[SREP-1814] - Initial working commit for protected labels.

[Mhodesty]

Initial working version of protected labels for the rhobs API. This prevents users from manually patching these values.

% curl -s -X PATCH -H "Content-Type: application/json" \\n  -d '{"status": "active"}' \\n  http://localhost:8081/probes/39d4faed-d0f4-46d2-86f3-114662102d6a
{"error":{"message":"modification of status field is forbidden - it's managed by the system (only deletion via 'deleted' status is allowed)"}}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Mhodesty

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Mhodesty]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.95%. Comparing base (0770693) to head (afe352c).

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #94      +/-   ##
==========================================
+ Coverage   61.44%   62.95%   +1.51%     
==========================================
  Files           6        6              
  Lines         708      737      +29     
==========================================
+ Hits          435      464      +29     
  Misses        232      232              
  Partials       41       41              

Files with missing lines	Coverage Δ
internal/api/server.go	80.47% <100.00%> (+4.04%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jimdaga]

I added a few PR nits.

I also noticed tests are failing because of rpms-signature-scan errors.
I think we already fixed that on main (had to merge a PR) - you may need to rebase?

[jimdaga]

Modifying the "status" data object IS allowed.

We want to let RMO set a terminating status and the Synthetic Agent changes state to active / failed.

It's only the status label: that we're concerned about protecting, and you did that above (aka: probeStatusLabelKey).

It's a little confusing, but you'll see:

• "status": "active" in the `probe-config.json - this is the thing we want to allow to be modified.
• rhobs-synthetics/status: active in the labels: - that's what we're protecting.

ocm backplane elevate "SREP-333" -- get cm -n rhobs-int probe-config-4dd39ee5-42d1-45cc-8b5c-49b1fd8907dc -o yaml
apiVersion: v1
data:
  probe-config.json: '{"id":"4dd39ee5-42d1-45cc-8b5c-49b1fd8907dc","labels":{"cluster-id":"361327b1-5a11-4f06-b75f-268ba6e99dcc","private":"false","tenant":"hcp"},"static_url":"https://api.cs-ci-m7dqj.af4m.i3.devshift.org/livez","status":"active"}'
kind: ConfigMap
metadata:
  creationTimestamp: "2025-09-16T01:20:45Z"
  labels:
    app: rhobs-synthetics-probe
    cluster-id: 361327b1-5a11-4f06-b75f-268ba6e99dcc
    private: "false"
    rhobs-synthetics/static-url-hash: 47d80a225655474a41c076ff2f21fe6c940f93a8e3c848b08bc341afa0ebce0
    rhobs-synthetics/status: active
    tenant: hcp
  name: probe-config-4dd39ee5-42d1-45cc-8b5c-49b1fd8907dc
  namespace: rhobs-int
  resourceVersion: "119427894"
  uid: 407d596d-17a8-4985-9441-689ef1c169d8

TLDR; We don't need validateProtectedFields()

[Mhodesty]

Hi Jim.
I know this is a few weeks old but could you explain what you mean here because I am confused.

You're saying that you want us to still be able to run patch commands on the API to change the status of the probe, but you want me to put something in place so the configMap can't be modified?

[jimdaga]

Should be updated to only call validateProtectedLabels()

[jimdaga]

Revert

[openshift-ci]

@Mhodesty: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/coverage	a130d34	link	true	/test coverage
ci/prow/test	a130d34	link	true	/test test

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.