Skip to content

NETOBSERV-2841: Refactor bundling for vendoring#2822

Open
jotak wants to merge 7 commits into
netobserv:mainfrom
jotak:vendoring
Open

NETOBSERV-2841: Refactor bundling for vendoring#2822
jotak wants to merge 7 commits into
netobserv:mainfrom
jotak:vendoring

Conversation

@jotak

@jotak jotak commented Jun 25, 2026

Copy link
Copy Markdown
Member

Description

Replace the "is downstream" flag with a "vendor" parameter, which is more neutral and makes place for more than openshift.

Use only env-based arguments instead of env + command line. Hardcode the vendor-based logic for plugin variant detection (makes code simpler; this didn't look like something people would override anyway)

Refactor kustomize configs:

  • Clearer vendoring with "BUNDLE_TARGET=OpenShift"
  • All possible targets (2 currently) are now created when running "make update-bundle"
  • Better separation OpenShift vs Vanilla in OLM config: there's now config/k8s[/olm] on one side and config/openshift[/olm] on the other
  • Remove a few openshift-specific annotations that were still left in the generic configs
  • Helm chart is now generated from the k8s bundle, not the openshift one
  • Avoid creating temporary files here and there; more pipes

Dependencies

Checklist

  • Does the changes in PR need specific configuration or environment set up for testing?
    • if so please describe it in PR description.
  • I have added thorough unit tests for the change.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Summary by CodeRabbit

  • New Features
    • Adds FlowCollectorSlice and FlowMetric OpenShift resources, plus new/updated metrics, webhook, and metrics-exposure Services and RBAC.
  • Bug Fixes
    • Updates console image handling to use web console images (including PF variants) and aligns downstream/vendor behavior to an OpenShift_Downstream model.
    • Improves ServiceMonitor/Webhook/TLS wiring for the current bundle layout.
  • Documentation
    • Refreshes setup/development guidance and updates console image environment-variable references to RELATED_IMAGE_WEB_CONSOLE.
  • Chores
    • Regenerates bundle and Helm artifacts to match the new bundle structure and manifest paths.

@openshift-ci-robot

openshift-ci-robot commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

@jotak: This pull request references NETOBSERV-2554 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "5.0." or "openshift-5.0.", but it targets "netobserv-2.0" instead.

Details

In response to this:

Description

Replace the "is downstream" flag with a "vendor" parameter, which is more neutral and makes place for more than openshift.

Use only env-based arguments instead of env + command line. Hardcode the vendor-based logic for plugin variant detection (makes code simpler; this didn't look like something people would override anyway)

Refactor kustomize configs:

  • Clearer vendoring with "BUNDLE_TARGET=OpenShift"
  • All possible targets (2 currently) are now created when running "make update-bundle"
  • Better separation OpenShift vs Vanilla in OLM config: there's now config/k8s[/olm] on one side and config/openshift[/olm] on the other
  • Remove a few openshift-specific annotations that were still left in the generic configs
  • Helm chart is now generated from the k8s bundle, not the openshift one
  • Avoid creating temporary files here and there; more pipes

Dependencies

n/a

Checklist

  • Does the changes in PR need specific configuration or environment set up for testing?
    • if so please describe it in PR description.
  • I have added thorough unit tests for the change.
  • QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Configuration, controllers, build targets, and generated manifests switch from downstream booleans and console-plugin images to vendor-aware web-console image wiring. Bundle inputs and Helm/OpenShift outputs are regenerated for the new bundle layout and related images.

Changes

Vendor-aware web-console and bundle regeneration

Layer / File(s) Summary
Config contract and startup
internal/controller/constants/constants.go, internal/pkg/manager/config.go, internal/pkg/manager/config_test.go, internal/pkg/test/envtest.go, main.go
Vendor and web-console image fields replace the console-plugin/downstream config path, and startup/tests load the new env-based config shape.
Reconciler image wiring
internal/controller/reconcilers/common.go, internal/controller/flowcollector_controller.go, internal/controller/static/static_controller.go, internal/controller/flp/*
Common now carries Vendor, and FlowCollector/static/FLP reconcilers resolve the web-console image instead of the console-plugin image.
Monitoring and network policy
internal/pkg/helper/monitoring.go, internal/controller/ebpf/*, internal/controller/monitoring/*, internal/controller/networkpolicy/*
ServiceMonitor TLS, namespace labels, and network policy selection now branch on Vendor, with matching test and helper updates.
Developer targets and bundle scripts
.mk/development.mk, Makefile, bundle.Dockerfile, AGENTS.md, DEVELOPMENT.md, hack/crd2csvSpecDesc.sh, hack/helm-update.sh, hack/update_fbc.sh
Build targets, docs, and helper scripts switch to web-console image names and the bundles/ layout.
CSV and overlay inputs
config/csv/*, config/k8s/olm/*, config/manager/*, config/openshift/common/*, config/openshift/olm/*, config/openshift/kustomization.yaml, config/webhook/service.yaml
CSV bases, manager manifests, and OpenShift overlays are rewritten for the new bundle layout, namespace handling, and patch structure.
Kubernetes bundle outputs
bundles/k8s/manifests/*, bundles/k8s/metadata/*
The Kubernetes bundle output adds the webhook service, bundle annotations, and updated CSV env and related image content.
OpenShift bundle manifests
bundles/openshift/manifests/*
The OpenShift bundle adds the FlowCollectorSlice and FlowMetric CRDs, the operator CSV, RBAC resources, the manager ConfigMap, token-review role, and the webhook service label change.
Helm outputs
helm/crds/*, helm/templates/*
Helm CRD and template outputs are regenerated with auto-generated headers and the new web-console and service metadata.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The PR description follows the template with Description, Dependencies, and Checklist sections and includes relevant details and regression-only testing.
Title check ✅ Passed The title is concise and accurately summarizes the main change: refactoring bundling for vendor support.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@jotak

jotak commented Jun 25, 2026

Copy link
Copy Markdown
Member Author

/hold
Seeing a couple of issues

jpinsonneau
jpinsonneau previously approved these changes Jun 25, 2026

@jpinsonneau jpinsonneau left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in terms of code 👌

@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown

New changes are detected. LGTM label has been removed.

@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from jpinsonneau. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jotak

jotak commented Jun 25, 2026

Copy link
Copy Markdown
Member Author

/unhold

@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
helm/templates/deployment.yaml (1)

34-41: 🎯 Functional Correctness | 🟡 Minor

Add RELATED_IMAGE_EBPF_BYTECODE to the Helm deployment environment.

The operator expects RELATED_IMAGE_EBPF_BYTECODE with a code-level fallback. To align with the guideline "Never hardcode container image references" and allow overrides consistent with EBPF_AGENT and others, pass this variable in the Helm template.

Suggestion
- name: RELATED_IMAGE_EBPF_BYTECODE
  value: '{{ .Values.ebpfAgent.bytecodeImage }}'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helm/templates/deployment.yaml` around lines 34 - 41, The Helm deployment
environment is missing RELATED_IMAGE_EBPF_BYTECODE, which the operator expects
with a configurable fallback. Update the deployment template alongside the other
RELATED_IMAGE_* entries to pass this variable from values, using the
ebpfAgent-related setting so it can be overridden consistently with
RELATED_IMAGE_EBPF_AGENT and the other image env vars.
🧹 Nitpick comments (5)
hack/helm-update.sh (1)

36-39: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Quote the glob variable.

Per static analysis (SC2046/SC2086), $f and $(basename $f) are unquoted, so a path with spaces/globs would word-split. Cheap to harden.

♻️ Proposed fix
 for f in bundles/k8s/manifests/*_rbac.authorization.k8s.io_v1_clusterrole.yaml; do
   cp "$f" helm/templates/
-  sed -i '1s/^/# Auto-generated from helm-update.sh\n/' helm/templates/$(basename $f)
+  sed -i '1s/^/# Auto-generated from helm-update.sh\n/' "helm/templates/$(basename "$f")"
 done
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/helm-update.sh` around lines 36 - 39, The loop in helm-update.sh uses
unquoted shell expansions, which can word-split or glob-expand unexpectedly.
Update the copy and basename usage in the for-loop so the iterated path variable
and the generated destination filename are properly quoted, and keep the change
localized around the bundle-to-helm template copy logic.

Source: Linters/SAST tools

Makefile (1)

434-441: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use $(YQ) consistently.

Line 436 invokes $(YQ) but line 437 calls bare yq. If $(YQ) resolves to a pinned/downloaded binary, the bare call may pick up a different (or missing) yq, producing inconsistent output between the two filters in the same pipe.

♻️ Proposed fix
 		($(KUSTOMIZE) build config/csv \
 			| $(YQ) '.metadata.annotations.containerImage = "$(IMAGE)"' \
-			| yq '.spec.description = load_str("$(BUNDLE_CONFIG)/description.md")' \
+			| $(YQ) '.spec.description = load_str("$(BUNDLE_CONFIG)/description.md")' \
 		); \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 434 - 441, The bundle generation pipeline is mixing
`$(YQ)` with a bare `yq`, which can make the second filter use a different
binary or fail entirely. Update the `generate bundle` recipe so both YAML
transformations in the same pipe invoke the same `$(YQ)` variable, keeping
behavior consistent with the existing `KUSTOMIZE` and `OPSDK` usage.
config/k8s/olm/description.md (1)

1-1: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Grammar nit: "consisting in" → "consisting of".

This line feeds the generated CSV .spec.description, so it's user-facing in OLM.

📝 Suggested wording
-The NetObserv Operator is a Kubernetes operator for network observability. It deploys a monitoring pipeline consisting in:
+The NetObserv Operator is a Kubernetes operator for network observability. It deploys a monitoring pipeline consisting of:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/k8s/olm/description.md` at line 1, The operator description text has a
grammar issue in the opening sentence. Update the wording in the description
content used for the OLM CSV .spec.description by changing the phrase in the
sentence handled by the markdown source from “consisting in” to “consisting of”;
keep the rest of the NetObserv Operator description unchanged.
config/openshift/common/patch.yaml (1)

28-40: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove or explain the commented-out CRD block.

Lines 28-40 are commented-out CRD inject-cabundle patches. If they're a deliberate placeholder, add a short note why; otherwise drop them to avoid leaving dead config behind.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/openshift/common/patch.yaml` around lines 28 - 40, The commented-out
CRD inject-cabundle block in the OpenShift patch should either be removed or
documented with a brief explanation if it is intentionally kept as a
placeholder. Update the patch content around the CRD entries for
flowcollectors.flows.netobserv.io and flowmetrics.flows.netobserv.io so the
intent is clear and there is no dead configuration left behind.
config/k8s/olm/kustomization.yaml (1)

1-7: 📐 Maintainability & Code Quality | 🔵 Trivial

Consolidate Kustomization bases into resources

File config/k8s/olm/kustomization.yaml contains both resources and the deprecated bases field. Move the bases entries (../../crd, ../../rbac, ../../manager, ../../webhook, ../../certmanager) into the resources list.

resources:
- ../../csv
- ../../crd
- ../../rbac
- ../../manager
- ../../webhook
- ../../certmanager

Run make update-bundle after the change.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/k8s/olm/kustomization.yaml` around lines 1 - 7, Consolidate the
Kustomization configuration by moving all deprecated bases entries into the
existing resources list in kustomization.yaml. Update the Kustomization manifest
so the resources field includes ../../csv, ../../crd, ../../rbac, ../../manager,
../../webhook, and ../../certmanager, and remove any separate bases usage. After
adjusting the Kustomization entry, run make update-bundle to regenerate the
bundle manifests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.mk/development.mk:
- Around line 184-189: The set-vendor target is using different namespaces for
the same deployment, which can make the update and rollout checks target
different resources. Update the kubectl set env call in set-vendor to use
$(OPERATOR_NS) consistently, matching the rollout status and wait commands, so
all deployment interactions reference netobserv-controller-manager in the same
namespace.

In `@bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml`:
- Around line 1007-1008: The RELATED_IMAGE_EBPF_BYTECODE entry is still using
the mutable main tag, unlike the other pinned image references in the CSV
manifest. Update the value in the netobserv-operator.clusterserviceversion
manifest so it matches the versioned ebpf-bytecode image, using the
RELATED_IMAGE_EBPF_BYTECODE symbol to locate it, and replace main with
v1.11.5-community.

In
`@bundles/openshift/manifests/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml`:
- Around line 7-12: The ClusterRole rule for metrics.k8s.io currently grants
create on pods instead of read access; update the RBAC entry in
netobserv-metrics-reader to use the read verbs get, list, and watch so the
metrics API can be queried properly. Locate the rule by its apiGroups
metrics.k8s.io and resources pods fields, and replace the existing verb set
accordingly.

In `@bundles/openshift/manifests/netobserv-operator.clusterserviceversion.yaml`:
- Around line 356-361: The x-descriptor for consolePlugin.imagePullPolicy has a
stray trailing double-quote that breaks the URN and prevents the console widget
from rendering. Fix the descriptor in the source CSV template (the
netobserv-operator.clusterserviceversion YAML under config/csv/bases) by
removing the extra quote from the imagePullPolicy x-descriptor, then regenerate
the OpenShift bundle so the generated manifest matches the corrected descriptor
format.

In `@config/csv/bases/transformed-csv.yaml`:
- Around line 274-279: The consolePlugin.imagePullPolicy x-descriptor has a
stray trailing quote, so remove the extra quote from the urn:alm descriptor
entry in the transformed-csv.yaml block for consolePlugin.imagePullPolicy. Keep
the descriptor consistent with the other imagePullPolicy entries elsewhere in
the file so OLM can recognize the widget correctly.

In `@config/openshift/common/monitor.yaml`:
- Line 18: The `serverName` value in `monitor.yaml` is hardcoded, so the
`Makefile` namespace substitution never applies. Update the OpenShift
configuration by moving this field into a Kustomize patch under
`config/openshift` and make it derive the namespace dynamically, so `serverName`
stays aligned with the deployment namespace for both OLM and manual installs.
Use the existing `monitor.yaml`/OpenShift kustomization flow to locate and
replace the hardcoded `serverName` entry.

In `@internal/controller/flp/flp_common_objects.go`:
- Around line 340-342: The ServiceMonitor TLS setup in serviceMonitor should
treat VendorOpenShiftDownstream the same as VendorOpenShift. Update the call
path around helper.GetServiceMonitorTLSConfig so the OpenShift TLS branch is
selected for both vendor values, likely by adjusting the vendor check in
GetServiceMonitorTLSConfig or normalizing the vendor before calling it. Use the
serviceMonitor function and GetServiceMonitorTLSConfig symbols to locate the
change.

In `@internal/pkg/helper/monitoring.go`:
- Around line 32-55: GetServiceMonitorTLSConfig currently treats only
constants.VendorOpenShift as the OpenShift case, so downstream OpenShift falls
into the CAFile branch instead of the Secret-based TLS config. Update the vendor
check in GetServiceMonitorTLSConfig to include
constants.VendorOpenShiftDownstream as well, matching the handling already used
in config.go and monitoring_objects.go, so both OpenShift variants use the same
service-ca configuration.

In `@internal/pkg/manager/config.go`:
- Around line 57-88: `Config.Validate` only checks `WebConsoleImage`, but
`ResolveWebConsoleImage` can return `WebConsolePF5Image` or `WebConsolePF4Image`
for OpenShift vendors. Update the `Validate` method to require the PF4/PF5 image
fields as well, or otherwise gate validation by the same vendor/version logic
used in `ResolveWebConsoleImage`, so empty variant images are caught before
reconciliation.

---

Outside diff comments:
In `@helm/templates/deployment.yaml`:
- Around line 34-41: The Helm deployment environment is missing
RELATED_IMAGE_EBPF_BYTECODE, which the operator expects with a configurable
fallback. Update the deployment template alongside the other RELATED_IMAGE_*
entries to pass this variable from values, using the ebpfAgent-related setting
so it can be overridden consistently with RELATED_IMAGE_EBPF_AGENT and the other
image env vars.

---

Nitpick comments:
In `@config/k8s/olm/description.md`:
- Line 1: The operator description text has a grammar issue in the opening
sentence. Update the wording in the description content used for the OLM CSV
.spec.description by changing the phrase in the sentence handled by the markdown
source from “consisting in” to “consisting of”; keep the rest of the NetObserv
Operator description unchanged.

In `@config/k8s/olm/kustomization.yaml`:
- Around line 1-7: Consolidate the Kustomization configuration by moving all
deprecated bases entries into the existing resources list in kustomization.yaml.
Update the Kustomization manifest so the resources field includes ../../csv,
../../crd, ../../rbac, ../../manager, ../../webhook, and ../../certmanager, and
remove any separate bases usage. After adjusting the Kustomization entry, run
make update-bundle to regenerate the bundle manifests.

In `@config/openshift/common/patch.yaml`:
- Around line 28-40: The commented-out CRD inject-cabundle block in the
OpenShift patch should either be removed or documented with a brief explanation
if it is intentionally kept as a placeholder. Update the patch content around
the CRD entries for flowcollectors.flows.netobserv.io and
flowmetrics.flows.netobserv.io so the intent is clear and there is no dead
configuration left behind.

In `@hack/helm-update.sh`:
- Around line 36-39: The loop in helm-update.sh uses unquoted shell expansions,
which can word-split or glob-expand unexpectedly. Update the copy and basename
usage in the for-loop so the iterated path variable and the generated
destination filename are properly quoted, and keep the change localized around
the bundle-to-helm template copy logic.

In `@Makefile`:
- Around line 434-441: The bundle generation pipeline is mixing `$(YQ)` with a
bare `yq`, which can make the second filter use a different binary or fail
entirely. Update the `generate bundle` recipe so both YAML transformations in
the same pipe invoke the same `$(YQ)` variable, keeping behavior consistent with
the existing `KUSTOMIZE` and `OPSDK` usage.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a671dbe0-333f-4885-85cd-427622fd05d9

📥 Commits

Reviewing files that changed from the base of the PR and between 4890497 and fdb2f79.

📒 Files selected for processing (119)
  • .mk/development.mk
  • AGENTS.md
  • DEVELOPMENT.md
  • Makefile
  • bundle.Dockerfile
  • bundles/k8s/manifests/flows.netobserv.io_flowcollectors.yaml
  • bundles/k8s/manifests/flows.netobserv.io_flowcollectorslices.yaml
  • bundles/k8s/manifests/flows.netobserv.io_flowmetrics.yaml
  • bundles/k8s/manifests/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-manager-config_v1_configmap.yaml
  • bundles/k8s/manifests/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-metrics-service_v1_service.yaml
  • bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml
  • bundles/k8s/manifests/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-webhook-service_v1_service.yaml
  • bundles/k8s/metadata/annotations.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowcollectors.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowcollectorslices.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowmetrics.yaml
  • bundles/openshift/manifests/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-manager-config_v1_configmap.yaml
  • bundles/openshift/manifests/netobserv-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
  • bundles/openshift/manifests/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-metrics-service_v1_service.yaml
  • bundles/openshift/manifests/netobserv-operator-prometheus_rbac.authorization.k8s.io_v1_role.yaml
  • bundles/openshift/manifests/netobserv-operator-prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
  • bundles/openshift/manifests/netobserv-operator.clusterserviceversion.yaml
  • bundles/openshift/manifests/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-webhook-service_v1_service.yaml
  • bundles/openshift/metadata/annotations.yaml
  • bundles/openshift/tests/scorecard/config.yaml
  • config/csv/bases/netobserv-operator.clusterserviceversion.yaml
  • config/csv/bases/transformed-csv.yaml
  • config/csv/kustomization.yaml
  • config/k8s-olm/kustomization.yaml
  • config/k8s/olm/cainjection_in_flowcollectors.yaml
  • config/k8s/olm/cainjection_in_flowmetrics.yaml
  • config/k8s/olm/description.md
  • config/k8s/olm/kustomization.yaml
  • config/k8s/olm/manager_webhook_patch.yaml
  • config/k8s/olm/webhookcainjection_patch.yaml
  • config/kind/kind.config.yaml
  • config/manager/kustomization.yaml
  • config/manager/manager.yaml
  • config/manager/metrics_service.yaml
  • config/manager/namespace.yaml
  • config/openshift-olm/default/patch.yaml
  • config/openshift-olm/kustomization.yaml
  • config/openshift/common/kustomization.yaml
  • config/openshift/common/manager-patch.yaml
  • config/openshift/common/monitor.yaml
  • config/openshift/common/patch.yaml
  • config/openshift/kustomization.yaml
  • config/openshift/monitor.yaml
  • config/openshift/monitoring-patch.yaml
  • config/openshift/olm/description.md
  • config/openshift/olm/kustomization.yaml
  • config/openshift/olm/tls-servername-patch.yaml
  • config/openshift/patch.yaml
  • config/webhook/service.yaml
  • hack/crd2csvSpecDesc.sh
  • hack/helm-update.sh
  • hack/nudging/OWNERS
  • hack/nudging/container_digest.sh
  • hack/patch_csv.py
  • hack/update-build.sh
  • helm/crds/flows.netobserv.io_flowcollectors.yaml
  • helm/crds/flows.netobserv.io_flowcollectorslices.yaml
  • helm/crds/flows.netobserv.io_flowmetrics.yaml
  • helm/templates/certificates.yaml
  • helm/templates/clusterrole.yaml
  • helm/templates/clusterrolebinding.yaml
  • helm/templates/deployment.yaml
  • helm/templates/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-manager-config_v1_configmap.yaml
  • helm/templates/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-metrics-service_v1_service.yaml
  • helm/templates/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-webhook-service_v1_service.yaml
  • helm/templates/role.yaml
  • helm/templates/rolebinding.yaml
  • helm/templates/serviceaccount.yaml
  • internal/controller/constants/constants.go
  • internal/controller/ebpf/agent_metrics.go
  • internal/controller/ebpf/internal/permissions/permissions.go
  • internal/controller/flowcollector_controller.go
  • internal/controller/flp/flp_common_objects.go
  • internal/controller/flp/flp_controller.go
  • internal/controller/flp/flp_monolith_objects.go
  • internal/controller/flp/flp_transfo_objects.go
  • internal/controller/monitoring/monitoring_controller.go
  • internal/controller/monitoring/monitoring_objects.go
  • internal/controller/networkpolicy/np_objects.go
  • internal/controller/networkpolicy/np_test.go
  • internal/controller/reconcilers/common.go
  • internal/controller/static/static_controller.go
  • internal/pkg/helper/monitoring.go
  • internal/pkg/manager/config.go
  • internal/pkg/manager/config_test.go
  • internal/pkg/test/envtest.go
  • main.go
💤 Files with no reviewable changes (15)
  • config/openshift-olm/kustomization.yaml
  • config/openshift/monitor.yaml
  • config/openshift/patch.yaml
  • config/openshift/monitoring-patch.yaml
  • config/openshift/common/kustomization.yaml
  • config/k8s-olm/kustomization.yaml
  • config/webhook/service.yaml
  • hack/patch_csv.py
  • config/manager/metrics_service.yaml
  • hack/nudging/container_digest.sh
  • config/openshift-olm/default/patch.yaml
  • bundles/openshift/manifests/netobserv-webhook-service_v1_service.yaml
  • config/kind/kind.config.yaml
  • hack/update-build.sh
  • hack/nudging/OWNERS

Comment thread .mk/development.mk
Comment thread bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml Outdated
Comment thread config/csv/bases/transformed-csv.yaml
Comment thread config/openshift/common/monitor.yaml
Comment thread internal/controller/flp/flp_common_objects.go Outdated
Comment thread internal/pkg/helper/monitoring.go Outdated
Comment on lines 32 to 55
func GetServiceMonitorTLSConfig(tls *flowslatest.ServerTLS, serverName string, vendor constants.Vendor) (monitoringv1.Scheme, *monitoringv1.TLSConfig) {
if tls.Type == flowslatest.TLSAuto {
if isDownstream {
if vendor == constants.VendorOpenShift {
// Upstream prometheus disallows CAFile
return "https", &monitoringv1.TLSConfig{
SafeTLSConfig: monitoringv1.SafeTLSConfig{
ServerName: ptr.To(serverName),
CA: monitoringv1.SecretOrConfigMap{
ConfigMap: &corev1.ConfigMapKeySelector{
Key: "service-ca.crt",
LocalObjectReference: corev1.LocalObjectReference{
Name: "openshift-service-ca.crt",
},
},
},
},
CAFile: "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
}
}
// Upstream prometheus disallows CAFile
return "https", &monitoringv1.TLSConfig{
SafeTLSConfig: monitoringv1.SafeTLSConfig{
ServerName: ptr.To(serverName),
CA: monitoringv1.SecretOrConfigMap{
ConfigMap: &corev1.ConfigMapKeySelector{
Key: "service-ca.crt",
LocalObjectReference: corev1.LocalObjectReference{
Name: "openshift-service-ca.crt",
},
},
},
},
CAFile: "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Enumerate Vendor constants and any OpenShift helper, plus all comparison sites.
fd -t f 'constants.go' internal/controller/constants -x cat -n {}
echo '--- Vendor comparisons ---'
rg -nP 'Vendor(OpenShift\w*)?\b' internal/ -g '!*_test.go' -C1
echo '--- IsOpenShift-style helpers on Vendor ---'
rg -nP 'func .*Vendor.*\) (Is|IsOpenShift)' internal/

Repository: netobserv/netobserv-operator

Length of output: 10953


Incorrect vendor check excludes downstream OpenShift TLS configuration

GetServiceMonitorTLSConfig at internal/pkg/helper/monitoring.go:L34 checks only vendor == constants.VendorOpenShift. Downstream deployments use constants.VendorOpenShiftDownstream, causing them to fall through to the file-based CAFile path which likely does not contain the required CA or behave differently than the Secret-based approach used for upstream.

Other critical paths consistently handle both variants (e.g., config.go:L44, monitoring_objects.go:L28). Update the check to include VendorOpenShiftDownstream to ensure downstream ServiceMonitors use the correct Secret reference:

if vendor == constants.VendorOpenShift || vendor == constants.VendorOpenShiftDownstream {
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/pkg/helper/monitoring.go` around lines 32 - 55,
GetServiceMonitorTLSConfig currently treats only constants.VendorOpenShift as
the OpenShift case, so downstream OpenShift falls into the CAFile branch instead
of the Secret-based TLS config. Update the vendor check in
GetServiceMonitorTLSConfig to include constants.VendorOpenShiftDownstream as
well, matching the handling already used in config.go and monitoring_objects.go,
so both OpenShift variants use the same service-ca configuration.

Comment thread internal/pkg/manager/config.go
@github-actions github-actions Bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml (1)

1004-1020: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Restore the eBPF bytecode related image wiring.

EBPFByteCodeImage still exists in the manager config contract, but this CSV no longer provides RELATED_IMAGE_EBPF_BYTECODE or a matching relatedImages entry. That breaks OLM mirroring/reproducibility for the bytecode image and can leave the manager with an empty/default image.

Proposed fix
                 - name: RELATED_IMAGE_DEMO_LOKI
                   value: grafana/loki:3.5.0
+                - name: RELATED_IMAGE_EBPF_BYTECODE
+                  value: quay.io/netobserv/ebpf-bytecode:v1.11.5-community
                 - name: NAMESPACE
                   valueFrom:
                     fieldRef:
                       fieldPath: metadata.namespace
   - image: grafana/loki:3.5.0
     name: demo-loki
+  - image: quay.io/netobserv/ebpf-bytecode:v1.11.5-community
+    name: ebpf-bytecode
#!/bin/bash
# Verify the manager config field, env var, and bundle related image stay in sync.
rg -nP 'EBPFByteCodeImage|RELATED_IMAGE_EBPF_BYTECODE|ebpf-bytecode' internal bundles config helm

Also applies to: 1141-1153

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml` around
lines 1004 - 1020, Restore the eBPF bytecode image wiring in the CSV so it stays
aligned with the manager config contract: add back the
RELATED_IMAGE_EBPF_BYTECODE environment variable in the relatedImages/env block
and ensure the matching relatedImages entry is present for the bytecode image.
Update the bundle manifest sections that define RELATED_IMAGE_EBPF_AGENT and the
other RELATED_IMAGE_* values so EBPFByteCodeImage has a corresponding image
source and the manager does not fall back to an empty/default image.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Around line 414-417: The deploy target is mixing OpenShift manifests with
whatever CSV happens to be in $(BUNDLE_OUT), so make deploy can accidentally
apply the non-OpenShift bundle into an OpenShift install. Update the deploy
recipe to explicitly use the OpenShift bundle output path or OpenShift-specific
CSV source, keeping the existing config/openshift apply and
openshift-netobserv-operator namespace creation aligned with the same OpenShift
bundle flow. Use the deploy target and the
$(BUNDLE_OUT)/manifests/netobserv-operator.clusterserviceversion.yaml reference
as the key places to pin this to OpenShift.

---

Duplicate comments:
In `@bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml`:
- Around line 1004-1020: Restore the eBPF bytecode image wiring in the CSV so it
stays aligned with the manager config contract: add back the
RELATED_IMAGE_EBPF_BYTECODE environment variable in the relatedImages/env block
and ensure the matching relatedImages entry is present for the bytecode image.
Update the bundle manifest sections that define RELATED_IMAGE_EBPF_AGENT and the
other RELATED_IMAGE_* values so EBPFByteCodeImage has a corresponding image
source and the manager does not fall back to an empty/default image.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c792ea1b-724f-43dc-b693-ab2226deef13

📥 Commits

Reviewing files that changed from the base of the PR and between fdb2f79 and 76b42a7.

📒 Files selected for processing (9)
  • .mk/development.mk
  • Makefile
  • bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml
  • bundles/openshift/manifests/netobserv-operator.clusterserviceversion.yaml
  • config/csv/bases/netobserv-operator.clusterserviceversion.yaml
  • config/csv/bases/transformed-csv.yaml
  • config/manager/manager.yaml
  • internal/pkg/helper/monitoring.go
  • main.go
💤 Files with no reviewable changes (2)
  • config/manager/manager.yaml
  • internal/pkg/helper/monitoring.go
✅ Files skipped from review due to trivial changes (1)
  • config/csv/bases/transformed-csv.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • config/csv/bases/netobserv-operator.clusterserviceversion.yaml
  • .mk/development.mk
  • main.go
  • bundles/openshift/manifests/netobserv-operator.clusterserviceversion.yaml

Comment thread Makefile
@github-actions github-actions Bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@github-actions github-actions Bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@github-actions github-actions Bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@github-actions github-actions Bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
jotak added 6 commits June 25, 2026 15:41
Replace the "is downstream" flag with a "vendor" parameter, which is more
neutral and makes place for more than openshift.

Use only env-based arguments instead of env + command line.
Hardcode the vendor-based logic for plugin variant detection (makes code
simpler; this didn't look like something people would override
anyway)

Refactor kustomize configs:

- Clearer vendoring with "BUNDLE_TARGET=OpenShift"
- All possible targets (2 currently) are now created when running "make
  update-bundle"
- Better separation OpenShift vs Vanilla in OLM config: there's now
  config/k8s[/olm] on one side and config/openshift[/olm] on the other
- Remove a few openshift-specific annotations that were still left in
  the generic configs
- Helm chart is now generated from the k8s bundle, not the openshift one
- Avoid creating temporary files here and there; more pipes
@github-actions github-actions Bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026
@github-actions

Copy link
Copy Markdown

New images:

quay.io/netobserv/network-observability-operator:8a3b2b83
quay.io/netobserv/network-observability-operator-bundle:v0.0.0-sha-8a3b2b83
quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-8a3b2b83

They will expire in two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:8a3b2b83 make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-sha-8a3b2b83

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-8a3b2b83
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@github-actions github-actions Bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 25, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/pkg/helper/monitoring.go`:
- Around line 31-37: The TLSAuto handling in GetServiceMonitorTLSConfig is now
hardcoded to a downstream OpenShift CAFile path, which breaks upstream FLP and
eBPF scrapes. Restore the vendor-aware split in GetServiceMonitorTLSConfig by
preserving the upstream SafeTLSConfig.CA branch and only using the OpenShift
CAFile path for downstream cases, or move that vendor-specific logic back to the
callers that build the ServiceMonitor config.

In `@Makefile`:
- Around line 68-78: `BUNDLE_STORED_DATE` is being evaluated too late, so the
`grep` can read the regenerated CSV instead of the pre-existing `createdAt`
value. Update the Makefile assignment in the bundle date restore logic to use
immediate expansion in the `BUNDLE_STORED_DATE` definition, so the value is
captured before any later bundle generation step runs.
- Around line 447-449: The Makefile validation step in the bundle validation
recipe is only checking the captured text for “warning” and can miss real
failures; update the validation flow around the VALIDATION_OUTPUT assignment so
it also stops on a non-zero exit from the opsdk bundle validate command. Use the
existing bundle validation command and the surrounding shell block to capture
the command status explicitly, then fail the recipe whenever validation returns
an error, not just when the output contains warning text.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bf7d8443-c153-4e86-8e65-15cc603c05c7

📥 Commits

Reviewing files that changed from the base of the PR and between 1abf1bb and c809645.

📒 Files selected for processing (121)
  • .github/workflows/build_image_pr.yml
  • .mk/development.mk
  • AGENTS.md
  • DEVELOPMENT.md
  • Makefile
  • bundle.Dockerfile
  • bundles/k8s/manifests/flows.netobserv.io_flowcollectors.yaml
  • bundles/k8s/manifests/flows.netobserv.io_flowcollectorslices.yaml
  • bundles/k8s/manifests/flows.netobserv.io_flowmetrics.yaml
  • bundles/k8s/manifests/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-manager-config_v1_configmap.yaml
  • bundles/k8s/manifests/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-metrics-service_v1_service.yaml
  • bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml
  • bundles/k8s/manifests/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-webhook-service_v1_service.yaml
  • bundles/k8s/metadata/annotations.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowcollectors.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowcollectorslices.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowmetrics.yaml
  • bundles/openshift/manifests/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-manager-config_v1_configmap.yaml
  • bundles/openshift/manifests/netobserv-metrics-monitor_monitoring.coreos.com_v1_servicemonitor.yaml
  • bundles/openshift/manifests/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-metrics-service_v1_service.yaml
  • bundles/openshift/manifests/netobserv-operator-prometheus_rbac.authorization.k8s.io_v1_role.yaml
  • bundles/openshift/manifests/netobserv-operator-prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
  • bundles/openshift/manifests/netobserv-operator.clusterserviceversion.yaml
  • bundles/openshift/manifests/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-webhook-service_v1_service.yaml
  • bundles/openshift/metadata/annotations.yaml
  • bundles/openshift/tests/scorecard/config.yaml
  • config/csv/bases/netobserv-operator.clusterserviceversion.yaml
  • config/csv/bases/transformed-csv.yaml
  • config/csv/kustomization.yaml
  • config/k8s-olm/kustomization.yaml
  • config/k8s/olm/cainjection_in_flowcollectors.yaml
  • config/k8s/olm/cainjection_in_flowmetrics.yaml
  • config/k8s/olm/description.md
  • config/k8s/olm/kustomization.yaml
  • config/k8s/olm/manager_webhook_patch.yaml
  • config/k8s/olm/webhookcainjection_patch.yaml
  • config/kind/kind.config.yaml
  • config/manager/kustomization.yaml
  • config/manager/manager.yaml
  • config/manager/metrics_service.yaml
  • config/manager/namespace.yaml
  • config/openshift-olm/default/patch.yaml
  • config/openshift-olm/kustomization.yaml
  • config/openshift/common/kustomization.yaml
  • config/openshift/common/manager-patch.yaml
  • config/openshift/common/monitor.yaml
  • config/openshift/common/patch.yaml
  • config/openshift/kustomization.yaml
  • config/openshift/monitor.yaml
  • config/openshift/monitoring-patch.yaml
  • config/openshift/olm/description.md
  • config/openshift/olm/kustomization.yaml
  • config/openshift/olm/tls-servername-patch.yaml
  • config/openshift/patch.yaml
  • config/webhook/service.yaml
  • hack/crd2csvSpecDesc.sh
  • hack/helm-update.sh
  • hack/nudging/OWNERS
  • hack/nudging/container_digest.sh
  • hack/patch_csv.py
  • hack/update-build.sh
  • hack/update_fbc.sh
  • helm/crds/flows.netobserv.io_flowcollectors.yaml
  • helm/crds/flows.netobserv.io_flowcollectorslices.yaml
  • helm/crds/flows.netobserv.io_flowmetrics.yaml
  • helm/templates/certificates.yaml
  • helm/templates/clusterrole.yaml
  • helm/templates/clusterrolebinding.yaml
  • helm/templates/deployment.yaml
  • helm/templates/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-manager-config_v1_configmap.yaml
  • helm/templates/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-metrics-service_v1_service.yaml
  • helm/templates/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-webhook-service_v1_service.yaml
  • helm/templates/role.yaml
  • helm/templates/rolebinding.yaml
  • helm/templates/serviceaccount.yaml
  • internal/controller/constants/constants.go
  • internal/controller/ebpf/agent_metrics.go
  • internal/controller/ebpf/internal/permissions/permissions.go
  • internal/controller/flowcollector_controller.go
  • internal/controller/flp/flp_common_objects.go
  • internal/controller/flp/flp_controller.go
  • internal/controller/flp/flp_monolith_objects.go
  • internal/controller/flp/flp_transfo_objects.go
  • internal/controller/monitoring/monitoring_controller.go
  • internal/controller/monitoring/monitoring_objects.go
  • internal/controller/networkpolicy/np_objects.go
  • internal/controller/networkpolicy/np_test.go
  • internal/controller/reconcilers/common.go
  • internal/controller/static/static_controller.go
  • internal/pkg/helper/monitoring.go
  • internal/pkg/manager/config.go
  • internal/pkg/manager/config_test.go
  • internal/pkg/test/envtest.go
  • main.go
💤 Files with no reviewable changes (17)
  • config/openshift/common/kustomization.yaml
  • config/openshift/monitoring-patch.yaml
  • config/k8s-olm/kustomization.yaml
  • config/webhook/service.yaml
  • internal/controller/flp/flp_transfo_objects.go
  • hack/nudging/OWNERS
  • config/manager/metrics_service.yaml
  • config/openshift-olm/default/patch.yaml
  • config/openshift/patch.yaml
  • config/openshift-olm/kustomization.yaml
  • config/openshift/monitor.yaml
  • config/kind/kind.config.yaml
  • bundles/openshift/manifests/netobserv-webhook-service_v1_service.yaml
  • hack/nudging/container_digest.sh
  • hack/update-build.sh
  • hack/patch_csv.py
  • internal/controller/flp/flp_monolith_objects.go
✅ Files skipped from review due to trivial changes (39)
  • helm/templates/serviceaccount.yaml
  • config/manager/namespace.yaml
  • helm/templates/clusterrole.yaml
  • helm/templates/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/crds/flows.netobserv.io_flowcollectorslices.yaml
  • helm/templates/role.yaml
  • helm/templates/netobserv-webhook-service_v1_service.yaml
  • bundles/openshift/manifests/netobserv-manager-config_v1_configmap.yaml
  • helm/templates/netobserv-metrics-service_v1_service.yaml
  • bundles/k8s/manifests/netobserv-webhook-service_v1_service.yaml
  • helm/crds/flows.netobserv.io_flowmetrics.yaml
  • helm/templates/rolebinding.yaml
  • bundle.Dockerfile
  • helm/templates/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/clusterrolebinding.yaml
  • helm/templates/certificates.yaml
  • config/openshift/olm/tls-servername-patch.yaml
  • bundles/openshift/manifests/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • config/openshift/common/patch.yaml
  • helm/templates/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-manager-config_v1_configmap.yaml
  • config/openshift/common/manager-patch.yaml
  • AGENTS.md
  • config/manager/kustomization.yaml
  • config/k8s/olm/description.md
  • helm/templates/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/k8s/manifests/netobserv-metrics-service_v1_service.yaml
  • helm/templates/netobserv-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/crds/flows.netobserv.io_flowcollectors.yaml
  • bundles/openshift/manifests/netobserv-loki-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • helm/templates/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • internal/controller/monitoring/monitoring_controller.go
  • config/csv/bases/transformed-csv.yaml
  • DEVELOPMENT.md
  • bundles/openshift/manifests/netobserv-config-watcher_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-operator-prometheus_rbac.authorization.k8s.io_v1_rolebinding.yaml
🚧 Files skipped from review as they are similar to previous changes (36)
  • config/openshift/olm/kustomization.yaml
  • bundles/openshift/manifests/netobserv-loki-writer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • internal/controller/flowcollector_controller.go
  • bundles/openshift/manifests/netobserv-operator-prometheus_rbac.authorization.k8s.io_v1_role.yaml
  • bundles/openshift/manifests/netobserv-expose-metrics_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-flowcollector-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • internal/controller/reconcilers/common.go
  • hack/update_fbc.sh
  • hack/crd2csvSpecDesc.sh
  • internal/controller/networkpolicy/np_test.go
  • internal/controller/ebpf/agent_metrics.go
  • config/csv/kustomization.yaml
  • config/openshift/common/monitor.yaml
  • config/csv/bases/netobserv-operator.clusterserviceversion.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowcollectorslices.yaml
  • config/k8s/olm/kustomization.yaml
  • bundles/openshift/manifests/netobserv-token-review_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundles/openshift/manifests/netobserv-hostnetwork_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • internal/controller/static/static_controller.go
  • internal/controller/flp/flp_controller.go
  • internal/controller/constants/constants.go
  • helm/templates/deployment.yaml
  • bundles/openshift/manifests/netobserv-informers_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • config/openshift/kustomization.yaml
  • bundles/openshift/manifests/flows.netobserv.io_flowmetrics.yaml
  • internal/controller/monitoring/monitoring_objects.go
  • bundles/k8s/metadata/annotations.yaml
  • config/manager/manager.yaml
  • .mk/development.mk
  • internal/pkg/manager/config_test.go
  • internal/pkg/test/envtest.go
  • internal/controller/ebpf/internal/permissions/permissions.go
  • internal/pkg/manager/config.go
  • main.go
  • bundles/openshift/manifests/netobserv-operator.clusterserviceversion.yaml
  • bundles/k8s/manifests/netobserv-operator.clusterserviceversion.yaml

Comment on lines +31 to +37
func GetServiceMonitorTLSConfig(tls *flowslatest.ServerTLS, serverName string) (monitoringv1.Scheme, *monitoringv1.TLSConfig) {
if tls.Type == flowslatest.TLSAuto {
if isDownstream {
return "https", &monitoringv1.TLSConfig{
SafeTLSConfig: monitoringv1.SafeTLSConfig{
ServerName: ptr.To(serverName),
},
CAFile: "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
}
}
// Upstream prometheus disallows CAFile
return "https", &monitoringv1.TLSConfig{
SafeTLSConfig: monitoringv1.SafeTLSConfig{
ServerName: ptr.To(serverName),
CA: monitoringv1.SecretOrConfigMap{
ConfigMap: &corev1.ConfigMapKeySelector{
Key: "service-ca.crt",
LocalObjectReference: corev1.LocalObjectReference{
Name: "openshift-service-ca.crt",
},
},
},
},
CAFile: "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Restore vendor-aware TLSAuto handling.

This now emits the downstream OpenShift CAFile path for every TLSAuto ServiceMonitor. The upstream SafeTLSConfig.CA branch is gone, so FLP and eBPF auto-TLS scrapes can break outside downstream OpenShift. Keep the vendor split here, or restore it at the callers, instead of hardcoding a single CA source.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/pkg/helper/monitoring.go` around lines 31 - 37, The TLSAuto handling
in GetServiceMonitorTLSConfig is now hardcoded to a downstream OpenShift CAFile
path, which breaks upstream FLP and eBPF scrapes. Restore the vendor-aware split
in GetServiceMonitorTLSConfig by preserving the upstream SafeTLSConfig.CA branch
and only using the OpenShift CAFile path for downstream cases, or move that
vendor-specific logic back to the callers that build the ServiceMonitor config.

Comment thread Makefile
Comment on lines +68 to +78
ifeq ("$(BUNDLE_TARGET)", "OpenShift")
BUNDLE_CONFIG = config/openshift/olm
BUNDLE_OUT = bundles/openshift
else
BUNDLE_CONFIG = config/k8s/olm
BUNDLE_OUT = bundles/k8s
endif

# If we don't want to set bundle date (upon bundle update call), store current date
ifneq ("$(BUNDLE_SET_DATE)", "true")
BUNDLE_STORED_DATE = $(shell grep "createdAt:" bundle/manifests/netobserv-operator.clusterserviceversion.yaml | sed -r 's/^.*createdAt:[ ]*(.*)/\1/')
BUNDLE_STORED_DATE = $(shell grep "createdAt:" $(BUNDLE_OUT)/manifests/netobserv-operator.clusterserviceversion.yaml | sed -r 's/^.*createdAt:[ ]*(.*)/\1/')

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Capture createdAt before regenerating the bundle.

BUNDLE_STORED_DATE is recursively expanded, so the grep can run when Line 444 restores the date, after the new CSV has already been generated. Use immediate assignment to preserve the pre-existing value.

Proposed fix
-	BUNDLE_STORED_DATE = $(shell grep "createdAt:" $(BUNDLE_OUT)/manifests/netobserv-operator.clusterserviceversion.yaml | sed -r 's/^.*createdAt:[ ]*(.*)/\1/')
+	BUNDLE_STORED_DATE := $(shell grep "createdAt:" $(BUNDLE_OUT)/manifests/netobserv-operator.clusterserviceversion.yaml | sed -r 's/^.*createdAt:[ ]*(.*)/\1/')
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ifeq ("$(BUNDLE_TARGET)", "OpenShift")
BUNDLE_CONFIG = config/openshift/olm
BUNDLE_OUT = bundles/openshift
else
BUNDLE_CONFIG = config/k8s/olm
BUNDLE_OUT = bundles/k8s
endif
# If we don't want to set bundle date (upon bundle update call), store current date
ifneq ("$(BUNDLE_SET_DATE)", "true")
BUNDLE_STORED_DATE = $(shell grep "createdAt:" bundle/manifests/netobserv-operator.clusterserviceversion.yaml | sed -r 's/^.*createdAt:[ ]*(.*)/\1/')
BUNDLE_STORED_DATE = $(shell grep "createdAt:" $(BUNDLE_OUT)/manifests/netobserv-operator.clusterserviceversion.yaml | sed -r 's/^.*createdAt:[ ]*(.*)/\1/')
ifeq ("$(BUNDLE_TARGET)", "OpenShift")
BUNDLE_CONFIG = config/openshift/olm
BUNDLE_OUT = bundles/openshift
else
BUNDLE_CONFIG = config/k8s/olm
BUNDLE_OUT = bundles/k8s
endif
# If we don't want to set bundle date (upon bundle update call), store current date
ifneq ("$(BUNDLE_SET_DATE)", "true")
BUNDLE_STORED_DATE := $(shell grep "createdAt:" $(BUNDLE_OUT)/manifests/netobserv-operator.clusterserviceversion.yaml | sed -r 's/^.*createdAt:[ ]*(.*)/\1/')
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 68 - 78, `BUNDLE_STORED_DATE` is being evaluated too
late, so the `grep` can read the regenerated CSV instead of the pre-existing
`createdAt` value. Update the Makefile assignment in the bundle date restore
logic to use immediate expansion in the `BUNDLE_STORED_DATE` definition, so the
value is captured before any later bundle generation step runs.

Comment thread Makefile
Comment on lines +447 to 449
VALIDATION_OUTPUT=$$($(OPSDK) bundle validate $(BUNDLE_OUT) --select-optional suite=operatorframework); \
echo $${VALIDATION_OUTPUT}; \
if [ $$(echo $${VALIDATION_OUTPUT} | grep -i 'warning' | wc -c) -gt 0 ]; then echo "please correct warnings and errors first"; exit -1 ; fi \

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Fail when bundle validation exits non-zero.

VALIDATION_OUTPUT=$$(...) captures the validation output, but the recipe then continues and only fails if the text contains warning. Validation errors without that word can pass.

Proposed fix
-	VALIDATION_OUTPUT=$$($(OPSDK) bundle validate $(BUNDLE_OUT) --select-optional suite=operatorframework); \
-	echo $${VALIDATION_OUTPUT}; \
-	if [ $$(echo $${VALIDATION_OUTPUT} | grep -i 'warning' | wc -c) -gt 0 ]; then echo "please correct warnings and errors first"; exit -1 ; fi \
+	VALIDATION_OUTPUT=$$($(OPSDK) bundle validate $(BUNDLE_OUT) --select-optional suite=operatorframework 2>&1); \
+	VALIDATION_STATUS=$$?; \
+	echo "$${VALIDATION_OUTPUT}"; \
+	if [ $${VALIDATION_STATUS} -ne 0 ] || echo "$${VALIDATION_OUTPUT}" | grep -iq 'warning'; then echo "please correct warnings and errors first"; exit 1 ; fi \
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
VALIDATION_OUTPUT=$$($(OPSDK) bundle validate $(BUNDLE_OUT) --select-optional suite=operatorframework); \
echo $${VALIDATION_OUTPUT}; \
if [ $$(echo $${VALIDATION_OUTPUT} | grep -i 'warning' | wc -c) -gt 0 ]; then echo "please correct warnings and errors first"; exit -1 ; fi \
VALIDATION_OUTPUT=$$($(OPSDK) bundle validate $(BUNDLE_OUT) --select-optional suite=operatorframework 2>&1); \
VALIDATION_STATUS=$$?; \
echo "$${VALIDATION_OUTPUT}"; \
if [ $${VALIDATION_STATUS} -ne 0 ] || echo "$${VALIDATION_OUTPUT}" | grep -iq 'warning'; then echo "please correct warnings and errors first"; exit 1 ; fi \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 447 - 449, The Makefile validation step in the bundle
validation recipe is only checking the captured text for “warning” and can miss
real failures; update the validation flow around the VALIDATION_OUTPUT
assignment so it also stops on a non-zero exit from the opsdk bundle validate
command. Use the existing bundle validation command and the surrounding shell
block to capture the command status explicitly, then fail the recipe whenever
validation returns an error, not just when the output contains warning text.

@memodi memodi left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

much of our testing like nightly perf test and daily testing uses upstream bundle v0.0.0-main , could you summarize how that bundle would be impacted with changes here?

at minimum for env vars update, we'd need to update some of our scripts:

for perf tests https://github.com/netobserv/netobserv-perf-tests/blob/main/scripts/netobserv.sh#L105-L133
https://gitlab.cee.redhat.com/netobserv-qe/netobserv-qe-scripts/-/blob/main/patch_netobserv.sh?ref_type=heads

how does metrics publishing now will be controlled in upstream bundle tag with v0.0.0-sha-main?

it seems now with upstream bundle operator bundle will be installed in system ns, true? if so, we'd need to change perf tests metrics collection for this.

@jotak

jotak commented Jun 25, 2026

Copy link
Copy Markdown
Member Author

much of our testing like nightly perf test and daily testing uses upstream bundle v0.0.0-main , could you summarize how that bundle would be impacted with changes here?

Nothing should change, we'll continue to generate a v0.0.0-main bundle+catalog; the only difference should be that it will be "downstream-ready" ie. you won't have to patch it for collecting metrics via cluster monitoring.

at minimum for env vars update, we'd need to update some of our scripts:

for perf tests https://github.com/netobserv/netobserv-perf-tests/blob/main/scripts/netobserv.sh#L105-L133 https://gitlab.cee.redhat.com/netobserv-qe/netobserv-qe-scripts/-/blob/main/patch_netobserv.sh?ref_type=heads

I see, yes that will have to change, similar to what I did on openshift/release

how does metrics publishing now will be controlled in upstream bundle tag with v0.0.0-sha-main?

"will be controlled" => do you mean that you want to turn it on and off? It doesn't have to be always on?
If so => the previous DOWNSTREAM_DEPLOYMENT var is changed for "VENDOR". In the test bundles, it's directly set to "OpenShift_Downstream". If for some reason you want to turn it of, you can set it to just "OpenShift".

it seems now with upstream bundle operator bundle will be installed in system ns, true? if so, we'd need to change perf tests metrics collection for this.

No no, "system" is the default that operator-sdk uses when bootstrapping the project, but it's a placeholder. I've set it in some places to "system" just for consistency (it was confusing to see different names for placeholders). At the end of the day, it should stay the same as before in the bundle.

@memodi

memodi commented Jun 25, 2026

Copy link
Copy Markdown
Member

"will be controlled" => do you mean that you want to turn it on and off? It doesn't have to be always on?

always on is definitely good if that's how it's going to be. We should definitely run some tests when this is ready on the newer bundles from this PR. cc @Amoghrd @kapjain-rh

@jotak jotak added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Jun 26, 2026
@jotak jotak changed the title NETOBSERV-2554: Refactor bundling for vendoring NETOBSERV-2841: Refactor bundling for vendoring Jun 26, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

@jotak: This pull request references NETOBSERV-2841 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Description

Replace the "is downstream" flag with a "vendor" parameter, which is more neutral and makes place for more than openshift.

Use only env-based arguments instead of env + command line. Hardcode the vendor-based logic for plugin variant detection (makes code simpler; this didn't look like something people would override anyway)

Refactor kustomize configs:

  • Clearer vendoring with "BUNDLE_TARGET=OpenShift"
  • All possible targets (2 currently) are now created when running "make update-bundle"
  • Better separation OpenShift vs Vanilla in OLM config: there's now config/k8s[/olm] on one side and config/openshift[/olm] on the other
  • Remove a few openshift-specific annotations that were still left in the generic configs
  • Helm chart is now generated from the k8s bundle, not the openshift one
  • Avoid creating temporary files here and there; more pipes

Dependencies

Checklist

  • Does the changes in PR need specific configuration or environment set up for testing?
    • if so please describe it in PR description.
  • I have added thorough unit tests for the change.
  • QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Summary by CodeRabbit

  • New Features
  • Adds FlowCollectorSlice and FlowMetric OpenShift resources, plus new/updated metrics, webhook, and metrics-exposure Services and RBAC.
  • Bug Fixes
  • Updates console image handling to use web console images (including PF variants) and aligns downstream/vendor behavior to an OpenShift_Downstream model.
  • Improves ServiceMonitor/Webhook/TLS wiring for the current bundle layout.
  • Documentation
  • Refreshes setup/development guidance and updates console image environment-variable references to RELATED_IMAGE_WEB_CONSOLE.
  • Chores
  • Regenerates bundle and Helm artifacts to match the new bundle structure and manifest paths.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@github-actions

Copy link
Copy Markdown

New images:

quay.io/netobserv/network-observability-operator:c8096456
quay.io/netobserv/network-observability-operator-bundle:v0.0.0-sha-c8096456
quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-c8096456

They will expire in two weeks.

To deploy this build:

# Direct deployment, from operator repo
IMAGE=quay.io/netobserv/network-observability-operator:c8096456 make deploy

# Or using operator-sdk
operator-sdk run bundle quay.io/netobserv/network-observability-operator-bundle:v0.0.0-sha-c8096456

Or as a Catalog Source:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: netobserv-dev
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-c8096456
  displayName: NetObserv development catalog
  publisher: Me
  updateStrategy:
    registryPoll:
      interval: 1m

@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown

@jotak: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-operator c809645 link false /test e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jotak

jotak commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

@memodi it's fine to be reviewed - I ran some smoke tests with the image above (quay.io/netobserv/network-observability-operator-catalog:v0.0.0-sha-c8096456) and it seems fine to me

@memodi

memodi commented Jun 29, 2026

Copy link
Copy Markdown
Member

/lgtm

(verified metrics publish and install works well)

@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference needs-rebase ok-to-test To set manually when a PR is safe to test. Triggers image build on PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants