STOR-2954: Inject TLS from CVO to operators, update hypershift TLS based on CVO #712

Open

dfajmon wants to merge 2 commits into openshift:main from dfajmon:STOR-2954-tls-compliance

Conversation

dfajmon (Contributor) commented Jun 12, 2026

Summary by CodeRabbit

Release Notes

  • New Features
    • Added ConfigMap-based operator configuration for multiple CSI driver backends, including HyperShift management-side operator configuration.
    • Exposed operator metrics on port 8443.
  • Infrastructure
    • Operators now read configuration from a mounted config path and stop when the config changes.
    • HyperShift deployments derive serving TLS settings from the HostedControlPlane TLS security profile; management ConfigMaps are adjusted to avoid static TLS injection.
  • Tests
    • Added unit coverage for TLS profile-to-cipher/min-TLS mapping and fallback behavior.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 12, 2026
openshift-ci-robot (Contributor) commented Jun 12, 2026

@dfajmon: This pull request references STOR-2594 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.21" instead.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 12, 2026
openshift-ci Bot (Contributor) commented Jun 12, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented Jun 12, 2026

Walkthrough

This PR extends all nine CSI driver operators to load configuration from mounted ConfigMaps, exposes metrics ports for monitoring, and implements a TLS injection mechanism for HyperShift by deriving security settings from the HostedControlPlane into management-cluster operator configs.

Changes

CSI Operator Configuration and TLS Management

Layer: Operator Config Type and Management Asset Field
File(s): pkg/operator/csidriveroperator/csioperatorclient/types.go
Summary: Adds exported MgmtOperatorConfigAsset string field to CSIOperatorConfig struct. This field holds an asset path for an operator-config ConfigMap deployed in the HyperShift management cluster; when set, TLS settings from the HostedControlPlane are injected into that ConfigMap instead of deploying TLS as a static asset.

Layer: Operator Configuration Manifests for All CSI Drivers
File(s): assets/csidriveroperators/aws-ebs/base/*, assets/csidriveroperators/azure-disk/base/*, assets/csidriveroperators/azure-file/base/*, assets/csidriveroperators/gcp-pd/*, assets/csidriveroperators/ibm-vpc-block/*, assets/csidriveroperators/openstack-cinder/base/*, assets/csidriveroperators/openstack-manila/base/*, assets/csidriveroperators/powervs-block/*/*, assets/csidriveroperators/vsphere/*
Summary: New ConfigMaps define GenericOperatorConfig payloads with TLS injection annotations. Each deployment now passes --config=/var/run/configmaps/config/config.yaml and --terminate-on-files=/var/run/configmaps/config/config.yaml arguments, exposes metrics port (8443), mounts the operator config volume at /var/run/configmaps/config, and references it in pod volumes. Kustomization files register the new ConfigMap resources. HyperShift management kustomizations add JSON patch operations to remove TLS injection and guest removal annotations from ConfigMaps.

Layer: Asset Registration in Driver Config Functions
File(s): pkg/operator/csidriveroperator/csioperatorclient/aws.go, pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go, pkg/operator/csidriveroperator/csioperatorclient/azure-file.go, pkg/operator/csidriveroperator/csioperatorclient/cinder.go, pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go, pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go, pkg/operator/csidriveroperator/csioperatorclient/manila.go, pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go, pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
Summary: Each driver's config getter function is updated to register the operator config asset. In standalone mode, the generated operator-config ConfigMap YAML is appended to StaticAssets. In HyperShift mode, MgmtOperatorConfigAsset is set to point to the generated management-side operator-config ConfigMap YAML.

Layer: HyperShift Management TLS Injection and Reconciliation
File(s): pkg/operator/csidriveroperator/hypershift_deployment_controller.go, pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
Summary: When MgmtOperatorConfigAsset is set, the Sync method reconciles an additional management operator ConfigMap. The reconcileOperatorConfigMap function reads the asset YAML, substitutes ${CONTROLPLANE_NAMESPACE}, unmarshals it into a ConfigMap, derives TLS serving settings from the HostedControlPlane's security profile (custom, modern, intermediate, or unknown types), converts OpenSSL cipher names to IANA cipher suite names via crypto.OpenSSLToIANACipherSuites, serializes a GenericOperatorConfig with those TLS settings to YAML, stores it in the ConfigMap's config.yaml field, and applies the result to the management cluster. Includes helper functions getHostedControlPlaneTLSSettings and tlsSettingsFromHCP for extracting and resolving TLS profiles. Test coverage includes TestTLSSettingsFromHCP with table-driven cases for empty, intermediate, modern, custom, and unknown profile types, validating correct minimum TLS versions and cipher suite mappings including custom cipher-name conversions.

Layer: Metrics Storage Class Counting
File(s): pkg/operator/operator_starter.go
Summary: Adds call to metrics.CountStorageClasses during HyperShift operator startup, executed before VAC mismatch metrics initialization and CSI driver controller creation.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage (Warning): Docstring coverage is 8.33%, which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

  • Description Check: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: The PR title clearly and specifically describes the main objective: injecting TLS configurations from CVO to operators and updating HyperShift TLS settings based on CVO, which is directly reflected throughout the changeset including ConfigMap additions, deployment updates, and hypershift controller logic.
  • Linked Issues check: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: All test names in the new test function TestTLSSettingsFromHCP are static and deterministic with no dynamic elements like pod names, timestamps, UUIDs, or variable interpolation.
  • Test Structure And Quality: This PR does not contain any Ginkgo tests. The only test added is TestTLSSettingsFromHCP in hypershift_deployment_controller_test.go, which uses standard Go testing package with testing.T, not Gink...
  • Microshift Test Compatibility: No new Ginkgo e2e tests were added in this PR. The only new test file is hypershift_deployment_controller_test.go, which is a standard Go unit test using the testing package, not Ginkgo. This check...
  • Single Node Openshift (Sno) Test Compatibility: No Ginkgo e2e tests are added in this PR. The only new test is TestTLSSettingsFromHCP, a standard Go unit test using testing.T that validates TLS cipher suite logic with no multi-node assumptions.
  • Topology-Aware Scheduling Compatibility: PR does not introduce topology-unfriendly scheduling. Changes add ConfigMap-based operator config without modifying any affinity, topology spread, nodeSelector, or replica constraints.
  • Ote Binary Stdout Contract: No OTE Binary Stdout Contract violations detected. PR contains no fmt.Print/os.Stdout in process-level code, all klog properly configured to stderr via lib-go, and metrics calls safe.
  • Ipv6 And Disconnected Network Test Compatibility: No new Ginkgo e2e tests (It, Describe, Context, When) are added in this PR. Only a standard Go unit test file (hypershift_deployment_controller_test.go) is added, which is outside the scope of this...
  • No-Weak-Crypto: No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or unsafe secret comparisons detected. PR uses only strong modern TLS ciphers and OpenShi...
  • Container-Privileges: No privileged settings, hostAccess flags, SYS_ADMIN capabilities, or privilege escalation enabled in any container/K8s manifests. All deployments enforce runAsNonRoot, drop ALL capabilities, and di...
  • No-Sensitive-Data-In-Logs: No logging exposes sensitive data. TLS settings and cipher suites are stored in ConfigMaps but never logged. All klog statements are for lifecycle/metadata only.


@dfajmon dfajmon changed the title STOR-2594: Inject TLS from CVO to operators, update hypershift TLS based on CVO STOR-2954: Inject TLS from CVO to operators, update hypershift TLS based on CVO Jun 12, 2026
openshift-ci-robot (Contributor) commented Jun 12, 2026

@dfajmon: This pull request references STOR-2954 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot (Contributor) commented Jun 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dfajmon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2026

coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml (1)

29-99: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the restricted security context in the HyperShift overlay.

This management-cluster deployment still relies on ambient SCC defaults, while assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml explicitly sets readOnlyRootFilesystem, allowPrivilegeEscalation: false, capabilities.drop: [ALL], runAsNonRoot, and seccompProfile. That leaves the HyperShift variant with weaker manifest-level guarantees for the same operator.

As per coding guidelines, Kubernetes manifests should set securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, and Drop ALL capabilities, add only what is required.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml`
around lines 29 - 99, The HyperShift management deployment is missing the
restricted container securityContext present in the standalone variant; update
the container named powervs-block-csi-driver-operator (and optionally the pod
spec) to set container.securityContext with readOnlyRootFilesystem: true,
allowPrivilegeEscalation: false, runAsNonRoot: true (and a non-zero runAsUser if
used in standalone), capabilities.drop: ["ALL"], and seccompProfile: { type:
"RuntimeDefault" } so the HyperShift overlay matches the hardened manifest-level
guarantees in the standalone/06_deployment.yaml.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml`:
- Around line 81-84: The pod template for the Deployment that adds the new
containerPort 8443 (named metrics) must include the network-policy label
openshift.storage.network-policy.operator-metrics-range: allow so the metrics
endpoint is scrapable; edit the Deployment resource (the podTemplateSpec for
the openstack-cinder-csi-driver-operator deployment) and add that label under
metadata.labels in the spec.template section to match the other operators that
expose metrics.

In `@pkg/operator/csidriveroperator/hypershift_deployment_controller.go`:
- Around line 258-286: tlsSettingsFromHCP currently defaults empty or
unrecognized TLS profile types to Modern (TLS 1.3) which contradicts the
fallback behavior in getHostedControlPlaneTLSSettings; update tlsSettingsFromHCP
so that when profileType is empty it sets pt =
configv1.TLSProfileIntermediateType and when profileSpec lookup fails (ok ==
false or profileSpec == nil) it falls back to
configv1.TLSProfiles[configv1.TLSProfileIntermediateType] instead of Modern;
ensure you only change the defaulting logic inside tlsSettingsFromHCP
(references: getHostedControlPlaneTLSSettings and tlsSettingsFromHCP) so tests
expecting Intermediate become correct.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 737cfc09-102c-4580-9bb4-134faa48d093

📥 Commits

Reviewing files that changed from the base of the PR and between 1e36024 and ed53370.

📒 Files selected for processing (38)
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/aws-ebs/base/09_deployment.yaml
  • assets/csidriveroperators/aws-ebs/base/kustomization.yaml
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/08_deployment.yaml
  • assets/csidriveroperators/azure-disk/base/kustomization.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/08_deployment.yaml
  • assets/csidriveroperators/azure-file/base/kustomization.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/07_deployment.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/ibm-vpc-block/08_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/kustomization.yaml
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-manila/base/kustomization.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • assets/csidriveroperators/vsphere/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
  • pkg/operator/csidriveroperator/csioperatorclient/cinder.go
  • pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go
  • pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/manila.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/types.go
  • pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
  • pkg/operator/operator_starter.go
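The profile resolution the walkthrough describes for tlsSettingsFromHCP, with the Intermediate fallback the review asks for instead of defaulting to Modern, as an added Go example that is not the PR's code. The profile table and the OpenSSL-to-IANA map are constructed subsets standing in for configv1.TLSProfiles and crypto.OpenSSLToIANACipherSuites, and the servingInfo YAML is rendered by hand rather than marshalled from the GenericOperatorConfig struct.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSProfileType mirrors the profile type strings of the OpenShift config API
// (configv1.TLSProfileType); this stand-in is assumed for the example.
type TLSProfileType string

const (
	TLSProfileIntermediateType TLSProfileType = "Intermediate"
	TLSProfileModernType       TLSProfileType = "Modern"
	TLSProfileCustomType       TLSProfileType = "Custom"
)

// TLSProfileSpec is the part of a profile the operator needs: a minimum
// version and a cipher list written with OpenSSL names (TLS 1.3 suites carry
// the same name in both notations).
type TLSProfileSpec struct {
	MinTLSVersion string
	Ciphers       []string
}

// tlsProfiles is a constructed subset standing in for configv1.TLSProfiles.
var tlsProfiles = map[TLSProfileType]TLSProfileSpec{
	TLSProfileIntermediateType: {
		MinTLSVersion: "VersionTLS12",
		Ciphers: []string{
			"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
			"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
			"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
		},
	},
	TLSProfileModernType: {
		MinTLSVersion: "VersionTLS13",
		Ciphers: []string{
			"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		},
	},
}

// opensslToIANA is a constructed subset of the table that
// crypto.OpenSSLToIANACipherSuites applies.
var opensslToIANA = map[string]string{
	"TLS_AES_128_GCM_SHA256":        "TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384":        "TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256":  "TLS_CHACHA20_POLY1305_SHA256",
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// TLSServingSettings is what ends up under servingInfo in the operator config.
type TLSServingSettings struct {
	MinTLSVersion string
	CipherSuites  []string
}

// toIANA converts OpenSSL names and drops anything it cannot map, so a typo in
// a Custom profile never reaches the listener as an unknown suite (assumption:
// the library function treats unmappable names the same way).
func toIANA(ciphers []string) []string {
	out := make([]string, 0, len(ciphers))
	for _, c := range ciphers {
		if iana, ok := opensslToIANA[c]; ok {
			out = append(out, iana)
		}
	}
	return out
}

// tlsSettingsFromHCP resolves the HostedControlPlane's TLS security profile.
// profileType is the profile's type field; custom is its Custom spec and is
// only consulted when the type is Custom. Every incomplete case (empty type,
// Custom without a spec, unrecognised type) falls back to Intermediate.
func tlsSettingsFromHCP(profileType TLSProfileType, custom *TLSProfileSpec) TLSServingSettings {
	spec, ok := TLSProfileSpec{}, false
	if profileType == TLSProfileCustomType && custom != nil {
		spec, ok = *custom, true
	} else if profileType != "" && profileType != TLSProfileCustomType {
		spec, ok = tlsProfiles[profileType]
	}
	if !ok {
		spec = tlsProfiles[TLSProfileIntermediateType]
	}
	return TLSServingSettings{MinTLSVersion: spec.MinTLSVersion, CipherSuites: toIANA(spec.Ciphers)}
}

// renderConfigYAML writes the servingInfo block of a GenericOperatorConfig by
// hand; the operator marshals the struct, this example avoids a YAML dependency.
func renderConfigYAML(s TLSServingSettings) string {
	var b strings.Builder
	b.WriteString("apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\nservingInfo:\n")
	fmt.Fprintf(&b, "  minTLSVersion: %s\n  cipherSuites:\n", s.MinTLSVersion)
	for _, c := range s.CipherSuites {
		fmt.Fprintf(&b, "  - %s\n", c)
	}
	return b.String()
}

func main() {
	// An unrecognised profile type resolves to Intermediate, not Modern.
	fmt.Print(renderConfigYAML(tlsSettingsFromHCP("NoSuchProfile", nil)))
}
```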

Comment on assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml, lines +81 to +84:

        ports:
        - containerPort: 8443
          name: metrics
          protocol: TCP


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add the metrics NetworkPolicy allow-label with the new 8443 listener.

This deployment now exposes the metrics port, but unlike gcp-pd and ibm-vpc-block in the same PR, its pod template still lacks openshift.storage.network-policy.operator-metrics-range: allow. That leaves openstack-cinder-csi-driver-operator as the outlier and can block scraping of the new endpoint.

💡 Suggested fix
       labels:
         name: openstack-cinder-csi-driver-operator
+        openshift.storage.network-policy.operator-metrics-range: allow
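Review bot: the added label only has an effect if a NetworkPolicy in the operator namespace selects pods carrying openshift.storage.network-policy.operator-metrics-range: allow; the comment infers that from gcp-pd and ibm-vpc-block but does not show the policy, so confirm it exists before relying on the label to open port 8443 to the scraper. The label belongs under spec.template.metadata.labels of the Deployment, not its top-level metadata, which the indentation of the suggested line does not make obvious on its own.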

Comment thread pkg/operator/csidriveroperator/hypershift_deployment_controller.go
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch from ed53370 to 9473ccf Compare June 15, 2026 14:27
@dfajmon dfajmon marked this pull request as ready for review June 15, 2026 14:28
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 15, 2026
@openshift-ci openshift-ci Bot requested review from mandre and stephenfin June 15, 2026 14:28
dfajmon and others added 2 commits June 15, 2026 17:21
…river operators

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch from 9473ccf to 55a8b32 Compare June 15, 2026 15:23

coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml (2)

64-67: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set CPU/memory limits for the operator container.

Line 64 currently sets only requests. Missing limits can allow noisy-neighbor behavior and reduce scheduling/runtime predictability on management clusters.

Suggested patch
           resources:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 250Mi
+              cpu: 200m
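Review bot: the limit values 250Mi and 200m in the suggested patch are not taken from anything in this PR; derive them from the operator's measured usage and keep them consistent with the other driver deployments, because a memory limit set below real peak usage gets the operator OOMKilled on the management cluster, a worse failure than the noisy-neighbour risk the comment cites.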

As per coding guidelines, every container in Kubernetes/OpenShift manifests should define CPU and memory resource limits.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml`
around lines 64 - 67, The resources section for the operator container currently
defines only requests for memory and cpu, but is missing the corresponding
limits. Add a limits subsection under resources that specifies both cpu and
memory limits (in addition to the existing requests) to prevent noisy-neighbor
behavior and ensure predictable scheduling and runtime behavior on management
clusters, as required by the coding guidelines for Kubernetes/OpenShift
manifests.

Source: Coding guidelines


29-79: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden pod/container securityContext before merge.

Line 29 onward defines the operator container without explicit allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, dropped capabilities, and runAsNonRoot at pod level. This leaves a weaker security baseline than the other driver deployments.

Suggested patch
       containers:
         - args:
@@
           resources:
             requests:
               memory: 50Mi
               cpu: 10m
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
@@
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       priorityClassName: hypershift-control-plane
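Review bot: two checks before taking this patch: runAsNonRoot: true at pod level is only satisfied when the image declares a non-root USER or the management-cluster SCC assigns a UID, and readOnlyRootFilesystem: true needs a test run against any path the operator writes at runtime (the config mount at /var/run/configmaps/config is a volume and is unaffected). The earlier review of this same file also listed seccompProfile and a runAsUser taken from standalone/06_deployment.yaml, so align the patch with that manifest rather than with the generic guideline alone.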

As per coding guidelines, Kubernetes/OpenShift manifests must enforce securityContext hardening (runAsNonRoot, allowPrivilegeEscalation: false, and least-privilege capability posture).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml`
around lines 29 - 79, The container specification for
powervs-block-csi-driver-operator in the deployment lacks required security
hardening. Add a securityContext block at the pod spec level (before containers)
with runAsNonRoot set to true, and add a securityContext block within the
powervs-block-csi-driver-operator container specification with
allowPrivilegeEscalation set to false, readOnlyRootFilesystem set to true, and
capabilities drop set to ALL. This ensures the container runs with non-root
privileges, prevents privilege escalation, uses a read-only root filesystem, and
drops all unnecessary capabilities in alignment with security hardening
standards.

Sources: Coding guidelines, Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f694e5e1-4423-45b6-8f67-157b8e6babb3

📥 Commits

Reviewing files that changed from the base of the PR and between 9473ccf and 55a8b32.

📒 Files selected for processing (43)
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/aws-ebs/base/09_deployment.yaml
  • assets/csidriveroperators/aws-ebs/base/kustomization.yaml
  • assets/csidriveroperators/aws-ebs/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/08_deployment.yaml
  • assets/csidriveroperators/azure-disk/base/kustomization.yaml
  • assets/csidriveroperators/azure-disk/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/08_deployment.yaml
  • assets/csidriveroperators/azure-file/base/kustomization.yaml
  • assets/csidriveroperators/azure-file/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/07_deployment.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/ibm-vpc-block/08_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/kustomization.yaml
  • assets/csidriveroperators/openstack-cinder/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-manila/base/kustomization.yaml
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • assets/csidriveroperators/vsphere/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
  • pkg/operator/csidriveroperator/csioperatorclient/cinder.go
  • pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go
  • pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/manila.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/types.go
  • pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
  • pkg/operator/operator_starter.go
✅ Files skipped from review due to trivial changes (10)
  • assets/csidriveroperators/aws-ebs/base/kustomization.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go
  • assets/csidriveroperators/openstack-manila/base/kustomization.yaml
  • assets/csidriveroperators/openstack-cinder/base/kustomization.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
  • pkg/operator/operator_starter.go
  • assets/csidriveroperators/azure-file/base/kustomization.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
🚧 Files skipped from review as they are similar to previous changes (25)
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go
  • assets/csidriveroperators/azure-disk/base/kustomization.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/cinder.go
  • assets/csidriveroperators/ibm-vpc-block/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/types.go
  • assets/csidriveroperators/azure-file/base/08_deployment.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/08_deployment.yaml
  • assets/csidriveroperators/gcp-pd/07_deployment.yaml
  • assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
  • assets/csidriveroperators/vsphere/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller.go

@dfajmon

dfajmon commented Jun 16, 2026

Contributor Author

/retest

@openshift-ci

openshift-ci Bot commented Jun 16, 2026

Contributor

@dfajmon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name              Commit   Details  Required  Rerun command
ci/prow/e2e-azure-csi  55a8b32  link     true      /test e2e-azure-csi

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved              Indicates a PR has been approved by an approver from all required OWNERS files.
jira/valid-reference  Indicates that this PR references a valid Jira ticket of any type.
