HYPERFLEET-1123 - feat: define hyperfleet-critical PriorityClass and apply to maestro pods

[kuudori]

Summary

• Define hyperfleet-critical PriorityClass (value: 1000000000) as a standalone manifest at manifests/priority-classes.yaml
• Add install-priority-classes Makefile target, hooked into install-all and install-all-rabbitmq before install-maestro
• Wire priorityClassName: hyperfleet-critical into all four maestro pod specs (server, agent, db, mqtt)
• Bump chart dependency versions to 0.1.1 for upstream priorityClassName hooks

Verification

Tested on local kind cluster:

• make install-priority-classes creates the PriorityClass with correct value
• Idempotent on re-apply
• kubectl get priorityclass hyperfleet-critical returns value=1000000000

Test plan

• Upstream HYPERFLEET-1120 - feat(charts): expose podAnnotations and priorityClassName on agent/postgresql/mosquitto templates openshift-online/maestro#542 merges to main
• make install-priority-classes succeeds
• kubectl get priorityclass hyperfleet-critical shows value below system-cluster-critical (2B)
• kubectl get pods -n maestro -o custom-columns=NAME:.metadata.name,PRIORITY_CLASS:.spec.priorityClassName shows hyperfleet-critical on all four pods

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: aaa214ab-53b2-492b-ae77-ba1f8bbccbc9

📥 Commits

Reviewing files that changed from the base of the PR and between e21624d and 6a30649.

📒 Files selected for processing (4)

• Makefile
• helm/maestro/Chart.yaml
• helm/maestro/values.yaml
• manifests/priority-classes.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

🚧 Files skipped from review as they are similar to previous changes (4)

• manifests/priority-classes.yaml
• helm/maestro/values.yaml
• helm/maestro/Chart.yaml
• Makefile

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Added pod priority class configuration for critical workloads to ensure proper scheduling priority and protection against cluster autoscaling-related pod eviction.

• Chores

  • Helm chart updated to version 0.1.2 with corresponding dependency version updates.

Walkthrough

A new Kubernetes PriorityClass named hyperfleet-critical is defined in manifests/priority-classes.yaml at priority value 1000000000 with globalDefault: false. A Makefile target install-priority-classes is added to apply this manifest via kubectl apply, and this target is inserted into the dependency chains of local-up-kind and local-up-gcp. The umbrella Helm chart version is bumped from 0.1.0 to 0.1.2, and both maestro-server and maestro-agent subchart dependency versions move from 0.1.0 to 0.1.1. The values.yaml adds priorityClassName: hyperfleet-critical and cluster-autoscaler.kubernetes.io/safe-to-evict: "false" annotations to the server, PostgreSQL, Mosquitto, and agent components.

Security notes

Priority class value exposure: PriorityClass hyperfleet-critical at 1000000000 is high privilege. Confirm this value does not exceed system-reserved classes; misconfiguration can starve critical workloads (CWE-400: Uncontrolled Resource Consumption).

Kubectl apply in Makefile without validation: The install-priority-classes target applies manifests directly with kubectl apply after only checking for kubectl binary presence. No schema validation, dry-run, or authorization check is performed. Supply chain risk if manifests/priority-classes.yaml is modified upstream without review.

Safe-to-evict false on non-critical paths: Setting cluster-autoscaler.kubernetes.io/safe-to-evict: "false" on PostgreSQL and Mosquitto prevents scaling optimizations. Confirm these dependencies are crash-critical; overly broad non-evictable policy increases cluster fragmentation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changeset: defining and applying the hyperfleet-critical PriorityClass to maestro pods.
Description check	✅ Passed	The description is directly related to the changeset, covering the PriorityClass definition, Makefile integration, pod spec updates, and verification steps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No log statements (slog, log, logr, zap, fmt.Print*) expose tokens, passwords, credentials, or secrets. Configuration values stored separately from logging calls.
No Hardcoded Secrets	✅ Passed	PR contains no hardcoded secrets. The password field in helm/maestro/values.yaml is a placeholder for development/demo embedded PostgreSQL, explicitly documented as such and matching excluded categ...
No Weak Cryptography	✅ Passed	No weak cryptography detected. PR contains only Makefile targets, Helm chart metadata, and Kubernetes manifests—no cryptographic code, banned primitives, or unsafe comparisons.
No Injection Vectors	✅ Passed	No injection vectors detected. All inputs are hardcoded constants or static manifests; no SQL concatenation (CWE-89), exec.Command injection (CWE-78), template injection (CWE-79), or unsafe yaml.Un...
No Privileged Containers	✅ Passed	No privileged containers, elevated capabilities, or unsafe security contexts found. PR adds PriorityClass scheduling only; no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivil...
No Pii Or Sensitive Data In Logs	✅ Passed	No PII or sensitive data found in logging statements. The echo statement added in the new install-priority-classes target outputs only "OK: PriorityClasses applied", a generic message with no sensi...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/maestro/Chart.yaml`:
- Around line 9-16: The chart dependencies maestro-server and maestro-agent have
a reproducibility issue where the version fields are pinned to "0.1.1" but the
repository URLs use the mutable branch ref "?ref=main". To fix this, replace the
mutable branch references (?ref=main) in both the maestro-server and
maestro-agent repository URLs with an immutable reference that matches version
0.1.1, either by using an immutable git tag (such as ?ref=v0.1.1) or a specific
commit SHA, depending on what the upstream maestro repository provides for that
version.

In `@Makefile`:
- Line 117: The kubectl apply recipe on line 117 expands the $(MANIFESTS_DIR)
variable unquoted, creating a shell injection vulnerability (CWE-78) where
malicious input could execute arbitrary commands. Fix this by quoting the
variable reference in the file path passed to kubectl apply, changing
$(MANIFESTS_DIR) to "$(MANIFESTS_DIR)" to safely handle any input containing
special characters or shell metacharacters.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ebb6030d-47f8-49ca-99c2-3fa45aacd35a

📥 Commits

Reviewing files that changed from the base of the PR and between 9034fc3 and e21624d.

📒 Files selected for processing (4)

• Makefile
• helm/maestro/Chart.yaml
• helm/maestro/values.yaml
• manifests/priority-classes.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Quote recipe variable to prevent shell injection (CWE-78).

Line 117 expands $(MANIFESTS_DIR) unquoted inside a shell command. If that variable is injected via environment/CLI in CI, this can execute arbitrary shell fragments on the runner.

Proposed fix

-	kubectl apply -f $(MANIFESTS_DIR)/priority-classes.yaml
+	kubectl apply -f "$(MANIFESTS_DIR)/priority-classes.yaml"

As per coding guidelines, **/Makefile: “Flag shell injection via unquoted variables in recipes.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	kubectl apply -f $(MANIFESTS_DIR)/priority-classes.yaml
	kubectl apply -f "$(MANIFESTS_DIR)/priority-classes.yaml"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 117, The kubectl apply recipe on line 117 expands the
$(MANIFESTS_DIR) variable unquoted, creating a shell injection vulnerability
(CWE-78) where malicious input could execute arbitrary commands. Fix this by
quoting the variable reference in the file path passed to kubectl apply,
changing $(MANIFESTS_DIR) to "$(MANIFESTS_DIR)" to safely handle any input
containing special characters or shell metacharacters.

Source: Coding guidelines

[openshift-ci]

@kuudori: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/integration	6a30649	link	false	/test integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.