
DO NOT REVIEW: experiment #19402

Draft
dashrews78 wants to merge 2 commits into master from dashrews/deployment-experiment

Conversation

@dashrews78 (Contributor)

Introduce storage.StoredDeployment as the persistence-only type used at
the postgres store boundary, keeping storage.Deployment as the API type
used by all consumers (~250+ files unchanged).

This separation enables independent evolution of the storage schema
(e.g., init/ephemeral container support, table normalization) without
impacting sensor, detection, API, or policy evaluation consumers.

Key changes:

  • Add ContainerType enum (STANDARD, INIT, EPHEMERAL) to proto
  • Add StoredDeployment, StoredContainer, StoredContainerImage messages
    with SQL tags for persistence
  • Add init_containers and ephemeral_containers fields to Deployment
  • Remove SQL tags from Deployment and ContainerImage (API-only types)
  • Internal Store interface now uses StoredDeployment; public DataStore
    interface unchanged
  • Conversion layer (ToStoredDeployment/FromStoredDeployment) merges and
    splits containers by type at the store boundary
  • No migration needed: same table name, same field numbers, GORM
    auto-creates new container_type column

Code partially generated by AI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Description

change me!

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

change me!
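The merge and split that the conversion layer (ToStoredDeployment/FromStoredDeployment) performs at the store boundary, as an added Go example that is not the PR's code: the type and constant names are assumptions standing in for the proto-generated storage types, containers are reduced to their names, and STANDARD is assumed to be the enum's zero value.

```go
package main
import "fmt"
// ContainerType mirrors the enum this PR adds (Go names assumed); zero is STANDARD,
// which pre-existing rows also get once GORM adds the container_type column.
type ContainerType int
const (
	ContainerTypeStandard ContainerType = iota
	ContainerTypeInit
	ContainerTypeEphemeral
)
// Deployment stands in for storage.Deployment (API type): three separate lists.
type Deployment struct{ Containers, InitContainers, EphemeralContainers []string }
// StoredContainer stands in for storage.StoredContainer: one flat persisted list.
type StoredContainer struct {
	Name string
	Type ContainerType
}

// ToStoredDeployment merges the three API lists into one tagged list.
func ToStoredDeployment(d *Deployment) []StoredContainer {
	var s []StoredContainer
	add := func(names []string, t ContainerType) {
		for _, n := range names {
			s = append(s, StoredContainer{Name: n, Type: t})
		}
	}
	add(d.Containers, ContainerTypeStandard)
	add(d.InitContainers, ContainerTypeInit)
	add(d.EphemeralContainers, ContainerTypeEphemeral)
	return s
}

// FromStoredDeployment splits by type, keeping order. An unknown type is an error,
// not a silently dropped container: a drop here is invisible to policy evaluation.
func FromStoredDeployment(s []StoredContainer) (*Deployment, error) {
	d := &Deployment{}
	for _, c := range s {
		switch c.Type {
		case ContainerTypeStandard:
			d.Containers = append(d.Containers, c.Name)
		case ContainerTypeInit:
			d.InitContainers = append(d.InitContainers, c.Name)
		case ContainerTypeEphemeral:
			d.EphemeralContainers = append(d.EphemeralContainers, c.Name)
		default:
			return nil, fmt.Errorf("container %q: unknown container_type %d", c.Name, c.Type)
		}
	}
	return d, nil
}
```

The round trip is the property worth testing on the no-migration path: a row written before container_type existed must read back as a regular container, and a container_type the reader does not know must fail loudly rather than vanish from every consumer.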

@dashrews78 (Contributor Author)

dashrews78 commented Mar 12, 2026

This change is part of the following stack:

Change managed by git-spice.

@openshift-ci

openshift-ci bot commented Mar 12, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rhacs-bot (Contributor)

rhacs-bot commented Mar 12, 2026

Images are ready for the commit at 0459905.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-311-g04599050ec.

Add search:"-" tags to init_containers and ephemeral_containers fields
on storage.Deployment to prevent the boolean policy evaluator from
traversing them. Without this, the evaluator panics at init time due to
duplicate search tags (e.g., "Environment Key" appearing at both
Containers.Config.Env.Key and InitContainers.Config.Env.Key).

This matches the existing pattern used for Container.ports, which is
suppressed with policy:",ignore" search:"-" in favor of Deployment.ports.

A future PR will extend the evaluator to support multi-path tags,
enabling policy evaluation on init/ephemeral containers. See
artifacts/multi-path-evaluator-plan.md for the design.

Code partially generated by AI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comment on lines +62 to +63
repeated Container init_containers = 36; // @gotags: search:"-"
repeated Container ephemeral_containers = 37; // @gotags: search:"-"
dashrews78 (Contributor Author) commented:

Without these we get a duplicate tag when policy eval paths are built.
