ROX-28780: Unify Sensor endpoint env vars

[vikin91]

Description

ROX_SENSOR_ENDPOINT and ROX_ADVERTISED_ENDPOINT both describe the in-cluster Sensor address but were registered separately, with StripAnyPrefix only on the legacy name. Helm already sets both from sensor.endpoint (default sensor.{{ namespace }}.svc:443), yet compliance used ROX_ADVERTISED_ENDPOINT while admission and scanner v4 used ROX_SENSOR_ENDPOINT. This is ambiguous and we should rather have one variable for configuring this, not two.

Add env.SensorEndpointSetting() to resolve the canonical env var, fall back to the legacy name, and derive sensor.{POD_NAMESPACE}.svc:443 when neither is set. Switch in-cluster callers (compliance, admission, scanner transport) to that helper. Inject ROX_SENSOR_ENDPOINT alongside ROX_ADVERTISED_ENDPOINT in Helm for a safe transition; removal of the legacy env var from charts is follow-up.

Before: compliance connected via ROX_ADVERTISED_ENDPOINT only; unset env
with a wrong namespace default could point at sensor.stackrox.svc.

After: all in-cluster clients use the same resolution order; a custom
namespace works without setting either var when POD_NAMESPACE is present.

Central kubectl bundle rendering (central/clusters/deployer.go) still reads
env.AdvertisedEndpoint directly because Central runs outside the secured
cluster namespace.

Fixes ROX-28780 (follow-up to
ROX-28698).

AI-Assisted: cursor, implementation and tests generated, user reviewed logic

User-facing documentation

• CHANGELOG.md is updated OR update is not needed
• documentation PR is created and is linked above OR is not needed

Testing and quality

• the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests
• added e2e tests
• added regression tests
• added compatibility tests
• modified existing tests

How I validated my change

• Unit tests only

[vikin91]

This change is part of the following stack:

• ROX-28780: Unify Sensor endpoint env vars #20751 ◀

_{Change managed by git-spice.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR migrates sensor endpoint resolution from using advertised endpoint to a new unified SensorEndpointSetting() function with fallback logic. Changes span environment variable registration, Helm templates, and all internal components (compliance, scanner, sensor) that connect to the sensor, including test updates for the new behavior.

Changes

Sensor Endpoint Resolution and Migration

Layer / File(s)	Summary
Sensor endpoint resolution contract and environment variable setup pkg/env/sensor_endpoint.go, pkg/env/sensor_endpoint_test.go, pkg/env/sensor.go, pkg/env/node_index.go	New SensorEndpointSetting() function resolves the sensor endpoint by checking canonical ROX_SENSOR_ENDPOINT, falling back to legacy ROX_ADVERTISED_ENDPOINT, deriving from namespace, and using a hardcoded default. Environment variable registration updated to normalize and strip scheme prefixes. Comprehensive test coverage validates resolution order and edge cases.
Helm template environment variable injection image/templates/helm/stackrox-secured-cluster/templates/collector.yaml.htpl, image/templates/helm/stackrox-secured-cluster/templates/sensor.yaml.htpl	Helm templates now inject ROX_SENSOR_ENDPOINT environment variable into both the collector compliance container and the sensor container, sourced from the chart's sensor endpoint configuration.
Compliance component updates compliance/compliance.go, compliance/node/index/indexer.go, compliance/node/index/indexer_test.go	Compliance app gRPC connection and indexer mapping URL construction now use SensorEndpointSetting() instead of AdvertisedEndpoint.Setting(). Logging reports the resolved sensor endpoint. Tests restructured to validate sensor endpoint with optional legacy fallback behavior.
Scanner component updates scanner/internal/httputil/transport_mux.go, scanner/internal/httputil/transport_mux_test.go	Transport mux now derives sensor hostname via SensorEndpointSetting() instead of SensorEndpoint.Setting(). Tests updated to verify namespace-based endpoint derivation and confirm advertised endpoint is not consulted for sensor routing.
Sensor component updates sensor/admission-control/main.go, sensor/common/sensor/sensor.go	Admission control gRPC connection now calls SensorEndpointSetting() instead of SensorEndpoint.Setting(). Sensor struct removes the unused advertisedEndpoint field; initialization only tracks centralEndpoint.
Helm test validation pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/suite.yaml	Helm test suite updated to validate ROX_SENSOR_ENDPOINT is correctly injected into the sensor container, verifying the template configuration change.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title is concise and directly describes the main change: unifying how Sensor endpoint environment variables are handled across components.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description is comprehensive, detailed, and follows the template structure with all major sections completed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch piotr/ROX-28780-sensor-endpoint-unification

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Build Images Ready

Images are ready for commit 0466f53. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-1098-g0466f53974

[vikin91]

CI e2e fails with Quota 'SSD_TOTAL_GB' exceeded

[openshift-ci]

@vikin91: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/gke-upgrade-tests	0466f53	link	false	/test gke-upgrade-tests
ci/prow/ocp-4-12-compliance-e2e-tests	0466f53	link	false	/test ocp-4-12-compliance-e2e-tests
ci/prow/ocp-4-12-nongroovy-e2e-tests	0466f53	link	false	/test ocp-4-12-nongroovy-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.