ROX-33022: refactor admission controller config map persister by Stringy · Pull Request #19707 · stackrox/stackrox

Stringy · 2026-03-31T10:56:45Z

Description

The admission controller's config_map_persister was tightly coupled to admission control settings. This refactors it into two parts:

A generic ConfigMap persister (sensor/common/configmap) that watches a ValueStream of ConfigMaps and applies them to Kubernetes
The settings-to-ConfigMap conversion logic moved into the admission controller's settings manager, which now exposes a ConfigMapStream()

This enables reuse of the ConfigMap persistence mechanism for other components (e.g. FACT file activity configuration).

The old sensor/kubernetes/admissioncontroller/config_map_persister.go is removed and its test relocated to the settings manager package.

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

change me!

openshift-ci · 2026-03-31T10:56:49Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

sourcery-ai

Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

coderabbitai · 2026-03-31T11:06:36Z

📝 Walkthrough

Summary by CodeRabbit

Release Notes

Refactor
- Modernized admission controller configuration persistence mechanism with improved modularity.
- Transitioned to a generalized ConfigMap persister component for more flexible infrastructure management.
Tests
- Enhanced test coverage for configuration serialization and persistence workflows.

Walkthrough

Adds a ConfigMap stream to AdmissionController settings, serializes settings into gzipped Kubernetes ConfigMaps, introduces a shared ConfigMap persister component, removes the legacy admissioncontroller-specific persister, and wires the sensor to use the new shared persister.

Changes

Cohort / File(s)	Summary
SettingsManager Interface & Mocks `sensor/common/admissioncontroller/settings_manager.go`, `sensor/common/admissioncontroller/mocks/settings_manager.go`	Added `ConfigMapStream() concurrency.ReadOnlyValueStream[*v1.ConfigMap]` to the `SettingsManager` interface and updated GoMock mock and recorder methods.
SettingsManager Implementation `sensor/common/admissioncontroller/settings_manager_impl.go`	Added `configStream` and `ConfigMapStream()` accessor, refactored settings publication to `pushSettings()`, and implemented `settingsToConfigMap()` to marshal and gzip settings into a `*v1.ConfigMap`.
ConfigMap Persistence (new shared) `sensor/common/configmap/persister.go`	New `configMapPersister` component that iterates a `ValueStreamIter[*v1.ConfigMap]`, creates/updates ConfigMaps in Kubernetes, and exposes lifecycle methods; added `InfoAnnotations()` helper.
Legacy Implementation Removal `sensor/kubernetes/admissioncontroller/config_map_persister.go`	Removed legacy admissioncontroller-specific ConfigMap persister implementation and its exported constructor/lifecycle methods.
Sensor Integration `sensor/kubernetes/sensor/sensor.go`	Replaced use of legacy `NewConfigMapSettingsPersister` with `common/configmap.NewConfigMapPersister(...)`, feeding it `admCtrlSettingsMgr.ConfigMapStream().Iterator(false)`.
Tests `sensor/common/admissioncontroller/settings_manager_impl_test.go`, `sensor/kubernetes/admissioncontroller/config_map_persister_test.go`	Added `TestSettingsToConfigMap` to validate serialization and gzip payloads; removed the old test file from the legacy package.

Sequence Diagram

sequenceDiagram
    participant SettingsMgr as SettingsManager
    participant ConfigStream as ConfigMapStream
    participant ConfigPersister as ConfigMapPersister
    participant K8sAPI as Kubernetes API

    SettingsMgr->>SettingsMgr: UpdatePolicies/Config/FlushCache
    SettingsMgr->>SettingsMgr: pushSettings(settings)
    SettingsMgr->>SettingsMgr: settingsToConfigMap(settings)
    SettingsMgr->>ConfigStream: Push(*v1.ConfigMap)
    ConfigPersister->>ConfigStream: Iterator.Next()
    ConfigStream-->>ConfigPersister: *v1.ConfigMap
    ConfigPersister->>K8sAPI: Create(ConfigMap)
    alt ConfigMap exists
        K8sAPI-->>ConfigPersister: AlreadyExists
        ConfigPersister->>K8sAPI: Get(ConfigMap)
        K8sAPI-->>ConfigPersister: Existing ConfigMap
        ConfigPersister->>K8sAPI: Update(ConfigMap)
    else Created
        K8sAPI-->>ConfigPersister: Created
    end
    K8sAPI-->>ConfigPersister: Result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description explains the refactoring rationale and structure, but the validation sections remain unchecked with placeholder text 'change me!' in the testing/validation section.	Complete the 'How I validated my change' section with specific validation details or explain why testing was skipped for this refactoring.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main refactoring: moving the admission controller's config map persister into a generic component. It accurately summarizes the primary change.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch giles/ROX-33022-refactor-configmap-persister

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@sensor/common/admissioncontroller/settings_manager_impl.go`:
- Around line 137-144: The current pushSettings function pushes to
settingsStream before converting to a ConfigMap, causing silent divergence if
settingsToConfigMap fails; update pushSettings so it first calls
settingsToConfigMap(newSettings) and if that succeeds push both
p.settingsStream.Push(newSettings) and p.configStream.Push(config) atomically,
and if conversion fails avoid pushing settings (or explicitly revert/notify) and
improve the error log to include the conversion error and note that configStream
was not updated (include the error and identifying context from newSettings);
reference pushSettings, settingsToConfigMap, settingsStream.Push, and
configStream.Push when making the change.

In `@sensor/common/configmap/persister.go`:
- Around line 56-63: The Start() logic is inverted because ErrorSignal.Reset()
returns false when unsignaled, causing configMapPersister.Start to error on
first call; change the check in Start() to treat a true Reset() as the "already
started" case (i.e., if p.stopSig.Reset() { return errors.New("config persister
was already started") }) or alternatively initialize p.stopSig to a triggered
state before Start so Reset() returns true only when already started; update the
Start() method of configMapPersister (referencing stopSig.Reset and Start)
accordingly so the component can actually start on first invocation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 1587e1c5-8db6-4bfd-a51a-b7ecadb30b83

📥 Commits

Reviewing files that changed from the base of the PR and between 7072ab4 and 96343fc.

📒 Files selected for processing (7)

sensor/common/admissioncontroller/mocks/settings_manager.go
sensor/common/admissioncontroller/settings_manager.go
sensor/common/admissioncontroller/settings_manager_impl.go
sensor/common/admissioncontroller/settings_manager_impl_test.go
sensor/common/configmap/persister.go
sensor/kubernetes/admissioncontroller/config_map_persister.go
sensor/kubernetes/sensor/sensor.go

💤 Files with no reviewable changes (1)

sensor/kubernetes/admissioncontroller/config_map_persister.go

sensor/common/admissioncontroller/settings_manager_impl.go

sensor/common/configmap/persister.go

rhacs-bot · 2026-03-31T11:13:37Z

Images are ready for the commit at 6d74b69.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-514-g6d74b69213.

codecov · 2026-03-31T11:28:33Z

Codecov Report

❌ Patch coverage is 52.77778% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.59%. Comparing base (a5de12f) to head (6d74b69).
⚠️ Report is 48 commits behind head on master.

Files with missing lines	Patch %	Lines
...ommon/admissioncontroller/settings_manager_impl.go	52.77%	28 Missing and 6 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #19707   +/-   ##
=======================================
  Coverage   49.59%   49.59%           
=======================================
  Files        2756     2755    -1     
  Lines      207961   207919   -42     
=======================================
- Hits       103129   103123    -6     
+ Misses      97172    97133   -39     
- Partials     7660     7663    +3

Flag	Coverage Δ
go-unit-tests	`49.59% <52.77%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

clickboo · 2026-03-31T16:08:39Z

/test gke-nongroovy-e2e-tests

clickboo

LGTM

The admission controller's config_map_persister was tightly coupled to admission control settings. This refactors it into two parts: - A generic ConfigMap persister (sensor/common/configmap) that watches a ValueStream of ConfigMaps and applies them to Kubernetes - The settings-to-ConfigMap conversion logic moved into the admission controller's settings manager, which now exposes a ConfigMapStream() This enables reuse of the ConfigMap persistence mechanism for other components (e.g. FACT file activity configuration). The old sensor/kubernetes/admissioncontroller/config_map_persister.go is removed and its test relocated to the settings manager package.

openshift-ci · 2026-04-04T08:08:55Z

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai

🧹 Nitpick comments (1)

sensor/common/configmap/persister.go (1)

108-132: Consider cloning the ConfigMap before mutation.

Line 124 mutates configMap.ResourceVersion directly on the object obtained from the stream. While the current usage in settingsToConfigMap creates a fresh ConfigMap per push (so this is safe in practice), directly mutating stream-provided values is fragile if future code reuses objects.

Optional defensive copy

 func (p *configMapPersister) applyCurrentConfigMap(ctx context.Context) error {
 	configMap := p.settingsStreamIt.Value()
 	if configMap == nil {
 		return nil
 	}
+	// Clone to avoid mutating the stream's value
+	configMap = configMap.DeepCopy()

 	_, err := p.client.Create(ctx, configMap, metav1.CreateOptions{})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@sensor/common/configmap/persister.go` around lines 108 - 132, The code in
configMapPersister.applyCurrentConfigMap mutates the stream-provided object from
p.settingsStreamIt.Value() by setting configMap.ResourceVersion; make a
defensive deep copy of the ConfigMap before any mutation (e.g. clone the
returned object into a new variable) so you never modify the stream's original;
update subsequent calls to use the cloned ConfigMap when calling
p.client.Create, p.client.Update and when copying ResourceVersion from existing,
ensuring the original stream value remains unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@sensor/common/configmap/persister.go`:
- Around line 108-132: The code in configMapPersister.applyCurrentConfigMap
mutates the stream-provided object from p.settingsStreamIt.Value() by setting
configMap.ResourceVersion; make a defensive deep copy of the ConfigMap before
any mutation (e.g. clone the returned object into a new variable) so you never
modify the stream's original; update subsequent calls to use the cloned
ConfigMap when calling p.client.Create, p.client.Update and when copying
ResourceVersion from existing, ensuring the original stream value remains
unchanged.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 54292650-ea16-4e35-8d25-d13b82dc99ba

📥 Commits

Reviewing files that changed from the base of the PR and between 96343fc and 6d74b69.

📒 Files selected for processing (8)

sensor/common/admissioncontroller/mocks/settings_manager.go
sensor/common/admissioncontroller/settings_manager.go
sensor/common/admissioncontroller/settings_manager_impl.go
sensor/common/admissioncontroller/settings_manager_impl_test.go
sensor/common/configmap/persister.go
sensor/kubernetes/admissioncontroller/config_map_persister.go
sensor/kubernetes/admissioncontroller/config_map_persister_test.go
sensor/kubernetes/sensor/sensor.go

💤 Files with no reviewable changes (2)

sensor/kubernetes/admissioncontroller/config_map_persister_test.go
sensor/kubernetes/admissioncontroller/config_map_persister.go

🚧 Files skipped from review as they are similar to previous changes (2)

sensor/common/admissioncontroller/settings_manager.go
sensor/common/admissioncontroller/mocks/settings_manager.go

openshift-ci bot added the do-not-merge/work-in-progress label Mar 31, 2026

github-actions bot added area/sensor ai-review coderabbit-review labels Mar 31, 2026

sourcery-ai bot reviewed Mar 31, 2026

View reviewed changes

Stringy changed the title ~~ROX-33022: extract generic ConfigMap persister from admission controller~~ ROX-33022: refactor admission controller config map persister Mar 31, 2026

Stringy marked this pull request as ready for review March 31, 2026 10:58

Stringy requested a review from a team as a code owner March 31, 2026 10:58

openshift-ci bot removed the do-not-merge/work-in-progress label Mar 31, 2026

Stringy requested a review from clickboo March 31, 2026 10:58

coderabbitai bot reviewed Mar 31, 2026

View reviewed changes

sensor/common/admissioncontroller/settings_manager_impl.go Show resolved Hide resolved

sensor/common/configmap/persister.go Show resolved Hide resolved

clickboo approved these changes Mar 31, 2026

View reviewed changes

Stringy added 2 commits April 1, 2026 09:28

Add comment describing grpc/config map expectations

6d74b69

Stringy force-pushed the giles/ROX-33022-refactor-configmap-persister branch from 50c286e to 6d74b69 Compare April 1, 2026 08:31

openshift-ci bot added the needs-rebase label Apr 4, 2026

coderabbitai bot reviewed Apr 4, 2026

View reviewed changes

Conversation

Stringy commented Mar 31, 2026

Description

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

openshift-ci bot commented Mar 31, 2026

Uh oh!

sourcery-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot commented Mar 31, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Release Notes

Walkthrough

Changes

Sequence Diagram

Estimated code review effort

❌ Failed checks (1 warning, 1 inconclusive)

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

rhacs-bot commented Mar 31, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Mar 31, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

clickboo commented Mar 31, 2026

Uh oh!

clickboo left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Apr 4, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

coderabbitai bot commented Mar 31, 2026 •

edited

Loading

rhacs-bot commented Mar 31, 2026 •

edited

Loading

codecov bot commented Mar 31, 2026 •

edited

Loading