STOR-2954: inject centralized TLS configuration for storage operators#8887
STOR-2954: inject centralized TLS configuration for storage operators#8887ingvagabund wants to merge 2 commits into
Conversation
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
@ingvagabund: This pull request references STOR-2954 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ingvagabund The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #8887 +/- ##
==========================================
- Coverage 43.26% 43.24% -0.02%
==========================================
Files 770 771 +1
Lines 95479 95578 +99
==========================================
+ Hits 41311 41335 +24
- Misses 51284 51359 +75
Partials 2884 2884
... and 3 files with indirect coverage changes
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
70b9d62 to
063ba79
Compare
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (30)
📒 Files selected for processing (8)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (7)
📝 WalkthroughWalkthroughThis change adds generated controller config files for the storage and snapshot-controller operators. New Sequence Diagram(s)sequenceDiagram
participant NewComponent as Component wiring
participant adaptControllerConfig as Config adapter
participant TLSProfile as TLS security profile
participant ConfigMap as controller-config ConfigMap
participant Deployment as Operator deployment
NewComponent->>adaptControllerConfig: attach controller-config.yaml adapter
adaptControllerConfig->>TLSProfile: read TLS settings
adaptControllerConfig->>ConfigMap: write config.yaml
Deployment->>ConfigMap: mount config volume
Deployment->>Deployment: read /var/run/configmaps/config/config.yaml
Deployment->>Deployment: use --config and --terminate-on-files
Related Issues: None specified Related PRs: None specified Suggested labels: ok-to-test, do-not-merge/hold Suggested reviewers: csrwng, sjenning Poem YAML found its way to disk, 🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go (1)
41-78: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winSimplify: set
TypeMetadirectly instead of JSON→map→YAML roundtrip.
configv1.GenericControllerConfigembedsmetav1.TypeMetainline, soapiVersion/kindcan be set as struct fields and the whole config YAML-marshaled directly — no need for the JSON marshal/unmarshal-to-map dance. This also drops theencoding/jsonimport.This exact function body is duplicated verbatim in
storage/deployment.go. Consider extracting a shared helper (e.g. insupport/config) that both callers invoke with just theComponentName/BindAddress, to avoid maintaining two copies of this marshal logic.♻️ Proposed simplification
-func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error { - profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile() - controllerConfig := configv1.GenericControllerConfig{ - ServingInfo: configv1.HTTPServingInfo{ - ServingInfo: configv1.ServingInfo{ - BindAddress: ":8443", - CipherSuites: config.CipherSuites(profile), - MinTLSVersion: config.MinTLSVersion(profile), - }, - }, - } - - asJSON, err := json.Marshal(controllerConfig) - if err != nil { - return fmt.Errorf("failed to json marshal config: %w", err) - } - - asMap := map[string]any{} - if err := json.Unmarshal(asJSON, &asMap); err != nil { - return fmt.Errorf("failed to json unmarshal config: %w", err) - } - - asMap["apiVersion"] = configv1.GroupVersion.String() - asMap["kind"] = "GenericControllerConfig" - - data, err := yaml.Marshal(asMap) +func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error { + profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile() + controllerConfig := configv1.GenericControllerConfig{ + TypeMeta: metav1.TypeMeta{ + APIVersion: configv1.GroupVersion.String(), + Kind: "GenericControllerConfig", + }, + ServingInfo: configv1.HTTPServingInfo{ + ServingInfo: configv1.ServingInfo{ + BindAddress: ":8443", + CipherSuites: config.CipherSuites(profile), + MinTLSVersion: config.MinTLSVersion(profile), + }, + }, + } + + data, err := yaml.Marshal(controllerConfig) if err != nil { return fmt.Errorf("failed to yaml marshal config: %w", err) }I flagged this with `` since it touches the
openshift/api`GenericControllerConfig` struct shape; please confirm the embedded `TypeMeta` field name/tag matches what's assumed above.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go` around lines 41 - 78, Simplify adaptControllerConfig by setting configv1.GenericControllerConfig.TypeMeta directly and YAML-marshaling the struct instead of converting through JSON and a map. Remove the unnecessary encoding/json roundtrip, keep the existing TLS profile-derived ServingInfo setup, and ensure apiVersion/kind are populated via the embedded TypeMeta on GenericControllerConfig. Since this logic is duplicated in storage/deployment.go, consider extracting a shared helper so both callers reuse the same config rendering path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go`:
- Around line 41-78: Simplify adaptControllerConfig by setting
configv1.GenericControllerConfig.TypeMeta directly and YAML-marshaling the
struct instead of converting through JSON and a map. Remove the unnecessary
encoding/json roundtrip, keep the existing TLS profile-derived ServingInfo
setup, and ensure apiVersion/kind are populated via the embedded TypeMeta on
GenericControllerConfig. Since this logic is duplicated in
storage/deployment.go, consider extracting a shared helper so both callers reuse
the same config rendering path.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: af393ddb-20c4-4046-b1ae-8da2c8c37591
⛔ Files ignored due to path filters (30)
control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yamlis excluded by!**/testdata/**control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yamlis excluded by!**/testdata/**
📒 Files selected for processing (8)
control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yamlcontrol-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yamlcontrol-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yamlcontrol-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yamlcontrol-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.gocontrol-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.gocontrol-plane-operator/controllers/hostedcontrolplane/v2/storage/component.gocontrol-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
|
Now I have the complete picture. The key finding is:
The Test Failure Analysis CompleteJob Information
Test Failure AnalysisErrorSummaryBoth codecov checks failed because the PR adds two new Root CauseThe PR adds two identical
These functions build a Why codecov reports 0% patch coverage:
Established pattern not followed: Other components with the same codecov/project fails because the 61 new uncovered lines cause a net -0.02% drop in overall project coverage (from 43.26% to 43.24%). codecov/patch fails because 0 of the 61 new executable lines are hit by any test that generates a coverage profile for these packages. Recommendations
Evidence
|
|
Running the CPO image locally: |
Mount a configmap with an operator config injected with the HCP TLS security profile.
…uration Mount a configmap with an operator config injected with the HCP TLS security profile.
063ba79 to
b12aa98
Compare
|
Validated via #8912 (comment). Both operators are running |
|
/lgtm |
|
Scheduling tests matching the |
Test Resultse2e-aws
e2e-aks
|
|
@ingvagabund: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
What this PR does / why we need it:
have cloud-storage-operator and csi-snapshot-controller-operator honor the centralized TLS configuration
Which issue(s) this PR fixes:
Fixes
Special notes for your reviewer:
Checklist:
Summary by CodeRabbit
New Features
Bug Fixes