Skip to content

Sync with main #1093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jan--f merged 12 commits into from
May 19, 2026
Merged

Sync with main #1093

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
42e6053
fix: update tls log to omit length of ciphers array (#1074)
zhuje Apr 30, 2026
9396944
build(deps): bump github.com/operator-framework/api (#1059)
dependabot[bot] Apr 30, 2026
9bd5e3a
chore: update obo-prom-op to v0.90.1 (#1077)
jan--f May 5, 2026
3fea7a4
build(deps): bump github.com/prometheus-operator/prometheus-operator/…
dependabot[bot] May 7, 2026
504736c
feat: update perses operand image (#1085)
jgbernalp May 7, 2026
cd67068
feat: coo 1.5 image tag and compat. matrix update (#1075)
zhuje May 8, 2026
d0283f1
fix: add 'create tokenreview' to korrel8r RBAC (#1073)
alanconway May 11, 2026
687b0c2
fix: remove ui plugin finalizers in favor of k8s garbage collection (…
jgbernalp May 12, 2026
5ec787a
NO-JIRA: remove SupportsTLSProfile (#1089)
zhuje May 12, 2026
fad3bee
chore: unpin github.com/openshift/api (#1090)
simonpasquier May 13, 2026
587f9dc
fix: use pointer-to-struct for fields with json omitempty (#1063)
alanconway May 14, 2026
d0bde27
fix: escape reserved words from perses cel validation expressions (#1…
jgbernalp May 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 14 additions & 37 deletions DEPENDENCY_CONSTRAINTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
# Dependency Constraints

This document describes the constraints and pinned dependencies in this project.
This document describes how we manage dependencies for this project.

## Pinned Dependencies
## Forked OpenShift API (`github.com/openshift/api`)

### OpenShift API (`github.com/openshift/api`)
This project depends on 2 versions of `github.com/openshift/api`:
* The [canonical version](https://github.com/openshift/api).
* A [forked version](https://github.com/rhobs/openshift-api).

**Current Version:** `v0.0.0-20240404200104-96ed2d49b255`

**Why Pinned:** The observability-operator needs to support both OpenShift console API `v1` and `v1alpha1` for backward compatibility:
- OpenShift >= 4.17 uses `console/v1` API
**Why Forked:** The observability-operator needs to support both OpenShift console API `v1` and `v1alpha1` for backward compatibility:
- OpenShift >= 4.17 uses `console/v1` API
- OpenShift < 4.17 uses `console/v1alpha1` API

Newer versions of `github.com/openshift/api` (after April 2024) have removed the `console/v1alpha1` API, breaking compatibility with older OpenShift versions.
Newer versions of `github.com/openshift/api` (after April 2024) have removed the `console/v1alpha1` API, breaking compatibility with older OpenShift versions. To continue supporting older versions, we forked the library under (https://github.com/rhobs/openshift-api) using the last commit including the `v1alpha1` API and renaming the Go module in `go.mod` to `github.com/rhobs/openshift-api`.

**Impact:** The codebase maintains dual API support with runtime version detection to create the appropriate Console Plugin resources.

Expand All @@ -23,37 +23,14 @@ Newer versions of `github.com/openshift/api` (after April 2024) have removed the
- `pkg/operator/scheme.go` - API scheme registration
- All uiplugin package files using `osv1alpha1` imports

## Safe to Update Dependencies

The following dependencies can be safely updated:
- Kubernetes API packages (`k8s.io/*`)
- Controller Runtime (`sigs.k8s.io/controller-runtime`)
- Prometheus packages (`github.com/prometheus/*`)
- RHOBS Prometheus Operator (`github.com/rhobs/obo-prometheus-operator`)
- Go standard library extensions (`golang.org/x/*`)
- Utility libraries (`github.com/go-logr/logr`, `github.com/google/go-cmp`, etc.)

## Updating Dependencies

To update dependencies safely:

1. **Individual updates:** Update specific packages excluding openshift/api:
```bash
go get -u k8s.io/api k8s.io/apimachinery k8s.io/client-go
go get -u sigs.k8s.io/controller-runtime
go get -u github.com/rhobs/obo-prometheus-operator@v0.83.0-rhobs1
```

2. **Avoid bulk updates:** Don't use `go get -u ./...` as it will try to update openshift/api

3. **Always test:** Run `make test-unit` and `make build` after each update

4. **Fix go.sum:** Run `go mod tidy` after updates to fix missing entries
Dependabot takes care of dependency updates, the configuration is located at `.github/dependabot.yml`.

## Future Considerations

When OpenShift < 4.17 support is no longer needed:
1. Remove `console/v1alpha1` API usage
2. Unpin `github.com/openshift/api`
3. Remove dual API support code
4. Update this document
When OpenShift &lt; 4.17 support is no longer needed, we can:
1. Remove `console/v1alpha1` API usage.
2. Remove dual API support code.
3. Remove dependency on `github.com/rhobs/openshift-api`
4. Update this document
3 changes: 3 additions & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ CATALOG_TEMP := $(shell mktemp -d)

## Development

.PHONY: all
all: lint test-unit operator-image bundle-image

.PHONY: test-unit
test-unit:
go test -cover ./cmd/... ./pkg/...
Expand Down
17 changes: 16 additions & 1 deletion bundle/manifests/monitoring.rhobs_alertmanagerconfigs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
observability.openshift.io/api-support: TechPreview
operator.prometheus.io/version: 0.89.0-rhobs1
operator.prometheus.io/version: 0.90.1-rhobs1
creationTimestamp: null
labels:
app.kubernetes.io/part-of: observability-operator
Expand Down Expand Up @@ -1085,6 +1085,14 @@ spec:
This is used for SMTP AUTH when the server requires authentication.
minLength: 1
type: string
forceImplicitTLS:
description: |-
forceImplicitTLS defines whether to force use of implicit TLS (direct TLS connection) for better security.
true: force use of implicit TLS (direct TLS connection on any port)
false: force disable implicit TLS (use explicit TLS/STARTTLS if required)
nil (default): auto-detect based on port (465=implicit, other=explicit) for backward compatibility
It requires Alertmanager >= v0.31.0.
type: boolean
from:
description: |-
from defines the sender address for email notifications.
Expand Down Expand Up @@ -7292,6 +7300,13 @@ spec:
linkNames enables automatic linking of channel names and usernames in the message.
When true, @channel and @username will be converted to clickable links.
type: boolean
messageText:
description: |-
messageText defines text content of the Slack message.
If set, this is sent as the top-level 'text' field in the Slack payload.
It requires Alertmanager >= v0.31.0.
minLength: 1
type: string
mrkdwnIn:
description: |-
mrkdwnIn defines which fields should be parsed as Slack markdown.
Expand Down
104 changes: 74 additions & 30 deletions bundle/manifests/monitoring.rhobs_alertmanagers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
observability.openshift.io/api-support: Experimental-SSA
operator.prometheus.io/version: 0.89.0-rhobs1
operator.prometheus.io/version: 0.90.1-rhobs1
creationTimestamp: null
labels:
app.kubernetes.io/part-of: observability-operator
Expand Down Expand Up @@ -2073,6 +2073,14 @@ spec:
LOGIN and PLAIN. If empty, Alertmanager doesn't authenticate
to the SMTP server.
type: string
forceImplicitTLS:
description: |-
forceImplicitTLS defines whether to force use of implicit TLS (direct TLS connection) for better security.
true: force use of implicit TLS (direct TLS connection on any port)
false: force disable implicit TLS (use explicit TLS/STARTTLS if required)
nil (default): auto-detect based on port (465=implicit, other=explicit) for backward compatibility
It requires Alertmanager >= v0.31.0.
type: boolean
from:
description: from defines the default SMTP From header
field.
Expand Down Expand Up @@ -2890,14 +2898,20 @@ spec:
type: string
containers:
description: |-
containers allows injecting additional containers. This is meant to
allow adding an authentication proxy to an Alertmanager pod.
Containers described here modify an operator generated container if they
share the same name and modifications are done via a strategic merge
patch. The current container names are: `alertmanager` and
`config-reloader`. Overriding containers is entirely outside the scope
of what the maintainers will support and by doing so, you accept that
this behaviour may break at any time without notice.
containers allows injecting additional containers or modifying operator
generated containers. This can be used to allow adding an authentication
proxy to the Pods or to change the behavior of an operator generated
container. Containers described here modify an operator generated
container if they share the same name and modifications are done via a
strategic merge patch.

The names of containers managed by the operator are:
* `alertmanager`
* `config-reloader`
* `thanos-sidecar`

Overriding containers which are managed by the operator require careful
testing, especially when upgrading to a new version of the operator.
items:
description: A single application container that you want to run
within a pod.
Expand Down Expand Up @@ -3765,7 +3779,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize
policy for the container.
Expand Down Expand Up @@ -4581,15 +4597,21 @@ spec:
type: array
initContainers:
description: |-
initContainers allows adding initContainers to the pod definition. Those can be used to e.g.
fetch secrets for injection into the Alertmanager configuration from external sources. Any
errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
InitContainers described here modify an operator
generated init containers if they share the same name and modifications are
done via a strategic merge patch. The current init container name is:
`init-config-reloader`. Overriding init containers is entirely outside the
scope of what the maintainers will support and by doing so, you accept that
this behaviour may break at any time without notice.
initContainers allows injecting initContainers to the Pod definition. Those
can be used to e.g. fetch secrets for injection into the Prometheus
configuration from external sources. Any errors during the execution of
an initContainer will lead to a restart of the Pod. More info:
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
InitContainers described here modify an operator generated init
containers if they share the same name and modifications are done via a
strategic merge patch.

The names of init container name managed by the operator are:
* `init-config-reloader`.

Overriding init containers which are managed by the operator require
careful testing, especially when upgrading to a new version of the
operator.
items:
description: A single application container that you want to run
within a pod.
Expand Down Expand Up @@ -5457,7 +5479,9 @@ spec:
type: integer
type: object
resizePolicy:
description: Resources resize policy for the container.
description: |-
Resources resize policy for the container.
This field cannot be set on ephemeral containers.
items:
description: ContainerResizePolicy represents resource resize
policy for the container.
Expand Down Expand Up @@ -6347,6 +6371,11 @@ spec:
and the actual ExternalURL is still true, but the server serves requests
under a different route prefix. For example for use with `kubectl proxy`.
type: string
schedulerName:
description: schedulerName defines the scheduler to use for Pod scheduling.
If not specified, the default scheduler is used.
minLength: 1
type: string
secrets:
description: |-
secrets is a list of Secrets in the same namespace as the Alertmanager
Expand Down Expand Up @@ -6782,7 +6811,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
Expand Down Expand Up @@ -7037,7 +7066,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
Expand Down Expand Up @@ -7193,9 +7222,7 @@ spec:
ignore the update for the purpose it was designed. For
example - a controller that\nonly is responsible for
resizing capacity of the volume, should ignore PVC updates
that change other valid\nresources associated with PVC.\n\nThis
is an alpha field and requires enabling RecoverVolumeExpansionFailure
feature."
that change other valid\nresources associated with PVC."
type: object
x-kubernetes-map-type: granular
allocatedResources:
Expand Down Expand Up @@ -7227,9 +7254,7 @@ spec:
ignore the update for the purpose it was designed. For
example - a controller that\nonly is responsible for
resizing capacity of the volume, should ignore PVC updates
that change other valid\nresources associated with PVC.\n\nThis
is an alpha field and requires enabling RecoverVolumeExpansionFailure
feature."
that change other valid\nresources associated with PVC."
type: object
capacity:
additionalProperties:
Expand Down Expand Up @@ -7362,9 +7387,10 @@ spec:
operator:
description: |-
Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal.
Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
Exists is equivalent to wildcard for value, so that a pod can
tolerate all taints of a particular category.
Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
type: string
tolerationSeconds:
description: |-
Expand Down Expand Up @@ -8256,7 +8282,7 @@ spec:
resources:
description: |-
resources represents the minimum resources the volume should have.
If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
Users are allowed to specify resource requirements
that are lower than previous value but must still be higher than capacity recorded in the
status field of the claim.
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
Expand Down Expand Up @@ -9135,6 +9161,24 @@ spec:
description: Kubelet's generated CSRs will be
addressed to this signer.
type: string
userAnnotations:
additionalProperties:
type: string
description: |-
userAnnotations allow pod authors to pass additional information to
the signer implementation. Kubernetes does not restrict or validate this
metadata in any way.

These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
the PodCertificateRequest objects that Kubelet creates.

Entries are subject to the same validation as object metadata annotations,
with the addition that all keys must be domain-prefixed. No restrictions
are placed on values, except an overall size limitation on the entire field.

Signers should document the keys and values they support. Signers should
deny requests that contain keys they do not recognize.
type: object
required:
- keyType
- signerName
Expand Down
2 changes: 1 addition & 1 deletion bundle/manifests/monitoring.rhobs_podmonitors.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
observability.openshift.io/api-support: TechPreview
operator.prometheus.io/version: 0.89.0-rhobs1
operator.prometheus.io/version: 0.90.1-rhobs1
creationTimestamp: null
labels:
app.kubernetes.io/part-of: observability-operator
Expand Down
2 changes: 1 addition & 1 deletion bundle/manifests/monitoring.rhobs_probes.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
observability.openshift.io/api-support: TechPreview
operator.prometheus.io/version: 0.89.0-rhobs1
operator.prometheus.io/version: 0.90.1-rhobs1
creationTimestamp: null
labels:
app.kubernetes.io/part-of: observability-operator
Expand Down
Loading
Loading