security(olm): Manual InstallPlan approval for ESO and VSO (FIND-010)#75
Closed
pinikomarov wants to merge 1 commit into
Closed
Conversation
d461cf5 to
d59f403
Compare
…22 / FIND-010) Switch ESO and VSO Subscriptions from Automatic to Manual install-plan approval so OLM no longer silently installs new operator versions without Git-reviewed consent. These operators hold secret-access credentials, making unreviewed upgrades a K07 (Vulnerable/Unverified Components) risk. - components/secrets/vault-secrets-operator/subscription.yaml - components/secrets/external-secrets-operator/community/subscription.yaml The openshift-gitops-operator subscription is intentionally left as Automatic: it is applied by the Ansible bootstrap before ArgoCD exists, so no GitOps Job can approve a Manual InstallPlan at that stage. Upgrade gating for that operator is handled via the openshift_gitops_deploy_git_ref pin in the automation repo. Add components/utilities/approve-installplan-generic — a lightweight Kustomize Component (Job + RBAC, sync-wave 1) that approves all pending Manual InstallPlans in openshift-operators and waits for completion. Unlike the openstack-specific approve-installplan component, this one carries no openstack CRD dependency checks. Wire it into: - components/secrets/vault-secrets-operator (subscription → wave 0) - components/secrets/external-secrets-operator/redhat (subscription → wave 0) Add Dependabot docker entry for approve-installplan-generic to track the ose-tools-rhel9 image digest weekly, matching the existing pattern. startingCSV pinning is managed manually via PR when operators are intentionally upgraded — no Renovate/Dependabot datasource exists for OLM OperatorHub CSVs. The PR review is the human gate (K07 compliant). Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
d59f403 to
e046542
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses OSPRH-32422 / FIND-010: OLM Subscriptions use Automatic install-plan approval and floating channel without startingCSV.
AutomatictoManualinstall-plan approval — OLM no longer silently installs new operator versions without Git-reviewed consent. These operators hold secret-access credentials, making unreviewed upgrades a K07 (Vulnerable/Unverified Components) risk.startingCSVto currently deployed versions:openshift-external-secrets-operator.v1.1.0(viapatch-subscription-redhat.json)vault-secrets-operator.v0.10.0components/utilities/approve-installplan-generic— a lightweight Kustomize Component (Job + RBAC, sync-wave 1) that approves all pending Manual InstallPlans inopenshift-operatorsand waits for completion. Unlike the openstack-specificapprove-installplancomponent, this one carries no openstack CRD dependency checks.dockerentry forapprove-installplan-genericto track theose-tools-rhel9image digest weekly.The
openshift-gitops-operatorsubscription is intentionally left asAutomatic: it is applied by the Ansible bootstrap before ArgoCD exists, so no GitOps Job can approve a Manual InstallPlan at that stage. An inline comment explains this exception.Upgrading ESO or VSO now requires a Git PR bumping
startingCSV— the PR review is the human gate (K07 compliant). No Renovate/Dependabot datasource exists for OLM OperatorHub CSVs.Changed files
components/secrets/external-secrets-operator/community/subscription.yaml—installPlanApproval: Manualcomponents/secrets/external-secrets-operator/redhat/patch-subscription-redhat.json— addstartingCSV: openshift-external-secrets-operator.v1.1.0components/secrets/external-secrets-operator/redhat/kustomization.yaml— wire approve-installplan-generic, sync-wave patchcomponents/secrets/vault-secrets-operator/subscription.yaml—installPlanApproval: Manual,startingCSV: vault-secrets-operator.v0.10.0components/secrets/vault-secrets-operator/kustomization.yaml— wire approve-installplan-generic, sync-wave patchcomponents/utilities/approve-installplan-generic/— new generic approver component (job, rbac, kustomization)openshift-gitops.deploy/subscribe/subscription.yaml— stays Automatic with explanatory comment.github/dependabot.yml— add docker entry for approve-installplan-genericTest plan
kustomize build resources/external-secrets-operator/redhat— Subscription showsinstallPlanApproval: Manual,startingCSV: openshift-external-secrets-operator.v1.1.0, Job in sync-wave 1kustomize build resources/vault-secrets-operator— Subscription showsinstallPlanApproval: Manual,startingCSV: vault-secrets-operator.v0.10.0, Job in sync-wave 1operator-dependenciesandsubscribe-vault-secrets-operatorapps sync successfully with Manual approval🤖 Generated with Claude Code