Skip to content

OTA-1956: install: Split multi-document YAML and add missing annotations#1423

Open
jhadvig wants to merge 1 commit into
openshift:mainfrom
jhadvig:revert-1420-revert-1398-1783563071689
Open

OTA-1956: install: Split multi-document YAML and add missing annotations#1423
jhadvig wants to merge 1 commit into
openshift:mainfrom
jhadvig:revert-1420-revert-1398-1783563071689

Conversation

@jhadvig

@jhadvig jhadvig commented Jul 14, 2026

Copy link
Copy Markdown
Member

Reverts #1420
Original PR #1398

ccing @wking

Summary by CodeRabbit

  • New Features

    • Added the Cluster Update Console Plugin and its supporting deployment resources.
    • Enabled secure HTTPS serving through an internal service.
    • Registered the plugin for the OpenShift web console with ClusterVersion update management capabilities.
    • Added image configuration for deploying the plugin.
  • Tests

    • Updated manifest validation to support the plugin image and image reference configuration.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 14, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@jhadvig: This pull request references OTA-1956 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Reverts #1420
Original PR #1398

ccing @wking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jhadvig

jhadvig commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

/payload-job periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-techpreview

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Walkthrough

Adds the Kubernetes resources, image reference, service exposure, and OpenShift ConsolePlugin registration for the cluster-update console plugin. Updates manifest-rendering tests with the plugin image and excludes the image-reference file from annotation validation.

Changes

Cluster Update Console Plugin

Layer / File(s) Summary
Namespace and security resources
install/0000_50_cluster-update-console-plugin_10_namespace.yaml, install/0000_50_cluster-update-console-plugin_15_serviceaccount.yaml, install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml
Creates the plugin namespace, service account, pod-security labels, and default-deny ingress and egress policy.
Plugin runtime and service
install/0000_50_cluster-update-console-plugin_30_configmap.yaml, install/0000_50_cluster-update-console-plugin_50_deployment.yaml, install/0000_50_cluster-update-console-plugin_60_service.yaml, install/image-references
Configures Nginx TLS serving, deploys a hardened plugin container on port 9001, defines the HTTPS ClusterIP service, and adds the plugin image stream reference.
Console registration and rendering validation
install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml, pkg/payload/render_test.go
Registers the service as a ConsolePlugin and updates manifest rendering to provide the plugin image while skipping image-references during annotation validation.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant OpenShiftConsole
  participant ConsolePlugin
  participant PluginService
  participant PluginDeployment
  OpenShiftConsole->>ConsolePlugin: load plugin configuration
  ConsolePlugin->>PluginService: send requests to port 9001
  PluginService->>PluginDeployment: select plugin pods
  PluginDeployment-->>PluginService: serve HTTPS plugin content
Loading
🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: splitting install YAML and adding the missing annotations.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PASS: The patch only changes render-test setup and file skipping; it adds no new test titles, and existing t.Run names are static strings.
Test Structure And Quality ✅ Passed PASS: The only changed test is a file-based unit test, not Ginkgo; it uses explicit fatal/error messages and has no cluster waits, setup/cleanup, or timeouts to violate.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the Go change is only a unit-test fixture update, so MicroShift compatibility isn’t implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests were added; the only test change is a unit test in pkg/payload/render_test.go, so SNO multi-node assumptions are not implicated.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: The new Deployment only uses a linux nodeSelector and infra NoSchedule toleration; it adds no control-plane affinity, topology spread, or maxUnavailable:0 constraint.
Ote Binary Stdout Contract ✅ Passed Touched Go test code has no main/init/TestMain/RunSpecs stdout writes; remaining changes are Kubernetes manifests only.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the changed render test is a plain unit test with no IPv4-only logic or external connectivity.
No-Weak-Crypto ✅ Passed PASS: The touched files are manifests/test tweaks only; searches found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons.
Container-Privileges ✅ Passed No changed manifest sets privileged/hostPID/hostNetwork/hostIPC, and the deployment explicitly disables privilege escalation and runs non-root.
No-Sensitive-Data-In-Logs ✅ Passed No changed file logs secrets or PII; Nginx only sends standard access/error logs to stdout/stderr with no sensitive fields.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@jhadvig: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ea731e80-7f45-11f1-97f3-ddecb5eb0e9a-0

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jhadvig
Once this PR has been reviewed and has the lgtm label, please assign davidhurta for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml`:
- Around line 12-16: Update the NetworkPolicy containing podSelector {} and
policyTypes Ingress/Egress to add an ingress rule permitting traffic from the
openshift-console namespace. Preserve the existing default-deny behavior for all
other ingress sources and retain the current egress policy.

In `@install/0000_50_cluster-update-console-plugin_50_deployment.yaml`:
- Around line 38-41: Add CPU and memory limits to the container resources block
alongside the existing requests in the deployment manifest. Set bounded limit
values based on the plugin’s measured workload usage, ensuring both cpu and
memory are explicitly defined.
- Around line 16-20: Update the Deployment rollingUpdate strategy to use
maxUnavailable: 0 with an appropriate maxSurge to keep the single replica
available during rollout. Add HTTPS readiness and liveness probes targeting the
named https port, with suitable probe paths and settings. Update the associated
NetworkPolicy to allow the probe traffic.
- Around line 42-46: Update the container securityContext in the deployment
manifest to set readOnlyRootFilesystem to true. Preserve the existing read-only
config and certificate mounts, and add writable scratch mounts only if required
by the container image.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 26e0d70a-062c-4e66-9b45-379ce85a86c3

📥 Commits

Reviewing files that changed from the base of the PR and between b5833af and fd68328.

📒 Files selected for processing (9)
  • install/0000_50_cluster-update-console-plugin_10_namespace.yaml
  • install/0000_50_cluster-update-console-plugin_15_serviceaccount.yaml
  • install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml
  • install/0000_50_cluster-update-console-plugin_30_configmap.yaml
  • install/0000_50_cluster-update-console-plugin_50_deployment.yaml
  • install/0000_50_cluster-update-console-plugin_60_service.yaml
  • install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml
  • install/image-references
  • pkg/payload/render_test.go

Comment on lines +12 to +16
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

set -euo pipefail

printf '\n## File list\n'
git ls-files install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml

printf '\n## NetworkPolicy file\n'
cat -n install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml

printf '\n## ConsolePlugin file\n'
cat -n install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml

printf '\n## Related NetworkPolicies under install\n'
fd -a '.*networkpolicy.*\.ya?ml$' install

printf '\n## Search for network policy and console plugin references\n'
rg -n --hidden --glob 'install/**' -e 'kind: NetworkPolicy|kind: ConsolePlugin|namespaceSelector|podSelector|policyTypes|ingress:|egress:' install

Repository: openshift/cluster-version-operator

Length of output: 2985


🏁 Script executed:

set -euo pipefail
echo hi

Repository: openshift/cluster-version-operator

Length of output: 175


🏁 Script executed:

set -euo pipefail

echo '--- networkpolicy file ---'
cat -n install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml

echo '--- consoleplugin file ---'
cat -n install/0000_50_cluster-update-console-plugin_90_consoleplugin.yaml

echo '--- install networkpolicy files ---'
fd -a '.*networkpolicy.*\.ya?ml$' install

echo '--- relevant references ---'
rg -n --hidden --glob 'install/**' -e 'kind: NetworkPolicy|kind: ConsolePlugin|namespaceSelector|podSelector|policyTypes|ingress:|egress:' install

Repository: openshift/cluster-version-operator

Length of output: 2805


🏁 Script executed:

pwd

Repository: openshift/cluster-version-operator

Length of output: 191


🌐 Web query:

OpenShift ConsolePlugin backend service network policy source ingress router namespace

💡 Result:

To configure network policies for an OpenShift ConsolePlugin, you must account for the traffic flow initiated by the OpenShift web console backend. The console backend proxies requests to your plugin service and, if configured, to additional in-cluster services via the ConsolePlugin service proxy [1][2][3]. Key points for network policy configuration: 1. Console Backend to Plugin Service: The OpenShift console backend initiates connections to your plugin's service (specified in spec.backend.service) to fetch assets and extension manifests [4][5][6]. Your network policy in the plugin's namespace must allow ingress traffic from the namespace where the OpenShift console is running (typically the openshift-console namespace) to the plugin service's port [4][7]. 2. Service Proxy Traffic: If your plugin uses the ConsolePlugin service proxy feature (spec.proxy) to communicate with other in-cluster services, the console backend acts as the proxy [1][2][3]. Requests to these services originate from the console backend pod, not directly from your plugin's pod [1][2]. Consequently, network policies for those target services must also allow ingress from the openshift-console namespace [1][2]. 3. Router/Ingress Considerations: ConsolePlugin backend services do not require an OpenShift Route or Ingress to be exposed to the outside world [4][5]. The console backend communicates with them over the internal cluster network using the service name and namespace [4][6]. Because the console backend uses the service CA bundle for secure communication, your plugin service must support HTTPS and be configured with a serving certificate (often via the service-ca operator) [4][7][3]. In summary, you should ensure that your network policies permit ingress to your plugin service specifically from the OpenShift console namespace [4][1]. You do not need to expose these services via a router/ingress [4]. If your plugin proxies requests to other services, verify that those target services allow ingress from the console namespace as well [1][2].

Citations:


Allow ingress from openshift-console. This namespace-wide default-deny policy has no ingress rule, so the ConsolePlugin backend service in openshift-cluster-update-console-plugin will be unreachable from the console unless another policy adds that exception.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install/0000_50_cluster-update-console-plugin_20_networkpolicy.yaml` around
lines 12 - 16, Update the NetworkPolicy containing podSelector {} and
policyTypes Ingress/Egress to add an ingress rule permitting traffic from the
openshift-console namespace. Preserve the existing default-deny behavior for all
other ingress sources and retain the current egress policy.

Comment on lines +16 to +20
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 1
type: RollingUpdate

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Prevent rollout downtime and add health probes.

With replicas omitted, this Deployment runs one pod, while maxUnavailable: 1 permits zero available pods during a rollout. It also has no readiness or liveness probes, so traffic can reach a merely-running container and a hung Nginx process will not be restarted.

Set maxUnavailable: 0 with an appropriate surge, and add HTTPS readiness/liveness probes on the named https port. Ensure the NetworkPolicy also permits the required probe traffic.

As per path instructions, Kubernetes/OpenShift manifests must define liveness and readiness probes.

Also applies to: 31-38

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install/0000_50_cluster-update-console-plugin_50_deployment.yaml` around
lines 16 - 20, Update the Deployment rollingUpdate strategy to use
maxUnavailable: 0 with an appropriate maxSurge to keep the single replica
available during rollout. Add HTTPS readiness and liveness probes targeting the
named https port, with suitable probe paths and settings. Update the associated
NetworkPolicy to allow the probe traffic.

Source: Path instructions

Comment on lines +38 to +41
resources:
requests:
cpu: 20m
memory: 50Mi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add CPU and memory limits.

Only resource requests are defined. Without limits, a faulty or unexpectedly busy plugin can consume unbounded node resources. Add bounded CPU and memory limits based on measured workload usage.

As per path instructions, every Kubernetes container must define CPU and memory resource limits.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install/0000_50_cluster-update-console-plugin_50_deployment.yaml` around
lines 38 - 41, Add CPU and memory limits to the container resources block
alongside the existing requests in the deployment manifest. Set bounded limit
values based on the plugin’s measured workload usage, ensuring both cpu and
memory are explicitly defined.

Source: Path instructions

Comment on lines +42 to +46
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant deployment file with line numbers
sed -n '1,220p' install/0000_50_cluster-update-console-plugin_50_deployment.yaml | cat -n

# Find any existing readOnlyRootFilesystem settings in the repo
rg -n "readOnlyRootFilesystem|allowPrivilegeEscalation|securityContext|volumeMounts|emptyDir|configMap|secret" install/0000_50_cluster-update-console-plugin_50_deployment.yaml install -g '!**/vendor/**' -g '!**/node_modules/**' || true

# Locate the image/build definition for this workload
rg -n "cluster-update-console-plugin|console-plugin|static content|nginx|httpd|serve" . -g '!**/vendor/**' -g '!**/node_modules/**' || true

Repository: openshift/cluster-version-operator

Length of output: 50390


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show only the relevant section if the file is large
wc -l install/0000_50_cluster-update-console-plugin_50_deployment.yaml
sed -n '1,140p' install/0000_50_cluster-update-console-plugin_50_deployment.yaml | cat -n

Repository: openshift/cluster-version-operator

Length of output: 3276


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect any image/package references that might imply writable runtime paths
rg -n "cluster-update-console-plugin|console plugin|nginx|httpd|dist/|/tmp|/var/cache|/var/run|/usr/share" . -g '!**/vendor/**' -g '!**/node_modules/**' || true

Repository: openshift/cluster-version-operator

Length of output: 6593


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Map nearby manifests and templates for this component
git ls-files install | rg 'cluster-update-console-plugin|console-plugin' || true

Repository: openshift/cluster-version-operator

Length of output: 632


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=install/0000_50_cluster-update-console-plugin_50_deployment.yaml
wc -l "$file"
sed -n '1,180p' "$file" | cat -n

Repository: openshift/cluster-version-operator

Length of output: 3276


Enable readOnlyRootFilesystem for this container. The existing config and cert mounts are already read-only; if the image needs scratch space, add only the required writable mounts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install/0000_50_cluster-update-console-plugin_50_deployment.yaml` around
lines 42 - 46, Update the container securityContext in the deployment manifest
to set readOnlyRootFilesystem to true. Preserve the existing read-only config
and certificate mounts, and add writable scratch mounts only if required by the
container image.

Source: Path instructions

@jhadvig

jhadvig commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

/test ci/prow/e2e-agnostic-operator ci/prow/e2e-agnostic-ovn-techpreview-serial-1of3 ci/prow/e2e-agnostic-ovn-techpreview-serial-3of3 ci/prow/e2e-agnostic-ovn-upgrade-out-of-change

@jhadvig

jhadvig commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

/test e2e-agnostic-operator e2e-agnostic-ovn-techpreview-serial-1of3 e2e-agnostic-ovn-techpreview-serial-3of3 e2e-agnostic-ovn-upgrade-out-of-change

@jhadvig

jhadvig commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

/retest

@jhadvig

jhadvig commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

/payload-job periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-techpreview
🤞

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@jhadvig: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/771cf5b0-7f94-11f1-8e4e-1916fa640362-0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants