186 changes: 186 additions & 0 deletions console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml
Expand Up @@ -87,3 +87,189 @@ tests:
i18n:
loadType: Invalid
expectedError: "Unsupported value: \"Invalid\""
- name: Should be able to create a ConsolePlugin with valid CSP configuration
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- https://script1.com/
- directive: ImgSrc
values:
- https://img1.com/
expected: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- https://script1.com/
- directive: ImgSrc
values:
- https://img1.com/
- name: Should throw an error for duplicate CSP directive entries
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- https://script1.com/
- directive: ScriptSrc
values:
- https://script1.com/
expectedError: "spec.contentSecurityPolicy[1]: Duplicate value: map[string]interface {}{\"directive\":\"ScriptSrc\"}"
- name: Should throw an error for duplicate CSP directive values
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- https://script1.com/
- https://script1.com/
expectedError: "spec.contentSecurityPolicy[0].values: Invalid value: \"array\": each CSP directive value must be unique"
- name: Should throw an error for incorrect directive type
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: TestSrc
values:
- https://script1.com/
expectedError: "spec.contentSecurityPolicy[0].directive: Unsupported value: \"TestSrc\": supported values: \"DefaultSrc\", \"ScriptSrc\", \"StyleSrc\", \"ImgSrc\", \"FontSrc\""
- name: Should throw an error for invalid CSP directive values, using wildcard
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- "*"
expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot be a wildcard"
- name: Should be able to create a ConsolePlugin with valid CSP value, using domain with wildcard prefix
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- "*.example.com"
expected: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- "*.example.com"
- name: Should throw an error for invalid CSP directive values, starting and ending with quotes
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- "'none'"
expectedError: "\"string\": CSP directive value cannot contain a quote"
- name: Should throw an error for invalid CSP directive values with quote
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- "foo'bar"
expectedError: "\"string\": CSP directive value cannot contain a quote"
- name: Should throw an error for invalid CSP directive values with comma
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- "foo,bar"
expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a comma"
- name: Should throw an error for invalid CSP directive values with semi-colon
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- "foo;bar"
expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a semi-colon"
- name: Should throw an error for invalid CSP directive values with whitespace, using space
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- https://scr ipt1.com/
expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a whitespace"
- name: Should throw an error for invalid CSP directive values with whitespace, using tab
initial: |
apiVersion: console.openshift.io/v1
kind: ConsolePlugin
spec:
displayName: foo
backend:
type: Service
contentSecurityPolicy:
- directive: ScriptSrc
values:
- https://scri pt1.com/
expectedError: "spec.contentSecurityPolicy[0].values[0]: Invalid value: \"string\": CSP directive value cannot contain a whitespace"
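Review bot: the two quote cases (`'none'` and `foo'bar`) assert only on the suffix `"string": CSP directive value cannot contain a quote`, whereas every other negative case in this hunk pins the full field path (`spec.contentSecurityPolicy[0].values[0]: Invalid value: ...`); use the same full prefix in those two `expectedError` strings so a regression that reports the quote error against the wrong field or index is still caught. Separately, the "using tab" case puts a run of spaces in `https://scri pt1.com/`, so it duplicates the preceding space case instead of exercising a tab; quote the scalar and write `"https://scri\tpt1.com/"` so YAML decodes a real tab character.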
Comment on lines +264 to +275
⚠️ Potential issue | 🟡 Minor

Test description says “tab” but the value uses spaces.
Either use an actual tab (escaped) or rename the test to “spaces” to avoid confusion.

🔧 Suggested fix (use a tab escape)
-    - name: Should throw an error for invalid CSP directive values with whitespace, using tab
+    - name: Should throw an error for invalid CSP directive values with whitespace, using tab
       initial: |
         apiVersion: console.openshift.io/v1
         kind: ConsolePlugin
         spec:
           displayName: foo
           backend:
             type: Service
           contentSecurityPolicy:
           - directive: ScriptSrc
             values:
-            - https://scri    pt1.com/
+            - "https://scri\tpt1.com/"
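Review bot: the first `-`/`+` pair in this suggestion removes and re-adds an identical `- name:` line, so the only effective change is the value line; that part is right, since `\t` inside a double-quoted YAML scalar is decoded to a literal tab, which makes the input match the test name without touching `expectedError`.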
🤖 Prompt for AI Agents
In `@console/v1/tests/consoleplugins.console.openshift.io/AAA_ungated.yaml` around lines 264 - 275, the test text and value are inconsistent: the test claims a “tab” but the CSP value uses spaces; update the YAML so spec.contentSecurityPolicy[0].values[0] contains an actual tab character (escape it) in the URI (replace the series of spaces in the initial block value "https://scri    pt1.com/" with a single \t where intended) or alternatively rename the test description from “tab” to “spaces” so it accurately reflects the current input; ensure you only modify the initial block value or the test name and keep the expectedError unchanged.

This file was deleted.

1 change: 0 additions & 1 deletion console/v1/types_console_plugin.go
Expand Up @@ -90,7 +90,6 @@ type ConsolePluginSpec struct {
// OpenShift web console server CSP response header:
// Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self' https://script1.com/ https://script2.com/ https://script3.com/; font-src 'self' https://font1.com/ https://font2.com/; img-src 'self' https://img1.com/; style-src 'self'; frame-src 'none'; object-src 'none'
//
// +openshift:enable:FeatureGate=ConsolePluginContentSecurityPolicy
// +kubebuilder:validation:MaxItems=5
// +kubebuilder:validation:XValidation:rule="self.map(x, x.values.map(y, y.size()).sum()).sum() < 8192",message="the total combined size of values of all directives must not exceed 8192 (8kb)"
// +listType=map
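Review bot: deleting the `+openshift:enable:FeatureGate=ConsolePluginContentSecurityPolicy` marker ungates `contentSecurityPolicy` for every cluster, so the adjacent `MaxItems=5` and the 8192-byte total-size XValidation rule become the only server-side guard on what the console will emit into its `Content-Security-Policy` header. Only the marker deletion is visible in this hunk; make sure the generated CRD manifests are regenerated in the same change, and note that none of the cases added to `AAA_ungated.yaml` exercises either limit (no six-directive case, no values list whose combined size exceeds 8192), so those two rules are still untested after the gate is gone.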