Add the new mcoa-obs-api as hosts in the observability-server-certs

[coleenquadros]

Summary by CodeRabbit

• New Features

  • Add the mcoa-observatorium API host to observability server certificates.

• Improvements

  • Extend RBAC to allow managing Thanos resources and read-only discovery of route hosts for API endpoints.
  • Allow selecting alternate Observatorium API gateways so the operator can resolve MCOA endpoints.
  • Bump Go toolchain directive (minor build metadata update).

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: coleenquadros

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [coleenquadros]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Exports Obs API gateway constants, adds a second MCOA gateway, updates GetObsAPIExternalURL signature and its call sites, propagates gateway selection through controllers and certificate host generation, extends RBAC for Thanos resources, updates tests, tweaks renderer whitespace, and bumps Go version.

Changes

Cohort / File(s)	Summary
RBAC & Permissions operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml	Added read-only rule for route.openshift.io routes and full management verbs for monitoring.thanos.io resources (thanosreceives, thanosqueries, thanoscompacts, thanosstores, thanosrulers).
Configuration & Gateways operators/multiclusterobservability/pkg/config/config.go, operators/multiclusterobservability/pkg/config/config_test.go	Exported ObsAPIGateway, added McoaObsAPIGateway, changed GetObsAPIExternalURL(...) to accept obsapi string; tests updated to use exported constants and new signature.
Controllers & Reconcilers operators/multiclusterobservability/controllers/.../multiclusterobservability_controller.go, operators/multiclusterobservability/controllers/placementrule/hub_info_secret.go	Updated calls to GetObsAPIExternalURL to pass gateway identifier arguments (e.g., ObsAPIGateway / McoaObsAPIGateway).
Certificates & SANs operators/multiclusterobservability/pkg/certificates/certificates.go	getHosts now appends an in-cluster MCOA service hostname and resolves external MCOA gateway URL via McoaObsAPIGateway, adding hostnames to certificate SANs.
Rendering operators/multiclusterobservability/pkg/rendering/renderer_mcoa.go	Inserted a single blank line inside renderAddonDeploymentConfig; no behavioral change.
Build go.mod	Bumped Go version directive from 1.25.0 to 1.25.1.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Controller as Controller
    participant Config as Config (GetObsAPIExternalURL)
    participant RouteAPI as Cluster Route/Ingress
    participant Certs as Certificates
    participant Renderer as Renderer

    Controller->>Config: GetObsAPIExternalURL(obsapi, namespace)
    Config->>RouteAPI: GetRouteHost(obsapi, namespace)
    RouteAPI-->>Config: return external URL
    Config-->>Controller: return parsed URL (host)
    Controller->>Certs: request SANs (include ObsAPI host, MCOA service)
    Certs-->>Controller: return SAN list
    Controller->>Renderer: pass obsAPIHost and SANs to renderer options
    Renderer-->>Controller: rendered manifests/deployment configs

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

"Two gateways march through the stack, signatures adjusted like gears,
RBAC widened for Thanos, cert SANs stitched across peers.
Tests nudged, go bumped, whitespace tamed — small plumbing, no smoke.
Ship it with vigilance; we're debugging together. 🔍🚨✅"

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: adding MCOA observability API as hosts in server certificates, with supporting RBAC and configuration updates across multiple files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

proxy/pkg/proxy/proxy_test.go (1)

350-356: Disambiguate this subtest name for cleaner failure triage.

Line 350 uses the same name as the existing case at Line 358, so test output gets less searchable (Go adds numeric suffixes behind the scenes). Consider renaming this one to explicitly include the {} matcher variant. Small change, big debugging ergonomics. 🚨

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@proxy/pkg/proxy/proxy_test.go` around lines 350 - 356, Rename the ambiguous
subtest name string in the test table entry that currently reads "should handle
GET to label values endpoint with correct metric" to a unique, explicit name
that indicates the "{} matcher variant (e.g., include "{}` matcher" or "with {}
matcher") so it no longer collides with the other case; update the test case
with that new name where the table item uses method "GET" and path containing
config.RBACProxyLabelMetricName + "{}" to make failures easy to triage (leave
other fields like path, expectedBody and expectedToHandle unchanged).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml`:
- Around line 95-97: The RBAC rule granting verbs
["get","list","watch","create","update","delete","patch"] on apiGroup
"monitoring.thanos.io" for resources
["thanosreceives","thanosqueries","thanoscompacts","thanosstores","thanosrulers"]
is overly permissive; either remove this rule entirely or change the verbs to
read-only ["get","list","watch"] (if only querying), and if mutation verbs are
truly required add an inline comment explaining why full
create/update/delete/patch access to those Thanos CRDs is necessary; update the
ClusterRole entry that declares apiGroups: ["monitoring.thanos.io"] accordingly.

---

Nitpick comments:
In `@proxy/pkg/proxy/proxy_test.go`:
- Around line 350-356: Rename the ambiguous subtest name string in the test
table entry that currently reads "should handle GET to label values endpoint
with correct metric" to a unique, explicit name that indicates the "{} matcher
variant (e.g., include "{}` matcher" or "with {} matcher") so it no longer
collides with the other case; update the test case with that new name where the
table item uses method "GET" and path containing config.RBACProxyLabelMetricName
+ "{}" to make failures easy to triage (leave other fields like path,
expectedBody and expectedToHandle unchanged).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1cf40cdb-886b-4e02-9b1d-61fb8468aae4

📥 Commits

Reviewing files that changed from the base of the PR and between c9f236c and fe64cd7.

📒 Files selected for processing (3)

• operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml
• proxy/pkg/proxy/proxy.go
• proxy/pkg/proxy/proxy_test.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

operators/multiclusterobservability/pkg/config/config_test.go (1)

315-367: ⚠️ Potential issue | 🟡 Minor

Fix undefined constant reference at line 264 in TestGetObsAPIRouteHost. 🚨

The changed test segments (lines 315-367) look solid—routes are created with ObsAPIGateway, calls pass the exported constant, and you've got good coverage on the happy path, custom URL override, and error handling for malformed URLs. That's the foundation we want.

However, the verification uncovered a landmine: Line 264 references obsAPIGateway (unexported), but this constant has no definition anywhere in the config package. That test will fail at runtime or compilation. Update line 264 to use ObsAPIGateway (the exported constant) to match the rest of the codebase—consistency is how we avoid these traps.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@operators/multiclusterobservability/pkg/config/config_test.go` around lines
315 - 367, The test references an undefined, unexported constant obsAPIGateway;
replace that usage with the exported ObsAPIGateway constant so
TestGetObsAPIRouteHost (and related tests like TestGetObsAPIExternalHost /
TestGetObsAPIRouteHost) consistently use ObsAPIGateway when creating routes and
calling GetObsAPIExternalURL/GetObsAPIRouteHost; ensure all occurrences of
obsAPIGateway in the test file are updated to ObsAPIGateway so the code compiles
and uses the defined exported symbol.

🧹 Nitpick comments (1)

operators/multiclusterobservability/controllers/multiclusterobservability/multiclusterobservability_controller.go (1)

256-259: Use config.ObsAPIGateway for consistency at line 256. 🔧

The local obsAPIGateway constant in observatorium.go has the same value as the exported config.ObsAPIGateway. At line 256, passing config.ObsAPIGateway would align with the function's expected input and make the intent clearer.

Note: The local obsAPIGateway constant still needs to exist in observatorium.go since it's used 5+ times for Kubernetes resource naming (concatenated with prefixes for Route and Service names).

♻️ Suggested fix for line 256

-	obsAPIURL, err := config.GetObsAPIExternalURL(ctx, r.Client, obsAPIGateway, config.GetDefaultNamespace())
+	obsAPIURL, err := config.GetObsAPIExternalURL(ctx, r.Client, config.ObsAPIGateway, config.GetDefaultNamespace())

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@operators/multiclusterobservability/controllers/multiclusterobservability/multiclusterobservability_controller.go`
around lines 256 - 259, At the call to GetObsAPIExternalURL in
multiclusterobservability_controller.go replace the local obsAPIGateway argument
with the exported config.ObsAPIGateway to be consistent with the function's
expected input and project conventions; keep the local obsAPIGateway constant in
observatorium.go for resource naming where it’s used elsewhere, and ensure the
call uses config.ObsAPIGateway when invoking GetObsAPIExternalURL (function
name: GetObsAPIExternalURL; identifier to change: obsAPIGateway ->
config.ObsAPIGateway).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@operators/multiclusterobservability/pkg/config/config_test.go`:
- Around line 315-367: The test references an undefined, unexported constant
obsAPIGateway; replace that usage with the exported ObsAPIGateway constant so
TestGetObsAPIRouteHost (and related tests like TestGetObsAPIExternalHost /
TestGetObsAPIRouteHost) consistently use ObsAPIGateway when creating routes and
calling GetObsAPIExternalURL/GetObsAPIRouteHost; ensure all occurrences of
obsAPIGateway in the test file are updated to ObsAPIGateway so the code compiles
and uses the defined exported symbol.

---

Nitpick comments:
In
`@operators/multiclusterobservability/controllers/multiclusterobservability/multiclusterobservability_controller.go`:
- Around line 256-259: At the call to GetObsAPIExternalURL in
multiclusterobservability_controller.go replace the local obsAPIGateway argument
with the exported config.ObsAPIGateway to be consistent with the function's
expected input and project conventions; keep the local obsAPIGateway constant in
observatorium.go for resource naming where it’s used elsewhere, and ensure the
call uses config.ObsAPIGateway when invoking GetObsAPIExternalURL (function
name: GetObsAPIExternalURL; identifier to change: obsAPIGateway ->
config.ObsAPIGateway).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6fa3f800-086b-423d-a5a8-2eec226ca758

📥 Commits

Reviewing files that changed from the base of the PR and between fe64cd7 and 83b9c3b.

📒 Files selected for processing (7)

• operators/multiclusterobservability/controllers/multiclusterobservability/multiclusterobservability_controller.go
• operators/multiclusterobservability/controllers/placementrule/hub_info_secret.go
• operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml
• operators/multiclusterobservability/pkg/certificates/certificates.go
• operators/multiclusterobservability/pkg/config/config.go
• operators/multiclusterobservability/pkg/config/config_test.go
• operators/multiclusterobservability/pkg/rendering/renderer_mcoa.go

✅ Files skipped from review due to trivial changes (1)

• operators/multiclusterobservability/pkg/rendering/renderer_mcoa.go

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml (1)

99-101: ⚠️ Potential issue | 🟠 Major

Thanos CRD permissions are still broader than least privilege requires.

Line 99-101 still grants mutate verbs (create/update/delete/patch) across five monitoring.thanos.io resources without evidence in the provided context of direct write paths. This is the same security concern raised earlier and appears unresolved.

🔒 Tighten to read-only unless write paths are explicitly required

     - apiGroups: ["monitoring.thanos.io"]
       resources: ["thanosreceives", "thanosqueries", "thanoscompacts", "thanosstores", "thanosrulers"]
-      verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+      verbs: ["get", "list", "watch"]

As per coding guidelines, **/manifests/**/*.yaml: “Check for security best practices (RBAC, SecurityContext, NetworkPolicies)”.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml`
around lines 99 - 101, The ClusterRole rule granting apiGroups:
monitoring.thanos.io for resources thanosreceives, thanosqueries,
thanoscompacts, thanosstores, thanosrulers currently includes mutate verbs
(create, update, delete, patch); change those verbs to read-only verbs ("get",
"list", "watch") to follow least-privilege. If any controller truly requires
write access, scope it to the minimal resource(s) and verbs needed or create a
separate ClusterRole/Role for that write path and document the justification;
update the rule that references apiGroups: monitoring.thanos.io and resources:
thanosreceives, thanosqueries, thanoscompacts, thanosstores, thanosrulers
accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml`:
- Around line 95-97: The ClusterRole for
multicluster-observability-addon-manager is under-scoped for
route.openshift.io/routes; update the ClusterRole (resource block currently
listing apiGroups ["route.openshift.io"] resources ["routes"]) to include create
and update permissions (and consider patch) so the addon manager can perform
GenerateAPIGatewayRoute operations called from observatorium.go
(GenerateAPIGatewayRoute at lines ~289 and ~324) without hitting forbidden
errors; ensure the verbs include at least "create" and "update" (plus "patch" if
you use partial updates) in addition to the existing read verbs.

---

Duplicate comments:
In
`@operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml`:
- Around line 99-101: The ClusterRole rule granting apiGroups:
monitoring.thanos.io for resources thanosreceives, thanosqueries,
thanoscompacts, thanosstores, thanosrulers currently includes mutate verbs
(create, update, delete, patch); change those verbs to read-only verbs ("get",
"list", "watch") to follow least-privilege. If any controller truly requires
write access, scope it to the minimal resource(s) and verbs needed or create a
separate ClusterRole/Role for that write path and document the justification;
update the rule that references apiGroups: monitoring.thanos.io and resources:
thanosreceives, thanosqueries, thanoscompacts, thanosstores, thanosrulers
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 66d66897-9007-4bb4-a564-d7a5376d3ee7

📥 Commits

Reviewing files that changed from the base of the PR and between dcf9676 and edea76c.

📒 Files selected for processing (1)

• operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml

[coderabbitai]

♻️ Duplicate comments (1)

operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml (1)

99-101: ⚠️ Potential issue | 🟠 Major

Trim Thanos RBAC verbs or document why full mutation is required.

Lines [99]-[101] grant full write access (create/update/delete/patch) on multiple Thanos CRDs. That’s a bigger wrench than this change appears to need. Please reduce to least privilege (get/list/watch) unless mutation is required, and if required, add an inline rationale in this rule.

🔧 Suggested least-privilege baseline

     - apiGroups: ["monitoring.thanos.io"]
       resources: ["thanosreceives", "thanosqueries", "thanoscompacts", "thanosstores", "thanosrulers"]
-      verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+      verbs: ["get", "list", "watch"]

As per coding guidelines **/manifests/**/*.yaml: "Check for security best practices (RBAC, SecurityContext, NetworkPolicies)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml`
around lines 99 - 101, The ClusterRole rule granting verbs
["create","update","delete","patch"] for apiGroups "monitoring.thanos.io" on
resources
["thanosreceives","thanosqueries","thanoscompacts","thanosstores","thanosrulers"]
is overly permissive; change the verbs to the least-privilege set
["get","list","watch"] unless your controller truly needs to mutate these Thanos
CRDs, and if mutation is required keep only the specific verbs needed and add an
inline YAML comment next to this rule explaining the exact justification
(who/what requires mutation and why) so reviewers can validate the exception.

🧹 Nitpick comments (1)

operators/multiclusterobservability/pkg/config/config.go (1)

402-420: Add input validation to fail fast on empty obsapi parameter.

Since GetObsAPIExternalURL now accepts a free-form gateway name instead of using a hardcoded constant, add a guard to catch empty strings early. Without it, an empty obsapi would result in GetRouteHost constructing an invalid hostname like -namespace.domain in its fallback path.

🛠️ Suggested guard

 func GetObsAPIExternalURL(ctx context.Context, client client.Client, obsapi string, namespace string) (*url.URL, error) {
+	if strings.TrimSpace(obsapi) == "" {
+		return nil, fmt.Errorf("obsapi route name cannot be empty")
+	}
+
 	mco := &observabilityv1beta2.MultiClusterObservability{}
 	err := client.Get(ctx,
 		types.NamespacedName{
 			Name: GetMonitoringCRName(),

All current call sites use constants, so this is defensive housekeeping against future misuse. 🔍

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@operators/multiclusterobservability/pkg/config/config.go` around lines 402 -
420, GetObsAPIExternalURL lacks input validation for the obsapi parameter, so an
empty obsapi can produce invalid hostnames via GetRouteHost; add a guard at the
start of GetObsAPIExternalURL (function GetObsAPIExternalURL) to return a clear
error when obsapi == "" (or strings.TrimSpace(obsapi) == "") before calling
GetRouteHost, returning a descriptive error value so callers fail fast and avoid
constructing invalid hostnames.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In
`@operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml`:
- Around line 99-101: The ClusterRole rule granting verbs
["create","update","delete","patch"] for apiGroups "monitoring.thanos.io" on
resources
["thanosreceives","thanosqueries","thanoscompacts","thanosstores","thanosrulers"]
is overly permissive; change the verbs to the least-privilege set
["get","list","watch"] unless your controller truly needs to mutate these Thanos
CRDs, and if mutation is required keep only the specific verbs needed and add an
inline YAML comment next to this rule explaining the exact justification
(who/what requires mutation and why) so reviewers can validate the exception.

---

Nitpick comments:
In `@operators/multiclusterobservability/pkg/config/config.go`:
- Around line 402-420: GetObsAPIExternalURL lacks input validation for the
obsapi parameter, so an empty obsapi can produce invalid hostnames via
GetRouteHost; add a guard at the start of GetObsAPIExternalURL (function
GetObsAPIExternalURL) to return a clear error when obsapi == "" (or
strings.TrimSpace(obsapi) == "") before calling GetRouteHost, returning a
descriptive error value so callers fail fast and avoid constructing invalid
hostnames.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 14f11b2b-f02d-4a10-b125-cd6b460a67d0

📥 Commits

Reviewing files that changed from the base of the PR and between edea76c and a4c0160.

📒 Files selected for processing (8)

• go.mod
• operators/multiclusterobservability/controllers/multiclusterobservability/multiclusterobservability_controller.go
• operators/multiclusterobservability/controllers/placementrule/hub_info_secret.go
• operators/multiclusterobservability/manifests/base/multicluster-observability-addon/cluster_role.yaml
• operators/multiclusterobservability/pkg/certificates/certificates.go
• operators/multiclusterobservability/pkg/config/config.go
• operators/multiclusterobservability/pkg/config/config_test.go
• operators/multiclusterobservability/pkg/rendering/renderer_mcoa.go

✅ Files skipped from review due to trivial changes (1)

• operators/multiclusterobservability/pkg/rendering/renderer_mcoa.go

🚧 Files skipped from review as they are similar to previous changes (5)

• operators/multiclusterobservability/controllers/placementrule/hub_info_secret.go
• operators/multiclusterobservability/pkg/config/config_test.go
• operators/multiclusterobservability/controllers/multiclusterobservability/multiclusterobservability_controller.go
• go.mod
• operators/multiclusterobservability/pkg/certificates/certificates.go

[coleenquadros]

/test pr-image-mirror-rbac-query-proxy

[openshift-ci]

@coleenquadros: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/test-e2e	1283d18	link	true	/test test-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.