utils

package
v0.0.0-...-224a2a6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 16, 2026 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Overview

Package utils provides shared utility functions, types, and constants used across the OpenShift Lightspeed operator components.

This package contains:

  • Constants for resource names, labels, and annotations
  • Error constants for consistent error handling
  • Helper functions for Kubernetes resource operations
  • Status condition utilities
  • TLS certificate validation
  • OpenShift version detection
  • Configuration data structures for OLS components

The utilities in this package are designed to be reusable across all operator components (`appserver`, `postgres`, `console`) and promote consistency in resource naming, labeling, and error handling throughout the codebase.

Index

Constants

View Source
const (
	/*** Volume Permissions ***/
	// VolumeDefaultMode is the default permission for mounted volumes (0644 - read/write for owner, read-only for group/others)
	VolumeDefaultMode = int32(420)
	// VolumeRestrictedMode is for sensitive volumes like secrets (0600 - read/write for owner only)
	VolumeRestrictedMode = int32(0600)

	/*** Operator Settings ***/
	// OLSConfigName is the name of the OLSConfig Custom Resource
	OLSConfigName = "cluster"
	// OLSConfigKind is the Kind of the OLSConfig Custom Resource
	OLSConfigKind = "OLSConfig"
	// OLSConfigAPIVersion is the APIVersion of the OLSConfig Custom Resource
	OLSConfigAPIVersion = "ols.openshift.io/v1alpha1"
	// OLSConfigFinalizer is the finalizer for OLSConfig CR to ensure proper cleanup
	OLSConfigFinalizer = "ols.openshift.io/finalizer"
	// OperatorCertDirDefault is the default directory for storing the operator certificate
	OperatorCertDirDefault = "/etc/tls/private"
	// OperatorCertNameDefault is the default name of the operator certificate
	OperatorCertNameDefault = "tls.crt"
	// OperatorKeyNameDefault is the default name of the operator key
	OperatorKeyNameDefault = "tls.key"
	// OperatorCACertPathDefault is the default path to the CA certificate
	OperatorCACertPathDefault = "/etc/tls/private/ca.crt"
	// ClientCACmName is the name of the client CA configmap
	ClientCACmName = "metrics-client-ca"
	// ClientCACmNamespace is the namespace of the client CA configmap
	ClientCACmNamespace = "openshift-monitoring"
	// ClientCACertKey is the key of the client CA certificate in the configmap
	ClientCACertKey = "client-ca.crt"
	// ResourceCreationTimeout is the maximum time in seconds operator waiting for creating resources
	ResourceCreationTimeout = 60 * time.Second
	// EnvTestCRDInstallMaxTime is the envtest CRD install wait budget for unit-test suites.
	// CI runs package tests in parallel; the default envtest deadline is too tight.
	EnvTestCRDInstallMaxTime = 3 * time.Minute

	/*** application server configuration file ***/
	// OLSConfigName is the name of the OLSConfig configmap
	OLSConfigCmName = "olsconfig"
	// OLSCAConfigMap is the name of the OLS TLS ca certificate configmap
	OLSCAConfigMap = "openshift-service-ca.crt"
	// OLSNamespaceDefault is the default namespace for OLS
	OLSNamespaceDefault = "openshift-lightspeed"
	// OLSAppServerServiceAccountName is the name of service account running the application server
	OLSAppServerServiceAccountName = "lightspeed-app-server"
	// OLSAppServerSARRoleName is the name of the SAR role for the service account running the application server
	OLSAppServerSARRoleName = OLSAppServerServiceAccountName + "-sar-role"
	// OLSAppServerSARRoleBindingName is the name of the SAR role binding for the service account running the application server
	OLSAppServerSARRoleBindingName = OLSAppServerSARRoleName + "-binding"
	// OLSAppServerDeploymentName is the name of the OLS application server deployment
	OLSAppServerDeploymentName = "lightspeed-app-server"
	// APIKeyMountRoot is the directory hosting the API key file in the container
	APIKeyMountRoot = "/etc/apikeys" // #nosec G101
	// CredentialsMountRoot is the directory hosting the credential files in the container
	CredentialsMountRoot = "/etc/credentials"
	// OLSAppCertsMountRoot is the directory hosting the cert files in the container
	OLSAppCertsMountRoot = "/etc/certs"
	// OLSConfigMountRoot is the directory hosting the OLS configuration files in the container
	OLSConfigMountRoot = "/etc/ols"
	// OLSComponentPasswordFileName is the generic name of the password file for each of its components
	OLSComponentPasswordFileName = "password"
	// OLSConfigFilename is the name of the application server configuration file
	OLSConfigFilename = "olsconfig.yaml"
	// AppServerServiceMonitorName is the name of the service monitor for the OLS application server
	AppServerServiceMonitorName = "lightspeed-app-server-monitor"
	// AppServerPrometheusRuleName is the name of the prometheus rules for the OLS application server
	AppServerPrometheusRuleName = "lightspeed-app-server-prometheus-rule"
	// AppServerMetricsPath is the path of the metrics endpoint of the OLS application server
	AppServerMetricsPath = "/metrics"
	// AppAdditionalCACertDir is the directory for storing additional CA certificates in the app server container under OLSAppCertsMountRoot
	AppAdditionalCACertDir = "ols-additional-ca"
	// UserCACertDir is the directory for storing additional CA certificates in the app server container under OLSAppCertsMountRoot
	UserCACertDir = "ols-user-ca"
	// OpenShiftCAVolumeName is the name of the volume for OpenShift CA certificates
	OpenShiftCAVolumeName = "openshift-ca"
	// AdditionalCAVolumeName is the name of the volume for additional CA certificates provided by the user
	AdditionalCAVolumeName = "additional-ca"
	// CertBundleVolumeName is the name of the volume for the certificate bundle
	CertBundleVolumeName = "cert-bundle"
	// ProxyCACertFileName is the name of the proxy CA certificate file
	ProxyCACertFileName = "proxy-ca.crt"
	// ProxyCACertVolumeName is the name of the volume for the proxy CA certificate
	ProxyCACertVolumeName = "proxy-ca"
	// RAGVolumeName is the name of the volume hosting customized RAG content
	RAGVolumeName = "rag"
	// RAGVolumeMountPath is the path of the volume hosting customized RAG content
	RAGVolumeMountPath = "/rag-data"
	// OLSAppServerNetworkPolicyName is the name of the network policy for the OLS application server
	OLSAppServerNetworkPolicyName = "lightspeed-app-server"
	// FeatureGateMCPServer is the feature gate flag activating the MCP server
	FeatureGateMCPServer = "MCPServer"
	// FeatureGateToolFiltering is the feature gate flag activating tool filtering
	FeatureGateToolFiltering = "ToolFiltering"
	// OLSConfigHashKey is the key of the hash value of the OLSConfig configmap
	OLSConfigHashKey = "hash/olsconfig"
	// LLMProviderHashKey is the key of the hash value of OLS LLM provider credentials consolidated
	// #nosec G101
	LLMProviderHashKey = "hash/llmprovider"
	// OLSAppTLSHashKey is the key of the hash value of the OLS App TLS certificates
	OLSAppTLSHashKey = "hash/olstls"
	// OLSConsoleTLSHashKey is the key of the hash value of the OLS Console TLS certificates
	OLSConsoleTLSHashKey = "hash/olsconsoletls"
	// AdditionalCAHashKey is the key of the hash value of the additional CA certificates in the deployment annotations
	AdditionalCAHashKey = "hash/additionalca"
	// ProxyCACertHashAnnotation is the annotation key for tracking Proxy CA certificate content hash.
	ProxyCACertHashAnnotation = "ols.openshift.io/proxy-ca-configmap-hash"
	// OLSAppServerContainerPort is the port number of the lightspeed-service-api container exposes
	OLSAppServerContainerPort = 8443
	// OLSAppServerServicePort is the port number for OLS application server service.
	OLSAppServerServicePort = 8443
	// OLSAppServerServiceName is the name of the OLS application server service
	OLSAppServerServiceName = "lightspeed-app-server"
	// OLSCertsSecretName is the name of the TLS secret for OLS.
	OLSCertsSecretName = "lightspeed-tls" // #nosec G101
	// Annotation key for serving certificate secret name
	// #nosec G101
	ServingCertSecretAnnotationKey = "service.beta.openshift.io/serving-cert-secret-name"
	// DefaultCredentialKey is the default secret key name for provider credentials
	DefaultCredentialKey = "apitoken"
	// BedrockAccessKeyIDKey is the secret key for AWS access key ID (Bedrock IAM auth)
	BedrockAccessKeyIDKey = "aws_access_key_id"
	// BedrockSecretAccessKeyKey is the secret key for AWS secret access key (Bedrock IAM auth)
	BedrockSecretAccessKeyKey = "aws_secret_access_key" // #nosec G101
	// BedrockRoleARNKey is the optional secret key for STS role ARN (Bedrock IAM auth)
	BedrockRoleARNKey = "role_arn"
	// AzureOpenAIType is the name of the Azure OpenAI provider type
	AzureOpenAIType = "azure_openai"
	// FakeProviderType is the name of the fake provider type used for testing
	FakeProviderType = "fake_provider"
	// GoogleVertexType is the name of the Google Vertex generic provider type
	GoogleVertexType = "google_vertex"
	// GoogleVertexAnthropicType is the name of the Google Vertex Anthropic provider type
	GoogleVertexAnthropicType = "google_vertex_anthropic"
	// BedrockType is the name of the AWS Bedrock provider type
	BedrockType = "bedrock"
	// DeploymentInProgress message
	DeploymentInProgress = "In Progress"
	// OLSSystemPromptFileName is the filename for the system prompt
	OLSSystemPromptFileName = "system_prompt"
	// BYOK image stream annotation on the app server deployment
	OLSAppServerImageStreamTriggerAnnotation = "image.openshift.io/triggers"

	/*** console UI plugin ***/
	// ConsoleUIConfigMapName is the name of the console UI nginx configmap
	ConsoleUIConfigMapName = "lightspeed-console-plugin"
	// ConsoleUIServiceCertSecretName is the name of the console UI service certificate secret
	ConsoleUIServiceCertSecretName = "lightspeed-console-plugin-cert"
	// ConsoleUIServiceName is the name of the console UI service
	ConsoleUIServiceName = "lightspeed-console-plugin"
	// ConsoleUIDeploymentName is the name of the console UI deployment
	ConsoleUIDeploymentName = "lightspeed-console-plugin"
	// ConsoleUIHTTPSPort is the port number of the console UI service
	ConsoleUIHTTPSPort = 9443
	// ConsoleUIPluginName is the name of the console UI plugin
	ConsoleUIPluginName = "lightspeed-console-plugin"
	// ConsoleUIPluginDisplayName is the display name of the console UI plugin
	ConsoleUIPluginDisplayName = "Lightspeed Console"
	// ConsoleUIServiceAccountName is the name of the service account for the console UI plugin
	ConsoleUIServiceAccountName = "lightspeed-console-plugin"
	// ConsoleCRName is the name of the console custom resource
	ConsoleCRName = "cluster"
	// ConsoleProxyAlias is the alias of the console proxy
	// The console backend exposes following proxy endpoint: /api/proxy/plugin/<plugin-name>/<proxy-alias>/<request-path>?<optional-query-parameters>
	ConsoleProxyAlias = "ols"
	// ConsoleUINetworkPolicyName is the name of the network policy for the console UI plugin
	ConsoleUINetworkPolicyName = "lightspeed-console-plugin"

	/*** agentic console UI plugin ***/
	// AgenticConsoleUIConfigMapName is the name of the agentic console UI nginx configmap
	AgenticConsoleUIConfigMapName = "lightspeed-agentic-console-plugin"
	// AgenticConsoleUIServiceCertSecretName is the name of the agentic console UI service certificate secret
	AgenticConsoleUIServiceCertSecretName = "lightspeed-agentic-console-plugin-cert"
	// AgenticConsoleUIServiceName is the name of the agentic console UI service
	AgenticConsoleUIServiceName = "lightspeed-agentic-console-plugin"
	// AgenticConsoleUIDeploymentName is the name of the agentic console UI deployment
	AgenticConsoleUIDeploymentName = "lightspeed-agentic-console-plugin"
	// AgenticConsoleUIHTTPSPort is the port number of the agentic console UI service
	AgenticConsoleUIHTTPSPort = 9443
	// AgenticConsoleUIPluginName is the name of the agentic console UI plugin
	AgenticConsoleUIPluginName = "lightspeed-agentic-console-plugin"
	// AgenticConsoleUIPluginDisplayName is the display name of the agentic console UI plugin
	AgenticConsoleUIPluginDisplayName = "OpenShift Lightspeed Agentic Console Plugin"
	// AgenticConsoleUIServiceAccountName is the name of the service account for the agentic console UI plugin
	AgenticConsoleUIServiceAccountName = "lightspeed-agentic-console-plugin"
	// AgenticConsoleUINetworkPolicyName is the name of the network policy for the agentic console UI plugin
	AgenticConsoleUINetworkPolicyName = "lightspeed-agentic-console-plugin"
	// AgenticConsoleUIContainerName is the name of the agentic console UI container
	AgenticConsoleUIContainerName = "console"
	/*** watchers ***/
	// Watcher Annotation key
	WatcherAnnotationKey = "ols.openshift.io/watcher"
	// ConfigMap with default openshift certificates
	DefaultOpenShiftCerts = "kube-root-ca.crt"
	// Force reload annotation key
	ForceReloadAnnotationKey = "ols.openshift.io/force-reload"
	/*** Postgres Constants ***/
	// PostgresCAVolume is the name of the OLS Postgres TLS ca certificate volume name
	PostgresCAVolume = "cm-olspostgresca"
	// PostgresDeploymentName is the name of OLS application Postgres deployment
	PostgresDeploymentName = "lightspeed-postgres-server"
	// PostgresWaitInitContainerName is the name of the init container that waits for Postgres to accept connections
	PostgresWaitInitContainerName = "wait-for-postgres"
	// PostgresSecretKeyName is the name of the key holding Postgres server secret
	PostgresSecretKeyName = "password"
	// PostgresDefaultUser is the default user name for postgres
	PostgresDefaultUser = "postgres"
	// PostgresDefaultDbName is the default db name for Postgres
	PostgresDefaultDbName = "postgres"
	// PostgresConfigHashKey is the key of the hash value of the OLS's Postgres config
	PostgresConfigHashKey = "hash/olspostgresconfig"
	// PostgresSecretHashKey is the key of the hash value of OLS Postgres secret
	// #nosec G101
	PostgresSecretHashKey = "hash/postgres-secret"
	// PostgresConfigMapResourceVersionAnnotation is the annotation key for tracking ConfigMap ResourceVersion
	PostgresConfigMapResourceVersionAnnotation = "ols.openshift.io/postgres-configmap-version"
	// PostgresSecretResourceVersionAnnotation is the annotation key for tracking Secret ResourceVersion
	//nolint:gosec // G101: This is an annotation key name, not a credential
	PostgresSecretResourceVersionAnnotation = "ols.openshift.io/postgres-secret-version"
	// PostgresServiceName is the name of OLS application Postgres server service
	PostgresServiceName = "lightspeed-postgres-server"
	// OtelCollectorServiceName is the in-cluster OTEL Collector Service for OTLP from OLS.
	OtelCollectorServiceName = "lightspeed-otel-collector"
	// OtelCollectorGRPCPort is the OTLP gRPC port exposed by the OTEL Collector Service.
	OtelCollectorGRPCPort = 4317
	// PostgresSecretName is the name of OLS application Postgres secret
	PostgresSecretName = "lightspeed-postgres-secret"
	// PostgresCertsSecretName is the name of the Postgres certs secret
	PostgresCertsSecretName = "lightspeed-postgres-certs"
	// PostgresBootstrapSecretName is the name of the Postgres bootstrap secret
	// #nosec G101
	PostgresBootstrapSecretName = "lightspeed-postgres-bootstrap"
	// PostgresBootstrapVolumeMountPath is the path of bootstrap volume mount
	PostgresBootstrapVolumeMountPath = "/usr/share/container-scripts/postgresql/start/create-extensions.sh"
	// PostgresExtensionScript is the name of the Postgres extensions script
	PostgresExtensionScript = "create-extensions.sh"
	// PostgresConfigMap is the name of the Postgres config map
	PostgresConfigMap = "lightspeed-postgres-conf"
	// PostgresConfigVolumeMountPath is the path of Postgres configuration volume mount
	PostgresConfigVolumeMountPath = "/usr/share/pgsql/postgresql.conf.sample"
	// PostgresConfig is the name of Postgres configuration used to start the server
	PostgresConfig = "postgresql.conf.sample"
	// PostgresDataVolume is the name of Postgres data volume
	PostgresDataVolume = "postgres-data"
	// PostgresDataVolumeMountPath is the path of Postgres data volume mount
	PostgresDataVolumeMountPath = "/var/lib/pgsql"
	// PostgreVarRunVolumeName is the data volume name for the /var/run/postgresql writable mount
	PostgresVarRunVolumeName = "lightspeed-postgres-var-run"
	// PostgresVarRunVolumeMountPath is the path of Postgres data volume mount
	PostgresVarRunVolumeMountPath = "/var/run/postgresql"
	// PostgresServicePort is the port number of the OLS Postgres server service
	PostgresServicePort = 5432
	// PostgresSharedBuffers is the share buffers value for Postgres cache
	PostgresSharedBuffers = "256MB"
	// PostgresMaxConnections is the max connections values for Postgres cache
	PostgresMaxConnections = 2000
	// PostgresDefaultSSLMode is the default ssl mode for postgres
	PostgresDefaultSSLMode = "require"
	// PostgresBootStrapScriptContent is the postgres's bootstrap script content
	PostgresBootStrapScriptContent = `` /* 609-byte string literal not displayed */

	// PostgresConfigMapContent is the postgres's config content
	PostgresConfigMapContent = `` /* 159-byte string literal not displayed */

	// PostgresNetworkPolicyName is the name of the network policy for the OLS postgres server
	PostgresNetworkPolicyName = "lightspeed-postgres-server"

	/*** Alerts Adapter Constants ***/
	// AlertsAdapterDeploymentName is the name of the agentic alerts adapter deployment
	AlertsAdapterDeploymentName = "lightspeed-agentic-alerts-adapter"
	// AlertsAdapterServiceAccountName is the name of the alerts adapter service account
	AlertsAdapterServiceAccountName = "lightspeed-agentic-alerts-adapter"
	// AlertsAdapterContainerName is the name of the alerts adapter container
	AlertsAdapterContainerName = "adapter"
	// AlertsAdapterNetworkPolicyName is the name of the network policy for the alerts adapter
	AlertsAdapterNetworkPolicyName = "lightspeed-agentic-alerts-adapter"
	// AlertsAdapterAgenticRunsClusterRoleName is the cluster role granting AgenticRun create/list/get
	AlertsAdapterAgenticRunsClusterRoleName = "lightspeed-agentic-alerts-adapter-agenticruns"
	// AlertsAdapterAgenticRunsClusterRoleBindingName binds the AgenticRun ClusterRole to the alerts adapter SA
	AlertsAdapterAgenticRunsClusterRoleBindingName = "lightspeed-agentic-alerts-adapter-agenticruns"
	// AlertsAdapterLegacyProposalsClusterRoleName is the pre-OLS-3475 ClusterRole name removed on reconcile
	AlertsAdapterLegacyProposalsClusterRoleName = "lightspeed-agentic-alerts-adapter-proposals"
	// AlertsAdapterAlertmanagerRoleBindingName is the RoleBinding in openshift-monitoring for Alertmanager read access
	AlertsAdapterAlertmanagerRoleBindingName = "lightspeed-agentic-alerts-adapter-alertmanager"
	// AlertsAdapterConfigMapName is the ConfigMap holding runtime adapter settings (poll interval, cooldown, tools)
	AlertsAdapterConfigMapName = "alerts-adapter-config"
	// AlertsAdapterConfigMapDataKey is the key within AlertsAdapterConfigMapName for adapter YAML config
	AlertsAdapterConfigMapDataKey = "config.yaml"
	// AlertsAdapterConfigVolumeName is the pod volume name for the mounted runtime config ConfigMap
	AlertsAdapterConfigVolumeName = "config"
	// AlertsAdapterConfigVolumeMountPath is where the adapter reads mounted config.yaml
	AlertsAdapterConfigVolumeMountPath = "/etc/alerts-adapter"
	// AlertsAdapterConfigRoleName is the legacy Role name removed after config moved to a volume mount
	AlertsAdapterConfigRoleName = "lightspeed-agentic-alerts-adapter-config"
	// AlertsAdapterConfigRoleBindingName is the legacy RoleBinding name removed after config moved to a volume mount
	AlertsAdapterConfigRoleBindingName = "lightspeed-agentic-alerts-adapter-config"
	// MonitoringAlertmanagerViewRoleName is the OpenShift monitoring Role for read-only Alertmanager API access
	MonitoringAlertmanagerViewRoleName = "monitoring-alertmanager-view"
	// OpenShiftMonitoringNamespace is the namespace for platform monitoring RBAC and services
	OpenShiftMonitoringNamespace = "openshift-monitoring"
	// AlertsAdapterAlertmanagerURL is the in-cluster Alertmanager API base URL
	AlertsAdapterAlertmanagerURL = "https://alertmanager-main.openshift-monitoring.svc:9094"
	// AlertsAdapterAlertmanagerURLEnvVar is the deployment env var for the Alertmanager URL
	AlertsAdapterAlertmanagerURLEnvVar = "ALERTMANAGER_URL"
	// AlertsAdapterComponentLabel is the app.kubernetes.io/component label value for alerts adapter resources
	AlertsAdapterComponentLabel = "alerts-adapter"

	// PostgresPVCName is the name of the PVC for the OLS Postgres server
	PostgresPVCName = "lightspeed-postgres-pvc"

	// PostgresDefaultPVCSize is the default size of the PVC for the OLS Postgres server
	PostgresDefaultPVCSize = "1Gi"

	// PostgreServiceAccountName is the name of the service account for the OLS Postgres server
	PostgreServiceAccountName = "lightspeed-postgres-server"

	// TmpVolume is the data volume name for the /tmp writable mount
	TmpVolumeName = "tmp-writable-volume"
	// TmpVolumeMountPath is the path of the /tmp writable mount
	TmpVolumeMountPath = "/tmp"

	// TelemetryPullSecretNamespace "openshift-config" contains the telemetry pull secret to determine the enablement of telemetry
	// #nosec G101
	TelemetryPullSecretNamespace = "openshift-config"
	// TelemetryPullSecretName is the name of the secret containing the telemetry pull secret
	TelemetryPullSecretName = "pull-secret"

	/*** operator resources ***/
	// OperatorServiceMonitorName is the name of the service monitor for scraping the operator metrics
	OperatorServiceMonitorName = "controller-manager-metrics-monitor"
	// OperatorDeploymentName is the name of the operator deployment
	OperatorDeploymentName = "lightspeed-operator-controller-manager"
	OLSDefaultCacheType    = "postgres"
	// OperatorNetworkPolicyName is the name of the network policy for the operator
	OperatorNetworkPolicyName = "lightspeed-operator"
	// OperatorMetricsPort is the port number of the operator metrics endpoint
	OperatorMetricsPort = 8443
	// MetricsReaderServiceAccountTokenSecretName is the name of the secret containing the service account token for the metrics reader
	MetricsReaderServiceAccountTokenSecretName = "metrics-reader-token" // #nosec G101
	// MetricsReaderServiceAccountName is the name of the service account for the metrics reader
	MetricsReaderServiceAccountName = "lightspeed-operator-metrics-reader"
	// MCP server URL
	OpenShiftMCPServerURL = "http://localhost:%d/mcp"
	// MCP server port.
	OpenShiftMCPServerPort = 8080
	// RHOOKPHTTPPort is the Solr HTTP proxy port for the RH OKP sidecar (remapped from image default 8080).
	RHOOKPHTTPPort = 9080
	// RHOOKPHTTPSPort is the RH OKP Apache HTTPS port (remapped from image default 8443; OLS uses 8443).
	RHOOKPHTTPSPort = 9443
	// OCPClusterVersionEnvVar is read by lightspeed-service to resolve Solr chunk_filter_query at startup.
	OCPClusterVersionEnvVar = "OCP_CLUSTER_VERSION"
	// OLSRosaProductEnvVar is read by lightspeed-service to scope OKP retrieval on ROSA clusters.
	OLSRosaProductEnvVar = "OLS_ROSA_PRODUCT"
	// RosaOKPProductHCP is the OKP product identifier for ROSA hosted control planes.
	RosaOKPProductHCP = "red_hat_openshift_service_on_aws"
	// RosaOKPProductClassic is the OKP product identifier for ROSA classic architecture.
	RosaOKPProductClassic = "red_hat_openshift_service_on_aws_classic_architecture"
	// RHOOKPSolrCollection is the Solr core served by RHOKP (matches lightspeed-service portal-rag client).
	RHOOKPSolrCollection = "portal-rag"
	// RHOOKPReadinessHTTPPath hits the portal-rag core admin ping (Apache / alone is not Solr-ready).
	RHOOKPReadinessHTTPPath = "/solr/" + RHOOKPSolrCollection + "/admin/ping"
	// RHOKP startup probe: Solr can take several minutes on cold start (portal-rag core load).
	RHOOKPStartupProbeInitialDelaySeconds = 20
	RHOOKPStartupProbePeriodSeconds       = 10
	RHOOKPStartupProbeFailureThreshold    = 34 // 20s delay + 34*10s = 6 min before startup fails
	RHOOKPProbePeriodSeconds              = 10
	RHOOKPProbeTimeoutSeconds             = 5
	RHOOKPProbeFailureThreshold           = 3
	RHOOKPAccessKeySecretName             = "rhokp-access-key" // #nosec G101 -- user-created secret for RHOKP portal access
	RHOOKPAccessKeySecretKey              = "ACCESS_KEY"
	// RHOKP image Apache config paths (Listen directives remapped before mel start).
	RHOOKPHTTPDConfPath       = "/etc/httpd/conf/httpd.conf"
	RHOOKPHTTPDSSLConfPath    = "/etc/httpd/conf.d/ssl.conf"
	RHOOKPImageHTTPPort       = 8080
	RHOOKPImageHTTPSPort      = 8443
	RHOOKPContainerEntrypoint = "/usr/bin/container-entrypoint"
	RHOOKPMainCommand         = "/usr/local/bin/mel"
	// Solr hybrid defaults written to the OLS config file (not exposed on OLSConfig CR).
	SolrHybridMaxResultsDefault         = 5
	SolrHybridVectorBoostDefault        = 8.0
	SolrHybridPoolDocsDefault           = 100
	SolrHybridScoreThresholdDefault     = 0.0
	SolrHybridSolrTimeoutSecondsDefault = 60.0
	// MCP server timeout, sec
	OpenShiftMCPServerTimeout = 60
	// MCP server SSE read timeout, sec
	OpenShiftMCPServerHTTPReadTimeout = 30
	// Tools approval timeout default, sec (must match +kubebuilder:default in ToolsApprovalConfig)
	ToolsApprovalDefaultTimeout = 600
	// Authorization header for OpenShift MCP server
	K8S_AUTH_HEADER = "Authorization"
	// Constant, defining usage of kubernetes token
	KUBERNETES_PLACEHOLDER = "kubernetes"
	// Constant, defining usage of client token passthrough
	CLIENT_PLACEHOLDER = "client"
	// MCPHeadersMountRoot is the directory hosting MCP headers in the container
	MCPHeadersMountRoot = "/etc/mcp/headers"
	// OpenShiftMCPServerConfigCmName is the name of the ConfigMap for openshift-mcp-server configuration
	OpenShiftMCPServerConfigCmName = "openshift-mcp-server-config"
	// OpenShiftMCPServerConfigFilename is the filename for the openshift-mcp-server TOML config
	OpenShiftMCPServerConfigFilename = "config.toml"
	// OpenShiftMCPServerConfigMountPath is the directory where the MCP server config is mounted
	OpenShiftMCPServerConfigMountPath = "/etc/mcp-server"
	// OpenShiftMCPServerConfigVolumeName is the volume name for the MCP server config
	OpenShiftMCPServerConfigVolumeName = "mcp-server-config"
	// Header Secret Data Path
	MCPSECRETDATAPATH = "header"
	/*** Data Exporter Constants ***/
	// ExporterConfigCmName is the name of the exporter configmap
	ExporterConfigCmName = "lightspeed-exporter-config"
	// ExporterConfigVolumeName is the name of the volume for exporter configuration
	ExporterConfigVolumeName = "exporter-config"
	// ExporterConfigMountPath is the path where exporter config is mounted
	ExporterConfigMountPath = "/etc/config"
	// ExporterConfigFilename is the name of the exporter configuration file
	ExporterConfigFilename = "config.yaml"
	// OLSUserDataMountPath is the path where user data is mounted in the app server container
	OLSUserDataMountPath = "/app-root/ols-user-data"
	// ServiceIDOLS is the service ID used by the data exporter
	ServiceIDOLS = "ols"
	// RHOSOLightspeedOwnerIDLabel is the label used to identify RHOSO Lightspeed deployment
	RHOSOLightspeedOwnerIDLabel = "openstack.org/lightspeed-owner-id"
	// ServiceIDRHOSO is the service ID used by the data exporter when RHOSO Lightspeed is deployed
	ServiceIDRHOSO = "rhos-lightspeed"

	/*** Container Names (used for testing) ***/
	// OLSAppServerContainerName is the name of the OLS application server container
	OLSAppServerContainerName = "lightspeed-service-api"
	// DataverseExporterContainerName is the name of the dataverse exporter container
	DataverseExporterContainerName = "lightspeed-to-dataverse-exporter"
	// ConsoleUIContainerName is the name of the console UI container
	ConsoleUIContainerName = "lightspeed-console-plugin"
	// PostgresContainerName is the name of the postgres container
	PostgresContainerName = "lightspeed-postgres-server"
	// OpenShiftMCPServerContainerName is the name of the OpenShift MCP server container
	OpenShiftMCPServerContainerName = "openshift-mcp-server"
	// RHOOKPContainerName is the RH Offline Knowledge Portal (Solr) sidecar container name.
	RHOOKPContainerName = "rhokp"
	// OLSConfigMapResourceVersionAnnotation is the annotation key for tracking OLS ConfigMap ResourceVersion
	OLSConfigMapResourceVersionAnnotation = "ols.openshift.io/olsconfig-configmap-version"
	// OpenShiftMCPServerConfigMapResourceVersionAnnotation is the annotation key for tracking MCP Server ConfigMap ResourceVersion
	OpenShiftMCPServerConfigMapResourceVersionAnnotation = "ols.openshift.io/mcp-server-configmap-version"

	/*** Environment Variable Suffixes ***/
	// EnvVarSuffixAPIKey is the environment variable suffix for API key credentials
	EnvVarSuffixAPIKey = "_API_KEY"
	// EnvVarSuffixClientID is the environment variable suffix for client ID credentials
	EnvVarSuffixClientID = "_CLIENT_ID"
	// EnvVarSuffixTenantID is the environment variable suffix for tenant ID credentials
	EnvVarSuffixTenantID = "_TENANT_ID"
	// EnvVarSuffixClientSecret is the environment variable suffix for client secret credentials
	EnvVarSuffixClientSecret = "_CLIENT_SECRET"
)
View Source
const (
	ErrCheckLLMCredentials                 = "failed to validate LLM provider credential settings"
	ErrCreateAdditionalCACM                = "failed to create additional CA configmap"
	ErrCreateAPIConfigmap                  = "failed to create OLS configmap"
	ErrCreateAPIDeployment                 = "failed to create OLS deployment"
	ErrCreateAPIService                    = "failed to create OLS service"
	ErrCreateAPIServiceAccount             = "failed to create OLS service account"
	ErrCreateAppServerNetworkPolicy        = "failed to create AppServer network policy"
	ErrCreateConsolePlugin                 = "failed to create Console Plugin"
	ErrCreateConsolePluginConfigMap        = "failed to create Console Plugin configmap"
	ErrCreateConsolePluginDeployment       = "failed to create Console Plugin deployment"
	ErrCreateConsolePluginService          = "failed to create Console Plugin service"
	ErrCreateConsolePluginServiceAccount   = "failed to create Console Plugin service account"
	ErrCreateConsolePluginNetworkPolicy    = "failed to create Console Plugin network policy"
	ErrCreateSARClusterRole                = "failed to create SAR cluster role"
	ErrCreateSARClusterRoleBinding         = "failed to create SAR cluster role binding"
	ErrCreateServiceMonitor                = "failed to create ServiceMonitor"
	ErrCreateMetricsReaderSecret           = "failed to create metrics reader secret"
	ErrCreateOperatorNetworkPolicy         = "failed to create operator network policy"
	ErrCreatePrometheusRule                = "failed to create PrometheusRule"
	ErrCreatePostgresSecret                = "failed to create OLS Postgres secret"
	ErrCreatePostgresBootstrapSecret       = "failed to create OLS Postgres bootstrap secret"
	ErrCreatePostgresConfigMap             = "failed to create OLS Postgres configmap"
	ErrCreatePostgresService               = "failed to create OLS Postgres service"
	ErrCreatePostgresPVC                   = "failed to create OLS Postgres PVC"
	ErrCreatePostgresDeployment            = "failed to create OLS Postgres deployment"
	ErrCreatePostgresNetworkPolicy         = "failed to create OLS Postgres network policy"
	ErrCreatePostgresServiceAccount        = "failed to create OLS Postgres service account"
	ErrDeleteConsolePlugin                 = "failed to delete Console Plugin"
	ErrDeleteAdditionalCACM                = "failed to delete additional CA configmap"
	ErrGenerateAdditionalCACM              = "failed to generate additional CA configmap"
	ErrGenerateAPIConfigmap                = "failed to generate OLS configmap"
	ErrGenerateAPIDeployment               = "failed to generate OLS deployment"
	ErrGenerateAPIService                  = "failed to generate OLS service"
	ErrGenerateAPIServiceAccount           = "failed to generate OLS service account"
	ErrGenerateAppServerNetworkPolicy      = "failed to generate AppServer network policy"
	ErrGenerateConsolePlugin               = "failed to generate Console Plugin"
	ErrGenerateConsolePluginConfigMap      = "failed to generate Console Plugin configmap"
	ErrGenerateConsolePluginDeployment     = "failed to generate Console Plugin deployment"
	ErrGenerateConsolePluginNetworkPolicy  = "failed to generate Console Plugin network policy"
	ErrGenerateConsolePluginService        = "failed to generate Console Plugin service"
	ErrGenerateConsolePluginServiceAccount = "failed to generate Console Plugin service account"
	ErrGenerateOperatorNetworkPolicy       = "failed to generate operator network policy"
	ErrGenerateSARClusterRole              = "failed to generate SAR cluster role"
	ErrGenerateSARClusterRoleBinding       = "failed to generate SAR cluster role binding"
	ErrGenerateServiceMonitor              = "failed to generate ServiceMonitor"
	ErrGenerateMetricsReaderSecret         = "failed to generate metrics reader secret"
	ErrGeneratePrometheusRule              = "failed to generate PrometheusRule"
	ErrGetAdditionalCACM                   = "failed to get additional CA configmap"
	ErrGetProxyCACM                        = "failed to get proxy CA configmap"
	ErrGeneratePostgresSecret              = "failed to generate OLS Postgres secret"
	ErrGeneratePostgresBootstrapSecret     = "failed to generate OLS Postgres bootstrap secret"
	ErrGeneratePostgresConfigMap           = "failed to generate OLS Postgres configmap"
	ErrGeneratePostgresPVC                 = "failed to generate OLS Postgres PVC"
	ErrGeneratePostgresService             = "failed to generate OLS Postgres service"
	ErrGeneratePostgresDeployment          = "failed to generate OLS Postgres deployment"
	ErrGeneratePostgresNetworkPolicy       = "failed to generate OLS Postgres network policy"
	ErrGeneratePostgresServiceAccount      = "failed to generate OLS Postgres service account"
	ErrGetAPIConfigmap                     = "failed to get OLS configmap"
	ErrGetAPIDeployment                    = "failed to get OLS deployment"
	ErrGetAPIService                       = "failed to get OLS service"
	ErrGetAPIServiceAccount                = "failed to get OLS service account"
	ErrGetAppServerNetworkPolicy           = "failed to get AppServer network policy"
	ErrGetConsole                          = "failed to get Console"
	ErrGetConsolePlugin                    = "failed to get Console Plugin"
	ErrGetConsolePluginConfigMap           = "failed to get Console Plugin configmap"
	ErrGetConsolePluginDeployment          = "failed to get Console Plugin deployment"
	ErrGetConsolePluginNetworkPolicy       = "failed to get Console Plugin network policy"
	ErrGetConsolePluginService             = "failed to get Console Plugin service"
	ErrGetConsolePluginServiceAccount      = "failed to get Console Plugin service account"
	ErrGetLLMSecret                        = "failed to get LLM provider secret" // #nosec G101
	ErrGetOperatorNetworkPolicy            = "failed to get operator network policy"
	ErrGetPostgresNetworkPolicy            = "failed to get OLS Postgres network policy"
	ErrGetPostgresServiceAccount           = "failed to get OLS Postgres service account"
	ErrGetTLSSecret                        = "failed to get TLS secret" // #nosec G101
	ErrGetSARClusterRole                   = "failed to get SAR cluster role"
	ErrGetSARClusterRoleBinding            = "failed to get SAR cluster role binding"
	ErrGetServiceMonitor                   = "failed to get ServiceMonitor"
	ErrGetMetricsReaderSecret              = "failed to get metrics reader secret"
	ErrGetPrometheusRule                   = "failed to get PrometheusRule"
	ErrUpdateAPIConfigmap                  = "failed to update OLS configmap"
	ErrUpdateAPIDeployment                 = "failed to update OLS deployment"
	ErrUpdateAPIService                    = "failed to update OLS service"
	ErrUpdateAppServerNetworkPolicy        = "failed to update AppServer network policy"
	ErrUpdateAdditionalCACM                = "failed to update additional CA configmap"
	ErrUpdateConsole                       = "failed to update Console"
	ErrUpdateConsolePlugin                 = "failed to update Console Plugin"
	ErrUpdateConsolePluginConfigMap        = "failed to update Console Plugin configmap"
	ErrUpdateConsolePluginDeployment       = "failed to update Console Plugin deployment"
	ErrUpdateConsolePluginNetworkPolicy    = "failed to update Console Plugin network policy"
	ErrUpdateConsolePluginService          = "failed to update Console Plugin service"
	ErrUpdateCRStatusCondition             = "failed to update OLSConfig CR status condition"
	ErrUpdateOperatorNetworkPolicy         = "failed to update operator network policy"
	ErrUpdatePostgresNetworkPolicy         = "failed to update OLS Postgres network policy"
	ErrUpdatePostgresServiceAccount        = "failed to update OLS Postgres service account"
	ErrUpdateServiceMonitor                = "failed to update ServiceMonitor"
	ErrUpdateMetricsReaderSecret           = "failed to update metrics reader secret"
	ErrUpdatePrometheusRule                = "failed to update PrometheusRule"
	ErrUpdateProxyCACM                     = "failed to update proxy CA configmap"
	// #nosec G101
	ErrGetPostgresSecret = "failed to get OLS Postgres secret"
	// #nosec G101
	ErrGetPostgresBootstrapSecret = "failed to get OLS Postgres bootstrap secret"
	ErrGetPostgresConfigMap       = "failed to get OLS Postgres configmap"
	ErrGetPostgresService         = "failed to get OLS Postgres service"
	ErrGetPostgresPVC             = "failed to get OLS Postgres PVC"
	ErrGetPostgresDeployment      = "failed to get OLS Postgres deployment"
	ErrUpdateProviderSecret       = "failed to update provider secret"
	ErrUpdatePostgresSecret       = "failed to update OLS Postgres secret"
	ErrUpdatePostgresDeployment   = "failed to update OLS Postgres deployment"
	ErrListOldPostgresSecrets     = "failed to list old OLS Postgres secrets"
	ErrDeleteOldPostgresSecrets   = "failed to delete old OLS Postgres secret"

	// Alerts adapter errors
	ErrCreateAlertsAdapterDeployment                      = "failed to create alerts adapter deployment"
	ErrCreateAlertsAdapterNetworkPolicy                   = "failed to create alerts adapter network policy"
	ErrCreateAlertsAdapterServiceAccount                  = "failed to create alerts adapter service account"
	ErrCreateAlertsAdapterAgenticRunsClusterRole          = "failed to create alerts adapter agenticruns cluster role"
	ErrCreateAlertsAdapterAgenticRunsClusterRoleBinding   = "failed to create alerts adapter agenticruns cluster role binding"
	ErrCreateAlertsAdapterAlertmanagerRoleBinding         = "failed to create alerts adapter alertmanager role binding"
	ErrCreateAlertsAdapterConfigMap                       = "failed to create alerts adapter configmap"
	ErrGenerateAlertsAdapterDeployment                    = "failed to generate alerts adapter deployment"
	ErrSetAlertsAdapterDeploymentOwnerReference           = "failed to set alerts adapter deployment owner reference"
	ErrGenerateAlertsAdapterNetworkPolicy                 = "failed to generate alerts adapter network policy"
	ErrGenerateAlertsAdapterServiceAccount                = "failed to generate alerts adapter service account"
	ErrGenerateAlertsAdapterConfigMap                     = "failed to generate alerts adapter configmap"
	ErrGenerateAlertsAdapterAgenticRunsClusterRole        = "failed to generate alerts adapter agenticruns cluster role"
	ErrGenerateAlertsAdapterAgenticRunsClusterRoleBinding = "failed to generate alerts adapter agenticruns cluster role binding"
	ErrGenerateAlertsAdapterAlertmanagerRoleBinding       = "failed to generate alerts adapter alertmanager role binding"
	ErrGetAlertsAdapterDeployment                         = "failed to get alerts adapter deployment"
	ErrGetAlertsAdapterNetworkPolicy                      = "failed to get alerts adapter network policy"
	ErrGetAlertsAdapterServiceAccount                     = "failed to get alerts adapter service account"
	ErrGetAlertsAdapterAgenticRunsClusterRole             = "failed to get alerts adapter agenticruns cluster role"
	ErrGetAlertsAdapterAgenticRunsClusterRoleBinding      = "failed to get alerts adapter agenticruns cluster role binding"
	ErrGetAlertsAdapterAlertmanagerRoleBinding            = "failed to get alerts adapter alertmanager role binding"
	ErrGetAlertsAdapterConfigMap                          = "failed to get alerts adapter configmap"
	ErrGetAlertsAdapterConfigRole                         = "failed to get alerts adapter config role"
	ErrGetAlertsAdapterConfigRoleBinding                  = "failed to get alerts adapter config role binding"
	ErrUpdateAlertsAdapterDeployment                      = "failed to update alerts adapter deployment"
	ErrUpdateAlertsAdapterNetworkPolicy                   = "failed to update alerts adapter network policy"

	// OpenShift MCP server config errors
	ErrCreateMCPServerConfigMap = "failed to create MCP server config configmap"
	ErrDeleteMCPServerConfigMap = "failed to delete MCP server config configmap"
	ErrGetMCPServerConfigMap    = "failed to get MCP server config configmap"
	ErrUpdateMCPServerConfigMap = "failed to update MCP server config configmap"
)
View Source
const (
	TypeApiReady                  = "ApiReady"
	TypeCacheReady                = "CacheReady"
	TypeConsolePluginReady        = "ConsolePluginReady"
	TypeAgenticConsolePluginReady = "AgenticConsolePluginReady"
	TypeAlertsAdapterReady        = "AlertsAdapterReady"
	TypeCRReconciled              = "Reconciled"
)

Definitions to manage status conditions

View Source
const OpenShiftMCPServerConfigTOML = `` /* 748-byte string literal not displayed */

OpenShiftMCPServerConfigTOML is the TOML configuration for the shipped openshift-mcp-server sidecar. It denies access to Secret resources at the server level so secret data never reaches the LLM. Other sensitive resource types (RBAC) are also denied as defense in depth. Toolsets are listed explicitly so upstream default changes do not affect OLS; the metrics toolset uses in-cluster Thanos Querier and Alertmanager endpoints.

View Source
const PostgresWaitMaxSeconds = 300

PostgresWaitMaxSeconds is the maximum time the wait init container will run before exiting with an error.

View Source
const TestCACert = `` /* 1513-byte string literal not displayed */

Variables

View Source
var (
	OLSAppServerImageDefault       = relatedimages.GetDefaultImage("lightspeed-service-api")
	ConsoleUIImageDefault          = relatedimages.GetDefaultImage("lightspeed-console-plugin")
	PostgresServerImageDefault     = relatedimages.GetDefaultImage("lightspeed-postgresql")
	OpenShiftMCPServerImageDefault = relatedimages.GetDefaultImage("openshift-mcp-server")
	DataverseExporterImageDefault  = relatedimages.GetDefaultImage("lightspeed-to-dataverse-exporter")
	AgenticConsoleUIImageDefault   = imageDefaultOr("lightspeed-agentic-console-plugin", agenticConsoleUIImageFallback)
	AlertsAdapterImageDefault      = imageDefaultOr("lightspeed-agentic-alerts-adapter", alertsAdapterImageFallback)
	OtelCollectorImageDefault      = imageDefaultOr("lightspeed-otel-collector", otelCollectorImageFallback)
	RHOOKPImageDefault             = imageDefaultOr("rhokp", rhokpImageFallback)
)

Default images from related_images.json (see internal/relatedimages). Used for flags and tests.

Functions

func ActivateConsolePlugin

func ActivateConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error

ActivateConsolePlugin adds a plugin name to the cluster Console CR.

func AlertsAdapterConfigMapRef

func AlertsAdapterConfigMapRef(cr *olsv1alpha1.OLSConfig) (name string, ok bool)

AlertsAdapterConfigMapRef returns the referenced ConfigMap name when the alerts adapter is enabled (configMapRef set with a non-empty name). The bool is false when disabled.

func AnnotateConfigMapWatcher

func AnnotateConfigMapWatcher(cm *corev1.ConfigMap)

AnnotateConfigMapWatcher adds the watcher annotation to a configmap

func AnnotateSecretWatcher

func AnnotateSecretWatcher(secret *corev1.Secret)

AnnotateSecretWatcher adds the watcher annotation to a secret

func ApplyPodDeploymentConfig

func ApplyPodDeploymentConfig(deployment *appsv1.Deployment, config olsv1alpha1.Config, applyReplicas bool)

ApplyPodDeploymentConfig applies PodDeploymentConfig settings to a Deployment. This centralizes the logic for applying pod-level configurations (NodeSelector, Tolerations, etc.) to avoid code duplication across different deployment generators.

Parameters:

  • deployment: The deployment to modify
  • config: The PodDeploymentConfig containing the desired settings
  • applyReplicas: Whether to apply the Replicas field (only true for appserver)

Usage:

// For console/postgres (replicas always 1):
utils.ApplyPodDeploymentConfig(deployment, cr.Spec.OLSConfig.DeploymentConfig.ConsoleContainer, false)

// For appserver (replicas configurable):
utils.ApplyPodDeploymentConfig(deployment, cr.Spec.OLSConfig.DeploymentConfig.APIContainer, true)

func BoolDeref

func BoolDeref(p *bool, def bool) bool

BoolDeref returns *p when non-nil; otherwise def.

func BoolPtr

func BoolPtr(b bool) *bool

BoolPtr returns a pointer to b (for optional API fields).

func ConfigMapEqual

func ConfigMapEqual(a, b *corev1.ConfigMap) bool

deploymentSpecEqual compares two appsv1.DeploymentSpec and returns true if they are equal. ConfigMapEqual compares two ConfigMaps for equality, checking Data and BinaryData

func ContainerSpecEqual

func ContainerSpecEqual(a, b *corev1.Container) bool

containerSpecEqual compares two corev1.Container and returns true if they are equal. checks performed on limited fields

func ContainersEqual

func ContainersEqual(a, b []corev1.Container) bool

containerEqual compares two container arrays and returns true if they are equal.

func CreateTelemetryPullSecret

func CreateTelemetryPullSecret(ctx context.Context, k8sClient client.Client, withToken bool)

CreateTelemetryPullSecret creates a pull-secret in openshift-config namespace for testing telemetry/data collection features. If withToken is true, creates a secret with cloud.openshift.com auth. If withToken is false, creates a secret without telemetry token (for negative tests). This function is idempotent - ignores "already exists" errors.

func DeactivateConsolePlugin

func DeactivateConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error

DeactivateConsolePlugin removes a plugin name from the cluster Console CR.

func DefaultConsolePluginResourceRequirements

func DefaultConsolePluginResourceRequirements() *corev1.ResourceRequirements

DefaultConsolePluginResourceRequirements returns default resource requirements for console plugin containers.

func DeleteConsolePluginCR

func DeleteConsolePluginCR(r reconciler.Reconciler, ctx context.Context, pluginName string) error

DeleteConsolePluginCR deletes a ConsolePlugin CR.

func DeleteTelemetryPullSecret

func DeleteTelemetryPullSecret(ctx context.Context, k8sClient client.Client)

DeleteTelemetryPullSecret removes the pull-secret from openshift-config namespace. This function is idempotent - ignores "not found" errors.

func DeploymentSpecEqual

func DeploymentSpecEqual(a, b *appsv1.DeploymentSpec, compareInitContainers bool) bool

func EnvEqual

func EnvEqual(a, b []corev1.EnvVar) bool

EnvEqual compares two EnvVar slices ignoring order

func ForEachExternalConfigMap

func ForEachExternalConfigMap(cr *olsv1alpha1.OLSConfig, fn func(name string, source string) error) error

ForEachExternalConfigMap calls fn for each external configmap referenced in the OLSConfig CR. The callback function receives:

  • name: the configmap name
  • source: a descriptive identifier of where the configmap is used (e.g., "additional-ca", "proxy-ca")

If fn returns an error, iteration stops immediately and that error is returned. Returns nil if all iterations complete successfully.

Example usage:

err := ForEachExternalConfigMap(cr, func(name, source string) error {
    return validateConfigMap(name)
})

func ForEachExternalSecret

func ForEachExternalSecret(cr *olsv1alpha1.OLSConfig, fn func(name string, source string) error) error

The callback function receives:

  • name: the secret name
  • source: a descriptive identifier of where the secret is used (e.g., "llm-provider-openai", "tls", "mcp-myserver")

If fn returns an error, iteration stops immediately and that error is returned. Returns nil if all iterations complete successfully.

Example usage:

err := ForEachExternalSecret(cr, func(name, source string) error {
    return validateSecret(name)
})

func GenerateAlertsAdapterSelectorLabels

func GenerateAlertsAdapterSelectorLabels() map[string]string

GenerateAlertsAdapterSelectorLabels returns selector labels for the alerts adapter.

func GenerateAppServerSelectorLabels

func GenerateAppServerSelectorLabels() map[string]string

GenerateAppServerSelectorLabels returns selector labels for Application Server components

func GenerateConsolePluginDeployment

func GenerateConsolePluginDeployment(
	r reconciler.Reconciler,
	cr *olsv1alpha1.OLSConfig,
	opts ConsolePluginDeploymentOptions,
) (*appsv1.Deployment, error)

GenerateConsolePluginDeployment generates a Deployment for an nginx-served console plugin.

func GenerateConsolePluginNetworkPolicy

func GenerateConsolePluginNetworkPolicy(
	r reconciler.Reconciler,
	cr *olsv1alpha1.OLSConfig,
	name string,
	labels map[string]string,
	port int32,
) (*networkingv1.NetworkPolicy, error)

GenerateConsolePluginNetworkPolicy generates a network policy allowing ingress from OpenShift Console pods.

func GenerateConsolePluginNginxConfigMap

func GenerateConsolePluginNginxConfigMap(
	r reconciler.Reconciler,
	cr *olsv1alpha1.OLSConfig,
	name string,
	labels map[string]string,
	nginxConfig string,
) (*corev1.ConfigMap, error)

GenerateConsolePluginNginxConfigMap generates a ConfigMap containing nginx.conf for a console plugin.

func GenerateOpenShiftMCPServerConfigMap

func GenerateOpenShiftMCPServerConfigMap(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, labels map[string]string) (*corev1.ConfigMap, error)

GenerateOpenShiftMCPServerConfigMap generates the ConfigMap containing the TOML configuration for the openshift-mcp-server sidecar. This ConfigMap is mounted into the sidecar container and referenced via the --config flag.

func GeneratePostgresSelectorLabels

func GeneratePostgresSelectorLabels() map[string]string

GeneratePostgresSelectorLabels returns selector labels for Postgres components

func GeneratePostgresWaitInitContainer

func GeneratePostgresWaitInitContainer(image string) corev1.Container

GeneratePostgresWaitInitContainer returns an init container that waits until the Postgres database is accepting connections before the main container starts.

Uses pg_isready to probe the database directly, which is more reliable than checking Kubernetes deployment replica counts. The container uses the postgres image since pg_isready is bundled with it.

Connection parameters are configured via environment variables (PGHOST, PGPORT, PGUSER, PGDATABASE) with sensible defaults. Retries with exponential backoff up to PostgresWaitMaxSeconds.

func GenerateRandomConfigMap

func GenerateRandomConfigMap() (*corev1.ConfigMap, error)

GenerateRandomConfigMap creates a test ConfigMap with sample data. This is useful for testing ConfigMap-dependent functionality without collision.

func GenerateRandomSecret

func GenerateRandomSecret() (*corev1.Secret, error)

GenerateRandomSecret creates a test secret with a random API token. This is useful for testing secret-dependent functionality without collision.

func GenerateRandomTLSSecret

func GenerateRandomTLSSecret() (*corev1.Secret, error)

GenerateRandomTLSSecret creates a test TLS secret with random key and cert. This is useful for testing TLS-dependent functionality without collision.

func GenerateServiceAccount

func GenerateServiceAccount(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, name string) (*corev1.ServiceAccount, error)

GenerateServiceAccount generates a service account with the given name in the operator namespace

func GetCAFromSecret

func GetCAFromSecret(rclient client.Client, ctx context.Context, namespace, secretName string) (string, error)

GetCAFromSecret retrieves CA certificate content from a Secret. It looks for the "ca.crt" key in the Secret's Data field. Returns empty string if the key doesn't exist (not an error - CA is optional).

func GetConfigMapResourceVersion

func GetConfigMapResourceVersion(r reconciler.Reconciler, ctx context.Context, configMapName string) (string, error)

GetConfigMapResourceVersion returns the ResourceVersion of a ConfigMap.

func GetDefaultOLSConfigCR

func GetDefaultOLSConfigCR() *olsv1alpha1.OLSConfig

GetDefaultOLSConfigCR creates an OLSConfig CR with fully configured specs. This is the most commonly used fixture for testing full functionality.

func GetEmptyOLSConfigCR

func GetEmptyOLSConfigCR() *olsv1alpha1.OLSConfig

GetEmptyOLSConfigCR creates an OLSConfig CR with no fields set in its specs. This is useful for testing default values and validation.

func GetNoCacheCR

func GetNoCacheCR() *olsv1alpha1.OLSConfig

GetNoCacheCR creates an OLSConfig CR with no cache configuration. This is useful for testing in-memory cache scenarios.

func GetOLSConfigWithCacheCR

func GetOLSConfigWithCacheCR() *olsv1alpha1.OLSConfig

GetOLSConfigWithCacheCR creates an OLSConfig CR with only cache configuration. This is useful for testing cache-specific functionality.

func GetOpenShiftMCPServerConfigPath

func GetOpenShiftMCPServerConfigPath() string

GetOpenShiftMCPServerConfigPath returns the full path to the MCP server config file inside the container.

func GetOpenShiftMCPServerConfigVolumeAndMount

func GetOpenShiftMCPServerConfigVolumeAndMount() (corev1.Volume, corev1.VolumeMount)

GetOpenShiftMCPServerConfigVolumeAndMount returns the Volume and VolumeMount for the openshift-mcp-server TOML configuration. The config file is mounted as a subPath so the sidecar can reference it via --config.

func GetOpenshiftVersion

func GetOpenshiftVersion(k8sClient client.Client, ctx context.Context) (string, string, error)

Get Openshift version

func GetPostgresCAConfigVolume

func GetPostgresCAConfigVolume() corev1.Volume

GetPostgresCAConfigVolume returns the CA certificate volume for postgres TLS verification.

func GetPostgresCAVolumeMount

func GetPostgresCAVolumeMount(mountPath string) corev1.VolumeMount

GetPostgresCAVolumeMount returns the CA certificate volume mount for postgres.

func GetProxyCACertConfigMapName

func GetProxyCACertConfigMapName(proxyCACertRef *olsv1alpha1.ProxyCACertConfigMapRef) string

GetProxyCACertConfigMapName returns the ConfigMap name for the proxy CA certificate. Returns empty string if the reference is nil.

func GetProxyCACertHash

func GetProxyCACertHash(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) (string, error)

GetProxyCACertHash returns a SHA256 hash of the proxy CA certificate content if proxy CA is configured. This ensures deployments only restart when the certificate content actually changes, not just when the ConfigMap ResourceVersion changes (which can happen frequently for service-ca managed ConfigMaps). Returns empty string and nil error if proxy is not configured.

func GetProxyCACertKey

func GetProxyCACertKey(proxyCACertRef *olsv1alpha1.ProxyCACertConfigMapRef) string

GetProxyCACertKey returns the ConfigMap key for the proxy CA certificate. If not specified, defaults to ProxyCACertFileName for backward compatibility.

func GetProxyEnvVars

func GetProxyEnvVars() []corev1.EnvVar

func GetResourcesOrDefault

func GetResourcesOrDefault(customResources *corev1.ResourceRequirements, defaultResources *corev1.ResourceRequirements) *corev1.ResourceRequirements

GetResourcesOrDefault returns custom resources from CR if specified, otherwise returns defaults. This is a common pattern used across all component resource getters to avoid repetitive null-checking logic. It provides a consistent way to handle user-configurable container resources with sensible defaults.

Example usage:

return GetResourcesOrDefault(
    cr.Spec.OLSConfig.DeploymentConfig.APIContainer.Resources,
    &corev1.ResourceRequirements{
        Limits:   corev1.ResourceList{corev1.ResourceMemory: resource.MustParse("4Gi")},
        Requests: corev1.ResourceList{corev1.ResourceCPU: resource.MustParse("500m")},
    },
)

func GetSecretContent

func GetSecretContent(rclient client.Client, ctx context.Context, secretName string, namespace string, secretFields []string, foundSecret *corev1.Secret) (map[string]string, error)

func ImageStreamEqual

func ImageStreamEqual(a *imagev1.ImageStream, b *imagev1.ImageStream) bool

ImageStreamEqual compares the fields that the controller owns on two imagev1.ImageStreams. Used to decide if an existing ImageStream needs an Update. All managed fields must be listed here so reconciliation does not miss changes.

func ImageStreamNameFor

func ImageStreamNameFor(image string) string

ImageStreamNameFor converts a container image reference (e.g. "quay.io/org/my-image:v1.0") into a Kubernetes-compatible name suitable for an ImageStream. Kubernetes names that are used as DNS subdomain labels must follow RFC 1123: a single label can be at most 63 characters (DNS label max). The final name is slug + "-" + suffix, so:

ImageStreamSlugMaxLength (55) + 1 (hyphen) + 6 (suffix) ≤ 63.

It lowercases the string, replaces "/", ":", and "@" with underscores, replaces any character that is not [a-z0-9-] with a hyphen, trims and truncates to ImageStreamSlugMaxLength characters, then appends a 6-char SHA1 suffix of the original image so that different images still produce unique names while fitting within typical length limits (e.g. DNS subdomain labels).

func IsPrometheusOperatorAvailable

func IsPrometheusOperatorAvailable(ctx context.Context, c client.Client) bool

IsPrometheusOperatorAvailable checks if Prometheus Operator CRDs are available on the cluster. It attempts to list ServiceMonitor and PrometheusRule resources to determine availability. Returns true if both CRDs are present, false otherwise.

func NetworkPolicyEqual

func NetworkPolicyEqual(a *networkingv1.NetworkPolicy, b *networkingv1.NetworkPolicy) bool

networkPolicyEqual compares two networkingv1.NetworkPolicy and returns true if they are equal.

func PodVolumeEqual

func PodVolumeEqual(a, b []corev1.Volume) bool

podVolumEqual compares two slices of corev1.Volume and returns true if they are equal. covers 3 volume types: Secret, ConfigMap, EmptyDir

func ProbeEqual

func ProbeEqual(a, b *corev1.Probe) bool

func PrometheusRuleEqual

func PrometheusRuleEqual(a *monv1.PrometheusRule, b *monv1.PrometheusRule) bool

prometheusRuleEqual compares two monv1.PrometheusRule and returns true if they are equal.

func RHOOKPContainerSecurityContext

func RHOOKPContainerSecurityContext() *corev1.SecurityContext

RHOOKPContainerSecurityContext is restricted PSS except readOnlyRootFilesystem: the RHOKP image writes Solr pid files, logs, and httpd config patches at startup.

func ReconcileConsolePluginCR

func ReconcileConsolePluginCR(r reconciler.Reconciler, ctx context.Context, desired *consolev1.ConsolePlugin) error

ReconcileConsolePluginCR creates or updates a ConsolePlugin CR.

func ReconcileConsolePluginConfigMap

func ReconcileConsolePluginConfigMap(r reconciler.Reconciler, ctx context.Context, desired *corev1.ConfigMap) error

ReconcileConsolePluginConfigMap creates or updates a console plugin nginx ConfigMap.

func ReconcileConsolePluginDeployment

func ReconcileConsolePluginDeployment(
	r reconciler.Reconciler,
	ctx context.Context,
	desired *appsv1.Deployment,
	restart func(reconciler.Reconciler, context.Context, ...*appsv1.Deployment) error,
) error

ReconcileConsolePluginDeployment creates or updates a console plugin Deployment.

func ReconcileConsolePluginNetworkPolicy

func ReconcileConsolePluginNetworkPolicy(r reconciler.Reconciler, ctx context.Context, desired *networkingv1.NetworkPolicy) error

ReconcileConsolePluginNetworkPolicy creates or updates a console plugin NetworkPolicy.

func ReconcileConsolePluginService

func ReconcileConsolePluginService(r reconciler.Reconciler, ctx context.Context, desired *corev1.Service) error

ReconcileConsolePluginService creates or updates a console plugin Service.

func ReconcileConsolePluginServiceAccount

func ReconcileConsolePluginServiceAccount(r reconciler.Reconciler, ctx context.Context, desired *corev1.ServiceAccount) error

ReconcileConsolePluginServiceAccount creates a console plugin ServiceAccount if missing.

func ReconcileOLSAdditionalCAConfigMap

func ReconcileOLSAdditionalCAConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error

ReconcileOLSAdditionalCAConfigMap validates that the externally referenced Additional CA ConfigMap exists. Annotation handling is managed by the main controller.

func ReconcileOpenShiftMCPServerConfigMap

func ReconcileOpenShiftMCPServerConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig, labels map[string]string) error

ReconcileOpenShiftMCPServerConfigMap reconciles the ConfigMap for the openshift-mcp-server. When introspection is enabled, the ConfigMap is created/updated. When introspection is disabled, the ConfigMap is deleted if it exists.

func ReconcileProxyCAConfigMap

func ReconcileProxyCAConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error

ReconcileProxyCAConfigMap validates that the externally referenced Proxy CA ConfigMap exists. Annotation handling is managed by the main controller.

func RemoveConsolePlugin

func RemoveConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error

RemoveConsolePlugin deactivates and deletes a console plugin from the OpenShift Console.

func RestartConsolePluginDeployment

func RestartConsolePluginDeployment(r reconciler.Reconciler, ctx context.Context, deploymentName string, deployment ...*appsv1.Deployment) error

RestartConsolePluginDeployment triggers a rolling restart of a console plugin deployment.

func RestrictedContainerSecurityContext

func RestrictedContainerSecurityContext() *corev1.SecurityContext

RestrictedContainerSecurityContext returns a SecurityContext that conforms to the Pod Security "restricted" profile. Use this for all operator-managed containers.

func RosaOKPProductEnv

func RosaOKPProductEnv(k8sClient client.Client, ctx context.Context, log logr.Logger) (*corev1.EnvVar, error)

RosaOKPProductEnv returns the OLS_ROSA_PRODUCT env var for ROSA clusters, or nil when the cluster is not ROSA. On ROSA, External topology maps to HCP; all other topologies map to Classic (OLS-1894).

func RunDeleteTasks

func RunDeleteTasks(r reconciler.Reconciler, ctx context.Context, phase string, tasks []DeleteTask) error

RunDeleteTasks runs delete tasks and fails fast on the first error.

func RunReconcileTasks

func RunReconcileTasks(
	r reconciler.Reconciler,
	ctx context.Context,
	cr *olsv1alpha1.OLSConfig,
	phase string,
	tasks []ReconcileTask,
	continueOnError bool,
) error

RunReconcileTasks runs reconcile tasks. When continueOnError is true, all tasks run and failures are aggregated.

func ServiceEqual

func ServiceEqual(a *corev1.Service, b *corev1.Service) bool

serviceEqual compares two v1.Service and returns true if they are equal.

func ServiceMonitorEqual

func ServiceMonitorEqual(a *monv1.ServiceMonitor, b *monv1.ServiceMonitor) bool

serviceMonitorEqual compares two monv1.ServiceMonitor and returns true if they are equal.

func SetDefaults_Deployment

func SetDefaults_Deployment(obj *appsv1.Deployment)

This is copied from https://github.com/kubernetes/kubernetes/blob/v1.29.2/pkg/apis/apps/v1/defaults.go#L38 to avoid importing the whole k8s.io/kubernetes package. SetDefaults_Deployment sets additional defaults compared to its counterpart in extensions. These addons are: - MaxUnavailable during rolling update set to 25% (1 in extensions) - MaxSurge value during rolling update set to 25% (1 in extensions) - RevisionHistoryLimit set to 10 (not set in extensions) - ProgressDeadlineSeconds set to 600s (not set in extensions)

func StatusHasCondition

func StatusHasCondition(status olsv1alpha1.OLSConfigStatus, condition metav1.Condition) bool

StatusHasCondition checks if an OLSConfig status contains a specific condition. It ignores ObservedGeneration and LastTransitionTime when comparing.

func ValidateCertificateFormat

func ValidateCertificateFormat(cert []byte) error

validate the x509 certificate syntax

func ValidateLLMCredentials

func ValidateLLMCredentials(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error

ValidateLLMCredentials validates that all LLM provider credentials are present and usable. For each provider it requires credentialsSecretRef, loads the secret, then checks Data keys: Azure OpenAI accepts the default credential key or client_id/tenant_id/client_secret; Google Vertex (and Anthropic) use credentialKey when set, otherwise the default key; Bedrock accepts either the default credential key (Bearer token) or AWS IAM keys; all other supported types require the default credential key

func ValidateTLSSecret

func ValidateTLSSecret(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error

ValidateTLSSecret validates that the custom TLS secret exists and contains required keys. It checks that the secret contains 'tls.crt' and 'tls.key'. The 'ca.crt' key is optional. This function should only be called when TLSConfig.KeyCertSecretRef is configured.

func VolumeMountsEqual

func VolumeMountsEqual(a, b []corev1.VolumeMount) bool

VolumeMountsEqual compares two VolumeMount slices ignoring order

func WaitForConsolePluginTLSSecret

func WaitForConsolePluginTLSSecret(r reconciler.Reconciler, ctx context.Context, secretName string) error

WaitForConsolePluginTLSSecret waits for the service-ca TLS secret for a console plugin.

func WithAzureOpenAIProvider

func WithAzureOpenAIProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig

WithAzureOpenAIProvider configures the first LLM provider as Azure OpenAI. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.

func WithBedrockProvider

func WithBedrockProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig

WithBedrockProvider configures the first LLM provider as AWS Bedrock. Auth mode (Bearer apitoken vs IAM keys) is determined by the referenced secret, not the CR. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.

func WithGoogleVertexAnthropicProvider

func WithGoogleVertexAnthropicProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig

WithGoogleVertexAnthropicProvider configures the first LLM provider as Google Vertex Anthropic. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.

func WithGoogleVertexProvider

func WithGoogleVertexProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig

WithGoogleVertexProvider configures the first LLM provider as Google Vertex. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.

Types

type AppSrvConfigFile

type AppSrvConfigFile struct {
	LLMProviders            []ProviderConfig        `json:"llm_providers"`
	OLSConfig               OLSConfig               `json:"ols_config,omitempty"`
	UserDataCollectorConfig UserDataCollectorConfig `json:"user_data_collector_config,omitempty"`
	MCPServers              []MCPServerConfig       `json:"mcp_servers,omitempty"`
}

** application server configuration file ** root of the app server configuration file

type AuditYAMLConfig

type AuditYAMLConfig struct {
	Logging string          `json:"logging"`
	OTEL    *OTELYAMLConfig `json:"otel,omitempty"`
}

type AzureOpenAIConfig

type AzureOpenAIConfig struct {
	// Azure OpenAI API URL
	URL string `json:"url,omitempty"`
	// Path where Azure OpenAI accesstoken or credentials are stored
	CredentialsPath string `json:"credentials_path"`
	// Azure deployment name
	AzureDeploymentName string `json:"deployment_name,omitempty"`
}

type ConfigMapWatcherConfig

type ConfigMapWatcherConfig struct {
	SystemResources []SystemConfigMap
}

ConfigMapWatcherConfig contains configuration for watching configmaps

type ConsolePluginDeploymentOptions

type ConsolePluginDeploymentOptions struct {
	Name                string
	Labels              map[string]string
	SelectorLabels      map[string]string
	ServiceAccountName  string
	ContainerName       string
	Image               string
	Port                int32
	PortName            string
	CertVolumeName      string
	CertSecretName      string
	NginxVolumeName     string
	NginxConfigMapName  string
	NginxTempVolumeName string
	Resources           *corev1.ResourceRequirements
	Env                 []corev1.EnvVar
	DeploymentConfig    olsv1alpha1.Config
}

ConsolePluginDeploymentOptions configures nginx-based console plugin Deployments.

type ConversationCacheConfig

type ConversationCacheConfig struct {
	// Type of cache to use. Default: "postgres"
	Type string `json:"type" default:"postgres"`
	// Postgres cache configuration
	Postgres PostgresCacheConfig `json:"postgres,omitempty"`
}

type DeleteFunc

type DeleteFunc func(reconciler.Reconciler, context.Context) error

type DeleteTask

type DeleteTask struct {
	Name string
	Task DeleteFunc
}

type FakeProviderConfig

type FakeProviderConfig struct {
	// URL of the fake provider server to send requests
	URL string `json:"url,omitempty" default:"http://example.com"`
	// Whether the fake provider should stream responses in chunks
	Stream bool `json:"stream" default:"false"`
	// Flag to enable mcp tool call in fake provider
	MCPToolCall bool `json:"mcp_tool_call" default:"false"`
	// The full response to return when Stream is false, or the base response to chunk when Stream is true
	Response string `json:"response,omitempty"`
	// The number of chunks to split the response into when Stream is true
	Chunks int `json:"chunks,omitempty" default:"30"`
	// The amount of time in seconds to sleep between sending each chunk when Stream is true
	Sleep float64 `json:"sleep,omitempty" default:"0.1"`
}

type GoogleVertexAnthropicConfig

type GoogleVertexAnthropicConfig = GoogleVertexConfig

type GoogleVertexConfig

type GoogleVertexConfig struct {
	// Google Cloud project ID
	Project string `json:"project,omitempty"`
	// Server region location
	Location string `json:"location,omitempty"`
}

type LimiterConfig

type LimiterConfig struct {
	// Name of the limiter
	Name string `json:"name"`
	// Type of the limiter
	Type string `json:"type"`
	// Initial value of the token quota
	InitialQuota int `json:"initial_quota"`
	// Token quota increase step
	QuotaIncrease int `json:"quota_increase"`
	// Period of time the token quota is for
	Period string `json:"period"`
}

LimiterConfig defines settings for a token quota limiter

type LoggingConfig

type LoggingConfig struct {
	// Application log level
	AppLogLevel string `json:"app_log_level" default:"info"`
	// Library log level
	LibLogLevel string `json:"lib_log_level" default:"warning"`
	// Uvicorn log level
	UvicornLogLevel string `json:"uvicorn_log_level" default:"info"`
}

type MCPServerConfig

type MCPServerConfig struct {
	// MCP server name
	Name string `json:"name"`
	// MCP server URL
	URL string `json:"url"`
	// Headers (map of header name to file path or placeholder)
	Headers map[string]string `json:"headers,omitempty"`
	// Timeout in seconds
	Timeout int `json:"timeout,omitempty"`
}

type MCPTransport

type MCPTransport string
const (
	SSE            MCPTransport = "sse"
	Stdio          MCPTransport = "stdio"
	StreamableHTTP MCPTransport = "streamable_http"
)

type MemoryCacheConfig

type MemoryCacheConfig struct {
	// Maximum number of cache entries. Default: "1000"
	MaxEntries int `json:"max_entries,omitempty" default:"1000"`
}

type ModelConfig

type ModelConfig struct {
	// Model name
	Name string `json:"name"`
	// Model API URL
	URL string `json:"url,omitempty"`
	// Model context window size
	ContextWindowSize uint `json:"context_window_size,omitempty"`
	// Model parameters
	Parameters ModelParameters `json:"parameters,omitempty"`
}

ModelSpec defines the desired state of in-memory cache.

type ModelParameters

type ModelParameters struct {
	// Maximum number of tokens for the input text. Default: 1024
	MaxTokensForResponse int `json:"max_tokens_for_response,omitempty"`
	// Ratio of context window size allocated for tool token budget
	ToolBudgetRatio float64 `json:"tool_budget_ratio"`
}

ModelParameters defines the parameters for a model.

type OLSConfig

type OLSConfig struct {
	// Default model for usage
	DefaultModel string `json:"default_model,omitempty"`
	// Default provider for usage
	DefaultProvider string `json:"default_provider,omitempty"`
	// Maximum number of iterations for agent execution
	MaxIterations int `json:"max_iterations,omitempty"`
	// Logging config
	Logging LoggingConfig `json:"logging_config,omitempty"`
	// Conversation cache
	ConversationCache ConversationCacheConfig `json:"conversation_cache,omitempty"`
	// TLS configuration
	TLSConfig TLSConfig `json:"tls_config,omitempty"`
	// TLS security profile for service endpoint
	TLSSecurityProfile *TLSSecurityProfileConfig `json:"tlsSecurityProfile,omitempty"`
	// Query filters
	QueryFilters []QueryFilters `json:"query_filters,omitempty"`
	// Reference content for BYOK RAG vector indexes; omitted when spec.ols.rag is empty.
	ReferenceContent *ReferenceContent `json:"reference_content,omitempty"`
	// User data collection configuration
	UserDataCollection UserDataCollectionConfig `json:"user_data_collection,omitempty"`
	// List of Paths to files containing additional CA certificates in the app server container.
	ExtraCAs []string `json:"extra_ca,omitempty"`
	// Path to the directory containing the certificates bundle in the app server container.
	CertificateDirectory string `json:"certificate_directory,omitempty"`
	// Proxy settings
	ProxyConfig *ProxyConfig `json:"proxy_config,omitempty"`
	// LLM Token Quota Configuration
	QuotaHandlersConfig *QuotaHandlersConfig `json:"quota_handlers,omitempty"`
	// User specified system prompt
	SystemPromptPath string `json:"system_prompt_path,omitempty"`
	// Tool filtering configuration for hybrid RAG retrieval
	ToolFiltering *ToolFilteringConfig `json:"tool_filtering,omitempty"`
	// Tool execution approval configuration
	ToolsApproval *ToolsApprovalConfig `json:"tools_approval,omitempty"`
	// Audit logging and tracing configuration
	Audit *AuditYAMLConfig `json:"audit,omitempty"`
	// Solr hybrid RAG (portal-rag /hybrid-search); mirrors lightspeed-service solr_hybrid
	SolrHybrid *SolrHybridSettings `json:"solr_hybrid,omitempty"`
}

type OLSConfigReconcilerOptions

type OLSConfigReconcilerOptions struct {
	OpenShiftMajor                 string
	OpenshiftMinor                 string
	LightspeedServiceImage         string
	LightspeedServicePostgresImage string
	ConsoleUIImage                 string
	AgenticConsoleUIImage          string
	AlertsAdapterImage             string
	OtelCollectorImage             string
	DataverseExporterImage         string
	OpenShiftMCPServerImage        string
	RHOOKPImage                    string
	RosaOKPProductEnv              *corev1.EnvVar
	Namespace                      string
	PrometheusAvailable            bool
}

type OTELYAMLConfig

type OTELYAMLConfig struct {
	Endpoint string `json:"endpoint,omitempty"`
	TLSMode  string `json:"tls_mode,omitempty"`
}

type OperatorReconcileFuncs

type OperatorReconcileFuncs struct {
	Name string
	Fn   func(context.Context) error
}

type PostgresCacheConfig

type PostgresCacheConfig struct {
	// Postgres host
	Host string `json:"host,omitempty" default:"lightspeed-postgres-server.openshift-lightspeed.svc"`
	// Postgres port
	Port int `json:"port,omitempty" default:"5432"`
	// Postgres user
	User string `json:"user,omitempty" default:"postgres"`
	// Postgres dbname
	DbName string `json:"dbname,omitempty" default:"postgres"`
	// Path to the file containing postgres credentials in the app server container
	PasswordPath string `json:"password_path,omitempty"`
	// SSLMode is the preferred ssl mode to connect with postgres
	SSLMode string `json:"ssl_mode,omitempty" default:"require"`
	// Postgres CA certificate path
	CACertPath string `json:"ca_cert_path,omitempty"`
}

type ProviderConfig

type ProviderConfig struct {
	// Provider name
	Name string `json:"name"`
	// Provider API URL
	URL string `json:"url,omitempty"`
	// Path to the file containing API provider credentials in the app server container.
	// default to "bam_api_key.txt"
	CredentialsPath string `json:"credentials_path,omitempty" default:"bam_api_key.txt"`
	// List of models from the provider
	Models []ModelConfig `json:"models,omitempty"`
	// Provider type
	Type string `json:"type,omitempty"`
	// Watsonx Project ID
	WatsonProjectID string `json:"project_id,omitempty"`
	// API Version for Azure OpenAI provider
	APIVersion string `json:"api_version,omitempty"`
	// Azure OpenAI Config
	AzureOpenAIConfig *AzureOpenAIConfig `json:"azure_openai_config,omitempty"`
	// Fake Provider Config for testing
	FakeProviderConfig *FakeProviderConfig `json:"fake_provider_config,omitempty"`
	// Google Vertex Config
	GoogleVertexConfig *GoogleVertexConfig `json:"google_vertex_config,omitempty"`
	// Google Vertex Anthropic Config
	GoogleVertexAnthropicConfig *GoogleVertexAnthropicConfig `json:"google_vertex_anthropic_config,omitempty"`
}

type ProxyConfig

type ProxyConfig struct {
	// Proxy URL
	ProxyURL string `json:"proxy_url,omitempty"`
	// ProxyCACertPath is the path to the CA certificate for the proxy server
	ProxyCACertPath string `json:"proxy_ca_cert_path,omitempty"`
}

type QueryFilters

type QueryFilters struct {
	// Filter name.
	Name string `json:"name,omitempty"`
	// Filter pattern.
	Pattern string `json:"pattern,omitempty"`
	// Replacement for the matched pattern.
	ReplaceWith string `json:"replace_with,omitempty"`
}

type QuotaHandlersConfig

type QuotaHandlersConfig struct {
	// Postgres connection details
	Storage PostgresCacheConfig `json:"storage,omitempty"`
	// Quota scheduler settings
	Scheduler SchedulerConfig `json:"scheduler,omitempty"`
	// Token quota limiters
	LimitersConfig []LimiterConfig `json:"limiters,omitempty"`
	// Enable token history
	EnableTokenHistory bool `json:"enable_token_history,omitempty"`
}

QuotaHandlersConfig defines the token quota configuration

type ReconcileFunc

** controller internal **

type ReconcileSteps

type ReconcileSteps struct {
	Name          string
	Fn            func(context.Context, *olsv1alpha1.OLSConfig) error
	ConditionType string
	Deployment    string
}

type ReconcileTask

type ReconcileTask struct {
	Name string
	Task ReconcileFunc
}

type ReferenceContent

type ReferenceContent struct {
	// Path to the file containing the product docs embeddings model in the app server container.
	EmbeddingsModelPath string `json:"embeddings_model_path,omitempty"`
	// List of reference indexes.
	Indexes []ReferenceIndex `json:"indexes,omitempty"`
}

type ReferenceIndex

type ReferenceIndex struct {
	// Path to the file containing the product docs index in the app server container.
	ProductDocsIndexPath string `json:"product_docs_index_path,omitempty"`
	// Name of the index to load.
	ProductDocsIndexId string `json:"product_docs_index_id,omitempty"`
	// Where the database was copied from, i.e. BYOK image name.
	ProductDocsOrigin string `json:"product_docs_origin,omitempty"`
}

type SchedulerConfig

type SchedulerConfig struct {
	// How often token quota is checked, sec
	Period int `json:"period,omitempty"`
}

Scheduler configuration

type SecretWatcherConfig

type SecretWatcherConfig struct {
	SystemResources []SystemSecret
}

SecretWatcherConfig contains configuration for watching secrets

type SolrHybridSettings

type SolrHybridSettings struct {
	SolrHTTPBase             string  `json:"solr_http_base,omitempty"`
	MaxResults               int     `json:"max_results,omitempty"`
	ChunkFilterQuery         string  `json:"chunk_filter_query,omitempty"`
	HybridVectorBoost        float64 `json:"hybrid_vector_boost,omitempty"`
	HybridPoolDocs           int     `json:"hybrid_pool_docs,omitempty"`
	HybridScoreThreshold     float64 `json:"hybrid_score_threshold,omitempty"`
	HybridSolrTimeoutSeconds float64 `json:"hybrid_solr_timeout_s,omitempty"`
}

SolrHybridSettings configures Solr hybrid RAG retrieval for the OLS application config file.

type StdioTransportConfig

type StdioTransportConfig struct {
	// Command to run
	Command string `json:"command,omitempty"`
	// Command-line parameters for the command
	Args []string `json:"args,omitempty"`
	// Environment variables for the command
	Env map[string]string `json:"env,omitempty"`
	// The working directory for the command
	Cwd string `json:"cwd,omitempty"`
	// Encoding for the text exchanged with the command
	Encoding string `json:"encoding,omitempty"`
}

type StreamableHTTPTransportConfig

type StreamableHTTPTransportConfig struct {
	// URL of the MCP server
	URL string `json:"url,omitempty"`
	// Overall timeout for the MCP server
	Timeout int `json:"timeout,omitempty"`
	// SSE read timeout for the MCP server
	SSEReadTimeout int `json:"sse_read_timeout,omitempty"`
	// Headers to send to the MCP server
	Headers map[string]string `json:"headers,omitempty"`
}

type SystemConfigMap

type SystemConfigMap struct {
	Name                string
	Namespace           string
	Description         string
	AffectedDeployments []string
}

SystemConfigMap represents a configmap managed by Kubernetes or other applications that the operator needs to watch for changes

type SystemSecret

type SystemSecret struct {
	Name                string
	Namespace           string
	Description         string
	AffectedDeployments []string
}

SystemSecret represents a secret managed by Kubernetes or other applications that the operator needs to watch for changes

type TLSConfig

type TLSConfig struct {
	TLSCertificatePath string `json:"tls_certificate_path,omitempty"`
	TLSKeyPath         string `json:"tls_key_path,omitempty"`
}

type TLSSecurityProfileConfig

type TLSSecurityProfileConfig struct {
	// Profile type expected by the service (OldType, IntermediateType, ModernType, Custom)
	ProfileType string `json:"type,omitempty"`
	// Minimum TLS protocol version (VersionTLS12, VersionTLS13, ...)
	MinTLSVersion string `json:"minTLSVersion,omitempty"`
	// Allowed ciphers in OpenSSL format
	Ciphers []string `json:"ciphers,omitempty"`
}

type TestReconciler

type TestReconciler struct {
	client.Client

	PostgresImage       string
	ConsoleImage        string
	AgenticConsoleImage string
	AlertsAdapterImage  string
	OtelCollectorImage  string
	AppServerImage      string
	McpServerImage      string
	DataverseExporter   string
	RhokpImage          string

	PrometheusAvailable bool
	// contains filtered or unexported fields
}

TestReconciler is a test implementation of the reconciler.Reconciler interface used across controller test suites

func NewTestReconciler

func NewTestReconciler(
	client client.Client,
	logger logr.Logger,
	scheme *runtime.Scheme,
	namespace string,
) *TestReconciler

NewTestReconciler creates a new TestReconciler instance with the provided parameters

func (*TestReconciler) GetAgenticConsoleImage

func (r *TestReconciler) GetAgenticConsoleImage() string

func (*TestReconciler) GetAlertsAdapterImage

func (r *TestReconciler) GetAlertsAdapterImage() string

func (*TestReconciler) GetAppServerImage

func (r *TestReconciler) GetAppServerImage() string

func (*TestReconciler) GetConsoleUIImage

func (r *TestReconciler) GetConsoleUIImage() string

func (*TestReconciler) GetDataverseExporterImage

func (r *TestReconciler) GetDataverseExporterImage() string

func (*TestReconciler) GetLogger

func (r *TestReconciler) GetLogger() logr.Logger

func (*TestReconciler) GetNamespace

func (r *TestReconciler) GetNamespace() string

func (*TestReconciler) GetOpenShiftMCPServerImage

func (r *TestReconciler) GetOpenShiftMCPServerImage() string

func (*TestReconciler) GetOpenShiftMajor

func (r *TestReconciler) GetOpenShiftMajor() string

func (*TestReconciler) GetOpenshiftMinor

func (r *TestReconciler) GetOpenshiftMinor() string

func (*TestReconciler) GetOtelCollectorImage

func (r *TestReconciler) GetOtelCollectorImage() string

func (*TestReconciler) GetPostgresImage

func (r *TestReconciler) GetPostgresImage() string

func (*TestReconciler) GetRHOOKPImage

func (r *TestReconciler) GetRHOOKPImage() string

func (*TestReconciler) GetRosaOKPProductEnv

func (r *TestReconciler) GetRosaOKPProductEnv() *corev1.EnvVar

func (*TestReconciler) GetScheme

func (r *TestReconciler) GetScheme() *runtime.Scheme

func (*TestReconciler) GetWatcherConfig

func (r *TestReconciler) GetWatcherConfig() interface{}

func (*TestReconciler) IsPrometheusAvailable

func (r *TestReconciler) IsPrometheusAvailable() bool

func (*TestReconciler) SetRosaOKPProductEnv

func (r *TestReconciler) SetRosaOKPProductEnv(env *corev1.EnvVar)

func (*TestReconciler) SetWatcherConfig

func (r *TestReconciler) SetWatcherConfig(config interface{})

type ToolFilteringConfig

type ToolFilteringConfig struct {
	// Weight for dense vs sparse retrieval (1.0 = full dense, 0.0 = full sparse)
	Alpha float64 `json:"alpha,omitempty"`
	// Number of tools to retrieve
	TopK int `json:"top_k,omitempty"`
	// Minimum similarity threshold for filtering results
	Threshold float64 `json:"threshold,omitempty"`
}

ToolFilteringConfig defines configuration for tool filtering using hybrid RAG retrieval The embedding model is not exposed as it's handled by the container image

type ToolsApprovalConfig

type ToolsApprovalConfig struct {
	// Approval strategy for tool execution
	ApprovalType string `json:"approval_type,omitempty"`
	// Timeout in seconds for waiting for user approval
	ApprovalTimeout int `json:"approval_timeout,omitempty"`
}

ToolsApprovalConfig defines configuration for tool execution approval Controls whether tool calls require user approval before execution

type UserDataCollectionConfig

type UserDataCollectionConfig struct {
	FeedbackDisabled    bool   `json:"feedback_disabled" default:"false"`
	FeedbackStorage     string `json:"feedback_storage,omitempty"`
	TranscriptsDisabled bool   `json:"transcripts_disabled" default:"false"`
	TranscriptsStorage  string `json:"transcripts_storage,omitempty"`
}

type UserDataCollectorConfig

type UserDataCollectorConfig struct {
	// Path to dir where ols user data (feedback and transcripts) are stored
	DataStorage string `json:"data_storage,omitempty"`
	// Collector logging level
	LogLevel string `json:"log_level,omitempty"`
}

type WatcherConfig

type WatcherConfig struct {
	Secrets                   SecretWatcherConfig
	ConfigMaps                ConfigMapWatcherConfig
	AnnotatedSecretMapping    map[string][]string
	AnnotatedConfigMapMapping map[string][]string
}

WatcherConfig contains all watcher configuration

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL