Skip to content

ROX-31227: Only allow scheduling equivalent tailored profiles#19544

Closed
guzalv wants to merge 9 commits intomaster-base/gualvare/fix-compliance-custom-rules-gotchasfrom
stackrox-profile-equivalence
Closed

ROX-31227: Only allow scheduling equivalent tailored profiles#19544
guzalv wants to merge 9 commits intomaster-base/gualvare/fix-compliance-custom-rules-gotchasfrom
stackrox-profile-equivalence

Conversation

@guzalv
Copy link
Contributor

@guzalv guzalv commented Mar 23, 2026

Description

change me!

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

change me!

dependabot bot and others added 9 commits March 23, 2026 15:47
@dependabot @guzalv
chore(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 (
649bf10 
…#19540)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @guzalv
chore(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.1 (#19539)
aef06ab 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @guzalv
chore(deps): bump github.com/fatih/color from 1.18.0 to 1.19.0 (#19538)
44acb53 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@rhacs-bot @guzalv
chore(collector): Update COLLECTOR_VERSION (#19131)
62cf30b
@janisz @claude @guzalv
chore(lint): enable omitzero analyzer (#19520)
676a9fe 
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
@janisz @claude
@msugakov @guzalv
ROX-33560: Migrate operator konflux.Dockerfile to ubi8-micro (#19378)
165a7e8 
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
@vikin91 @guzalv
ROX-31733: Add regression tests for VM guard checks (#19497)
d1dec73
@clickboo @guzalv
chore(be): Fix code owner for admission controller (#19536)
8c32084
@guzalv @claude
ROX-31227: Restrict schedulable TPs to those equivalent across clusters
6e2697a 
This commit was mostly generated by Claude Sonnet 4.6, after providing
it with a detailed implementation plan which was joint work between
human author and Claude Opus 4.6.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@openshift-ci
Copy link

openshift-ci bot commented Mar 23, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions github-actions bot added ci-all-qa-tests Tells CI to run all API tests (not just BAT). area/auth area/central area/operator area/sensor area/ci konflux-build Run Konflux in PR. Push commit to trigger it. ai-review labels Mar 23, 2026
@guzalv guzalv changed the base branch from master to master-base/gualvare/fix-compliance-custom-rules-gotchas March 23, 2026 14:59
@guzalv
Copy link
Contributor Author

guzalv commented Mar 23, 2026
edited
Loading

This change is part of the following stack:

Change managed by git-spice.

sourcery-ai[bot]
sourcery-ai bot reviewed Mar 23, 2026
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • There are unresolved merge conflict markers in central/complianceoperator/v2/compliancemanager/manager_impl.go (around validateTailoredProfileHashConsistency and storageToInternalProfileKind); these need to be resolved before merging.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- There are unresolved merge conflict markers in central/complianceoperator/v2/compliancemanager/manager_impl.go (around validateTailoredProfileHashConsistency and storageToInternalProfileKind); these need to be resolved before merging.

## Individual Comments

### Comment 1
<location path="central/complianceoperator/v2/compliancemanager/manager_impl.go" line_range="582-591" />
<code_context>
+<<<<<<< HEAD
</code_context>
<issue_to_address>
**issue (bug_risk):** Resolve leftover merge conflict markers before merging

Unresolved conflict markers (`<<<<<<<`, `=======`, `>>>>>>>`) remain near `validateTailoredProfileHashConsistency` and `storageToInternalProfileKind`. These will break the build and tooling; resolve the conflicts and remove all markers before merging.
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

central/complianceoperator/v2/compliancemanager/manager_impl.go
Comment on lines +582 to +591
<<<<<<< HEAD
=======

// validateTailoredProfileHashConsistency verifies that each tailored profile in the scan
// request has an equivalent equivalence_hash on every selected cluster. Non-tailored profiles
// are not checked. Called only when hash checking is not bypassed.
//
// Hash equivalence: all instances share the same hash value (COUNT(DISTINCT hash) = 1).
// All-empty is allowed — treated as equivalent, matching the profile picker semantics.
func (m *managerImpl) validateTailoredProfileHashConsistency(
Copy link
Contributor

@sourcery-ai sourcery-ai bot Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): Resolve leftover merge conflict markers before merging

Unresolved conflict markers (<<<<<<<, =======, >>>>>>>) remain near validateTailoredProfileHashConsistency and storageToInternalProfileKind. These will break the build and tooling; resolve the conflicts and remove all markers before merging.

@guzalv guzalv force-pushed the master-base/gualvare/fix-compliance-custom-rules-gotchas branch from 18097ac to 699451c Compare March 23, 2026 15:02
@github-actions
Copy link
Contributor

github-actions bot commented Mar 23, 2026

/konflux-retest main-on-push

@github-actions
Copy link
Contributor

github-actions bot commented Mar 23, 2026

/konflux-retest scanner-v4-on-push

@guzalv guzalv closed this Mar 23, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 23, 2026

/konflux-retest operator-on-push

@guzalv
Copy link
Contributor Author

guzalv commented Mar 23, 2026

Closed in favor of #19545

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@rhacs-bot rhacs-bot Awaiting requested review from rhacs-bot rhacs-bot will be requested when the pull request is marked ready for review rhacs-bot is a code owner

Assignees

No one assigned

Labels

ai-review area/auth area/central area/ci area/operator area/sensor ci-all-qa-tests Tells CI to run all API tests (not just BAT). do-not-merge/work-in-progress konflux-build Run Konflux in PR. Push commit to trigger it.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@guzalv @rhacs-bot @janisz @vikin91 @clickboo