
OCPCLOUD-3261: feat(cloud providers): inject centralized TLS configuration #8864

Open

ingvagabund wants to merge 3 commits into openshift:main from ingvagabund:aws-cloud-controller-manager-tls

Conversation

@ingvagabund ingvagabund (Member) commented Jun 29, 2026

What this PR does / why we need it:

  • have all cloud-controller-manager providers honor the centralized TLS configuration
  • have all capi-provider deployments honor the centralized TLS configuration

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features
    • Cloud provider controllers now automatically apply TLS security profile settings.
    • When configured, deployments set the minimum TLS version and cipher suites (comma-delimited) for both the cloud controller manager and the platform manager components.
    • Supported across AWS, Azure, GCP, KubeVirt, OpenStack, and PowerVS.
  • Chores
    • Improved CLI argument construction to apply TLS flags consistently across providers.

@openshift-merge-bot (Contributor) commented:

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/needs-area labels Jun 29, 2026
@coderabbitai coderabbitai Bot (Contributor) commented Jun 29, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Across the cloud-controller-manager adapters and hosted-cluster platform deployment specs, container args now include TLS minimum version and cipher suite flags derived from the HostedControlPlane TLS security profile. Several deployment builders now construct args slices dynamically, and some component builders register deployment adaptation hooks to apply the changes.

Sequence Diagram(s)

sequenceDiagram
  participant HostedControlPlane
  participant PlatformDeploymentSpec
  participant Deployment
  HostedControlPlane->>PlatformDeploymentSpec: provide TLS security profile
  PlatformDeploymentSpec->>PlatformDeploymentSpec: build args slice
  PlatformDeploymentSpec->>Deployment: set Args with TLS flags

Suggested reviewers

  • devguyio
  • sdminonne
Pre-merge checks: 11 passed

  • Description Check (Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): Scanned relevant test files; 15 literal titles found and none used dynamic values or unstable identifiers.
  • Test Structure And Quality (Passed): The touched tests are plain table-driven unit tests, not Ginkgo specs; they use fake clients and no cluster waits/timeouts or cleanup concerns.
  • Topology-Aware Scheduling Compatibility (Passed): Touched files only add TLS CLI args/imports; no new affinity, nodeSelector, topology spread, replica, or PDB scheduling constraints were introduced.
  • Ipv6 And Disconnected Network Test Compatibility (Passed): No new Ginkgo e2e tests were added; the diff only changes controller code, fixtures, and unit tests, so the IPv6/disconnected check is not applicable.
  • No-Weak-Crypto (Passed): Only existing TLS-profile helpers are wired into args; no new MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons were added.
  • Container-Privileges (Passed): No touched manifest/spec adds privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation:true; changes only append TLS args.
  • No-Sensitive-Data-In-Logs (Passed): No new log statements were added in the changed files; the only logger call found is pre-existing and does not expose secrets.
  • Title check (Passed): The title accurately reflects the main change: centralized TLS configuration is injected across cloud provider deployments.

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from cblecker and csrwng June 29, 2026 17:24
@openshift-ci openshift-ci Bot (Contributor) commented Jun 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ingvagabund
Once this PR has been reviewed and has the lgtm label, please assign cblecker for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/platform/aws PR/issue for AWS (AWSPlatform) platform area/platform/azure PR/issue for Azure (AzurePlatform) platform area/platform/gcp PR/issue for GCP (GCPPlatform) platform area/platform/kubevirt PR/issue for KubeVirt (KubevirtPlatform) platform area/platform/openstack PR/issue for OpenStack (OpenStackPlatform) platform area/platform/powervs PR/issue for PowerVS (PowerVSPlatform) platform and removed do-not-merge/needs-area labels Jun 29, 2026

@coderabbitai coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go (1)

63-70: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Factor the TLS arg assembly into a shared helper.

This exact MinTLSVersion/CipherSuites append block is now copied across all six CCM providers in this PR, so the next TLS flag change will be easy to miss in one of them. A small helper in the cloud-controller-manager package would keep the behavior aligned everywhere.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go` around lines 63-70: The TLS flag assembly in the cloud-controller-manager provider setup is duplicated across the CCM implementations, so factor the repeated MinTLSVersion/CipherSuites append logic into a shared helper in the cloud-controller-manager package. Update the component wiring to call that helper from the AWS path (and the other provider component files) so all providers build TLS args consistently from hcp.Spec.Configuration.GetTLSSecurityProfile().

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8700e9d8-9b45-47e5-8557-59d3cd06c5e7

📥 Commits

Reviewing files that changed from the base of the PR and between 74c07cf and b45a4de.

📒 Files selected for processing (6)
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go

@codecov codecov Bot commented Jun 29, 2026
Codecov Report

❌ Patch coverage is 19.89247% with 149 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.24%. Comparing base (ca3d347) to head (c4ef20b).
⚠️ Report is 2 commits behind head on main.

Files with missing lines (patch coverage, lines missing):
  • ...ers/hostedcluster/internal/platform/agent/agent.go: 0.00%, 18 missing
  • ...rollers/hostedcluster/internal/platform/aws/aws.go: 0.00%, 17 missing
  • ...ers/hostedcluster/internal/platform/azure/azure.go: 0.00%, 17 missing
  • ...stedcluster/internal/platform/kubevirt/kubevirt.go: 0.00%, 16 missing
  • ...hostedcluster/internal/platform/powervs/powervs.go: 0.00%, 16 missing
  • ...plane/v2/cloud_controller_manager/aws/component.go: 0.00%, 13 missing
  • ...plane/v2/cloud_controller_manager/gcp/component.go: 0.00%, 13 missing
  • ...ne/v2/cloud_controller_manager/azure/deployment.go: 0.00%, 10 missing
  • ...2/cloud_controller_manager/openstack/deployment.go: 0.00%, 8 missing
  • ...v2/cloud_controller_manager/kubevirt/deployment.go: 0.00%, 7 missing
  • ... and 2 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8864      +/-   ##
==========================================
- Coverage   43.26%   43.24%   -0.03%     
==========================================
  Files         770      771       +1     
  Lines       95479    95641     +162     
==========================================
+ Hits        41311    41357      +46     
- Misses      51284    51398     +114     
- Partials     2884     2886       +2     
Files with missing lines (coverage, patch coverage, delta):
  • ...s/hostedcontrolplane/v2/capi_manager/deployment.go: 100.00%, patch 100.00%, unchanged
  • .../v2/cloud_controller_manager/powervs/deployment.go: 100.00%, patch 100.00%, unchanged
  • ...v2/cloud_controller_manager/kubevirt/deployment.go: 0.00%, patch 0.00%, unchanged
  • ...rollers/hostedcluster/internal/platform/gcp/gcp.go: 82.23%, patch 46.15%, -1.45%
  • ...edcluster/internal/platform/openstack/openstack.go: 70.44%, patch 70.83%, -0.84%
  • ...2/cloud_controller_manager/openstack/deployment.go: 9.25%, patch 0.00%, -1.62%
  • ...ne/v2/cloud_controller_manager/azure/deployment.go: 0.00%, patch 0.00%, unchanged
  • ...plane/v2/cloud_controller_manager/aws/component.go: 0.00%, patch 0.00%, unchanged
  • ...plane/v2/cloud_controller_manager/gcp/component.go: 5.40%, patch 0.00%, -2.93%
  • ...stedcluster/internal/platform/kubevirt/kubevirt.go: 17.01%, patch 0.00%, -0.93%
  • ... and 4 more

... and 1 file with indirect coverage changes

Flag coverage (delta):
  • cmd-support: 36.67%, +0.04%
  • cpo-hostedcontrolplane: 45.22%, patch 21.53%, -0.10%
  • cpo-other: 45.10%, unchanged
  • hypershift-operator: 53.46%, patch 19.00%, -0.13%
  • other: 31.69%, unchanged

Flags with carried forward coverage won't be shown.


@ingvagabund ingvagabund force-pushed the aws-cloud-controller-manager-tls branch from b45a4de to 758f5be Compare June 29, 2026 17:54
@ingvagabund ingvagabund changed the title from "wip: feat(cloud-controller-manager): inject centralized TLS configuration" to "OCPCLOUD-3261: feat(cloud-controller-manager): inject centralized TLS configuration" Jun 29, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 29, 2026
@openshift-ci-robot openshift-ci-robot commented Jun 29, 2026
@ingvagabund: This pull request references OCPCLOUD-3261 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead.

Details

In response to this:

What this PR does / why we need it:

To have all cloud-controller-manager providers honor the centralized TLS configuration

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features
  • Cloud controller manager deployments now automatically include TLS configuration based on the cluster’s configured TLS security profile.
  • When specified, the deployments add the configured minimum TLS version.
  • When specified, deployments also add the configured cipher suites (as a comma-delimited list).
  • This behavior is applied across multiple cloud providers, including AWS, Azure, GCP, KubeVirt, OpenStack, and PowerVS.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 29, 2026
@ingvagabund ingvagabund force-pushed the aws-cloud-controller-manager-tls branch from 758f5be to 21b3b69 Compare June 29, 2026 18:12
@openshift-ci openshift-ci Bot added the area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release label Jun 29, 2026
@ingvagabund ingvagabund force-pushed the aws-cloud-controller-manager-tls branch from e17a807 to 9fce135 Compare June 29, 2026 19:02

@coderabbitai coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go (1)

77-94: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract the TLS arg append into a shared helper.

This exact hcpconfig.MinTLSVersion / config.CipherSuites block is now copied across all seven provider specs. Centralizing it would reduce drift the next time the TLS flag contract changes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In `@hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go` around lines 77-94: The TLS flag assembly in the agent args setup is duplicated across provider specs, so extract the repeated hcp-based TLS append logic into a shared helper and reuse it from the agent container arg builder. Move the block that calls config.MinTLSVersion and config.CipherSuites into a common function with a clear name, then have the existing arg construction path in agent.go call that helper after the base args are created. Keep the helper responsible only for appending the TLS-related flags so all provider specs share the same contract.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: aca41bfd-9b08-4ded-ad68-5126f0f9527d

📥 Commits

Reviewing files that changed from the base of the PR and between 21b3b69 and e17a807.

📒 Files selected for processing (7)
  • hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go

@ingvagabund ingvagabund changed the title from "OCPCLOUD-3261: feat(cloud-controller-manager): inject centralized TLS configuration" to "OCPCLOUD-3261: feat(cloud providers): inject centralized TLS configuration" Jun 29, 2026

@cblecker cblecker (Member) left a comment

Thanks for adding TLS security profile support across the CCM and CAPI providers — the implementation is clean and the fixture coverage is thorough.

One thing I'd like to see addressed (either in this PR or a follow-up): there's no enforcement mechanism that validates all components that should honor the centralized TLS configuration actually do. Today it's purely manual — if someone adds a new component that serves HTTPS, nothing flags the missing TLS configuration. This PR adds the same pattern to 13 files independently, and the next component won't know it needs to do the same.

A lightweight option would be a cross-component test that asserts every deployment with an HTTPS-serving container has --tls-min-version in its args or equivalent config. This would catch regressions and make the requirement discoverable. An even better option would be a helper (e.g., config.TLSFlags(profile)) that the component framework could apply automatically, but that's a larger change.

Would you be open to adding a tracking issue for this if it's out of scope here?
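
One way to build the cross-component test suggested above, as an added example that is not part of the PR or of the HyperShift repository. It walks a constructed list of deployments (minimal stand-in types rather than appsv1.Deployment), treats a container as HTTPS-serving when it declares a port named https or webhook-server or passes --secure-port (a heuristic chosen for this example, not a rule from the page), and reports every such container whose args lack --tls-min-version in either the --flag=value or the --flag value form.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Minimal stand-ins for the Kubernetes Deployment fields the check needs.
// They are an assumption of this example; a real test would walk the
// appsv1.Deployment objects the component builders render.
type ContainerPort struct {
	Name string
	Port int32
}

type Container struct {
	Name  string
	Args  []string
	Ports []ContainerPort
}

type Deployment struct {
	Name       string
	Containers []Container
}

// hasFlag reports whether args carry the flag `name`, accepting both the
// "--name=value" and the "--name value" spellings.
func hasFlag(args []string, name string) bool {
	for _, a := range args {
		if a == name || strings.HasPrefix(a, name+"=") {
			return true
		}
	}
	return false
}

// servesHTTPS is the heuristic (an assumption of this example) that marks a
// container as an HTTPS server: a port named "https" or "webhook-server",
// or an explicit --secure-port flag.
func servesHTTPS(c Container) bool {
	for _, p := range c.Ports {
		switch p.Name {
		case "https", "webhook-server":
			return true
		}
	}
	return hasFlag(c.Args, "--secure-port")
}

// MissingTLSFlags returns "deployment/container" for every HTTPS-serving
// container that lacks --tls-min-version. The result is sorted so a
// table-driven test can compare it directly.
func MissingTLSFlags(deps []Deployment) []string {
	var missing []string
	for _, d := range deps {
		for _, c := range d.Containers {
			if servesHTTPS(c) && !hasFlag(c.Args, "--tls-min-version") {
				missing = append(missing, d.Name+"/"+c.Name)
			}
		}
	}
	sort.Strings(missing)
	return missing
}

// sampleDeployments is constructed input standing in for rendered CCM and
// CAPI provider deployments: one already carrying the TLS flags, one
// HTTPS-serving container without them, and one plain-HTTP container that
// the check must not flag.
func sampleDeployments() []Deployment {
	return []Deployment{
		{Name: "sample-ccm", Containers: []Container{{
			Name: "cloud-controller-manager",
			Args: []string{
				"--cloud-provider=aws",
				"--secure-port=10258",
				"--tls-min-version=VersionTLS12",
				"--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			},
		}}},
		{Name: "sample-capi-provider", Containers: []Container{{
			Name:  "manager",
			Args:  []string{"--leader-elect"},
			Ports: []ContainerPort{{Name: "webhook-server", Port: 9443}},
		}}},
		{Name: "sample-http-only", Containers: []Container{{
			Name:  "exporter",
			Args:  []string{"--metrics-bind-address=:8080"},
			Ports: []ContainerPort{{Name: "metrics", Port: 8080}},
		}}},
	}
}

func main() {
	for _, m := range MissingTLSFlags(sampleDeployments()) {
		fmt.Println("missing --tls-min-version:", m)
	}
}
```

Run against the sample input, only sample-capi-provider/manager is reported; wiring MissingTLSFlags over the real rendered deployments and asserting an empty result is what turns the manual "did everyone add the flag" check into a regression test.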

@ingvagabund ingvagabund force-pushed the aws-cloud-controller-manager-tls branch from ffc14df to 6abac17 Compare June 29, 2026 21:21
@ingvagabund ingvagabund (Member, Author) commented:

Hello @cblecker. Thank you for taking a closer look at the PR. So far the changes are luckily quite straightforward.

There's a new tls-scanner periodic job for a HS introduced. The latest run: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-tls-scanner-main-periodic-hypershift-tls/2070729428597477376 (from Jun 27). Would that be a sufficient gating mechanism?

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 1, 2026
Inject --tls-min-version and --tls-cipher-suites flags to all six cloud
controller manager providers based on HCP TLS security profile.
@ingvagabund ingvagabund force-pushed the aws-cloud-controller-manager-tls branch from 6abac17 to 2f045ee Compare July 1, 2026 12:22
@ingvagabund ingvagabund (Member, Author) commented:

Just rebasing

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 1, 2026
Inject --tls-min-version and --tls-cipher-suites flags to all six cloud
capi providers based on HCP TLS security profile.
Inject --tls-min-version and --tls-cipher-suites flags
to capi-manager based on HCP TLS security profile.
@ingvagabund ingvagabund force-pushed the aws-cloud-controller-manager-tls branch from 2f045ee to c4ef20b Compare July 1, 2026 13:07
@openshift-ci openshift-ci Bot (Contributor) commented Jul 1, 2026

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@hypershift-jira-solve-ci commented:
Now I have all the information needed. Let me compile the final report.

Test Failure Analysis Complete

Job Information

  • Prow Job: N/A — these are Codecov GitHub Check Runs, not Prow CI jobs
  • Build ID: Check Run IDs 84553519917 (codecov/patch) and 84553516079 (codecov/project)
  • PR: #8864 OCPCLOUD-3261: feat(cloud providers): inject centralized TLS configuration
  • Branch: aws-cloud-controller-manager-tls (into main)
  • Head Commit: c4ef20b
  • Base Commit: ca3d347

Test Failure Analysis

Error

codecov/patch: 19.89% of diff hit (target 43.26%) — FAILED
codecov/project: 43.24% (-0.03%) compared to ca3d347 — FAILED

149 new executable lines in the diff have zero test coverage.

Summary

Both Codecov checks failed because PR #8864 adds centralized TLS configuration injection (--tls-min-version, --tls-cipher-suites args) to cloud controller manager deployments and CAPI provider deployments across 12 platform-specific Go files, but only 37 of the 186 new executable lines are covered by existing tests. The 149 uncovered lines are nearly identical TLS injection code repeated across 10 files that have 0% patch coverage. The codecov/patch check requires the diff to meet the project baseline of 43.26% coverage, but it achieved only 19.89%. The codecov/project check fails because overall project coverage dropped from 43.26% to 43.24%.

Root Cause

The PR adds identical TLS configuration logic to two categories of files, neither of which has adequate unit test coverage for the new code:

Category 1: Control-plane-operator CCM deployment files (v2/ cloud_controller_manager)

  • aws/component.go — new adaptDeployment() function (13 uncovered lines)
  • gcp/component.go — new adaptDeployment() function (13 uncovered lines)
  • azure/deployment.go — TLS injection added to existing adaptDeployment() (10 uncovered lines)
  • kubevirt/deployment.go — TLS injection added to existing adaptDeployment() (7 uncovered lines)
  • openstack/deployment.go — TLS injection added to existing adaptDeployment() (8 uncovered lines)
  • powervs/deployment.go — already has 100% coverage (covered by existing fixture-based component tests)

These files build Deployment specs for cloud controller managers. The AWS and GCP files introduce entirely new adaptDeployment() functions wired via .WithAdaptFunction(), but there are no unit tests exercising these adapt functions. The fixture-based TestControlPlaneComponents tests updated in the PR's YAML testdata files validate the output deployment YAML but the underlying Go code in component.go files has 0% unit test coverage because the test framework invokes the component through a higher-level reconciliation path that Codecov's coverage instrumentation doesn't attribute to these specific source lines.

Category 2: Hypershift-operator CAPI provider deployment spec files (platform/)

  • agent/agent.go — 18 uncovered lines
  • aws/aws.go — 17 uncovered lines
  • azure/azure.go — 17 uncovered lines
  • kubevirt/kubevirt.go — 16 uncovered lines
  • powervs/powervs.go — 16 uncovered lines
  • gcp/gcp.go — 7 uncovered lines (46.15% patch coverage, partial)
  • openstack/openstack.go — partial coverage (70.83%)

These CAPIProviderDeploymentSpec() methods previously ignored the *hyperv1.HostedControlPlane parameter (named _). The PR renames it to hcp and adds TLS arg construction, but the existing unit tests for these methods either don't pass an hcp object with a TLS security profile set, or don't exist at all. The if hcp != nil guard means the TLS branches are never exercised in tests.

Only the capi_manager/deployment.go file (which adds TLS to the CAPI manager adapt function) achieves 100% coverage because its existing test infrastructure already exercises the adapt function with a fully populated WorkloadContext.

The root cause is missing unit tests for the TLS injection paths in 10 of the 12 modified Go files. The code is functionally correct (the updated fixture YAMLs confirm the args are generated properly), but Codecov's line-level coverage tracking shows the test suite never executes these specific lines.

Recommendations
  1. Add unit tests for the new adaptDeployment() functions in aws/component.go and gcp/component.go. These are entirely new functions with zero coverage. A test should create a WorkloadContext with a TLS security profile and verify the deployment's container args include the expected --tls-min-version and --tls-cipher-suites flags.

  2. Add or update unit tests for CAPIProviderDeploymentSpec() methods across all 7 platform files (agent, aws, azure, gcp, kubevirt, openstack, powervs). Each test should:

    • Pass a non-nil *hyperv1.HostedControlPlane with .Spec.Configuration containing a TLS security profile
    • Assert that the returned DeploymentSpec container args include the TLS flags
    • Optionally test the hcp == nil fallback path (no TLS args added)
  3. For the CCM deployment files (azure, kubevirt, openstack), extend the existing adaptDeployment() tests to include a TLS security profile in the WorkloadContext.HCP and verify the container args.

  4. Consider extracting the repeated TLS injection pattern into a shared helper function (e.g., support/config.AppendTLSArgs(args []string, profile *configv1.TLSSecurityProfile) []string) to reduce code duplication across 12 files and make testing easier — one test for the helper covers the logic for all platforms.

  5. If these checks are non-blocking, the PR can merge without coverage fixes since the code is validated by the updated fixture YAML tests (TestControlPlaneComponents, TestReconcileComponents). However, adding explicit unit tests would be the correct long-term approach.

Evidence
  • codecov/patch result: 19.89% patch coverage vs 43.26% target; 149 of 186 new lines uncovered
  • codecov/project result: 43.24% overall (-0.03% from baseline 43.26% on ca3d347)
  • Files changed: 12 Go source files + 32 YAML test fixture files + 1 new file (771 total, +1)
  • Lines added/removed: +162 net new lines (95,641 total, up from 95,479)
  • Hits/Misses delta: +46 hits, +114 misses, +2 partials
  • Worst offenders (0% patch): agent.go (18), aws.go (17), azure.go (17), kubevirt.go (16), powervs.go (16), aws/component.go (13), gcp/component.go (13), azure/deployment.go (10)
  • Only fully covered files: capi_manager/deployment.go (100%), powervs/deployment.go (100%); both have existing test infrastructure
  • Partially covered files: gcp/gcp.go (46.15%), openstack/openstack.go (70.83%); some TLS paths exercised
  • Pattern across all files: identical TLS injection code, config.MinTLSVersion() -> --tls-min-version and config.CipherSuites() -> --tls-cipher-suites
  • Codecov config (.codecov.yml): no explicit patch or project thresholds defined; uses Codecov defaults (patch must meet project baseline)
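
Both CodeRabbit nitpicks earlier in the thread and recommendation 4 of this report ask for one shared helper that turns the TLS security profile into flags. The block below is an added example written for this page; it is not code from the PR, from HyperShift's support/config package, or from the configv1 API. The profile types are minimal stand-ins for configv1.TLSSecurityProfile, the cipher list is an illustrative subset of the Intermediate profile limited to suites Go implements, and the Old profile is left out. It adds the check a practitioner would want on top of the append: every cipher suite name is validated against crypto/tls, because a name the Kubernetes secure-serving flag parser does not recognise (an OpenSSL-style spelling, for instance) is rejected when the flags are applied, so the pod fails to start instead of serving with a weaker configuration. The helper is also idempotent, so an adapt function re-run on an already adapted deployment cannot leave two conflicting --tls-min-version values in the args.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// ProfileType mirrors the type names of the OpenShift TLSSecurityProfile API.
// The structs below are minimal stand-ins (an assumption of this example),
// not the configv1 types HyperShift actually consumes.
type ProfileType string

const (
	ProfileIntermediate ProfileType = "Intermediate"
	ProfileModern       ProfileType = "Modern"
	ProfileCustom       ProfileType = "Custom"
)

type CustomProfile struct {
	MinTLSVersion string   // "VersionTLS10" .. "VersionTLS13", the spelling the flags expect
	Ciphers       []string // IANA/Go suite names, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

type TLSSecurityProfile struct {
	Type   ProfileType
	Custom *CustomProfile
}

// intermediateCiphers is an illustrative subset of the Intermediate profile
// restricted to suites Go implements; it is not the authoritative OpenShift list.
var intermediateCiphers = []string{
	"TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

var validMinVersions = map[string]bool{
	"VersionTLS10": true, "VersionTLS11": true, "VersionTLS12": true, "VersionTLS13": true,
}

// goSuiteNames collects every cipher suite name crypto/tls knows, secure and
// insecure. Anything outside this set cannot be expressed to a Go TLS server,
// so it is rejected here rather than at pod startup.
func goSuiteNames() map[string]bool {
	names := map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		names[cs.Name] = true
	}
	for _, cs := range tls.InsecureCipherSuites() {
		names[cs.Name] = true
	}
	return names
}

// profileSettings resolves a profile to its minimum version and cipher list.
func profileSettings(p *TLSSecurityProfile) (string, []string, error) {
	switch p.Type {
	case ProfileModern:
		// Go does not let callers choose TLS 1.3 suites, so a 1.3-only
		// profile needs no --tls-cipher-suites flag at all.
		return "VersionTLS13", nil, nil
	case ProfileIntermediate, "":
		return "VersionTLS12", intermediateCiphers, nil
	case ProfileCustom:
		if p.Custom == nil {
			return "", nil, fmt.Errorf("custom profile without custom settings")
		}
		return p.Custom.MinTLSVersion, p.Custom.Ciphers, nil
	default:
		return "", nil, fmt.Errorf("unsupported profile type %q", p.Type)
	}
}

// stripTLSFlags returns a copy of args without any existing TLS flags, so
// applying the helper twice cannot leave conflicting values behind.
func stripTLSFlags(args []string) []string {
	out := make([]string, 0, len(args))
	for _, a := range args {
		if strings.HasPrefix(a, "--tls-min-version=") || strings.HasPrefix(a, "--tls-cipher-suites=") {
			continue
		}
		out = append(out, a)
	}
	return out
}

// AppendTLSArgs appends --tls-min-version and, when the profile carries
// suites, a comma-delimited --tls-cipher-suites. A nil profile leaves args
// untouched, matching the "when configured" behaviour described in the PR.
func AppendTLSArgs(args []string, p *TLSSecurityProfile) ([]string, error) {
	if p == nil {
		return args, nil
	}
	minVersion, ciphers, err := profileSettings(p)
	if err != nil {
		return nil, err
	}
	if !validMinVersions[minVersion] {
		return nil, fmt.Errorf("invalid minimum TLS version %q", minVersion)
	}
	known := goSuiteNames()
	for _, c := range ciphers {
		if !known[c] {
			return nil, fmt.Errorf("cipher suite %q is not known to crypto/tls", c)
		}
	}
	out := append(stripTLSFlags(args), "--tls-min-version="+minVersion)
	if len(ciphers) > 0 {
		out = append(out, "--tls-cipher-suites="+strings.Join(ciphers, ","))
	}
	return out, nil
}

func main() {
	base := []string{"--cloud-provider=aws", "--leader-elect=true"}
	args, err := AppendTLSArgs(base, &TLSSecurityProfile{Type: ProfileIntermediate})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(args, " "))
}
```

With one helper like this, each provider's arg builder shrinks to a single call, and a single table-driven test on the helper covers the nil-profile, Intermediate, Modern and Custom paths that the Codecov report shows are uncovered when the same block is copied into twelve files.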
