-
Notifications
You must be signed in to change notification settings - Fork 239
OTA-1956: install: Split multi-document YAML and add missing annotations #1423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: openshift-cluster-update-console-plugin | ||
| annotations: | ||
| kubernetes.io/description: The OpenShift cluster-update console plugin provides a web-console interface for managing ClusterVersion updates. | ||
| capability.openshift.io/name: Console | ||
| release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
| exclude.release.openshift.io/internal-openshift-hosted: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" | ||
| workload.openshift.io/allowed: management | ||
| labels: | ||
| openshift.io/cluster-monitoring: "true" | ||
| pod-security.kubernetes.io/audit: restricted | ||
| pod-security.kubernetes.io/enforce: restricted | ||
| pod-security.kubernetes.io/warn: restricted |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: cluster-update-console-plugin | ||
| namespace: openshift-cluster-update-console-plugin | ||
| annotations: | ||
| kubernetes.io/description: The OpenShift cluster-update console plugin provides a web-console interface for managing ClusterVersion updates. | ||
| capability.openshift.io/name: Console | ||
| release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
| exclude.release.openshift.io/internal-openshift-hosted: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| name: default-deny | ||
| namespace: openshift-cluster-update-console-plugin | ||
| annotations: | ||
| kubernetes.io/description: This NetworkPolicy is used to deny all ingress and egress traffic by default in this namespace, matching all Pods, and serving as a baseline. | ||
| capability.openshift.io/name: Console | ||
| release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
| exclude.release.openshift.io/internal-openshift-hosted: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" | ||
| spec: | ||
| podSelector: {} | ||
| policyTypes: | ||
| - Ingress | ||
| - Egress | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: cluster-update-console-plugin | ||
| namespace: openshift-cluster-update-console-plugin | ||
| annotations: | ||
| kubernetes.io/description: Nginx configuration for the cluster-update console plugin. | ||
| capability.openshift.io/name: Console | ||
| release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
| exclude.release.openshift.io/internal-openshift-hosted: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" | ||
| data: | ||
| nginx.conf: | | ||
| error_log /dev/stderr; | ||
| events {} | ||
| http { | ||
| access_log /dev/stdout; | ||
| include /etc/nginx/mime.types; | ||
| default_type application/octet-stream; | ||
| keepalive_timeout 65; | ||
| server { | ||
| listen 9001 ssl; | ||
| listen [::]:9001 ssl; | ||
| ssl_certificate /var/cert/tls.crt; | ||
| ssl_certificate_key /var/cert/tls.key; | ||
| root /usr/share/nginx/html; | ||
| } | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: cluster-update-console-plugin | ||
| namespace: openshift-cluster-update-console-plugin | ||
| annotations: | ||
| kubernetes.io/description: The OpenShift cluster-update console plugin provides a web-console interface for managing ClusterVersion updates. | ||
| capability.openshift.io/name: Console | ||
| release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
| exclude.release.openshift.io/internal-openshift-hosted: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: cluster-update-console-plugin | ||
| strategy: | ||
| rollingUpdate: | ||
| maxSurge: 25% | ||
| maxUnavailable: 1 | ||
| type: RollingUpdate | ||
|
Comment on lines
+16
to
+20
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win Prevent rollout downtime and add health probes. With Set As per path instructions, Kubernetes/OpenShift manifests must define liveness and readiness probes. Also applies to: 31-38 🤖 Prompt for AI AgentsSource: Path instructions |
||
| template: | ||
| metadata: | ||
| annotations: | ||
| target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' | ||
| openshift.io/required-scc: restricted-v3 | ||
| labels: | ||
| app: cluster-update-console-plugin | ||
| spec: | ||
| serviceAccountName: cluster-update-console-plugin | ||
| automountServiceAccountToken: false | ||
| containers: | ||
| - name: plugin | ||
| image: '{{index .Images "cluster-update-console-plugin"}}' | ||
| imagePullPolicy: IfNotPresent | ||
| ports: | ||
| - name: https | ||
| containerPort: 9001 | ||
| resources: | ||
| requests: | ||
| cpu: 20m | ||
| memory: 50Mi | ||
|
Comment on lines
+38
to
+41
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win Add CPU and memory limits. Only resource requests are defined. Without limits, a faulty or unexpectedly busy plugin can consume unbounded node resources. Add bounded CPU and memory limits based on measured workload usage. As per path instructions, every Kubernetes container must define CPU and memory resource limits. 🤖 Prompt for AI AgentsSource: Path instructions |
||
| securityContext: | ||
| allowPrivilegeEscalation: false | ||
| capabilities: | ||
| drop: | ||
| - ALL | ||
|
Comment on lines
+42
to
+46
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
# Show the relevant deployment file with line numbers
sed -n '1,220p' install/0000_50_cluster-update-console-plugin_50_deployment.yaml | cat -n
# Find any existing readOnlyRootFilesystem settings in the repo
rg -n "readOnlyRootFilesystem|allowPrivilegeEscalation|securityContext|volumeMounts|emptyDir|configMap|secret" install/0000_50_cluster-update-console-plugin_50_deployment.yaml install -g '!**/vendor/**' -g '!**/node_modules/**' || true
# Locate the image/build definition for this workload
rg -n "cluster-update-console-plugin|console-plugin|static content|nginx|httpd|serve" . -g '!**/vendor/**' -g '!**/node_modules/**' || trueRepository: openshift/cluster-version-operator Length of output: 50390 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Show only the relevant section if the file is large
wc -l install/0000_50_cluster-update-console-plugin_50_deployment.yaml
sed -n '1,140p' install/0000_50_cluster-update-console-plugin_50_deployment.yaml | cat -nRepository: openshift/cluster-version-operator Length of output: 3276 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Inspect any image/package references that might imply writable runtime paths
rg -n "cluster-update-console-plugin|console plugin|nginx|httpd|dist/|/tmp|/var/cache|/var/run|/usr/share" . -g '!**/vendor/**' -g '!**/node_modules/**' || trueRepository: openshift/cluster-version-operator Length of output: 6593 🏁 Script executed: #!/bin/bash
set -euo pipefail
# Map nearby manifests and templates for this component
git ls-files install | rg 'cluster-update-console-plugin|console-plugin' || trueRepository: openshift/cluster-version-operator Length of output: 632 🏁 Script executed: #!/bin/bash
set -euo pipefail
file=install/0000_50_cluster-update-console-plugin_50_deployment.yaml
wc -l "$file"
sed -n '1,180p' "$file" | cat -nRepository: openshift/cluster-version-operator Length of output: 3276 Enable 🤖 Prompt for AI AgentsSource: Path instructions |
||
| terminationMessagePolicy: FallbackToLogsOnError | ||
| volumeMounts: | ||
| - mountPath: /var/cert | ||
| name: cluster-update-console-plugin-cert | ||
| readOnly: true | ||
| - mountPath: /etc/nginx/nginx.conf | ||
| name: nginx-conf | ||
| readOnly: true | ||
| subPath: nginx.conf | ||
| dnsPolicy: ClusterFirst | ||
| hostUsers: false | ||
| nodeSelector: | ||
| kubernetes.io/os: linux | ||
| priorityClassName: system-cluster-critical | ||
| securityContext: | ||
| runAsNonRoot: true | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| terminationGracePeriodSeconds: 30 | ||
| tolerations: | ||
| - effect: NoSchedule | ||
| key: node-role.kubernetes.io/infra | ||
| operator: Exists | ||
| volumes: | ||
| - name: cluster-update-console-plugin-cert | ||
| secret: | ||
| defaultMode: 420 | ||
| secretName: cluster-update-console-plugin-cert | ||
| - name: nginx-conf | ||
| configMap: | ||
| name: cluster-update-console-plugin | ||
| defaultMode: 420 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: openshift-cluster-update-console-plugin | ||
| namespace: openshift-cluster-update-console-plugin | ||
| annotations: | ||
| kubernetes.io/description: The OpenShift cluster-update console plugin provides a web-console interface for managing ClusterVersion updates. | ||
| service.beta.openshift.io/serving-cert-secret-name: cluster-update-console-plugin-cert | ||
| capability.openshift.io/name: Console | ||
| release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
| exclude.release.openshift.io/internal-openshift-hosted: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" | ||
| spec: | ||
| type: ClusterIP | ||
| selector: | ||
| app: cluster-update-console-plugin | ||
| ports: | ||
| - name: https | ||
| port: 9001 | ||
| targetPort: https |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| apiVersion: console.openshift.io/v1 | ||
| kind: ConsolePlugin | ||
| metadata: | ||
| name: openshift-cluster-update-console-plugin | ||
| annotations: | ||
| kubernetes.io/description: The OpenShift cluster-update console plugin provides a web-console interface for managing ClusterVersion updates. | ||
| capability.openshift.io/name: Console | ||
| release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
| exclude.release.openshift.io/internal-openshift-hosted: "true" | ||
| include.release.openshift.io/self-managed-high-availability: "true" | ||
| spec: | ||
| displayName: Cluster Updates | ||
| i18n: | ||
| loadType: Preload | ||
| backend: | ||
| type: Service | ||
| service: | ||
| name: openshift-cluster-update-console-plugin | ||
| namespace: openshift-cluster-update-console-plugin | ||
| port: 9001 | ||
| basePath: / |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ImageStream | ||
| apiVersion: image.openshift.io/v1 | ||
| spec: | ||
| tags: | ||
| - name: cluster-update-console-plugin | ||
| from: | ||
| kind: DockerImage | ||
| name: placeholder.url.oc.will.replace.this.example.org:cluster-update-console-plugin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
Repository: openshift/cluster-version-operator
Length of output: 2985
🏁 Script executed:
Repository: openshift/cluster-version-operator
Length of output: 175
🏁 Script executed:
Repository: openshift/cluster-version-operator
Length of output: 2805
🏁 Script executed:
pwdRepository: openshift/cluster-version-operator
Length of output: 191
🌐 Web query:
OpenShift ConsolePlugin backend service network policy source ingress router namespace💡 Result:
To configure network policies for an OpenShift ConsolePlugin, you must account for the traffic flow initiated by the OpenShift web console backend. The console backend proxies requests to your plugin service and, if configured, to additional in-cluster services via the ConsolePlugin service proxy [1][2][3]. Key points for network policy configuration: 1. Console Backend to Plugin Service: The OpenShift console backend initiates connections to your plugin's service (specified in spec.backend.service) to fetch assets and extension manifests [4][5][6]. Your network policy in the plugin's namespace must allow ingress traffic from the namespace where the OpenShift console is running (typically the openshift-console namespace) to the plugin service's port [4][7]. 2. Service Proxy Traffic: If your plugin uses the ConsolePlugin service proxy feature (spec.proxy) to communicate with other in-cluster services, the console backend acts as the proxy [1][2][3]. Requests to these services originate from the console backend pod, not directly from your plugin's pod [1][2]. Consequently, network policies for those target services must also allow ingress from the openshift-console namespace [1][2]. 3. Router/Ingress Considerations: ConsolePlugin backend services do not require an OpenShift Route or Ingress to be exposed to the outside world [4][5]. The console backend communicates with them over the internal cluster network using the service name and namespace [4][6]. Because the console backend uses the service CA bundle for secure communication, your plugin service must support HTTPS and be configured with a serving certificate (often via the service-ca operator) [4][7][3]. In summary, you should ensure that your network policies permit ingress to your plugin service specifically from the OpenShift console namespace [4][1]. You do not need to expose these services via a router/ingress [4]. If your plugin proxies requests to other services, verify that those target services allow ingress from the console namespace as well [1][2].
Citations:
Allow ingress from
openshift-console. This namespace-wide default-deny policy has no ingress rule, so the ConsolePlugin backend service inopenshift-cluster-update-console-pluginwill be unreachable from the console unless another policy adds that exception.🤖 Prompt for AI Agents