OCPBUGS-48791: Add missing CSP directives
Manual backport of https://github.com/openshift/api/pull/2163
/assign @spadgett @JoelSpeed
@jhadvig: This pull request references Jira Issue OCPBUGS-48740, which is invalid:
- expected the bug to target either version "4.18." or "openshift-4.18.", but it targets "4.19.0" instead
- expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead
- release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
- expected Jira Issue OCPBUGS-48740 to depend on a bug targeting a version in 4.19.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
In response to this:
Manual backport of https://github.com/openshift/api/pull/2163
/assign @spadgett @JoelSpeed
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Hello @jhadvig! Some important instructions when contributing to openshift/api: API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.
Have the 4.19 changes hit the payload yet? Can we make sure that the 4.19 bug is verified before we move forward here, please?
@JoelSpeed yes, both PRs should already be part of the payload:
1. https://github.com/openshift/api/pull/2163#issuecomment-2608499935
2. https://github.com/openshift/api/pull/2176#issuecomment-2622626429
Spinning up a 4.19 TechPreview cluster for confirmation.
Hmm, although both PRs are merged in master, I don't see the added ObjectSrc directive type in the ConsolePlugin spec, using 4.19.0-0.nightly-2025-02-10-202838 with TechPreview.
Has the operator had its deps bumped to include the latest version of o/api?
@JoelSpeed checked the API definition on a 4.19 cluster with techPreview enabled and the ConnectSrc directive is there.
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.openshift.io: https://github.com/openshift/api/pull/1186
    api.openshift.io/merged-by-featuregates: "true"
    capability.openshift.io/name: Console
    description: Extension for configuring openshift web console plugins.
    displayName: ConsolePlugin
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    release.openshift.io/feature-set: TechPreviewNoUpgrade
    service.beta.openshift.io/inject-cabundle: "true"
  creationTimestamp: "2025-03-04T08:26:06Z"
  generation: 1
  name: consoleplugins.console.openshift.io
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    controller: true
    kind: ClusterVersion
    name: version
    uid: c52a6894-fba3-462d-8a31-56b6f48fc91f
  resourceVersion: "22008"
  uid: 3d7f8011-7bf2-4971-8e1b-786971e817b0
spec:
  conversion:
    strategy: None
  group: console.openshift.io
  names:
    kind: ConsolePlugin
    listKind: ConsolePluginList
    plural: consoleplugins
    singular: consoleplugin
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: |-
          ConsolePlugin is an extension for customizing OpenShift web console by
          dynamically loading code from another service running on the cluster.
          Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: spec contains the desired configuration for the console plugin.
            properties:
              backend:
                description: backend holds the configuration of backend which is serving
                  console's plugin .
                properties:
                  service:
                    description: |-
                      service is a Kubernetes Service that exposes the plugin using a
                      deployment with an HTTP server. The Service must use HTTPS and
                      Service serving certificate. The console backend will proxy the
                      plugins assets from the Service using the service CA bundle.
                    properties:
                      basePath:
                        default: /
                        description: |-
                          basePath is the path to the plugin's assets. The primary asset it the
                          manifest file called `plugin-manifest.json`, which is a JSON document
                          that contains metadata about the plugin and the extensions.
                        maxLength: 256
                        minLength: 1
                        pattern: ^[a-zA-Z0-9.\-_~!$&'()*+,;=:@\/]*$
                        type: string
                      name:
                        description: name of Service that is serving the plugin assets.
                        maxLength: 128
                        minLength: 1
                        type: string
                      namespace:
                        description: namespace of Service that is serving the plugin
                          assets.
                        maxLength: 128
                        minLength: 1
                        type: string
                      port:
                        description: port on which the Service that is serving the
                          plugin is listening to.
                        format: int32
                        maximum: 65535
                        minimum: 1
                        type: integer
                    required:
                    - name
                    - namespace
                    - port
                    type: object
                  type:
                    description: |
                      type is the backend type which servers the console's plugin. Currently only "Service" is supported.
                    enum:
                    - Service
                    type: string
                required:
                - type
                type: object
              contentSecurityPolicy:
                description: |-
                  contentSecurityPolicy is a list of Content-Security-Policy (CSP) directives for the plugin.
                  ....
                  policy string that is sent to the browser via `Content-Security-Policy` HTTP response header.
                  Example:
                  ConsolePlugin A directives:
                    script-src: https://script1.com/, https://script2.com/
                    font-src: https://font1.com/
                  ConsolePlugin B directives:
                    script-src: https://script2.com/, https://script3.com/
                    font-src: https://font2.com/
                    img-src: https://img1.com/
                  Unified set of CSP directives, passed to the OpenShift web console server:
                    script-src: https://script1.com/, https://script2.com/, https://script3.com/
                    font-src: https://font1.com/, https://font2.com/
                    img-src: https://img1.com/
                  OpenShift web console server CSP response header:
                    Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none'
                items:
                  description: ConsolePluginCSP holds configuration for a specific
                    CSP directive
                  properties:
                    directive:
                      description: |-
                        directive specifies which Content-Security-Policy directive to configure.
                        Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
                        DefaultSrc directive serves as a fallback for the other CSP fetch directives.
                        For more information about the DefaultSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
                        ScriptSrc directive specifies valid sources for JavaScript.
                        For more information about the ScriptSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
                        StyleSrc directive specifies valid sources for stylesheets.
                        For more information about the StyleSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
                        ImgSrc directive specifies a valid sources of images and favicons.
                        For more information about the ImgSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
                        FontSrc directive specifies valid sources for fonts loaded using @font-face.
                        For more information about the FontSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
                        ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
                        For more information about the ConnectSrc directive, see:
                        https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
                      enum:
                      - DefaultSrc
                      - ScriptSrc
                      - StyleSrc
                      - ImgSrc
                      - FontSrc
                      - ConnectSrc
                      type: string
                    values:
                      description: |-
                        .....
```
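The unification the `contentSecurityPolicy` description spells out, as an added Go example (not the console server's or openshift/api's own code): per-plugin directive lists are merged into one source list per directive, and the header is then rendered with `'self'` in front of each fetch directive and the fixed `base-uri`, `frame-src` and `object-src`. The position of `connect-src` in the header is an assumption, since the page's example does not set it.

```go
package main

import "strings"

// ConsolePluginCSP mirrors one entry of spec.contentSecurityPolicy: the directive
// as spelled in the API enum plus the extra sources the plugin needs for it.
type ConsolePluginCSP struct {
	Directive string   // DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc or ConnectSrc
	Values    []string // e.g. "https://script1.com/"
}

// wireName maps the API enum spelling to the directive name used in the header.
var wireName = map[string]string{
	"DefaultSrc": "default-src", "ScriptSrc": "script-src", "StyleSrc": "style-src",
	"ImgSrc": "img-src", "FontSrc": "font-src", "ConnectSrc": "connect-src",
}

// Unify merges the directives of all plugins into one source list per directive,
// dropping duplicates (script2 is listed by both A and B) in first-seen order.
func Unify(plugins ...[]ConsolePluginCSP) map[string][]string {
	unified, seen := map[string][]string{}, map[string]bool{}
	for _, plugin := range plugins {
		for _, d := range plugin {
			for _, v := range d.Values {
				if key := d.Directive + " " + v; !seen[key] {
					seen[key] = true
					unified[d.Directive] = append(unified[d.Directive], v)
				}
			}
		}
	}
	return unified
}

// Header renders the unified set as the CRD example shows: each fetch directive is
// 'self' plus the plugin sources; base-uri, frame-src and object-src are fixed.
// Assumption (not on the page): connect-src is emitted only when a plugin set it.
func Header(unified map[string][]string) string {
	var parts []string
	for _, d := range []string{"DefaultSrc", "ScriptSrc", "FontSrc", "ImgSrc", "StyleSrc", "ConnectSrc"} {
		if d == "ConnectSrc" && len(unified[d]) == 0 {
			continue
		}
		parts = append(parts, wireName[d]+" "+strings.Join(append([]string{"'self'"}, unified[d]...), " "))
		if d == "DefaultSrc" {
			parts = append(parts, "base-uri 'self'") // fixed directive, right after default-src
		}
	}
	return strings.Join(append(parts, "frame-src 'none'", "object-src 'none'"), "; ")
}
```

Feeding the two plugins from the CRD example into `Header(Unify(a, b))` yields exactly the response header quoted in the description.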
@jhadvig: This pull request references Jira Issue OCPBUGS-48791, which is invalid:
- expected Jira Issue OCPBUGS-48791 to depend on a bug targeting a version in 4.19.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
/jira refresh
@JoelSpeed: This pull request references Jira Issue OCPBUGS-48791, which is invalid:
- expected Jira Issue OCPBUGS-48791 to depend on a bug targeting a version in 4.19.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
@jhadvig Could you please sort out the bug chain for this backport, once we can see that the 4.19 version of this is verified we can move forward with the backport to 4.18
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten /remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
@jhadvig: An error was encountered removing this pull request from the external tracker bugs for bug OCPBUGS-48791 on the Jira server at https://issues.redhat.com/. No known errors were detected, please see the full error message for details.
Full error message.
request failed. Please analyze the request body for more details. Status code: 403: {"errorMessages":["No Link Issue Permission for issue 'OCPBUGS-48791'."],"errors":{}}
Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.
@openshift-bot: Closed this PR.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/reopen
@jhadvig: Reopened this PR.
@jhadvig: This pull request references Jira Issue OCPBUGS-48791, which is invalid:
- expected Jira Issue OCPBUGS-48791 to depend on a bug targeting a version in 4.19.0, 4.19.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
@jhadvig: all tests passed!
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/lgtm /label backport-risk-assessed
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: JoelSpeed
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
- ~~OWNERS~~ [JoelSpeed]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
@openshift-bot: Closed this PR.
@jhadvig: This pull request references Jira Issue OCPBUGS-48791. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.