Skip to content

security(olm): Manual InstallPlan approval for ESO and VSO (FIND-010)#75

Closed
pinikomarov wants to merge 1 commit into
openstack-k8s-operators:mainfrom
pinikomarov:glasswing/find-010-manual-subscriptions
Closed

security(olm): Manual InstallPlan approval for ESO and VSO (FIND-010)#75
pinikomarov wants to merge 1 commit into
openstack-k8s-operators:mainfrom
pinikomarov:glasswing/find-010-manual-subscriptions

Conversation

@pinikomarov

Copy link
Copy Markdown
Contributor

Summary

Addresses OSPRH-32422 / FIND-010: OLM Subscriptions use Automatic install-plan approval and floating channel without startingCSV.

  • Switch ESO and VSO Subscriptions from Automatic to Manual install-plan approval — OLM no longer silently installs new operator versions without Git-reviewed consent. These operators hold secret-access credentials, making unreviewed upgrades a K07 (Vulnerable/Unverified Components) risk.
  • Pin startingCSV to currently deployed versions:
    • ESO (Red Hat): openshift-external-secrets-operator.v1.1.0 (via patch-subscription-redhat.json)
    • VSO: vault-secrets-operator.v0.10.0
  • Add components/utilities/approve-installplan-generic — a lightweight Kustomize Component (Job + RBAC, sync-wave 1) that approves all pending Manual InstallPlans in openshift-operators and waits for completion. Unlike the openstack-specific approve-installplan component, this one carries no openstack CRD dependency checks.
  • Wire the generic approver into both ESO (redhat) and VSO components with sync-wave 0 on their Subscriptions.
  • Add Dependabot docker entry for approve-installplan-generic to track the ose-tools-rhel9 image digest weekly.

The openshift-gitops-operator subscription is intentionally left as Automatic: it is applied by the Ansible bootstrap before ArgoCD exists, so no GitOps Job can approve a Manual InstallPlan at that stage. An inline comment explains this exception.

Upgrading ESO or VSO now requires a Git PR bumping startingCSV — the PR review is the human gate (K07 compliant). No Renovate/Dependabot datasource exists for OLM OperatorHub CSVs.

Changed files

  • components/secrets/external-secrets-operator/community/subscription.yamlinstallPlanApproval: Manual
  • components/secrets/external-secrets-operator/redhat/patch-subscription-redhat.json — add startingCSV: openshift-external-secrets-operator.v1.1.0
  • components/secrets/external-secrets-operator/redhat/kustomization.yaml — wire approve-installplan-generic, sync-wave patch
  • components/secrets/vault-secrets-operator/subscription.yamlinstallPlanApproval: Manual, startingCSV: vault-secrets-operator.v0.10.0
  • components/secrets/vault-secrets-operator/kustomization.yaml — wire approve-installplan-generic, sync-wave patch
  • components/utilities/approve-installplan-generic/ — new generic approver component (job, rbac, kustomization)
  • openshift-gitops.deploy/subscribe/subscription.yaml — stays Automatic with explanatory comment
  • .github/dependabot.yml — add docker entry for approve-installplan-generic

Test plan

  • kustomize build resources/external-secrets-operator/redhat — Subscription shows installPlanApproval: Manual, startingCSV: openshift-external-secrets-operator.v1.1.0, Job in sync-wave 1
  • kustomize build resources/vault-secrets-operator — Subscription shows installPlanApproval: Manual, startingCSV: vault-secrets-operator.v0.10.0, Job in sync-wave 1
  • CI pipeline: operator-dependencies and subscribe-vault-secrets-operator apps sync successfully with Manual approval

🤖 Generated with Claude Code

@pinikomarov pinikomarov force-pushed the glasswing/find-010-manual-subscriptions branch 7 times, most recently from d461cf5 to d59f403 Compare July 9, 2026 14:03
…22 / FIND-010)

Switch ESO and VSO Subscriptions from Automatic to Manual install-plan
approval so OLM no longer silently installs new operator versions without
Git-reviewed consent. These operators hold secret-access credentials,
making unreviewed upgrades a K07 (Vulnerable/Unverified Components) risk.

  - components/secrets/vault-secrets-operator/subscription.yaml
  - components/secrets/external-secrets-operator/community/subscription.yaml

The openshift-gitops-operator subscription is intentionally left as
Automatic: it is applied by the Ansible bootstrap before ArgoCD exists,
so no GitOps Job can approve a Manual InstallPlan at that stage. Upgrade
gating for that operator is handled via the openshift_gitops_deploy_git_ref
pin in the automation repo.

Add components/utilities/approve-installplan-generic — a lightweight
Kustomize Component (Job + RBAC, sync-wave 1) that approves all pending
Manual InstallPlans in openshift-operators and waits for completion.
Unlike the openstack-specific approve-installplan component, this one
carries no openstack CRD dependency checks. Wire it into:
  - components/secrets/vault-secrets-operator (subscription → wave 0)
  - components/secrets/external-secrets-operator/redhat (subscription → wave 0)

Add Dependabot docker entry for approve-installplan-generic to track the
ose-tools-rhel9 image digest weekly, matching the existing pattern.

startingCSV pinning is managed manually via PR when operators are
intentionally upgraded — no Renovate/Dependabot datasource exists for
OLM OperatorHub CSVs. The PR review is the human gate (K07 compliant).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@pinikomarov pinikomarov force-pushed the glasswing/find-010-manual-subscriptions branch from d59f403 to e046542 Compare July 9, 2026 19:51
@pinikomarov pinikomarov closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant