feat: Feature flags configMap pull and prevents pulling non-sumo conf… #4103
dhruv-shah-sumo wants to merge 1 commit into main from
cd4b2da to 629beb7
…igmaps. Signed-off-by: Dhruv Shah <dhruv.shah@sumologic.com>
629beb7 to 2221e73
| match_type: regexp | ||
| record_attributes: | ||
| - key: configmap_name | ||
| value: ^{{ .Release.Name }}-(sumologic-metrics-collector|sumologic-metrics-targetallocator|sumologic-otelcol-events|sumologic-otelcol-instrumentation|sumologic-otelcol-logs|sumologic-otelcol-logs-collector|sumologic-otelcol-metrics|sumologic-pvc-cleaner|sumologic-traces-gateway|sumologic-traces-sampler)(-[0-9a-zA-Z]+)?$ |
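Review bot: In the `value:` line, `{{ .Release.Name }}` is interpolated into the regexp unescaped and the literal `sumologic-` segment is hard-coded after it, so the match depends on the release name containing no regex metacharacters and on the rendered ConfigMap prefix being exactly `<release>-sumologic`. Consider piping the release name through `regexQuoteMeta` and deriving the prefix from the chart's own naming helper instead of a literal, so the filter cannot drift from the names the chart renders. The optional `(-[0-9a-zA-Z]+)?` suffix accepts any single alphanumeric segment, so a comment stating which generated names it is meant to cover would help the next reader.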
This regex might fail if release name is longer than 13 characters since we have a limit on ReleaseName + chartName to 22 chars.
https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/deploy/helm/sumologic/templates/_helpers/_common.tpl#L11
if releaseName = prodKafkaZookeeper
Then prodKafkaZookeeper-sum-metrics-collector will be the metrics pod name.
- Since we already have namespace filter in receiver itself, would it be fine just to have something like
  .(metrics-collector|metrics-targetallocator|otelcol-events|otelcol-instrumentation|otelcol-logs|otelcol-logs-collector|otelcol-metrics|pvc-cleaner|traces-gateway|traces-sampler).
- Also another alternate approach would be using labels in configmap to determine if configmap belongs to sumologic. We always have label, chart: sumologic as constant.
https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/deploy/helm/sumologic/templates/_helpers/_common.tpl#L316
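The naming concern raised in the review comment above, as an added example (not code from the PR or the chart): it evaluates the PR's anchored regex, a component-only pattern, and the `chart: sumologic` label check against constructed ConfigMap names. The 22-character truncation in `fullname` and the unanchored form of the component-only pattern are assumptions based on the comment's description.

```python
import re

# Component names taken from the regex in the PR hunk.
COMPONENTS = [
    "metrics-collector", "metrics-targetallocator", "otelcol-events",
    "otelcol-instrumentation", "otelcol-logs", "otelcol-logs-collector",
    "otelcol-metrics", "pvc-cleaner", "traces-gateway", "traces-sampler",
]

def fullname(release, chart="sumologic", limit=22):
    # Assumption from the review comment: release + "-" + chart is cut to 22 chars.
    return f"{release}-{chart}"[:limit].rstrip("-")

def pr_regex(release):
    # The PR's pattern as Helm would render it: release name interpolated as-is.
    alt = "|".join(f"sumologic-{c}" for c in COMPONENTS)
    return re.compile(rf"^{release}-({alt})(-[0-9a-zA-Z]+)?$")

# Component-only alternative from the review, modelled as an unanchored search (assumption).
COMPONENT_ONLY = re.compile("(" + "|".join(COMPONENTS) + ")")

def has_chart_label(labels):
    # Label key and value as stated in the review comment.
    return labels.get("chart") == "sumologic"

def classify(release, configmaps):
    """Return {name: (pr_regex, component_only, label)} match results."""
    pattern = pr_regex(release)
    return {
        cm["name"]: (
            bool(pattern.search(cm["name"])),
            bool(COMPONENT_ONLY.search(cm["name"])),
            has_chart_label(cm["labels"]),
        )
        for cm in configmaps
    }

# Constructed namespace contents for a long release name.
LONG_RELEASE = "prodKafkaZookeeper"
SAMPLE = [
    {"name": f"{fullname(LONG_RELEASE)}-metrics-collector", "labels": {"chart": "sumologic"}},
    {"name": "payments-otelcol-logs-overrides", "labels": {"app": "payments"}},
    {"name": "kube-root-ca.crt", "labels": {}},
]

if __name__ == "__main__":
    for name, (pr, comp, label) in classify(LONG_RELEASE, SAMPLE).items():
        print(f"{name:45} pr_regex={pr} component_only={comp} label={label}")
```

On the constructed sample the anchored regex misses the chart's own truncated name, while the component-only pattern also matches an unrelated application ConfigMap; only the label check separates the two.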
Pull request overview
Adds a Helm chart feature flag to control whether the Events OTel Collector reports (exports) Kubernetes ConfigMaps, and narrows what gets exported to a Sumo Logic–related subset to address forced ConfigMap logging concerns raised in #4102.
Changes:
- Introduces `otelevents.reportConfigMaps` (default `true`) to enable/disable the ConfigMap receiver + pipeline.
- Adds an OTel transform + filter processor to only export matching Sumo Logic collection ConfigMaps.
- Updates Helm goldenfiles and chart documentation/changelog to reflect the new option.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| deploy/helm/sumologic/conf/events/otelcol/config.yaml | Gates ConfigMap receiver/pipeline behind reportConfigMaps and adds transform+filter processors. |
| deploy/helm/sumologic/values.yaml | Adds the new otelevents.reportConfigMaps value with default true. |
| deploy/helm/sumologic/README.md | Documents the new Helm value in the parameters table. |
| tests/helm/testdata/goldenfile/events_otc/basic.output.yaml | Updates expected rendered config to include new processors for default behavior. |
| tests/helm/testdata/goldenfile/events_otc/sumologic-mock.output.yaml | Updates expected rendered config for mock exporter scenario. |
| tests/helm/testdata/goldenfile/events_otc/options.input.yaml | Adds reportConfigMaps: false test input. |
| tests/helm/testdata/goldenfile/events_otc/options.output.yaml | Updates expected output to remove ConfigMap receiver/pipeline when disabled. |
| .changelog/4103.added.txt | Adds changelog entry for the feature flag and filtering behavior. |
| - name: configmaps | ||
| # Only pull sumologic configmaps every day | ||
| namespaces: | ||
| - {{ .Release.Namespace | quote }} | ||
| mode: pull | ||
| interval: 24h |
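Review bot: The comment `# Only pull sumologic configmaps every day` does not match the receiver settings under it: `namespaces` with `mode: pull` and no name or label selector in these lines means every ConfigMap in the release namespace is read every 24h. Reword the comment to say the whole namespace is pulled and that any restriction to Sumo Logic ConfigMaps has to come from a later processor, or narrow the pull itself if the receiver supports a selector.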
The receiver still pulls all ConfigMaps in the release namespace; the filtering happens later in the pipeline, so this comment is misleading. Please update it to reflect that only exporting/reporting is restricted (and if the goal is to truly restrict API pulls, consider using a receiver-level selector if supported).
| @@ -0,0 +1 @@ | |||
| feat: Feature flags configMap pull and prevents pulling non-sumo configmaps. No newline at end of file | |||
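Review bot: The single added line ends without a trailing newline (`No newline at end of file`) and does not name the Helm value that controls the feature. Add the newline and mention the option by name so a user reading the changelog can find the flag to turn reporting off.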
This changelog entry says it “prevents pulling non-sumo configmaps”, but the implementation still pulls all ConfigMaps from the namespace and only filters what gets exported/reported. Please adjust the wording to avoid implying receiver-side filtering.
How to disable this configmap reporting to sumo?
NOTE: This feature does not pull any secret from the user's environment. Only sumologic collection related configmaps are being pulled.
#4102
Checklist