ROX-33555: Add sensor cap checks for SensorAck for node scanning #19418

Merged
vikin91 merged 3 commits into master from piotr/ROX-33555-sensor-ack-node-scanning
Mar 16, 2026

vikin91 commented Mar 13, 2026

Description

This PR scopes the node-scanning ACK refactor isolated from #19323.

What changed:

  • Added central/sensor/service/common/sensor_ack.go with shared helpers to send:
    • capability-gated SensorACK
    • legacy NodeInventoryACK (always, for backward compatibility)
  • Updated Central node scanning pipelines to use the shared helper path:
    • nodeinventory ACK path
    • nodeindex ACK path
  • Extended node pipeline tests to validate both ACK channels.

Before/after behavior example:

  • Before: Central could emit SensorACK for node scanning regardless of Sensor capability.
  • After: Central emits SensorACK for node scanning only when Sensor advertises SensorACKSupport; legacy NodeInventoryACK remains emitted for compatibility.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

  • CI
  • On a cluster: Confirmed SensorACK is sent from Central to Sensor by looking at:
    • Sensor debug logs
    • Sensor metrics

Sensor debug logs:

➜ logs-sensor | grep ACK
common/compliance: 2026/03/16 16:01:26.700245 node_inventory_handler_impl.go:148: Debug: Received SensorACK message: type=NODE_INDEX_REPORT, action=ACK, resource_id=ip-10-0-27-46.ec2.internal, reason=
common/compliance: 2026/03/16 16:01:26.700471 node_inventory_handler_impl.go:377: Debug: Sent ComplianceACK to Compliance: type=NODE_INDEX_REPORT, action=ACK, resource_id=ip-10-0-27-46.ec2.internal, reason=
common/compliance: 2026/03/16 16:01:26.700553 node_inventory_handler_impl.go:190: Debug: Received legacy node-scanning-ACK message of type NodeIndexer, action ACK for node ip-10-0-27-46.ec2.internal

Sensor metrics:

# SensorACK
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-0-251.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-0-251.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-11-34.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-11-34.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-27-46.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-27-46.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-62-249.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INDEX_REPORT",node_name="ip-10-0-62-249.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INVENTORY",node_name="ip-10-0-17-180.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INVENTORY",node_name="ip-10-0-17-180.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INVENTORY",node_name="ip-10-0-43-129.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INVENTORY",node_name="ip-10-0-43-129.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INVENTORY",node_name="ip-10-0-62-249.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NODE_INVENTORY",node_name="ip-10-0-62-249.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1

# Legacy ACK
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-0-251.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-0-251.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-11-34.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-11-34.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-27-46.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-27-46.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-62-249.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-62-249.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-17-180.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-17-180.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-43-129.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-43-129.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-62-249.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-62-249.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1

For Sensor 4.8:

Logs (note no distinction on legacy or the new format):

➜ logs-sensor | grep ACK
common/compliance: 2026/03/16 16:12:23.409750 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeInventory, action ACK for node ip-10-0-37-221.ec2.internal
common/compliance: 2026/03/16 16:12:58.405974 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeInventory, action ACK for node ip-10-0-11-34.ec2.internal
common/compliance: 2026/03/16 16:12:59.643257 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeIndexer, action ACK for node ip-10-0-51-171.ec2.internal
common/compliance: 2026/03/16 16:12:59.655013 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeInventory, action ACK for node ip-10-0-51-171.ec2.internal
common/compliance: 2026/03/16 16:13:23.237674 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeIndexer, action ACK for node ip-10-0-11-34.ec2.internal
common/compliance: 2026/03/16 16:13:36.361637 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeInventory, action ACK for node ip-10-0-0-251.ec2.internal
common/compliance: 2026/03/16 16:13:50.946011 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeIndexer, action ACK for node ip-10-0-37-221.ec2.internal
common/compliance: 2026/03/16 16:13:51.780871 node_inventory_handler_impl.go:126: Debug: Received node-scanning-ACK message of type NodeIndexer, action ACK for node ip-10-0-11-34.ec2.internal

Metrics (note the lack of capitalized values in message_type):

rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-11-34.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-11-34.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-51-171.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeIndexer",node_name="ip-10-0-51-171.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-0-251.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-0-251.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-11-34.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-11-34.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-37-221.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-37-221.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-51-171.ec2.internal",operation="receive from Central",origin="Sensor",reason=""} 1
rox_sensor_node_scanning_ack_processed_total{ack_type="ACK",message_type="NodeInventory",node_name="ip-10-0-51-171.ec2.internal",operation="send to Compliance",origin="Sensor",reason="Forwarding from Central"} 1

Central logs (no errors "Failed injecting"):

➜ logs-central | grep injecting
detection/lifecycle: 2026/03/16 15:16:18.621095 singleton.go:50: Info: Done injecting policies.

openshift-ci bot commented Mar 13, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

vikin91 commented Mar 13, 2026

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • The recordingInjectorWithCapabilities type is duplicated in both nodeinventory and nodeindex tests; consider extracting a shared test helper (or extending recordingInjector with a default HasCapability implementation) to avoid repetition and keep capability behavior consistent across tests.
  • SendSensorACK silently returns when the injector does not implement capabilityChecker; if this is expected only for older/non-production injectors, consider documenting that assumption or adding a small debug log/TODO so it’s clearer when SensorACKs might be skipped due to injector type rather than capability.
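
Added example, not code from this PR or the StackRox repository: a simplified Go model of the behaviour in the PR description (SensorACK only when the Sensor advertises SensorACKSupport, legacy NodeInventoryACK always) that also reports why a SensorACK was skipped, the case raised in the review comment above. The types, the string messages and the function SendNodeScanningACK are assumptions made for illustration.

```go
package main

import "fmt"

// Hypothetical stand-ins modelled on the PR discussion, not StackRox types.
const SensorACKSupport = "SensorACKSupport"

// Injector sends one message from Central to a connected Sensor.
type Injector interface{ Inject(msg string) error }

// capabilityChecker is implemented only by injectors that know what the
// connected Sensor advertised.
type capabilityChecker interface{ HasCapability(c string) bool }

// SendNodeScanningACK sends the new ACK only to capable Sensors and the legacy
// ACK to every Sensor. It returns the outcome so a skip is never silent.
func SendNodeScanningACK(inj Injector, node string) (string, error) {
	outcome := "sensor-ack-sent"
	cc, ok := inj.(capabilityChecker)
	switch {
	case !ok:
		outcome = "skipped: injector cannot report capabilities"
	case !cc.HasCapability(SensorACKSupport):
		outcome = "skipped: sensor lacks " + SensorACKSupport
	default:
		if err := inj.Inject("SensorACK:" + node); err != nil {
			return "", err
		}
	}
	// Legacy channel stays unconditional for backward compatibility.
	if err := inj.Inject("NodeInventoryACK:" + node); err != nil {
		return "", err
	}
	return outcome, nil
}

// recorder is a test double without capability knowledge.
type recorder struct{ sent []string }

func (r *recorder) Inject(m string) error { r.sent = append(r.sent, m); return nil }

// capRecorder adds a constructed capability set to recorder.
type capRecorder struct {
	recorder
	caps map[string]bool
}

func (r *capRecorder) HasCapability(c string) bool { return r.caps[c] }

func main() {
	old := &capRecorder{caps: map[string]bool{}} // constructed: older Sensor
	out, _ := SendNodeScanningACK(old, "node-a")
	fmt.Println(out, old.sent)
}
```
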

rhacs-bot commented Mar 13, 2026

Images are ready for the commit at 71b3ef5.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-328-g71b3ef53a3.

codecov bot commented Mar 13, 2026

Codecov Report

❌ Patch coverage is 36.36364% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.72%. Comparing base (846febd) to head (71b3ef5).
⚠️ Report is 10 commits behind head on master.

Files with missing lines | Patch % | Lines
central/sensor/service/common/sensor_ack.go | 0.00% | 35 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19418      +/-   ##
==========================================
+ Coverage   49.69%   49.72%   +0.02%     
==========================================
  Files        2702     2704       +2     
  Lines      203538   204051     +513     
==========================================
+ Hits       101155   101470     +315     
- Misses      94856    95010     +154     
- Partials     7527     7571      +44     
Flag | Coverage Δ
go-unit-tests | 49.72% <36.36%> (+0.02%) ⬆️


@vikin91 vikin91 requested a review from rhybrillou March 16, 2026 09:32

vikin91 commented Mar 16, 2026

check-generated-files fails with:

Run actions/setup-python@v5
Error: The specified python version file at: operator/bundle_helpers/.python-version doesn't exist.

Not sure how to get rid of that. I will rebase.

@vikin91 vikin91 force-pushed the piotr/ROX-33555-sensor-ack-node-scanning branch from 8b9adc1 to 97c2430 Compare March 16, 2026 09:36
@vikin91 vikin91 merged commit cb89faf into master Mar 16, 2026
153 of 176 checks passed
@vikin91 vikin91 deleted the piotr/ROX-33555-sensor-ack-node-scanning branch March 16, 2026 16:22