OCPBUGS-69447: feat(updates): enable CVO metrics access with RHOBS monitoring flag

[Chee-Lu]

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

Aldo add --cvo-prometheus-url flag to allow overriding the default Prometheus endpoint. This provides flexibility for future changes (e.g., if ROSA changes the service name) or for platforms with different monitoring architectures (e.g., ARO HCP's self-managed Prometheus). When not specified, platform-appropriate defaults are used.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift or ARP HCP): https://thanos-querier.openshift-monitoring.svc:9092
• Custom URL: Configurable via --cvo-prometheus-url parameter

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift or ARO HCP) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Add --cvo-prometheus-url flag to configure CVO Prometheus endpoint

Which issue(s) this PR fixes:

fixes https://issues.redhat.com//browse/OCM-10395
fixes https://issues.redhat.com//browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.17.z, 4.18.z, 4.19.z, 4.20.z and 4.21.z to benefit customers on that version.

[openshift-ci-robot]

@Chee-Lu: This pull request references OCM-10395 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Flag description updated to document automatic CVO metrics access behavior
• Flags remain mutually exclusive to prevent misconfiguration

Which issue(s) this PR fixes:

fixes https://issues.redhat.com/browse/OCM-10395
fixes https://issues.redhat.com/browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.21 to benefit customers upgrading to that version. A corresponding OCPBUGS ticket will be created to track the backport. Please let me know if I should do it and if there is any guidance about that.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

Walkthrough

Adds RHOBS monitoring gating, ROSA HCP detection, and RHOBS Prometheus URL propagation: introduces awsutil.IsROSAHCP, a new --rhobs-prometheus-url install flag and env var, conditionally enables CVO metrics access with dynamic metrics URL/TLS, and adjusts Metrics Server network policy egress target based on RHOBS enablement and HCP type.

Changes

Cohort / File(s)	Summary
Install flags & operator asset cmd/install/install.go, cmd/install/assets/hypershift_operator.go	Adds RHOBSPrometheusURL string to installer Options and HyperShiftOperatorDeployment; new CLI flag --rhobs-prometheus-url wired to it; when set, the operator deployment build injects env var RHOBS_PROMETHEUS_URL.
CVO deployment metrics config control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go	Adds gating for CVO metrics access via RHOBS env/flag or explicit flag; imports os, awsutil, rhobsmonitoring; when enabled sets metrics label/service account, appends --use-dns-for-services, and conditionally configures metrics URL and TLS: RHOBS+ROSA → HTTP no-TLS to RHOBS Prometheus; otherwise → HTTPS to Thanos querier with CA bundle.
Metrics Server network policy hypershift-operator/controllers/hostedcluster/network_policies.go	Adds RHOBS env flag handling and uses awsutil.IsROSAHCP; reconcileNetworkPolicies computes enableMetricsAccess; signature change reconcileMetricsServerNetworkPolicy(..., hcp *hyperv1.HostedControlPlane) and builds conditional egress: port 9090 to openshift-observability-operator (RHOBS/ROSA) or port 9092 to openshift-monitoring (Thanos).
AWS platform utility & tests support/awsutil/platform.go, support/awsutil/platform_test.go	Adds exported IsROSAHCP(hcp *hyperv1.HostedControlPlane) bool detecting ROSA via AWS ResourceTags (red-hat-managed=true) and accompanying TestIsROSAHCP covering various tag/platform scenarios.
RHOBS monitoring constants support/rhobsmonitoring/scheme.go	Adds public env var constant PrometheusURLEnvVar set to RHOBS_PROMETHEUS_URL.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@Chee-Lu: This pull request references OCM-10395 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Flag description updated to document automatic CVO metrics access behavior
• Flags remain mutually exclusive to prevent misconfiguration

Which issue(s) this PR fixes:

fixes https://issues.redhat.com/browse/OCM-10395
fixes https://issues.redhat.com/browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.21 to benefit customers upgrading to that version. A corresponding OCPBUGS ticket will be created to track the backport. Please let me know if I should do it and if there is any guidance about that.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@Chee-Lu: This pull request references OCM-10395 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Flag description updated to document automatic CVO metrics access behavior
• Flags remain mutually exclusive to prevent misconfiguration

Which issue(s) this PR fixes:

fixes https://issues.redhat.com//browse/OCM-10395
fixes https://issues.redhat.com//browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.21 to benefit customers upgrading to that version. A corresponding OCPBUGS ticket will be created to track the backport. Please let me know if I should do it and if there is any guidance about that.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Chee-Lu]

/auto-cc

[openshift-ci]

Hi @Chee-Lu. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@Chee-Lu: This pull request references OCM-10395 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Flag description updated to document automatic CVO metrics access behavior
• Flags remain mutually exclusive to prevent misconfiguration

Which issue(s) this PR fixes:

fixes https://issues.redhat.com//browse/OCM-10395
fixes https://issues.redhat.com//browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.21 to benefit customers upgrading to that version. A corresponding OCPBUGS ticket will be created to track the backport. Please let me know if I should do it and if there is any guidance about that.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@Chee-Lu: This pull request references OCM-10395 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Flag description updated to document automatic CVO metrics access behavior
• Flags remain mutually exclusive to prevent misconfiguration

Which issue(s) this PR fixes:

fixes https://issues.redhat.com//browse/OCM-10395
fixes https://issues.redhat.com//browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.x to benefit customers upgrading to that version. A corresponding OCPBUGS ticket will be created to track the backport. Please let me know if I should do it and if there is any guidance about that.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sdminonne]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go (1)

102-119: Consider extracting duplicate enableMetricsAccess check.

The enableMetricsAccess variable is computed identically on lines 33 and 103. Consider computing it once at the function start and reusing it to reduce duplication.

The conditional metrics URL configuration looks correct, routing to the appropriate monitoring endpoint (RHOBS Prometheus vs CoreOS Thanos) with the correct protocols.

Apply this diff to eliminate the duplicate check:

 func (cvo *clusterVersionOperator) adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Deployment) error {
+	// Enable CVO metrics access if either RHOBS monitoring is enabled or the explicit flag is set
+	enableMetricsAccess := os.Getenv(rhobsmonitoring.EnvironmentVariable) == "1" || cvo.enableCVOManagementClusterMetricsAccess
+
-	// Enable CVO metrics access if either RHOBS monitoring is enabled or the explicit flag is set
-	enableMetricsAccess := os.Getenv(rhobsmonitoring.EnvironmentVariable) == "1" || cvo.enableCVOManagementClusterMetricsAccess
-
 	if enableMetricsAccess {
 		if deployment.Spec.Template.Labels == nil {
 			deployment.Spec.Template.Labels = map[string]string{}
 		}
 		deployment.Spec.Template.Labels[config.NeedMetricsServerAccessLabel] = "true"
 		deployment.Spec.Template.Spec.ServiceAccountName = ComponentName
 	}
 
 	featureSet := configv1.Default
 	if cpContext.HCP.Spec.Configuration != nil && cpContext.HCP.Spec.Configuration.FeatureGate != nil {
 		featureSet = cpContext.HCP.Spec.Configuration.FeatureGate.FeatureSet
 	}
 
 	// ... (rest of the function)
 
 	util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
 		util.UpsertEnvVar(c, corev1.EnvVar{
 			Name:  "RELEASE_IMAGE",
 			Value: dataPlaneReleaseImage,
 		})
 
 		if updateService := cpContext.HCP.Spec.UpdateService; updateService != "" {
 			c.Args = append(c.Args, "--update-service", string(updateService))
 		}
 
-		// Enable CVO metrics access if either RHOBS monitoring is enabled or the explicit flag is set
-		enableMetricsAccess := os.Getenv(rhobsmonitoring.EnvironmentVariable) == "1" || cvo.enableCVOManagementClusterMetricsAccess
-
 		if enableMetricsAccess {
 			c.Args = append(c.Args, "--use-dns-for-services=true")
 
 			// Configure metrics endpoint based on monitoring stack
 			var metricsURL string
 			if os.Getenv(rhobsmonitoring.EnvironmentVariable) == "1" {
 				// RHOBS Prometheus uses HTTP without TLS
 				metricsURL = fmt.Sprintf("http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090?namespace=%s", cpContext.HCP.Namespace)
 			} else {
 				// CoreOS Thanos uses HTTPS with service CA
 				c.Args = append(c.Args, "--metrics-ca-bundle-file=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt")
 				metricsURL = fmt.Sprintf("https://thanos-querier.openshift-monitoring.svc:9092?namespace=%s", cpContext.HCP.Namespace)
 			}
 			c.Args = append(c.Args, fmt.Sprintf("--metrics-url=%s", metricsURL))
 		}
 	})
 
 	return nil
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 400c97a and 221e4a2.

📒 Files selected for processing (3)

• cmd/install/install.go (1 hunks)
• control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go (4 hunks)
• hypershift-operator/controllers/hostedcluster/network_policies.go (3 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• cmd/install/install.go
• control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go
• hypershift-operator/controllers/hostedcluster/network_policies.go

🔇 Additional comments (4)

cmd/install/install.go (1)

272-272: LGTM: Documentation clarifies RHOBS monitoring behavior.

The updated flag description accurately reflects the additional CVO metrics access capability enabled when --rhobs-monitoring is set.

control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go (1)

32-41: LGTM: Metrics access properly gated.

The logic correctly enables metrics access when either RHOBS monitoring is active (via environment variable) or the explicit flag is set. The label and service account configuration support the network policy egress rules.

hypershift-operator/controllers/hostedcluster/network_policies.go (2)

88-97: LGTM: Metrics access network policy properly gated.

The logic correctly creates the metrics server network policy when either RHOBS monitoring is active or the explicit flag is set, consistent with the CVO deployment configuration.

---

836-910: LGTM: Network policy properly routes to monitoring stack.

The refactored function correctly creates egress rules based on the monitoring stack:

• RHOBS: targets OBO Prometheus (port 9090)
• CoreOS: targets Thanos Querier (port 9092)

This aligns with the CVO deployment changes that configure the corresponding metrics URLs. The pod and namespace selectors appropriately identify the monitoring components.

[openshift-ci-robot]

@Chee-Lu: This pull request references Jira Issue OCPBUGS-69447, which is invalid:

• expected the bug to target only the "4.22.0" version, but multiple target versions were set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift): https://thanos-querier.openshift-monitoring.svc:9092

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Flag description updated to document automatic CVO metrics access behavior
• Flags remain mutually exclusive to prevent misconfiguration

Which issue(s) this PR fixes:

fixes https://issues.redhat.com//browse/OCM-10395
fixes https://issues.redhat.com//browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.x to benefit customers upgrading to that version. A corresponding OCPBUGS ticket will be created to track the backport. Please let me know if I should do it and if there is any guidance about that.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Chee-Lu]

/jira refresh

[Chee-Lu]

Hi @celebdor @csrwng, all tests for this PR have passed! Could you PTAL if we need an ok-to-test or an approval before it can be merged?

[tdrozdowski]

Hi @celebdor @csrwng, all tests for this PR have passed! Could you PTAL if we need an ok-to-test or an approval before it can be merged?

@celebdor / @csrwng - just a bump on this after the weekend. thx.

[celebdor]

/verified by @Chee-Lu

[openshift-ci-robot]

@celebdor: This PR has been marked as verified by @Chee-Lu.

Details

In response to this:

/verified by @Chee-Lu

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[celebdor]

/ok-to-test

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD a8694da and 2 for PR HEAD 7932939 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD b746f4e and 1 for PR HEAD 7932939 in total

[Chee-Lu]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 825484e and 0 for PR HEAD 7932939 in total

[openshift-ci-robot]

/hold

Revision 7932939 was retested 3 times: holding

[Chee-Lu]

/retest-required

[celebdor]

/test e2e-aws-4-21

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 825484e and 2 for PR HEAD 7932939 in total

[openshift-ci]

@Chee-Lu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@Chee-Lu: Jira Issue Verification Checks: Jira Issue OCPBUGS-69447
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-69447 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

What this PR does:

When --rhobs-monitoring=true is set (for ROSA HCP), enable CVO access to OBO Prometheus for conditional update risk evaluation.

Aldo add --cvo-prometheus-url flag to allow overriding the default Prometheus endpoint. This provides flexibility for future changes (e.g., if ROSA changes the service name) or for platforms with different monitoring architectures (e.g., ARO HCP's self-managed Prometheus). When not specified, platform-appropriate defaults are used.

The CVO deployment logic routes to different metrics endpoints based on the monitoring stack:

• RHOBS stack (ROSA HCP): http://hypershift-monitoring-stack-prometheus.openshift-observability-operator.svc:9090
• CoreOS stack (Self-managed HyperShift on OpenShift or ARP HCP): https://thanos-querier.openshift-monitoring.svc:9092
• Custom URL: Configurable via --cvo-prometheus-url parameter

Key changes:

• CVO deployment enables metrics access when either --rhobs-monitoring (for ROSA HCP) or --enable-cvo-management-cluster-metrics-access (for self-managed HyperShift on OpenShift or ARO HCP) is set
• Network policies updated to allow egress to the appropriate monitoring endpoint based on stack configuration
• Add --cvo-prometheus-url flag to configure CVO Prometheus endpoint

Which issue(s) this PR fixes:

fixes https://issues.redhat.com//browse/OCM-10395
fixes https://issues.redhat.com//browse/OCM-20970

Special notes for your reviewer:

Backport Requirements

This change should be backported to 4.17.z, 4.18.z, 4.19.z, 4.20.z and 4.21.z to benefit customers on that version.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@celebdor: new pull request created: #7632

Details

In response to this:

/cherry-pick release-4.21 release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[gaol]

/cherry-pick release-4.20

[openshift-cherrypick-robot]

@gaol: new pull request created: #7660

Details

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

Fix included in accepted release 4.22.0-0.nightly-2026-02-08-124411