
added fedramp specific PKO templates#372

Open
fsferraz-rh wants to merge 7 commits intoopenshift:mainfrom
fsferraz-rh:HCMSEC-2912-add-fedramp-pko-templates

Conversation

@fsferraz-rh

@fsferraz-rh fsferraz-rh commented Apr 2, 2026

added fedramp specific PKO templates

HCMSEC-2912

Summary by CodeRabbit

  • New Features

    • Added FedRAMP-compliant deployment templates for AWS VPCE Operator, supporting high-security cluster configurations.
    • Introduced cluster selector-based deployment strategies enabling targeted rollouts to HyperShift and managed cluster environments.
  • Chores

    • Updated resource application modes in deployment templates to improve consistency and reliability during infrastructure updates.

@openshift-ci

openshift-ci bot commented Apr 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fsferraz-rh
Once this PR has been reviewed and has the lgtm label, please assign rafael-azevedo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai bot commented Apr 2, 2026

Warning

Rate limit exceeded

@fsferraz-rh has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 58 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 2 minutes and 58 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 61a23b2 and bc09b8e.

⛔ Files ignored due to path filters (6)
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/README.md is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/ensure.sh is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**
📒 Files selected for processing (4)
  • OWNERS_ALIASES
  • build/Dockerfile
  • build/Dockerfile.olm-registry
  • hack/pko/clusterpackage-fedramp.yaml

Walkthrough

Adds two OpenShift Template manifests that render a templated ClusterPackage (with PKO and operator image params) and three SelectorSyncSet resources targeting FedRAMP and HyperShift clusters; also updates resourceApplyMode values in an OLM artifacts template.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| **FedRAMP Hive Template**<br>`hack/pko/clusterpackage-fedramp-hive.yaml` | Adds `fr-high-template` (kind: Template) with parameters (PKO_IMAGE, OPERATOR_IMAGE, IMAGE_TAG, IMAGE_DIGEST, REPO_NAME, DISPLAY_NAME, NAMESPACE) that instantiates a `package-operator.run/v1alpha1` ClusterPackage named `${REPO_NAME}` and wires `spec.image`/`spec.config.image` to the templated PKO/operator images. |
| **FedRAMP SelectorSyncSet Template**<br>`hack/pko/clusterpackage-fedramp.yaml` | Adds `selectorsyncset-template` (kind: Template) with parameters (CHANNEL, IMAGE_TAG, IMAGE_DIGEST, REPO_NAME, DISPLAY_NAME, PKO_IMAGE, OPERATOR_IMAGE) producing three `hive.openshift.io/v1` SelectorSyncSet objects targeting FedRAMP and HyperShift subsets; they apply ClusterPackage manifests (templated images) and one applies an `avo-config` ConfigMap for VPC endpoint feature flags. |
| **OLM artifacts template**<br>`hack/olm-registry/olm-artifacts-template.yaml` | Updates `resourceApplyMode` values (changed from `Sync` to `Upsert`) in one or more SelectorSyncSet blocks; `applyBehavior: CreateOrUpdate` remains unchanged. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'added fedramp specific PKO templates' directly and accurately summarizes the main change: adding FedRAMP-specific Package Operator templates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Stable And Deterministic Test Names | ✅ Passed | The custom check for stable and deterministic Ginkgo test names is not applicable to this pull request. The PR exclusively modifies YAML manifest files for Kubernetes/OpenShift configurations. No Go test files or Ginkgo test definitions are included in the changes. |
| Test Structure And Quality | ✅ Passed | The custom check for Ginkgo test structure and quality is not applicable to this pull request because the PR modifies only YAML template files and does not include any changes to Ginkgo test code. |
| Microshift Test Compatibility | ✅ Passed | PR modifies only Kubernetes manifest template YAML files with no Ginkgo e2e test additions. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR modifies only YAML Kubernetes template files in the hack/ directory and does not add or modify any Ginkgo e2e tests. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | New FedRAMP templates and OLM artifact modifications do not introduce topology-breaking scheduling constraints; uses safe soft affinity rules. |
| Ote Binary Stdout Contract | ✅ Passed | The OTE Binary Stdout Contract check is not applicable to this PR as only YAML manifest files were modified, not Go source code. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The PR modifies only YAML manifest files, not new Ginkgo e2e test files. The custom check for IPv6 and disconnected network test compatibility does not apply. |



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/pko/clusterpackage-fedramp-hive.yaml`:
- Around line 13-14: The template defines parameters IMAGE_DIGEST and NAMESPACE
that are unused: either remove the IMAGE_DIGEST and NAMESPACE parameter entries
or wire NAMESPACE into the CredentialsRequest resources instead of the hardcoded
openshift-${REPO_NAME}; also remove the required: true flag from IMAGE_DIGEST if
you keep it but leave it optional. Locate the parameter block (IMAGE_DIGEST,
NAMESPACE) and the CredentialsRequest resource definitions (references to
openshift-${REPO_NAME}) and either delete the unused parameter(s) or replace the
hardcoded namespace with ${NAMESPACE} and ensure IMAGE_DIGEST is referenced
where intended or its required flag removed.

In `@hack/pko/clusterpackage-fedramp.yaml`:
- Around line 7-12: The parameters CHANNEL and IMAGE_DIGEST are declared with
required: true but not used; remove or make them optional, or wire them into the
template where images are defined. Either delete the CHANNEL and IMAGE_DIGEST
parameter blocks (or set required: false) or update the image template
references (e.g., replace image references that currently use IMAGE_TAG with a
digest form like ${PKO_IMAGE}@${IMAGE_DIGEST} or incorporate ${CHANNEL} into
image names/tags) so the declared symbols CHANNEL and IMAGE_DIGEST are actually
referenced by the template objects.


📥 Commits

Reviewing files that changed from the base of the PR and between f3f44a6 and 0166f2d.

📒 Files selected for processing (2)
  • hack/pko/clusterpackage-fedramp-hive.yaml
  • hack/pko/clusterpackage-fedramp.yaml

@codecov-commenter

codecov-commenter commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.69%. Comparing base (f3f44a6) to head (bc09b8e).
⚠️ Report is 2 commits behind head on main.


```text
@@           Coverage Diff           @@
##             main     #372   +/-   ##
=======================================
  Coverage   40.69%   40.69%
=======================================
  Files          32       32
  Lines        2106     2106
=======================================
  Hits          857      857
  Misses       1145     1145
  Partials      104      104
```

@fsferraz-rh fsferraz-rh marked this pull request as draft April 7, 2026 16:16
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 7, 2026
@fsferraz-rh fsferraz-rh marked this pull request as ready for review April 15, 2026 20:55
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 15, 2026
@fsferraz-rh

/retest

@openshift-ci openshift-ci bot requested review from joshbranham and reedcort April 15, 2026 20:56

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/pko/clusterpackage-fedramp.yaml`:
- Around line 141-145: The ConfigMap resource "avo-config" currently hardcodes
the namespace "openshift-aws-vpce-operator"; change it to use the template
parameter (e.g. ${REPO_NAME}) so the namespace follows the rest of the package
parameterization. Locate the "kind: ConfigMap" block for avo-config and replace
the literal namespace value with the repository namespace variable used
elsewhere in this YAML/template so the ConfigMap lands in the correct namespace
when REPO_NAME is overridden.


📥 Commits

Reviewing files that changed from the base of the PR and between 92a5f89 and 61a23b2.

📒 Files selected for processing (3)
  • hack/olm-registry/olm-artifacts-template.yaml
  • hack/pko/clusterpackage-fedramp-hive.yaml
  • hack/pko/clusterpackage-fedramp.yaml

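The CodeRabbit findings above (parameters declared `required: true` but never referenced, and an `avo-config` ConfigMap with a literal namespace where the rest of the template uses `${REPO_NAME}`) are the kind of template hygiene a pre-merge lint can catch mechanically. The checker below is an added example, not code from this PR or the aws-vpce-operator project; the template dict is constructed to mirror the shape the review describes, with the parameter names and the `openshift-aws-vpce-operator` namespace taken from the review comments, and it also accepts the `${{NAME}}` non-string reference form that OpenShift Templates allow.

```python
import json
import re

# OpenShift Template parameter references look like ${NAME} or ${{NAME}}.
PARAM_REF = re.compile(r"\$\{\{?([A-Za-z_][A-Za-z0-9_]*)\}\}?")

# Constructed template mirroring the shape the review describes (not the PR's file):
# CHANNEL and IMAGE_DIGEST are required but never referenced, and the avo-config
# ConfigMap carries a literal namespace instead of a parameterised one.
TEMPLATE = {
    "parameters": [{"name": n, "required": True} for n in
                   ("CHANNEL", "IMAGE_TAG", "IMAGE_DIGEST", "REPO_NAME", "PKO_IMAGE")],
    "objects": [{
        "kind": "SelectorSyncSet",
        "metadata": {"name": "${REPO_NAME}-fedramp"},
        "spec": {"resourceApplyMode": "Upsert", "resources": [
            {"kind": "ClusterPackage", "metadata": {"name": "${REPO_NAME}"},
             "spec": {"image": "${PKO_IMAGE}:${IMAGE_TAG}"}},
            {"kind": "ConfigMap", "metadata": {"name": "avo-config",
                                                "namespace": "openshift-aws-vpce-operator"}},
        ]},
    }],
}

def unused_parameters(template):
    """Return (name, required) for each declared parameter that no object references."""
    referenced = set(PARAM_REF.findall(json.dumps(template.get("objects", []))))
    return [(p["name"], bool(p.get("required", False)))
            for p in template.get("parameters", []) if p["name"] not in referenced]

def _walk(node):
    """Yield every mapping nested anywhere under node (objects, specs, resources...)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)

def hardcoded_namespaces(template):
    """Return (kind, name, namespace) for resources whose namespace is a plain literal."""
    found = []
    for obj in _walk(template.get("objects", [])):
        meta = obj.get("metadata") if "kind" in obj else None
        ns = meta.get("namespace") if isinstance(meta, dict) else None
        if isinstance(ns, str) and not PARAM_REF.search(ns):
            found.append((obj["kind"], meta.get("name", ""), ns))
    return found
```

A required-but-unused parameter is not just clutter: `oc process` will refuse to render the template unless a value is supplied, so every caller must pass a value that has no effect.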
@fsferraz-rh

/retest-required

@openshift-ci

openshift-ci bot commented Apr 15, 2026

@fsferraz-rh: all tests passed!

