
ACM-34978: apply disk encryption defaults on cluster create and update #10442

Merged
openshift-merge-bot[bot] merged 8 commits into openshift:master from andrej1991:diskencryptionBug_master
Jun 19, 2026

@andrej1991

@andrej1991 andrej1991 commented Jun 9, 2026

Contributor

Normalize nil or empty disk_encryption enable_on and mode to none and
tpmv2 when syncing from AgentClusterInstall and when persisting cluster
updates. Prevents writing an empty enable_on while mode stays tpmv2,
which could leave hosts stuck in Discovering during hardware validation.

List all the issues related to this PR

  • New Feature
  • Enhancement
  • Bug fix
  • Tests
  • Documentation
  • CI/CD

What environments does this code impact?

  • Automation (CI, tools, etc)
  • Cloud
  • Operator Managed Deployments
  • None

How was this code tested?

  • assisted-test-infra environment
  • dev-scripts environment
  • Reviewer's test appreciated
  • Waiting for CI to do a full test run
  • Manual (Elaborate on how it was tested)
  • No tests needed

Checklist

  • Title and description added to both, commit and PR.
  • Relevant issues have been associated (see CONTRIBUTING guide)
  • This change does not require a documentation update (docstring, docs, README, etc)
  • Does this change include unit-tests (note that code changes require unit-tests)

Reviewers Checklist

  • Are the title and description (in both PR and commit) meaningful and clear?
  • Is there a bug required (and linked) for this change?
  • Should this PR be backported?

Summary by CodeRabbit

  • Bug Fixes
    • Improved consistency of disk-encryption handling across create/update, validations, preflight hardware checks, and manifest generation, including correct TPM behavior when encryption is unset vs explicitly disabled.
    • Updated Tang connectivity checks to align with the new enablement/role logic.
    • Ensured the stored disk-encryption mode is concrete in the disabled (“none”) scenario.
  • Refactor
    • Centralized disk-encryption normalization/defaulting and enablement rules into shared utilities.
  • Tests
    • Expanded coverage for defaults, request detection, enablement/role behavior, and TPM requirements.

In OCPBUGS-86731 the issue was likely caused by DiskEncryptionEnabledOn being an empty string, and the validation treated the empty string as enabled.
A new test is also added to test the robustness.
@coderabbitai

coderabbitai Bot commented Jun 9, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

This PR refactors disk encryption configuration logic by introducing a new internal/diskencryption package with reusable helpers, then systematically updating all callers across the codebase to use the centralized implementation instead of scattered inline checks or local helpers.

Changes

Disk Encryption Refactoring

| Layer / File(s) | Summary |
| --- | --- |
| Disk encryption helpers foundation: internal/diskencryption/disk_encryption.go, internal/diskencryption/disk_encryption_test.go | New package introduces IsEnabled, IsConfigured, RequestsConfiguration, DiskEncryptionFieldDefaults, ApplyDiskEncryptionDefaults, IsSetWithTpm, and EnabledForRole functions with comprehensive Ginkgo test coverage for nil inputs, empty values, explicit settings, and all host role combinations. |
| Inventory and controller integration: internal/bminventory/inventory.go, internal/controller/controllers/clusterdeployments_controller.go | Inventory usage tracking and controller day-1/day-2 cluster operations apply disk-encryption defaults via ApplyDiskEncryptionDefaults and DiskEncryptionFieldDefaults, normalize update payloads, and use IsEnabled when constructing create/update parameters. |
| Host validators and helper removal: internal/host/validator.go, internal/host/hostutil/host_utils.go | Host validation preflight checks replace local nil/EnableOn comparisons with IsConfigured and swap deprecated IsDiskEncryptionEnabledForRole calls for EnabledForRole from the new package; the hostutil helper is deleted. |
| Hardware validator and TPM requirements: internal/hardware/validator.go, internal/hardware/validator_test.go | Hardware preflight requirements replace local isDiskEncryptionSetWithTpm with centralized IsSetWithTpm; new test verifies TPMv2 mode without explicit EnableOn is treated as disabled. |
| Tang connectivity, manifests, and validation: internal/host/hostcommands/tang_connectivity_check_cmd.go, internal/network/manifests_generator.go, internal/cluster/validations/validations.go, subsystem/kubeapi/kubeapi_test.go | Tang connectivity checks short-circuit when disk encryption is not configured and validate per-role enablement; manifest generation and validation use IsConfigured and RequestsConfiguration for config detection; kubeapi test expectation updated to expect default tpmv2 mode when EnableOn is "none". |

Sequence Diagrams

sequenceDiagram
    participant Inventory
    participant Controller
    participant DiskEncryption as diskencryption pkg
    participant Database
    
    Inventory->>DiskEncryption: ApplyDiskEncryptionDefaults(de)
    DiskEncryption-->>Inventory: (normalized EnableOn, Mode)
    Inventory->>Inventory: setDiskEncryptionUsage(IsConfigured)
    Inventory->>Database: Persist normalized config
    
    Controller->>DiskEncryption: IsEnabled(enable_on)
    DiskEncryption-->>Controller: bool
    Controller->>DiskEncryption: DiskEncryptionFieldDefaults(spec values)
    DiskEncryption-->>Controller: (defaulted fields)
    Controller->>Database: Update with defaults
sequenceDiagram
    participant Validator as Host/Hardware Validator
    participant DiskEncryption as diskencryption pkg
    participant HostRole
    
    Validator->>DiskEncryption: IsConfigured(de)
    DiskEncryption-->>Validator: bool
    Validator->>DiskEncryption: IsSetWithTpm(de)
    DiskEncryption-->>Validator: bool
    Validator->>DiskEncryption: EnabledForRole(de, role)
    DiskEncryption->>HostRole: Parse enable_on string
    DiskEncryption-->>Validator: bool (role matched)

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 64.29% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | Multiple tests violate single responsibility principle: diskencryption_test.go's "returns false for nil or disabled configuration" test asserts 3 different scenarios; validator_test.go's TPM tests... | Refactor tests to assert one behavior per It block. Split multi-scenario assertions into separate tests or add context-describing failure messages to assertions. |
| Description check | ❓ Inconclusive | The PR description provides a clear explanation of the change (normalizing nil/empty disk encryption fields to prevent hosts stuck in Discovering state) but lacks completion of required checklist items and issue linking. | Complete the issue-type checklist to indicate whether this is a bug fix or enhancement, and address the missing JIRA issue link that the PR labels suggest should be present. |

✅ Passed checks (12 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test titles in the PR (disk_encryption_test.go and validator_test.go) use stable, static strings. No dynamic values like UUIDs, timestamps, or random identifiers appear in test names; an... |
| Microshift Test Compatibility | ✅ Passed | No new e2e tests added in this PR. Tests added are unit tests (internal/diskencryption, internal/hardware) and a modification to existing subsystem tests (subsystem/kubeapi), not e2e tests. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds unit and integration tests only to the assisted-service repository, not OpenShift e2e tests. The check targets OpenShift e2e tests in test/extended/, which do not exist here. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR is not applicable to topology-aware scheduling check—all changes are disk encryption configuration and validation logic with no deployment manifests, operator scheduling constraints, or topology... |
| Ote Binary Stdout Contract | ✅ Passed | PR complies with OTE Binary Stdout Contract: disk_encryption.go is pure library code with no stdout writes; disk_encryption_test.go properly uses Ginkgo with TestDiskEncryption() entry point and al... |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The PR adds Ginkgo unit/integration tests (disk_encryption_test.go, validator_test.go additions, kubeapi_test.go modification), not e2e tests. Tests have no IPv4 hardcoded addresses, no IPv4-only a... |
| No-Weak-Crypto | ✅ Passed | PR contains no weak cryptography usage (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode), no custom crypto implementations, and no non-constant-time secret comparisons; new code only performs config... |
| Container-Privileges | ✅ Passed | PR modifies only Go source files (internal/ directory). No K8s manifests, container configs, or privilege-related declarations are present or modified. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The PR introduces no active logging of sensitive data. The new diskencryption package contains no logging, and modified files don't log passwords, tokens, API keys, PII, or sensitive configuration... |
| Title check | ✅ Passed | The PR title accurately and concisely captures the main change: applying disk encryption defaults when clusters are created or updated. |


@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 9, 2026
@openshift-ci-robot


@andrej1991: This pull request explicitly references no jira issue.

Details

In response to this:

Normalize nil or empty disk_encryption enable_on and mode to none and
tpmv2 when syncing from AgentClusterInstall and when persisting cluster
updates. Prevents writing an empty enable_on while mode stays tpmv2,
which could leave hosts stuck in Discovering during hardware validation.

Summary by CodeRabbit

Release Notes

  • Bug Fixes

  • Fixed disk encryption configuration to properly apply and normalize default values when clusters are created or updated with disk encryption settings.

  • Tests

  • Added tests to validate disk encryption default handling behavior and verify correct hardware requirement calculations for TPM-enabled encryption configurations.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 9, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
internal/common/disk_encryption.go (1)

8-19: 💤 Low value

Consider clarifying that empty strings are treated as nil.

The function correctly uses swag.StringValue() which converts both nil and empty string pointers to "", then applies defaults. This behavior is robust but not explicitly documented. Consider updating the godoc to mention that empty strings are normalized to defaults.

📝 Suggested documentation enhancement
-// DiskEncryptionFieldDefaults returns enable_on and mode with defaults for nil or empty values.
+// DiskEncryptionFieldDefaults returns enable_on and mode with defaults applied.
+// Both nil pointers and empty strings are treated as unset and replaced with defaults:
+// - enableOn defaults to "none" (DiskEncryptionEnableOnNone)
+// - mode defaults to "tpmv2" (DiskEncryptionModeTpmv2)
 func DiskEncryptionFieldDefaults(enableOn, mode *string) (string, string) {
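Review bot: The two added bullet lines ("// - enableOn defaults to ..." and "// - mode defaults to ...") name the constants without their package, while the rest of this review refers to them as models.DiskEncryptionEnableOnNone and models.DiskEncryptionModeTpmv2; write them fully qualified so the godoc points at identifiers a reader can find. The bullets should also be indented as "//   - ..." because gofmt normalizes doc-comment lists to that form since Go 1.19, and the comment should settle on one spelling of the parameter (the replaced line says enable_on, the bullets say enableOn).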
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/common/disk_encryption.go` around lines 8 - 19, Update the godoc for
DiskEncryptionFieldDefaults to explicitly state that both nil pointers and
pointers to empty strings are normalized by swag.StringValue to the empty string
and therefore will receive the default values (models.DiskEncryptionEnableOnNone
for enable_on and models.DiskEncryptionModeTpmv2 for mode); mention the use of
swag.StringValue in the description so readers know empty string inputs are
treated the same as nil and will be replaced with defaults.
internal/common/disk_encryption_test.go (1)

11-23: ⚡ Quick win

Consider testing mixed scenarios for better edge case coverage.

The current test covers "all nil", "all empty", and "all set" cases, but doesn't test scenarios where only one field is nil/empty while the other is explicitly set. These are valid real-world scenarios.

🧪 Suggested edge case tests
func TestDiskEncryptionFieldDefaults_MixedInputs(t *testing.T) {
	// enableOn set, mode nil
	enableOn, mode := DiskEncryptionFieldDefaults(swag.String(models.DiskEncryptionEnableOnMasters), nil)
	assert.Equal(t, models.DiskEncryptionEnableOnMasters, enableOn)
	assert.Equal(t, models.DiskEncryptionModeTpmv2, mode)

	// enableOn nil, mode set
	enableOn, mode = DiskEncryptionFieldDefaults(nil, swag.String(models.DiskEncryptionModeTang))
	assert.Equal(t, models.DiskEncryptionEnableOnNone, enableOn)
	assert.Equal(t, models.DiskEncryptionModeTang, mode)

	// enableOn set, mode empty
	enableOn, mode = DiskEncryptionFieldDefaults(swag.String(models.DiskEncryptionEnableOnWorkers), swag.String(""))
	assert.Equal(t, models.DiskEncryptionEnableOnWorkers, enableOn)
	assert.Equal(t, models.DiskEncryptionModeTpmv2, mode)
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/common/disk_encryption_test.go` around lines 11 - 23, Add tests
covering mixed nil/empty/value combinations for DiskEncryptionFieldDefaults:
call DiskEncryptionFieldDefaults with (1) enableOn set + mode nil and assert
enableOn stays the provided value and mode defaults to DiskEncryptionModeTpmv2,
(2) enableOn nil + mode set and assert enableOn defaults to
DiskEncryptionEnableOnNone while mode stays provided, and (3) enableOn set +
mode empty string and assert enableOn stays provided while mode defaults to
DiskEncryptionModeTpmv2; place these cases in a new
TestDiskEncryptionFieldDefaults_MixedInputs in
internal/common/disk_encryption_test.go referencing DiskEncryptionFieldDefaults
and the models constants used in existing tests.
internal/hardware/validator_test.go (1)

1880-1897: ⚡ Quick win

Add explicit empty-string enable_on regression coverage.

This case validates EnableOn == nil; please add a sibling case with EnableOn: swag.String("") to lock the exact empty-string regression path.

Suggested test addition
+		It("TPM - empty enable_on with tpmv2 mode is treated as disabled", func() {
+			diskEncryptionClusterID := strfmt.UUID(uuid.New().String())
+			diskEncryptionCluster := &common.Cluster{Cluster: models.Cluster{
+				ID:               &diskEncryptionClusterID,
+				OpenshiftVersion: openShiftVersionNotInConfig,
+				DiskEncryption: &models.DiskEncryption{
+					EnableOn: swag.String(""),
+					Mode:     swag.String(models.DiskEncryptionModeTpmv2),
+				},
+			}}
+
+			operatorsMock.EXPECT().GetPreflightRequirementsBreakdownForCluster(gomock.Any(), gomock.Eq(diskEncryptionCluster)).Return(operatorRequirements, nil)
+
+			result, err := hwvalidator.GetPreflightHardwareRequirements(context.TODO(), diskEncryptionCluster)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(result.Ocp.Master.Quantitative.TpmEnabledInBios).To(BeFalse())
+			Expect(result.Ocp.Worker.Quantitative.TpmEnabledInBios).To(BeFalse())
+		})
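Review bot: The added It block duplicates the cluster setup, the mock expectation and both TpmEnabledInBios assertions of the nil enable_on case it is described as mirroring, and differs only in EnableOn: swag.String(""). Fold the two into one Ginkgo DescribeTable with an Entry for nil and an Entry for the empty string so the unset and empty paths cannot drift apart, and add an Entry with an explicit enable_on and tpmv2 that expects true, so a helper that always returned false would not pass.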
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/hardware/validator_test.go` around lines 1880 - 1897, Add a sibling
test in internal/hardware/validator_test.go mirroring the "TPM - unset enable_on
with tpmv2 mode is treated as disabled" case but set DiskEncryption.EnableOn to
swag.String("") (empty string) instead of nil; create a cluster instance with
DiskEncryption: &models.DiskEncryption{Mode:
swag.String(models.DiskEncryptionModeTpmv2), EnableOn: swag.String("")}, keep
the same operatorsMock.EXPECT().GetPreflightRequirementsBreakdownForCluster(...)
return and call hwvalidator.GetPreflightHardwareRequirements(context.TODO(),
<that cluster>), then assert result.Ocp.Master.Quantitative.TpmEnabledInBios and
result.Ocp.Worker.Quantitative.TpmEnabledInBios are false to lock the
empty-string regression path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/common/disk_encryption_test.go`:
- Around line 11-23: Add unit tests for ApplyDiskEncryptionDefaults covering nil
input, nil fields, empty-string fields, and explicit values: call
ApplyDiskEncryptionDefaults(nil) to ensure it doesn't panic; create de :=
&models.DiskEncryption{} and call ApplyDiskEncryptionDefaults(de) and assert
*de.EnableOn == models.DiskEncryptionEnableOnNone and *de.Mode ==
models.DiskEncryptionModeTpmv2; create de with EnableOn and Mode set to
swag.String("") and assert defaults are applied; create de with
EnableOn/swag.String(models.DiskEncryptionEnableOnMasters) and
Mode/swag.String(models.DiskEncryptionModeTang) and assert those explicit
values are preserved.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 990aa00e-6d40-4350-bcf1-b9e382996bfb

📥 Commits

Reviewing files that changed from the base of the PR and between 299fbae and 13d5d2b.

📒 Files selected for processing (6)
  • internal/bminventory/inventory.go
  • internal/common/disk_encryption.go
  • internal/common/disk_encryption_test.go
  • internal/controller/controllers/clusterdeployments_controller.go
  • internal/hardware/validator.go
  • internal/hardware/validator_test.go

Comment thread internal/common/disk_encryption_test.go Outdated
@openshift-ci

openshift-ci Bot commented Jun 9, 2026


Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@andrej1991 andrej1991 marked this pull request as ready for review June 9, 2026 20:48
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 9, 2026
@openshift-ci openshift-ci Bot requested review from eranco74 and jhernand June 9, 2026 20:49
@codecov

codecov Bot commented Jun 9, 2026


Codecov Report

❌ Patch coverage is 95.00000% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 45.20%. Comparing base (299fbae) to head (3cddec3).
⚠️ Report is 48 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| internal/cluster/validations/validations.go | 0.00% | 2 Missing ⚠️ |
| internal/hardware/validator.go | 75.00% | 1 Missing and 1 partial ⚠️ |
| internal/common/disk_encryption.go | 98.00% | 1 Missing ⚠️ |

Additional details and impacted files


@@            Coverage Diff             @@
##           master   #10442      +/-   ##
==========================================
+ Coverage   44.34%   45.20%   +0.86%     
==========================================
  Files         420      423       +3     
  Lines       73064    78322    +5258     
==========================================
+ Hits        32401    35409    +3008     
- Misses      37730    39909    +2179     
- Partials     2933     3004      +71     

| Files with missing lines | Coverage Δ |
| --- | --- |
| internal/bminventory/inventory.go | 79.66% <100.00%> (+8.02%) ⬆️ |
| ...oller/controllers/clusterdeployments_controller.go | 73.55% <100.00%> (+0.16%) ⬆️ |
| ...l/host/hostcommands/tang_connectivity_check_cmd.go | 81.70% <100.00%> (-0.44%) ⬇️ |
| internal/host/hostutil/host_utils.go | 55.90% <ø> (-1.67%) ⬇️ |
| internal/host/validator.go | 82.36% <100.00%> (-1.20%) ⬇️ |
| internal/network/manifests_generator.go | 82.46% <100.00%> (+5.10%) ⬆️ |
| internal/common/disk_encryption.go | 98.00% <98.00%> (ø) |
| internal/cluster/validations/validations.go | 46.21% <0.00%> (ø) |
| internal/hardware/validator.go | 79.88% <75.00%> (-0.45%) ⬇️ |

... and 29 files with indirect coverage changes


@andrej1991

Contributor Author

/retest

@andrej1991 andrej1991 force-pushed the diskencryptionBug_master branch from 13d5d2b to c50cd6c Compare June 10, 2026 12:51
@andrej1991

Contributor Author

/retest e2e-agent-compac-ipv4

@andrej1991

Contributor Author

/retest e2e-agent-compact-ipv4

@andrej1991

Contributor Author

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 10, 2026
@andrej1991

Contributor Author

/test e2e-agent-compact-ipv4

@rccrdpccl

Contributor

There are other parts of the code that are handling what appears to be non-normalized data (i.e. https://github.com/andrej1991/assisted-service/blob/c50cd6cb2d576daf449dd14210582df95240dadb/internal/network/manifests_generator.go#L378-L381)

How are clusters already in the DB handled? We do not seem to normalize data coming from the DB

@@ -0,0 +1,29 @@
package common

Contributor


Unrelated to this PR, as this is a common pattern in this repo.

However I think adding anything to the already tangled common package helps the probability of getting circular imports.

As this is a clean helper, with few dependencies (and no internal dependencies apart from models), I think it's a great candidate to move to its own package, something like internal/diskencryption.
There are other helpers around the codebase that could be moved in there as well:

  - IsDiskEncryptionEnabledForRole in internal/host/hostutil/ — checks if encryption is enabled for a given host role. Only depends on models, swag, go-funk.
  - isDiskEncryptionSetWithTpm in internal/hardware/validator.go — checks if TPM encryption is configured. Only models, swag.
  - isDiskEncryptionEnabled in clusterdeployments_controller.go — checks if the CRD spec has encryption enabled. Only swag, models.

However this is probably not part of this PR: would you mind either creating a new task about it or a follow up PR with this simple refactor? 🙏

Contributor Author


"There are other parts of the code that are handling what appears to be non-normalized data (i.e. https://github.com/andrej1991/assisted-service/blob/c50cd6cb2d576daf449dd14210582df95240dadb/internal/network/manifests_generator.go#L378-L381)

How are clusters already in the DB handled? We do not seem to normalize data coming from the DB"

From now on only normalized data will end up in the DB. The new validation can handle the already existing data. The normalization was added due to API consistency.

The second comment is fixed in the last commit.
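An added example, not code from this PR or from the assisted-service repository: a self-contained Go program that contrasts a "not equal to none" check with defaulting on write and on read, covering both the empty enable_on case from the PR description and the already-stored records raised in this thread. All type, constant and function names are hypothetical stand-ins, and the sample records are constructed.

```go
package main

import "fmt"

// Constructed stand-ins for the API model. Every name in this file is an
// assumption made for the example, not an identifier from the repository.
const (
	enableOnNone    = "none"
	enableOnMasters = "masters"
	enableOnWorkers = "workers"
	modeTpmv2       = "tpmv2"
	modeTang        = "tang"
)

type DiskEncryption struct {
	EnableOn *string
	Mode     *string
}

func str(s string) *string { return &s }

// deref returns "" for a nil pointer, so nil and empty look identical.
func deref(p *string) string {
	if p == nil {
		return ""
	}
	return *p
}

// naiveTpmRequired is the fragile pattern: anything that is not literally
// "none" counts as enabled, so a nil or empty enable_on demands a TPM.
func naiveTpmRequired(de *DiskEncryption) bool {
	return de != nil && deref(de.EnableOn) != enableOnNone && deref(de.Mode) == modeTpmv2
}

// fieldDefaults maps nil and "" to the defaults named in the PR description:
// enable_on "none" and mode "tpmv2".
func fieldDefaults(enableOn, mode *string) (string, string) {
	e, m := deref(enableOn), deref(mode)
	if e == "" {
		e = enableOnNone
	}
	if m == "" {
		m = modeTpmv2
	}
	return e, m
}

// applyDefaults is the write side: normalize in place before persisting.
func applyDefaults(de *DiskEncryption) {
	if de == nil {
		return
	}
	e, m := fieldDefaults(de.EnableOn, de.Mode)
	de.EnableOn, de.Mode = &e, &m
}

// tpmRequired is the read side: it defaults on the fly, so records stored
// before normalization existed are evaluated the same way as new ones.
func tpmRequired(de *DiskEncryption) bool {
	if de == nil {
		return false
	}
	e, m := fieldDefaults(de.EnableOn, de.Mode)
	return e != enableOnNone && m == modeTpmv2
}

type verdict struct {
	Name            string
	Naive, Hardened bool
}

// evaluate runs both checks over constructed sample records.
func evaluate() []verdict {
	samples := []struct {
		name string
		de   *DiskEncryption
	}{
		{"no disk_encryption object", nil},
		{"enable_on nil, mode tpmv2", &DiskEncryption{Mode: str(modeTpmv2)}},
		{"enable_on \"\", mode tpmv2", &DiskEncryption{EnableOn: str(""), Mode: str(modeTpmv2)}},
		{"enable_on none, mode tpmv2", &DiskEncryption{EnableOn: str(enableOnNone), Mode: str(modeTpmv2)}},
		{"enable_on masters, mode nil", &DiskEncryption{EnableOn: str(enableOnMasters)}},
		{"enable_on masters, mode tang", &DiskEncryption{EnableOn: str(enableOnMasters), Mode: str(modeTang)}},
		{"enable_on workers, mode tpmv2", &DiskEncryption{EnableOn: str(enableOnWorkers), Mode: str(modeTpmv2)}},
	}
	out := make([]verdict, 0, len(samples))
	for _, s := range samples {
		out = append(out, verdict{s.name, naiveTpmRequired(s.de), tpmRequired(s.de)})
	}
	return out
}

func main() {
	for _, v := range evaluate() {
		fmt.Printf("%-30s naive=%-5t hardened=%t\n", v.Name, v.Naive, v.Hardened)
	}
}
```

The two checks disagree in both directions: the naive one demands a TPM for nil or empty enable_on, and misses the requirement when enable_on is set but mode is left unset.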

Normalize nil or empty disk_encryption enable_on and mode to none and
tpmv2 when syncing from AgentClusterInstall and when persisting cluster
updates. Prevents writing an empty enable_on while mode stays tpmv2,
which could leave hosts stuck in Discovering during hardware validation.
@andrej1991 andrej1991 force-pushed the diskencryptionBug_master branch from c50cd6c to 65c9520 Compare June 12, 2026 11:09

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
internal/host/validator.go (1)

492-494: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Potential nil pointer dereference at line 492 (existing code affecting changed segment)

Line 492 accesses c.cluster.DiskEncryption.EnableOn without checking if c.cluster.DiskEncryption is nil. If disk encryption is not configured for the cluster, this will panic before reaching the changed code at line 533.

Other call sites in this PR include defensive nil checks:

  • manifests_generator.go:353: c.DiskEncryption == nil || ...
  • tang_connectivity_check_cmd.go:74: cluster.DiskEncryption == nil || ...

This suggests DiskEncryption can be nil in practice.

Note: This issue exists in surrounding code, not introduced by the PR. However, since this PR refactors disk-encryption logic, it's a good opportunity to add the missing guard.

🛡️ Proposed fix
-	if c.infraEnv != nil || swag.StringValue(c.cluster.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnNone {
+	if c.infraEnv != nil || c.cluster.DiskEncryption == nil || swag.StringValue(c.cluster.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnNone {
 		return ValidationSuccessSuppressOutput, ""
 	}
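Review bot: The condition on the + line still compares EnableOn only against models.DiskEncryptionEnableOnNone, so a non-nil DiskEncryption with an empty enable_on falls through as if encryption were enabled, which is the state the PR description ties to hosts stuck in Discovering. Rather than adding another inline nil check here, route this guard through the new diskencryption helpers listed in the walkthrough (IsConfigured or EnabledForRole) so that nil, empty and "none" are decided in one place.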
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/host/validator.go` around lines 492 - 494, The code checks
c.cluster.DiskEncryption.EnableOn without guarding against
c.cluster.DiskEncryption being nil; update the conditional that currently reads
"if c.infraEnv != nil || swag.StringValue(c.cluster.DiskEncryption.EnableOn) ==
models.DiskEncryptionEnableOnNone" to first check "c.cluster.DiskEncryption ==
nil" (e.g., "if c.infraEnv != nil || c.cluster.DiskEncryption == nil ||
swag.StringValue(c.cluster.DiskEncryption.EnableOn) ==
models.DiskEncryptionEnableOnNone") so the nil pointer is avoided and the
function (returning ValidationSuccessSuppressOutput, "") behaves the same when
DiskEncryption is absent.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 85d850a2-ab1d-4a55-be9a-74b7bf249bec

📥 Commits

Reviewing files that changed from the base of the PR and between 13d5d2b and 65c9520.

📒 Files selected for processing (11)
  • internal/bminventory/inventory.go
  • internal/controller/controllers/clusterdeployments_controller.go
  • internal/diskencryption/disk_encryption.go
  • internal/diskencryption/disk_encryption_test.go
  • internal/hardware/validator.go
  • internal/host/hostcommands/tang_connectivity_check_cmd.go
  • internal/host/hostutil/host_utils.go
  • internal/host/hostutil/host_utils_test.go
  • internal/host/validator.go
  • internal/network/manifests_generator.go
  • subsystem/kubeapi/kubeapi_test.go
💤 Files with no reviewable changes (2)
  • internal/host/hostutil/host_utils_test.go
  • internal/host/hostutil/host_utils.go
✅ Files skipped from review due to trivial changes (1)
  • internal/diskencryption/disk_encryption.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • internal/bminventory/inventory.go
  • internal/controller/controllers/clusterdeployments_controller.go
  • subsystem/kubeapi/kubeapi_test.go

@@ -0,0 +1,138 @@
package diskencryption

Please stick to ginkgo tests, as the rest of the codebase

"strings"
"text/template"

"github.com/go-openapi/swag"

There are other places in the code where we inline this check. Even if it is still working OK in that case, please change it to be consistent with the new way, so we don't have 2 ways of achieving the same thing throughout the codebase.

Use Ginkgo for diskencryption tests so CI ginkgo flags are accepted, and
remove the unused ginkgo table import from hostutil tests.
@rccrdpccl

/override ci/prow/edge-e2e-ai-operator-disconnected-capi

@rccrdpccl

/lgtm
/approve

@openshift-ci

openshift-ci Bot commented Jun 18, 2026

@rccrdpccl: Overrode contexts on behalf of rccrdpccl: ci/prow/edge-e2e-ai-operator-ztp-capi

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 18, 2026
@openshift-ci

openshift-ci Bot commented Jun 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrej1991, rccrdpccl

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 18, 2026
@openshift-ci

openshift-ci Bot commented Jun 18, 2026

@rccrdpccl: Overrode contexts on behalf of rccrdpccl: ci/prow/edge-e2e-ai-operator-disconnected-capi

@gamli75

gamli75 commented Jun 18, 2026

/retitle ACM-34978: apply disk encryption defaults on cluster create and update

@openshift-ci openshift-ci Bot changed the title NO-ISSUE: apply disk encryption defaults on cluster create and update ACM-34978: apply disk encryption defaults on cluster create and update Jun 18, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 18, 2026

@andrej1991: This pull request references ACM-34978 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

@gamli75

gamli75 commented Jun 18, 2026

/jira refresh

@openshift-ci-robot

openshift-ci-robot commented Jun 18, 2026

@gamli75: This pull request references ACM-34978 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "ACM 5.0.0" instead.

@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD 7c10bff and 2 for PR HEAD 3cddec3 in total

@andrej1991

/retest

@andrej1991

/override ci/prow/edge-e2e-ai-operator-ztp-capi

@openshift-ci

openshift-ci Bot commented Jun 19, 2026

@andrej1991: andrej1991 unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams:openshift: openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers.

@openshift-merge-bot

/retest-required

Remaining retests: 0 against base HEAD b91c174 and 1 for PR HEAD 3cddec3 in total

@rccrdpccl

/override ci/prow/edge-e2e-ai-operator-disconnected-capi ci/prow/edge-e2e-ai-operator-ztp-capi

@openshift-ci

openshift-ci Bot commented Jun 19, 2026

@rccrdpccl: Overrode contexts on behalf of rccrdpccl: ci/prow/edge-e2e-ai-operator-disconnected-capi, ci/prow/edge-e2e-ai-operator-ztp-capi

@rccrdpccl

/override ci/prow/edge-e2e-ai-operator-ztp-capi

@openshift-ci

openshift-ci Bot commented Jun 19, 2026

@rccrdpccl: Overrode contexts on behalf of rccrdpccl: ci/prow/edge-e2e-ai-operator-ztp-capi

@openshift-merge-bot openshift-merge-bot Bot merged commit 60d2660 into openshift:master Jun 19, 2026
24 checks passed
@openshift-ci

openshift-ci Bot commented Jun 19, 2026

@andrej1991: all tests passed!

@andrej1991

/cherry-pick release-ocm-2.17

@andrej1991

/cherry-pick release-ocm-2.16

@openshift-cherrypick-robot

@andrej1991: new pull request created: #10513

@openshift-cherrypick-robot

@andrej1991: new pull request created: #10514

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
