@fangge1212 fangge1212 commented Dec 25, 2025

This PR adds AWS CPUOptions to conversion, and adds fuzz tests for it.

Summary by CodeRabbit

  • New Features

    • Support for AWS CPU Options in provider configs, including confidential compute settings for enhanced instance security.
  • Tests

    • Expanded fuzz testing to cover CPU Options and confidential compute policies, improving conversion robustness and edge-case coverage.

✏️ Tip: You can customize this high-level summary in your review settings.

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai

coderabbitai bot commented Dec 25, 2025

📝 Walkthrough

Adds bidirectional conversion for AWS CPUOptions between CAPA and MAPI, wiring converters into provider spec construction and AWSMachineSpec assembly. Fuzz tests expanded to exercise CPUOptions and ConfidentialComputePolicy values and to normalize empty CPUOptions during fuzzing.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CAPA → MAPI conversion: pkg/conversion/capi2mapi/aws.go | Adds ConvertAWSCPUOptionsToMAPI to map CAPA awsv1.CPUOptions (including ConfidentialCompute) to MAPI mapiv1beta1.CPUOptions and assigns it into the AWSMachineProviderConfig. |
| CAPA → MAPI fuzzing: pkg/conversion/capi2mapi/aws_fuzz_test.go | Adds fuzz helpers for CPUOptions and ConfidentialComputePolicy, integrating them into AWSMachine fuzzing to cover Disabled, SEVSNP, and unspecified cases. |
| MAPI → CAPA conversion: pkg/conversion/mapi2capi/aws.go | Adds convertAWSCPUOptionsToCAPI to translate MAPI CPUOptions into CAPA awsv1.CPUOptions, handling nil/empty inputs and mapping ConfidentialCompute values; wired into AWSMachineSpec construction. |
| MAPI → CAPA fuzzing: pkg/conversion/mapi2capi/aws_fuzz_test.go | Replaces unconditional nil-ing of ps.CPUOptions with normalization (empty struct → nil). Adds fuzzAWSMachineSpecCPUOptions and fuzzAWSMachineSpecConfidentialComputePolicy and registers them in machine-set fuzzers. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I hopped through code both ways today,

MAPI and CAPA in tidy array,
Confidential bits tucked in their nest,
Fuzzed and checked, now ready to rest,
A tiny rabbit cheers this conversion ballet 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add AWS CPUOptions to conversion' accurately and concisely describes the main change—adding CPUOptions transformation logic across CAPI/MAPI conversion files with corresponding fuzz tests. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between f587952 and c382a98.

📒 Files selected for processing (4)
  • pkg/conversion/capi2mapi/aws.go
  • pkg/conversion/capi2mapi/aws_fuzz_test.go
  • pkg/conversion/mapi2capi/aws.go
  • pkg/conversion/mapi2capi/aws_fuzz_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/conversion/mapi2capi/aws.go
🧰 Additional context used
🧬 Code graph analysis (1)
pkg/conversion/mapi2capi/aws_fuzz_test.go (1)
pkg/conversion/test/fuzz/fuzz.go (1)
  • MAPIMachineFuzzer (631-635)
🔇 Additional comments (7)
pkg/conversion/capi2mapi/aws.go (2)

144-144: LGTM!

The integration of CPUOptions conversion into the provider spec is correct and follows the established pattern for other fields.


718-734: Well-implemented conversion function.

The function correctly:

  • Handles the two defined ConfidentialCompute policy values (Disabled and SEVSNP)
  • Returns nil for empty CPUOptions, which optimizes the output and aligns with the normalization logic in the fuzz tests
  • Uses a value parameter for the input, which is appropriate for this small struct

The logic of returning nil when the resulting MAPI CPUOptions would be empty is a good design choice that prevents unnecessary empty structs in the output.

pkg/conversion/capi2mapi/aws_fuzz_test.go (2)

161-161: LGTM!

Correctly wires the CPUOptions fuzzer into the AWSMachineSpec fuzzing path.


221-236: Comprehensive fuzzing coverage for CPUOptions.

The fuzzing implementation correctly:

  • Fills the CPUOptions struct with random data
  • Specifically fuzzes the ConfidentialComputePolicy to cover all three valid states: Disabled, SEVSNP, and empty string
  • Ensures that conversion edge cases (including the empty value) are exercised during roundtrip testing

This should catch any conversion issues between CAPI and MAPI representations.

pkg/conversion/mapi2capi/aws_fuzz_test.go (3)

163-165: Important normalization for roundtrip consistency.

This conditional normalization ensures that empty CPUOptions structs are set to nil, which aligns with the behavior of ConvertAWSCPUOptionsToMAPI (which returns nil for empty options). This prevents false-positive failures in roundtrip conversion tests.


173-188: Well-designed MAPI-side fuzzing for CPUOptions.

The fuzzing implementation is appropriately adapted for MAPI:

  • Uses FillNoCustom to populate the struct, which may naturally set pointer fields to nil
  • Fuzzes ConfidentialComputePolicy to only 2 explicit values (Disabled, SEVSNP) rather than 3, since the nil case is already covered by the random fill
  • The conditional check on line 176 is defensive and ensures the field is populated before fuzzing

This asymmetry with the CAPI fuzzer (3 cases vs 2) is intentional and correct given the different handling of the field (value vs pointer).


285-285: LGTM!

Correctly integrates the CPUOptions fuzzer into the machine set fuzzing path.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested review from damdo and racheljpg December 25, 2025 10:16

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/conversion/mapi2capi/aws_fuzz_test.go (1)

173-188: Consider making fuzzAWSMachineSpecCPUOptions a standalone function for consistency.

The method fuzzAWSMachineSpecCPUOptions doesn't use the receiver f, but fuzzAWSMachineSpecConfidentialComputePolicy is already a standalone function. Consider making both consistent.

🔎 Proposed refactor
-func (f *awsProviderFuzzer) fuzzAWSMachineSpecCPUOptions(cpuOpts *mapiv1beta1.CPUOptions, c randfill.Continue) {
+func fuzzAWSMachineSpecCPUOptions(cpuOpts *mapiv1beta1.CPUOptions, c randfill.Continue) {
 	c.FillNoCustom(cpuOpts)
 
 	if cpuOpts.ConfidentialCompute != nil {
 		fuzzAWSMachineSpecConfidentialComputePolicy(cpuOpts.ConfidentialCompute, c)
 	}
 }
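
Review bot: the standalone fuzzAWSMachineSpecCPUOptions on the + line has no doc comment, and this PR is already flagged for docstring coverage of 40.00% against an 80.00% threshold. Add a comment above the function stating that it fills the struct with FillNoCustom and only overrides ConfidentialCompute when the fill left it non-nil, so the nil case comes from the random fill rather than from this function.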

And update the reference at line 285:

 		f.fuzzProviderConfig,
-		f.fuzzAWSMachineSpecCPUOptions,
+		fuzzAWSMachineSpecCPUOptions,
 	}
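
Review bot: after this change the fuzzer list mixes a method value (f.fuzzProviderConfig) with a bare function (fuzzAWSMachineSpecCPUOptions), so the consistency argument only holds if that mixed style is acceptable in this list. This entry also has to land in the same commit as the signature change, because f.fuzzAWSMachineSpecCPUOptions stops resolving as soon as the receiver is dropped.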
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 10f36ad and f587952.

📒 Files selected for processing (4)
  • pkg/conversion/capi2mapi/aws.go
  • pkg/conversion/capi2mapi/aws_fuzz_test.go
  • pkg/conversion/mapi2capi/aws.go
  • pkg/conversion/mapi2capi/aws_fuzz_test.go
🧰 Additional context used
🧬 Code graph analysis (1)
pkg/conversion/mapi2capi/aws_fuzz_test.go (1)
pkg/conversion/test/fuzz/fuzz.go (1)
  • MAPIMachineFuzzer (631-635)
🔇 Additional comments (4)
pkg/conversion/capi2mapi/aws_fuzz_test.go (1)

210-225: LGTM - CPUOptions fuzzing logic is correct.

The fuzzer properly covers the valid ConfidentialCompute policy values including the empty string case, which aligns with the conversion function ConvertAWSCPUOptionsToMAPI that returns nil when CPUOptions is empty.

pkg/conversion/mapi2capi/aws.go (1)

726-743: LGTM - MAPI to CAPI CPUOptions conversion is well-structured.

The function correctly handles nil input and maps the known ConfidentialCompute policy values. Unknown or empty values result in an empty CPUOptions, which is the expected default behavior.

pkg/conversion/mapi2capi/aws_fuzz_test.go (1)

163-165: LGTM - Proper normalization of empty CPUOptions.

The normalization ensures that a non-nil pointer to an empty CPUOptions struct is converted to nil, which is necessary for round-trip conversion consistency since the CAPA side returns an empty struct that gets normalized.

pkg/conversion/capi2mapi/aws.go (1)

691-707: LGTM - CAPI to MAPI CPUOptions conversion is correct.

The function properly handles the bidirectional conversion:

  • Maps known ConfidentialCompute policy values (Disabled, SEVSNP)
  • Returns nil when the resulting CPUOptions would be empty, ensuring clean serialization
  • Unknown or empty CAPA values result in nil MAPI CPUOptions, which is the expected behavior
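
The round-trip behaviour the review comments above describe, as an added example that is not code from this PR: the types and function names are simplified stand-ins (assumptions) that carry only the ConfidentialCompute field and the two policy values named in the review. It shows why an empty MAPI struct has to be normalized to nil before comparison, and that a policy value outside the known set does not survive conversion.

```go
package main

import "fmt"

// Stand-in types (assumptions): CAPA holds the policy by value, MAPI behind a pointer.
type capaCPUOptions struct{ ConfidentialCompute string }
type mapiCPUOptions struct{ ConfidentialCompute *string }

// known reports whether p is one of the two policies named in the review.
func known(p string) bool { return p == "Disabled" || p == "SEVSNP" }

// toMAPI returns nil when the result would be empty (unknown or unset policy).
func toMAPI(in capaCPUOptions) *mapiCPUOptions {
	if !known(in.ConfidentialCompute) {
		return nil
	}
	p := in.ConfidentialCompute
	return &mapiCPUOptions{ConfidentialCompute: &p}
}

// toCAPA handles nil input; unknown or unset policies give empty options.
func toCAPA(in *mapiCPUOptions) capaCPUOptions {
	if in == nil || in.ConfidentialCompute == nil || !known(*in.ConfidentialCompute) {
		return capaCPUOptions{}
	}
	return capaCPUOptions{ConfidentialCompute: *in.ConfidentialCompute}
}

// normalize applies the fuzz-test rule: a pointer to an empty struct becomes nil.
func normalize(in *mapiCPUOptions) *mapiCPUOptions {
	if in != nil && in.ConfidentialCompute == nil {
		return nil
	}
	return in
}

// roundTrips reports whether in survives MAPI -> CAPA -> MAPI unchanged.
func roundTrips(in *mapiCPUOptions) bool {
	out := toMAPI(toCAPA(in))
	if in == nil || out == nil {
		return in == out
	}
	return in.ConfidentialCompute != nil && *in.ConfidentialCompute == *out.ConfidentialCompute
}

func main() {
	sev, future := "SEVSNP", "FuturePolicy" // constructed sample values
	fmt.Println(roundTrips(&mapiCPUOptions{ConfidentialCompute: &sev}), roundTrips(&mapiCPUOptions{}),
		roundTrips(normalize(&mapiCPUOptions{})), roundTrips(&mapiCPUOptions{ConfidentialCompute: &future}))
}
```

A round-trip check like this treats a dropped SEVSNP setting as a test failure, which is the property the fuzzers in this PR exercise against the real types.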

@damdo
Member

damdo commented Jan 8, 2026

Thanks @fangge1212 will need rebasing :)

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 8, 2026
Member

@damdo damdo left a comment

/approve
/lgtm

/assign @theobarberbany

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 8, 2026
@openshift-ci-robot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

@openshift-ci
Contributor

openshift-ci bot commented Jan 8, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 8, 2026
Signed-off-by: Fangge Jin <fjin@redhat.com>
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 9, 2026
@openshift-ci
Contributor

openshift-ci bot commented Jan 9, 2026

New changes are detected. LGTM label has been removed.

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 9, 2026
@openshift-ci
Contributor

openshift-ci bot commented Jan 9, 2026

@fangge1212: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
