Add dataverse exporter sidecar for feedback/transcripts collection

[omkarjoshi0304]

Deploy a dataverse exporter sidecar container that collect user feedback and transcripts from a shared EmptyDir volumeand uploads them to Red Hat Dataverse. The exporter is conditionally deployed only when data collection is enabled (FeedbackDisabled/TranscriptsDisabled both default to false).

Key changes:

• Add exporter container, shared data volume, and config volume to pod spec
• Add exporter ConfigMap reconciliation (create when enabled, delete when disabled)
• Add RBAC for pull-secret and clusterversions access (exporter authentication)
• Add KUTTL test assertions for exporter ConfigMap and updated ClusterRole

Summary by CodeRabbit

• New Features
  • Added support for data collection and automated export to Dataverse when enabled
  • Exporter sidecar container now deployed with the service to handle data export workflows
  • Configurable exporter settings managed through automated configuration

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2ffc37e7-23f2-404e-a4e9-5e8a5bfb2220

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR adds a Dataverse exporter sidecar to LCore deployments when data collection is enabled. The operator now manages an exporter ConfigMap with service ID and ingress configuration, wires the sidecar into the Pod with shared user data volumes, extends RBAC rules to access cluster resources, and validates the setup through KUTTL test assertions.

Changes

Dataverse Exporter Sidecar Integration

Layer / File(s)	Summary
Exporter constants and error types internal/controller/constants.go, internal/controller/errors.go	New constants define the exporter ConfigMap name (lightspeed-exporter-config), container name (lightspeed-to-dataverse-exporter), and user data volume (ols-user-data). A new error type captures ConfigMap creation failures.
Configuration helpers and data collection detection internal/controller/lcore_config.go	isDataCollectionEnabled checks whether feedback or transcripts collection is enabled. buildExporterConfigMap constructs a ConfigMap with the exporter YAML configuration including service ID, ingress endpoint, allowed subdirectories, collection interval, and connection timeout.
LCore Pod template wiring for exporter sidecar internal/controller/lcore_deployment.go	When data collection is enabled, buildLCorePodTemplateSpec adds an EmptyDir volume for shared user data, mounts it into the lightspeed-service-api container, appends a Dataverse exporter sidecar container with explicit resource requests/limits, mounts both the user data and config volumes, and assembles the exporter config path via path.Join.
ConfigMap reconciliation and RBAC updates internal/controller/lcore_reconciler.go	ReconcileLCoreResources gains a Phase-1 task to manage the exporter ConfigMap. reconcileExporterConfigMap creates/patches the ConfigMap when data collection is enabled and deletes it when disabled. The reconcileSARRole ClusterRole rules extend to permit get access for clusterversions (OpenShift) and the pull-secret Secret (core API).
KUTTL test assertions for exporter configuration and RBAC test/kuttl/common/openstack-lightspeed-instance/assert-*, test/kuttl/tests/*/05-assert-exporter-config.yaml	Test suites assert the presence of the exporter ConfigMap with correct configuration parameters and validate the extended ClusterRole rules for clusterversions and pull-secret access across common and scenario-specific test cases.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• openstack-lightspeed/operator#94: Overlaps in controller constants, exporter-related changes, and LCore deployment/reconciler modifications for sidecar container wiring.

Suggested labels

lgtm, approved

Suggested reviewers

• umago
• Akrog

Poem

🐰 A sidecar springs to life,
Dataverse bound with grace,
ConfigMaps hold the settings tight,
Shared volumes find their place,
Data collection takes its flight! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: adding a dataverse exporter sidecar container for collecting feedback and transcripts, which is the primary objective of this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lpiwowar]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

internal/controller/lcore_config.go (3)

210-210: ⚖️ Poor tradeoff

Hardcoded ingress URL may limit environment flexibility.

The ingress_server_url is hardcoded to Red Hat's production console API. Consider making this configurable via the OpenStackLightspeed CR spec to support different environments (dev, staging) or on-premise deployments where users might need to point to a different ingress endpoint.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/lcore_config.go` at line 210, The hardcoded
ingress_server_url value should be made configurable: add a new field (e.g.,
IngressServerURL) to the OpenStackLightspeed CR spec and update the code that
builds lcore_config (the ingress_server_url assignment in
internal/controller/lcore_config.go) to read that field with a sensible default
of "https://console.redhat.com/api/ingress/v1/upload" when the CR value is
empty; ensure the CR field is documented and used wherever lcore_config is
constructed so dev/staging/on‑prem deployments can override the endpoint.

---

209-218: 💤 Low value

Consider using yaml.Marshal for consistency.

The exporter config is built using fmt.Sprintf, while buildLCoreConfigYAML (line 234) uses yaml.Marshal for structured config generation. While the current approach works for this simple static configuration, using yaml.Marshal would provide better consistency and type safety.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/lcore_config.go` around lines 209 - 218, Summary:
exporterConfig is built with fmt.Sprintf instead of using yaml.Marshal like
buildLCoreConfigYAML, reducing consistency and type safety. Replace the raw
fmt.Sprintf block that assigns exporterConfig with a small struct (or map) whose
fields match the YAML keys (service_id, ingress_server_url, allowed_subdirs,
collection_interval, cleanup_after_send, ingress_connection_timeout), set
service_id using ServiceIDRHOSO, call yaml.Marshal on that struct, and assign
the result to exporterConfig; ensure you handle and return/log any marshal error
similarly to other error handling in buildLCoreConfigYAML.

---

211-214: 💤 Low value

Document the purpose of the "config_status" subdirectory.

The allowed_subdirs includes "config_status" in addition to "feedback" and "transcripts", but this is not mentioned in the PR description or comments. Consider adding a comment explaining what data the exporter collects in this subdirectory.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/lcore_config.go` around lines 211 - 214, The
allowed_subdirs list currently includes "config_status" but lacks documentation;
in internal/controller/lcore_config.go add a concise comment near the
allowed_subdirs variable (or the constant/struct that defines it) that explains
the purpose of the "config_status" subdirectory and exactly what data the
exporter writes there (e.g., exporter-generated configuration snapshots,
validation results, status metadata, timestamps, etc.), so reviewers and
maintainers understand what to expect from the exporter and why it's allowed
alongside "feedback" and "transcripts".

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/controller/lcore_deployment.go`:
- Line 131: The exporter sidecar currently sets ImagePullPolicy to
corev1.PullAlways; change this to corev1.PullIfNotPresent in the exporter
container spec (where ImagePullPolicy is assigned for the exporter sidecar) to
improve production stability, and ensure image tags are versioned (not :latest);
optionally make the policy configurable via a constant or Deployment field
(e.g., Exporter ImagePullPolicy variable) so it can be overridden in testing if
needed.

In `@internal/controller/lcore_reconciler.go`:
- Around line 119-130: The RBAC currently grants get access to the "pull-secret"
Secret although no code references it; either remove the Resource/ResourceNames
entry for "secrets"/"pull-secret" from the ClusterRole (to least-privilege) or
explicitly use the secret where intended—e.g., add code that reads the Secret
for image registry credentials or dataverse auth and reference it in deployment
logic; search for clusterversions usage in ocp_version.go and the watch setup in
openstacklightspeed_controller.go to confirm clusterversions stays, and if you
keep the pull-secret permission instead of using it in code, add a short note in
deployment/security docs explaining why the operator needs get on the
"pull-secret" Secret and how it is used.

---

Nitpick comments:
In `@internal/controller/lcore_config.go`:
- Line 210: The hardcoded ingress_server_url value should be made configurable:
add a new field (e.g., IngressServerURL) to the OpenStackLightspeed CR spec and
update the code that builds lcore_config (the ingress_server_url assignment in
internal/controller/lcore_config.go) to read that field with a sensible default
of "https://console.redhat.com/api/ingress/v1/upload" when the CR value is
empty; ensure the CR field is documented and used wherever lcore_config is
constructed so dev/staging/on‑prem deployments can override the endpoint.
- Around line 209-218: Summary: exporterConfig is built with fmt.Sprintf instead
of using yaml.Marshal like buildLCoreConfigYAML, reducing consistency and type
safety. Replace the raw fmt.Sprintf block that assigns exporterConfig with a
small struct (or map) whose fields match the YAML keys (service_id,
ingress_server_url, allowed_subdirs, collection_interval, cleanup_after_send,
ingress_connection_timeout), set service_id using ServiceIDRHOSO, call
yaml.Marshal on that struct, and assign the result to exporterConfig; ensure you
handle and return/log any marshal error similarly to other error handling in
buildLCoreConfigYAML.
- Around line 211-214: The allowed_subdirs list currently includes
"config_status" but lacks documentation; in internal/controller/lcore_config.go
add a concise comment near the allowed_subdirs variable (or the constant/struct
that defines it) that explains the purpose of the "config_status" subdirectory
and exactly what data the exporter writes there (e.g., exporter-generated
configuration snapshots, validation results, status metadata, timestamps, etc.),
so reviewers and maintainers understand what to expect from the exporter and why
it's allowed alongside "feedback" and "transcripts".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25ea4017-87e5-45ac-98da-37329738162e

📥 Commits

Reviewing files that changed from the base of the PR and between e49e5a1 and 158b5ab.

📒 Files selected for processing (24)

• internal/controller/constants.go
• internal/controller/errors.go
• internal/controller/lcore_config.go
• internal/controller/lcore_deployment.go
• internal/controller/lcore_reconciler.go
• test/kuttl/common/openstack-lightspeed-instance/assert-exporter-config.yaml
• test/kuttl/common/openstack-lightspeed-instance/assert-openstack-lightspeed-instance.yaml
• test/kuttl/tests/basic-openstack-lightspeed-configuration/05-assert-exporter-config.yaml
• test/kuttl/tests/basic-openstack-lightspeed-configuration/06-assert-openstack-lightspeed-instance.yaml
• test/kuttl/tests/basic-openstack-lightspeed-configuration/07-cleanup-openstack-lightspeed-instance.yaml
• test/kuttl/tests/basic-openstack-lightspeed-configuration/08-errors-openstack-lightspeed-instance.yaml
• test/kuttl/tests/basic-openstack-lightspeed-configuration/09-cleanup-mock-objects.yaml
• test/kuttl/tests/basic-openstack-lightspeed-configuration/10-errors-mock-objects.yaml
• test/kuttl/tests/update-openstacklightspeed/05-assert-exporter-config.yaml
• test/kuttl/tests/update-openstacklightspeed/06-assert-openstack-lightspeed-instance.yaml
• test/kuttl/tests/update-openstacklightspeed/07-update-openstack-lightspeed-instance.yaml
• test/kuttl/tests/update-openstacklightspeed/08-assert-configmaps-update.yaml
• test/kuttl/tests/update-openstacklightspeed/09-assert-lightspeed-stack-config-update.yaml
• test/kuttl/tests/update-openstacklightspeed/10-assert-llama-stack-config-update.yaml
• test/kuttl/tests/update-openstacklightspeed/11-assert-openstacklightspeed-update.yaml
• test/kuttl/tests/update-openstacklightspeed/12-cleanup-openstack-lightspeed-instance.yaml
• test/kuttl/tests/update-openstacklightspeed/13-errors-openstack-lightspeed-instance.yaml
• test/kuttl/tests/update-openstacklightspeed/14-cleanup-mock-objects.yaml
• test/kuttl/tests/update-openstacklightspeed/15-errors-mock-objects.yaml

[lpiwowar]

Nice one! 👍 Overall looks good to me!:)

[umago]

Code looks good. The only exception is the kubectl issue Lukas pointed out.

[lpiwowar]

Overall LGTM:) 👍 but there is one thing we need to figure out before merging. It looks like the test transcripts and feedback were not sent to https://console.redhat.com/api/ingress/v1/upload during testing. Let's figure out what is happening there. I'm going to take a look.

[lpiwowar]

/lgtm

The code looks OK, but we are currently losing the data somewhere in the pipeline. After discussing this with the team, I agree it might be a good idea to merge it, as it seems to be working (the data gets sent to the endpoint and the configuration seems to be correct). As a follow-up, we just need to figure out what is happening with the data after it gets sent out to console.redhat.com.

[umago]

/approved

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lpiwowar, omkarjoshi0304, umago

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [lpiwowar,umago]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment