Closed
28 commits
9169241
CHANGELOG
Mar 27, 2026
c6c020a
Remove openshift 3 templating
Mar 27, 2026
9f57afc
Remove openshift 3 support from roxctl
Mar 26, 2026
de59b9d
Remove more OpenShift 3 cruft from Helm/Bundle code
Apr 9, 2026
e342a1d
Remove OpenShift 3 roxctl test
Mar 26, 2026
9ae2bd1
Change openshift auto-sensing in Helm chart to only check for config.…
Mar 18, 2026
e6632dd
Helm tests: Replace openshift-4.1.0 schema with openshift-4.12.
Apr 8, 2026
a23285a
Helm tests: remove openshift 3 tests.
Apr 8, 2026
33cf606
Helm tests: remove kubernetes server capabilities.
Apr 8, 2026
430dd3f
Helm tests: extend test case.
Apr 8, 2026
4184e4d
Helm tests: modify test from openshift 3 for openshift 4
Apr 8, 2026
2639886
Helm test: remove outdated test.
Apr 8, 2026
3691373
New roxctl test: verifying that --openshift-version=3 fails
Apr 8, 2026
772f586
Adjust rendering unit test for centralDb.
Apr 8, 2026
4039256
Adjust rendering unit test for secured-cluster-services bundle.
Apr 9, 2026
150a1eb
Add comment.
Apr 9, 2026
1e0512a
Tests: Remove OpenShift 3 test data
Apr 9, 2026
5dc132c
Deprecate OPENSHIFT_CLUSTER enum value
Apr 9, 2026
653812f
Generated protos
Apr 9, 2026
e662b82
Proto lock commit
Apr 9, 2026
5954132
Fail validation if cluster type is OpenShift 3
Apr 9, 2026
c278bdf
Tests: Remove OpenShift 3 data
Apr 9, 2026
71c3c3e
Tests: Remove OpenShift 3 data
Apr 9, 2026
1facce1
Make addScripts() fail for OpenShift 3 cluster types.
Apr 9, 2026
a8ca7fd
Test: Adjust for updated error message
Apr 9, 2026
8dbc34d
Remove OpenShift 3 test data
Apr 9, 2026
ee842ce
Remove OpenShift 3 test data from platformcve tests to make them pass…
Apr 10, 2026
ea80cab
Remove openshift 3 test case
Apr 13, 2026
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -30,6 +30,8 @@ Changes should still be described appropriately in JIRA/doc input pages, for inc

### Technical Changes

- OpenShift 3 support removed from Helm charts and roxctl manifest bundle generation.

## [4.10.0]


1 change: 0 additions & 1 deletion central/cluster/datastore/datastore_impl_postgres_test.go
Expand Up @@ -977,7 +977,6 @@ func (s *ClusterPostgresDataStoreTestSuite) TestAddDefaults() {
expectedDisabledLogs bool
}{
"Kubernetes cluster": {&storage.Cluster{Type: storage.ClusterType_KUBERNETES_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint}, true},
"Openshift 3 cluster": {&storage.Cluster{Type: storage.ClusterType_OPENSHIFT_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint}, true},
"Openshift 4 cluster": {&storage.Cluster{Type: storage.ClusterType_OPENSHIFT4_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint}, false},
"Openshift 4 cluster with disabled logs": {&storage.Cluster{Type: storage.ClusterType_OPENSHIFT4_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint,
DynamicConfig: &storage.DynamicClusterConfig{DisableAuditLogs: true}}, true},
2 changes: 1 addition & 1 deletion central/clusters/zip/render_test.go
Expand Up @@ -135,7 +135,7 @@ func TestRenderWithNoCollection(t *testing.T) {
cluster := &storage.Cluster{
Name: "cluster",
MainImage: "stackrox/main:abc",
Type: storage.ClusterType_OPENSHIFT_CLUSTER,
Type: storage.ClusterType_OPENSHIFT4_CLUSTER,
CollectionMethod: storage.CollectionMethod_NO_COLLECTION,
}

Expand Up @@ -403,16 +403,16 @@ func (s *GraphQLClusterVulnerabilityTestSuite) TestEnvImpact() {
ctx := SetAuthorizerOverride(s.ctx, allow.Anonymous())

vuln := s.getClusterVulnerabilityResolver(ctx, "clusterCve1")

clusterCount := len(s.clusterIDs)
impact, err := vuln.EnvImpact(ctx)
s.NoError(err)
s.Equal(float64(1)/8, impact)
s.Equal(float64(1)/float64(clusterCount), impact)

vuln = s.getClusterVulnerabilityResolver(ctx, "clusterCve2")

impact, err = vuln.EnvImpact(ctx)
s.NoError(err)
s.Equal(float64(2)/8, impact)
s.Equal(float64(2)/float64(clusterCount), impact)
}

func (s *GraphQLClusterVulnerabilityTestSuite) getClusterResolver(ctx context.Context, id string) *clusterResolver {
12 changes: 0 additions & 12 deletions central/graphql/resolvers/test_utils.go
Expand Up @@ -268,18 +268,6 @@ func testCluster() []*storage.Cluster {
MainImage: mainImage,
CentralApiEndpoint: centralEndpoint,
},
{
Name: "os_cluster1",
Type: storage.ClusterType_OPENSHIFT_CLUSTER,
MainImage: mainImage,
CentralApiEndpoint: centralEndpoint,
},
{
Name: "os_cluster2",
Type: storage.ClusterType_OPENSHIFT_CLUSTER,
MainImage: mainImage,
CentralApiEndpoint: centralEndpoint,
},
{
Name: "os4_cluster1",
Type: storage.ClusterType_OPENSHIFT4_CLUSTER,
2 changes: 2 additions & 0 deletions central/telemetry/centralclient/client.go
Expand Up @@ -114,6 +114,8 @@ func newCentralClient(instanceId string) *CentralClient {
func getCentralDeploymentProperties() map[string]any {
orchestrator := storage.ClusterType_KUBERNETES_CLUSTER.String()
if env.Openshift.BooleanSetting() {
// Should probably be changed to OPENSHIFT4_CLUSTER, but since this is production code, keeping it for now
// due to compatibility concerns.
orchestrator = storage.ClusterType_OPENSHIFT_CLUSTER.String()
}
Comment on lines +117 to 120
Contributor


⚠️ Potential issue | 🟠 Major

Telemetry still reports the deprecated OpenShift 3 platform label.

At Line 119, all OpenShift deployments are still tagged as OPENSHIFT_CLUSTER, which now represents deprecated/unsupported OpenShift 3 semantics. This will misclassify OpenShift 4 telemetry.

Suggested fix
  if env.Openshift.BooleanSetting() {
-     // Should probably be changed to OPENSHIFT4_CLUSTER, but since this is production code, keeping it for now
-     // due to compatibility concerns.
-     orchestrator = storage.ClusterType_OPENSHIFT_CLUSTER.String()
+     orchestrator = storage.ClusterType_OPENSHIFT4_CLUSTER.String()
  }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Should probably be changed to OPENSHIFT4_CLUSTER, but since this is production code, keeping it for now
// due to compatibility concerns.
orchestrator = storage.ClusterType_OPENSHIFT_CLUSTER.String()
}
if env.Openshift.BooleanSetting() {
orchestrator = storage.ClusterType_OPENSHIFT4_CLUSTER.String()
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@central/telemetry/centralclient/client.go` around lines 117 - 120, The code
currently sets orchestrator = storage.ClusterType_OPENSHIFT_CLUSTER.String(),
which labels all OpenShift installs as the deprecated OpenShift 3 type; change
the mapping so OpenShift 4 installs use
storage.ClusterType_OPENSHIFT4_CLUSTER.String() instead (update the assignment
of the orchestrator variable in client.go where
storage.ClusterType_OPENSHIFT_CLUSTER is used), and if compatibility logic is
required preserve any conditional branch by adding a detection/flag to choose
OPENSHIFT4_CLUSTER for v4 clusters while keeping OPENSHIFT_CLUSTER only for
explicit legacy/OpenShift3 cases.

// k8s apiserver is not accessible in cloud service environment.
45 changes: 11 additions & 34 deletions central/views/platformcve/view_test.go
Expand Up @@ -428,21 +428,21 @@ func (s *PlatformCVEViewTestSuite) testCases() []testCase {
desc: "search one cluster",
ctx: context.Background(),
q: search.NewQueryBuilder().
AddExactMatches(search.Cluster, "openshift-1").ProtoQuery(),
AddExactMatches(search.Cluster, "openshift4-1").ProtoQuery(),
matchFilter: matchAllFilter().withClusterFilter(func(cluster *storage.Cluster) bool {
return cluster.GetName() == "openshift-1"
return cluster.GetName() == "openshift4-1"
}),
},
{
desc: "search one cve + one cluster",
ctx: context.Background(),
q: search.NewQueryBuilder().
AddExactMatches(search.CVE, "cve-2").
AddExactMatches(search.Cluster, "openshift-2").
AddExactMatches(search.Cluster, "openshift4-2").
ProtoQuery(),
matchFilter: matchAllFilter().
withClusterFilter(func(cluster *storage.Cluster) bool {
return cluster.GetName() == "openshift-2"
return cluster.GetName() == "openshift4-2"
}).
withCVEPartsFilter(func(cveParts converterV2.ClusterCVEParts) bool {
return cveParts.CVE.GetCveBaseInfo().GetCve() == "cve-2"
Expand Down Expand Up @@ -614,39 +614,36 @@ func (s *PlatformCVEViewTestSuite) sacTestCases(ctx context.Context) []sacTestCa
visibleClusters: set.NewStringSet(
s.clusterNameToIDMap["generic-1"], s.clusterNameToIDMap["generic-2"],
s.clusterNameToIDMap["kubernetes-1"], s.clusterNameToIDMap["kubernetes-2"],
s.clusterNameToIDMap["openshift-1"], s.clusterNameToIDMap["openshift-2"],
s.clusterNameToIDMap["openshift4-1"], s.clusterNameToIDMap["openshift4-2"],
),
},
{
desc: "generic-1, kubernetes-1, openshift-1 and openshift4-1 clusters visible",
desc: "generic-1, kubernetes-1 and openshift4-1 clusters visible",
ctx: sac.WithGlobalAccessScopeChecker(ctx,
sac.AllowFixedScopes(
sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
sac.ResourceScopeKeys(resources.Cluster),
sac.ClusterScopeKeys(
s.clusterNameToIDMap["generic-1"], s.clusterNameToIDMap["kubernetes-1"],
s.clusterNameToIDMap["openshift-1"], s.clusterNameToIDMap["openshift4-1"]))),
s.clusterNameToIDMap["openshift4-1"]))),
visibleClusters: set.NewStringSet(
s.clusterNameToIDMap["generic-1"],
s.clusterNameToIDMap["kubernetes-1"],
s.clusterNameToIDMap["openshift-1"],
s.clusterNameToIDMap["openshift4-1"],
),
},
{
desc: "generic-2, kubernetes-2, openshift-2, openshift4-2 clusters visible",
desc: "generic-2, kubernetes-2 and openshift4-2 clusters visible",
ctx: sac.WithGlobalAccessScopeChecker(ctx,
sac.AllowFixedScopes(
sac.AccessModeScopeKeys(storage.Access_READ_ACCESS),
sac.ResourceScopeKeys(resources.Cluster),
sac.ClusterScopeKeys(
s.clusterNameToIDMap["generic-2"], s.clusterNameToIDMap["kubernetes-2"],
s.clusterNameToIDMap["openshift-2"], s.clusterNameToIDMap["openshift4-2"]))),
s.clusterNameToIDMap["openshift4-2"]))),
visibleClusters: set.NewStringSet(
s.clusterNameToIDMap["generic-2"],
s.clusterNameToIDMap["kubernetes-2"],
s.clusterNameToIDMap["openshift-2"],
s.clusterNameToIDMap["openshift4-2"],
),
},
Expand Down Expand Up @@ -943,26 +940,6 @@ func getTestData() (map[string]*storage.Cluster, map[storage.CVE_CVEType][]conve
})
clusterMap[kubernetes2.GetId()] = kubernetes2

openshift1 := generateTestCluster(&testClusterFields{
Name: "openshift-1",
PlatformType: storage.ClusterType_OPENSHIFT_CLUSTER,
ProviderType: storage.ClusterMetadata_OCP,
Labels: map[string]string{"platform-type": "openshift"},
K8sVersion: "8.0",
IsOpenshift: true,
})
clusterMap[openshift1.GetId()] = openshift1

openshift2 := generateTestCluster(&testClusterFields{
Name: "openshift-2",
PlatformType: storage.ClusterType_OPENSHIFT_CLUSTER,
ProviderType: storage.ClusterMetadata_OSD,
Labels: map[string]string{"platform-type": "openshift"},
K8sVersion: "8.0",
IsOpenshift: true,
})
clusterMap[openshift2.GetId()] = openshift2

openshift41 := generateTestCluster(&testClusterFields{
Name: "openshift4-1",
PlatformType: storage.ClusterType_OPENSHIFT4_CLUSTER,
Expand Down Expand Up @@ -1004,9 +981,9 @@ func getTestData() (map[string]*storage.Cluster, map[storage.CVE_CVEType][]conve
converterV2.NewClusterCVEParts(cve3Openshift, []*storage.Cluster{generic2}, ""),
converterV2.NewClusterCVEParts(cve4K8, []*storage.Cluster{kubernetes1, kubernetes2}, "9.3"),
converterV2.NewClusterCVEParts(cve5K8, []*storage.Cluster{kubernetes1, kubernetes2}, "9.2"),
converterV2.NewClusterCVEParts(cve1Openshift, []*storage.Cluster{openshift1, openshift41, openshift42}, ""),
converterV2.NewClusterCVEParts(cve2Openshift, []*storage.Cluster{openshift1, openshift2, openshift42}, "4.15"),
converterV2.NewClusterCVEParts(cve4Openshift, []*storage.Cluster{openshift2, openshift42}, "4.13"),
converterV2.NewClusterCVEParts(cve1Openshift, []*storage.Cluster{openshift41, openshift42}, ""),
converterV2.NewClusterCVEParts(cve2Openshift, []*storage.Cluster{openshift42}, "4.15"),
converterV2.NewClusterCVEParts(cve4Openshift, []*storage.Cluster{openshift42}, "4.13"),
converterV2.NewClusterCVEParts(cve5Openshift, []*storage.Cluster{openshift41, openshift42}, "4.15"),
converterV2.NewClusterCVEParts(cve1Istio, []*storage.Cluster{generic1}, ""),
converterV2.NewClusterCVEParts(cve5Istio, []*storage.Cluster{openshift41}, "4.15"),
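Review bot: In the last hunk, `cve2Openshift` and `cve4Openshift` are now attached to `openshift42` only, so the "search one cve + one cluster" case (cve-2 on openshift4-2) no longer has a second OpenShift cluster carrying that record for the cluster filter to exclude. Unless another cve-2 entry outside this hunk covers it, the combined CVE-plus-cluster query is tested less strictly than before. Keeping one multi-cluster entry would preserve that, e.g. `converterV2.NewClusterCVEParts(cve2Openshift, []*storage.Cluster{openshift41, openshift42}, "4.15"),`. getTestData starts and ends outside the hunk.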
7 changes: 4 additions & 3 deletions generated/storage/cluster.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion image/embed_charts.go
Expand Up @@ -271,7 +271,7 @@ func (i *Image) GetSensorChart(values *charts.MetaValues, certs *sensor.Certs) (
func (i *Image) addScripts(values *charts.MetaValues) ([]*loader.BufferedFile, error) {
if values.ClusterType == storage.ClusterType_KUBERNETES_CLUSTER.String() {
return i.scripts(values, k8sScriptsFileMap)
} else if values.ClusterType == storage.ClusterType_OPENSHIFT_CLUSTER.String() || values.ClusterType == storage.ClusterType_OPENSHIFT4_CLUSTER.String() {
} else if values.ClusterType == storage.ClusterType_OPENSHIFT4_CLUSTER.String() {
return i.scripts(values, osScriptsFileMap)
}
return nil, errors.Errorf("unable to create sensor bundle, invalid cluster type for cluster %s",
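Review bot: A cluster whose stored type is still `OPENSHIFT_CLUSTER` now falls through to the generic "invalid cluster type" error at the end of addScripts, which does not tell the operator that OpenShift 3 support was removed. If such records can still exist in Central (no migration is visible in this section), regenerating a sensor bundle for them will fail with a message that reads like corrupted data rather than a removed platform. Consider an explicit branch ahead of the fallback, for example `if values.ClusterType == storage.ClusterType_OPENSHIFT_CLUSTER.String() { return nil, errors.New("unable to create sensor bundle: OpenShift 3 clusters are no longer supported") }`. The `else if` after a `return` can also be flattened into plain `if` statements. The final `errors.Errorf` call continues outside the hunk.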
Expand Up @@ -2,12 +2,9 @@

{{- if or ._rox.scannerV4._indexerEnabled ._rox.scannerV4._matcherEnabled }}
{{- if ._rox.env.openshift }}
{{- if eq ._rox.env.openshift 3 }}
{{ include "srox.warn" (list . "On OpenShift 3.x no SecurityContextConstraint will be configured for Scanner V4.") }}
{{- else }}
{{/* Use a default SCC that ships with OpenShift 4.x.
We only need to create a Role and a RoleBinding for
associating the SCC with the Scanner V4 deployment. */}}
{{/* Use a default SCC that ships with OpenShift 4.x.
We only need to create a Role and a RoleBinding for
associating the SCC with the Scanner V4 deployment. */}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand Down Expand Up @@ -47,6 +44,5 @@ subjects:
- kind: ServiceAccount
name: scanner-v4
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end }}
36 changes: 14 additions & 22 deletions image/templates/helm/shared/templates/_openshift.tpl
Expand Up @@ -4,13 +4,11 @@
This function detects the OpenShift version automatically based on the cluster the Helm chart is installed onto.
It writes the result to ._rox.env.openshift as an integer.
Possible results are:
- 3 (OpenShift 3)
- 4 (OpenShift 4)
- 0 (Non-Openshift cluster)

If "true" is passed for $._rox.env.openshift the OpenShift version is detected based on the Kubernetes cluster version.
If the Kubernetes version is not available (i.e. when using Helm template) auto-sensing falls back on OpenShift 3 to be
backward compatible.
If "true" is passed for $._rox.env.openshift, this is unconditionally mapped to OpenShift version "4", because that is the only
major version we currently support.
Comment on lines +10 to +11
Contributor


issue (bug_risk): The documented behavior for passing "true" does not match the implemented behavior.

This comment now states that passing "true" for $._rox.env.openshift always maps to OpenShift 4, but the code only special-cases kindIs "bool" $env.openshift. If a user sets openshift: "true" (string) in values, it will go through the int cast instead and likely fail rendering. Please either handle the string values "true"/"false" explicitly, or update the docs to clarify that openshift must be a boolean, not a string.

*/}}

{{ define "srox.autoSenseOpenshiftVersion" }}
Expand All @@ -20,31 +18,25 @@

{{/* Infer OpenShift, if needed */}}
{{ if kindIs "invalid" $env.openshift }}
{{/* The API GroupVersion project.openshift.io/v1 contains the core OpenShift API 'Project' of
compatibility level 1, which comes with the strongest stability guarantees among the OpenShift APIs.
This API is available in OpenShift 3.x and 4.x. */}}
{{ $_ := set $env "openshift" (has "project.openshift.io/v1" $._rox._apiServer.apiResources) }}
{{/* This CRD API reliably indicates OpenShift 4. */}}
{{ $_ := set $env "openshift" (has "config.openshift.io/v1" $._rox._apiServer.apiResources) }}
{{- if $env.openshift -}}
{{- include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift 4.x cluster.")) -}}
{{- end -}}
{{ end }}

{{/* Infer openshift version */}}
{{ if and $env.openshift (kindIs "bool" $env.openshift) }}
{{/* Parse and add KubeVersion as semver from built-in resources. This is necessary to compare valid integer numbers. */}}
{{ $kubeVersion := semver $.Capabilities.KubeVersion.Version }}

{{/* Default to OpenShift 3 if no openshift resources are available, i.e. in helm template commands */}}
{{ if not (has "project.openshift.io/v1" $._rox._apiServer.apiResources) }}
{{ $_ := set $._rox.env "openshift" 3 }}
{{ else if gt $kubeVersion.Minor 11 }}
{{ $_ := set $env "openshift" 4 }}
{{ else }}
{{ $_ := set $env "openshift" 3 }}
{{ end }}
{{ include "srox.note" (list $ (printf "Based on API server properties, we have inferred that you are deploying into an OpenShift %d.x cluster. Set the `env.openshift` property explicitly to 3 or 4 to override the auto-sensed value." $env.openshift)) }}
{{/* We only support OpenShift 4. */}}
{{ $_ := set $env "openshift" 4 }}
{{ end }}

{{ if not (kindIs "bool" $env.openshift) }}
{{ $_ := set $env "openshift" (int $env.openshift) }}
{{ else if not $env.openshift }}
{{ $_ := set $env "openshift" 0 }}
{{ end }}

{{- if and (ne $env.openshift 0) (ne $env.openshift 4) -}}
{{- include "srox.fail" (printf "You have specified OpenShift version %d.x, but only version 4.x is currently supported." $env.openshift) -}}
{{- end -}}

{{ end }}
Expand Up @@ -7,7 +7,7 @@ clusterConfig:
{{- if not ._rox.env.openshift }}
type: KUBERNETES_CLUSTER
{{- else }}
type: {{ if eq (int ._rox.env.openshift) 4 -}} OPENSHIFT4_CLUSTER {{- else -}} OPENSHIFT_CLUSTER {{ end }}
type: OPENSHIFT4_CLUSTER
{{- end }}
Comment on lines 7 to 11
Contributor


⚠️ Potential issue | 🟠 Major

Do not silently coerce deprecated OpenShift 3 input to OpenShift 4.

At Line 10, any truthy ._rox.env.openshift becomes OPENSHIFT4_CLUSTER. That lets env.openshift: 3 bypass the OpenShift 3 rejection (pkg/cluster/validation.go, Lines 64-66), which weakens the deprecation enforcement path.

Proposed fix
     {{- if not ._rox.env.openshift }}
     type: KUBERNETES_CLUSTER
-    {{- else }}
+    {{- else if eq (._rox.env.openshift | int) 3 }}
+    {{- fail "OpenShift 3.x is not supported anymore" }}
+    {{- else }}
     type: OPENSHIFT4_CLUSTER
     {{- end }}

Please also add one helmtest case asserting env.openshift: 3 errors, to prevent regressions.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- if not ._rox.env.openshift }}
type: KUBERNETES_CLUSTER
{{- else }}
type: {{ if eq (int ._rox.env.openshift) 4 -}} OPENSHIFT4_CLUSTER {{- else -}} OPENSHIFT_CLUSTER {{ end }}
type: OPENSHIFT4_CLUSTER
{{- end }}
{{- if not ._rox.env.openshift }}
type: KUBERNETES_CLUSTER
{{- else if eq (._rox.env.openshift | int) 3 }}
{{- fail "OpenShift 3.x is not supported anymore" }}
{{- else }}
type: OPENSHIFT4_CLUSTER
{{- end }}

mainImage: {{ coalesce ._rox.image.main._abbrevImageRef ._rox.image.main.fullRef }}
collectorImage: {{ coalesce ._rox.image.collector._abbrevImageRef ._rox.image.collector.fullRef }}
Expand Up @@ -12,7 +12,7 @@ cluster:
clusterName: {{ .value }}
type: |
env:
openshift: {{ if eq .rawValue "OPENSHIFT4_CLUSTER" }} 4 {{ else }} {{ eq .rawValue "OPENSHIFT_CLUSTER" }} {{ end }}
openshift: {{ eq .rawValue "OPENSHIFT4_CLUSTER" }}

endpoint:
central: |
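Review bot: A legacy values file with `cluster.type: OPENSHIFT_CLUSTER` is now translated to `env.openshift: false` by the changed `openshift:` line, so the chart would render as a plain Kubernetes install instead of being rejected. That silently drops the OpenShift-specific settings (for example the `openshift.io/required-scc` annotation set elsewhere in this change) rather than surfacing the unsupported platform. Mapping the old value to 3 lets the version check in `srox.autoSenseOpenshiftVersion` fail the render: `openshift: {{ if eq .rawValue "OPENSHIFT_CLUSTER" }} 3 {{ else }} {{ eq .rawValue "OPENSHIFT4_CLUSTER" }} {{ end }}`. This assumes the translated value passes through that helper before it is used, which is not visible in this section.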
Expand Up @@ -60,13 +60,7 @@ admissionControl:
[<- if .FeatureFlags.ROX_ADMISSION_CONTROLLER_CONFIG >]
listenOnCreates: true
listenOnUpdates: true
{{/* At this point, when defaults are applied, we can expect env.openshift to be false or a major version number (3, 4). */}}
{{- if or (not ._rox.env.openshift) (gt ._rox.env.openshift 3) }}
listenOnEvents: true
{{- else }}
{{/* OpenShift 3.x does not support this. */}}
listenOnEvents: false
{{- end }}
[<- else >]
listenOnCreates: false
listenOnUpdates: false
Expand Up @@ -106,7 +106,7 @@ Here is the list of old and new configuration options:
|Old configuration option |New configuration option |
|-------------------------|-------------------------|
| `cluster.name` | `clusterName` |
| `cluster.type` | Set `env.openshift` to `true` for `cluster.type=OPENSHIFT_CLUSTER` and `false` for `cluster.type=KUBERNETES_CLUSTER`. Leave unset to automatically detect (recommended). |
| `cluster.type` | Set `env.openshift` to `true` for `cluster.type=OPENSHIFT4_CLUSTER` and `false` for `cluster.type=KUBERNETES_CLUSTER`. Leave unset to automatically detect (recommended). |
| `endpoint.central` | `centralEndpoint` |
| `endpoint.advertised` | `sensor.endpoint` |
| `image.repository.main` | `image.main.name` |
Expand Up @@ -210,12 +210,6 @@
{{ include "srox.warn" (list $ "Incompatible settings: 'admissionControl.dynamic.enforceOnUpdates' is set to true, while `admissionControl.listenOnUpdates` is set to false. For the feature to be active, enable both settings by setting them to true.") }}
{{ end }}

[<- if not .FeatureFlags.ROX_ADMISSION_CONTROLLER_CONFIG >]
{{ if and (eq $._rox.env.openshift 3) $._rox.admissionControl.listenOnEvents }}
{{ include "srox.fail" "'admissionControl.listenOnEvents' is set to true, but the chart is being deployed in OpenShift 3.x compatibility mode, which does not work with this feature. Set 'env.openshift' to '4' in order to enable OpenShift 4.x features." }}
{{ end }}
[<- end >]

{{ if $._rox.collector.slimMode }}
{{ include "srox.warn" (list $ "collector.slimMode is set to true, but it has been removed in 4.7 after being deprecated since 4.5. This setting will be ignored.") }}
{{ end }}
Expand Up @@ -25,7 +25,7 @@ spec:
{{- include "srox.podLabels" (list . "deployment" "admission-control") | nindent 8 }}
annotations:
{{- $annotations := dict "traffic.sidecar.istio.io/excludeInboundPorts" "8443" -}}
{{- if eq ._rox.env.openshift 4 }}
{{- if ._rox.env.openshift }}
{{- $_ := set $annotations "openshift.io/required-scc" "restricted-v2" -}}
{{- end }}
{{- include "srox.podAnnotations" (list . "deployment" "admission-control" $annotations) | nindent 8 }}
Expand Down Expand Up @@ -215,11 +215,7 @@ spec:
type: ClusterIP
sessionAffinity: None
---
{{- if ne ._rox.env.openshift 3 }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
kind: ValidatingWebhookConfiguration
metadata:
name: stackrox
Expand All @@ -231,11 +227,9 @@ metadata:
webhooks:
{{- if or ._rox.admissionControl.dynamic.enforceOnCreates ._rox.admissionControl.dynamic.enforceOnUpdates }}
- name: policyeval.stackrox.io
{{- if ne ._rox.env.openshift 3 }}
sideEffects: NoneOnDryRun
admissionReviewVersions: [ "v1", "v1beta1" ]
timeoutSeconds: {{ add 2 ._rox.admissionControl.dynamic.timeout }}
{{- end }}
rules:
- apiGroups:
- '*'
Expand Down Expand Up @@ -280,11 +274,9 @@ webhooks:
{{- end}}
{{- if ._rox.admissionControl.listenOnEvents }}
- name: k8sevents.stackrox.io
{{- if ne ._rox.env.openshift 3 }}
sideEffects: NoneOnDryRun
admissionReviewVersions: [ "v1", "v1beta1" ]
timeoutSeconds: {{ add 2 ._rox.admissionControl.dynamic.timeout }}
{{- end }}
rules:
- apiGroups:
- '*'