CCXDEV-15992: obfuscation config precedence#1223

Merged
openshift-merge-bot[bot] merged 3 commits into openshift:master from opokornyy:CCXDEV-15992-obfuscation-config
Mar 11, 2026

@opokornyy opokornyy commented Feb 4, 2026

Ensure ConfigMap based obfuscation configuration is applied before InsightsDataGather configuration.

Categories

  • Bugfix
  • Data Enhancement
  • Feature
  • Backporting
  • Others (CI, Infrastructure, Documentation)

Sample Archive

  • None

Documentation

  • None

Unit Tests

  • pkg/controller/periodic/periodic_test.go

Privacy

Yes. There are no sensitive data in the newly collected information.

Changelog

  • None

Breaking Changes

No

References

CCXDEV-15992

Summary by CodeRabbit

  • Refactor

    • Improved configuration handling for data gathering with enhanced precedence logic between different configuration sources.
    • Refined data obfuscation policy application with better fallback mechanisms.
  • Tests

    • Added test coverage for configuration precedence rules in data gathering workflows.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 4, 2026

openshift-ci-robot commented Feb 4, 2026

@opokornyy: This pull request references CCXDEV-15992 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 4, 2026
@opokornyy
Contributor Author

/retest

@BaiyangZhou

/test e2e-gcp-ovn-techpreview

@opokornyy
Contributor Author

/cc @ncaak

@openshift-ci openshift-ci Bot requested a review from ncaak February 12, 2026 11:42

@ncaak ncaak left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Feb 12, 2026

openshift-ci Bot commented Feb 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncaak, opokornyy

@opokornyy
Contributor Author

/verified later @BaiyangZhou

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Feb 12, 2026
@openshift-ci-robot
Contributor

@opokornyy: This PR has been marked to be verified later by @BaiyangZhou.

@BaiyangZhou

/retest

@BaiyangZhou

/retest

@BaiyangZhou

/retest

@BaiyangZhou

/retest

@opokornyy
Contributor Author

/retest

@opokornyy
Contributor Author

/retest

Ensure ConfigMap based obfuscation configuration
is applied before InsightsDataGather configuration.

Signed-off-by: Ondrej Pokorny <opokorny@redhat.com>
Signed-off-by: Ondrej Pokorny <opokorny@redhat.com>
Signed-off-by: Ondrej Pokorny <opokorny@redhat.com>
@opokornyy opokornyy force-pushed the CCXDEV-15992-obfuscation-config branch from 054d206 to 717e954 Compare March 9, 2026 15:30
@openshift-ci-robot openshift-ci-robot removed verified Signifies that the PR passed pre-merge verification criteria verified-later labels Mar 9, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 9, 2026

coderabbitai Bot commented Mar 9, 2026

Walkthrough

The changes refactor configuration handling in the periodic controller by introducing an insightsConfig variable to centralize configuration access. The obfuscation configuration is sourced from ConfigMap with fallback to InsightsDataGather CRD DataPolicy, implementing a precedence-based approach for determining data gathering behavior.

Changes

Cohort / File(s) | Summary
Configuration Handling Refactoring: pkg/controller/periodic/periodic.go | Replaced direct config access with dedicated insightsConfig variable. Updated obfuscation logic to use ConfigMap values with fallback to DataPolicy from InsightsDataGather CRD, preserving default to GatheringModeAll behavior.
Test Updates: pkg/controller/periodic/periodic_test.go | Updated existing test setups to initialize mock ConfigMapConfigurator. Added new test TestCreateDataGatherAttributeValues_ConfigMapObfuscationPrecedence to validate precedence rules between ConfigMap obfuscation and Insights CR data policy.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Configuration now flows with grace,
ConfigMap takes the foremost place!
When obfuscation's not defined so clear,
The CRD's DataPolicy draws near.
Precedence rules, both tested and true! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title accurately captures the main change: implementing obfuscation configuration precedence between ConfigMap and InsightsDataGather, which is the primary objective of the PR.
Description check | ✅ Passed | The description provides a clear summary, correctly categorizes as a bugfix, lists unit tests added, addresses privacy concerns, notes no changelog/breaking changes, and includes the Jira reference.


openshift-ci-robot commented Mar 9, 2026

@opokornyy: This pull request references CCXDEV-15992 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/controller/periodic/periodic_test.go (1)

793-861: Split the fallback coverage into nil and empty ConfigMap cases.

Line 826 uses config.Obfuscation{} to represent “no ConfigMap setting”, but in Go that is an explicit empty slice, not the same state as nil. Covering nil and empty separately here would make the intended precedence contract unambiguous.

Please align this test with the confirmed nil-vs-empty behavior from the production path.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/periodic/periodic_test.go` around lines 793 - 861, The test
uses config.Obfuscation{} (an empty slice) but doesn't cover the nil ConfigMap
case; update TestCreateDataGatherAttributeValues_ConfigMapObfuscationPrecedence
to include two distinct cases for "no ConfigMap setting": one with
configMapObfuscation set to nil (e.g. var nilObf config.Obfuscation = nil) and
one with an explicit empty slice (config.Obfuscation{}), and assert that
createDataGatherAttributeValues() (via mockController from
NewMockConfigMapConfigurator) yields the expected DataPolicyOption fallback for
the nil case and the explicit-empty behavior for the empty case so the
precedence contract is unambiguous.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f9649a60-aa35-41be-adef-192c762cc6a1

📥 Commits

Reviewing files that changed from the base of the PR and between bca542a and 717e954.

📒 Files selected for processing (2)
  • pkg/controller/periodic/periodic.go
  • pkg/controller/periodic/periodic_test.go

Comment on lines +897 to +910
// ConfigMap should take precedence for the obfuscation configuration so use the
// InsightsDataGather configuration only if there was none set in a ConfigMap
// If there is not configuration in both then no obfuscation should be applied
if len(dataPolicy) == 0 && gatherConfig != nil && len(gatherConfig.DataPolicy) > 0 {
klog.Infof("Using data policy from InsightsDataGather CR because ConfigMap has no obfuscation settings")
for _, dataPolicyOption := range gatherConfig.DataPolicy {
switch dataPolicyOption {
case configv1.DataPolicyOptionObfuscateNetworking:
dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateNetworking)
case configv1.DataPolicyOptionObfuscateWorkloadNames:
dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateWorkloadNames)
}
}
}
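
Review bot: the switch on dataPolicyOption inside the fallback loop has no default branch, so any gatherConfig.DataPolicy value other than the two listed cases is dropped without a log line and the resulting dataPolicy can request less obfuscation than the CR asked for. Add a default case that logs the unrecognised option through klog so the gap is visible. Separately, the guard len(dataPolicy) == 0 reads every empty ConfigMap result the same way; if an explicitly empty ConfigMap value is meant to switch obfuscation off, the condition needs a presence signal rather than a length. The third comment line would also read better as "If there is no configuration in either".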

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Scripts executed (Repository: openshift/insights-operator):

find . -name "types.go" -type f | head -20
Length of output: 1055

fd -t f "config" --path "*pkg/config*" | head -30
Length of output: 304

rg -l "DataReporting" --type go | head -20
Length of output: 939

cat -n pkg/config/types.go | head -100
Length of output: 4241

rg -A 5 "type DataReporting struct" pkg/config/types.go
Length of output: 283

rg -l "Observer\|observer\|loader\|Loader" pkg/config --type go | head -20
Length of output: 53

rg -A 10 "type Obfuscation" pkg/config/types.go
Length of output: 136

rg -l "Observer\|InsightsConfigurationSerialized" . --type go | grep -v vendor | head -20
Length of output: 53

rg -A 5 "func.*Observer\|func.*Loader" pkg --type go | head -50
Length of output: 53

rg "insights-config" --type go | grep -v vendor | head -20
Length of output: 1343

rg -l "configAggregator\|ConfigAggregator" pkg --type go | head -10
Length of output: 53

rg -B 5 -A 10 "json.Unmarshal.*InsightsConfigurationSerialized\|Unmarshal.*dataReporting" --type go | head -80
Length of output: 53

cat -n pkg/config/configobserver/configmapobserver.go
Length of output: 5524

cat -n pkg/config/configobserver/config_aggregator.go
Length of output: 11600

rg -B 5 -A 20 "func.*ToConfig" pkg/config/types.go
Length of output: 53

rg -B 2 -A 10 "DataReportingSerialized.*ToConfig\|func.*DataReporting.*ToConfig" pkg/config --type go
Length of output: 53

rg "ToConfig" pkg/config/types.go
Length of output: 53

cat pkg/config/types.go | tail -200
Length of output: 4042

wc -l pkg/config/types.go
Length of output: 94

rg -n "func" pkg/config/types.go
Length of output: 53

find pkg/config -name "*.go" -type f | head -20
Length of output: 677

rg "func.*ToConfig" pkg/config --type go
Length of output: 229

cat -n pkg/config/config.go
Length of output: 6596

cat -n pkg/controller/periodic/periodic.go | sed -n '886,920p'
Length of output: 1935

cat -n pkg/controller/periodic/periodic.go | sed -n '860,900p'
Length of output: 2080

Explicit empty ConfigMap obfuscation still falls back to the CR.

Line 900 uses len(dataPolicy) == 0 as the fallback signal. Because Obfuscation is defined as a slice type []ObfuscationValue, YAML unmarshaling conflates "field omitted" and "field explicitly set to []" into the same empty slice. An explicit empty ConfigMap therefore still inherits InsightsDataGather.Spec.DataPolicy instead of clearing it, violating ConfigMap precedence.

The suggested fix in the original comment (checking cmObfuscation == nil) will not work, as YAML unmarshaling never produces nil for slice fields. To fix this, either:

  • Change Obfuscation to a pointer type *[]ObfuscationValue to preserve nil for omitted fields, or
  • Implement explicit field-set tracking (e.g., a separate bool flag in the serialized config), or
  • Use custom YAML unmarshaling to distinguish omitted vs. empty slices
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/periodic/periodic.go` around lines 897 - 910, The current
fallback check uses len(dataPolicy) == 0 which cannot distinguish "field
omitted" vs "field explicitly set to []" because YAML unmarshals slices to
non-nil empty slices; change the ConfigMap obfuscation field type from
[]ObfuscationValue to *[]ObfuscationValue (preserving nil for omitted fields),
update all code that reads/writes that field to handle a nil pointer (e.g.,
check cm.Obfuscation == nil rather than len), and replace the fallback condition
in periodic.go (the dataPolicy selection logic that now looks at dataPolicy
variable and gatherConfig) to use the pointer-nil check so an explicit empty
ConfigMap clears obfuscation instead of inheriting
InsightsDataGather.Spec.DataPolicy.
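
The omitted-versus-empty distinction raised in the review above, as an added Go example that is not the operator's code: a pointer-to-slice field keeps "key absent" apart from "explicit empty list", and the resolver applies ConfigMap-first precedence next to a length-only check for comparison. Assumptions: every type and function name here is hypothetical, the payloads are constructed, and encoding/json stands in for the operator's own ConfigMap loader.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins for the operator's types; names are illustrative.
type ObfuscationValue string

const (
	Networking    ObfuscationValue = "networking"
	WorkloadNames ObfuscationValue = "workload_names"
)

// cmConfig models the ConfigMap section. The pointer keeps three states apart:
// nil (key omitted or null), empty slice (explicit []), populated slice.
type cmConfig struct {
	Obfuscation *[]ObfuscationValue `json:"obfuscation"`
}

// ResolvePolicy returns the effective policy and which source supplied it.
// The ConfigMap wins whenever its key is present, even when the list is empty.
func ResolvePolicy(cmRaw []byte, crPolicy []ObfuscationValue) ([]ObfuscationValue, string, error) {
	var cm cmConfig
	if err := json.Unmarshal(cmRaw, &cm); err != nil {
		// Surface the error instead of guessing a policy from bad input.
		return nil, "", fmt.Errorf("parsing ConfigMap data: %w", err)
	}
	switch {
	case cm.Obfuscation != nil:
		return append([]ObfuscationValue{}, *cm.Obfuscation...), "configmap", nil
	case len(crPolicy) > 0:
		return append([]ObfuscationValue{}, crPolicy...), "cr", nil
	default:
		return []ObfuscationValue{}, "none", nil
	}
}

// LenBasedSource reproduces a length-only fallback check for comparison: it
// cannot tell an omitted key from an explicit empty list.
func LenBasedSource(cmRaw []byte, crPolicy []ObfuscationValue) (string, error) {
	var cm struct {
		Obfuscation []ObfuscationValue `json:"obfuscation"`
	}
	if err := json.Unmarshal(cmRaw, &cm); err != nil {
		return "", err
	}
	switch {
	case len(cm.Obfuscation) > 0:
		return "configmap", nil
	case len(crPolicy) > 0:
		return "cr", nil
	default:
		return "none", nil
	}
}

func main() {
	cr := []ObfuscationValue{Networking} // constructed CR data policy
	// Constructed ConfigMap payloads: key omitted, explicit empty list, one value.
	for _, raw := range []string{`{}`, `{"obfuscation":[]}`, `{"obfuscation":["workload_names"]}`} {
		policy, src, err := ResolvePolicy([]byte(raw), cr)
		lenSrc, _ := LenBasedSource([]byte(raw), cr)
		fmt.Printf("%-36s presence check: %v from %s (err=%v); length check: from %s\n",
			raw, policy, src, err, lenSrc)
	}
}
```

For the explicit empty list the presence check reports the ConfigMap as the source with no obfuscation options, while the length check reports the CR.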

ncaak commented Mar 9, 2026

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 9, 2026
@BaiyangZhou

/test insights-operator-e2e-tests

@opokornyy
Contributor Author

/verified later @BaiyangZhou

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Mar 10, 2026
@openshift-ci-robot
Contributor

@opokornyy: This PR has been marked to be verified later by @BaiyangZhou.

openshift-ci Bot commented Mar 10, 2026

@opokornyy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/e2e-gcp-ovn-techpreview | 054d206 | link | true | /test e2e-gcp-ovn-techpreview
ci/prow/insights-operator-conditions-tests | 054d206 | link | true | /test insights-operator-conditions-tests

@BaiyangZhou

/test insights-operator-e2e-tests

@openshift-merge-bot openshift-merge-bot Bot merged commit a6b5cfd into openshift:master Mar 11, 2026
12 checks passed