[codex] update HCS provider documentation

[chinameok]

What changed

• synced the HCS shared CRD reference docs with the fix/subnetname-compatibility provider branch for HCSCluster and HCSMachineConfigPool
• updated the HCS create-cluster and manage-nodes guides so the YAML examples reflect the current provider behavior for config pool validation, subnet field usage, worker bootstrap, and control plane bootstrap security settings
• clarified upgrade guidance so copied machine templates do not carry runtime identity fields such as providerID and serverId
• fixed the control plane PSA example so /etc/kubernetes/admission/psa-config.yaml is a complete PodSecurityConfiguration

Why

The product docs were lagging behind the provider behavior in fix/subnetname-compatibility, especially around HCSMachineConfigPool validation and the control plane bootstrap configuration. The PSA example was also incomplete, which made the published YAML unsafe to copy directly.

Impact

Users and AI coding agents can rely on the HCS docs to generate cluster and worker manifests that match the intended provider behavior. The API reference now exposes the current CRD constraints for the affected HCS resources.

Root cause

The docs and shared CRD assets had not been fully synchronized with the provider branch that introduced subnet field compatibility, stricter validation, and additional bootstrap security configuration.

Validation

• compared the updated docs and shared CRDs against /Users/changjia/alauda/cluster-api-provider-hcs on origin/fix/subnetname-compatibility
• performed document-level review of the HCS create/manage/upgrade content and YAML examples
• did not run Kubernetes runtime validation in this environment
• did not run yarn build; the user will validate with yarn dev

Summary by CodeRabbit

• Documentation
  • CRD validation tightened: require non-empty HCSCluster identityRef.name; HCSMachineConfigPool.spec.configs minItems=1, each config requires hostname and networks (networks minItems=1, ipAddress required); hostname length/pattern validated; deprecated misspelled subnet key documented.
  • Guidance: use credential Secret name in spec.identityRef.name; prefer subnetName for new manifests; subnetId allowed as alternative (set exactly one).
  • Control plane docs: controlPlaneLoadBalancer (vip settings) required in examples; controlPlaneEndpoint removed; ELB DNS/behavior notes.
  • Kubeadm/control-plane examples: rolloutStrategy (maxSurge: 0), bootstrap files, kubelet patches, and recommended /var/cpaas volume; note runtime identity fields must be unset.
  • Upgrade/disk guidance: provider does not preserve/reattach data disks; follow rolling-replacement constraints.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 42a36cad-a322-45c1-8907-7c32cbbc04df

📥 Commits

Reviewing files that changed from the base of the PR and between 5dba9bd and 2e5dc2a.

📒 Files selected for processing (2)

• docs/en/create-cluster/huawei-cloud-stack.mdx
• docs/en/upgrade-cluster/huawei-cloud-stack.mdx

✅ Files skipped from review due to trivial changes (1)

• docs/en/upgrade-cluster/huawei-cloud-stack.mdx

---

Walkthrough

Documentation and CRD schema updates for the Huawei Cloud Stack provider: tightened validation (required identity name, hostname pattern, non-empty configs/networks), clarified subnet fields and manifest guidance (including deprecated misspelling), prohibited runtime identity fields in templates, and expanded kubeadm/kubelet/bootstrap examples and notes.

Changes

Cohort / File(s)	Summary
HCS Documentation docs/en/create-cluster/huawei-cloud-stack.mdx, docs/en/manage-nodes/huawei-cloud-stack.mdx, docs/en/overview/providers/huawei-cloud-stack.mdx, docs/en/upgrade-cluster/huawei-cloud-stack.mdx	Expanded kubeadm/kubelet/bootstrap examples (PSA, kubelet patches, encryption, audit, postKubeadmCommands, rolloutStrategy), added control-plane ELB/loadbalancer guidance and VIP placeholders, introduced Control Plane Security Bootstrap and Availability Zone Selection notes, consolidated admonitions, recommended subnetName for new manifests and documented subnetId usage and the deprecated subenetName, and prohibited setting runtime identity fields (providerID, serverId) in machine templates.
HCSCluster CRD docs/shared/crds/providers/huawei-cloud-stack/infrastructure.cluster.x-k8s.io_hcsclusters.yaml	spec.identityRef.name changed from optional/empty-default to required with minLength: 1 and included in spec.identityRef.required (enforces non-empty credential Secret name).
HCSMachineConfigPool CRD docs/shared/crds/providers/huawei-cloud-stack/infrastructure.cluster.x-k8s.io_hcsmachineconfigpools.yaml	Tightened schema: spec.configs minItems: 1, each config required: [hostname, networks]; hostname has maxLength: 253 and DNS-label-like pattern; networks has minItems: 1 and requires ipAddress. Added deprecated misspelled subenetName, restored subnetName entry; docs introduce subnetId alternative and validation guidance (set exactly one).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• wgkingk

Poem

🐰 I hop through docs and YAML seas,

snug hostnames, subnets, and keys,
I patch the bootstrap, hold surge at zero,
whispering secrets the controller will know —
tiny changes, clearer flows, a rabbit's gentle prose.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: updating HCS (Huawei Cloud Stack) provider documentation, which aligns with all file modifications in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch AIT-68208

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chinameok]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

docs/en/create-cluster/huawei-cloud-stack.mdx (1)

321-335: Minor inconsistency: protect-kernel-defaults in initConfiguration but not joinConfiguration.

The initConfiguration.nodeRegistration.kubeletExtraArgs includes protect-kernel-defaults: "true" (line 327), but joinConfiguration.nodeRegistration.kubeletExtraArgs (lines 333-335) does not include this flag.

While the kubelet patch file at line 257 sets protectKernelDefaults: true via KubeletConfiguration (which takes precedence), having the CLI arg in only one place may cause confusion.

Consider adding it to joinConfiguration for consistency, or remove it from initConfiguration since the patch file handles it:

Option: Add to joinConfiguration for consistency

       nodeRegistration:
         kubeletExtraArgs:
           node-labels: "kube-ovn/role=master"
+          protect-kernel-defaults: "true"
           volume-plugin-dir: "/opt/libexec/kubernetes/kubelet-plugins/volume/exec/"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/create-cluster/huawei-cloud-stack.mdx` around lines 321 - 335, The
init/join kubelet CLI args are inconsistent:
initConfiguration.nodeRegistration.kubeletExtraArgs includes
protect-kernel-defaults but joinConfiguration.nodeRegistration.kubeletExtraArgs
does not; update the manifest so both places are consistent by either adding
protect-kernel-defaults: "true" to
joinConfiguration.nodeRegistration.kubeletExtraArgs or removing it from
initConfiguration.nodeRegistration.kubeletExtraArgs (since the
KubeletConfiguration patch uses protectKernelDefaults: true). Locate the keys
initConfiguration, joinConfiguration, nodeRegistration.kubeletExtraArgs and the
protect-kernel-defaults entry and make the chosen change so both
initConfiguration and joinConfiguration reflect the same kubelet CLI args.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/en/create-cluster/huawei-cloud-stack.mdx`:
- Around line 321-335: The init/join kubelet CLI args are inconsistent:
initConfiguration.nodeRegistration.kubeletExtraArgs includes
protect-kernel-defaults but joinConfiguration.nodeRegistration.kubeletExtraArgs
does not; update the manifest so both places are consistent by either adding
protect-kernel-defaults: "true" to
joinConfiguration.nodeRegistration.kubeletExtraArgs or removing it from
initConfiguration.nodeRegistration.kubeletExtraArgs (since the
KubeletConfiguration patch uses protectKernelDefaults: true). Locate the keys
initConfiguration, joinConfiguration, nodeRegistration.kubeletExtraArgs and the
protect-kernel-defaults entry and make the chosen change so both
initConfiguration and joinConfiguration reflect the same kubelet CLI args.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 19835da1-4f11-42cf-b3ca-0839089eacf4

📥 Commits

Reviewing files that changed from the base of the PR and between d2524f3 and 2e814ba.

📒 Files selected for processing (6)

• docs/en/create-cluster/huawei-cloud-stack.mdx
• docs/en/manage-nodes/huawei-cloud-stack.mdx
• docs/en/overview/providers/huawei-cloud-stack.mdx
• docs/en/upgrade-cluster/huawei-cloud-stack.mdx
• docs/shared/crds/providers/huawei-cloud-stack/infrastructure.cluster.x-k8s.io_hcsclusters.yaml
• docs/shared/crds/providers/huawei-cloud-stack/infrastructure.cluster.x-k8s.io_hcsmachineconfigpools.yaml

[cloudflare-workers-and-pages]

Deploying alauda-immutable-infra with    Cloudflare Pages

Latest commit:	2e5dc2a
Status:	✅  Deploy successful!
Preview URL:	https://58ec499f.alauda-immutable-infra.pages.dev
Branch Preview URL:	https://ait-68208.alauda-immutable-infra.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/en/manage-nodes/huawei-cloud-stack.mdx`:
- Line 47: Update the guidance to consistently describe the three subnet fields
(deprecated `subenetName`, current `subnetName`, and `subnetId`) and the allowed
combinations: state that for existing manifests that use the deprecated
`subenetName` you may optionally include `subnetName` only if its value exactly
matches `subenetName`; for new manifests use either `subnetName` or `subnetId`
but not both; and warn not to supply conflicting values across these fields.
Also add a short note that the mutual-exclusivity is enforced by the
provider/webhook and not by the CRD schema (the CRD lists all three as
optional), so users should follow the provider-level constraint.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5df3f749-01e2-41ee-8b4b-7bc1966ebe56

📥 Commits

Reviewing files that changed from the base of the PR and between 2e814ba and 5dba9bd.

📒 Files selected for processing (3)

• docs/en/manage-nodes/huawei-cloud-stack.mdx
• docs/en/overview/providers/huawei-cloud-stack.mdx
• docs/en/upgrade-cluster/huawei-cloud-stack.mdx

✅ Files skipped from review due to trivial changes (2)

• docs/en/overview/providers/huawei-cloud-stack.mdx
• docs/en/upgrade-cluster/huawei-cloud-stack.mdx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify subnet guidance in docs vs CRD schema constraints (read-only).
rg -n -C2 'subenetName|subnetName|subnetId|Set either|required:|oneOf|allOf' \
  docs/en/manage-nodes/huawei-cloud-stack.mdx \
  docs/shared/crds/providers/huawei-cloud-stack/infrastructure.cluster.x-k8s.io_hcsmachineconfigpools.yaml

Repository: alauda/immutable-infra-docs

Length of output: 7293

---

Clarify subnet field guidance to address conflicting expectations.

The documentation presents conflicting guidance on subnet field usage: Line 47 allows both subenetName and subnetName when values match, while Line 80 states "Set either subnetName or subnetId." Additionally, Line 47 doesn't address subnetId, and Line 80 omits the deprecated field entirely. Clarify that users choosing between three fields (deprecated subenetName, subnetName, and subnetId) must:

1. For existing manifests with subenetName: optionally pair with subnetName only if values match
2. For new manifests: use subnetName or subnetId, but not both

Also specify that this "either/or" constraint is enforced at the provider/webhook level (the CRD schema shows all three fields as optional with no schema-level mutual-exclusivity constraint).

🧰 Tools

🪛 LanguageTool

[grammar] ~47-~47: Ensure spelling is correct
Context: ...e provider still accepts the deprecated subenetName field for existing manifests, but do no...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/manage-nodes/huawei-cloud-stack.mdx` at line 47, Update the guidance
to consistently describe the three subnet fields (deprecated `subenetName`,
current `subnetName`, and `subnetId`) and the allowed combinations: state that
for existing manifests that use the deprecated `subenetName` you may optionally
include `subnetName` only if its value exactly matches `subenetName`; for new
manifests use either `subnetName` or `subnetId` but not both; and warn not to
supply conflicting values across these fields. Also add a short note that the
mutual-exclusivity is enforced by the provider/webhook and not by the CRD schema
(the CRD lists all three as optional), so users should follow the provider-level
constraint.