feat: add sentinel label value for global metric visibility

[notque]

Summary

• Adds maia.label_value_for_global_visibility config option: a sentinel value appended to tenant scope regexes so metrics tagged with it become visible to all tenants
• Solves the problem of schema/info metrics (e.g. kube_node_info) that lack tenant labels being invisible to authenticated tenants
• Simpler and safer than a metric-name allowlist — reuses existing scope machinery with no query-time lookups

Design

• Sentinel mechanism: Configured value (e.g. "all") is appended to every scope constraint, so project_id=~"p1|p2" becomes project_id=~"p1|p2|all"
• Write-once: Sentinel resolved once at startup, immutable during request handling
• Fail-fast: Startup panics if value contains regex metacharacters (regexp.QuoteMeta validation)
• Disabled by default: Empty string means no sentinel, no behavioral change
• No new abstractions: One 5-line utility function (appendSentinelValue) called after every scopeToLabelConstraint()

Configuration

[maia]
# A special label value that, when present on a metric's project_id or domain_id label,
# makes that metric visible to all tenants. Disabled when empty (default).
# label_value_for_global_visibility = all

Files Changed

File	Change
pkg/api/util.go	appendSentinelValue() function + INVARIANT comment
pkg/api/util_test.go	6 table-driven unit tests
pkg/api/server.go	Startup validation + sentinel resolution
pkg/api/v1api.go	Call appendSentinelValue in Query, QueryRange, LabelValues
pkg/api/api_test.go	Integration tests for sentinel visibility
pkg/util/promqlmod.go	Fix reflect.DeepEqual → field comparison for matcher equality
pkg/cmd/root.go	Viper default
etc/maia.conf	Configuration documentation
CHANGELOG.md	Unreleased entry

Test plan

• Unit tests for appendSentinelValue (empty sentinel, single/multiple values, spare capacity)
• Integration tests verifying sentinel appears in scope regexes for label-values queries
• make check passes (tests + golangci-lint)
• Multi-perspective local review (security, conventions, over-engineering): all APPROVE

[majewsky]

Alternative proposal: To remove the need to maintain this allowlist, we could recognize global metrics through a sentinel value in the project_id label, e.g. project_id="any" or project_id="all". This label could be maintained either in the application emitting the metrics, or in the Maia federation config through a relabeling step.

If we go with the allowlist design, I would like to request for them to be regexes. Ref: https://github.com/sapcc/limes/blob/57e7e18a1ba2aefb91c69d8f91a400c0575a322a/internal/collector/metrics.go#L864-L869

[notque]

@viennaa @majewsky are we reasonably happy with this, or would we like more changes?

[Copilot]

Pull request overview

This PR introduces a configurable “global visibility” sentinel label value that gets appended to tenant scope constraints, allowing metrics tagged with the sentinel to be visible across all authenticated tenants (useful for cluster/info metrics that otherwise lack tenant labels).

Changes:

• Add maia.label_value_for_global_visibility config default and server-side startup validation (reject regex metacharacters).
• Append the resolved sentinel value to project/domain scope label constraints, affecting all endpoints that rely on scope resolution.
• Extend API tests and fixtures to cover sentinel behavior; adjust PromQL matcher equality logic to avoid incorrect duplication.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/api/server.go	Resolves + validates the sentinel config once at startup.
pkg/api/util.go	Appends the configured sentinel to scope-derived label value lists.
pkg/api/api_test.go	Adds integration-style tests ensuring sentinel appears in injected scope constraints.
pkg/api/fixtures/label_values_sentinel_names_query_range.json	New fixture for label-values tests involving globally visible metrics.
pkg/api/fixtures/label_values_sentinel_node_query_range.json	New fixture for label-values tests involving globally visible metrics.
pkg/util/promqlmod.go	Fixes matcher equality to avoid reliance on reflect.DeepEqual for labels.Matcher.
pkg/cmd/root.go	Adds Viper default for the new configuration key.
etc/maia.conf	Documents the new config option in the sample config.
CHANGELOG.md	Adds an Unreleased entry documenting the new feature.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[majewsky]

Looks good to me, thanks!

[viennaa]

Really like the idea of having this value configurable, small thing before I can stamp :)

[github-actions]

Merging this branch will decrease overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/SAP-cloud-infrastructure/maia/pkg/api	75.12% (-0.71%)	👎
github.com/SAP-cloud-infrastructure/maia/pkg/cmd	74.05% (-0.18%)	👎
github.com/SAP-cloud-infrastructure/maia/pkg/util	83.33% (ø)

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/SAP-cloud-infrastructure/maia/pkg/api/server.go	63.81% (-3.19%)	525 (+25)	335	190 (+25)	👎
github.com/SAP-cloud-infrastructure/maia/pkg/api/util.go	81.52% (+0.27%)	1055 (+15)	860 (+15)	195	👍
github.com/SAP-cloud-infrastructure/maia/pkg/cmd/root.go	21.74% (-0.99%)	115 (+5)	25	90 (+5)	👎
github.com/SAP-cloud-infrastructure/maia/pkg/util/promqlmod.go	87.88% (ø)	165	145	20

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

• github.com/SAP-cloud-infrastructure/maia/pkg/api/api_test.go