
EC-1694: feat(olm): add date-based FIPS annotation exemption for legacy bundles #1703

Open
robnester-rh wants to merge 1 commit into conforma:main from robnester-rh:EC-1694

Conversation

@robnester-rh
Contributor

Summary

  • Add date-based FIPS annotation exemption for OLM bundles created before January 31, 2025
  • Uses the CSV's createdAt annotation to determine bundle creation date
  • Includes warning message when createdAt has invalid RFC3339 format (fail closed for security)
  • Configurable cutoff date via fips_exempt_created_before rule_data

Background

Per EC-1694, bundles created before the FIPS compliance requirement date should be exempt from the FIPS annotation check. The implementation uses date-based exemption (via createdAt annotation) rather than OCP version-based exemption, since the FIPS requirement applies to all OCP versions.

Test plan

  • Bundle created before cutoff is exempt
  • Bundle created after cutoff is NOT exempt
  • Bundle without createdAt annotation is NOT exempt
  • Only FIPS annotation is exempt; other annotations still checked
  • Bundle created exactly on cutoff is NOT exempt
  • Invalid date format fails closed with warning message
  • Timezone handling works correctly
  • Default cutoff date from rule_data.rego works
  • All 37 OLM tests pass
  • make fmt passes
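
The exemption decision described in the summary and test plan, as an added Go illustration rather than the project's Rego or any code from this PR: it also applies the two points CodeRabbit raises further down (validating the fips_exempt_created_before value explicitly, and keeping a missing createdAt distinct from a present-but-empty one). ParseCutoff, FipsExempt and the status strings are assumed names; the annotation in main is a constructed sample.

```go
package main

import (
	"fmt"
	"time"
)

// Outcome of inspecting the CSV createdAt annotation (constructed names for this
// example, not identifiers from the policy).
const (
	CreatedAtMissing   = "missing"   // annotation absent: not exempt, no warning
	CreatedAtMalformed = "malformed" // present but not RFC3339: not exempt, warn
	CreatedAtValid     = "valid"
)

// ParseCutoff validates the fips_exempt_created_before rule-data value. A missing,
// non-string or unparsable cutoff is a configuration error, not a silent non-exemption.
func ParseCutoff(v any) (time.Time, error) {
	s, ok := v.(string)
	if !ok || s == "" {
		return time.Time{}, fmt.Errorf("fips_exempt_created_before must be a non-empty RFC3339 string")
	}
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		return time.Time{}, fmt.Errorf("fips_exempt_created_before %q is not RFC3339: %w", s, err)
	}
	return t.UTC(), nil
}

// FipsExempt reports whether the FIPS annotation check may be skipped for a CSV.
// Missing and malformed createdAt both fail closed (no exemption) but stay distinct
// so the caller warns only on the malformed case. Exemption needs createdAt strictly
// before the cutoff; time.Before compares instants, so UTC offsets are normalized.
func FipsExempt(annotations map[string]string, cutoff time.Time) (bool, string) {
	raw, present := annotations["createdAt"]
	if !present {
		return false, CreatedAtMissing
	}
	created, err := time.Parse(time.RFC3339, raw)
	if err != nil { // also covers an empty string
		return false, CreatedAtMalformed
	}
	return created.Before(cutoff), CreatedAtValid
}

func main() {
	cutoff, _ := ParseCutoff("2025-01-31T00:00:00Z") // the PR's rule_data default
	exempt, status := FipsExempt(map[string]string{"createdAt": "2025-01-30T19:00:00-05:00"}, cutoff) // constructed sample
	fmt.Printf("exempt=%t status=%s\n", exempt, status) // exempt=false status=valid
}
```

The sample timestamp is midnight UTC on the cutoff day written in -05:00, so it lands exactly on the cutoff and is correctly not exempt.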

@coderabbitai

coderabbitai bot commented Mar 25, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between a962436 and 87acc79.

📒 Files selected for processing (6)
  • antora/docs/modules/ROOT/pages/packages/release_olm.adoc
  • antora/docs/modules/ROOT/pages/release_policy.adoc
  • antora/docs/modules/ROOT/partials/release_policy_nav.adoc
  • policy/lib/rule_data/rule_data.rego
  • policy/release/olm/olm.rego
  • policy/release/olm/olm_test.rego
✅ Files skipped from review due to trivial changes (4)
  • antora/docs/modules/ROOT/partials/release_policy_nav.adoc
  • antora/docs/modules/ROOT/pages/release_policy.adoc
  • policy/lib/rule_data/rule_data.rego
  • policy/release/olm/olm_test.rego
🚧 Files skipped from review as they are similar to previous changes (1)
  • antora/docs/modules/ROOT/pages/packages/release_olm.adoc

Walkthrough

Adds RFC3339 validation for CSV metadata.annotations.createdAt, a new warning rule olm.malformed_created_at, legacy-FIPS exemption logic based on a cutoff date (default 2025-01-31T00:00:00Z), rule-data default, tests covering exemption/malformed cases, and docs/navigation/source-link updates.

Changes

  • Documentation (antora/docs/modules/ROOT/pages/packages/release_olm.adoc, antora/docs/modules/ROOT/pages/release_policy.adoc, antora/docs/modules/ROOT/partials/release_policy_nav.adoc): Added olm__malformed_created_at warning entry and xref/navigation; adjusted OLM rule “Source” link line numbers.
  • Policy Logic (policy/release/olm/olm.rego): Added RFC3339 parsing helper (_parse_rfc3339_safe), date compare helpers (_date_before_cutoff, _fips_exempt_legacy_bundle), guard to skip FIPS value check for legacy bundles, _rule_data_errors validation for fips_exempt_created_before, and new warn rule olm.malformed_created_at.
  • Tests (policy/release/olm/olm_test.rego): Added tests exercising FIPS exemption behavior vs. cutoff, malformed/empty timestamps producing warnings and deny behavior, timezone normalization, and scoping of exemption to the FIPS feature annotation.
  • Rule-data Defaults (policy/lib/rule_data/rule_data.rego): Added default fips_exempt_created_before = "2025-01-31T00:00:00Z".

Sequence Diagram

sequenceDiagram
    participant CSV as ClusterServiceVersion
    participant Parser as RFC3339 Parser
    participant Config as Rule-data (cutoff)
    participant Policy as OLM Policy

    CSV->>Parser: read metadata.annotations.createdAt
    Parser-->>CSV: parsed timestamp / null
    alt parsed == null
        Policy->>CSV: emit olm.malformed_created_at (warn)
        Policy->>Policy: treat as non-exempt → enforce FIPS check
    else parsed valid
        Parser->>Config: request fips_exempt_created_before
        Config-->>Policy: return cutoff timestamp
        Policy->>Parser: compare createdAt vs cutoff
        alt createdAt < cutoff
            Policy-->>CSV: mark as FIPS-exempt (skip FIPS-value check)
        else
            Policy-->>CSV: enforce FIPS feature annotation requirement
        end
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Pre-merge checks: 3 passed

  • Title check: Passed. The title clearly and specifically describes the main change: adding a date-based FIPS annotation exemption for legacy OLM bundles with a specific cutoff date.
  • Description check: Passed. The description is well-detailed and directly related to the changeset, explaining the purpose, implementation approach, background, and comprehensive test plan for the FIPS exemption feature.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@policy/release/olm/olm.rego`:
- Around line 679-695: The current logic silently treats an invalid
lib.rule_data("fips_exempt_created_before") as non-parsable and simply causes
the exemption to be false; instead, add explicit validation for the cutoff
value: in _fips_exempt_legacy_bundle (which currently reads cutoff_date :=
lib.rule_data("fips_exempt_created_before")), assert cutoff_date is a non-empty
string and that _parse_rfc3339_safe(cutoff_date) returns a non-null value before
calling _date_before_cutoff; if parsing fails, emit an explicit configuration
error (e.g., a clear deny or config validation rule) referencing the bad
override so misconfiguration surfaces immediately rather than silently disabling
the exemption.
- Around line 115-117: The rule currently uses created_at :=
object.get(manifest.metadata.annotations, _created_at_annotation, "") which
conflates a missing annotation and an explicitly empty string; change the lookup
to use a null default (e.g. created_at :=
object.get(manifest.metadata.annotations, _created_at_annotation, null)) and
then require that created_at is not null (annotation present) before validating
its format with _parse_rfc3339_safe(created_at) == null so that
present-but-empty values trigger the olm.malformed_created_at warning while
genuinely-missing annotations are treated separately.

📥 Commits

Reviewing files that changed from the base of the PR and between f9daefc and 661b08e.

📒 Files selected for processing (6)
  • antora/docs/modules/ROOT/pages/packages/release_olm.adoc
  • antora/docs/modules/ROOT/pages/release_policy.adoc
  • antora/docs/modules/ROOT/partials/release_policy_nav.adoc
  • policy/lib/rule_data.rego
  • policy/release/olm/olm.rego
  • policy/release/olm/olm_test.rego

@robnester-rh robnester-rh force-pushed the EC-1694 branch 3 times, most recently from 3b484de to ed52aab (March 25, 2026 18:53)
@codecov

codecov bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

File                                  Coverage   Patch       Δ
policy/lib/rule_data/rule_data.rego   100.00%    <ø>         (ø)
policy/release/olm/olm.rego           100.00%    <100.00%>   (ø)
policy/release/olm/olm_test.rego      100.00%    <100.00%>   (ø)

@robnester-rh robnester-rh force-pushed the EC-1694 branch 3 times, most recently from a962436 to aa6b359 (March 26, 2026 13:31)
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@policy/release/olm/olm.rego`:
- Around line 407-414: The rule iterates "some path, manifest in
input.image.files" and hard-codes endswith(path, ".yaml"), bypassing the
existing CSV manifest selector and causing inconsistent warnings; update the
comprehension to iterate the canonical CSV manifest collection (use
_csv_manifests as the source instead of input.image.files) and drop the
hard-coded ".yaml" path check so the rule only evaluates manifests already
selected/filtered by _csv_manifests (leave the remaining logic using
manifest.metadata.annotations, _parse_rfc3339_safe(created_at), and
metadata.result_helper intact).

📥 Commits

Reviewing files that changed from the base of the PR and between d2284b4 and a962436.

📒 Files selected for processing (6)
  • antora/docs/modules/ROOT/pages/packages/release_olm.adoc
  • antora/docs/modules/ROOT/pages/release_policy.adoc
  • antora/docs/modules/ROOT/partials/release_policy_nav.adoc
  • policy/lib/rule_data/rule_data.rego
  • policy/release/olm/olm.rego
  • policy/release/olm/olm_test.rego
✅ Files skipped from review due to trivial changes (3)
  • antora/docs/modules/ROOT/pages/release_policy.adoc
  • antora/docs/modules/ROOT/partials/release_policy_nav.adoc
  • policy/release/olm/olm_test.rego
🚧 Files skipped from review as they are similar to previous changes (2)
  • policy/lib/rule_data/rule_data.rego
  • antora/docs/modules/ROOT/pages/packages/release_olm.adoc

Bundles created before the FIPS compliance requirement date (default:
2025-01-31) are now exempt from FIPS annotation checks. The cutoff date
is configurable via the fips_exempt_created_before rule data.

Also adds a warning when the createdAt annotation has an invalid RFC3339
format, and validates that the fips_exempt_created_before rule data is
a valid RFC3339 timestamp when provided.

Co-authored-by: Cursor <noreply@cursor.com>
Made-with: Cursor
@robnester-rh
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Mar 26, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
