MON: rename remote write SafeAuthorization to Authorization

[marioferh]

Align remote write auth with CMO by replacing SafeAuthorization and BearerToken with type Authorization and a credentials secret reference.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The remote-write authorization union now uses Authorization as the secret-based discriminator value. The Go types and generated CRD schema add the authorization nested secret selector and update validation rules to reject BearerToken and SafeAuthorization along with the legacy fields.

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main change: renaming remote write SafeAuthorization to Authorization.
Description check	✅ Passed	The description is directly related to the change, describing the new Authorization type and secret reference.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The added remoteWrite test titles are static, descriptive strings; none include dates, suffixes, IDs, IPs, or other run-to-run values.
Test Structure And Quality	✅ Passed	PASS: These are declarative schema validation cases, not Ginkgo resource tests; each new case covers one behavior and matches existing YAML test patterns.
Microshift Test Compatibility	✅ Passed	The PR adds YAML schema-validation cases, not new Ginkgo e2e tests, so the MicroShift-specific API/feature checks don’t apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The added remoteWrite auth cases are schema-validation YAML tests only; no Ginkgo code, node-placement logic, or SNO-sensitive assumptions were added.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR only changes remote-write auth API/schema and tests; I found no nodeSelector, affinity, replicas, or topology-related scheduling logic.
Ote Binary Stdout Contract	✅ Passed	PASS: The PR only changes API type definitions and YAML tests; the touched Go file has no fmt/klog/log/Stdout calls or main/init/TestMain/suite hooks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The new cases are declarative onCreate schema-validation tests, not executable e2e logic; no IPv4-only code or external connectivity is present.
No-Weak-Crypto	✅ Passed	Touched files only change API schema/tests; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were introduced.
Container-Privileges	✅ Passed	Scanned the PR files and found no privileged:true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation:true in any manifest.
No-Sensitive-Data-In-Logs	✅ Passed	No new logging calls or debug output were added; changes are API/schema/test-only, with no evidence of secrets being emitted in logs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

Hello @marioferh! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/v1alpha1/types_cluster_monitoring.go`:
- Around line 1675-1677: The comment for RemoteWriteAuthorization states that
exactly one nested config must be set, but this does not accurately reflect the
CEL validation rule which shows that when type is ServiceAccount, credentials
are forbidden, and when type is Authorization, credentials are required. Update
the comment on line 1675-1677 to clarify the actual constraint: that credential
requirements are dependent on the type value, where type Authorization requires
credentials while type ServiceAccount forbids them, ensuring the generated API
documentation accurately describes the validation behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 696d9812-3db2-450a-9d64-9d3f278c1f8f

📥 Commits

Reviewing files that changed from the base of the PR and between c5eb460 and 1bb239b.

⛔ Files ignored due to path filters (6)

• config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (2)

• config/v1alpha1/types_cluster_monitoring.go
• payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml

[marioferh]

@everettraven do we need a tombstone here?

[marioferh]

related: openshift/cluster-monitoring-operator#2953

[simonpasquier]

authorization is modeled after https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Authorization and has 2 properties:

• authz scheme, e.g. Bearer. Only Basic-Auth should be forbidden.
• authz parameters (or credentials), e.g. the bearer token value.

See also https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization

[marioferh]

authorization is modeled after https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Authorization and has 2 properties:

* [authz scheme](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Authentication#authentication_schemes), e.g. `Bearer`. Only `Basic-Auth` should be forbidden.

* authz parameters (or credentials), e.g. the bearer token value.

See also https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.SafeAuthorization

ty

[everettraven]

A few comments. We need to align with DU patterns and tombstone removed fields/values.

[everettraven]

Following discriminated union patterns, this field name would need to be authorization.

[marioferh]

done

[everettraven]

The removed fields must be tombstoned so we never add them back in the future for this api version.

[marioferh]

done

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml`:
- Around line 3501-3503: Update the generated CRD field descriptions for the
legacy bearerToken-related fields so they no longer describe them as normal
SecretKeySelectors; mark them as deprecated and rejected to match the validation
behavior in the ClusterMonitoring CRD. Make the change in the source that
generates the CRD docs (not by hand-editing the manifest), then regenerate the
manifest so the descriptions for the affected fields reflect the tombstone
status consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a1fa1f7e-16e4-4948-9b2d-53d7e2768d36

📥 Commits

Reviewing files that changed from the base of the PR and between 1bb239b and 62a162b.

⛔ Files ignored due to path filters (6)

• config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (2)

• config/v1alpha1/types_cluster_monitoring.go
• payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml

[everettraven]

Aside from some tombstoning corrections, this change seems fine to me.

Are there any integration test changes that need to happen since we are removing some fields?

[everettraven]

Comment the actual constants out so they can't be used by clients.

[marioferh]

done

[everettraven]

These fields need to be commented out to be tombstoned so that they no longer appear in the API surface and are not included in the generated CRD schema.

[marioferh]

done

[marioferh]

There were no existing integration tests for the removed fields. I added some test for new fields

[coderabbitai]

🧹 Nitpick comments (1)

config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml (1)

2970-2983: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add the matching SafeAuthorization rejection case.

This test covers the removed BearerToken discriminator, but the API contract also tombstones SafeAuthorization. Add the same unsupported-value coverage for type: SafeAuthorization so both removed values are protected by tests.

Suggested additional test

     - name: Should reject prometheusConfig remoteWrite deprecated BearerToken type
       initial: |
         apiVersion: config.openshift.io/v1alpha1
         kind: ClusterMonitoring
@@
                 authorization:
                   type: BearerToken
       expectedError: 'spec.prometheusConfig.remoteWrite[0].authorization.type: Unsupported value: "BearerToken": supported values: "Authorization", "BasicAuth", "OAuth2", "SigV4", "ServiceAccount"'
+    - name: Should reject prometheusConfig remoteWrite deprecated SafeAuthorization type
+      initial: |
+        apiVersion: config.openshift.io/v1alpha1
+        kind: ClusterMonitoring
+        spec:
+          userDefined:
+            mode: "Disabled"
+          prometheusConfig:
+            remoteWrite:
+              - name: primary
+                url: https://example.com/api/v1/write
+                authorization:
+                  type: SafeAuthorization
+      expectedError: 'spec.prometheusConfig.remoteWrite[0].authorization.type: Unsupported value: "SafeAuthorization": supported values: "Authorization", "BasicAuth", "OAuth2", "SigV4", "ServiceAccount"'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml`
around lines 2970 - 2983, The remoteWrite validation tests only cover the
removed BearerToken discriminator; add a matching rejection case for the removed
SafeAuthorization discriminator in the same ClusterMonitoringConfig test group.
Update the test data near the existing remoteWrite authorization cases so the
spec.prometheusConfig.remoteWrite[].authorization.type path also asserts
Unsupported value for SafeAuthorization, using the same style as the current
deprecated BearerToken coverage.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml`:
- Around line 2970-2983: The remoteWrite validation tests only cover the removed
BearerToken discriminator; add a matching rejection case for the removed
SafeAuthorization discriminator in the same ClusterMonitoringConfig test group.
Update the test data near the existing remoteWrite authorization cases so the
spec.prometheusConfig.remoteWrite[].authorization.type path also asserts
Unsupported value for SafeAuthorization, using the same style as the current
deprecated BearerToken coverage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f752a38c-370c-4334-9a3a-cfdd0a38eb04

📥 Commits

Reviewing files that changed from the base of the PR and between 08db43d and a62c989.

⛔ Files ignored due to path filters (6)

• config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• config/v1alpha1/zz_generated.featuregated-crd-manifests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• openapi/openapi.json is excluded by !openapi/**

📒 Files selected for processing (3)

• config/v1alpha1/tests/clustermonitorings.config.openshift.io/ClusterMonitoringConfig.yaml
• config/v1alpha1/types_cluster_monitoring.go
• payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml

💤 Files with no reviewable changes (1)

• payload-manifests/crds/0000_10_config-operator_01_clustermonitorings.crd.yaml

[everettraven]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change
/test minor-e2e-upgrade-minor

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [everettraven]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everettraven]

TPNU only v1alpha1 API and properly tombstones. Overriding failures because of field removal.

/override ci/prow/verify-crd-schema
/override ci/prow/verify-crdify

[openshift-ci]

@everettraven: Overrode contexts on behalf of everettraven: ci/prow/verify-crd-schema, ci/prow/verify-crdify

Details

In response to this:

TPNU only v1alpha1 API and properly tombstones. Overriding failures because of field removal.

/override ci/prow/verify-crd-schema
/override ci/prow/verify-crdify

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@marioferh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure	a62c989	link	true	/test e2e-azure
ci/prow/e2e-gcp	a62c989	link	true	/test e2e-gcp
ci/prow/e2e-aws-ovn-hypershift	a62c989	link	true	/test e2e-aws-ovn-hypershift
ci/prow/e2e-aws-ovn-techpreview	a62c989	link	true	/test e2e-aws-ovn-techpreview
ci/prow/minor-e2e-upgrade-minor	a62c989	link	true	/test minor-e2e-upgrade-minor
ci/prow/e2e-aws-ovn-hypershift-conformance	a62c989	link	true	/test e2e-aws-ovn-hypershift-conformance

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.