Skip to content

Add support for operator environment variables #215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
porridge wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add support for operator environment variables #215

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
69eaa82
Add support for operator environment variables
porridge Jun 22, 2026
dfbad9a
Address review feedback for operator env vars
porridge Jun 23, 2026
d59ebd5
Return error from injectEnvVarsIntoManagerContainer on failure
porridge Jun 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions cmd/deploy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,20 @@ Examples:
}),
)

registerFlag(cmd, settings, "operator-env", "Operator environment variables (e.g., RELATED_IMAGE_MAIN=quay.io/...)",
withApplyFn("env-var", func(config *deployer.Config, envExpr string) error {
key, value, err := deployer.ParseOperatorEnvVar(envExpr)
if err != nil {
return fmt.Errorf("parsing operator env var: %w", err)
}
if config.Operator.EnvVars == nil {
config.Operator.EnvVars = make(map[string]string)
}
config.Operator.EnvVars[key] = value
return nil
}),
)

registerFlag(cmd, settings, "features", "Feature flag settings (e.g., +ROX_FOO,-ROX_BAR,ROX_BAZ=true)",
withApplyFn("feature-flags", func(config *deployer.Config, featureFlagExpr string) error {
featureFlags, err := deployer.ParseFeatureFlags([]string{featureFlagExpr})
Expand Down
42 changes: 42 additions & 0 deletions cmd/deploy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,32 @@ func TestNewDeployCmd_Flags(t *testing.T) {
assert.Equal(t, types.ResourceProfileSmall, cfg.Central.ResourceProfile, "Central.ResourceProfile mismatch")
},
},
{
name: "operator-env single",
args: []string{"--operator-env", "RELATED_IMAGE_MAIN=quay.io/main:4.7.0"},
assert: func(t *testing.T, cfg deployer.Config) {
require.NotNil(t, cfg.Operator.EnvVars, "Operator.EnvVars should be set")
assert.Equal(t, "quay.io/main:4.7.0", cfg.Operator.EnvVars["RELATED_IMAGE_MAIN"])
},
},
{
name: "operator-env comma separated",
args: []string{"--operator-env", "FOO=bar,BAZ=qux"},
assert: func(t *testing.T, cfg deployer.Config) {
require.NotNil(t, cfg.Operator.EnvVars, "Operator.EnvVars should be set")
assert.Equal(t, "bar", cfg.Operator.EnvVars["FOO"])
assert.Equal(t, "qux", cfg.Operator.EnvVars["BAZ"])
},
Comment on lines +156 to +162

@coderabbitai coderabbitai Bot Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Locate the flag plumbing implementation and confirm comma tokenization behavior.
rg -n --type=go 'func registerFlag|func withApplyFn|StringSlice|StringArray|pflag\.' cmd internal

# Show operator-env usage and related tests.
rg -n --type=go 'operator-env|ParseOperatorEnvVar|comma separated' cmd/deploy.go cmd/deploy_test.go internal/deployer/operator_env.go

Repository: stackrox/roxie

Length of output: 1705

🏁 Script executed:

# Read the operator-env flag registration
sed -n '195,215p' cmd/deploy.go

# Read the withApplyFn implementation
sed -n '48,65p' cmd/flags.go

# Read the ParseOperatorEnvVar implementation
cat -n internal/deployer/operator_env.go

Repository: stackrox/roxie

Length of output: 2960

🏁 Script executed:

# Read the full registerFlag implementation
sed -n '83,120p' cmd/flags.go

Repository: stackrox/roxie

Length of output: 565

🏁 Script executed:

# Read the cliFlag type definition and its Set/String/Type methods
sed -n '1,80p' cmd/flags.go

Repository: stackrox/roxie

Length of output: 2021

Remove or fix the comma-separated test—comma-splitting is not implemented.

The flag plumbing does not split comma-separated values before invoking the apply function. When --operator-env "FOO=bar,BAZ=qux" is parsed:

  1. Set() is called once with the full string "FOO=bar,BAZ=qux"
  2. ParseOperatorEnvVar() splits only on the first =, returning key="FOO", value="bar,BAZ=qux"
  3. The map receives EnvVars["FOO"] = "bar,BAZ=qux", not separate FOO and BAZ entries

The test assertion assert.Equal(t, "qux", cfg.Operator.EnvVars["BAZ"]) will fail because the BAZ key is never created. Either remove this test case or add comma-splitting logic to the apply function if that behavior is intended.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/deploy_test.go` around lines 156 - 162, The test case "operator-env comma
separated" expects comma-separated environment variables to be parsed into
separate map entries, but the ParseOperatorEnvVar function only splits on the
first equals sign and does not implement comma-splitting logic. Either remove
this test case entirely if comma-separated values are not a supported feature,
or implement comma-splitting logic in the apply function that handles the
--operator-env flag to split the value on commas before individually parsing
each key-value pair into the EnvVars map.

@mclasmeier mclasmeier Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, this test is currently broken

@coderabbitai coderabbitai Bot Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mclasmeier, thanks for confirming. The cleanest fix is to remove the "operator-env comma separated" test case, since comma-splitting is not implemented and would actually conflict with values that legitimately contain commas (which ParseOperatorEnvVar already supports, per the tests in operator_env_test.go).

-		{
-			name: "operator-env comma separated",
-			args: []string{"--operator-env", "FOO=bar,BAZ=qux"},
-			assert: func(t *testing.T, cfg deployer.Config) {
-				require.NotNil(t, cfg.Operator.EnvVars, "Operator.EnvVars should be set")
-				assert.Equal(t, "bar", cfg.Operator.EnvVars["FOO"])
-				assert.Equal(t, "qux", cfg.Operator.EnvVars["BAZ"])
-			},
-		},

The two other test cases ("operator-env single" and "operator-env multiple flags") correctly cover the intended usage patterns and can remain as-is.

If comma-separated syntax is a deliberate feature you'd like to support, it would need comma-splitting logic added in the apply function in cmd/deploy.go — but note that would break values like FOO=bar,baz (a value containing a comma). The --operator-env KEY=VALUE --operator-env KEY2=VALUE2 pattern is the unambiguous way to pass multiple variables.

},
{
name: "operator-env multiple flags",
args: []string{"--operator-env", "FOO=bar", "--operator-env", "BAZ=qux"},
assert: func(t *testing.T, cfg deployer.Config) {
require.NotNil(t, cfg.Operator.EnvVars, "Operator.EnvVars should be set")
assert.Equal(t, "bar", cfg.Operator.EnvVars["FOO"])
assert.Equal(t, "qux", cfg.Operator.EnvVars["BAZ"])
},
},
{
name: "config file can be used",
config: `
Expand All @@ -166,6 +192,22 @@ securedCluster:
},
},

{
name: "config file with operator env vars",
config: `
operator:
envVars:
RELATED_IMAGE_MAIN: quay.io/rhacs-eng/main:4.7.0
RELATED_IMAGE_SCANNER: quay.io/rhacs-eng/scanner:4.7.0
`,
args: []string{"--config", configFilePath},
assert: func(t *testing.T, cfg deployer.Config) {
require.NotNil(t, cfg.Operator.EnvVars, "Operator.EnvVars should be set")
assert.Equal(t, "quay.io/rhacs-eng/main:4.7.0", cfg.Operator.EnvVars["RELATED_IMAGE_MAIN"])
assert.Equal(t, "quay.io/rhacs-eng/scanner:4.7.0", cfg.Operator.EnvVars["RELATED_IMAGE_SCANNER"])
},
},

{
name: "config file can disable early-readiness",
config: `
Expand Down
7 changes: 4 additions & 3 deletions internal/deployer/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,9 +76,10 @@ func NewRoxieConfig() RoxieConfig {

// OperatorConfig controls how the ACS operator is deployed.
type OperatorConfig struct {
SkipDeployment *bool `yaml:"skipDeployment,omitempty"`
DeployViaOlm *bool `yaml:"deployViaOlm,omitempty"`
Version string `yaml:"version,omitempty"`
SkipDeployment *bool `yaml:"skipDeployment,omitempty"`
DeployViaOlm *bool `yaml:"deployViaOlm,omitempty"`
Version string `yaml:"version,omitempty"`
EnvVars map[string]string `yaml:"envVars,omitempty"`
}

func (c *OperatorConfig) SkipDeploymentSet() bool {
Expand Down
62 changes: 59 additions & 3 deletions internal/deployer/operator.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -321,9 +321,16 @@ func (d *Deployer) deployOperatorFromCSV(ctx context.Context, bundleDir string)
d.useOperatorPullSecrets = d.config.Roxie.KonfluxImagesEnabled() && d.config.Roxie.ClusterType.NeedsPullSecrets()

d.logger.Info("📋 Operator deployment plan:")
d.logger.Dim(fmt.Sprintf(" • Namespace: %s", operatorNamespace))
d.logger.Dim(fmt.Sprintf(" • ServiceAccount: %s", serviceAccountName))
d.logger.Dim(fmt.Sprintf(" • Setting up pull secrets: %v", d.useOperatorPullSecrets))
d.logger.Dimf(" • Namespace: %s", operatorNamespace)
d.logger.Dimf(" • ServiceAccount: %s", serviceAccountName)
d.logger.Dimf(" • Setting up pull secrets: %v", d.useOperatorPullSecrets)
if len(d.config.Operator.EnvVars) > 0 {
d.logger.Dimf(" • Custom operator env vars: %d", len(d.config.Operator.EnvVars))
for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) {
ev := envVar.(map[string]interface{})
d.logger.Dimf(" %s=%s", ev["name"], ev["value"])
}
Comment on lines +327 to +332

@coderabbitai coderabbitai Bot Jun 23, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Avoid logging raw operator env var values.

This prints user-supplied env values directly, which can leak secrets/tokens into deploy logs. Log names only (or redact values). The same pattern should be fixed in internal/deployer/operator_olm.go Line 36-41.

🔧 Suggested fix 
-		for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) {
-			ev := envVar.(map[string]interface{})
-			d.logger.Dimf("    %s=%s", ev["name"], ev["value"])
-		}
+		for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) {
+			ev := envVar.(map[string]interface{})
+			d.logger.Dimf("    %s=<redacted>", ev["name"])
+		}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/deployer/operator.go` around lines 327 - 332, The logging of
operator environment variables in operator.go is exposing raw values which can
leak sensitive secrets or tokens into deploy logs. In the loop that iterates
over envVarsToSortedList(d.config.Operator.EnvVars), modify the logger.Dimf call
to only log the environment variable names by removing the value part from the
format string and arguments. Apply the identical fix to operator_olm.go at lines
36-41 where the same pattern exists.

}

if err := d.prepareNamespace(ctx, operatorNamespace, d.useOperatorPullSecrets); err != nil {
return err
Expand Down Expand Up @@ -530,6 +537,16 @@ func (d *Deployer) createDeploymentFromCSV(ctx context.Context, namespace string
if template, ok := spec["template"].(map[string]interface{}); ok {
if podSpec, ok := template["spec"].(map[string]interface{}); ok {
podSpec["serviceAccountName"] = deploymentSpec["service_account"]

if len(d.config.Operator.EnvVars) > 0 {
containers, ok := podSpec["containers"].([]interface{})
if !ok {
return errors.New("no containers found in deployment pod spec")
}
if err := d.injectEnvVarsIntoManagerContainer(containers); err != nil {
return fmt.Errorf("failed to inject operator env vars: %w", err)
}
}
}
}

Expand All @@ -548,6 +565,45 @@ func (d *Deployer) createDeploymentFromCSV(ctx context.Context, namespace string
return nil
}

const managerContainerName = "manager"

// injectEnvVarsIntoManagerContainer merges configured operator env vars into
// the manager container, overriding any existing env vars with the same name.
func (d *Deployer) injectEnvVarsIntoManagerContainer(containers []interface{}) error {
for _, c := range containers {
container, ok := c.(map[string]interface{})
if !ok {
continue
}
if container["name"] != managerContainerName {
continue
}

existing := make(map[string]int)
envList, _ := container["env"].([]interface{})
for i, item := range envList {
if envVar, ok := item.(map[string]interface{}); ok {
if name, ok := envVar["name"].(string); ok {
existing[name] = i
}
}
}

for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) {
name := envVar.(map[string]interface{})["name"].(string)
if idx, found := existing[name]; found {
envList[idx] = envVar
} else {
envList = append(envList, envVar)
}
}

container["env"] = envList
return nil
}
return fmt.Errorf("container %q not found in deployment", managerContainerName)
}

func (d *Deployer) applyBundleServiceResources(ctx context.Context, bundleDir, namespace string) error {
serviceFile := filepath.Join(bundleDir, "rhacs-operator-controller-manager-metrics-service_v1_service.yaml")
if _, err := os.Stat(serviceFile); err == nil {
Expand Down
37 changes: 37 additions & 0 deletions internal/deployer/operator_env.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
package deployer

import (
"fmt"
"sort"
"strings"
)

// ParseOperatorEnvVar parses a single KEY=VALUE environment variable string.
// Values may contain '=' characters (only the first '=' is used as the separator).
func ParseOperatorEnvVar(envExpr string) (string, string, error) {
key, value, found := strings.Cut(envExpr, "=")
if !found {
return "", "", fmt.Errorf("invalid operator env var %q: expected KEY=VALUE format", envExpr)
}
if key == "" {
return "", "", fmt.Errorf("invalid operator env var %q: empty key", envExpr)
}
return key, value, nil
}

// envVarsToSortedList converts a map of env vars to a sorted list of
// {name, value} maps suitable for use in Kubernetes container or OLM Subscription specs.
func envVarsToSortedList(envVars map[string]string) []interface{} {
result := make([]interface{}, 0, len(envVars))
for name, value := range envVars {
result = append(result, map[string]interface{}{
"name": name,
"value": value,
})
}
sort.Slice(result, func(i, j int) bool {
return result[i].(map[string]interface{})["name"].(string) <
result[j].(map[string]interface{})["name"].(string)
})
return result
}
90 changes: 90 additions & 0 deletions internal/deployer/operator_env_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
package deployer

import (
"testing"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)

func TestParseOperatorEnvVar(t *testing.T) {
tests := []struct {
name string
input string
expectedKey string
expectedVal string
expectError bool
}{
{
name: "simple KEY=VALUE",
input: "RELATED_IMAGE_MAIN=quay.io/rhacs-eng/main:4.7.0",
expectedKey: "RELATED_IMAGE_MAIN",
expectedVal: "quay.io/rhacs-eng/main:4.7.0",
},
{
name: "value containing equals sign",
input: "MY_VAR=a=b=c",
expectedKey: "MY_VAR",
expectedVal: "a=b=c",
},
{
name: "empty value",
input: "MY_VAR=",
expectedKey: "MY_VAR",
expectedVal: "",
},
{
name: "value with spaces",
input: "MY_VAR= hello world ",
expectedKey: "MY_VAR",
expectedVal: " hello world ",
},
{
name: "value with commas",
input: "MY_VAR=a,b,c",
expectedKey: "MY_VAR",
expectedVal: "a,b,c",
},
{
name: "missing equals sign",
input: "NO_VALUE",
expectError: true,
},
{
name: "empty key",
input: "=value",
expectError: true,
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
key, value, err := ParseOperatorEnvVar(tt.input)
if tt.expectError {
require.Error(t, err)
return
}
require.NoError(t, err)
assert.Equal(t, tt.expectedKey, key)
assert.Equal(t, tt.expectedVal, value)
})
}
}


func TestEnvVarsToSortedList(t *testing.T) {
Comment on lines +74 to +75

@coderabbitai coderabbitai Bot Jun 23, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix gofmt violation before merge.

CI reports formatting drift at Line 71 (extra blank line before TestEnvVarsToSortedList).

Proposed fix 
 }
-
 
 func TestEnvVarsToSortedList(t *testing.T) {
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/deployer/operator_env_test.go` around lines 74 - 75, The
TestEnvVarsToSortedList function has an extra blank line before it, causing a
gofmt formatting violation. Remove the extra blank line that appears immediately
before the TestEnvVarsToSortedList function declaration to comply with Go
formatting standards and resolve the CI formatting drift.

Source: Pipeline failures

input := map[string]string{
"ZZZ": "z",
"AAA": "a",
"MMM": "m",
}
result := envVarsToSortedList(input)

require.Len(t, result, 3)

expectedOrder := []string{"AAA", "MMM", "ZZZ"}
for i, item := range result {
name := item.(map[string]interface{})["name"].(string)
assert.Equal(t, expectedOrder[i], name, "index %d", i)
}
}
31 changes: 23 additions & 8 deletions internal/deployer/operator_olm.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,13 @@ const (
func (d *Deployer) deployOperatorViaOLM(ctx context.Context) error {
d.logger.Info("🚀 Deploying operator via OLM...")
d.logger.Infof("Operator tag: %s", d.config.Operator.Version)
if len(d.config.Operator.EnvVars) > 0 {
d.logger.Infof("Custom operator env vars: %d", len(d.config.Operator.EnvVars))
for _, envVar := range envVarsToSortedList(d.config.Operator.EnvVars) {
ev := envVar.(map[string]interface{})
d.logger.Dimf(" %s=%s", ev["name"], ev["value"])
}
}

if err := d.checkOLMInstalled(ctx); err != nil {
return err
Expand Down Expand Up @@ -200,21 +207,29 @@ func (d *Deployer) createSubscription(ctx context.Context) error {

startingCSV := fmt.Sprintf("rhacs-operator.v%s", d.config.Operator.Version)

subscriptionSpec := map[string]interface{}{
"channel": operatorChannel,
"name": "rhacs-operator",
"source": catalogSourceName,
"sourceNamespace": operatorNamespace,
"installPlanApproval": "Manual",
"startingCSV": startingCSV,
}

if len(d.config.Operator.EnvVars) > 0 {
subscriptionSpec["config"] = map[string]interface{}{
"env": envVarsToSortedList(d.config.Operator.EnvVars),
}
}

subscription := map[string]interface{}{
"apiVersion": "operators.coreos.com/v1alpha1",
"kind": "Subscription",
"metadata": map[string]interface{}{
"name": subscriptionName,
"namespace": operatorNamespace,
},
"spec": map[string]interface{}{
"channel": operatorChannel,
"name": "rhacs-operator",
"source": catalogSourceName,
"sourceNamespace": operatorNamespace,
"installPlanApproval": "Manual",
"startingCSV": startingCSV,
},
"spec": subscriptionSpec,
}

yamlData, err := yaml.Marshal(subscription)
Expand Down
Loading