Skip to content

OLS-3520: Grant operator RBAC to create alerts adapter proposals ClusterRole#1803

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
blublinsky:proposal-role
Jul 10, 2026
Merged

OLS-3520: Grant operator RBAC to create alerts adapter proposals ClusterRole#1803
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
blublinsky:proposal-role

Conversation

@blublinsky

@blublinsky blublinsky commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Description

Summary

This PR fixes alerts adapter Phase 1 reconciliation failing to create the alerts adapter ClusterRole due to RBAC escalation, and renames alerts-adapter operand RBAC from Proposal / proposals to AgenticRun / agenticruns to align with upstream API changes.

RBAC escalation fix (OLS-3520)

When spec.ols.deployment.alertsAdapter.configMapRef is set, the operator creates a ClusterRole granting the alerts adapter SA get, list, and create on agentic.openshift.io/agenticruns. The operator SA must hold those same permissions before it can create that ClusterRole.

  • Add kubebuilder RBAC marker on OLSConfigReconciler for agentic.openshift.io/agenticruns (get, list, create)
  • Regenerate config/rbac/role.yaml and bundle CSV clusterPermissions

Root cause: OLS-3348 added operand RBAC in alertsadapter.GenerateAgenticRunsClusterRole but did not add the matching operator permission marker. Reconcile fails with a forbidden clusterroles create; Phase 2 deployment is skipped because Phase 1 returns an error.

Proposal → AgenticRun rename (OLS-3475)

Aligns with lightspeed-agentic-operator #285 and lightspeed-agentic-alerts-adapter #54:

Before After
agentic.openshift.io/proposals agentic.openshift.io/agenticruns
lightspeed-agentic-alerts-adapter-proposals lightspeed-agentic-alerts-adapter-agenticruns
GenerateProposalsClusterRole GenerateAgenticRunsClusterRole
  • Rename alerts-adapter ClusterRole/ClusterRoleBinding, constants, errors, and reconcile helpers
  • removeLegacyProposalsClusterRBAC deletes the old …-proposals cluster RBAC on upgrade
  • Update operator RBAC marker, role.yaml, bundle CSV, tests, and docs/specs

Intentionally unchanged (console/product UI terms; separate console PR): /lightspeed/proposals route and "proposals" UI copy in AGENTS.md.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up dependent library

Related Tickets & Documents

Closes https://redhat.atlassian.net/browse/OLS-3520

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • make test
  • make lint
  • Deploy with spec.ols.deployment.alertsAdapter.configMapRef set; verify Phase 1 creates lightspeed-agentic-alerts-adapter-agenticruns ClusterRole/ClusterRoleBinding with agenticruns permissions
  • Upgrade from a cluster with legacy …-proposals cluster RBAC; verify legacy resources are removed

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 9, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 9, 2026

Copy link
Copy Markdown

@blublinsky: This pull request references OLS-3520 which is a valid jira issue.

Details

In response to this:

Description

Summary
Fixes alerts adapter Phase 1 reconciliation failing to create lightspeed-agentic-alerts-adapter-proposals ClusterRole due to RBAC escalation.
When spec.ols.deployment.alertsAdapter.configMapRef is set, the operator creates a ClusterRole granting the alerts adapter SA get, list, and create on agentic.openshift.io/proposals. The operator SA must hold those same permissions before it can create that ClusterRole.

  • Add kubebuilder RBAC marker on OLSConfigReconciler for agentic.openshift.io/proposals (get, list, create)
  • Regenerate config/rbac/role.yaml and bundle CSV clusterPermissions

Root cause
OLS-3348 added operand RBAC in alertsadapter.GenerateProposalsClusterRole but did not add the matching operator permission marker. Reconcile fails with a forbidden clusterroles create; Phase 2 deployment is skipped because Phase 1 returns an error.

Type of change

  • Refactor
  • New feature
  • [x ] Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up dependent library

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 9, 2026
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@blublinsky, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 43 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b5502af9-21c4-4354-956a-2c4f5b2eafec

📥 Commits

Reviewing files that changed from the base of the PR and between 2a39d66 and ef0fd1c.

⛔ Files ignored due to path filters (1)
  • config/rbac/role.yaml is excluded by !config/rbac/role.yaml
📒 Files selected for processing (13)
  • .ai/spec/how/project-structure.md
  • .ai/spec/how/reconciliation.md
  • .ai/spec/what/bundle-composition.md
  • .ai/spec/what/reconciliation.md
  • ARCHITECTURE.md
  • bundle/manifests/lightspeed-operator.clusterserviceversion.yaml
  • internal/controller/alertsadapter/assets.go
  • internal/controller/alertsadapter/assets_test.go
  • internal/controller/alertsadapter/reconciler.go
  • internal/controller/alertsadapter/reconciler_test.go
  • internal/controller/olsconfig_controller.go
  • internal/controller/utils/constants.go
  • internal/controller/utils/errors.go
📝 Walkthrough

Walkthrough

This PR grants the operator's controller and its ClusterServiceVersion clusterPermissions additional RBAC access (get, list, create) on proposals.agentic.openshift.io resources. It also updates the bundle CSV's createdAt timestamp and minor formatting in a TLS secret description field.

Changes

Proposals RBAC Permissions

Layer / File(s) Summary
Controller RBAC annotation
internal/controller/olsconfig_controller.go
Added a Kubebuilder RBAC comment granting get, list, create verbs on proposals.agentic.openshift.io resources.
Bundle CSV clusterPermissions and metadata
bundle/manifests/lightspeed-operator.clusterserviceversion.yaml
Added matching clusterPermissions rule for proposals.agentic.openshift.io, updated createdAt annotation timestamp, and adjusted line-break formatting in the TLS certificate secret ca.crt description.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

Suggested reviewers: bparees, xrajesh

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: granting operator RBAC to create the alerts adapter proposals ClusterRole.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from bparees and xrajesh July 9, 2026 09:24
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 9, 2026

@vimalk78 vimalk78 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI Review — OLS-3520 + OLS-3475 (operator portion)

Score: 97/100 — PASS

Adherence

# Criterion Status
1 Operator SA has RBAC matching the ClusterRole it creates for alerts adapter PASS
2 Operator-side Proposal→AgenticRun rename (constants, functions, errors, logs) PASS
3 Legacy proposals ClusterRole/ClusterRoleBinding cleaned up on reconcile PASS
4 Tests updated for rename PASS
5 Documentation updated for rename PASS

Code Quality

One nice-to-have observation:

  • removeLegacyProposalsClusterRBAC runs during reconciliation but not during RemoveAlertsAdapter (finalization/disable path). If the operator upgrades and the CR is deleted before any reconciliation occurs, legacy ClusterRole/ClusterRoleBinding would be orphaned. Practically harmless — orphaned RBAC with no bound SA has no effect, and the scenario requires a narrow race.

Notes

  • RBAC marker verbs (get;list;create) correctly match the operand ClusterRole — least privilege, no unnecessary delete
  • Legacy constant AlertsAdapterLegacyProposalsClusterRoleName reused for both CR and CRB lookups is correct — K8s distinguishes by GVK, and both old resources shared the same name
  • Clean, well-scoped PR

🤖 Generated with Claude Code

@vimalk78

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2026
@blublinsky

Copy link
Copy Markdown
Contributor Author

/approve

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 10, 2026
@blublinsky

Copy link
Copy Markdown
Contributor Author

/approve

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: blublinsky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 912ea22 and 2 for PR HEAD ef0fd1c in total

@blublinsky

Copy link
Copy Markdown
Contributor Author

/override ci/prow/bundle-e2e-4-21

images mismatch

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

@blublinsky: Overrode contexts on behalf of blublinsky: ci/prow/bundle-e2e-4-21

Details

In response to this:

/override ci/prow/bundle-e2e-4-21

images mismatch

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

@blublinsky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 79db18e into openshift:main Jul 10, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants