Skip to content

[WIP] OTA-1975: add products-data container and service to service products.json if present in graph-data image#270

Open
ankitathomas wants to merge 1 commit into
openshift:masterfrom
ankitathomas:products-data
Open

[WIP] OTA-1975: add products-data container and service to service products.json if present in graph-data image#270
ankitathomas wants to merge 1 commit into
openshift:masterfrom
ankitathomas:products-data

Conversation

@ankitathomas

@ankitathomas ankitathomas commented Jul 9, 2026

Copy link
Copy Markdown

Summary by CodeRabbit

  • New Features
    • Added a products data service to provide product lifecycle information.
    • The service is available on port 8082 and includes health monitoring.
    • Product lifecycle data is packaged and made available during development deployments.
  • Bug Fixes
    • Added service reconciliation to ensure the products data service is created and maintained correctly.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 9, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 9, 2026

Copy link
Copy Markdown

@ankitathomas: This pull request references OTA-1975 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 9, 2026
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Walkthrough

Adds a products-service container and ClusterIP Service, configures its deployment resources and health probes, reconciles the Service, and prepares product lifecycle data in the development image.

Changes

Products data service

Layer / File(s) Summary
Resource definitions
controllers/names.go, controllers/new.go
Adds products-data naming helpers and constructs the products-service container and port 8082 ClusterIP Service.
Deployment integration
controllers/new.go, controllers/testdata/resources/...
Adds the products-service container to the Deployment with mounts, resource limits, command arguments, and health probes, and updates the deployment fixture.
Reconciliation and image data
controllers/updateservice_controller.go, dev/Dockerfile
Reconciles the products-data Service and downloads products.json into the graph-data products directory during the image build.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant UpdateServiceReconciler
  participant KubernetesService
  participant products-service
  participant products.json
  UpdateServiceReconciler->>KubernetesService: ensure products-data Service
  KubernetesService->>products-service: route port 8082 traffic
  products-service->>products.json: read products data
Loading

Suggested reviewers: hongkailiu

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding a products-data container and service to serve products.json when present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No changed files add Ginkgo titles; the touched files are implementation/fixture code, and controller tests use static Test* names.
Test Structure And Quality ✅ Passed PR only changes production code and a fixture; repo tests are plain testing.T with no Ginkgo/Gomega or Eventually/Consistently usage.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the patch only changes controller/runtime code, a fixture YAML, and a Dockerfile, with no It/Describe/Context/When blocks.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests were added; the diff only changes controller code, a YAML fixture, and Dockerfile logic, with no multi-node assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: the new products container/service adds no nodeSelector, affinity, topologySpreadConstraints, or risky PDB; the Deployment keeps maxUnavailable at 50%.
Ote Binary Stdout Contract ✅ Passed No stdout writes were added in touched code; main/TestMain use controller-runtime loggers, which default to stderr, not stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in the diff; only controller code, a fixture YAML, and a Dockerfile changed, so the IPv4/external-connectivity check is not applicable.
No-Weak-Crypto ✅ Passed Diff only adds a sha256 checksum helper; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons found.
Container-Privileges ✅ Passed No added privileged, host*, SYS_ADMIN, or allowPrivilegeEscalation settings; the new products container has no securityContext and the Dockerfile only affects build-time files.
No-Sensitive-Data-In-Logs ✅ Passed The added products-data code and Dockerfile contain no new log statements or sensitive fields; only resource/service definitions were introduced.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ankitathomas
Once this PR has been reviewed and has the lgtm label, please assign pratikmahajan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

…resent in graph-data image

Signed-off-by: Ankita Thomas <ankithom@redhat.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
controllers/new.go (1)

1040-1133: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider avoiding repeated magic port literal and hardcoded bind address.

8082 is repeated 5 times across Args/Ports/Probes/Service, and "::" is hardcoded rather than sourced from a ConfigMap/env like ADDRESS is for policy-engine. Extracting a shared constant for the port would reduce drift risk, and aligning the address with the existing env-config pattern would improve consistency with the rest of the file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/new.go` around lines 1040 - 1133, Update
newProductsServiceContainer and newProductsService to use a shared named
constant for port 8082 across arguments, container/service ports, and probes,
and replace the hardcoded "::" bind address with the file’s established
ConfigMap or environment-based ADDRESS pattern used by policy-engine.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controllers/new.go`:
- Line 1063: Update newProductsServiceContainer to use dedicated minimal volume
mounts instead of newGraphBuilderVolumeMounts(instance). Mount only the
cincinnati-graph-data volume at the products graph-data path needed to serve
products.json, excluding /etc/configs, pull-secret, and trusted-ca; then update
the affected deployment fixture to match.

In `@dev/Dockerfile`:
- Around line 7-10: Update the products.json setup commands so curl treats
non-2xx responses as failures and uses the existing empty-object fallback, then
remove the unconditional `|| true` from the mkdir/mv command. Ensure directory
creation and moving products.json fail the image build when placement is
unsuccessful.

---

Nitpick comments:
In `@controllers/new.go`:
- Around line 1040-1133: Update newProductsServiceContainer and
newProductsService to use a shared named constant for port 8082 across
arguments, container/service ports, and probes, and replace the hardcoded "::"
bind address with the file’s established ConfigMap or environment-based ADDRESS
pattern used by policy-engine.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3700c0d7-8643-43c6-b35b-5beb34cbac30

📥 Commits

Reviewing files that changed from the base of the PR and between 0c73b3c and 12324be.

📒 Files selected for processing (5)
  • controllers/names.go
  • controllers/new.go
  • controllers/testdata/resources/zz_fixture_Test_newKubeResources_deployment.yaml
  • controllers/updateservice_controller.go
  • dev/Dockerfile

Comment thread controllers/new.go
Protocol: corev1.ProtocolTCP,
},
},
VolumeMounts: k.newGraphBuilderVolumeMounts(instance),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Products container is over-mounted with unrelated secrets/config.

newProductsServiceContainer reuses k.newGraphBuilderVolumeMounts(instance) wholesale, which (per the fixture) mounts /etc/configs (gb.toml), pull-secret (registry credentials), and trusted-ca in addition to cincinnati-graph-data. The products-service only needs read access to /var/lib/cincinnati/graph-data/products to serve products.json; there's no evident need for registry pull-secret or trusted CA material in this container. This unnecessarily widens the container's access to sensitive data (registry credentials) for a component whose only job is serving a static JSON file.

🔒 Proposed fix: dedicated, minimal volume mounts
-		VolumeMounts: k.newGraphBuilderVolumeMounts(instance),
+		VolumeMounts: []corev1.VolumeMount{
+			{
+				MountPath: "/var/lib/cincinnati/graph-data",
+				Name:      "cincinnati-graph-data",
+			},
+		},

Note: the fixture file controllers/testdata/resources/zz_fixture_Test_newKubeResources_deployment.yaml will need updating to match once this is fixed.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
VolumeMounts: k.newGraphBuilderVolumeMounts(instance),
VolumeMounts: []corev1.VolumeMount{
{
MountPath: "/var/lib/cincinnati/graph-data",
Name: "cincinnati-graph-data",
},
},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/new.go` at line 1063, Update newProductsServiceContainer to use
dedicated minimal volume mounts instead of
newGraphBuilderVolumeMounts(instance). Mount only the cincinnati-graph-data
volume at the products graph-data path needed to serve products.json, excluding
/etc/configs, pull-secret, and trusted-ca; then update the affected deployment
fixture to match.

Comment thread dev/Dockerfile
Comment on lines +7 to +10
RUN curl -L -o products.json https://access.redhat.com/product-life-cycles/api/v2/products || echo "{}" > products.json

RUN mkdir -p /var/lib/cincinnati-graph-data/products && mv products.json /var/lib/cincinnati-graph-data/products/ || true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Curl/mv failures are silently swallowed — build succeeds even when products.json fetch/placement fails.

  • Line 7: curl lacks -f/--fail, so a non-2xx HTTP response (e.g. API outage, 404/500) still exits 0 and its body gets written into products.json instead of triggering the {} fallback.
  • Line 9: || true swallows any mkdir/mv failure, so the build succeeds even if products.json never ends up under /products/, leaving products-service without data at runtime with no build-time signal.
🛠️ Proposed fix
-RUN curl -L -o products.json https://access.redhat.com/product-life-cycles/api/v2/products || echo "{}" > products.json
+RUN curl -f -L -o products.json https://access.redhat.com/product-life-cycles/api/v2/products || echo "{}" > products.json

-RUN mkdir -p /var/lib/cincinnati-graph-data/products && mv products.json /var/lib/cincinnati-graph-data/products/ || true
+RUN mkdir -p /var/lib/cincinnati-graph-data/products && mv products.json /var/lib/cincinnati-graph-data/products/
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RUN curl -L -o products.json https://access.redhat.com/product-life-cycles/api/v2/products || echo "{}" > products.json
RUN mkdir -p /var/lib/cincinnati-graph-data/products && mv products.json /var/lib/cincinnati-graph-data/products/ || true
RUN curl -f -L -o products.json https://access.redhat.com/product-life-cycles/api/v2/products || echo "{}" > products.json
RUN mkdir -p /var/lib/cincinnati-graph-data/products && mv products.json /var/lib/cincinnati-graph-data/products/
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dev/Dockerfile` around lines 7 - 10, Update the products.json setup commands
so curl treats non-2xx responses as failures and uses the existing empty-object
fallback, then remove the unconditional `|| true` from the mkdir/mv command.
Ensure directory creation and moving products.json fail the image build when
placement is unsuccessful.

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@ankitathomas: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/operator-e2e-old-ocp-published-graph-data 12324be link true /test operator-e2e-old-ocp-published-graph-data
ci/prow/operator-e2e-hypershift-local-graph-data 12324be link true /test operator-e2e-hypershift-local-graph-data
ci/prow/operator-e2e-new-ocp-published-graph-data 12324be link true /test operator-e2e-new-ocp-published-graph-data
ci/prow/operator-e2e-new-ocp-published-graph-data-fips 12324be link true /test operator-e2e-new-ocp-published-graph-data-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants