Skip to content

HYPERFLEET-1160 - feat: separate resource_labels table for generic resource labels#270

Open
kuudori wants to merge 1 commit into
openshift-hyperfleet:mainfrom
kuudori:HYPERFLEET-1160-feat-resource-labels
Open

HYPERFLEET-1160 - feat: separate resource_labels table for generic resource labels#270
kuudori wants to merge 1 commit into
openshift-hyperfleet:mainfrom
kuudori:HYPERFLEET-1160-feat-resource-labels

Conversation

@kuudori

@kuudori kuudori commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replace labels JSONB column on resources table with dedicated resource_labels table (composite PK (resource_id, key), FK with CASCADE delete)
  • Add ResourceLabel model, ResourceLabelDao with delete+insert ReplaceLabels, preload labels on all DAO read methods
  • Update service layer: Create/Patch call ReplaceLabels explicitly (DAO uses Omit(clause.Associations))
  • Block labels.xxx TSL search for Resource entities until JOIN-based query support added

Why

JSONB cannot enforce label key uniqueness at DB level, doesn't support efficient label-filter queries without GIN indexes, and conflates user-writable fields with system fields. Separate table enforces uniqueness via composite PK and enables indexed lookups. Per design doc §4.1-4.2.

Test plan

  • All unit tests pass (make test — 1314 tests)
  • All integration tests pass (make test-integration — 237 tests, 3 skipped)
  • Lint clean (golangci-lint — 0 issues)
  • Helm chart tests pass
  • Label round-trip verified: create→get→list→patch flows in channel/version integration tests
  • TestVersionList/ListByLabel skipped — TSL parser needs changes for JOIN-based label queries on separate table

Ticket

https://redhat-internal.atlassian.net/browse/HYPERFLEET-1160

@openshift-ci openshift-ci Bot requested review from Mischulee and tirthct July 2, 2026 15:58
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 49a58b4d-08e1-4905-b147-f67df2e1ce7d

📥 Commits

Reviewing files that changed from the base of the PR and between 9f97971 and 6640b02.

📒 Files selected for processing (15)
  • pkg/api/presenters/resource.go
  • pkg/api/presenters/resource_test.go
  • pkg/api/resource.go
  • pkg/api/resource_label.go
  • pkg/dao/resource.go
  • pkg/dao/resource_label.go
  • pkg/db/migrations/202607010001_add_resource_labels.go
  • pkg/db/migrations/migration_structs.go
  • pkg/db/sql_helpers.go
  • pkg/services/resource.go
  • pkg/services/resource_test.go
  • plugins/resources/plugin.go
  • test/integration/channels_test.go
  • test/integration/resource_helpers.go
  • test/integration/versions_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
✅ Files skipped from review due to trivial changes (2)
  • pkg/api/presenters/resource_test.go
  • pkg/db/sql_helpers.go
🚧 Files skipped from review as they are similar to previous changes (12)
  • test/integration/resource_helpers.go
  • pkg/api/resource.go
  • plugins/resources/plugin.go
  • pkg/dao/resource_label.go
  • test/integration/versions_test.go
  • pkg/services/resource_test.go
  • pkg/db/migrations/202607010001_add_resource_labels.go
  • pkg/db/migrations/migration_structs.go
  • test/integration/channels_test.go
  • pkg/dao/resource.go
  • pkg/api/presenters/resource.go
  • pkg/services/resource.go

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Resources now support labels as structured key/value entries, with labels saved separately and loaded automatically.
    • Label changes are now handled more consistently during create and update actions.
  • Bug Fixes

    • Improved patch behavior so generation updates only when resource data or labels actually change.
    • Empty labels are now handled cleanly and returned as absent rather than blank data.
    • Resources with labels now display and persist labels more reliably across reads and edits.

Walkthrough

Resource labels now use a normalized resource_labels table with ResourceLabel rows instead of a JSONB field. Presenters convert between API maps and label slices, service create/patch persists labels through a dedicated DAO, and DAO queries preload label associations. Label patch handling adds validation, change detection, and soft-delete conflict handling. CWE-20/CWE-915 apply to label validation and assignment paths.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant ResourceService
  participant ResourceDAO
  participant ResourceLabelDAO
  participant Database
  Client->>ResourceService: create or patch resource
  ResourceService->>ResourceDAO: persist resource row
  ResourceService->>ResourceLabelDAO: ReplaceLabels
  ResourceLabelDAO->>Database: delete old labels
  ResourceLabelDAO->>Database: insert label rows
  ResourceService-->>Client: resource with Labels slice
Loading
🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: moving generic resource labels to a separate table.
Description check ✅ Passed The description directly covers the same schema, DAO, service, and search changes in the diff.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No non-test/example log statement logs token/password/credential/secret; connection strings are redacted via LogSafeConnectionString/redactPassword. CWE-532 avoided.
No Hardcoded Secrets ✅ Passed No hardcoded secrets found; matches were test fixtures/placeholders only (e.g. configs/config.yaml.example, test/support/certs.json).
No Weak Cryptography ✅ Passed PASS: Scans of changed Go files and repo-wide Go sources found no crypto/md5, crypto/des, crypto/rc4, SHA1/ECB, or insecure secret comparisons (CWE-327/CWE-208).
No Injection Vectors ✅ Passed PASS: New DB writes use parameterized GORM/Squirrel queries; unsafe fmt.Sprintf inputs are whitelisted/validated (registry kind, UUID ownerID, label regex). No CWE-89/78/79/502.
No Privileged Containers ✅ Passed PASS: no new privileged K8s/OpenShift settings. Dockerfile uses USER root only transiently, then drops to 1001/65532; Helm defaults stay non-root/allowPrivilegeEscalation=false.
No Pii Or Sensitive Data In Logs ✅ Passed No slog/logr/zap/fmt.Print logging was added in touched files; no PII-sensitive log paths found (CWE-532 not triggered).
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
✨ Simplify code
  • Create PR with simplified code

Comment @coderabbitai help to get the list of available commands.

@hyperfleet-ci-bot

hyperfleet-ci-bot Bot commented Jul 2, 2026

Copy link
Copy Markdown

Risk Score: 2 — risk/medium

Signal Detail Points
PR size 369 lines (>200) +1
Sensitive paths none +0
Test coverage Missing tests for: pkg/api pkg/dao pkg/db pkg/db/migrations plugins/resources +1

Computed by hyperfleet-risk-scorer

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/api/presenters/resource.go`:
- Around line 123-132: `convertLabelsToModel` currently forwards user-supplied
label keys and values without enforcing the `ResourceLabel` size limits, so
oversized input falls through as a DB constraint error instead of a validation
error. Add boundary validation in `convertLabelsToModel` for key and value
length (matching the `pkg/api/resource_label.go` limits) and return a typed
validation error before persistence. Update `ConvertResource` to propagate the
new error return, and apply the same validation flow in `applyResourcePatch` so
both create and patch paths reject invalid labels consistently.

In `@pkg/db/migrations/202607010001_add_resource_labels.go`:
- Around line 11-31: The migration in the resource labels `Migrate` function
drops `resources.labels` without preserving existing data, and it has no
rollback path. Before the `ALTER TABLE resources DROP COLUMN IF EXISTS labels`
step, backfill `resource_labels` from the existing `resources.labels` JSONB data
in the same migration, then remove the column only after the copy succeeds. Also
add a `Rollback` for this migration that recreates `resources.labels` and
restores data from `resource_labels` using the migration’s existing symbols
(`Migrate`, `Rollback`, `resource_labels`, `resources.labels`) so rollbacks and
rolling deploys remain safe.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 123fe713-ae4e-4454-b5cf-0d71a78eeefd

📥 Commits

Reviewing files that changed from the base of the PR and between 4c4266f and 4a7c909.

📒 Files selected for processing (15)
  • pkg/api/presenters/resource.go
  • pkg/api/presenters/resource_test.go
  • pkg/api/resource.go
  • pkg/api/resource_label.go
  • pkg/dao/resource.go
  • pkg/dao/resource_label.go
  • pkg/db/migrations/202607010001_add_resource_labels.go
  • pkg/db/migrations/migration_structs.go
  • pkg/db/sql_helpers.go
  • pkg/services/resource.go
  • pkg/services/resource_test.go
  • plugins/resources/plugin.go
  • test/integration/channels_test.go
  • test/integration/resource_helpers.go
  • test/integration/versions_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread pkg/api/presenters/resource.go Outdated
Comment thread pkg/db/migrations/202607010001_add_resource_labels.go
@kuudori kuudori force-pushed the HYPERFLEET-1160-feat-resource-labels branch 2 times, most recently from 32471e8 to 9f97971 Compare July 2, 2026 18:31

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/db/migrations/202607010001_add_resource_labels.go`:
- Around line 12-24: The migration in Migrate creates resource_labels and drops
resources.labels, but it never adds the planned (key, value) index. Update the
migration to create that composite index as part of the same transaction, using
the resource_labels table definition and keeping the existing Exec error
handling consistent. Make sure the new index creation is placed near the table
setup so the schema change fully matches the PR objective.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 956f56ad-d3c4-497f-a25b-608e88b90765

📥 Commits

Reviewing files that changed from the base of the PR and between 32471e8 and 9f97971.

📒 Files selected for processing (15)
  • pkg/api/presenters/resource.go
  • pkg/api/presenters/resource_test.go
  • pkg/api/resource.go
  • pkg/api/resource_label.go
  • pkg/dao/resource.go
  • pkg/dao/resource_label.go
  • pkg/db/migrations/202607010001_add_resource_labels.go
  • pkg/db/migrations/migration_structs.go
  • pkg/db/sql_helpers.go
  • pkg/services/resource.go
  • pkg/services/resource_test.go
  • plugins/resources/plugin.go
  • test/integration/channels_test.go
  • test/integration/resource_helpers.go
  • test/integration/versions_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
✅ Files skipped from review due to trivial changes (3)
  • pkg/db/migrations/migration_structs.go
  • pkg/api/resource_label.go
  • pkg/db/sql_helpers.go
🚧 Files skipped from review as they are similar to previous changes (11)
  • plugins/resources/plugin.go
  • pkg/api/presenters/resource_test.go
  • pkg/api/resource.go
  • pkg/services/resource_test.go
  • pkg/dao/resource.go
  • test/integration/versions_test.go
  • test/integration/channels_test.go
  • test/integration/resource_helpers.go
  • pkg/api/presenters/resource.go
  • pkg/services/resource.go
  • pkg/dao/resource_label.go

Comment thread pkg/db/migrations/202607010001_add_resource_labels.go
@kuudori kuudori force-pushed the HYPERFLEET-1160-feat-resource-labels branch from 9f97971 to 6640b02 Compare July 2, 2026 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant