Documentation
¶
Overview ¶
Package utils provides shared utility functions, types, and constants used across the OpenShift Lightspeed operator components.
This package contains:
- Constants for resource names, labels, and annotations
- Error constants for consistent error handling
- Helper functions for Kubernetes resource operations
- Status condition utilities
- TLS certificate validation
- OpenShift version detection
- Configuration data structures for OLS components
The utilities in this package are designed to be reusable across all operator components (`appserver`, `postgres`, `console`) and promote consistency in resource naming, labeling, and error handling throughout the codebase.
Index ¶
- Constants
- Variables
- func ActivateConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error
- func AlertsAdapterConfigMapRef(cr *olsv1alpha1.OLSConfig) (name string, ok bool)
- func AnnotateConfigMapWatcher(cm *corev1.ConfigMap)
- func AnnotateSecretWatcher(secret *corev1.Secret)
- func ApplyPodDeploymentConfig(deployment *appsv1.Deployment, config olsv1alpha1.Config, applyReplicas bool)
- func BoolDeref(p *bool, def bool) bool
- func BoolPtr(b bool) *bool
- func ConfigMapEqual(a, b *corev1.ConfigMap) bool
- func ContainerSpecEqual(a, b *corev1.Container) bool
- func ContainersEqual(a, b []corev1.Container) bool
- func CreateTelemetryPullSecret(ctx context.Context, k8sClient client.Client, withToken bool)
- func DeactivateConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error
- func DefaultConsolePluginResourceRequirements() *corev1.ResourceRequirements
- func DeleteConsolePluginCR(r reconciler.Reconciler, ctx context.Context, pluginName string) error
- func DeleteTelemetryPullSecret(ctx context.Context, k8sClient client.Client)
- func DeploymentSpecEqual(a, b *appsv1.DeploymentSpec, compareInitContainers bool) bool
- func EnvEqual(a, b []corev1.EnvVar) bool
- func ForEachExternalConfigMap(cr *olsv1alpha1.OLSConfig, fn func(name string, source string) error) error
- func ForEachExternalSecret(cr *olsv1alpha1.OLSConfig, fn func(name string, source string) error) error
- func GenerateAlertsAdapterSelectorLabels() map[string]string
- func GenerateAppServerSelectorLabels() map[string]string
- func GenerateConsolePluginDeployment(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, ...) (*appsv1.Deployment, error)
- func GenerateConsolePluginNetworkPolicy(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, name string, ...) (*networkingv1.NetworkPolicy, error)
- func GenerateConsolePluginNginxConfigMap(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, name string, ...) (*corev1.ConfigMap, error)
- func GenerateOpenShiftMCPServerConfigMap(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, labels map[string]string) (*corev1.ConfigMap, error)
- func GeneratePostgresSelectorLabels() map[string]string
- func GeneratePostgresWaitInitContainer(image string) corev1.Container
- func GenerateRandomConfigMap() (*corev1.ConfigMap, error)
- func GenerateRandomSecret() (*corev1.Secret, error)
- func GenerateRandomTLSSecret() (*corev1.Secret, error)
- func GenerateServiceAccount(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, name string) (*corev1.ServiceAccount, error)
- func GetCAFromSecret(rclient client.Client, ctx context.Context, namespace, secretName string) (string, error)
- func GetConfigMapResourceVersion(r reconciler.Reconciler, ctx context.Context, configMapName string) (string, error)
- func GetDefaultOLSConfigCR() *olsv1alpha1.OLSConfig
- func GetEmptyOLSConfigCR() *olsv1alpha1.OLSConfig
- func GetNoCacheCR() *olsv1alpha1.OLSConfig
- func GetOLSConfigWithCacheCR() *olsv1alpha1.OLSConfig
- func GetOpenShiftMCPServerConfigPath() string
- func GetOpenShiftMCPServerConfigVolumeAndMount() (corev1.Volume, corev1.VolumeMount)
- func GetOpenshiftVersion(k8sClient client.Client, ctx context.Context) (string, string, error)
- func GetPostgresCAConfigVolume() corev1.Volume
- func GetPostgresCAVolumeMount(mountPath string) corev1.VolumeMount
- func GetProxyCACertConfigMapName(proxyCACertRef *olsv1alpha1.ProxyCACertConfigMapRef) string
- func GetProxyCACertHash(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) (string, error)
- func GetProxyCACertKey(proxyCACertRef *olsv1alpha1.ProxyCACertConfigMapRef) string
- func GetProxyEnvVars() []corev1.EnvVar
- func GetResourcesOrDefault(customResources *corev1.ResourceRequirements, ...) *corev1.ResourceRequirements
- func GetSecretContent(rclient client.Client, ctx context.Context, secretName string, ...) (map[string]string, error)
- func ImageStreamEqual(a *imagev1.ImageStream, b *imagev1.ImageStream) bool
- func ImageStreamNameFor(image string) string
- func IsPrometheusOperatorAvailable(ctx context.Context, c client.Client) bool
- func NetworkPolicyEqual(a *networkingv1.NetworkPolicy, b *networkingv1.NetworkPolicy) bool
- func PodVolumeEqual(a, b []corev1.Volume) bool
- func ProbeEqual(a, b *corev1.Probe) bool
- func PrometheusRuleEqual(a *monv1.PrometheusRule, b *monv1.PrometheusRule) bool
- func RHOOKPContainerSecurityContext() *corev1.SecurityContext
- func ReconcileConsolePluginCR(r reconciler.Reconciler, ctx context.Context, desired *consolev1.ConsolePlugin) error
- func ReconcileConsolePluginConfigMap(r reconciler.Reconciler, ctx context.Context, desired *corev1.ConfigMap) error
- func ReconcileConsolePluginDeployment(r reconciler.Reconciler, ctx context.Context, desired *appsv1.Deployment, ...) error
- func ReconcileConsolePluginNetworkPolicy(r reconciler.Reconciler, ctx context.Context, ...) error
- func ReconcileConsolePluginService(r reconciler.Reconciler, ctx context.Context, desired *corev1.Service) error
- func ReconcileConsolePluginServiceAccount(r reconciler.Reconciler, ctx context.Context, desired *corev1.ServiceAccount) error
- func ReconcileOLSAdditionalCAConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
- func ReconcileOpenShiftMCPServerConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig, ...) error
- func ReconcileProxyCAConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
- func RemoveConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error
- func RestartConsolePluginDeployment(r reconciler.Reconciler, ctx context.Context, deploymentName string, ...) error
- func RestrictedContainerSecurityContext() *corev1.SecurityContext
- func RosaOKPProductEnv(k8sClient client.Client, ctx context.Context, log logr.Logger) (*corev1.EnvVar, error)
- func RunDeleteTasks(r reconciler.Reconciler, ctx context.Context, phase string, tasks []DeleteTask) error
- func RunReconcileTasks(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig, ...) error
- func ServiceEqual(a *corev1.Service, b *corev1.Service) bool
- func ServiceMonitorEqual(a *monv1.ServiceMonitor, b *monv1.ServiceMonitor) bool
- func SetDefaults_Deployment(obj *appsv1.Deployment)
- func StatusHasCondition(status olsv1alpha1.OLSConfigStatus, condition metav1.Condition) bool
- func ValidateCertificateFormat(cert []byte) error
- func ValidateLLMCredentials(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
- func ValidateTLSSecret(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
- func VolumeMountsEqual(a, b []corev1.VolumeMount) bool
- func WaitForConsolePluginTLSSecret(r reconciler.Reconciler, ctx context.Context, secretName string) error
- func WithAzureOpenAIProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
- func WithBedrockProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
- func WithGoogleVertexAnthropicProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
- func WithGoogleVertexProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
- type AppSrvConfigFile
- type AuditYAMLConfig
- type AzureOpenAIConfig
- type ConfigMapWatcherConfig
- type ConsolePluginDeploymentOptions
- type ConversationCacheConfig
- type DeleteFunc
- type DeleteTask
- type FakeProviderConfig
- type GoogleVertexAnthropicConfig
- type GoogleVertexConfig
- type LimiterConfig
- type LoggingConfig
- type MCPServerConfig
- type MCPTransport
- type MemoryCacheConfig
- type ModelConfig
- type ModelParameters
- type OLSConfig
- type OLSConfigReconcilerOptions
- type OTELYAMLConfig
- type OperatorReconcileFuncs
- type PostgresCacheConfig
- type ProviderConfig
- type ProxyConfig
- type QueryFilters
- type QuotaHandlersConfig
- type ReconcileFunc
- type ReconcileSteps
- type ReconcileTask
- type ReferenceContent
- type ReferenceIndex
- type SchedulerConfig
- type SecretWatcherConfig
- type SolrHybridSettings
- type StdioTransportConfig
- type StreamableHTTPTransportConfig
- type SystemConfigMap
- type SystemSecret
- type TLSConfig
- type TLSSecurityProfileConfig
- type TestReconciler
- func (r *TestReconciler) GetAgenticConsoleImage() string
- func (r *TestReconciler) GetAlertsAdapterImage() string
- func (r *TestReconciler) GetAppServerImage() string
- func (r *TestReconciler) GetConsoleUIImage() string
- func (r *TestReconciler) GetDataverseExporterImage() string
- func (r *TestReconciler) GetLogger() logr.Logger
- func (r *TestReconciler) GetNamespace() string
- func (r *TestReconciler) GetOpenShiftMCPServerImage() string
- func (r *TestReconciler) GetOpenShiftMajor() string
- func (r *TestReconciler) GetOpenshiftMinor() string
- func (r *TestReconciler) GetOtelCollectorImage() string
- func (r *TestReconciler) GetPostgresImage() string
- func (r *TestReconciler) GetRHOOKPImage() string
- func (r *TestReconciler) GetRosaOKPProductEnv() *corev1.EnvVar
- func (r *TestReconciler) GetScheme() *runtime.Scheme
- func (r *TestReconciler) GetWatcherConfig() interface{}
- func (r *TestReconciler) IsPrometheusAvailable() bool
- func (r *TestReconciler) SetRosaOKPProductEnv(env *corev1.EnvVar)
- func (r *TestReconciler) SetWatcherConfig(config interface{})
- type ToolFilteringConfig
- type ToolsApprovalConfig
- type UserDataCollectionConfig
- type UserDataCollectorConfig
- type WatcherConfig
Constants ¶
const ( /*** Volume Permissions ***/ // VolumeDefaultMode is the default permission for mounted volumes (0644 - read/write for owner, read-only for group/others) VolumeDefaultMode = int32(420) // VolumeRestrictedMode is for sensitive volumes like secrets (0600 - read/write for owner only) VolumeRestrictedMode = int32(0600) /*** Operator Settings ***/ // OLSConfigName is the name of the OLSConfig Custom Resource OLSConfigName = "cluster" // OLSConfigKind is the Kind of the OLSConfig Custom Resource OLSConfigKind = "OLSConfig" // OLSConfigAPIVersion is the APIVersion of the OLSConfig Custom Resource OLSConfigAPIVersion = "ols.openshift.io/v1alpha1" // OLSConfigFinalizer is the finalizer for OLSConfig CR to ensure proper cleanup OLSConfigFinalizer = "ols.openshift.io/finalizer" // OperatorCertDirDefault is the default directory for storing the operator certificate OperatorCertDirDefault = "/etc/tls/private" // OperatorCertNameDefault is the default name of the operator certificate OperatorCertNameDefault = "tls.crt" // OperatorKeyNameDefault is the default name of the operator key OperatorKeyNameDefault = "tls.key" // OperatorCACertPathDefault is the default path to the CA certificate OperatorCACertPathDefault = "/etc/tls/private/ca.crt" // ClientCACmName is the name of the client CA configmap ClientCACmName = "metrics-client-ca" // ClientCACmNamespace is the namespace of the client CA configmap ClientCACmNamespace = "openshift-monitoring" // ClientCACertKey is the key of the client CA certificate in the configmap ClientCACertKey = "client-ca.crt" // ResourceCreationTimeout is the maximum time in seconds operator waiting for creating resources ResourceCreationTimeout = 60 * time.Second // EnvTestCRDInstallMaxTime is the envtest CRD install wait budget for unit-test suites. // CI runs package tests in parallel; the default envtest deadline is too tight. EnvTestCRDInstallMaxTime = 3 * time.Minute /*** application server configuration file ***/ // OLSConfigName is the name of the OLSConfig configmap OLSConfigCmName = "olsconfig" // OLSCAConfigMap is the name of the OLS TLS ca certificate configmap OLSCAConfigMap = "openshift-service-ca.crt" // OLSNamespaceDefault is the default namespace for OLS OLSNamespaceDefault = "openshift-lightspeed" // OLSAppServerServiceAccountName is the name of service account running the application server OLSAppServerServiceAccountName = "lightspeed-app-server" // OLSAppServerSARRoleName is the name of the SAR role for the service account running the application server OLSAppServerSARRoleName = OLSAppServerServiceAccountName + "-sar-role" // OLSAppServerSARRoleBindingName is the name of the SAR role binding for the service account running the application server OLSAppServerSARRoleBindingName = OLSAppServerSARRoleName + "-binding" // OLSAppServerDeploymentName is the name of the OLS application server deployment OLSAppServerDeploymentName = "lightspeed-app-server" // APIKeyMountRoot is the directory hosting the API key file in the container APIKeyMountRoot = "/etc/apikeys" // #nosec G101 // CredentialsMountRoot is the directory hosting the credential files in the container CredentialsMountRoot = "/etc/credentials" // OLSAppCertsMountRoot is the directory hosting the cert files in the container OLSAppCertsMountRoot = "/etc/certs" // OLSConfigMountRoot is the directory hosting the OLS configuration files in the container OLSConfigMountRoot = "/etc/ols" // OLSComponentPasswordFileName is the generic name of the password file for each of its components OLSComponentPasswordFileName = "password" // OLSConfigFilename is the name of the application server configuration file OLSConfigFilename = "olsconfig.yaml" // AppServerServiceMonitorName is the name of the service monitor for the OLS application server AppServerServiceMonitorName = "lightspeed-app-server-monitor" // AppServerPrometheusRuleName is the name of the prometheus rules for the OLS application server AppServerPrometheusRuleName = "lightspeed-app-server-prometheus-rule" // AppServerMetricsPath is the path of the metrics endpoint of the OLS application server AppServerMetricsPath = "/metrics" // AppAdditionalCACertDir is the directory for storing additional CA certificates in the app server container under OLSAppCertsMountRoot AppAdditionalCACertDir = "ols-additional-ca" // UserCACertDir is the directory for storing additional CA certificates in the app server container under OLSAppCertsMountRoot UserCACertDir = "ols-user-ca" // OpenShiftCAVolumeName is the name of the volume for OpenShift CA certificates OpenShiftCAVolumeName = "openshift-ca" // AdditionalCAVolumeName is the name of the volume for additional CA certificates provided by the user AdditionalCAVolumeName = "additional-ca" // CertBundleVolumeName is the name of the volume for the certificate bundle CertBundleVolumeName = "cert-bundle" // ProxyCACertFileName is the name of the proxy CA certificate file ProxyCACertFileName = "proxy-ca.crt" // ProxyCACertVolumeName is the name of the volume for the proxy CA certificate ProxyCACertVolumeName = "proxy-ca" // RAGVolumeName is the name of the volume hosting customized RAG content RAGVolumeName = "rag" // RAGVolumeMountPath is the path of the volume hosting customized RAG content RAGVolumeMountPath = "/rag-data" // OLSAppServerNetworkPolicyName is the name of the network policy for the OLS application server OLSAppServerNetworkPolicyName = "lightspeed-app-server" // FeatureGateMCPServer is the feature gate flag activating the MCP server FeatureGateMCPServer = "MCPServer" // FeatureGateToolFiltering is the feature gate flag activating tool filtering FeatureGateToolFiltering = "ToolFiltering" // OLSConfigHashKey is the key of the hash value of the OLSConfig configmap OLSConfigHashKey = "hash/olsconfig" // LLMProviderHashKey is the key of the hash value of OLS LLM provider credentials consolidated // #nosec G101 LLMProviderHashKey = "hash/llmprovider" // OLSAppTLSHashKey is the key of the hash value of the OLS App TLS certificates OLSAppTLSHashKey = "hash/olstls" // OLSConsoleTLSHashKey is the key of the hash value of the OLS Console TLS certificates OLSConsoleTLSHashKey = "hash/olsconsoletls" // AdditionalCAHashKey is the key of the hash value of the additional CA certificates in the deployment annotations AdditionalCAHashKey = "hash/additionalca" // ProxyCACertHashAnnotation is the annotation key for tracking Proxy CA certificate content hash. ProxyCACertHashAnnotation = "ols.openshift.io/proxy-ca-configmap-hash" // OLSAppServerContainerPort is the port number of the lightspeed-service-api container exposes OLSAppServerContainerPort = 8443 // OLSAppServerServicePort is the port number for OLS application server service. OLSAppServerServicePort = 8443 // OLSAppServerServiceName is the name of the OLS application server service OLSAppServerServiceName = "lightspeed-app-server" // OLSCertsSecretName is the name of the TLS secret for OLS. OLSCertsSecretName = "lightspeed-tls" // #nosec G101 // Annotation key for serving certificate secret name // #nosec G101 ServingCertSecretAnnotationKey = "service.beta.openshift.io/serving-cert-secret-name" // DefaultCredentialKey is the default secret key name for provider credentials DefaultCredentialKey = "apitoken" // BedrockAccessKeyIDKey is the secret key for AWS access key ID (Bedrock IAM auth) BedrockAccessKeyIDKey = "aws_access_key_id" // BedrockSecretAccessKeyKey is the secret key for AWS secret access key (Bedrock IAM auth) BedrockSecretAccessKeyKey = "aws_secret_access_key" // #nosec G101 // BedrockRoleARNKey is the optional secret key for STS role ARN (Bedrock IAM auth) BedrockRoleARNKey = "role_arn" // AzureOpenAIType is the name of the Azure OpenAI provider type AzureOpenAIType = "azure_openai" // FakeProviderType is the name of the fake provider type used for testing FakeProviderType = "fake_provider" // GoogleVertexType is the name of the Google Vertex generic provider type GoogleVertexType = "google_vertex" // GoogleVertexAnthropicType is the name of the Google Vertex Anthropic provider type GoogleVertexAnthropicType = "google_vertex_anthropic" // BedrockType is the name of the AWS Bedrock provider type BedrockType = "bedrock" // DeploymentInProgress message DeploymentInProgress = "In Progress" // OLSSystemPromptFileName is the filename for the system prompt OLSSystemPromptFileName = "system_prompt" // BYOK image stream annotation on the app server deployment OLSAppServerImageStreamTriggerAnnotation = "image.openshift.io/triggers" /*** console UI plugin ***/ // ConsoleUIConfigMapName is the name of the console UI nginx configmap ConsoleUIConfigMapName = "lightspeed-console-plugin" // ConsoleUIServiceCertSecretName is the name of the console UI service certificate secret ConsoleUIServiceCertSecretName = "lightspeed-console-plugin-cert" // ConsoleUIServiceName is the name of the console UI service ConsoleUIServiceName = "lightspeed-console-plugin" // ConsoleUIDeploymentName is the name of the console UI deployment ConsoleUIDeploymentName = "lightspeed-console-plugin" // ConsoleUIHTTPSPort is the port number of the console UI service ConsoleUIHTTPSPort = 9443 // ConsoleUIPluginName is the name of the console UI plugin ConsoleUIPluginName = "lightspeed-console-plugin" // ConsoleUIPluginDisplayName is the display name of the console UI plugin ConsoleUIPluginDisplayName = "Lightspeed Console" // ConsoleUIServiceAccountName is the name of the service account for the console UI plugin ConsoleUIServiceAccountName = "lightspeed-console-plugin" // ConsoleCRName is the name of the console custom resource ConsoleCRName = "cluster" // ConsoleProxyAlias is the alias of the console proxy // The console backend exposes following proxy endpoint: /api/proxy/plugin/<plugin-name>/<proxy-alias>/<request-path>?<optional-query-parameters> ConsoleProxyAlias = "ols" // ConsoleUINetworkPolicyName is the name of the network policy for the console UI plugin ConsoleUINetworkPolicyName = "lightspeed-console-plugin" /*** agentic console UI plugin ***/ // AgenticConsoleUIConfigMapName is the name of the agentic console UI nginx configmap AgenticConsoleUIConfigMapName = "lightspeed-agentic-console-plugin" // AgenticConsoleUIServiceCertSecretName is the name of the agentic console UI service certificate secret AgenticConsoleUIServiceCertSecretName = "lightspeed-agentic-console-plugin-cert" // AgenticConsoleUIServiceName is the name of the agentic console UI service AgenticConsoleUIServiceName = "lightspeed-agentic-console-plugin" // AgenticConsoleUIDeploymentName is the name of the agentic console UI deployment AgenticConsoleUIDeploymentName = "lightspeed-agentic-console-plugin" // AgenticConsoleUIHTTPSPort is the port number of the agentic console UI service AgenticConsoleUIHTTPSPort = 9443 // AgenticConsoleUIPluginName is the name of the agentic console UI plugin AgenticConsoleUIPluginName = "lightspeed-agentic-console-plugin" // AgenticConsoleUIPluginDisplayName is the display name of the agentic console UI plugin AgenticConsoleUIPluginDisplayName = "OpenShift Lightspeed Agentic Console Plugin" // AgenticConsoleUIServiceAccountName is the name of the service account for the agentic console UI plugin AgenticConsoleUIServiceAccountName = "lightspeed-agentic-console-plugin" // AgenticConsoleUINetworkPolicyName is the name of the network policy for the agentic console UI plugin AgenticConsoleUINetworkPolicyName = "lightspeed-agentic-console-plugin" // AgenticConsoleUIContainerName is the name of the agentic console UI container AgenticConsoleUIContainerName = "console" /*** watchers ***/ // Watcher Annotation key WatcherAnnotationKey = "ols.openshift.io/watcher" // ConfigMap with default openshift certificates DefaultOpenShiftCerts = "kube-root-ca.crt" // Force reload annotation key ForceReloadAnnotationKey = "ols.openshift.io/force-reload" /*** Postgres Constants ***/ // PostgresCAVolume is the name of the OLS Postgres TLS ca certificate volume name PostgresCAVolume = "cm-olspostgresca" // PostgresDeploymentName is the name of OLS application Postgres deployment PostgresDeploymentName = "lightspeed-postgres-server" // PostgresWaitInitContainerName is the name of the init container that waits for Postgres to accept connections PostgresWaitInitContainerName = "wait-for-postgres" // PostgresSecretKeyName is the name of the key holding Postgres server secret PostgresSecretKeyName = "password" // PostgresDefaultUser is the default user name for postgres PostgresDefaultUser = "postgres" // PostgresDefaultDbName is the default db name for Postgres PostgresDefaultDbName = "postgres" // PostgresConfigHashKey is the key of the hash value of the OLS's Postgres config PostgresConfigHashKey = "hash/olspostgresconfig" // PostgresSecretHashKey is the key of the hash value of OLS Postgres secret // #nosec G101 PostgresSecretHashKey = "hash/postgres-secret" // PostgresConfigMapResourceVersionAnnotation is the annotation key for tracking ConfigMap ResourceVersion PostgresConfigMapResourceVersionAnnotation = "ols.openshift.io/postgres-configmap-version" // PostgresSecretResourceVersionAnnotation is the annotation key for tracking Secret ResourceVersion //nolint:gosec // G101: This is an annotation key name, not a credential PostgresSecretResourceVersionAnnotation = "ols.openshift.io/postgres-secret-version" // PostgresServiceName is the name of OLS application Postgres server service PostgresServiceName = "lightspeed-postgres-server" // OtelCollectorServiceName is the in-cluster OTEL Collector Service for OTLP from OLS. OtelCollectorServiceName = "lightspeed-otel-collector" // OtelCollectorGRPCPort is the OTLP gRPC port exposed by the OTEL Collector Service. OtelCollectorGRPCPort = 4317 // PostgresSecretName is the name of OLS application Postgres secret PostgresSecretName = "lightspeed-postgres-secret" // PostgresCertsSecretName is the name of the Postgres certs secret PostgresCertsSecretName = "lightspeed-postgres-certs" // PostgresBootstrapSecretName is the name of the Postgres bootstrap secret // #nosec G101 PostgresBootstrapSecretName = "lightspeed-postgres-bootstrap" // PostgresBootstrapVolumeMountPath is the path of bootstrap volume mount PostgresBootstrapVolumeMountPath = "/usr/share/container-scripts/postgresql/start/create-extensions.sh" // PostgresExtensionScript is the name of the Postgres extensions script PostgresExtensionScript = "create-extensions.sh" // PostgresConfigMap is the name of the Postgres config map PostgresConfigMap = "lightspeed-postgres-conf" // PostgresConfigVolumeMountPath is the path of Postgres configuration volume mount PostgresConfigVolumeMountPath = "/usr/share/pgsql/postgresql.conf.sample" // PostgresConfig is the name of Postgres configuration used to start the server PostgresConfig = "postgresql.conf.sample" // PostgresDataVolume is the name of Postgres data volume PostgresDataVolume = "postgres-data" // PostgresDataVolumeMountPath is the path of Postgres data volume mount PostgresDataVolumeMountPath = "/var/lib/pgsql" // PostgreVarRunVolumeName is the data volume name for the /var/run/postgresql writable mount PostgresVarRunVolumeName = "lightspeed-postgres-var-run" // PostgresVarRunVolumeMountPath is the path of Postgres data volume mount PostgresVarRunVolumeMountPath = "/var/run/postgresql" // PostgresServicePort is the port number of the OLS Postgres server service PostgresServicePort = 5432 PostgresSharedBuffers = "256MB" // PostgresMaxConnections is the max connections values for Postgres cache PostgresMaxConnections = 2000 // PostgresDefaultSSLMode is the default ssl mode for postgres PostgresDefaultSSLMode = "require" // PostgresBootStrapScriptContent is the postgres's bootstrap script content PostgresBootStrapScriptContent = `` /* 609-byte string literal not displayed */ // PostgresConfigMapContent is the postgres's config content PostgresConfigMapContent = `` /* 159-byte string literal not displayed */ // PostgresNetworkPolicyName is the name of the network policy for the OLS postgres server PostgresNetworkPolicyName = "lightspeed-postgres-server" /*** Alerts Adapter Constants ***/ // AlertsAdapterDeploymentName is the name of the agentic alerts adapter deployment AlertsAdapterDeploymentName = "lightspeed-agentic-alerts-adapter" // AlertsAdapterServiceAccountName is the name of the alerts adapter service account AlertsAdapterServiceAccountName = "lightspeed-agentic-alerts-adapter" // AlertsAdapterContainerName is the name of the alerts adapter container AlertsAdapterContainerName = "adapter" // AlertsAdapterNetworkPolicyName is the name of the network policy for the alerts adapter AlertsAdapterNetworkPolicyName = "lightspeed-agentic-alerts-adapter" // AlertsAdapterAgenticRunsClusterRoleName is the cluster role granting AgenticRun create/list/get AlertsAdapterAgenticRunsClusterRoleName = "lightspeed-agentic-alerts-adapter-agenticruns" // AlertsAdapterAgenticRunsClusterRoleBindingName binds the AgenticRun ClusterRole to the alerts adapter SA AlertsAdapterAgenticRunsClusterRoleBindingName = "lightspeed-agentic-alerts-adapter-agenticruns" // AlertsAdapterLegacyProposalsClusterRoleName is the pre-OLS-3475 ClusterRole name removed on reconcile AlertsAdapterLegacyProposalsClusterRoleName = "lightspeed-agentic-alerts-adapter-proposals" // AlertsAdapterAlertmanagerRoleBindingName is the RoleBinding in openshift-monitoring for Alertmanager read access AlertsAdapterAlertmanagerRoleBindingName = "lightspeed-agentic-alerts-adapter-alertmanager" // AlertsAdapterConfigMapName is the ConfigMap holding runtime adapter settings (poll interval, cooldown, tools) AlertsAdapterConfigMapName = "alerts-adapter-config" // AlertsAdapterConfigMapDataKey is the key within AlertsAdapterConfigMapName for adapter YAML config AlertsAdapterConfigMapDataKey = "config.yaml" // AlertsAdapterConfigVolumeName is the pod volume name for the mounted runtime config ConfigMap AlertsAdapterConfigVolumeName = "config" // AlertsAdapterConfigVolumeMountPath is where the adapter reads mounted config.yaml AlertsAdapterConfigVolumeMountPath = "/etc/alerts-adapter" // AlertsAdapterConfigRoleName is the legacy Role name removed after config moved to a volume mount AlertsAdapterConfigRoleName = "lightspeed-agentic-alerts-adapter-config" // AlertsAdapterConfigRoleBindingName is the legacy RoleBinding name removed after config moved to a volume mount AlertsAdapterConfigRoleBindingName = "lightspeed-agentic-alerts-adapter-config" // MonitoringAlertmanagerViewRoleName is the OpenShift monitoring Role for read-only Alertmanager API access MonitoringAlertmanagerViewRoleName = "monitoring-alertmanager-view" // OpenShiftMonitoringNamespace is the namespace for platform monitoring RBAC and services OpenShiftMonitoringNamespace = "openshift-monitoring" // AlertsAdapterAlertmanagerURL is the in-cluster Alertmanager API base URL AlertsAdapterAlertmanagerURL = "https://alertmanager-main.openshift-monitoring.svc:9094" // AlertsAdapterAlertmanagerURLEnvVar is the deployment env var for the Alertmanager URL AlertsAdapterAlertmanagerURLEnvVar = "ALERTMANAGER_URL" // AlertsAdapterComponentLabel is the app.kubernetes.io/component label value for alerts adapter resources AlertsAdapterComponentLabel = "alerts-adapter" // PostgresPVCName is the name of the PVC for the OLS Postgres server PostgresPVCName = "lightspeed-postgres-pvc" // PostgresDefaultPVCSize is the default size of the PVC for the OLS Postgres server PostgresDefaultPVCSize = "1Gi" // PostgreServiceAccountName is the name of the service account for the OLS Postgres server PostgreServiceAccountName = "lightspeed-postgres-server" // TmpVolume is the data volume name for the /tmp writable mount TmpVolumeName = "tmp-writable-volume" // TmpVolumeMountPath is the path of the /tmp writable mount TmpVolumeMountPath = "/tmp" // TelemetryPullSecretNamespace "openshift-config" contains the telemetry pull secret to determine the enablement of telemetry // #nosec G101 TelemetryPullSecretNamespace = "openshift-config" // TelemetryPullSecretName is the name of the secret containing the telemetry pull secret TelemetryPullSecretName = "pull-secret" /*** operator resources ***/ // OperatorServiceMonitorName is the name of the service monitor for scraping the operator metrics OperatorServiceMonitorName = "controller-manager-metrics-monitor" // OperatorDeploymentName is the name of the operator deployment OperatorDeploymentName = "lightspeed-operator-controller-manager" OLSDefaultCacheType = "postgres" // OperatorNetworkPolicyName is the name of the network policy for the operator OperatorNetworkPolicyName = "lightspeed-operator" // OperatorMetricsPort is the port number of the operator metrics endpoint OperatorMetricsPort = 8443 // MetricsReaderServiceAccountTokenSecretName is the name of the secret containing the service account token for the metrics reader MetricsReaderServiceAccountTokenSecretName = "metrics-reader-token" // #nosec G101 // MetricsReaderServiceAccountName is the name of the service account for the metrics reader MetricsReaderServiceAccountName = "lightspeed-operator-metrics-reader" // MCP server URL OpenShiftMCPServerURL = "http://localhost:%d/mcp" // MCP server port. OpenShiftMCPServerPort = 8080 // RHOOKPHTTPPort is the Solr HTTP proxy port for the RH OKP sidecar (remapped from image default 8080). RHOOKPHTTPPort = 9080 // RHOOKPHTTPSPort is the RH OKP Apache HTTPS port (remapped from image default 8443; OLS uses 8443). RHOOKPHTTPSPort = 9443 // OCPClusterVersionEnvVar is read by lightspeed-service to resolve Solr chunk_filter_query at startup. OCPClusterVersionEnvVar = "OCP_CLUSTER_VERSION" // OLSRosaProductEnvVar is read by lightspeed-service to scope OKP retrieval on ROSA clusters. OLSRosaProductEnvVar = "OLS_ROSA_PRODUCT" // RosaOKPProductHCP is the OKP product identifier for ROSA hosted control planes. RosaOKPProductHCP = "red_hat_openshift_service_on_aws" // RosaOKPProductClassic is the OKP product identifier for ROSA classic architecture. RosaOKPProductClassic = "red_hat_openshift_service_on_aws_classic_architecture" // RHOOKPSolrCollection is the Solr core served by RHOKP (matches lightspeed-service portal-rag client). RHOOKPSolrCollection = "portal-rag" // RHOOKPReadinessHTTPPath hits the portal-rag core admin ping (Apache / alone is not Solr-ready). RHOOKPReadinessHTTPPath = "/solr/" + RHOOKPSolrCollection + "/admin/ping" // RHOKP startup probe: Solr can take several minutes on cold start (portal-rag core load). RHOOKPStartupProbeInitialDelaySeconds = 20 RHOOKPStartupProbePeriodSeconds = 10 RHOOKPStartupProbeFailureThreshold = 34 // 20s delay + 34*10s = 6 min before startup fails RHOOKPProbePeriodSeconds = 10 RHOOKPProbeTimeoutSeconds = 5 RHOOKPProbeFailureThreshold = 3 RHOOKPAccessKeySecretName = "rhokp-access-key" // #nosec G101 -- user-created secret for RHOKP portal access RHOOKPAccessKeySecretKey = "ACCESS_KEY" // RHOKP image Apache config paths (Listen directives remapped before mel start). RHOOKPHTTPDConfPath = "/etc/httpd/conf/httpd.conf" RHOOKPHTTPDSSLConfPath = "/etc/httpd/conf.d/ssl.conf" RHOOKPImageHTTPPort = 8080 RHOOKPImageHTTPSPort = 8443 RHOOKPContainerEntrypoint = "/usr/bin/container-entrypoint" RHOOKPMainCommand = "/usr/local/bin/mel" // Solr hybrid defaults written to the OLS config file (not exposed on OLSConfig CR). SolrHybridMaxResultsDefault = 5 SolrHybridVectorBoostDefault = 8.0 SolrHybridPoolDocsDefault = 100 SolrHybridScoreThresholdDefault = 0.0 SolrHybridSolrTimeoutSecondsDefault = 60.0 // MCP server timeout, sec OpenShiftMCPServerTimeout = 60 // MCP server SSE read timeout, sec OpenShiftMCPServerHTTPReadTimeout = 30 // Tools approval timeout default, sec (must match +kubebuilder:default in ToolsApprovalConfig) ToolsApprovalDefaultTimeout = 600 // Authorization header for OpenShift MCP server K8S_AUTH_HEADER = "Authorization" // Constant, defining usage of kubernetes token KUBERNETES_PLACEHOLDER = "kubernetes" // Constant, defining usage of client token passthrough CLIENT_PLACEHOLDER = "client" // MCPHeadersMountRoot is the directory hosting MCP headers in the container MCPHeadersMountRoot = "/etc/mcp/headers" // OpenShiftMCPServerConfigCmName is the name of the ConfigMap for openshift-mcp-server configuration OpenShiftMCPServerConfigCmName = "openshift-mcp-server-config" // OpenShiftMCPServerConfigFilename is the filename for the openshift-mcp-server TOML config OpenShiftMCPServerConfigFilename = "config.toml" // OpenShiftMCPServerConfigMountPath is the directory where the MCP server config is mounted OpenShiftMCPServerConfigMountPath = "/etc/mcp-server" // OpenShiftMCPServerConfigVolumeName is the volume name for the MCP server config OpenShiftMCPServerConfigVolumeName = "mcp-server-config" // Header Secret Data Path MCPSECRETDATAPATH = "header" /*** Data Exporter Constants ***/ // ExporterConfigCmName is the name of the exporter configmap ExporterConfigCmName = "lightspeed-exporter-config" // ExporterConfigVolumeName is the name of the volume for exporter configuration ExporterConfigVolumeName = "exporter-config" // ExporterConfigMountPath is the path where exporter config is mounted ExporterConfigMountPath = "/etc/config" // ExporterConfigFilename is the name of the exporter configuration file ExporterConfigFilename = "config.yaml" // OLSUserDataMountPath is the path where user data is mounted in the app server container OLSUserDataMountPath = "/app-root/ols-user-data" // ServiceIDOLS is the service ID used by the data exporter ServiceIDOLS = "ols" // RHOSOLightspeedOwnerIDLabel is the label used to identify RHOSO Lightspeed deployment RHOSOLightspeedOwnerIDLabel = "openstack.org/lightspeed-owner-id" // ServiceIDRHOSO is the service ID used by the data exporter when RHOSO Lightspeed is deployed ServiceIDRHOSO = "rhos-lightspeed" /*** Container Names (used for testing) ***/ // OLSAppServerContainerName is the name of the OLS application server container OLSAppServerContainerName = "lightspeed-service-api" // DataverseExporterContainerName is the name of the dataverse exporter container DataverseExporterContainerName = "lightspeed-to-dataverse-exporter" // ConsoleUIContainerName is the name of the console UI container ConsoleUIContainerName = "lightspeed-console-plugin" // PostgresContainerName is the name of the postgres container PostgresContainerName = "lightspeed-postgres-server" // OpenShiftMCPServerContainerName is the name of the OpenShift MCP server container OpenShiftMCPServerContainerName = "openshift-mcp-server" // RHOOKPContainerName is the RH Offline Knowledge Portal (Solr) sidecar container name. RHOOKPContainerName = "rhokp" // OLSConfigMapResourceVersionAnnotation is the annotation key for tracking OLS ConfigMap ResourceVersion OLSConfigMapResourceVersionAnnotation = "ols.openshift.io/olsconfig-configmap-version" // OpenShiftMCPServerConfigMapResourceVersionAnnotation is the annotation key for tracking MCP Server ConfigMap ResourceVersion OpenShiftMCPServerConfigMapResourceVersionAnnotation = "ols.openshift.io/mcp-server-configmap-version" /*** Environment Variable Suffixes ***/ // EnvVarSuffixAPIKey is the environment variable suffix for API key credentials EnvVarSuffixAPIKey = "_API_KEY" // EnvVarSuffixClientID is the environment variable suffix for client ID credentials EnvVarSuffixClientID = "_CLIENT_ID" // EnvVarSuffixTenantID is the environment variable suffix for tenant ID credentials EnvVarSuffixTenantID = "_TENANT_ID" // EnvVarSuffixClientSecret is the environment variable suffix for client secret credentials EnvVarSuffixClientSecret = "_CLIENT_SECRET" )
const ( ErrCheckLLMCredentials = "failed to validate LLM provider credential settings" ErrCreateAdditionalCACM = "failed to create additional CA configmap" ErrCreateAPIConfigmap = "failed to create OLS configmap" ErrCreateAPIDeployment = "failed to create OLS deployment" ErrCreateAPIService = "failed to create OLS service" ErrCreateAPIServiceAccount = "failed to create OLS service account" ErrCreateAppServerNetworkPolicy = "failed to create AppServer network policy" ErrCreateConsolePlugin = "failed to create Console Plugin" ErrCreateConsolePluginConfigMap = "failed to create Console Plugin configmap" ErrCreateConsolePluginDeployment = "failed to create Console Plugin deployment" ErrCreateConsolePluginService = "failed to create Console Plugin service" ErrCreateConsolePluginServiceAccount = "failed to create Console Plugin service account" ErrCreateConsolePluginNetworkPolicy = "failed to create Console Plugin network policy" ErrCreateSARClusterRole = "failed to create SAR cluster role" ErrCreateSARClusterRoleBinding = "failed to create SAR cluster role binding" ErrCreateServiceMonitor = "failed to create ServiceMonitor" ErrCreateMetricsReaderSecret = "failed to create metrics reader secret" ErrCreateOperatorNetworkPolicy = "failed to create operator network policy" ErrCreatePrometheusRule = "failed to create PrometheusRule" ErrCreatePostgresSecret = "failed to create OLS Postgres secret" ErrCreatePostgresBootstrapSecret = "failed to create OLS Postgres bootstrap secret" ErrCreatePostgresConfigMap = "failed to create OLS Postgres configmap" ErrCreatePostgresService = "failed to create OLS Postgres service" ErrCreatePostgresPVC = "failed to create OLS Postgres PVC" ErrCreatePostgresDeployment = "failed to create OLS Postgres deployment" ErrCreatePostgresNetworkPolicy = "failed to create OLS Postgres network policy" ErrCreatePostgresServiceAccount = "failed to create OLS Postgres service account" ErrDeleteConsolePlugin = "failed to delete Console Plugin" ErrDeleteAdditionalCACM = "failed to delete additional CA configmap" ErrGenerateAdditionalCACM = "failed to generate additional CA configmap" ErrGenerateAPIConfigmap = "failed to generate OLS configmap" ErrGenerateAPIDeployment = "failed to generate OLS deployment" ErrGenerateAPIService = "failed to generate OLS service" ErrGenerateAPIServiceAccount = "failed to generate OLS service account" ErrGenerateAppServerNetworkPolicy = "failed to generate AppServer network policy" ErrGenerateConsolePlugin = "failed to generate Console Plugin" ErrGenerateConsolePluginConfigMap = "failed to generate Console Plugin configmap" ErrGenerateConsolePluginDeployment = "failed to generate Console Plugin deployment" ErrGenerateConsolePluginNetworkPolicy = "failed to generate Console Plugin network policy" ErrGenerateConsolePluginService = "failed to generate Console Plugin service" ErrGenerateConsolePluginServiceAccount = "failed to generate Console Plugin service account" ErrGenerateOperatorNetworkPolicy = "failed to generate operator network policy" ErrGenerateSARClusterRole = "failed to generate SAR cluster role" ErrGenerateSARClusterRoleBinding = "failed to generate SAR cluster role binding" ErrGenerateServiceMonitor = "failed to generate ServiceMonitor" ErrGenerateMetricsReaderSecret = "failed to generate metrics reader secret" ErrGeneratePrometheusRule = "failed to generate PrometheusRule" ErrGetAdditionalCACM = "failed to get additional CA configmap" ErrGetProxyCACM = "failed to get proxy CA configmap" ErrGeneratePostgresSecret = "failed to generate OLS Postgres secret" ErrGeneratePostgresBootstrapSecret = "failed to generate OLS Postgres bootstrap secret" ErrGeneratePostgresConfigMap = "failed to generate OLS Postgres configmap" ErrGeneratePostgresPVC = "failed to generate OLS Postgres PVC" ErrGeneratePostgresService = "failed to generate OLS Postgres service" ErrGeneratePostgresDeployment = "failed to generate OLS Postgres deployment" ErrGeneratePostgresNetworkPolicy = "failed to generate OLS Postgres network policy" ErrGeneratePostgresServiceAccount = "failed to generate OLS Postgres service account" ErrGetAPIConfigmap = "failed to get OLS configmap" ErrGetAPIDeployment = "failed to get OLS deployment" ErrGetAPIService = "failed to get OLS service" ErrGetAPIServiceAccount = "failed to get OLS service account" ErrGetAppServerNetworkPolicy = "failed to get AppServer network policy" ErrGetConsole = "failed to get Console" ErrGetConsolePlugin = "failed to get Console Plugin" ErrGetConsolePluginConfigMap = "failed to get Console Plugin configmap" ErrGetConsolePluginDeployment = "failed to get Console Plugin deployment" ErrGetConsolePluginNetworkPolicy = "failed to get Console Plugin network policy" ErrGetConsolePluginService = "failed to get Console Plugin service" ErrGetConsolePluginServiceAccount = "failed to get Console Plugin service account" ErrGetLLMSecret = "failed to get LLM provider secret" // #nosec G101 ErrGetOperatorNetworkPolicy = "failed to get operator network policy" ErrGetPostgresNetworkPolicy = "failed to get OLS Postgres network policy" ErrGetPostgresServiceAccount = "failed to get OLS Postgres service account" ErrGetTLSSecret = "failed to get TLS secret" // #nosec G101 ErrGetSARClusterRole = "failed to get SAR cluster role" ErrGetSARClusterRoleBinding = "failed to get SAR cluster role binding" ErrGetServiceMonitor = "failed to get ServiceMonitor" ErrGetMetricsReaderSecret = "failed to get metrics reader secret" ErrGetPrometheusRule = "failed to get PrometheusRule" ErrUpdateAPIConfigmap = "failed to update OLS configmap" ErrUpdateAPIDeployment = "failed to update OLS deployment" ErrUpdateAPIService = "failed to update OLS service" ErrUpdateAppServerNetworkPolicy = "failed to update AppServer network policy" ErrUpdateAdditionalCACM = "failed to update additional CA configmap" ErrUpdateConsole = "failed to update Console" ErrUpdateConsolePlugin = "failed to update Console Plugin" ErrUpdateConsolePluginConfigMap = "failed to update Console Plugin configmap" ErrUpdateConsolePluginDeployment = "failed to update Console Plugin deployment" ErrUpdateConsolePluginNetworkPolicy = "failed to update Console Plugin network policy" ErrUpdateConsolePluginService = "failed to update Console Plugin service" ErrUpdateCRStatusCondition = "failed to update OLSConfig CR status condition" ErrUpdateOperatorNetworkPolicy = "failed to update operator network policy" ErrUpdatePostgresNetworkPolicy = "failed to update OLS Postgres network policy" ErrUpdatePostgresServiceAccount = "failed to update OLS Postgres service account" ErrUpdateServiceMonitor = "failed to update ServiceMonitor" ErrUpdateMetricsReaderSecret = "failed to update metrics reader secret" ErrUpdatePrometheusRule = "failed to update PrometheusRule" ErrUpdateProxyCACM = "failed to update proxy CA configmap" // #nosec G101 ErrGetPostgresSecret = "failed to get OLS Postgres secret" // #nosec G101 ErrGetPostgresBootstrapSecret = "failed to get OLS Postgres bootstrap secret" ErrGetPostgresConfigMap = "failed to get OLS Postgres configmap" ErrGetPostgresService = "failed to get OLS Postgres service" ErrGetPostgresPVC = "failed to get OLS Postgres PVC" ErrGetPostgresDeployment = "failed to get OLS Postgres deployment" ErrUpdateProviderSecret = "failed to update provider secret" ErrUpdatePostgresSecret = "failed to update OLS Postgres secret" ErrUpdatePostgresDeployment = "failed to update OLS Postgres deployment" ErrListOldPostgresSecrets = "failed to list old OLS Postgres secrets" ErrDeleteOldPostgresSecrets = "failed to delete old OLS Postgres secret" // Alerts adapter errors ErrCreateAlertsAdapterDeployment = "failed to create alerts adapter deployment" ErrCreateAlertsAdapterNetworkPolicy = "failed to create alerts adapter network policy" ErrCreateAlertsAdapterServiceAccount = "failed to create alerts adapter service account" ErrCreateAlertsAdapterAgenticRunsClusterRole = "failed to create alerts adapter agenticruns cluster role" ErrCreateAlertsAdapterAgenticRunsClusterRoleBinding = "failed to create alerts adapter agenticruns cluster role binding" ErrCreateAlertsAdapterAlertmanagerRoleBinding = "failed to create alerts adapter alertmanager role binding" ErrCreateAlertsAdapterConfigMap = "failed to create alerts adapter configmap" ErrGenerateAlertsAdapterDeployment = "failed to generate alerts adapter deployment" ErrSetAlertsAdapterDeploymentOwnerReference = "failed to set alerts adapter deployment owner reference" ErrGenerateAlertsAdapterNetworkPolicy = "failed to generate alerts adapter network policy" ErrGenerateAlertsAdapterServiceAccount = "failed to generate alerts adapter service account" ErrGenerateAlertsAdapterConfigMap = "failed to generate alerts adapter configmap" ErrGenerateAlertsAdapterAgenticRunsClusterRole = "failed to generate alerts adapter agenticruns cluster role" ErrGenerateAlertsAdapterAgenticRunsClusterRoleBinding = "failed to generate alerts adapter agenticruns cluster role binding" ErrGenerateAlertsAdapterAlertmanagerRoleBinding = "failed to generate alerts adapter alertmanager role binding" ErrGetAlertsAdapterDeployment = "failed to get alerts adapter deployment" ErrGetAlertsAdapterNetworkPolicy = "failed to get alerts adapter network policy" ErrGetAlertsAdapterServiceAccount = "failed to get alerts adapter service account" ErrGetAlertsAdapterAgenticRunsClusterRole = "failed to get alerts adapter agenticruns cluster role" ErrGetAlertsAdapterAgenticRunsClusterRoleBinding = "failed to get alerts adapter agenticruns cluster role binding" ErrGetAlertsAdapterAlertmanagerRoleBinding = "failed to get alerts adapter alertmanager role binding" ErrGetAlertsAdapterConfigMap = "failed to get alerts adapter configmap" ErrGetAlertsAdapterConfigRole = "failed to get alerts adapter config role" ErrGetAlertsAdapterConfigRoleBinding = "failed to get alerts adapter config role binding" ErrUpdateAlertsAdapterDeployment = "failed to update alerts adapter deployment" ErrUpdateAlertsAdapterNetworkPolicy = "failed to update alerts adapter network policy" // OpenShift MCP server config errors ErrCreateMCPServerConfigMap = "failed to create MCP server config configmap" ErrDeleteMCPServerConfigMap = "failed to delete MCP server config configmap" ErrGetMCPServerConfigMap = "failed to get MCP server config configmap" ErrUpdateMCPServerConfigMap = "failed to update MCP server config configmap" )
const ( TypeApiReady = "ApiReady" TypeCacheReady = "CacheReady" TypeConsolePluginReady = "ConsolePluginReady" TypeAgenticConsolePluginReady = "AgenticConsolePluginReady" TypeAlertsAdapterReady = "AlertsAdapterReady" TypeCRReconciled = "Reconciled" )
Definitions to manage status conditions
const OpenShiftMCPServerConfigTOML = `` /* 748-byte string literal not displayed */
OpenShiftMCPServerConfigTOML is the TOML configuration for the shipped openshift-mcp-server sidecar. It denies access to Secret resources at the server level so secret data never reaches the LLM. Other sensitive resource types (RBAC) are also denied as defense in depth. Toolsets are listed explicitly so upstream default changes do not affect OLS; the metrics toolset uses in-cluster Thanos Querier and Alertmanager endpoints.
const PostgresWaitMaxSeconds = 300
PostgresWaitMaxSeconds is the maximum time the wait init container will run before exiting with an error.
const TestCACert = `` /* 1513-byte string literal not displayed */
Variables ¶
var ( OLSAppServerImageDefault = relatedimages.GetDefaultImage("lightspeed-service-api") ConsoleUIImageDefault = relatedimages.GetDefaultImage("lightspeed-console-plugin") PostgresServerImageDefault = relatedimages.GetDefaultImage("lightspeed-postgresql") OpenShiftMCPServerImageDefault = relatedimages.GetDefaultImage("openshift-mcp-server") DataverseExporterImageDefault = relatedimages.GetDefaultImage("lightspeed-to-dataverse-exporter") AgenticConsoleUIImageDefault = imageDefaultOr("lightspeed-agentic-console-plugin", agenticConsoleUIImageFallback) AlertsAdapterImageDefault = imageDefaultOr("lightspeed-agentic-alerts-adapter", alertsAdapterImageFallback) OtelCollectorImageDefault = imageDefaultOr("lightspeed-otel-collector", otelCollectorImageFallback) RHOOKPImageDefault = imageDefaultOr("rhokp", rhokpImageFallback) )
Default images from related_images.json (see internal/relatedimages). Used for flags and tests.
Functions ¶
func ActivateConsolePlugin ¶
func ActivateConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error
ActivateConsolePlugin adds a plugin name to the cluster Console CR.
func AlertsAdapterConfigMapRef ¶
func AlertsAdapterConfigMapRef(cr *olsv1alpha1.OLSConfig) (name string, ok bool)
AlertsAdapterConfigMapRef returns the referenced ConfigMap name when the alerts adapter is enabled (configMapRef set with a non-empty name). The bool is false when disabled.
func AnnotateConfigMapWatcher ¶
AnnotateConfigMapWatcher adds the watcher annotation to a configmap
func AnnotateSecretWatcher ¶
AnnotateSecretWatcher adds the watcher annotation to a secret
func ApplyPodDeploymentConfig ¶
func ApplyPodDeploymentConfig(deployment *appsv1.Deployment, config olsv1alpha1.Config, applyReplicas bool)
ApplyPodDeploymentConfig applies PodDeploymentConfig settings to a Deployment. This centralizes the logic for applying pod-level configurations (NodeSelector, Tolerations, etc.) to avoid code duplication across different deployment generators.
Parameters:
- deployment: The deployment to modify
- config: The PodDeploymentConfig containing the desired settings
- applyReplicas: Whether to apply the Replicas field (only true for appserver)
Usage:
// For console/postgres (replicas always 1): utils.ApplyPodDeploymentConfig(deployment, cr.Spec.OLSConfig.DeploymentConfig.ConsoleContainer, false) // For appserver (replicas configurable): utils.ApplyPodDeploymentConfig(deployment, cr.Spec.OLSConfig.DeploymentConfig.APIContainer, true)
func ConfigMapEqual ¶
deploymentSpecEqual compares two appsv1.DeploymentSpec and returns true if they are equal. ConfigMapEqual compares two ConfigMaps for equality, checking Data and BinaryData
func ContainerSpecEqual ¶
containerSpecEqual compares two corev1.Container and returns true if they are equal. checks performed on limited fields
func ContainersEqual ¶
containerEqual compares two container arrays and returns true if they are equal.
func CreateTelemetryPullSecret ¶
CreateTelemetryPullSecret creates a pull-secret in openshift-config namespace for testing telemetry/data collection features. If withToken is true, creates a secret with cloud.openshift.com auth. If withToken is false, creates a secret without telemetry token (for negative tests). This function is idempotent - ignores "already exists" errors.
func DeactivateConsolePlugin ¶
func DeactivateConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error
DeactivateConsolePlugin removes a plugin name from the cluster Console CR.
func DefaultConsolePluginResourceRequirements ¶
func DefaultConsolePluginResourceRequirements() *corev1.ResourceRequirements
DefaultConsolePluginResourceRequirements returns default resource requirements for console plugin containers.
func DeleteConsolePluginCR ¶
func DeleteConsolePluginCR(r reconciler.Reconciler, ctx context.Context, pluginName string) error
DeleteConsolePluginCR deletes a ConsolePlugin CR.
func DeleteTelemetryPullSecret ¶
DeleteTelemetryPullSecret removes the pull-secret from openshift-config namespace. This function is idempotent - ignores "not found" errors.
func DeploymentSpecEqual ¶
func DeploymentSpecEqual(a, b *appsv1.DeploymentSpec, compareInitContainers bool) bool
func ForEachExternalConfigMap ¶
func ForEachExternalConfigMap(cr *olsv1alpha1.OLSConfig, fn func(name string, source string) error) error
ForEachExternalConfigMap calls fn for each external configmap referenced in the OLSConfig CR. The callback function receives:
- name: the configmap name
- source: a descriptive identifier of where the configmap is used (e.g., "additional-ca", "proxy-ca")
If fn returns an error, iteration stops immediately and that error is returned. Returns nil if all iterations complete successfully.
Example usage:
err := ForEachExternalConfigMap(cr, func(name, source string) error {
return validateConfigMap(name)
})
func ForEachExternalSecret ¶
func ForEachExternalSecret(cr *olsv1alpha1.OLSConfig, fn func(name string, source string) error) error
The callback function receives:
- name: the secret name
- source: a descriptive identifier of where the secret is used (e.g., "llm-provider-openai", "tls", "mcp-myserver")
If fn returns an error, iteration stops immediately and that error is returned. Returns nil if all iterations complete successfully.
Example usage:
err := ForEachExternalSecret(cr, func(name, source string) error {
return validateSecret(name)
})
func GenerateAlertsAdapterSelectorLabels ¶
GenerateAlertsAdapterSelectorLabels returns selector labels for the alerts adapter.
func GenerateAppServerSelectorLabels ¶
GenerateAppServerSelectorLabels returns selector labels for Application Server components
func GenerateConsolePluginDeployment ¶
func GenerateConsolePluginDeployment( r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, opts ConsolePluginDeploymentOptions, ) (*appsv1.Deployment, error)
GenerateConsolePluginDeployment generates a Deployment for an nginx-served console plugin.
func GenerateConsolePluginNetworkPolicy ¶
func GenerateConsolePluginNetworkPolicy( r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, name string, labels map[string]string, port int32, ) (*networkingv1.NetworkPolicy, error)
GenerateConsolePluginNetworkPolicy generates a network policy allowing ingress from OpenShift Console pods.
func GenerateConsolePluginNginxConfigMap ¶
func GenerateConsolePluginNginxConfigMap( r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, name string, labels map[string]string, nginxConfig string, ) (*corev1.ConfigMap, error)
GenerateConsolePluginNginxConfigMap generates a ConfigMap containing nginx.conf for a console plugin.
func GenerateOpenShiftMCPServerConfigMap ¶
func GenerateOpenShiftMCPServerConfigMap(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, labels map[string]string) (*corev1.ConfigMap, error)
GenerateOpenShiftMCPServerConfigMap generates the ConfigMap containing the TOML configuration for the openshift-mcp-server sidecar. This ConfigMap is mounted into the sidecar container and referenced via the --config flag.
func GeneratePostgresSelectorLabels ¶
GeneratePostgresSelectorLabels returns selector labels for Postgres components
func GeneratePostgresWaitInitContainer ¶
GeneratePostgresWaitInitContainer returns an init container that waits until the Postgres database is accepting connections before the main container starts.
Uses pg_isready to probe the database directly, which is more reliable than checking Kubernetes deployment replica counts. The container uses the postgres image since pg_isready is bundled with it.
Connection parameters are configured via environment variables (PGHOST, PGPORT, PGUSER, PGDATABASE) with sensible defaults. Retries with exponential backoff up to PostgresWaitMaxSeconds.
func GenerateRandomConfigMap ¶
GenerateRandomConfigMap creates a test ConfigMap with sample data. This is useful for testing ConfigMap-dependent functionality without collision.
func GenerateRandomSecret ¶
GenerateRandomSecret creates a test secret with a random API token. This is useful for testing secret-dependent functionality without collision.
func GenerateRandomTLSSecret ¶
GenerateRandomTLSSecret creates a test TLS secret with random key and cert. This is useful for testing TLS-dependent functionality without collision.
func GenerateServiceAccount ¶
func GenerateServiceAccount(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig, name string) (*corev1.ServiceAccount, error)
GenerateServiceAccount generates a service account with the given name in the operator namespace
func GetCAFromSecret ¶
func GetCAFromSecret(rclient client.Client, ctx context.Context, namespace, secretName string) (string, error)
GetCAFromSecret retrieves CA certificate content from a Secret. It looks for the "ca.crt" key in the Secret's Data field. Returns empty string if the key doesn't exist (not an error - CA is optional).
func GetConfigMapResourceVersion ¶
func GetConfigMapResourceVersion(r reconciler.Reconciler, ctx context.Context, configMapName string) (string, error)
GetConfigMapResourceVersion returns the ResourceVersion of a ConfigMap.
func GetDefaultOLSConfigCR ¶
func GetDefaultOLSConfigCR() *olsv1alpha1.OLSConfig
GetDefaultOLSConfigCR creates an OLSConfig CR with fully configured specs. This is the most commonly used fixture for testing full functionality.
func GetEmptyOLSConfigCR ¶
func GetEmptyOLSConfigCR() *olsv1alpha1.OLSConfig
GetEmptyOLSConfigCR creates an OLSConfig CR with no fields set in its specs. This is useful for testing default values and validation.
func GetNoCacheCR ¶
func GetNoCacheCR() *olsv1alpha1.OLSConfig
GetNoCacheCR creates an OLSConfig CR with no cache configuration. This is useful for testing in-memory cache scenarios.
func GetOLSConfigWithCacheCR ¶
func GetOLSConfigWithCacheCR() *olsv1alpha1.OLSConfig
GetOLSConfigWithCacheCR creates an OLSConfig CR with only cache configuration. This is useful for testing cache-specific functionality.
func GetOpenShiftMCPServerConfigPath ¶
func GetOpenShiftMCPServerConfigPath() string
GetOpenShiftMCPServerConfigPath returns the full path to the MCP server config file inside the container.
func GetOpenShiftMCPServerConfigVolumeAndMount ¶
func GetOpenShiftMCPServerConfigVolumeAndMount() (corev1.Volume, corev1.VolumeMount)
GetOpenShiftMCPServerConfigVolumeAndMount returns the Volume and VolumeMount for the openshift-mcp-server TOML configuration. The config file is mounted as a subPath so the sidecar can reference it via --config.
func GetOpenshiftVersion ¶
Get Openshift version
func GetPostgresCAConfigVolume ¶
GetPostgresCAConfigVolume returns the CA certificate volume for postgres TLS verification.
func GetPostgresCAVolumeMount ¶
func GetPostgresCAVolumeMount(mountPath string) corev1.VolumeMount
GetPostgresCAVolumeMount returns the CA certificate volume mount for postgres.
func GetProxyCACertConfigMapName ¶
func GetProxyCACertConfigMapName(proxyCACertRef *olsv1alpha1.ProxyCACertConfigMapRef) string
GetProxyCACertConfigMapName returns the ConfigMap name for the proxy CA certificate. Returns empty string if the reference is nil.
func GetProxyCACertHash ¶
func GetProxyCACertHash(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) (string, error)
GetProxyCACertHash returns a SHA256 hash of the proxy CA certificate content if proxy CA is configured. This ensures deployments only restart when the certificate content actually changes, not just when the ConfigMap ResourceVersion changes (which can happen frequently for service-ca managed ConfigMaps). Returns empty string and nil error if proxy is not configured.
func GetProxyCACertKey ¶
func GetProxyCACertKey(proxyCACertRef *olsv1alpha1.ProxyCACertConfigMapRef) string
GetProxyCACertKey returns the ConfigMap key for the proxy CA certificate. If not specified, defaults to ProxyCACertFileName for backward compatibility.
func GetProxyEnvVars ¶
func GetResourcesOrDefault ¶
func GetResourcesOrDefault(customResources *corev1.ResourceRequirements, defaultResources *corev1.ResourceRequirements) *corev1.ResourceRequirements
GetResourcesOrDefault returns custom resources from CR if specified, otherwise returns defaults. This is a common pattern used across all component resource getters to avoid repetitive null-checking logic. It provides a consistent way to handle user-configurable container resources with sensible defaults.
Example usage:
return GetResourcesOrDefault(
cr.Spec.OLSConfig.DeploymentConfig.APIContainer.Resources,
&corev1.ResourceRequirements{
Limits: corev1.ResourceList{corev1.ResourceMemory: resource.MustParse("4Gi")},
Requests: corev1.ResourceList{corev1.ResourceCPU: resource.MustParse("500m")},
},
)
func GetSecretContent ¶
func ImageStreamEqual ¶
func ImageStreamEqual(a *imagev1.ImageStream, b *imagev1.ImageStream) bool
ImageStreamEqual compares the fields that the controller owns on two imagev1.ImageStreams. Used to decide if an existing ImageStream needs an Update. All managed fields must be listed here so reconciliation does not miss changes.
func ImageStreamNameFor ¶
ImageStreamNameFor converts a container image reference (e.g. "quay.io/org/my-image:v1.0") into a Kubernetes-compatible name suitable for an ImageStream. Kubernetes names that are used as DNS subdomain labels must follow RFC 1123: a single label can be at most 63 characters (DNS label max). The final name is slug + "-" + suffix, so:
ImageStreamSlugMaxLength (55) + 1 (hyphen) + 6 (suffix) ≤ 63.
It lowercases the string, replaces "/", ":", and "@" with underscores, replaces any character that is not [a-z0-9-] with a hyphen, trims and truncates to ImageStreamSlugMaxLength characters, then appends a 6-char SHA1 suffix of the original image so that different images still produce unique names while fitting within typical length limits (e.g. DNS subdomain labels).
func IsPrometheusOperatorAvailable ¶
IsPrometheusOperatorAvailable checks if Prometheus Operator CRDs are available on the cluster. It attempts to list ServiceMonitor and PrometheusRule resources to determine availability. Returns true if both CRDs are present, false otherwise.
func NetworkPolicyEqual ¶
func NetworkPolicyEqual(a *networkingv1.NetworkPolicy, b *networkingv1.NetworkPolicy) bool
networkPolicyEqual compares two networkingv1.NetworkPolicy and returns true if they are equal.
func PodVolumeEqual ¶
podVolumEqual compares two slices of corev1.Volume and returns true if they are equal. covers 3 volume types: Secret, ConfigMap, EmptyDir
func ProbeEqual ¶
func PrometheusRuleEqual ¶
func PrometheusRuleEqual(a *monv1.PrometheusRule, b *monv1.PrometheusRule) bool
prometheusRuleEqual compares two monv1.PrometheusRule and returns true if they are equal.
func RHOOKPContainerSecurityContext ¶
func RHOOKPContainerSecurityContext() *corev1.SecurityContext
RHOOKPContainerSecurityContext is restricted PSS except readOnlyRootFilesystem: the RHOKP image writes Solr pid files, logs, and httpd config patches at startup.
func ReconcileConsolePluginCR ¶
func ReconcileConsolePluginCR(r reconciler.Reconciler, ctx context.Context, desired *consolev1.ConsolePlugin) error
ReconcileConsolePluginCR creates or updates a ConsolePlugin CR.
func ReconcileConsolePluginConfigMap ¶
func ReconcileConsolePluginConfigMap(r reconciler.Reconciler, ctx context.Context, desired *corev1.ConfigMap) error
ReconcileConsolePluginConfigMap creates or updates a console plugin nginx ConfigMap.
func ReconcileConsolePluginDeployment ¶
func ReconcileConsolePluginDeployment( r reconciler.Reconciler, ctx context.Context, desired *appsv1.Deployment, restart func(reconciler.Reconciler, context.Context, ...*appsv1.Deployment) error, ) error
ReconcileConsolePluginDeployment creates or updates a console plugin Deployment.
func ReconcileConsolePluginNetworkPolicy ¶
func ReconcileConsolePluginNetworkPolicy(r reconciler.Reconciler, ctx context.Context, desired *networkingv1.NetworkPolicy) error
ReconcileConsolePluginNetworkPolicy creates or updates a console plugin NetworkPolicy.
func ReconcileConsolePluginService ¶
func ReconcileConsolePluginService(r reconciler.Reconciler, ctx context.Context, desired *corev1.Service) error
ReconcileConsolePluginService creates or updates a console plugin Service.
func ReconcileConsolePluginServiceAccount ¶
func ReconcileConsolePluginServiceAccount(r reconciler.Reconciler, ctx context.Context, desired *corev1.ServiceAccount) error
ReconcileConsolePluginServiceAccount creates a console plugin ServiceAccount if missing.
func ReconcileOLSAdditionalCAConfigMap ¶
func ReconcileOLSAdditionalCAConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
ReconcileOLSAdditionalCAConfigMap validates that the externally referenced Additional CA ConfigMap exists. Annotation handling is managed by the main controller.
func ReconcileOpenShiftMCPServerConfigMap ¶
func ReconcileOpenShiftMCPServerConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig, labels map[string]string) error
ReconcileOpenShiftMCPServerConfigMap reconciles the ConfigMap for the openshift-mcp-server. When introspection is enabled, the ConfigMap is created/updated. When introspection is disabled, the ConfigMap is deleted if it exists.
func ReconcileProxyCAConfigMap ¶
func ReconcileProxyCAConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
ReconcileProxyCAConfigMap validates that the externally referenced Proxy CA ConfigMap exists. Annotation handling is managed by the main controller.
func RemoveConsolePlugin ¶
func RemoveConsolePlugin(r reconciler.Reconciler, ctx context.Context, pluginName string) error
RemoveConsolePlugin deactivates and deletes a console plugin from the OpenShift Console.
func RestartConsolePluginDeployment ¶
func RestartConsolePluginDeployment(r reconciler.Reconciler, ctx context.Context, deploymentName string, deployment ...*appsv1.Deployment) error
RestartConsolePluginDeployment triggers a rolling restart of a console plugin deployment.
func RestrictedContainerSecurityContext ¶
func RestrictedContainerSecurityContext() *corev1.SecurityContext
RestrictedContainerSecurityContext returns a SecurityContext that conforms to the Pod Security "restricted" profile. Use this for all operator-managed containers.
func RosaOKPProductEnv ¶
func RosaOKPProductEnv(k8sClient client.Client, ctx context.Context, log logr.Logger) (*corev1.EnvVar, error)
RosaOKPProductEnv returns the OLS_ROSA_PRODUCT env var for ROSA clusters, or nil when the cluster is not ROSA. On ROSA, External topology maps to HCP; all other topologies map to Classic (OLS-1894).
func RunDeleteTasks ¶
func RunDeleteTasks(r reconciler.Reconciler, ctx context.Context, phase string, tasks []DeleteTask) error
RunDeleteTasks runs delete tasks and fails fast on the first error.
func RunReconcileTasks ¶
func RunReconcileTasks( r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig, phase string, tasks []ReconcileTask, continueOnError bool, ) error
RunReconcileTasks runs reconcile tasks. When continueOnError is true, all tasks run and failures are aggregated.
func ServiceEqual ¶
serviceEqual compares two v1.Service and returns true if they are equal.
func ServiceMonitorEqual ¶
func ServiceMonitorEqual(a *monv1.ServiceMonitor, b *monv1.ServiceMonitor) bool
serviceMonitorEqual compares two monv1.ServiceMonitor and returns true if they are equal.
func SetDefaults_Deployment ¶
func SetDefaults_Deployment(obj *appsv1.Deployment)
This is copied from https://github.com/kubernetes/kubernetes/blob/v1.29.2/pkg/apis/apps/v1/defaults.go#L38 to avoid importing the whole k8s.io/kubernetes package. SetDefaults_Deployment sets additional defaults compared to its counterpart in extensions. These addons are: - MaxUnavailable during rolling update set to 25% (1 in extensions) - MaxSurge value during rolling update set to 25% (1 in extensions) - RevisionHistoryLimit set to 10 (not set in extensions) - ProgressDeadlineSeconds set to 600s (not set in extensions)
func StatusHasCondition ¶
func StatusHasCondition(status olsv1alpha1.OLSConfigStatus, condition metav1.Condition) bool
StatusHasCondition checks if an OLSConfig status contains a specific condition. It ignores ObservedGeneration and LastTransitionTime when comparing.
func ValidateCertificateFormat ¶
validate the x509 certificate syntax
func ValidateLLMCredentials ¶
func ValidateLLMCredentials(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
ValidateLLMCredentials validates that all LLM provider credentials are present and usable. For each provider it requires credentialsSecretRef, loads the secret, then checks Data keys: Azure OpenAI accepts the default credential key or client_id/tenant_id/client_secret; Google Vertex (and Anthropic) use credentialKey when set, otherwise the default key; Bedrock accepts either the default credential key (Bearer token) or AWS IAM keys; all other supported types require the default credential key
func ValidateTLSSecret ¶
func ValidateTLSSecret(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha1.OLSConfig) error
ValidateTLSSecret validates that the custom TLS secret exists and contains required keys. It checks that the secret contains 'tls.crt' and 'tls.key'. The 'ca.crt' key is optional. This function should only be called when TLSConfig.KeyCertSecretRef is configured.
func VolumeMountsEqual ¶
func VolumeMountsEqual(a, b []corev1.VolumeMount) bool
VolumeMountsEqual compares two VolumeMount slices ignoring order
func WaitForConsolePluginTLSSecret ¶
func WaitForConsolePluginTLSSecret(r reconciler.Reconciler, ctx context.Context, secretName string) error
WaitForConsolePluginTLSSecret waits for the service-ca TLS secret for a console plugin.
func WithAzureOpenAIProvider ¶
func WithAzureOpenAIProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
WithAzureOpenAIProvider configures the first LLM provider as Azure OpenAI. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.
func WithBedrockProvider ¶
func WithBedrockProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
WithBedrockProvider configures the first LLM provider as AWS Bedrock. Auth mode (Bearer apitoken vs IAM keys) is determined by the referenced secret, not the CR. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.
func WithGoogleVertexAnthropicProvider ¶
func WithGoogleVertexAnthropicProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
WithGoogleVertexAnthropicProvider configures the first LLM provider as Google Vertex Anthropic. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.
func WithGoogleVertexProvider ¶
func WithGoogleVertexProvider(cr *olsv1alpha1.OLSConfig) *olsv1alpha1.OLSConfig
WithGoogleVertexProvider configures the first LLM provider as Google Vertex. This modifies the CR in place and returns it for chaining. Requires that Providers[0] already exists.
Types ¶
type AppSrvConfigFile ¶
type AppSrvConfigFile struct {
LLMProviders []ProviderConfig `json:"llm_providers"`
OLSConfig OLSConfig `json:"ols_config,omitempty"`
UserDataCollectorConfig UserDataCollectorConfig `json:"user_data_collector_config,omitempty"`
MCPServers []MCPServerConfig `json:"mcp_servers,omitempty"`
}
** application server configuration file ** root of the app server configuration file
type AuditYAMLConfig ¶
type AuditYAMLConfig struct {
Logging string `json:"logging"`
OTEL *OTELYAMLConfig `json:"otel,omitempty"`
}
type AzureOpenAIConfig ¶
type ConfigMapWatcherConfig ¶
type ConfigMapWatcherConfig struct {
SystemResources []SystemConfigMap
}
ConfigMapWatcherConfig contains configuration for watching configmaps
type ConsolePluginDeploymentOptions ¶
type ConsolePluginDeploymentOptions struct {
Name string
Labels map[string]string
SelectorLabels map[string]string
ServiceAccountName string
ContainerName string
Image string
Port int32
PortName string
CertVolumeName string
CertSecretName string
NginxVolumeName string
NginxConfigMapName string
NginxTempVolumeName string
Resources *corev1.ResourceRequirements
Env []corev1.EnvVar
DeploymentConfig olsv1alpha1.Config
}
ConsolePluginDeploymentOptions configures nginx-based console plugin Deployments.
type ConversationCacheConfig ¶
type ConversationCacheConfig struct {
// Type of cache to use. Default: "postgres"
Type string `json:"type" default:"postgres"`
// Postgres cache configuration
Postgres PostgresCacheConfig `json:"postgres,omitempty"`
}
type DeleteFunc ¶
type DeleteFunc func(reconciler.Reconciler, context.Context) error
type DeleteTask ¶
type DeleteTask struct {
Name string
Task DeleteFunc
}
type FakeProviderConfig ¶
type FakeProviderConfig struct {
// URL of the fake provider server to send requests
URL string `json:"url,omitempty" default:"http://example.com"`
// Whether the fake provider should stream responses in chunks
Stream bool `json:"stream" default:"false"`
// Flag to enable mcp tool call in fake provider
MCPToolCall bool `json:"mcp_tool_call" default:"false"`
// The full response to return when Stream is false, or the base response to chunk when Stream is true
Response string `json:"response,omitempty"`
// The number of chunks to split the response into when Stream is true
Chunks int `json:"chunks,omitempty" default:"30"`
// The amount of time in seconds to sleep between sending each chunk when Stream is true
Sleep float64 `json:"sleep,omitempty" default:"0.1"`
}
type GoogleVertexAnthropicConfig ¶
type GoogleVertexAnthropicConfig = GoogleVertexConfig
type GoogleVertexConfig ¶
type LimiterConfig ¶
type LimiterConfig struct {
// Name of the limiter
Name string `json:"name"`
// Type of the limiter
Type string `json:"type"`
// Initial value of the token quota
InitialQuota int `json:"initial_quota"`
// Token quota increase step
QuotaIncrease int `json:"quota_increase"`
// Period of time the token quota is for
Period string `json:"period"`
}
LimiterConfig defines settings for a token quota limiter
type LoggingConfig ¶
type MCPServerConfig ¶
type MCPTransport ¶
type MCPTransport string
const ( SSE MCPTransport = "sse" Stdio MCPTransport = "stdio" StreamableHTTP MCPTransport = "streamable_http" )
type MemoryCacheConfig ¶
type MemoryCacheConfig struct {
// Maximum number of cache entries. Default: "1000"
MaxEntries int `json:"max_entries,omitempty" default:"1000"`
}
type ModelConfig ¶
type ModelConfig struct {
// Model name
Name string `json:"name"`
// Model API URL
URL string `json:"url,omitempty"`
// Model context window size
ContextWindowSize uint `json:"context_window_size,omitempty"`
// Model parameters
Parameters ModelParameters `json:"parameters,omitempty"`
}
ModelSpec defines the desired state of in-memory cache.
type ModelParameters ¶
type ModelParameters struct {
// Maximum number of tokens for the input text. Default: 1024
MaxTokensForResponse int `json:"max_tokens_for_response,omitempty"`
// Ratio of context window size allocated for tool token budget
ToolBudgetRatio float64 `json:"tool_budget_ratio"`
}
ModelParameters defines the parameters for a model.
type OLSConfig ¶
type OLSConfig struct {
// Default model for usage
DefaultModel string `json:"default_model,omitempty"`
// Default provider for usage
DefaultProvider string `json:"default_provider,omitempty"`
// Maximum number of iterations for agent execution
MaxIterations int `json:"max_iterations,omitempty"`
// Logging config
Logging LoggingConfig `json:"logging_config,omitempty"`
// Conversation cache
ConversationCache ConversationCacheConfig `json:"conversation_cache,omitempty"`
// TLS configuration
TLSConfig TLSConfig `json:"tls_config,omitempty"`
// TLS security profile for service endpoint
TLSSecurityProfile *TLSSecurityProfileConfig `json:"tlsSecurityProfile,omitempty"`
// Query filters
QueryFilters []QueryFilters `json:"query_filters,omitempty"`
// Reference content for BYOK RAG vector indexes; omitted when spec.ols.rag is empty.
ReferenceContent *ReferenceContent `json:"reference_content,omitempty"`
// User data collection configuration
UserDataCollection UserDataCollectionConfig `json:"user_data_collection,omitempty"`
// List of Paths to files containing additional CA certificates in the app server container.
ExtraCAs []string `json:"extra_ca,omitempty"`
// Path to the directory containing the certificates bundle in the app server container.
CertificateDirectory string `json:"certificate_directory,omitempty"`
// Proxy settings
ProxyConfig *ProxyConfig `json:"proxy_config,omitempty"`
// LLM Token Quota Configuration
QuotaHandlersConfig *QuotaHandlersConfig `json:"quota_handlers,omitempty"`
// User specified system prompt
SystemPromptPath string `json:"system_prompt_path,omitempty"`
// Tool filtering configuration for hybrid RAG retrieval
ToolFiltering *ToolFilteringConfig `json:"tool_filtering,omitempty"`
// Tool execution approval configuration
ToolsApproval *ToolsApprovalConfig `json:"tools_approval,omitempty"`
// Audit logging and tracing configuration
Audit *AuditYAMLConfig `json:"audit,omitempty"`
// Solr hybrid RAG (portal-rag /hybrid-search); mirrors lightspeed-service solr_hybrid
SolrHybrid *SolrHybridSettings `json:"solr_hybrid,omitempty"`
}
type OLSConfigReconcilerOptions ¶
type OLSConfigReconcilerOptions struct {
OpenShiftMajor string
OpenshiftMinor string
LightspeedServiceImage string
LightspeedServicePostgresImage string
ConsoleUIImage string
AgenticConsoleUIImage string
AlertsAdapterImage string
OtelCollectorImage string
DataverseExporterImage string
OpenShiftMCPServerImage string
RHOOKPImage string
RosaOKPProductEnv *corev1.EnvVar
Namespace string
PrometheusAvailable bool
}
type OTELYAMLConfig ¶
type OperatorReconcileFuncs ¶
type PostgresCacheConfig ¶
type PostgresCacheConfig struct {
// Postgres host
Host string `json:"host,omitempty" default:"lightspeed-postgres-server.openshift-lightspeed.svc"`
// Postgres port
Port int `json:"port,omitempty" default:"5432"`
// Postgres user
User string `json:"user,omitempty" default:"postgres"`
// Postgres dbname
DbName string `json:"dbname,omitempty" default:"postgres"`
// Path to the file containing postgres credentials in the app server container
PasswordPath string `json:"password_path,omitempty"`
// SSLMode is the preferred ssl mode to connect with postgres
SSLMode string `json:"ssl_mode,omitempty" default:"require"`
// Postgres CA certificate path
CACertPath string `json:"ca_cert_path,omitempty"`
}
type ProviderConfig ¶
type ProviderConfig struct {
// Provider name
Name string `json:"name"`
// Provider API URL
URL string `json:"url,omitempty"`
// Path to the file containing API provider credentials in the app server container.
// default to "bam_api_key.txt"
CredentialsPath string `json:"credentials_path,omitempty" default:"bam_api_key.txt"`
// List of models from the provider
Models []ModelConfig `json:"models,omitempty"`
// Provider type
Type string `json:"type,omitempty"`
// Watsonx Project ID
WatsonProjectID string `json:"project_id,omitempty"`
// API Version for Azure OpenAI provider
APIVersion string `json:"api_version,omitempty"`
// Azure OpenAI Config
AzureOpenAIConfig *AzureOpenAIConfig `json:"azure_openai_config,omitempty"`
// Fake Provider Config for testing
FakeProviderConfig *FakeProviderConfig `json:"fake_provider_config,omitempty"`
// Google Vertex Config
GoogleVertexConfig *GoogleVertexConfig `json:"google_vertex_config,omitempty"`
// Google Vertex Anthropic Config
GoogleVertexAnthropicConfig *GoogleVertexAnthropicConfig `json:"google_vertex_anthropic_config,omitempty"`
}
type ProxyConfig ¶
type QueryFilters ¶
type QuotaHandlersConfig ¶
type QuotaHandlersConfig struct {
// Postgres connection details
Storage PostgresCacheConfig `json:"storage,omitempty"`
// Quota scheduler settings
Scheduler SchedulerConfig `json:"scheduler,omitempty"`
// Token quota limiters
LimitersConfig []LimiterConfig `json:"limiters,omitempty"`
// Enable token history
EnableTokenHistory bool `json:"enable_token_history,omitempty"`
}
QuotaHandlersConfig defines the token quota configuration
type ReconcileFunc ¶
type ReconcileFunc func(reconciler.Reconciler, context.Context, *olsv1alpha1.OLSConfig) error
** controller internal **
type ReconcileSteps ¶
type ReconcileTask ¶
type ReconcileTask struct {
Name string
Task ReconcileFunc
}
type ReferenceContent ¶
type ReferenceContent struct {
// Path to the file containing the product docs embeddings model in the app server container.
EmbeddingsModelPath string `json:"embeddings_model_path,omitempty"`
// List of reference indexes.
Indexes []ReferenceIndex `json:"indexes,omitempty"`
}
type ReferenceIndex ¶
type ReferenceIndex struct {
// Path to the file containing the product docs index in the app server container.
ProductDocsIndexPath string `json:"product_docs_index_path,omitempty"`
// Name of the index to load.
ProductDocsIndexId string `json:"product_docs_index_id,omitempty"`
// Where the database was copied from, i.e. BYOK image name.
ProductDocsOrigin string `json:"product_docs_origin,omitempty"`
}
type SchedulerConfig ¶
type SchedulerConfig struct {
// How often token quota is checked, sec
Period int `json:"period,omitempty"`
}
Scheduler configuration
type SecretWatcherConfig ¶
type SecretWatcherConfig struct {
SystemResources []SystemSecret
}
SecretWatcherConfig contains configuration for watching secrets
type SolrHybridSettings ¶
type SolrHybridSettings struct {
SolrHTTPBase string `json:"solr_http_base,omitempty"`
MaxResults int `json:"max_results,omitempty"`
ChunkFilterQuery string `json:"chunk_filter_query,omitempty"`
HybridVectorBoost float64 `json:"hybrid_vector_boost,omitempty"`
HybridPoolDocs int `json:"hybrid_pool_docs,omitempty"`
HybridScoreThreshold float64 `json:"hybrid_score_threshold,omitempty"`
HybridSolrTimeoutSeconds float64 `json:"hybrid_solr_timeout_s,omitempty"`
}
SolrHybridSettings configures Solr hybrid RAG retrieval for the OLS application config file.
type StdioTransportConfig ¶
type StdioTransportConfig struct {
// Command to run
Command string `json:"command,omitempty"`
// Command-line parameters for the command
Args []string `json:"args,omitempty"`
// Environment variables for the command
Env map[string]string `json:"env,omitempty"`
// The working directory for the command
Cwd string `json:"cwd,omitempty"`
// Encoding for the text exchanged with the command
Encoding string `json:"encoding,omitempty"`
}
type StreamableHTTPTransportConfig ¶
type StreamableHTTPTransportConfig struct {
// URL of the MCP server
URL string `json:"url,omitempty"`
// Overall timeout for the MCP server
Timeout int `json:"timeout,omitempty"`
// SSE read timeout for the MCP server
SSEReadTimeout int `json:"sse_read_timeout,omitempty"`
// Headers to send to the MCP server
Headers map[string]string `json:"headers,omitempty"`
}
type SystemConfigMap ¶
type SystemConfigMap struct {
Name string
Namespace string
Description string
AffectedDeployments []string
}
SystemConfigMap represents a configmap managed by Kubernetes or other applications that the operator needs to watch for changes
type SystemSecret ¶
type SystemSecret struct {
Name string
Namespace string
Description string
AffectedDeployments []string
}
SystemSecret represents a secret managed by Kubernetes or other applications that the operator needs to watch for changes
type TLSSecurityProfileConfig ¶
type TLSSecurityProfileConfig struct {
// Profile type expected by the service (OldType, IntermediateType, ModernType, Custom)
ProfileType string `json:"type,omitempty"`
// Minimum TLS protocol version (VersionTLS12, VersionTLS13, ...)
MinTLSVersion string `json:"minTLSVersion,omitempty"`
// Allowed ciphers in OpenSSL format
Ciphers []string `json:"ciphers,omitempty"`
}
type TestReconciler ¶
type TestReconciler struct {
client.Client
PostgresImage string
ConsoleImage string
AgenticConsoleImage string
AlertsAdapterImage string
OtelCollectorImage string
AppServerImage string
McpServerImage string
DataverseExporter string
RhokpImage string
PrometheusAvailable bool
// contains filtered or unexported fields
}
TestReconciler is a test implementation of the reconciler.Reconciler interface used across controller test suites
func NewTestReconciler ¶
func NewTestReconciler( client client.Client, logger logr.Logger, scheme *runtime.Scheme, namespace string, ) *TestReconciler
NewTestReconciler creates a new TestReconciler instance with the provided parameters
func (*TestReconciler) GetAgenticConsoleImage ¶
func (r *TestReconciler) GetAgenticConsoleImage() string
func (*TestReconciler) GetAlertsAdapterImage ¶
func (r *TestReconciler) GetAlertsAdapterImage() string
func (*TestReconciler) GetAppServerImage ¶
func (r *TestReconciler) GetAppServerImage() string
func (*TestReconciler) GetConsoleUIImage ¶
func (r *TestReconciler) GetConsoleUIImage() string
func (*TestReconciler) GetDataverseExporterImage ¶
func (r *TestReconciler) GetDataverseExporterImage() string
func (*TestReconciler) GetLogger ¶
func (r *TestReconciler) GetLogger() logr.Logger
func (*TestReconciler) GetNamespace ¶
func (r *TestReconciler) GetNamespace() string
func (*TestReconciler) GetOpenShiftMCPServerImage ¶
func (r *TestReconciler) GetOpenShiftMCPServerImage() string
func (*TestReconciler) GetOpenShiftMajor ¶
func (r *TestReconciler) GetOpenShiftMajor() string
func (*TestReconciler) GetOpenshiftMinor ¶
func (r *TestReconciler) GetOpenshiftMinor() string
func (*TestReconciler) GetOtelCollectorImage ¶
func (r *TestReconciler) GetOtelCollectorImage() string
func (*TestReconciler) GetPostgresImage ¶
func (r *TestReconciler) GetPostgresImage() string
func (*TestReconciler) GetRHOOKPImage ¶
func (r *TestReconciler) GetRHOOKPImage() string
func (*TestReconciler) GetRosaOKPProductEnv ¶
func (r *TestReconciler) GetRosaOKPProductEnv() *corev1.EnvVar
func (*TestReconciler) GetScheme ¶
func (r *TestReconciler) GetScheme() *runtime.Scheme
func (*TestReconciler) GetWatcherConfig ¶
func (r *TestReconciler) GetWatcherConfig() interface{}
func (*TestReconciler) IsPrometheusAvailable ¶
func (r *TestReconciler) IsPrometheusAvailable() bool
func (*TestReconciler) SetRosaOKPProductEnv ¶
func (r *TestReconciler) SetRosaOKPProductEnv(env *corev1.EnvVar)
func (*TestReconciler) SetWatcherConfig ¶
func (r *TestReconciler) SetWatcherConfig(config interface{})
type ToolFilteringConfig ¶
type ToolFilteringConfig struct {
// Weight for dense vs sparse retrieval (1.0 = full dense, 0.0 = full sparse)
Alpha float64 `json:"alpha,omitempty"`
// Number of tools to retrieve
TopK int `json:"top_k,omitempty"`
// Minimum similarity threshold for filtering results
Threshold float64 `json:"threshold,omitempty"`
}
ToolFilteringConfig defines configuration for tool filtering using hybrid RAG retrieval The embedding model is not exposed as it's handled by the container image
type ToolsApprovalConfig ¶
type ToolsApprovalConfig struct {
// Approval strategy for tool execution
ApprovalType string `json:"approval_type,omitempty"`
// Timeout in seconds for waiting for user approval
ApprovalTimeout int `json:"approval_timeout,omitempty"`
}
ToolsApprovalConfig defines configuration for tool execution approval Controls whether tool calls require user approval before execution
type UserDataCollectionConfig ¶
type UserDataCollectionConfig struct {
FeedbackDisabled bool `json:"feedback_disabled" default:"false"`
FeedbackStorage string `json:"feedback_storage,omitempty"`
TranscriptsDisabled bool `json:"transcripts_disabled" default:"false"`
TranscriptsStorage string `json:"transcripts_storage,omitempty"`
}
type UserDataCollectorConfig ¶
type WatcherConfig ¶
type WatcherConfig struct {
Secrets SecretWatcherConfig
ConfigMaps ConfigMapWatcherConfig
AnnotatedSecretMapping map[string][]string
AnnotatedConfigMapMapping map[string][]string
}
WatcherConfig contains all watcher configuration