Merged
30 commits
88372ac
X-Smart-Branch-Parent: master
JoukoVirtanen Oct 1, 2025
79addc5
Added autolockProcessBaseline.enabled to helm
JoukoVirtanen Aug 19, 2025
875d758
Helm config is used if the manage type is not manual
JoukoVirtanen Aug 19, 2025
a421cd1
Deploy script sets process autolocking via helm
JoukoVirtanen Aug 19, 2025
e2afdd9
Fixed style
JoukoVirtanen Aug 20, 2025
210bb06
Modified test case for better code coverage
JoukoVirtanen Aug 21, 2025
0d1b275
Fixes after rebase
JoukoVirtanen Sep 5, 2025
314ec76
More fixes after rebase
JoukoVirtanen Sep 5, 2025
3aad4b8
Set default for SECURED_CLUSTER_AUTOLOCK_PROCESS_BASELINE
JoukoVirtanen Sep 5, 2025
8eed7a2
Set a default for the setting
JoukoVirtanen Sep 5, 2025
84b7516
Changed autolock to autoLock
JoukoVirtanen Sep 5, 2025
8cfdf93
Fixes after another rebase
JoukoVirtanen Sep 8, 2025
1b3da85
Changed autoLockProcessBaseline to autoLockProcessBaselines
JoukoVirtanen Sep 8, 2025
fd51e28
Split tests. All of them should run
JoukoVirtanen Sep 8, 2025
29a9105
Fixes after rebase
JoukoVirtanen Sep 9, 2025
0b48835
Made env var plural
JoukoVirtanen Sep 9, 2025
a5f4db3
Added tests for process baseline auto locking
JoukoVirtanen Sep 9, 2025
fc2f283
Removed blank line
JoukoVirtanen Sep 10, 2025
062f1c4
Added a unit test for manual managment
JoukoVirtanen Sep 10, 2025
02a4f46
Changed feature flag env var to ROX_AUTO_LOCK_PROCESS_BASELINES
JoukoVirtanen Sep 11, 2025
ebd38f7
cluster-config uses autoLockProcessBaselinesConfig
JoukoVirtanen Sep 15, 2025
11bfe7a
Fixed test
JoukoVirtanen Sep 15, 2025
e750516
Using feature flag in 30-base-config.yaml.htpl
JoukoVirtanen Sep 23, 2025
669b033
Changed ROX_AUTOLOCK_PROCESS_BASELINES to ROX_AUTO_LOCK_PROCESS_BASEL…
JoukoVirtanen Sep 23, 2025
3843997
When the feature is not enabled the feature doesn't appear in the hel…
JoukoVirtanen Sep 23, 2025
613d41a
Fixed indentation
JoukoVirtanen Sep 24, 2025
35a4c28
Not using a feature flag in 30-base-config.yaml.htpl anymore
JoukoVirtanen Sep 24, 2025
e72ed16
Reverted change to test
JoukoVirtanen Sep 24, 2025
2dad5a9
Changed cluster-config.yaml.tpl to cluster-config.yaml.tpl.htpl. Adde…
JoukoVirtanen Sep 30, 2025
2917cf7
Unit tests are now dependent upon the feature flag
JoukoVirtanen Sep 30, 2025
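--- a/central/detection/lifecycle/manager_impl.go
+++ b/central/detection/lifecycle/manager_impl.go
@@ -230,7 +230,11 @@ func (m *managerImpl) isAutoLockEnabledForCluster(clusterId string) bool {
 		return false
 	}
 
-	return cluster.GetDynamicConfig().GetAutoLockProcessBaselinesConfig().GetEnabled()
+	if cluster.GetManagedBy() == storage.ManagerType_MANAGER_TYPE_MANUAL {
+		return cluster.GetDynamicConfig().GetAutoLockProcessBaselinesConfig().GetEnabled()
+	}
+
+	return cluster.GetHelmConfig().GetDynamicConfig().GetAutoLockProcessBaselinesConfig().GetEnabled()
 }
 
 func (m *managerImpl) flushIndicatorQueue() {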
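Review bot: Every cluster whose ManagedBy is anything other than MANUAL is now routed to the Helm-config read on the last added line, and if such a cluster carries no HelmConfig (a MANAGER_TYPE_UNKNOWN record, for instance, if any exist — not shown here) the nil-safe generated getters presumably yield false, so a cluster that had auto-locking enabled through DynamicConfig would silently lose that enforcement setting. Since auto-locking tightens process-baseline enforcement, a silent downgrade is the wrong failure mode; dispatching on whether a Helm config is actually present avoids it: `if cluster.GetManagedBy() == storage.ManagerType_MANAGER_TYPE_MANUAL || cluster.GetHelmConfig() == nil {` keeps the existing DynamicConfig return for that case and falls through to the Helm-config read otherwise. A short comment on the branch stating which config is authoritative for which manager type would also help the next reader. The body of isAutoLockEnabledForCluster begins before this hunk.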
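--- a/central/detection/lifecycle/manager_impl_test.go
+++ b/central/detection/lifecycle/manager_impl_test.go
@@ -27,19 +27,32 @@ import (
 
 var (
 	clusterAutolockEnabled = &storage.Cluster{
-		ManagedBy: storage.ManagerType_MANAGER_TYPE_MANUAL,
-		DynamicConfig: &storage.DynamicClusterConfig{
-			AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{
-				Enabled: true,
+		ManagedBy: storage.ManagerType_MANAGER_TYPE_HELM_CHART,
+		HelmConfig: &storage.CompleteClusterConfig{
+			DynamicConfig: &storage.DynamicClusterConfig{
+				AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{
+					Enabled: true,
+				},
 			},
 		},
 	}
 
 	clusterAutolockDisabled = &storage.Cluster{
+		ManagedBy: storage.ManagerType_MANAGER_TYPE_HELM_CHART,
+		HelmConfig: &storage.CompleteClusterConfig{
+			DynamicConfig: &storage.DynamicClusterConfig{
+				AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{
+					Enabled: false,
+				},
+			},
+		},
+	}
+
+	clusterAutolockManualEnabled = &storage.Cluster{
 		ManagedBy: storage.ManagerType_MANAGER_TYPE_MANUAL,
 		DynamicConfig: &storage.DynamicClusterConfig{
 			AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{
-				Enabled: false,
+				Enabled: true,
 			},
 		},
 	}
@@ -269,6 +282,15 @@ func (suite *ManagerTestSuite) TestAutoLockProcessBaselinesDisabled() {
 	suite.False(enabled)
 }
 
+func (suite *ManagerTestSuite) TestAutoLockProcessBaselinesManual() {
+	clusterId := fixtureconsts.Cluster1
+
+	suite.T().Setenv(features.AutoLockProcessBaselines.EnvVar(), "true")
+	suite.cluster.EXPECT().GetCluster(gomock.Any(), clusterId).Return(clusterAutolockManualEnabled, true, nil)
+	enabled := suite.manager.isAutoLockEnabledForCluster(clusterId)
+	suite.True(enabled)
+}
+
 func (suite *ManagerTestSuite) TestAutoLockProcessBaselinesNoCluster() {
 	clusterId := fixtureconsts.Cluster1
 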
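Review bot: None of the three fixtures carries both a DynamicConfig and a HelmConfig with different Enabled values, so the precedence rule the production change introduces (manual clusters read DynamicConfig, everything else reads HelmConfig) is never actually pinned; an implementation that consulted the wrong one for a manual cluster would still pass TestAutoLockProcessBaselinesManual. A fixture with a conflicting pair and a test asserting the Helm value is ignored for a MANUAL cluster closes that gap; the same pair under MANAGER_TYPE_HELM_CHART with the expectation inverted would cover the other branch. The fixture `var (` block and the suite type are declared outside these hunks.

```go
	// Manual cluster whose Helm config says enabled but whose dynamic config does not;
	// only DynamicConfig may be consulted for manually managed clusters.
	clusterAutolockManualHelmOnly = &storage.Cluster{
		ManagedBy: storage.ManagerType_MANAGER_TYPE_MANUAL,
		DynamicConfig: &storage.DynamicClusterConfig{
			AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{Enabled: false},
		},
		HelmConfig: &storage.CompleteClusterConfig{
			DynamicConfig: &storage.DynamicClusterConfig{
				AutoLockProcessBaselinesConfig: &storage.AutoLockProcessBaselinesConfig{Enabled: true},
			},
		},
	}

// … unchanged: existing suite tests …

func (suite *ManagerTestSuite) TestAutoLockProcessBaselinesManualIgnoresHelmConfig() {
	clusterId := fixtureconsts.Cluster1

	suite.T().Setenv(features.AutoLockProcessBaselines.EnvVar(), "true")
	suite.cluster.EXPECT().GetCluster(gomock.Any(), clusterId).Return(clusterAutolockManualHelmOnly, true, nil)
	suite.False(suite.manager.isAutoLockEnabledForCluster(clusterId))
}
```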
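--- a/deploy/common/k8sbased.sh
+++ b/deploy/common/k8sbased.sh
@@ -651,6 +651,10 @@ function launch_sensor {
         extra_helm_config+=(--set "admissionControl.listenOnEvents=${bool_val}")
     fi
 
+    if [[ "${SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES:-}" == "true" ]]; then
+        extra_helm_config+=(--set "autoLockProcessBaselines.enabled=true")
+    fi
+
     if [[ -n "$ROXCTL_TIMEOUT" ]]; then
         echo "Extending roxctl timeout to $ROXCTL_TIMEOUT"
         extra_config+=("--timeout=$ROXCTL_TIMEOUT")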
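Review bot: The new block can only ever turn the setting on: `SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES=false` is indistinguishable from unset and cannot override a `true` arriving from any other values source, whereas the listenOnEvents block just above passes a normalized `${bool_val}` through in both directions. Pass the value through whenever the variable is set, `if [[ -n "${SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES:-}" ]]; then` / `extra_helm_config+=(--set "autoLockProcessBaselines.enabled=${SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES}")`, or reuse whatever normalization produces bool_val (not visible in this hunk) so that `1`/`True` are handled the same way as for the neighbouring flags. launch_sensor begins and ends outside the hunk.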
Expand Up @@ -29,5 +29,9 @@ clusterConfig:
disableBypass: {{ ._rox.admissionControl.dynamic.disableBypass }}
enforceOnUpdates: {{ ._rox.admissionControl.dynamic.enforceOnUpdates }}
registryOverride: {{ ._rox.registryOverride }}
[<- if .FeatureFlags.ROX_AUTO_LOCK_PROCESS_BASELINES >]
autoLockProcessBaselinesConfig:
enabled: {{ ._rox.autoLockProcessBaselines.enabled }}
[<- end >]
configFingerprint: {{ ._rox._configFP }}
clusterLabels: {{- toYaml ._rox.clusterLabels | nindent 4 }}
Expand Up @@ -144,6 +144,8 @@ collector:
enabled: null # bool
auditLogs:
disableCollection: null # bool
autoLockProcessBaselines:
enabled: null # bool
customize:
labels: {} # dict
annotations: {} # dict
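Review bot: The new `autoLockProcessBaselines.enabled` value is declared here unconditionally, yet the other hunks in this PR only render it into the cluster config (and only give it a default) when the ROX_AUTO_LOCK_PROCESS_BASELINES feature flag is compiled in, so a user who sets it on a build without the flag gets neither an effect nor a warning. Making that dependency visible at the point where people discover the key avoids a false sense of enforcement: `enabled: null # bool; only honored when the ROX_AUTO_LOCK_PROCESS_BASELINES feature flag is enabled`. The mapping this key belongs to starts before this hunk, so whether it sits under `collector:` or at top level is not visible here.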
Expand Up @@ -118,6 +118,11 @@ collector:
auditLogs:
disableCollection: {{ ne ._rox.env.openshift 4 }}

[<- if .FeatureFlags.ROX_AUTO_LOCK_PROCESS_BASELINES >]
autoLockProcessBaselines:
enabled: false
[<- end >]

network:
enableNetworkPolicies: true

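--- a/pkg/features/list.go
+++ b/pkg/features/list.go
@@ -130,7 +130,7 @@ var (
 	LLMRiskRecommendation = registerFeature("Intgrate with LLM for risk recommendations", "ROX_LLM_RISK_RECOMMENDATION")
 
 	// Locks process baselines when their deployments leave the observation period
-	AutoLockProcessBaselines = registerFeature("Locks process baselines when their deployments leave the observation period", "ROX_AUTOLOCK_PROCESS_BASELINES")
+	AutoLockProcessBaselines = registerFeature("Locks process baselines when their deployments leave the observation period", "ROX_AUTO_LOCK_PROCESS_BASELINES")
 )
 
 // The following feature flags are related to Scanner V4.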
Expand Up @@ -33,6 +33,18 @@ func TestWithDifferentFeatureFlags(t *testing.T) {
},
flavor: defaults.RHACSReleaseImageFlavor(),
},
"auto-lock-process-baselines": {
featureFlags: map[string]bool{
"ROX_AUTO_LOCK_PROCESS_BASELINES": true,
},
flavor: defaults.RHACSReleaseImageFlavor(),
},
"auto-lock-process-baselines-disabled": {
featureFlags: map[string]bool{
"ROX_AUTO_LOCK_PROCESS_BASELINES": false,
},
flavor: defaults.RHACSReleaseImageFlavor(),
},
}

for testCaseName, testCaseSpec := range testCases {
@@ -0,0 +1,16 @@
values:
imagePullSecrets:
allowNone: true
tests:
- name: "Process baseline auto-locking should not exist since the feature flag is disabled even if it is enabled in the secured cluster"
values:
autoLockProcessBaselines:
enabled: true
expect: |
.secrets["helm-cluster-config"].stringData["config.yaml"] | fromyaml | .clusterConfig.dynamicConfig.autoLockProcessBaselinesConfig.enabled | assertThat(. == null)
- name: "Process baseline auto-locking should not exist"
values:
autoLockProcessBaelines:
enabled: false
expect: |
.secrets["helm-cluster-config"].stringData["config.yaml"] | fromyaml | .clusterConfig.dynamicConfig.autoLockProcessBaselinesConfig.enabled | assertThat(. == null)
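Review bot: The second test's values key is misspelled, `autoLockProcessBaelines` instead of `autoLockProcessBaselines`, so it sets an unrelated key and exercises the "value unset" path rather than an explicit `enabled: false`; it still passes because the flag-disabled template emits nothing either way, which hides the typo. Fix the key to `autoLockProcessBaselines:`. Unless the chart rejects unknown values keys (not visible here), nothing else will flag this.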
@@ -0,0 +1,16 @@
values:
imagePullSecrets:
allowNone: true
tests:
- name: "Process baseline auto-locking should be enabled"
values:
autoLockProcessBaselines:
enabled: true
expect: |
.secrets["helm-cluster-config"].stringData["config.yaml"] | fromyaml | .clusterConfig.dynamicConfig.autoLockProcessBaselinesConfig.enabled | assertThat(. == true)
- name: "Process baseline auto-locking should be disabled"
values:
autoLockProcessBaelines:
enabled: false
expect: |
.secrets["helm-cluster-config"].stringData["config.yaml"] | fromyaml | .clusterConfig.dynamicConfig.autoLockProcessBaselinesConfig.enabled | assertThat(. == false)
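Review bot: The "should be disabled" case never sets the value it claims to test: its key is `autoLockProcessBaelines` (missing an `s`), so the assertion only observes the chart default, which this PR's defaults file sets to `false`, and an explicit `enabled: false` override is left untested. Change the key to `autoLockProcessBaselines:` and, if the default is worth pinning separately, add a third case with no values that expects `false` as well so default and explicit override stay distinguishable.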
Expand Up @@ -38,7 +38,7 @@ function DynamicConfigurationForm({
}: DynamicConfigurationFormProps) {
const { isFeatureFlagEnabled } = useFeatureFlags();
const isAutoLockProcessBaselinesEnabled = isFeatureFlagEnabled(
'ROX_AUTOLOCK_PROCESS_BASELINES'
'ROX_AUTO_LOCK_PROCESS_BASELINES'
);
const { version } = useMetadata();

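--- a/ui/apps/platform/src/types/featureFlag.ts
+++ b/ui/apps/platform/src/types/featureFlag.ts
@@ -4,7 +4,7 @@
 export type FeatureFlagEnvVar =
     | 'ROX_ACTIVE_VULN_MGMT'
     | 'ROX_ADMISSION_CONTROLLER_CONFIG'
-    | 'ROX_AUTOLOCK_PROCESS_BASELINES'
+    | 'ROX_AUTO_LOCK_PROCESS_BASELINES'
     | 'ROX_CLUSTERS_PAGE_MIGRATION_UI'
     | 'ROX_CUSTOMIZABLE_PLATFORM_COMPONENTS'
     | 'ROX_EXTERNAL_IPS'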