OCPBUGS-74506: Remove ConsolePluginSecurityPolicy featuregate

[jhadvig]

User description

/assign @JoelSpeed

---

PR Type

Enhancement

---

Description

• Remove ConsolePluginContentSecurityPolicy feature gate

• Make CSP configuration always available for ConsolePlugin

• Move CSP tests from gated to ungated test suite

• Update feature gate manifests and documentation

---

Diagram Walkthrough

flowchart LR
  A["ConsolePluginContentSecurityPolicy<br/>Feature Gate"] -->|Remove| B["CSP Always Available"]
  C["Gated Test Suite<br/>ConsolePluginContentSecurityPolicy.yaml"] -->|Migrate| D["Ungated Test Suite<br/>AAA_ungated.yaml"]
  E["Feature Gate Definition<br/>features.go"] -->|Delete| F["No Feature Gate"]
  B -->|Update| G["CRD Manifests"]
  D -->|Add| G

Loading

File Walkthrough

	Relevant files
Enhancement	5 files types_console_plugin.go Remove feature gate annotation from CSP field                        +0/-1      features.go Delete ConsolePluginContentSecurityPolicy feature gate definition +0/-8      zz_generated.featuregated-crd-manifests.yaml Clear FeatureGates list for ConsolePlugin CRD                        +1/-2      AAA_ungated.yaml Add full CSP schema to ungated CRD manifest                            +123/-0  ConsolePluginContentSecurityPolicy.yaml Remove feature-gated CRD manifest file                                      +0/-353
Tests	2 files AAA_ungated.yaml Add comprehensive CSP validation tests to ungated suite    +186/-0  ConsolePluginContentSecurityPolicy.yaml Remove feature-gated CSP test file entirely                            +0/-194
Documentation	1 files features.md Remove ConsolePluginContentSecurityPolicy from feature matrix +0/-1
Configuration changes	8 files featureGate-Hypershift-Default.yaml Remove CSP feature gate from Hypershift Default profile    +0/-3      featureGate-Hypershift-DevPreviewNoUpgrade.yaml Remove CSP feature gate from Hypershift DevPreview profile +0/-3      featureGate-Hypershift-OKD.yaml Remove CSP feature gate from Hypershift OKD profile            +0/-3      featureGate-Hypershift-TechPreviewNoUpgrade.yaml Remove CSP feature gate from Hypershift TechPreview profile +0/-3      featureGate-SelfManagedHA-Default.yaml Remove CSP feature gate from SelfManagedHA Default profile +0/-3      featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml Remove CSP feature gate from SelfManagedHA DevPreview profile +0/-3      featureGate-SelfManagedHA-OKD.yaml Remove CSP feature gate from SelfManagedHA OKD profile      +0/-3      featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml Remove CSP feature gate from SelfManagedHA TechPreview profile +0/-3

---

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @jhadvig! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci-robot]

@jhadvig: This pull request references Jira Issue OCPBUGS-74506, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/assign @JoelSpeed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 6dd8ec30-4117-4752-bfc7-6ff7154438e8

📥 Commits

Reviewing files that changed from the base of the PR and between 262f93d and 8715e31.

⛔ Files ignored due to path filters (2)

• console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**

📒 Files selected for processing (6)

• console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml
• console/v1/tests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml
• console/v1/types_console_plugin.go
• console/v1/zz_generated.featuregated-crd-manifests.yaml
• features.md
• features/features.go

💤 Files with no reviewable changes (3)

• features.md
• console/v1/types_console_plugin.go
• console/v1/tests/consoleplugins.console.openshift.io/ConsolePluginContentSecurityPolicy.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• console/v1/zz_generated.featuregated-crd-manifests.yaml
• console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml

---

📝 Walkthrough

Walkthrough

This change removes the ConsolePluginContentSecurityPolicy feature gate and ungates the functionality. The Content Security Policy validation tests are relocated from a feature-gated test file to the ungated test suite. The feature gate annotation is removed from the ConsolePluginSpec struct documentation. The feature gate declaration and registration are removed from the features module. The CRD manifest's FeatureGates list is cleared for the consoleplugins resource, and the corresponding entry is removed from the features documentation.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: removing the ConsolePluginContentSecurityPolicy feature gate. It is specific, concise, and clearly identifies the primary objective of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description includes a user description section that clearly describes the intent: removing the ConsolePluginContentSecurityPolicy feature gate, making CSP configuration always available, migrating tests, and updating manifests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@jhadvig: This pull request references Jira Issue OCPBUGS-74506, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

Details

In response to this:

User description

/assign @JoelSpeed

---

PR Type

Enhancement

---

Description

• Remove ConsolePluginContentSecurityPolicy feature gate

• Make CSP configuration always available for ConsolePlugin

• Move CSP tests from gated to ungated test suite

• Update feature gate manifests and documentation

---

Diagram Walkthrough

flowchart LR
 A["ConsolePluginContentSecurityPolicy<br/>Feature Gate"] -->|Remove| B["CSP Always Available"]
 C["Gated Test Suite<br/>ConsolePluginContentSecurityPolicy.yaml"] -->|Migrate| D["Ungated Test Suite<br/>AAA_ungated.yaml"]
 E["Feature Gate Definition<br/>features.go"] -->|Delete| F["No Feature Gate"]
 B -->|Update| G["CRD Manifests"]
 D -->|Add| G

Loading

File Walkthrough

	Relevant files
Enhancement	5 files types_console_plugin.go Remove feature gate annotation from CSP field                        +0/-1      features.go Delete ConsolePluginContentSecurityPolicy feature gate definition +0/-8      zz_generated.featuregated-crd-manifests.yaml Clear FeatureGates list for ConsolePlugin CRD                        +1/-2      AAA_ungated.yaml Add full CSP schema to ungated CRD manifest                            +123/-0  ConsolePluginContentSecurityPolicy.yaml Remove feature-gated CRD manifest file                                      +0/-353
Tests	2 files AAA_ungated.yaml Add comprehensive CSP validation tests to ungated suite    +186/-0  ConsolePluginContentSecurityPolicy.yaml Remove feature-gated CSP test file entirely                            +0/-194
Documentation	1 files features.md Remove ConsolePluginContentSecurityPolicy from feature matrix +0/-1
Configuration changes	8 files featureGate-Hypershift-Default.yaml Remove CSP feature gate from Hypershift Default profile    +0/-3      featureGate-Hypershift-DevPreviewNoUpgrade.yaml Remove CSP feature gate from Hypershift DevPreview profile +0/-3      featureGate-Hypershift-OKD.yaml Remove CSP feature gate from Hypershift OKD profile            +0/-3      featureGate-Hypershift-TechPreviewNoUpgrade.yaml Remove CSP feature gate from Hypershift TechPreview profile +0/-3      featureGate-SelfManagedHA-Default.yaml Remove CSP feature gate from SelfManagedHA Default profile +0/-3      featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml Remove CSP feature gate from SelfManagedHA DevPreview profile +0/-3      featureGate-SelfManagedHA-OKD.yaml Remove CSP feature gate from SelfManagedHA OKD profile      +0/-3      featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml Remove CSP feature gate from SelfManagedHA TechPreview profile +0/-3

---

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Fix quote detection rule Fix the CEL validation rule for detecting single quotes in CSP directive values. The current rule incorrectly matches two single quotes instead of one. Update the rule to properly escape and check for a single quote character. console/v1/zz_generated.featuregated-crd-manifests/consoleplugins.console.openshift.io/AAA_ungated.yaml [197-198] - message: CSP directive value cannot contain a quote - rule: '!self.contains("''")' + rule: '!self.contains("\'")' [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies and fixes a bug in the CRD validation rule for detecting single quotes, which is critical for ensuring proper CSP value validation.	Medium
Update

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml`:
- Around line 264-275: The test text and value are inconsistent: the test claims
a “tab” but the CSP value uses spaces; update the YAML so
spec.contentSecurityPolicy[0].values[0] contains an actual tab character (escape
it) in the URI (replace the series of spaces in the initial block value
"https://scri    pt1.com/" with a single \t where intended) or alternatively
rename the test description from “tab” to “spaces” so it accurately reflects the
current input; ensure you only modify the initial block value or the test name
and keep the expectedError unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Test description says “tab” but the value uses spaces.
Either use an actual tab (escaped) or rename the test to “spaces” to avoid confusion.

🔧 Suggested fix (use a tab escape)

-    - name: Should throw an error for invalid CSP directive values with whitespace, using tab
+    - name: Should throw an error for invalid CSP directive values with whitespace, using tab
       initial: |
         apiVersion: console.openshift.io/v1
         kind: ConsolePlugin
         spec:
           displayName: foo
           backend:
             type: Service
           contentSecurityPolicy:
           - directive: ScriptSrc
             values:
-            - https://scri    pt1.com/
+            - "https://scri\tpt1.com/"

🤖 Prompt for AI Agents

In `@console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml` around
lines 264 - 275, The test text and value are inconsistent: the test claims a
“tab” but the CSP value uses spaces; update the YAML so
spec.contentSecurityPolicy[0].values[0] contains an actual tab character (escape
it) in the URI (replace the series of spaces in the initial block value
"https://scri    pt1.com/" with a single \t where intended) or alternatively
rename the test description from “tab” to “spaces” so it accurately reflects the
current input; ensure you only modify the initial block value or the test name
and keep the expectedError unchanged.

[JoelSpeed]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

[JoelSpeed]

Looking at the CI, looks like maybe the console operator is still looking for this gate? Is there a PR to remove references to this gate for the console operator that needs to merge first?

[jhadvig]

@JoelSpeed opened console and console-operator PR where I vendor these changes in order to unblock the CI

[JoelSpeed]

@jhadvig The problem is not normally vendor, but references to the gate being used in if conditions.

Check the logs from the console operator in CI

Points to https://github.com/openshift/console-operator/blob/cfd48a0fcef0db90a32288a021925739ede63eeb/pkg/console/starter/starter.go#L238

You need to remove that line and go through your console operator to remove any references to that boolean now since the answer is always true

[JoelSpeed]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[jhadvig]

/retest

[jhadvig]

/retest

[JoelSpeed]

/retest
/verified by CI

[openshift-ci-robot]

@JoelSpeed: This PR has been marked as verified by CI.

Details

In response to this:

/retest
/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD f50e695 and 2 for PR HEAD 8715e31 in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD d87d63a and 1 for PR HEAD 8715e31 in total

[JoelSpeed]

/override ci/prow/e2e-aws-ovn-hypershift-conformance

Known issue with the conformance image configuration at the moment

[openshift-ci]

@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/e2e-aws-ovn-hypershift-conformance

Details

In response to this:

/override ci/prow/e2e-aws-ovn-hypershift-conformance

Known issue with the conformance image configuration at the moment

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@jhadvig: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit	8715e31	link	unknown	/test unit
ci/prow/build	8715e31	link	unknown	/test build
ci/prow/lint	8715e31	link	unknown	/test lint
ci/prow/verify-feature-promotion	8715e31	link	unknown	/test verify-feature-promotion
ci/prow/okd-scos-images	8715e31	link	unknown	/test okd-scos-images
ci/prow/verify-crd-schema	8715e31	link	unknown	/test verify-crd-schema
ci/prow/integration	8715e31	link	unknown	/test integration
ci/prow/verify-crdify	8715e31	link	unknown	/test verify-crdify
ci/prow/verify	8715e31	link	unknown	/test verify
ci/prow/images	8715e31	link	unknown	/test images
ci/prow/verify-deps	8715e31	link	unknown	/test verify-deps
ci/prow/verify-client-go	8715e31	link	unknown	/test verify-client-go
ci/prow/minor-images	8715e31	link	unknown	/test minor-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.