/optional/other/worker-load-kernel-modules.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@telco-core/configuration/reference-crs-kube-compare/optional/other/worker-load-kernel-modules.yaml`:
- Line 40: The fallback list passed to the template call validateBase64List (the
expression using source: {{ template "validateBase64List" (list $userSource
(list "ip_gre" "nf_tables" "nf_conntrack" "nft_ct" "nft_limit" "nft_log"
"nft_nat" "nft_chain_nat" "nf_reject_ipv4" "nf_reject_ipv6" "nfnetlink_log"))
}}) is missing the worker allowlist entries for mpls and vrf; update that inner
list to include "mpls" and "vrf" so the worker validateBase64List fallback
accepts those kernel modules.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 44b89340-920e-4e44-b4b3-799f0c386a00

📥 Commits

Reviewing files that changed from the base of the PR and between 686df9e and 739419c.

📒 Files selected for processing (2)

• telco-core/configuration/reference-crs-kube-compare/optional/other/control-plane-load-kernel-modules.yaml
• telco-core/configuration/reference-crs-kube-compare/optional/other/worker-load-kernel-modules.yaml

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: csalomon1

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment