[Infra] virtual machine template STP

[RoniKishner]

STP Metadata

VEP issue: https://github.com/kubevirt/enhancements/blob/main/veps/sig-compute/76-vmtemplates/vmtemplate-proposal.md

What this PR does

Add STP for new virtual machine template CRD

DCO

Signed-off-by: Roni Kishner rkishner@redhat.com

Summary by CodeRabbit

• Documentation
  • Added a comprehensive test plan for VirtualMachine templating covering end-to-end workflows (process/convert/create), VM creation from images or existing VMs, parameter substitution, cross-namespace usage, RBAC and instance-type/preferences integration, admission-time validation and feature-gate behavior, prioritized test tiers, environment/operator prerequisites, explicit out-of-scope items, traceability, risks, and a GA readiness checklist.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new Software Test Plan document detailing test scope, scenarios, environment requirements, entry criteria, risks, and GA readiness checks for native in-cluster VirtualMachineTemplate and VirtualMachineTemplateRequest functionality (feature-gated Template support).

Changes

Cohort / File(s)

Summary

Test Plan Documentation stps/sig-infra/virtual-machine-template.md

Adds a comprehensive Software Test Plan covering terminology, feature overview, Tech Preview/feature-gate context, requirements/limitations (including template flattening), SIG responsibilities, in-scope functional coverage (template/VMTR lifecycle, parameter substitution, server-side /process and /create, virtctl template subcommands, VM creation from golden-image and VM-derived templates, cross-namespace usage, RBAC, instance-types/preferences integration, admission-time validation, behavior when Template feature-gate is disabled/toggled), out-of-scope items, test strategy/environment setup (operator with feature gate), tiered scenario-to-issue traceability (CNV-73392), entry criteria, risks, and GA readiness checklist.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[Infra] virtual machine template STP' directly and accurately summarizes the main change: adding a Software Test Plan document for virtual machine templates under the sig-infra domain.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-virtualization-qe-bot-2]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest all - Run all available tests

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 2 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)

📊 Review Process

Approvers and Reviewers

Approvers:

• RoniKishner
• geetikakay

Reviewers:

• RoniKishner
• geetikakay

Available Labels

• hold
• verified
• wip
• lgtm
• approve

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is automatically removed on each new commit
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@stps/sig-infra/virtual-machine-template.md`:
- Line 120: Update the table row containing the "Compute Resources" entry so the
environment requirement uses the proper noun capitalization: change the cell
text "Sufficient for windows VM and snapshot/clone operations." to "Sufficient
for Windows VM and snapshot/clone operations." Locate the row that starts with
"**Compute Resources**" in virtual-machine-template.md and replace the lowercase
"windows" with "Windows" to correct the casing.
- Around line 74-84: Ensure priority tiers are consistent between the "Testing
Goals" list and the traceability matrix by picking a single priority for each
scenario and updating both sections to match; specifically reconcile entries
such as "Verify virt-operator deploys virt-template", "Verify cross-namespace:
template in namespace A, VM creation in namespace B", and other duplicated
scenarios (e.g., virtctl template convert/create, golden-image template flow) so
each scenario appears once with the agreed priority in both the Testing Goals
and the traceability matrix; update the priority tags (P0/P1/P2) for the
duplicated items and run a diff to confirm no mismatches remain.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 63370dec-8dd4-40e9-b1da-760b84ee2256

📥 Commits

Reviewing files that changed from the base of the PR and between de81e3d and ff38850.

📒 Files selected for processing (1)

• stps/sig-infra/virtual-machine-template.md

[geetikakay]

I have few comments

1. Possibly a test case: VAP rejects VMTR when creator lacks permission
   Reference from VEP : To validate that the user creating the VirtualMachineTemplateRequest has appropriate permissions to create a template from the original VirtualMachine (reading its definition and snapshotting it), suitable ValidatingAdmissionPolicy objects will be provided to check the permissions of the user before creation of the VirtualMachineTemplateRequest is allowed. If the user does not have sufficient permissions the creation must be rejected.

2. Should we add a section defining what goes in tier1, what comes under sig-infra and sig-virt?

3. Featuregate disable and toggle scenarios(rollback)

[rnetser]

I havne't reviwed the stp but from an overview it contains low level implementation details; an stp is a high level plan
the text should be phrased from end user perspective and not reference CRD names etc
for example
Verify virtctl template create: generates a VirtualMachineTemplateRequest from existing VM; async flow completes and template is ready for process/create.
an end user does not care about these details; As an admin, I can create VM templates from the cli or something similar.

[rnetser]

not sure what it means; will there be ui testing? is the ui team involved?

[RoniKishner]

We already have some, I removed any mention to UI

[rnetser]

confirm existing objects are handled predictably and supported workflows work again. - this is low level
should be something like create a new VM from a template successfully" - btw - why is this tier2?

[RoniKishner]

This is about disabling and enabling the feature repeatedly

[rnetser]

please rephrase as requirements review summary
e.g
capturing templates from existing VMs
the requirement for each item is not clear

[rnetser]

RBAC-related acceptance criteria is missing

[rnetser]

the out of scope includes perf as something that will not be tested. please add a ref here to this section

[rnetser]

please add a link to the ui epic

[rnetser]

this comment was not addressed
e.g Feature-toggle tests are required to verify expected behavior when template workflows are enabled, disabled, and re-enabled. is not related to this section and is already mentioned above

[rnetser]

why is this related to the stp? is the team planning on testing 4.21?

[rnetser]

there's already a section about feature maturity
and this describes a generic backport approach
please keep the stp simple and remove anything that is not directly tied to the feature

[rnetser]

this can be dropped as the stp is only for the infra team (there are no other sigs involved - based on the metadata above)

[rnetser]

testing goals should not be a 1-1 to test scnerios.
proposed consolidation (done by claude, please check):

   - **[P0]** As a VM owner, I can create a runnable VM from a template
     backed by a boot source, with correct CPU, memory, disk, and boot
     configuration — using both declarative and CLI-driven flows.
   - **[P0]** As a VM owner, I can capture a template from an existing VM
     and see clear success or failure; on success the template is reusable
     in the expected namespace.
   - **[P0]** As a cluster admin, I can restrict which users may create or
     capture templates and which may create VMs from them.
   - **[P1]** As a template owner, I can convert an OpenShift Template that
     contains a VM into a native VM template without losing customer-facing
     parameters.
   - **[P1]** As a VM owner, templates honor sizing profiles and preferences
     so created VMs pick up the chosen shapes and defaults.
   - **[P1]** As a Windows VM owner, I can build a Windows-oriented template
     and create a guest that boots with expected disks, network, and
     Windows-specific settings.
   - **[P1]** As a cluster admin, templates and in-flight capture requests
     survive cluster upgrade and remain usable afterward.
   - **[P2]** As a VM owner, I can use a template from another namespace to
     create a VM where cross-namespace creation is supported.
   - **[P2]** As a cluster admin, when I disable and re-enable the Template
     capability, workflows are blocked while disabled and recover
     predictably after re-enable; the cluster rejects template definitions
     that would always produce an invalid VM.