Make downwardMetric feature gate opt-in

[jcanocan]

What this PR does / why we need it:
The feature gate downwardMetric is an opt-out feature gate. This is due to backward compatibility reasons. Before this feature gate was introduced, it was hardcoded. It makes this feature gate to be disabled by default, leaving this decision to the final user.
Reviewer Checklist

Reviewers are supposed to review the PR for every aspect below one by one. To check an item means the PR is either "OK" or "Not Applicable" in terms of that item. All items are supposed to be checked before merging a PR.

• PR Message
• Commit Messages
• How to test
• Unit Tests
• Functional Tests
• User Documentation
• Developer Documentation
• Upgrade Scenario
• Uninstallation Scenario
• Backward Compatibility
• Troubleshooting Friendly

Jira Ticket:

Release note:

Disable by default the `downwardMetric` feature gate

[jcanocan]

/cc @nunnatsa

[coveralls]

Pull Request Test Coverage Report for Build 8508193253

Details

• 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-0.007%) to 86.061%

---

Totals
Change from base Build 8497598491:	-0.007%
Covered Lines:	5279
Relevant Lines:	6134

---

💛 - Coveralls

[nunnatsa]

Looks good in general. Please also update the e2e defaults test to match this change. It currently fails in ci.

[hco-bot]

hco-e2e-kv-smoke-azure lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-gcp

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-kv-smoke-gcp

In response to this:

hco-e2e-kv-smoke-azure lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nunnatsa]

@jcanocan please also add the default value for the FeatureGates field (line 69), and for the spec field (line 824).

[jcanocan]

Done.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[jcanocan]

Looks good in general. Please also update the e2e defaults test to match this change. It currently fails in ci.

Thanks for the pointer. I wasn't aware of such tests. Done!

[hco-bot]

hco-e2e-consecutive-operator-sdk-upgrades-aws lane succeeded.
/override ci/prow/hco-e2e-consecutive-operator-sdk-upgrades-azure
okd-hco-e2e-upgrade-operator-sdk-aws lane succeeded.
/override ci/prow/okd-hco-e2e-upgrade-operator-sdk-gcp
okd-hco-e2e-operator-sdk-aws lane succeeded.
/override ci/prow/okd-hco-e2e-operator-sdk-gcp
hco-e2e-upgrade-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-operator-sdk-sno-azure
hco-e2e-upgrade-prev-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-operator-sdk-sno-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-consecutive-operator-sdk-upgrades-azure, ci/prow/hco-e2e-upgrade-operator-sdk-sno-azure, ci/prow/hco-e2e-upgrade-prev-operator-sdk-sno-azure, ci/prow/okd-hco-e2e-operator-sdk-gcp, ci/prow/okd-hco-e2e-upgrade-operator-sdk-gcp

In response to this:

hco-e2e-consecutive-operator-sdk-upgrades-aws lane succeeded.
/override ci/prow/hco-e2e-consecutive-operator-sdk-upgrades-azure
okd-hco-e2e-upgrade-operator-sdk-aws lane succeeded.
/override ci/prow/okd-hco-e2e-upgrade-operator-sdk-gcp
okd-hco-e2e-operator-sdk-aws lane succeeded.
/override ci/prow/okd-hco-e2e-operator-sdk-gcp
hco-e2e-upgrade-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-operator-sdk-sno-azure
hco-e2e-upgrade-prev-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-operator-sdk-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nunnatsa]

/retest

[hco-bot]

hco-e2e-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-sno-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-operator-sdk-sno-azure

In response to this:

hco-e2e-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hco-bot]

hco-e2e-operator-sdk-gcp lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-aws
hco-e2e-operator-sdk-gcp lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-operator-sdk-aws, ci/prow/hco-e2e-operator-sdk-azure

In response to this:

hco-e2e-operator-sdk-gcp lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-aws
hco-e2e-operator-sdk-gcp lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hco-bot]

hco-e2e-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-sno-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-operator-sdk-sno-azure

In response to this:

hco-e2e-operator-sdk-sno-aws lane succeeded.
/override ci/prow/hco-e2e-operator-sdk-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hco-bot]

hco-e2e-upgrade-operator-sdk-azure lane succeeded.
/override ci/prow/hco-e2e-upgrade-operator-sdk-aws

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-operator-sdk-aws

In response to this:

hco-e2e-upgrade-operator-sdk-azure lane succeeded.
/override ci/prow/hco-e2e-upgrade-operator-sdk-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nunnatsa]

/test hco-e2e-upgrade-prev-operator-sdk-aws
/test hco-e2e-upgrade-prev-operator-sdk-azure

[kubevirt-bot]

@nunnatsa: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test build-hco-test-utils-image
• /test pull-hyperconverged-cluster-operator-e2e-k8s-1.27
• /test pull-hyperconverged-cluster-operator-e2e-k8s-1.28

Use /test all to run the following jobs that were automatically triggered:

• pull-hyperconverged-cluster-operator-e2e-k8s-1.27
• pull-hyperconverged-cluster-operator-e2e-k8s-1.28

In response to this:

/test hco-e2e-upgrade-prev-operator-sdk-aws
/test hco-e2e-upgrade-prev-operator-sdk-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hco-bot]

hco-e2e-kv-smoke-gcp lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-kv-smoke-azure

In response to this:

hco-e2e-kv-smoke-gcp lane succeeded.
/override ci/prow/hco-e2e-kv-smoke-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nunnatsa]

I think it's OK. @tiraboschi - WDYT? will it work on update?

[hco-bot]

hco-e2e-upgrade-prev-operator-sdk-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-operator-sdk-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-prev-operator-sdk-azure

In response to this:

hco-e2e-upgrade-prev-operator-sdk-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-operator-sdk-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@jcanocan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-hco-e2e-operator-sdk-gcp	8399021	link	true	/test okd-hco-e2e-operator-sdk-gcp
ci/prow/okd-hco-e2e-upgrade-operator-sdk-gcp	8399021	link	true	/test okd-hco-e2e-upgrade-operator-sdk-gcp
ci/prow/hco-e2e-upgrade-prev-operator-sdk-sno-azure	8399021	link	false	/test hco-e2e-upgrade-prev-operator-sdk-sno-azure
ci/prow/hco-e2e-upgrade-operator-sdk-sno-azure	8399021	link	false	/test hco-e2e-upgrade-operator-sdk-sno-azure
ci/prow/hco-e2e-consecutive-operator-sdk-upgrades-azure	8399021	link	true	/test hco-e2e-consecutive-operator-sdk-upgrades-azure
ci/prow/hco-e2e-operator-sdk-aws	8399021	link	true	/test hco-e2e-operator-sdk-aws
ci/prow/hco-e2e-upgrade-operator-sdk-aws	8399021	link	true	/test hco-e2e-upgrade-operator-sdk-aws
ci/prow/hco-e2e-operator-sdk-sno-azure	8399021	link	false	/test hco-e2e-operator-sdk-sno-azure
ci/prow/hco-e2e-kv-smoke-azure	8399021	link	true	/test hco-e2e-kv-smoke-azure
ci/prow/hco-e2e-upgrade-prev-operator-sdk-azure	8399021	link	true	/test hco-e2e-upgrade-prev-operator-sdk-azure

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[hco-bot]

hco-e2e-upgrade-prev-operator-sdk-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-operator-sdk-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-prev-operator-sdk-azure

In response to this:

hco-e2e-upgrade-prev-operator-sdk-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-operator-sdk-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[nunnatsa]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nunnatsa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nunnatsa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jcanocan]

/cherry-pick release-1.11

[kubevirt-bot]

@jcanocan: #2844 failed to apply on top of branch "release-1.11":

Applying: Make `downwardMetric` feature gate opt-in
.git/rebase-apply/patch:401: trailing whitespace.
**Note**: Updates from previous versions require to enable this feature gate if the metrics was used in any 
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	api/v1beta1/hyperconverged_types.go
M	api/v1beta1/zz_generated.defaults.go
M	api/v1beta1/zz_generated.openapi.go
M	config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml
M	controllers/hyperconverged/hyperconverged_controller_test.go
M	controllers/operands/kubevirt.go
M	controllers/operands/kubevirt_test.go
M	deploy/crds/hco00.crd.yaml
M	deploy/hco.cr.yaml
A	deploy/index-image/community-kubevirt-hyperconverged/1.12.0/manifests/hco00.crd.yaml
A	deploy/olm-catalog/community-kubevirt-hyperconverged/1.12.0/manifests/hco00.crd.yaml
M	docs/api.md
M	docs/cluster-configuration.md
M	tests/func-tests/defaults_test.go
M	tests/vendor/github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1/hyperconverged_types.go
M	tests/vendor/github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1/zz_generated.defaults.go
M	tests/vendor/github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1/zz_generated.openapi.go
Falling back to patching base and 3-way merge...
Auto-merging tests/vendor/github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1/zz_generated.openapi.go
Auto-merging tests/vendor/github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1/zz_generated.defaults.go
Auto-merging tests/vendor/github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1/hyperconverged_types.go
Auto-merging tests/func-tests/defaults_test.go
Auto-merging docs/cluster-configuration.md
Auto-merging docs/api.md
Auto-merging deploy/olm-catalog/community-kubevirt-hyperconverged/1.11.1/manifests/hco00.crd.yaml
Auto-merging deploy/index-image/community-kubevirt-hyperconverged/1.11.1/manifests/hco00.crd.yaml
Auto-merging deploy/hco.cr.yaml
Auto-merging deploy/crds/hco00.crd.yaml
Auto-merging controllers/operands/kubevirt_test.go
CONFLICT (content): Merge conflict in controllers/operands/kubevirt_test.go
Auto-merging controllers/operands/kubevirt.go
Auto-merging controllers/hyperconverged/hyperconverged_controller_test.go
Auto-merging config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml
Auto-merging api/v1beta1/zz_generated.openapi.go
Auto-merging api/v1beta1/zz_generated.defaults.go
Auto-merging api/v1beta1/hyperconverged_types.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Make `downwardMetric` feature gate opt-in
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hco-bot]

Rebase Bot action has failed.
Action URL: https://github.com/kubevirt/hyperconverged-cluster-operator/actions/runs/8556193742

[nunnatsa]

@jcanocan - I think we should not take it to 1.11

@tiraboschi WDYT?

[sarahbx]

Hi @nunnatsa , @tiraboschi,
This is recommended to mitigate https://access.redhat.com/security/cve/CVE-2024-31419 upstream for earlier v1 branches.
A more comprehensive solution to this access would be ideal, and I hope we see something in a future release, but currently any existing consumers of this feature on earlier v1 branches would have to disable this cluster-wide feature manually. While this is classified as 'low' impact, it is still a CVE originating from the kubevirt org without explicit admin approval.

[tiraboschi]

This is compatibility breaking change so we need at least an intermediate release (1.11 here) to avoid silently breaking upstream users that are currently relying on that.
By the way this is just a partial mitigation since it could only be enabled or disabled at cluster scope with no more fine grained control: so, if at least one VM in the cluster needs it for a good reason, all the other VMs are still going to have it.
So this is still not the right solution.
I'd suggest to properly fix it instead it with a more fine grained API to limit it only to VMs/namespaces that really need it.