Skip to content

ROX-33465: Remove OCP 3 support, make OCP auto-sensing more reliable #19895

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
mclasmeier wants to merge 33 commits into
base: master
Choose a base branch
from
Draft

ROX-33465: Remove OCP 3 support, make OCP auto-sensing more reliable #19895

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
33 commits
Select commit Hold shift + click to select a range
6698a7f
CHANGELOG
Mar 27, 2026
9470481
Remove openshift 3 templating
Mar 27, 2026
8dc825c
Remove openshift 3 support from roxctl
Mar 26, 2026
c103e30
Remove OpenShift 3 roxctl test
Mar 26, 2026
d8855cf
Change openshift auto-sensing in Helm chart to only check for config.…
Mar 18, 2026
23035cc
Bump helmtest to 0.0.9
Apr 8, 2026
e505f6c
Helm tests: Replace openshift-4.1.0 schema with openshift-4.12.
Apr 8, 2026
5a3993b
Helm tests: remove openshift 3 tests.
Apr 8, 2026
3afd824
Helm tests: remove kubernetes server capabilities.
Apr 8, 2026
0d877af
Helm tests: extend test case.
Apr 8, 2026
157e977
Helm tests: modify test from openshift 3 for openshift 4
Apr 8, 2026
3393522
Helm test: remove outdated test.
Apr 8, 2026
94b98fd
New roxctl test: verifying that --openshift-version=3 fails
Apr 8, 2026
56b162e
Adjust rendering unit test for centralDb.
Apr 8, 2026
6df700a
Adjust rendering unit test for secured-cluster-services bundle.
Apr 9, 2026
bbf7b68
Convert TestConvertStorageIntegrationToV2 to OpenShift4
Apr 9, 2026
990436f
Tests: Convert to OpenShift 4 test data
Apr 9, 2026
426c5e6
Convert TestListComplianceIntegrations to OpenShift 4 data
Apr 9, 2026
956374e
Remove OpenShift 3 test data
Apr 9, 2026
a59a673
Add comment.
Apr 9, 2026
c632e38
Tests: Convert to OpenShift 4 data
Apr 9, 2026
305dcbf
Tests: Remove OpenShift 3 test data
Apr 9, 2026
0a52578
Tests: Remove OpenShift 3 test data
Apr 9, 2026
84eb95c
Deprecate OPENSHIFT_CLUSTER enum value
Apr 9, 2026
f039d53
Generated protos
Apr 9, 2026
db8f144
Proto lock commit
Apr 9, 2026
07229a7
Fail validation if cluster type is OpenShift 3
Apr 9, 2026
92c95c1
Tests: Remove OpenShift 3 data
Apr 9, 2026
172826b
Tests: Remove OpenShift 3 data
Apr 9, 2026
785fde7
Make addScripts() fail for OpenShift 3 cluster types.
Apr 9, 2026
155b928
Tests: Switch to OpenShift 4 test data
Apr 9, 2026
f0d84f5
Test: Adjust for updated error message
Apr 9, 2026
86903ae
Remove more OpenShift 3 cruft from Helm/Bundle code
Apr 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ Changes should still be described appropriately in JIRA/doc input pages, for inc

### Technical Changes

- OpenShift 3 support removed from Helm charts and roxctl manifest bundle generation.
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Include the new minimum supported OpenShift version in this changelog note.

Line 33 documents OCP3 removal, but it should also state the new floor (OpenShift 4.12) so upgrade impact is explicit.

Suggested changelog tweak 
-- OpenShift 3 support removed from Helm charts and roxctl manifest bundle generation.
+- ROX-33465: OpenShift 3 support removed from Helm charts and roxctl manifest bundle generation.
+  Minimum supported OpenShift version is now 4.12.
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG.md` at line 33, Update the changelog line "OpenShift 3 support
removed from Helm charts and roxctl manifest bundle generation." to explicitly
state the new minimum supported OpenShift version by appending "Minimum
supported OpenShift version: OpenShift 4.12" (or integrate that phrase into the
sentence) so the note reads clearly that OCP3 was removed and the new floor is
OpenShift 4.12.


## [4.10.0]


Expand Down
1 change: 0 additions & 1 deletion central/cluster/datastore/datastore_impl_postgres_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -977,7 +977,6 @@ func (s *ClusterPostgresDataStoreTestSuite) TestAddDefaults() {
expectedDisabledLogs bool
}{
"Kubernetes cluster": {&storage.Cluster{Type: storage.ClusterType_KUBERNETES_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint}, true},
"Openshift 3 cluster": {&storage.Cluster{Type: storage.ClusterType_OPENSHIFT_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint}, true},
"Openshift 4 cluster": {&storage.Cluster{Type: storage.ClusterType_OPENSHIFT4_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint}, false},
"Openshift 4 cluster with disabled logs": {&storage.Cluster{Type: storage.ClusterType_OPENSHIFT4_CLUSTER, MainImage: mainImage, CentralApiEndpoint: centralEndpoint,
DynamicConfig: &storage.DynamicClusterConfig{DisableAuditLogs: true}}, true},
Expand Down
2 changes: 1 addition & 1 deletion central/clusters/zip/render_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ func TestRenderWithNoCollection(t *testing.T) {
cluster := &storage.Cluster{
Name: "cluster",
MainImage: "stackrox/main:abc",
Type: storage.ClusterType_OPENSHIFT_CLUSTER,
Type: storage.ClusterType_OPENSHIFT4_CLUSTER,
CollectionMethod: storage.CollectionMethod_NO_COLLECTION,
}

Expand Down
4 changes: 2 additions & 2 deletions central/complianceoperator/v2/integration/datastore/datastore_impl_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,7 +257,7 @@ func (s *complianceIntegrationDataStoreTestSuite) TestGetComplianceIntegrationsV
// Add some clusters
_, err := s.db.DB.Exec(context.Background(), "insert into clusters (id, name, status_providermetadata_cluster_type, type) values ($1, $2, $3, $4)", testconsts.Cluster1, "cluster1", 1, 1)
s.Require().NoError(err)
_, err = s.db.DB.Exec(context.Background(), "insert into clusters (id, name, status_providermetadata_cluster_type, type) values ($1, $2, $3, $4)", testconsts.Cluster2, "cluster2", 2, 2)
_, err = s.db.DB.Exec(context.Background(), "insert into clusters (id, name, status_providermetadata_cluster_type, type) values ($1, $2, $3, $4)", testconsts.Cluster2, "cluster2", 2, 5)
s.Require().NoError(err)
_, err = s.db.DB.Exec(context.Background(), "insert into clusters (id, name, status_providermetadata_cluster_type, type) values ($1, $2, $3, $4)", testconsts.Cluster3, "cluster3", 5, 5)
s.Require().NoError(err)
Expand Down Expand Up @@ -463,7 +463,7 @@ func getDefaultTestIntegrationViews() []*IntegrationDetails {
Version: "2",
OperatorStatus: pointers.Pointer(storage.COStatus_HEALTHY),
ClusterName: "cluster2",
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT_CLUSTER),
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT4_CLUSTER),
StatusProviderMetadataClusterType: pointers.Pointer(storage.ClusterMetadata_ARO),
OperatorInstalled: pointers.Bool(true),
},
Expand Down
6 changes: 3 additions & 3 deletions central/complianceoperator/v2/integration/service/convert_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ func TestConvertStorageIntegrationToV2(t *testing.T) {
OperatorStatus: pointers.Pointer(storage.COStatus_HEALTHY),
ClusterID: fixtureconsts.Cluster1,
ClusterName: mockClusterName,
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT_CLUSTER),
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT4_CLUSTER),
StatusProviderMetadataClusterType: pointers.Pointer(storage.ClusterMetadata_OCP),
},
expected: &apiV2.ComplianceIntegration{
Expand All @@ -60,7 +60,7 @@ func TestConvertStorageIntegrationToV2(t *testing.T) {
StatusErrors: []string{"Error 1", "Error 2", "Error 3"},
OperatorInstalled: true,
Status: apiV2.COStatus_HEALTHY,
ClusterPlatformType: apiV2.ClusterPlatformType_OPENSHIFT_CLUSTER,
ClusterPlatformType: apiV2.ClusterPlatformType_OPENSHIFT4_CLUSTER,
ClusterProviderType: apiV2.ClusterProviderType_OCP,
},
clusterError: false,
Expand All @@ -81,7 +81,7 @@ func TestConvertStorageIntegrationToV2(t *testing.T) {
OperatorStatus: pointers.Pointer(storage.COStatus_HEALTHY),
ClusterID: testconsts.Cluster1,
ClusterName: mockClusterName,
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT_CLUSTER),
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT4_CLUSTER),
StatusProviderMetadataClusterType: pointers.Pointer(storage.ClusterMetadata_OCP),
},
expected: nil,
Expand Down
4 changes: 2 additions & 2 deletions central/complianceoperator/v2/integration/service/service_impl_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ func (s *ComplianceIntegrationServiceTestSuite) TestListComplianceIntegrations()
StatusErrors: []string{"Error 1", "Error 2", "Error 3"},
OperatorInstalled: true,
Status: apiV2.COStatus_HEALTHY,
ClusterPlatformType: apiV2.ClusterPlatformType_OPENSHIFT_CLUSTER,
ClusterPlatformType: apiV2.ClusterPlatformType_OPENSHIFT4_CLUSTER,
ClusterProviderType: apiV2.ClusterProviderType_OCP,
},
},
Expand Down Expand Up @@ -209,7 +209,7 @@ func (s *ComplianceIntegrationServiceTestSuite) TestListComplianceIntegrations()
OperatorStatus: pointers.Pointer(storage.COStatus_HEALTHY),
ClusterID: fixtureconsts.Cluster1,
ClusterName: mockClusterName,
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT_CLUSTER),
Type: pointers.Pointer(storage.ClusterType_OPENSHIFT4_CLUSTER),
StatusProviderMetadataClusterType: pointers.Pointer(storage.ClusterMetadata_OCP),
},
}, nil).Times(1)
Expand Down
6 changes: 3 additions & 3 deletions central/graphql/resolvers/cluster_vulnerabilities_postgres_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -403,16 +403,16 @@ func (s *GraphQLClusterVulnerabilityTestSuite) TestEnvImpact() {
ctx := SetAuthorizerOverride(s.ctx, allow.Anonymous())

vuln := s.getClusterVulnerabilityResolver(ctx, "clusterCve1")

clusterCount := len(s.clusterIDs)
impact, err := vuln.EnvImpact(ctx)
s.NoError(err)
s.Equal(float64(1)/8, impact)
s.Equal(float64(1)/float64(clusterCount), impact)

vuln = s.getClusterVulnerabilityResolver(ctx, "clusterCve2")

impact, err = vuln.EnvImpact(ctx)
s.NoError(err)
s.Equal(float64(2)/8, impact)
s.Equal(float64(2)/float64(clusterCount), impact)
}

func (s *GraphQLClusterVulnerabilityTestSuite) getClusterResolver(ctx context.Context, id string) *clusterResolver {
Expand Down
12 changes: 0 additions & 12 deletions central/graphql/resolvers/test_utils.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -268,18 +268,6 @@ func testCluster() []*storage.Cluster {
MainImage: mainImage,
CentralApiEndpoint: centralEndpoint,
},
{
Name: "os_cluster1",
Type: storage.ClusterType_OPENSHIFT_CLUSTER,
MainImage: mainImage,
CentralApiEndpoint: centralEndpoint,
},
{
Name: "os_cluster2",
Type: storage.ClusterType_OPENSHIFT_CLUSTER,
MainImage: mainImage,
CentralApiEndpoint: centralEndpoint,
},
{
Name: "os4_cluster1",
Type: storage.ClusterType_OPENSHIFT4_CLUSTER,
Expand Down
2 changes: 2 additions & 0 deletions central/telemetry/centralclient/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,8 @@ func newCentralClient(instanceId string) *CentralClient {
func getCentralDeploymentProperties() map[string]any {
orchestrator := storage.ClusterType_KUBERNETES_CLUSTER.String()
if env.Openshift.BooleanSetting() {
// Should probably be changed to OPENSHIFT4_CLUSTER, but since this is production code, keeping it for now
// due to compatibility concerns.
orchestrator = storage.ClusterType_OPENSHIFT_CLUSTER.String()
}
Comment on lines 116 to 120
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify telemetry consumers/assertions are migrated to OPENSHIFT4_CLUSTER.
# Expected: no remaining consumer logic that only recognizes OPENSHIFT_CLUSTER for OpenShift telemetry.
rg -n -C3 --type=go --type=yaml --type=json 'Orchestrator|OPENSHIFT_CLUSTER|OPENSHIFT4_CLUSTER'

Repository: stackrox/stackrox

Length of output: 50374

🏁 Script executed:

#!/bin/bash
# Search for where Orchestrator telemetry value is consumed/filtered in queries/dashboards
# Look for patterns like filtering, comparing, or aggregating on cluster type/orchestrator
rg -n "OPENSHIFT_CLUSTER|OPENSHIFT4_CLUSTER" --type=go -C2 | grep -v "node\|namespace\|compliance" | head -100

Repository: stackrox/stackrox

Length of output: 7199

🏁 Script executed:

#!/bin/bash
# Find telemetry aggregation/dashboarding code
fd -e go -e ts -e js | xargs grep -l "telemetry.*[Oo]rchestrator\|aggregat.*cluster" 2>/dev/null | head -20

Repository: stackrox/stackrox

Length of output: 371

🏁 Script executed:

#!/bin/bash
# Search central package telemetry client specifically
fd -type f -path "*/central/*telemetry*" -name "*.go" | head -20

Repository: stackrox/stackrox

Length of output: 231

🏁 Script executed:

#!/bin/bash
# Check the actual file mentioned in the review
cat central/telemetry/centralclient/client.go | head -150

Repository: stackrox/stackrox

Length of output: 5071

🏁 Script executed:

#!/bin/bash
# Look for filters or assertions on the Orchestrator value in telemetry/metrics
rg -n "Orchestrator.*OPENSHIFT|OPENSHIFT.*Orchestrator" --type=go | head -30

Repository: stackrox/stackrox

Length of output: 43

🏁 Script executed:

#!/bin/bash
# Check if the old OPENSHIFT_CLUSTER test value needs updating
cat qa-tests-backend/helm/values.openshift.yaml

Repository: stackrox/stackrox

Length of output: 707

🏁 Script executed:

#!/bin/bash
# Search for telemetry assertions or test validations on cluster type
rg -n "OPENSHIFT_CLUSTER.*String\|String.*OPENSHIFT_CLUSTER" --type=go | head -30

Repository: stackrox/stackrox

Length of output: 43

🏁 Script executed:

#!/bin/bash
# Look for any migration notes or comments related to this change
rg -n "OPENSHIFT4_CLUSTER|OPENSHIFT_CLUSTER" -B2 -A2 --type=go | grep -i "migration\|change\|old\|new" | head -40

Repository: stackrox/stackrox

Length of output: 859

🏁 Script executed:

#!/bin/bash
# Check if test config needs updating - search for all helm test values files using this setting
fd -name "values*.yaml" | xargs grep -l "OPENSHIFT" 2>/dev/null

Repository: stackrox/stackrox

Length of output: 293

🏁 Script executed:

#!/bin/bash
# Look for where the telemetry property "Orchestrator" is documented or configured
rg -n '"Orchestrator"' --type=go | head -20

Repository: stackrox/stackrox

Length of output: 313

🏁 Script executed:

#!/bin/bash
# Check if there are any related git commits or comments about this migration
git log --oneline --all -20 -- central/telemetry/centralclient/client.go 2>/dev/null || echo "Git not available"

Repository: stackrox/stackrox

Length of output: 306

🏁 Script executed:

#!/bin/bash
# Search for documentation or migration guides
fd -name "*.md" | xargs grep -l "OPENSHIFT_CLUSTER\|telemetry.*orchestr" 2>/dev/null | head -10

Repository: stackrox/stackrox

Length of output: 291

🏁 Script executed:

#!/bin/bash
# Check the test file to see what value is expected
cat central/telemetry/centralclient/client_test.go | grep -A5 -B5 "Orchestrator"

Repository: stackrox/stackrox

Length of output: 674

🏁 Script executed:

#!/bin/bash
# Look for any GraphQL/dashboard code that might filter on this value
fd -name "*.graphql" -o -name "*dashboard*" | head -20

Repository: stackrox/stackrox

Length of output: 291

🏁 Script executed:

#!/bin/bash
# Verify the enum values in proto/storage
rg "OPENSHIFT_CLUSTER|OPENSHIFT4_CLUSTER" generated/storage/*.pb.go | head -20

Repository: stackrox/stackrox

Length of output: 658

Add test validation for the OpenShift telemetry value, and update test configuration to use OPENSHIFT4_CLUSTER.

The change to emit OPENSHIFT4_CLUSTER instead of OPENSHIFT_CLUSTER in the "Orchestrator" telemetry property is breaking for downstream aggregations that filter on the old string value. Test coverage is incomplete—there's no test case validating the env.Openshift code path, and test configuration files (qa-tests-backend/helm/values.openshift.yaml) still reference the old enum value, indicating the migration is incomplete across the codebase. Add a test case for the OpenShift scenario and ensure all configuration references are migrated to the new value.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@central/telemetry/centralclient/client.go` around lines 116 - 118, The
Orchestrator telemetry change emits storage.ClusterType_OPENSHIFT4_CLUSTER when
env.Openshift.BooleanSetting() is true but there is no test covering that path
and test config still uses the old OPENSHIFT_CLUSTER string; add a
unit/integration test that sets env.Openshift to true and asserts the emitted
orchestrator equals storage.ClusterType_OPENSHIFT4_CLUSTER.String(), update any
test fixture/config (e.g., qa-tests-backend/helm/values.openshift.yaml) to
reference OPENSHIFT4_CLUSTER, and search for other usages of the old
OPENSHIFT_CLUSTER value to migrate them so tests and aggregations validate the
new enum value (reference symbols: env.Openshift, orchestrator variable,
storage.ClusterType_OPENSHIFT4_CLUSTER, and the client.go telemetry emission
code).

// k8s apiserver is not accessible in cloud service environment.
Expand Down
49 changes: 13 additions & 36 deletions central/views/platformcve/view_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -428,21 +428,21 @@ func (s *PlatformCVEViewTestSuite) testCases() []testCase {
desc: "search one cluster",
ctx: context.Background(),
q: search.NewQueryBuilder().
AddExactMatches(search.Cluster, "openshift-1").ProtoQuery(),
AddExactMatches(search.Cluster, "openshift4-1").ProtoQuery(),
matchFilter: matchAllFilter().withClusterFilter(func(cluster *storage.Cluster) bool {
return cluster.GetName() == "openshift-1"
return cluster.GetName() == "openshift4-1"
}),
},
{
desc: "search one cve + one cluster",
ctx: context.Background(),
q: search.NewQueryBuilder().
AddExactMatches(search.CVE, "cve-2").
AddExactMatches(search.Cluster, "openshift-2").
AddExactMatches(search.Cluster, "openshift4-2").
ProtoQuery(),
matchFilter: matchAllFilter().
withClusterFilter(func(cluster *storage.Cluster) bool {
return cluster.GetName() == "openshift-2"
return cluster.GetName() == "openshift4-2"
}).
withCVEPartsFilter(func(cveParts converterV2.ClusterCVEParts) bool {
return cveParts.CVE.GetCveBaseInfo().GetCve() == "cve-2"
Expand Down Expand Up @@ -506,12 +506,12 @@ func (s *PlatformCVEViewTestSuite) testCases() []testCase {
q: search.NewQueryBuilder().
AddExactMatches(search.ClusterPlatformType,
storage.ClusterType_KUBERNETES_CLUSTER.String(),
storage.ClusterType_OPENSHIFT_CLUSTER.String(),
storage.ClusterType_OPENSHIFT4_CLUSTER.String(),
).
ProtoQuery(),
matchFilter: matchAllFilter().withClusterFilter(func(cluster *storage.Cluster) bool {
return cluster.GetType() == storage.ClusterType_KUBERNETES_CLUSTER ||
cluster.GetType() == storage.ClusterType_OPENSHIFT_CLUSTER
cluster.GetType() == storage.ClusterType_OPENSHIFT4_CLUSTER
}),
},
{
Expand Down Expand Up @@ -614,39 +614,36 @@ func (s *PlatformCVEViewTestSuite) sacTestCases(ctx context.Context) []sacTestCa
visibleClusters: set.NewStringSet(
s.clusterNameToIDMap["generic-1"], s.clusterNameToIDMap["generic-2"],
s.clusterNameToIDMap["kubernetes-1"], s.clusterNameToIDMap["kubernetes-2"],
s.clusterNameToIDMap["openshift-1"], s.clusterNameToIDMap["openshift-2"],
s.clusterNameToIDMap["openshift4-1"], s.clusterNameToIDMap["openshift4-2"],
),
},
{
desc: "generic-1, kubernetes-1, openshift-1 and openshift4-1 clusters visible",
desc: "generic-1, kubernetes-1 and openshift4-1 clusters visible",
ctx: sac.WithGlobalAccessScopeChecker(ctx,
sac.AllowFixedScopes(
sac.AccessModeScopeKeys(storage.Access_READ_ACCESS, storage.Access_READ_WRITE_ACCESS),
sac.ResourceScopeKeys(resources.Cluster),
sac.ClusterScopeKeys(
s.clusterNameToIDMap["generic-1"], s.clusterNameToIDMap["kubernetes-1"],
s.clusterNameToIDMap["openshift-1"], s.clusterNameToIDMap["openshift4-1"]))),
s.clusterNameToIDMap["openshift4-1"]))),
visibleClusters: set.NewStringSet(
s.clusterNameToIDMap["generic-1"],
s.clusterNameToIDMap["kubernetes-1"],
s.clusterNameToIDMap["openshift-1"],
s.clusterNameToIDMap["openshift4-1"],
),
},
{
desc: "generic-2, kubernetes-2, openshift-2, openshift4-2 clusters visible",
desc: "generic-2, kubernetes-2, openshift4-2 clusters visible",
ctx: sac.WithGlobalAccessScopeChecker(ctx,
sac.AllowFixedScopes(
sac.AccessModeScopeKeys(storage.Access_READ_ACCESS),
sac.ResourceScopeKeys(resources.Cluster),
sac.ClusterScopeKeys(
s.clusterNameToIDMap["generic-2"], s.clusterNameToIDMap["kubernetes-2"],
s.clusterNameToIDMap["openshift-2"], s.clusterNameToIDMap["openshift4-2"]))),
s.clusterNameToIDMap["openshift4-2"]))),
visibleClusters: set.NewStringSet(
s.clusterNameToIDMap["generic-2"],
s.clusterNameToIDMap["kubernetes-2"],
s.clusterNameToIDMap["openshift-2"],
s.clusterNameToIDMap["openshift4-2"],
),
},
Expand Down Expand Up @@ -943,26 +940,6 @@ func getTestData() (map[string]*storage.Cluster, map[storage.CVE_CVEType][]conve
})
clusterMap[kubernetes2.GetId()] = kubernetes2

openshift1 := generateTestCluster(&testClusterFields{
Name: "openshift-1",
PlatformType: storage.ClusterType_OPENSHIFT_CLUSTER,
ProviderType: storage.ClusterMetadata_OCP,
Labels: map[string]string{"platform-type": "openshift"},
K8sVersion: "8.0",
IsOpenshift: true,
})
clusterMap[openshift1.GetId()] = openshift1

openshift2 := generateTestCluster(&testClusterFields{
Name: "openshift-2",
PlatformType: storage.ClusterType_OPENSHIFT_CLUSTER,
ProviderType: storage.ClusterMetadata_OSD,
Labels: map[string]string{"platform-type": "openshift"},
K8sVersion: "8.0",
IsOpenshift: true,
})
clusterMap[openshift2.GetId()] = openshift2

openshift41 := generateTestCluster(&testClusterFields{
Name: "openshift4-1",
PlatformType: storage.ClusterType_OPENSHIFT4_CLUSTER,
Expand Down Expand Up @@ -1004,9 +981,9 @@ func getTestData() (map[string]*storage.Cluster, map[storage.CVE_CVEType][]conve
converterV2.NewClusterCVEParts(cve3Openshift, []*storage.Cluster{generic2}, ""),
converterV2.NewClusterCVEParts(cve4K8, []*storage.Cluster{kubernetes1, kubernetes2}, "9.3"),
converterV2.NewClusterCVEParts(cve5K8, []*storage.Cluster{kubernetes1, kubernetes2}, "9.2"),
converterV2.NewClusterCVEParts(cve1Openshift, []*storage.Cluster{openshift1, openshift41, openshift42}, ""),
converterV2.NewClusterCVEParts(cve2Openshift, []*storage.Cluster{openshift1, openshift2, openshift42}, "4.15"),
converterV2.NewClusterCVEParts(cve4Openshift, []*storage.Cluster{openshift2, openshift42}, "4.13"),
converterV2.NewClusterCVEParts(cve1Openshift, []*storage.Cluster{openshift41, openshift42}, ""),
converterV2.NewClusterCVEParts(cve2Openshift, []*storage.Cluster{openshift42}, "4.15"),
converterV2.NewClusterCVEParts(cve4Openshift, []*storage.Cluster{openshift42}, "4.13"),
converterV2.NewClusterCVEParts(cve5Openshift, []*storage.Cluster{openshift41, openshift42}, "4.15"),
converterV2.NewClusterCVEParts(cve1Istio, []*storage.Cluster{generic1}, ""),
converterV2.NewClusterCVEParts(cve5Istio, []*storage.Cluster{openshift41}, "4.15"),
Expand Down
7 changes: 4 additions & 3 deletions generated/storage/cluster.pb.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ require (
github.com/spf13/viper v1.21.0
github.com/stackrox/external-network-pusher v0.0.0-20231115153210-b82d72f500a2
github.com/stackrox/hashstructure v0.0.4
github.com/stackrox/helmtest v0.0.8
github.com/stackrox/helmtest v0.0.9
github.com/stackrox/k8s-overlay-patch v0.0.0-20250224110925-13b5b47fd812
github.com/stackrox/pkcs7 v0.0.0-20240314170115-841ca6b5f88d
github.com/stackrox/scanner v0.0.0-20240830165150-d133ba942d59
Expand Down
4 changes: 2 additions & 2 deletions go.sum
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion image/embed_charts.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -271,7 +271,7 @@ func (i *Image) GetSensorChart(values *charts.MetaValues, certs *sensor.Certs) (
func (i *Image) addScripts(values *charts.MetaValues) ([]*loader.BufferedFile, error) {
if values.ClusterType == storage.ClusterType_KUBERNETES_CLUSTER.String() {
return i.scripts(values, k8sScriptsFileMap)
} else if values.ClusterType == storage.ClusterType_OPENSHIFT_CLUSTER.String() || values.ClusterType == storage.ClusterType_OPENSHIFT4_CLUSTER.String() {
} else if values.ClusterType == storage.ClusterType_OPENSHIFT4_CLUSTER.String() {
return i.scripts(values, osScriptsFileMap)
}
return nil, errors.Errorf("unable to create sensor bundle, invalid cluster type for cluster %s",
Expand Down
10 changes: 3 additions & 7 deletions image/templates/helm/shared/templates/02-scanner-v4-01-security.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,9 @@

{{- if or ._rox.scannerV4._indexerEnabled ._rox.scannerV4._matcherEnabled }}
{{- if ._rox.env.openshift }}
{{- if eq ._rox.env.openshift 3 }}
{{ include "srox.warn" (list . "On OpenShift 3.x no SecurityContextConstraint will be configured for Scanner V4.") }}
{{- else }}
{{/* Use a default SCC that ships with OpenShift 4.x.
We only need to create a Role and a RoleBinding for
associating the SCC with the Scanner V4 deployment. */}}
{{/* Use a default SCC that ships with OpenShift 4.x.
We only need to create a Role and a RoleBinding for
associating the SCC with the Scanner V4 deployment. */}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand Down Expand Up @@ -47,6 +44,5 @@ subjects:
- kind: ServiceAccount
name: scanner-v4
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end }}
Loading
Loading