fix(kubeapifilter): add missing logic for omitManagedFields

[jcantrill]

LOG-9388

Description

This PR:

• adds missing logic for omitingManagedFields when specified using the kubeAPIAudit filter

Links

• https://redhat.atlassian.net/browse/LOG-9388

cc @vparfonov @Clee2691

Summary by CodeRabbit

• New Features

  • Added OmitManagedFields option for audit policies (defaults false); when enabled, managed fields are removed from root metadata as well as request and response object metadata in audit events.

• Tests

  • Added unit and functional tests covering VRL/template generation and runtime behavior for OmitManagedFields set true, false, and unset, ensuring correct removal or preservation of managed fields.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds OmitManagedFields support to the KubeAPIAudit VRL template and tests. The template emits an omit_managed flag set from the rule option and conditionally deletes metadata.managedFields from root, request, and response. Unit and functional tests validate true, false, and unset cases.

Changes

OmitManagedFields filtering support

Layer / File(s)	Summary
VRL template implementation internal/generator/vector/filter/apiaudit/policy.vrl.tmpl	Template adds omit_managed (default false), assigns it from .OmitManagedFields when present, and emits conditional deletion of metadata.managedFields from root, .requestObject.metadata, and .responseObject.metadata when true.
VRL generation test suite internal/generator/vector/filter/apiaudit/filter_test.go	Ginkgo unit tests generate VRL for rules with OmitManagedFields true, false, and unset; they assert the omit_managed initialization, absence/presence of omit_managed = true/false, and deletion or conditional deletion code is present in the generated VRL string.
Functional filter tests test/functional/filters/apiaudit/vrl/filter_test.go	Functional tests build events with ManagedFields on request/response PartialObjectMetadata and root-level metadata, asserting the filter removes them when OmitManagedFields: true and preserves them when false or unset.
PrometheusExporter formatting internal/generator/vector/api/sinks/prometheus_export.go	Whitespace/alignment changes to PrometheusExporter struct fields; no semantic or tag changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nibbled through the template tight,
Hid managed fields away from sight,
Request and response now clean and spare,
Tests hopped round to make sure they're there.
A tidy patch — I left a little flare.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description references a JIRA issue and explains the purpose, but lacks key sections from the template like /assign, /cc with proper reviewer assignments, and detailed context or rationale.	Add /assign and /cc directives with reviewer names, expand the Description section with more context about the issue being addressed and implementation details.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding missing logic for omitManagedFields in the kubeapifilter.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcantrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jcantrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/generator/vector/filter/apiaudit/policy.vrl.tmpl`:
- Around line 33-35: The template is emitting an internal flag into the event
payload via `.omit_managed_fields = {{.OmitManagedFields}}`; instead, capture
the input flag into a local template variable (e.g. `{{- $omitManaged :=
.OmitManagedFields}}`) and use that local variable for any conditional logic,
then remove the `.omit_managed_fields = ...` assignment so the internal control
flag is not written to the output event; update any references in this template
that used `.OmitManagedFields` to use the new local `$omitManaged` variable
instead.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 25a4ed72-e58e-4f7e-b665-7241771baf5d

📥 Commits

Reviewing files that changed from the base of the PR and between 1e78ce5 and aec2599.

📒 Files selected for processing (2)

• internal/generator/vector/filter/apiaudit/filter_test.go
• internal/generator/vector/filter/apiaudit/policy.vrl.tmpl

[jcantrill]

/hold

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/functional/filters/apiaudit/vrl/filter_test.go`:
- Around line 240-350: The test assigns v1.PartialObjectMetadata directly to
Event.RequestObject/ResponseObject but those fields are *runtime.Unknown after
Filtered() marshaling; change createEventWithManagedFields to set RequestObject
and ResponseObject to &runtime.Unknown containing the JSON-marshaled
PartialObjectMetadata (set ContentType to "application/json"), and update
assertions in the three its to first type-assert to *runtime.Unknown (from
filtered.RequestObject/ResponseObject), then json.Unmarshal respUnknown.Raw into
a v1.PartialObjectMetadata to inspect ObjectMeta.ManagedFields; reference
symbols: createEventWithManagedFields, Event.RequestObject,
Event.ResponseObject, Filtered(), and v1.PartialObjectMetadata.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2f37ae64-c6f7-4925-bfcd-edf16ad45c4c

📥 Commits

Reviewing files that changed from the base of the PR and between aec2599 and 4d7f502.

📒 Files selected for processing (3)

• internal/generator/vector/filter/apiaudit/filter_test.go
• internal/generator/vector/filter/apiaudit/policy.vrl.tmpl
• test/functional/filters/apiaudit/vrl/filter_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• internal/generator/vector/filter/apiaudit/policy.vrl.tmpl

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/functional/filters/apiaudit/vrl/filter_test.go`:
- Around line 268-269: The test currently ignores errors from json.Marshal
(e.g., the reqJSON, respJSON assignments), which can mask setup failures; update
each json.Marshal call in filter_test.go to check the returned error and fail
the test immediately (use t.Fatalf or require.NoError) when marshal
fails—specifically handle the errors for reqJSON and respJSON and the other
marshal/unmarshal occurrences noted (around the other
json.Marshal/json.Unmarshal calls) so failures surface clearly during test
setup.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a4b7c3e3-682e-4fb5-bd4a-4a274e9cc8fc

📥 Commits

Reviewing files that changed from the base of the PR and between 4d7f502 and 2ab0334.

📒 Files selected for processing (4)

• internal/generator/vector/api/sinks/prometheus_export.go
• internal/generator/vector/filter/apiaudit/filter_test.go
• internal/generator/vector/filter/apiaudit/policy.vrl.tmpl
• test/functional/filters/apiaudit/vrl/filter_test.go

✅ Files skipped from review due to trivial changes (1)

• internal/generator/vector/api/sinks/prometheus_export.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Handle JSON errors explicitly in test helpers.

Ignoring marshal/unmarshal errors here can hide setup failures and produce less actionable test failures.

Suggested patch

-			reqJSON, _ := json.Marshal(reqObj)
-			respJSON, _ := json.Marshal(respObj)
+			reqJSON, err := json.Marshal(reqObj)
+			Expect(err).NotTo(HaveOccurred())
+			respJSON, err := json.Marshal(respObj)
+			Expect(err).NotTo(HaveOccurred())
@@
-				eventJSON, _ := json.Marshal(event)
+				eventJSON, err := json.Marshal(event)
+				Expect(err).NotTo(HaveOccurred())
@@
-				_ = json.Unmarshal(eventJSON, &eventMap)
+				err = json.Unmarshal(eventJSON, &eventMap)
+				Expect(err).NotTo(HaveOccurred())
@@
-				modifiedJSON, _ := json.Marshal(eventMap)
+				modifiedJSON, err := json.Marshal(eventMap)
+				Expect(err).NotTo(HaveOccurred())
 				return modifiedJSON

Also applies to: 370-370, 374-374, 383-383

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/functional/filters/apiaudit/vrl/filter_test.go` around lines 268 - 269,
The test currently ignores errors from json.Marshal (e.g., the reqJSON, respJSON
assignments), which can mask setup failures; update each json.Marshal call in
filter_test.go to check the returned error and fail the test immediately (use
t.Fatalf or require.NoError) when marshal fails—specifically handle the errors
for reqJSON and respJSON and the other marshal/unmarshal occurrences noted
(around the other json.Marshal/json.Unmarshal calls) so failures surface clearly
during test setup.

[jcantrill]

/retest

[openshift-ci]

@jcantrill: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/functional-target	2ab0334	link	true	/test functional-target
ci/prow/e2e-target	2ab0334	link	true	/test e2e-target

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.