Skip to content

ROX-33361: Per-namespace persistence in SecuredCluster CR#20102

Open
erthalion wants to merge 1 commit intomasterfrom
feature/per-namespace-persistence-secured-cluster
Open

ROX-33361: Per-namespace persistence in SecuredCluster CR#20102
erthalion wants to merge 1 commit intomasterfrom
feature/per-namespace-persistence-secured-cluster

Conversation

@erthalion
Copy link
Copy Markdown
Contributor

@erthalion erthalion commented Apr 20, 2026
edited
Loading

Description

NOTE: It's been split from #19455, for the purposes of simplifying the review. The PR contains only the second commit, wiring everything up into the operator. The implementation is exactly the same as in the original PR.

Commit 405c8cf ("ROX-33361: Per-namespace persistence for process indicators (#19957)") has introduced a possibility to configure per-namespace persistence for process indicators, but did not wire it up anywhere.

Allow to provide new dynamic config fields via SecuredCluster CR, in the form:

spec:
  processIndicators:
    persistence: true
    excludeNamespaceFilter: namespace-without-persistence
    excludeOpenshiftNs: false

It works in exactly the same way as above mentioned dynamic config counterpart, except the reversed "persistence" field. Contrary to a protobuf dynamic config, SecuredCluster CR allows to distinguish not set values, thus we choose more natural to read version. It will be converted into the "noPersistence" during translation.

indicators

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Manual validation (creating an operator-managed cluster and modifying the configuration), as well as E2E tests. Split from #19455 to simplify the review.

@erthalion erthalion requested review from a team as code owners April 20, 2026 11:06
@erthalion erthalion requested review from porridge and removed request for a team April 20, 2026 11:06
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 20, 2026
edited
Loading

🚀 Build Images Ready

Images are ready for commit 57f78fa. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-721-g57f78fa954

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 20, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 36.66667% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.68%. Comparing base (de32d18) to head (0c4b745).
⚠️ Report is 6 commits behind head on master.

Files with missing lines Patch % Lines
operator/api/v1alpha1/zz_generated.deepcopy.go 0.00% 29 Missing ⚠️
...l/securedcluster/values/translation/translation.go 75.86% 5 Missing and 2 partials ⚠️
operator/api/v1alpha1/securedcluster_types.go 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #20102   +/-   ##
=======================================
  Coverage   49.68%   49.68%           
=======================================
  Files        2766     2766           
  Lines      209299   209359   +60     
=======================================
+ Hits       103989   104028   +39     
- Misses      97616    97639   +23     
+ Partials     7694     7692    -2
Flag Coverage Δ
go-unit-tests 49.68% <36.66%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@erthalion
Copy link
Copy Markdown
Contributor Author

erthalion commented Apr 20, 2026

/test ocp-4-21-operator-e2e-tests

dashrews78
dashrews78 reviewed Apr 20, 2026
View reviewed changes
Comment thread image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl

enableOpenShiftMonitoring: false

[<- if .FeatureFlags.ROX_PROCESS_INDICATORS_PER_NAMESPACE >]
Copy link
Copy Markdown
Contributor

@dashrews78 dashrews78 Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need the feature flag for this? The act of updating the config would sort of handle that from a user perspective would it not?

Copy link
Copy Markdown
Contributor Author

@erthalion erthalion Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There was a discussion about this with the Install team, unfortunately without any decisive conclusions yet.

dashrews78
dashrews78 approved these changes Apr 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dashrews78 dashrews78 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but please get approval from install team before merging.

@JoukoVirtanen
Copy link
Copy Markdown
Contributor

JoukoVirtanen commented Apr 20, 2026
edited
Loading

Screenshots of the Openshift console with these configuration in the PR description might be nice. You can merge without my approval.

@erthalion
Copy link
Copy Markdown
Contributor Author

erthalion commented Apr 21, 2026

Screenshots of the Openshift console with these configuration in the PR description might be nice. You can merge without my approval.

Good point, forgot about this requirement.

@erthalion
ROX-33361: Per-namespace persistence in SecuredCluster CR
57f78fa 
Commit 405c8cf ("ROX-33361: Per-namespace persistence for process
indicators (#19957)") has introduced a possibility to configure
per-namespace persistence for process indicators, but did not wire it up
anywhere.

Allow to provide new dynamic config fields via SecuredCluster CR, in the
form:

    spec:
      processIndicators:
        persistence: true
        excludeNamespaceFilter: namespace-without-persistence
        excludeOpenshiftNs: false

It works in exactly the same way as above mentioned dynamic config
counterpart, except the reversed "persistence" field. Contrary to a
protobuf dynamic config, SecuredCluster CR allows to distinguish not set
values, thus we choose more natural to read version. It will be
converted into the "noPersistence" during translation.
@erthalion erthalion force-pushed the feature/per-namespace-persistence-secured-cluster branch from 0c4b745 to 57f78fa Compare April 21, 2026 10:04
@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Apr 21, 2026

@erthalion: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/gke-qa-e2e-tests 57f78fa link false /test gke-qa-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dashrews78 dashrews78 dashrews78 approved these changes

@porridge porridge Awaiting requested review from porridge porridge is a code owner automatically assigned from stackrox/install

@vladbologa vladbologa Awaiting requested review from vladbologa

@ovalenti ovalenti Awaiting requested review from ovalenti

@AlexVulaj AlexVulaj Awaiting requested review from AlexVulaj

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area/helm area/operator

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@erthalion @JoukoVirtanen @dashrews78