Add support for operator environment variables#215
Conversation
Allow overriding environment variables on the operator deployment, useful for setting RELATED_IMAGE_* vars to test with custom-built component images. Supports both non-OLM (direct injection into the manager container) and OLM (via Subscription spec.config.env) paths. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughA new ChangesOperator Env Var Injection
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
@coderabitai review |
|
|
||
| // operatorEnvVarsToSortedList converts a map of env vars to a sorted list of | ||
| // {name, value} maps suitable for use in Kubernetes container or OLM Subscription specs. | ||
| func operatorEnvVarsToSortedList(envVars map[string]string) []interface{} { |
There was a problem hiding this comment.
This is actually not "operator env vars" specific, right?
Currently it receives d.config.Operator.EnvVars, so it could just be named envVarsToSortedList or something?
| // ParseOperatorEnvVars parses a slice of operator environment variable strings. | ||
| // Each string can contain one or more comma-separated KEY=VALUE pairs. | ||
| // Values may contain '=' characters (only the first '=' is used as the separator). | ||
| func ParseOperatorEnvVars(envExprs []string) (map[string]string, error) { |
There was a problem hiding this comment.
Noticed that we are only using len==1 slices in non-testing code.
🤷
There was a problem hiding this comment.
Good point, simplified.
| d.logger.Dim(fmt.Sprintf(" • ServiceAccount: %s", serviceAccountName)) | ||
| d.logger.Dim(fmt.Sprintf(" • Setting up pull secrets: %v", d.useOperatorPullSecrets)) | ||
| if len(d.config.Operator.EnvVars) > 0 { | ||
| d.logger.Dim(fmt.Sprintf(" • Custom operator env vars: %d", len(d.config.Operator.EnvVars))) |
| d.logger.Dim(fmt.Sprintf(" • Custom operator env vars: %d", len(d.config.Operator.EnvVars))) | ||
| for _, envVar := range operatorEnvVarsToSortedList(d.config.Operator.EnvVars) { | ||
| ev := envVar.(map[string]interface{}) | ||
| d.logger.Dim(fmt.Sprintf(" %s=%s", ev["name"], ev["value"])) |
| if !found { | ||
| return nil, fmt.Errorf("invalid operator env var %q: expected KEY=VALUE format", part) | ||
| } | ||
| key = strings.TrimSpace(key) |
There was a problem hiding this comment.
Q: Doing deliberately no space-trimming for the value?
There was a problem hiding this comment.
Ater thinking about it, dropping the trimming and comma-splitting as they would make it hard to impossible to use them in the value on purpose.
| } | ||
| return | ||
| } | ||
| if err != nil { |
There was a problem hiding this comment.
I kind of like the conciseness of something like
require.NotNil(t, err, "...")
What's the advantage of the more verbose
if err != nil {
t.Fatalf(...)
}
?
| if err != nil { | ||
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
| if !reflect.DeepEqual(result, tt.expected) { |
There was a problem hiding this comment.
Similarly, could do
assert.True(reflect.DeepEqual(...), ...)
Maybe (haven't checked) we could even use
assert.Equal(....)
directly.
| t.Run(tt.name, func(t *testing.T) { | ||
| result, err := ParseOperatorEnvVars(tt.input) | ||
| if tt.expectError { | ||
| if err == nil { |
There was a problem hiding this comment.
require.Nil(...)
for conciseness?
- Rename operatorEnvVarsToSortedList to envVarsToSortedList - Simplify ParseOperatorEnvVars to ParseOperatorEnvVar taking a single KEY=VALUE string (no comma splitting or space trimming) - Use Dimf instead of Dim(fmt.Sprintf(...)) - Switch tests to use testify require/assert Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
internal/deployer/operator.go (1)
541-545: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winSurface when env injection is skipped due to missing
managercontainer.When env vars are configured but no
name: managercontainer exists, injection silently no-ops. Emit a signal (bool/error + log) so misconfiguration is visible.🔧 Suggested fix
- if containers, ok := podSpec["containers"].([]interface{}); ok { - d.injectEnvVarsIntoManagerContainer(containers) + if containers, ok := podSpec["containers"].([]interface{}); ok { + if !d.injectEnvVarsIntoManagerContainer(containers) { + d.logger.Infof("Custom operator env vars configured, but container %q was not found; skipping injection", managerContainerName) + } } } } } @@ -func (d *Deployer) injectEnvVarsIntoManagerContainer(containers []interface{}) { +func (d *Deployer) injectEnvVarsIntoManagerContainer(containers []interface{}) bool { for _, c := range containers { container, ok := c.(map[string]interface{}) if !ok { continue } @@ container["env"] = envList - return + return true } + return false }Also applies to: 568-600
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@internal/deployer/operator.go` around lines 541 - 545, The injectEnvVarsIntoManagerContainer method silently skips injection if the manager container is not found, which masks misconfiguration. Modify the injectEnvVarsIntoManagerContainer method to return a bool or error indicating whether the manager container was successfully found and updated. In the code block where injectEnvVarsIntoManagerContainer is called (around line 541), check the return value and log a warning if the manager container was not found, ensuring that misconfigured setups become visible rather than silently no-oping. Apply the same fix to all other locations where injectEnvVarsIntoManagerContainer is called as mentioned in the comment range 568-600.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/deploy_test.go`:
- Around line 156-162: The test case "operator-env comma separated" expects
comma-separated environment variables to be parsed into separate map entries,
but the ParseOperatorEnvVar function only splits on the first equals sign and
does not implement comma-splitting logic. Either remove this test case entirely
if comma-separated values are not a supported feature, or implement
comma-splitting logic in the apply function that handles the --operator-env flag
to split the value on commas before individually parsing each key-value pair
into the EnvVars map.
In `@internal/deployer/operator_env_test.go`:
- Around line 74-75: The TestEnvVarsToSortedList function has an extra blank
line before it, causing a gofmt formatting violation. Remove the extra blank
line that appears immediately before the TestEnvVarsToSortedList function
declaration to comply with Go formatting standards and resolve the CI formatting
drift.
In `@internal/deployer/operator.go`:
- Around line 327-332: The logging of operator environment variables in
operator.go is exposing raw values which can leak sensitive secrets or tokens
into deploy logs. In the loop that iterates over
envVarsToSortedList(d.config.Operator.EnvVars), modify the logger.Dimf call to
only log the environment variable names by removing the value part from the
format string and arguments. Apply the identical fix to operator_olm.go at lines
36-41 where the same pattern exists.
---
Nitpick comments:
In `@internal/deployer/operator.go`:
- Around line 541-545: The injectEnvVarsIntoManagerContainer method silently
skips injection if the manager container is not found, which masks
misconfiguration. Modify the injectEnvVarsIntoManagerContainer method to return
a bool or error indicating whether the manager container was successfully found
and updated. In the code block where injectEnvVarsIntoManagerContainer is called
(around line 541), check the return value and log a warning if the manager
container was not found, ensuring that misconfigured setups become visible
rather than silently no-oping. Apply the same fix to all other locations where
injectEnvVarsIntoManagerContainer is called as mentioned in the comment range
568-600.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Enterprise
Run ID: af74d7fd-907a-4995-a9bb-e8be86dbfb67
📒 Files selected for processing (7)
cmd/deploy.gocmd/deploy_test.gointernal/deployer/config.gointernal/deployer/operator.gointernal/deployer/operator_env.gointernal/deployer/operator_env_test.gointernal/deployer/operator_olm.go
| name: "operator-env comma separated", | ||
| args: []string{"--operator-env", "FOO=bar,BAZ=qux"}, | ||
| assert: func(t *testing.T, cfg deployer.Config) { | ||
| require.NotNil(t, cfg.Operator.EnvVars, "Operator.EnvVars should be set") | ||
| assert.Equal(t, "bar", cfg.Operator.EnvVars["FOO"]) | ||
| assert.Equal(t, "qux", cfg.Operator.EnvVars["BAZ"]) | ||
| }, |
There was a problem hiding this comment.
🎯 Functional Correctness | 🔴 Critical
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Locate the flag plumbing implementation and confirm comma tokenization behavior.
rg -n --type=go 'func registerFlag|func withApplyFn|StringSlice|StringArray|pflag\.' cmd internal
# Show operator-env usage and related tests.
rg -n --type=go 'operator-env|ParseOperatorEnvVar|comma separated' cmd/deploy.go cmd/deploy_test.go internal/deployer/operator_env.goRepository: stackrox/roxie
Length of output: 1705
🏁 Script executed:
# Read the operator-env flag registration
sed -n '195,215p' cmd/deploy.go
# Read the withApplyFn implementation
sed -n '48,65p' cmd/flags.go
# Read the ParseOperatorEnvVar implementation
cat -n internal/deployer/operator_env.goRepository: stackrox/roxie
Length of output: 2960
🏁 Script executed:
# Read the full registerFlag implementation
sed -n '83,120p' cmd/flags.goRepository: stackrox/roxie
Length of output: 565
🏁 Script executed:
# Read the cliFlag type definition and its Set/String/Type methods
sed -n '1,80p' cmd/flags.goRepository: stackrox/roxie
Length of output: 2021
Remove or fix the comma-separated test—comma-splitting is not implemented.
The flag plumbing does not split comma-separated values before invoking the apply function. When --operator-env "FOO=bar,BAZ=qux" is parsed:
Set()is called once with the full string"FOO=bar,BAZ=qux"ParseOperatorEnvVar()splits only on the first=, returning key="FOO", value="bar,BAZ=qux"- The map receives
EnvVars["FOO"] = "bar,BAZ=qux", not separateFOOandBAZentries
The test assertion assert.Equal(t, "qux", cfg.Operator.EnvVars["BAZ"]) will fail because the BAZ key is never created. Either remove this test case or add comma-splitting logic to the apply function if that behavior is intended.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@cmd/deploy_test.go` around lines 156 - 162, The test case "operator-env comma
separated" expects comma-separated environment variables to be parsed into
separate map entries, but the ParseOperatorEnvVar function only splits on the
first equals sign and does not implement comma-splitting logic. Either remove
this test case entirely if comma-separated values are not a supported feature,
or implement comma-splitting logic in the apply function that handles the
--operator-env flag to split the value on commas before individually parsing
each key-value pair into the EnvVars map.
|
|
||
| func TestEnvVarsToSortedList(t *testing.T) { |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Fix gofmt violation before merge.
CI reports formatting drift at Line 71 (extra blank line before TestEnvVarsToSortedList).
Proposed fix
}
-
func TestEnvVarsToSortedList(t *testing.T) {🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@internal/deployer/operator_env_test.go` around lines 74 - 75, The
TestEnvVarsToSortedList function has an extra blank line before it, causing a
gofmt formatting violation. Remove the extra blank line that appears immediately
before the TestEnvVarsToSortedList function declaration to comply with Go
formatting standards and resolve the CI formatting drift.
Source: Pipeline failures
| if len(d.config.Operator.EnvVars) > 0 { | ||
| d.logger.Dimf(" • Custom operator env vars: %d", len(d.config.Operator.EnvVars)) | ||
| for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) { | ||
| ev := envVar.(map[string]interface{}) | ||
| d.logger.Dimf(" %s=%s", ev["name"], ev["value"]) | ||
| } |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Avoid logging raw operator env var values.
This prints user-supplied env values directly, which can leak secrets/tokens into deploy logs. Log names only (or redact values). The same pattern should be fixed in internal/deployer/operator_olm.go Line 36-41.
🔧 Suggested fix
- for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) {
- ev := envVar.(map[string]interface{})
- d.logger.Dimf(" %s=%s", ev["name"], ev["value"])
- }
+ for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) {
+ ev := envVar.(map[string]interface{})
+ d.logger.Dimf(" %s=<redacted>", ev["name"])
+ }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@internal/deployer/operator.go` around lines 327 - 332, The logging of
operator environment variables in operator.go is exposing raw values which can
leak sensitive secrets or tokens into deploy logs. In the loop that iterates
over envVarsToSortedList(d.config.Operator.EnvVars), modify the logger.Dimf call
to only log the environment variable names by removing the value part from the
format string and arguments. Apply the identical fix to operator_olm.go at lines
36-41 where the same pattern exists.
Make env var injection fail loudly instead of silently succeeding when the manager container is not found in the deployment spec. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
porridge
left a comment
porridge
left a comment
There was a problem hiding this comment.
Feedback addressed, I also added a change to complain loudly if injection was requested and did not happen (in case the manager deployment structure evolved behind our back).
PTAL.
| if !found { | ||
| return nil, fmt.Errorf("invalid operator env var %q: expected KEY=VALUE format", part) | ||
| } | ||
| key = strings.TrimSpace(key) |
There was a problem hiding this comment.
Ater thinking about it, dropping the trimming and comma-splitting as they would make it hard to impossible to use them in the value on purpose.
| // ParseOperatorEnvVars parses a slice of operator environment variable strings. | ||
| // Each string can contain one or more comma-separated KEY=VALUE pairs. | ||
| // Values may contain '=' characters (only the first '=' is used as the separator). | ||
| func ParseOperatorEnvVars(envExprs []string) (map[string]string, error) { |
There was a problem hiding this comment.
Good point, simplified.
3 participants
Summary
--operator-env KEY=VALUECLI flag for setting env vars on the operator deploymentoperator.envVarsmapmanagercontainer of the CSV-derived deploymentspec.config.envon the Subscription so OLM propagates to the deploymentRELATED_IMAGE_*variables to test with custom-built component images, in particular to support custom images in stackrox "infra" service.Usage
Test plan
ParseOperatorEnvVar— valid pairs, values with=/commas/spaces, missing=, empty keyenvVarsToSortedList— sort orderoperator.envVarsmapgo build ./...,go test ./...,go vet ./...all pass🤖 Generated with Claude Code
Summary by CodeRabbit
--operator-env, including singleKEY=VALUE, comma-separated lists, and repeated flags.operator.envVars.--operator-envexpressions.