feat(operator): deprecate operatorconfig.collection.filter.matchOneOf

[bwplotka]

After time we realized that a bug caused the operator config export filtering logic to be not used from the GMP 0.14 release onwards. We decided to keep this field NOT applicable (changing this field being noop) going forward, so this PR makes the deprecation/removal of this functionality clear with the operation and export code removed.

• This feature since the beginning was extremely hard to use and confusing to users, users constantly assumed list of matchers are "AND-ed" while they are "OR-ed" or they are were filtering partial histograms (demo).
• This feature is not stopping collectors (Prometheus) to scrape the filtered out series, it only NOT send them forward. This limits the use of them for collector efficiency scenarios.
• We have evidences of users already starting to "misconfigure" their collection with this field, but they were "lucky" those filters are accidently turned off. "Fixing" them will immediately break those users in a hidden way.
• Finally, better alternatives exists https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed#filter-metrics

This feature, for dynamic config based setting in export pkg is already deprecated: GoogleCloudPlatform/prometheus#237

Post-mortem

For security hardening, when introducing reloadable config pieces (compression, credentials and matchers) in 0.14 we updated export package to load things from the correct place, but the matchers are initialized and copied into seriesCache and never updated later:

prometheus-engine/pkg/export/export.go

Line 419 in 10c5314

seriesCache: newSeriesCache(logger, reg, opts.MetricTypePrefix, opts.Matchers),

This affects both collector and rule-eval AFAIK.

We didn't have a good tests to test this e2e too.

AIs:

• Update public docs
• Remove this functionality (this PR and future)
• Ensure proper e2e test coverage of compression option (credentialFile is tested).
• Add this deprecation to the 0.14 changelog

NOTE: We don't plan to add deprecation warning to 0.15.

[bwplotka]

Updated changelog as well https://github.com/GoogleCloudPlatform/prometheus-engine/releases/tag/v0.14.0#:~:text=EDIT(June%202025,breakage%20before%20release.

[pintohutch]

prometheus-engine/pkg/export/export.go

Lines 1097 to 1107 in 77f0a33

	func (m *Matchers) Matches(lset labels.Labels) bool {
	if len(*m) == 0 {
	return true
	}
	for _, sel := range *m {
	if sel.Matches(lset) {
	return true
	}
	}
	return false
	}

is a logical OR, no?

[lyanco]

I'm not sure anymore whether it was an OR or an AND... but also I very much remember people shooting themselves in the foot with this back in 2022 because it wasn't implemented the way people thought it would be implemented, to the point where we had to change the examples in the docs to be negative matchers on metrics that don't exist because people kept copy-pasting the older examples verbatim and accidentally filtering out all their metrics.

[bwplotka]

Yup, double checked and indeed it's OR-ed, which only proves user can get misleading. Another (production cx) example is with broken histograms (demo).

Anyway, PR still stands I think we should proceed PTAL @pintohutch @dashpole

@lyanco you are ok with this approach (deprecating and removing?)

[bwplotka]

While we wished we could reenabled this under some different, bit easier to use config API surface, the decision with @lyanco is to remove it for as other alternatives exists and focus on more important tasks.

[dashpole]

approving go code changes. I don't have context on whether this is a good idea or not :)

[bwplotka]

NOTE: Tests are failing on some struct unmarshalling. I fixed those errors on #1711 and I expect #1711 to be merged first and this conflict resolved and merged.

[pintohutch]

Given the footgun-ness of the feature as Lee described, I agree we should proceed with the PRs and be explicit in our kubebuilder tags to mark the CR field as deprecated.

[bwplotka]

Should be rdy for review PTAL!

[bernot-dev]

Looks like tests are still failing.

[bwplotka]

Looks like tests are still failing.

Yea, I mentioned this on our standup. It's odd.. couldn't figure out why without local debugging session to do... will check tomorrow ):

[bwplotka]

OK, I found the bug -- it's due to me extending the tests, not related to this change.

Fixed in another PR (#1751) and chained this PR on it.

[bwplotka]

Don't merge before #1751 is merged pls (:

[bwplotka]

Given new revelations, let's reconsider this (: