CCXDEV-16159: controlplanemachinesets gatherer

[opokornyy]

This PR implements a ControlPlaneMachineSet gatherer.

Categories

• Bugfix
• Data Enhancement
• Feature
• Backporting
• Others (CI, Infrastructure, Documentation)

Sample Archive

• docs/insights-archive-sample/config/controlplanemachinesets/openshift-machine-api/cluster.json

Documentation

• docs/gathered-data.md

Unit Tests

• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go

Privacy

Yes. There are no sensitive data in the newly collected information.

Changelog

Breaking Changes

No

References

https://redhat.atlassian.net/browse/CCXDEV-16092

Summary by CodeRabbit

Release Notes

• New Features

  • Added capability to gather and collect control plane machine set information from OpenShift clusters, including configuration and status details.

• Documentation

  • Updated documentation with details on control plane machine set data collection, including sample data locations and archival patterns.

[openshift-ci-robot]

@opokornyy: This pull request references CCXDEV-16159 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

This PR implements a ControlPlaneMachineSet gatherer.

Categories

• Bugfix
• Data Enhancement
• Feature
• Backporting
• Others (CI, Infrastructure, Documentation)

Sample Archive

• docs/insights-archive-sample/config/controlplanemachinesets/openshift-machine-api/cluster.json

Documentation

• docs/gathered-data.md

Unit Tests

• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go

Privacy

Yes. There are no sensitive data in the newly collected information.

Changelog

Breaking Changes

No

References

https://redhat.atlassian.net/browse/CCXDEV-16092

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: opokornyy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [opokornyy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e12fe4f8-3629-40a8-9758-167cedd50ba9

📥 Commits

Reviewing files that changed from the base of the PR and between 699c023 and f6f8bbf.

📒 Files selected for processing (3)

• docs/insights-archive-sample/config/controlplanemachinesets/openshift-machine-api/cluster.json
• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go
• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go
• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go

---

📝 Walkthrough

Walkthrough

This PR adds a new gatherer for collecting OpenShift ControlPlaneMachineSet resources. It includes schema and RBAC configuration, gatherer registration and implementation with sensitive field redaction, comprehensive table-driven tests with fixtures, and documentation with a sample manifest.

Changes

ControlPlaneMachineSet Gatherer

Layer / File(s)	Summary
Schema definition and RBAC permissions pkg/gatherers/clusterconfig/const.go, manifests/03-clusterrole.yaml	Defines controlPlaneMachineSetVersionResource for the machine.openshift.io/v1 API group and grants get, list, and watch verbs on controlplanemachineset resources.
Gatherer registration and implementation pkg/gatherers/clusterconfig/clusterconfig_gatherer.go, pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go	Registers GatherControlPlaneMachineSet in the gatherer framework; implements client creation, resource listing, namespace-aware naming, and redaction of spec.templates and spec.template fields.
Table-driven tests with fixtures pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go	Tests empty, single, and multi-resource scenarios with YAML fixtures, validating record count, record names, and field redaction behavior.
Documentation and sample manifest docs/gathered-data.md, docs/insights-archive-sample/config/controlplanemachinesets/openshift-machine-api/cluster.json	Documents the gatherer's purpose, archive location patterns, versioning, and provides a complete sample ControlPlaneMachineSet manifest with metadata, spec, and status sections.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check specifies Ginkgo test quality (It blocks, BeforeEach/AfterEach), but the PR contains standard Go table-driven tests, not Ginkgo tests.	Clarify if the check applies only to Ginkgo tests or should also cover standard Go unit tests. This codebase uses standard Go testing patterns.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly references the JIRA issue (CCXDEV-16159) and clearly describes the main change: implementing a controlplanemachinesets gatherer, which aligns with the PR's primary objective.
Description check	✅ Passed	The PR description follows the repository template with all required sections completed: categories, sample archive, documentation, unit tests, privacy considerations, breaking changes, and references are all properly filled in.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test uses standard Go testing with static, descriptive names: "single resource with namespace", "single resource without namespace", "empty list", "multiple resources". No dynamic content.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. Only a standard Go unit test using testing.T is present, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests added; only a unit test using testing.T with fake Kubernetes client. Check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only a gatherer function and RBAC to read ControlPlaneMachineSet resources. No workload deployments or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	No violations of OTE Binary Stdout Contract found. klog.Errorf calls are in normal function execution (not process-level code), and klog is configured to write to stderr by default.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. The test file (gather_control_plane_machine_sets_test.go) uses standard Go testing package with testify assertions, not Ginkgo. No e2e tests were added.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure token/secret comparisons found in the PR code.
Container-Privileges	✅ Passed	PR does not introduce new container privileges. The 10-insights-runtime-extractor.yaml is a renamed existing file with pre-existing privileged settings. Manifest changes are RBAC/formatting only.
No-Sensitive-Data-In-Logs	✅ Passed	Sensitive data properly redacted in spec.template/templates. Only generic API errors logged, no field values exposed, resource names/namespaces only metadata logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@manifests/03-clusterrole.yaml`:
- Line 250: The ClusterRole currently grants the wrong RBAC resource name
"controlplanemachineset" (singular) while the gatherer expects
"controlplanemachinesets" (plural); update the resources list in the ClusterRole
to use "controlplanemachinesets" so the verb rules (get/list/watch) apply to the
plural resource and avoid Forbidden errors when the gatherer queries
controlplanemachinesets. Ensure the exact resource string
"controlplanemachinesets" replaces "controlplanemachineset" in the ClusterRole's
resources section.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 839433e8-30c6-4c2b-a42d-d5f64e4ac534

📥 Commits

Reviewing files that changed from the base of the PR and between 0a21a2a and 7c277d2.

📒 Files selected for processing (6)

• docs/insights-archive-sample/config/controlplanemachinesets/openshift-machine-api/cluster.json
• manifests/03-clusterrole.yaml
• pkg/gatherers/clusterconfig/clusterconfig_gatherer.go
• pkg/gatherers/clusterconfig/const.go
• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go
• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify RBAC resource name matches gatherer GVR resource.
rg -n 'controlplanemachineset|controlplanemachinesets' manifests/03-clusterrole.yaml pkg/gatherers/clusterconfig/const.go

Repository: openshift/insights-operator

Length of output: 216

---

🏁 Script executed:

rg -n 'controlplanemachineset|controlplanemachinesets' manifests/03-clusterrole.yaml pkg/gatherers/clusterconfig/const.go

Repository: openshift/insights-operator

Length of output: 216

---

Fix RBAC resource name mismatch for controlplane machinesets

manifests/03-clusterrole.yaml grants controlplanemachineset (singular), but the gatherer queries controlplanemachinesets (plural). Update the RBAC resource to match to avoid Forbidden errors.

Suggested fix

-      - controlplanemachineset
+      - controlplanemachinesets

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- controlplanemachineset
	- controlplanemachinesets

🧰 Tools

🪛 Trivy (0.69.3)

[error] 250-257: Manage all resources

ClusterRole 'insights-operator-gather' shouldn't manage all resources

Rule: KSV-0046

Learn more

(IaC/Kubernetes)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/03-clusterrole.yaml` at line 250, The ClusterRole currently grants
the wrong RBAC resource name "controlplanemachineset" (singular) while the
gatherer expects "controlplanemachinesets" (plural); update the resources list
in the ClusterRole to use "controlplanemachinesets" so the verb rules
(get/list/watch) apply to the plural resource and avoid Forbidden errors when
the gatherer queries controlplanemachinesets. Ensure the exact resource string
"controlplanemachinesets" replaces "controlplanemachineset" in the ClusterRole's
resources section.

[opokornyy]

/retest

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/insights-archive-sample/config/controlplanemachinesets/cluster.json`:
- Around line 11-13: The sample JSON includes a metadata.namespace field but is
intended to be the non-namespaced archive variant; remove the metadata.namespace
entry (the "namespace": "openshift-machine-api" line under metadata) so the
object is truly non-namespaced, or alternatively convert this file into the
namespaced archive variant by keeping metadata.namespace and ensuring it is
placed under the namespaced output layout; specifically update the JSON that
contains "name": "cluster" and the metadata.namespace key to match the chosen
variant.

In `@pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go`:
- Around line 58-80: The loop is taking the address of the range variable ms
when building record.ResourceMarshaller{Resource: &ms}, which causes every
appended record to point to the same loop variable; fix it by making a local
copy inside the loop (e.g., mscopy := ms), perform the
unstructured.SetNestedField changes against that copy (use mscopy.Object), and
append record.ResourceMarshaller{Resource: &mscopy} to records so each record
references a distinct object instead of the shared range variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5ed3de81-5324-48fc-83eb-3257b3630be8

📥 Commits

Reviewing files that changed from the base of the PR and between 7c277d2 and 699c023.

📒 Files selected for processing (4)

• docs/gathered-data.md
• docs/insights-archive-sample/config/controlplanemachinesets/cluster.json
• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go
• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/gatherers/clusterconfig/gather_control_plane_machine_sets_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Sample location and object namespace are inconsistent.

This file path represents the non-namespaced archive variant, but metadata.namespace is set. With current gatherer logic, this object would be written under config/controlplanemachinesets/{namespace}/{name} instead.

🧩 Suggested adjustment (if this file is intended to represent non-namespaced output)

-        "namespace": "openshift-machine-api",

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/insights-archive-sample/config/controlplanemachinesets/cluster.json`
around lines 11 - 13, The sample JSON includes a metadata.namespace field but is
intended to be the non-namespaced archive variant; remove the metadata.namespace
entry (the "namespace": "openshift-machine-api" line under metadata) so the
object is truly non-namespaced, or alternatively convert this file into the
namespaced archive variant by keeping metadata.namespace and ensuring it is
placed under the namespaced output layout; specifically update the JSON that
contains "name": "cluster" and the metadata.namespace key to match the chosen
variant.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify this exact range-variable-address pattern in the changed file.
rg -n 'for _, ms := range controlPlaneMachineSets.Items' pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go -A30
rg -n 'Resource:\s*&ms' pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go -A2 -B2

Repository: openshift/insights-operator

Length of output: 1121

---

Fix address-of-range-variable capture (&ms) that can corrupt per-item payloads

pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go (lines 58-80) stores record.ResourceMarshaller{Resource: &ms} where ms is the for _, ms := range ... loop variable. In Go, taking the address of the range variable means all appended records can end up referencing the same loop variable (effectively the last element after the loop), producing incorrect/mismatched record payloads.

🔧 Proposed fix

-	for _, ms := range controlPlaneMachineSets.Items {
-		recordName := fmt.Sprintf("config/controlplanemachinesets/%s", ms.GetName())
-		if ms.GetNamespace() != "" {
-			recordName = fmt.Sprintf("config/controlplanemachinesets/%s/%s", ms.GetNamespace(), ms.GetName())
+	for i := range controlPlaneMachineSets.Items {
+		ms := &controlPlaneMachineSets.Items[i]
+		recordName := fmt.Sprintf("config/controlplanemachinesets/%s", ms.GetName())
+		if ms.GetNamespace() != "" {
+			recordName = fmt.Sprintf("config/controlplanemachinesets/%s/%s", ms.GetNamespace(), ms.GetName())
 		}
 
 		// remove the sensitive content by overwriting the values
 		err = unstructured.SetNestedField(ms.Object, nil, "spec", "templates")
 		if err != nil {
@@
 		records = append(records, record.Record{
 			Name: recordName,
-			Item: record.ResourceMarshaller{Resource: &ms},
+			Item: record.ResourceMarshaller{Resource: ms},
 		})
 	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	for _, ms := range controlPlaneMachineSets.Items {
	recordName := fmt.Sprintf("config/controlplanemachinesets/%s", ms.GetName())
	if ms.GetNamespace() != "" {
	recordName = fmt.Sprintf("config/controlplanemachinesets/%s/%s", ms.GetNamespace(), ms.GetName())
	}
	// remove the sensitive content by overwriting the values
	err = unstructured.SetNestedField(ms.Object, nil, "spec", "templates")
	if err != nil {
	klog.Errorf("unable to set nested field: %v", err)
	errs = append(errs, err)
	}
	err = unstructured.SetNestedField(ms.Object, nil, "spec", "template")
	if err != nil {
	klog.Errorf("unable to set nested field: %v", err)
	errs = append(errs, err)
	}
	records = append(records, record.Record{
	Name: recordName,
	Item: record.ResourceMarshaller{Resource: &ms},
	})
	for i := range controlPlaneMachineSets.Items {
	ms := &controlPlaneMachineSets.Items[i]
	recordName := fmt.Sprintf("config/controlplanemachinesets/%s", ms.GetName())
	if ms.GetNamespace() != "" {
	recordName = fmt.Sprintf("config/controlplanemachinesets/%s/%s", ms.GetNamespace(), ms.GetName())
	}
	// remove the sensitive content by overwriting the values
	err = unstructured.SetNestedField(ms.Object, nil, "spec", "templates")
	if err != nil {
	klog.Errorf("unable to set nested field: %v", err)
	errs = append(errs, err)
	}
	err = unstructured.SetNestedField(ms.Object, nil, "spec", "template")
	if err != nil {
	klog.Errorf("unable to set nested field: %v", err)
	errs = append(errs, err)
	}
	records = append(records, record.Record{
	Name: recordName,
	Item: record.ResourceMarshaller{Resource: ms},
	})
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/gatherers/clusterconfig/gather_control_plane_machine_sets.go` around
lines 58 - 80, The loop is taking the address of the range variable ms when
building record.ResourceMarshaller{Resource: &ms}, which causes every appended
record to point to the same loop variable; fix it by making a local copy inside
the loop (e.g., mscopy := ms), perform the unstructured.SetNestedField changes
against that copy (use mscopy.Object), and append
record.ResourceMarshaller{Resource: &mscopy} to records so each record
references a distinct object instead of the shared range variable.

[opokornyy]

/retest

[coderabbitai]

Actionable comments posted: 0

[opokornyy]

/test insights-runtime-extractor-tests

[opokornyy]

/test insights-runtime-extractor-tests

[opokornyy]

/retest

[opokornyy]

/retest

[opokornyy]

/retest

[opokornyy]

/test tls-scanner-job

[opokornyy]

/test tls-scanner

[opokornyy]

/retest

[openshift-ci]

@opokornyy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/insights-operator-e2e-tests	f6f8bbf	link	true	/test insights-operator-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.