STOR-2954: inject centralized TLS configuration for storage operators#8887

Open
ingvagabund wants to merge 2 commits into openshift:main from ingvagabund:storage-operators-tls

@ingvagabund ingvagabund commented Jul 1, 2026

What this PR does / why we need it:

Have cloud-storage-operator and csi-snapshot-controller-operator honor the centralized TLS configuration.

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features

    • Added automatic generation and injection of controller configuration for the snapshot and storage components via ConfigMaps.
    • Mounted the generated configuration into the running pods so updated settings take effect on startup.
  • Bug Fixes

    • Ensured controller settings are generated consistently using the cluster’s TLS security profile.
    • Updated deployments to terminate when the config file is present/changes, enabling a clean restart with the latest configuration.

@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot

openshift-ci-robot commented Jul 1, 2026

@ingvagabund: This pull request references STOR-2954 which is a valid jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 1, 2026
@openshift-ci openshift-ci Bot requested review from bryan-cox and jparrill July 1, 2026 13:56
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ingvagabund
Once this PR has been reviewed and has the lgtm label, please assign cblecker for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release and removed do-not-merge/needs-area labels Jul 1, 2026
@codecov

codecov Bot commented Jul 1, 2026

Codecov Report

❌ Patch coverage is 0% with 72 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.24%. Comparing base (ca3d347) to head (b12aa98).
⚠️ Report is 31 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...edcontrolplane/v2/snapshotcontroller/deployment.go | 0.00% | 32 Missing ⚠️ |
| ...ollers/hostedcontrolplane/v2/storage/deployment.go | 0.00% | 32 Missing ⚠️ |
| ...tedcontrolplane/v2/snapshotcontroller/component.go | 0.00% | 4 Missing ⚠️ |
| ...rollers/hostedcontrolplane/v2/storage/component.go | 0.00% | 4 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8887      +/-   ##
==========================================
- Coverage   43.26%   43.24%   -0.02%     
==========================================
  Files         770      771       +1     
  Lines       95479    95578      +99     
==========================================
+ Hits        41311    41335      +24     
- Misses      51284    51359      +75     
  Partials     2884     2884              

| Files with missing lines | Coverage Δ |
|---|---|
| ...tedcontrolplane/v2/snapshotcontroller/component.go | 11.36% <0.00%> (-1.14%) ⬇️ |
| ...rollers/hostedcontrolplane/v2/storage/component.go | 0.00% <0.00%> (ø) |
| ...edcontrolplane/v2/snapshotcontroller/deployment.go | 0.00% <0.00%> (ø) |
| ...ollers/hostedcontrolplane/v2/storage/deployment.go | 0.00% <0.00%> (ø) |

... and 3 files with indirect coverage changes

| Flag | Coverage Δ |
|---|---|
| cmd-support | 36.67% <ø> (+0.04%) ⬆️ |
| cpo-hostedcontrolplane | 45.12% <0.00%> (-0.20%) ⬇️ |
| cpo-other | 45.10% <ø> (ø) |
| hypershift-operator | 53.58% <ø> (-0.01%) ⬇️ |
| other | 31.69% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.

@ingvagabund ingvagabund force-pushed the storage-operators-tls branch from 70b9d62 to 063ba79 Compare July 1, 2026 14:20
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2f183aa2-4f8f-44b0-9fa7-4bf8c888588e

📥 Commits

Reviewing files that changed from the base of the PR and between 063ba79 and b12aa98.

⛔ Files ignored due to path filters (30)
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
📒 Files selected for processing (8)
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
✅ Files skipped from review due to trivial changes (1)
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
🚧 Files skipped from review as they are similar to previous changes (7)
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go

📝 Walkthrough

Walkthrough

This change adds generated controller config files for the storage and snapshot-controller operators. New controller-config.yaml ConfigMaps are introduced, deployment manifests mount them at /var/run/configmaps/config, and container args reference the config path with --config and --terminate-on-files. New adaptControllerConfig helpers build GenericControllerConfig YAML from the workload TLS security profile, and the component wiring registers these adapters with WithManifestAdapter.

Sequence Diagram(s)

sequenceDiagram
  participant NewComponent as Component wiring
  participant adaptControllerConfig as Config adapter
  participant TLSProfile as TLS security profile
  participant ConfigMap as controller-config ConfigMap
  participant Deployment as Operator deployment

  NewComponent->>adaptControllerConfig: attach controller-config.yaml adapter
  adaptControllerConfig->>TLSProfile: read TLS settings
  adaptControllerConfig->>ConfigMap: write config.yaml
  Deployment->>ConfigMap: mount config volume
  Deployment->>Deployment: read /var/run/configmaps/config/config.yaml
  Deployment->>Deployment: use --config and --terminate-on-files

Related Issues: None specified

Related PRs: None specified

Suggested labels: ok-to-test, do-not-merge/hold

Suggested reviewers: csrwng, sjenning

Poem

YAML found its way to disk,
TLS settings, neat and brisk,
Volumes mounted, paths aligned,
Configs written, well designed.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly matches the main change: injecting centralized TLS configuration into storage operators. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | No Ginkgo test titles were changed; the diff only touches source and snapshot YAML fixtures, with no *_test.go files or It/Describe/Context/When edits. |
| Test Structure And Quality | ✅ Passed | No *_test.go files changed in the PR; only production Go files and generated asset fixtures were updated, so this test-quality check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | The diff only adds ConfigMap/TLS config wiring; no new nodeSelector, required anti-affinity, topologySpreadConstraints, or replica changes were introduced. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the PR only changes controller code, manifests, and generated fixtures. |
| No-Weak-Crypto | ✅ Passed | Changed files only wire existing TLS profile helpers into ConfigMap generation; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret comparisons found. |
| Container-Privileges | ✅ Passed | Touched deployments keep allowPrivilegeEscalation:false, drop ALL, runAsNonRoot:true; no privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/runAsUser:0 introduced. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No new logging APIs or sensitive payloads were added; only generic error wrapping and config/deployment manifest updates. |

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go (1)

41-78: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Simplify: set TypeMeta directly instead of JSON→map→YAML roundtrip.

configv1.GenericControllerConfig embeds metav1.TypeMeta inline, so apiVersion/kind can be set as struct fields and the whole config YAML-marshaled directly — no need for the JSON marshal/unmarshal-to-map dance. This also drops the encoding/json import.

This exact function body is duplicated verbatim in storage/deployment.go. Consider extracting a shared helper (e.g. in support/config) that both callers invoke with just the ComponentName/BindAddress, to avoid maintaining two copies of this marshal logic.

♻️ Proposed simplification
-func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
-	profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
-	controllerConfig := configv1.GenericControllerConfig{
-		ServingInfo: configv1.HTTPServingInfo{
-			ServingInfo: configv1.ServingInfo{
-				BindAddress:   ":8443",
-				CipherSuites:  config.CipherSuites(profile),
-				MinTLSVersion: config.MinTLSVersion(profile),
-			},
-		},
-	}
-
-	asJSON, err := json.Marshal(controllerConfig)
-	if err != nil {
-		return fmt.Errorf("failed to json marshal config: %w", err)
-	}
-
-	asMap := map[string]any{}
-	if err := json.Unmarshal(asJSON, &asMap); err != nil {
-		return fmt.Errorf("failed to json unmarshal config: %w", err)
-	}
-
-	asMap["apiVersion"] = configv1.GroupVersion.String()
-	asMap["kind"] = "GenericControllerConfig"
-
-	data, err := yaml.Marshal(asMap)
+func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
+	profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
+	controllerConfig := configv1.GenericControllerConfig{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: configv1.GroupVersion.String(),
+			Kind:       "GenericControllerConfig",
+		},
+		ServingInfo: configv1.HTTPServingInfo{
+			ServingInfo: configv1.ServingInfo{
+				BindAddress:   ":8443",
+				CipherSuites:  config.CipherSuites(profile),
+				MinTLSVersion: config.MinTLSVersion(profile),
+			},
+		},
+	}
+
+	data, err := yaml.Marshal(controllerConfig)
	if err != nil {
		return fmt.Errorf("failed to yaml marshal config: %w", err)
	}
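
Review bot: On the `+` side, `yaml.Marshal(controllerConfig)` now receives the struct instead of a JSON-derived map, so the emitted key names depend on whether `yaml` honors JSON struct tags and inlines the embedded `TypeMeta`. The hunk does not show the import, so confirm it is a JSON-tag-aware marshaler (for example sigs.k8s.io/yaml) before dropping the round trip; otherwise `apiVersion`, `kind` and `servingInfo` can come out under different names and the operator would not read the intended TLS settings. The new `metav1.TypeMeta` literal also needs a `metav1` import that is not among the visible lines, and `BindAddress: ":8443"` stays hard-coded on both sides, which is worth turning into a parameter if this body is extracted into a helper shared with storage/deployment.go.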

I flagged this with `` since it touches the openshift/api `GenericControllerConfig` struct shape; please confirm the embedded `TypeMeta` field name/tag matches what's assumed above.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go`
around lines 41 - 78, Simplify adaptControllerConfig by setting
configv1.GenericControllerConfig.TypeMeta directly and YAML-marshaling the
struct instead of converting through JSON and a map. Remove the unnecessary
encoding/json roundtrip, keep the existing TLS profile-derived ServingInfo
setup, and ensure apiVersion/kind are populated via the embedded TypeMeta on
GenericControllerConfig. Since this logic is duplicated in
storage/deployment.go, consider extracting a shared helper so both callers reuse
the same config rendering path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: af393ddb-20c4-4046-b1ae-8da2c8c37591

📥 Commits

Reviewing files that changed from the base of the PR and between 8c71b38 and 063ba79.

@hypershift-jira-solve-ci

hypershift-jira-solve-ci Bot commented Jul 1, 2026

Now I have the complete picture. The key finding is:

  • snapshotcontroller package: 6.7% coverage (the existing test TestIsStorageAndCSIManaged only covers a tiny predicate; the new adaptControllerConfig function is NOT directly tested)
  • storage package: 16.0% coverage (similar situation)

The TestControlPlaneComponents fixture test in the parent package does exercise the code indirectly, but the Go coverage profile measures per-package coverage — since there's no deployment_test.go in either snapshotcontroller/ or storage/ that directly calls adaptControllerConfig, codecov reports 0% patch coverage.

Test Failure Analysis Complete

Job Information

  • Prow Job: N/A — these are GitHub Actions codecov checks, not Prow CI jobs
  • Build ID: GitHub Actions run 28524443466 (unit tests), codecov check runs 84561659958 (project) and 84561184525 (patch)
  • PR: #8887 STOR-2954: inject centralized TLS configuration for storage operators
  • Branch: ingvagabund:storage-operators-tls

Test Failure Analysis

Error

codecov/patch:   0.00% of diff hit (target 43.26%)
codecov/project: 43.24% (-0.02%) compared to ca3d347

Summary

Both codecov checks failed because the PR adds two new adaptControllerConfig Go functions (one in snapshotcontroller/deployment.go, one in storage/deployment.go) totaling ~61 executable lines of new code, but neither function has a direct unit test in its own package. The TestControlPlaneComponents fixture test in the parent package exercises the code indirectly (and generates the correct testdata fixtures), but Go's -coverprofile only records coverage for the package under test — not cross-package calls. As a result, codecov reports 0% patch coverage and a -0.02% project coverage regression. This is not a product bug or a test logic failure; it is a missing direct unit test for new functions.

Root Cause

The PR adds two identical adaptControllerConfig functions:

  1. control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
  2. control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go

These functions build a GenericControllerConfig with TLS cipher suites and min TLS version from the HostedControlPlane's TLS security profile, then serialize it to YAML and inject it into a ConfigMap.

Why codecov reports 0% patch coverage:

  • Go's -coverprofile flag only instruments and records coverage for the package being tested. The TestControlPlaneComponents integration test lives in the parent package (hostedcontrolplane/) and calls into snapshotcontroller and storage packages — but this cross-package execution is not recorded in the coverage profile for those sub-packages.
  • The snapshotcontroller package has only one test file (component_test.go) which tests isStorageAndCSIManaged — it does not test adaptControllerConfig. Package-level coverage is 6.7%.
  • The storage package has only envreplace_test.go — it does not test adaptControllerConfig. Package-level coverage is 16.0%.

Established pattern not followed: Other components with the same adaptControllerConfig pattern (e.g., pkioperator, registryoperator) have dedicated configmap_test.go files that directly unit-test the function. This PR did not follow that pattern.

codecov/project fails because the 61 new uncovered lines cause a net -0.02% drop in overall project coverage (from 43.26% to 43.24%).

codecov/patch fails because 0 of the 61 new executable lines are hit by any test that generates a coverage profile for these packages.

Recommendations
  1. Add configmap_test.go to both packages — Follow the existing pattern from pkioperator/configmap_test.go and registryoperator/configmap_test.go. Create:

    • v2/snapshotcontroller/configmap_test.go
    • v2/storage/configmap_test.go

    Each should test adaptControllerConfig with multiple TLS profiles (Intermediate, Modern, Old, Custom, nil) and verify the generated ConfigMap YAML contains the expected cipher suites and min TLS version.

  2. Alternatively, if codecov checks are non-blocking — confirm with the team whether codecov/patch and codecov/project are required checks for merge. Recent merged PRs (OCPBUGS-94178: Remove --skip-crd-migration-phases flags from CAPI deployment #8881, NO-JIRA: fix(e2e-v2): gate ConfigOperatorReconciliationSucceeded on 4.23+ #8875, CNTRLPLANE-3737: Add find-push-pipelinerun script #8851) all passed codecov, so these checks appear to be enforced. Adding the tests is the correct fix.

  3. Consider deduplicating — The adaptControllerConfig functions in snapshotcontroller/deployment.go and storage/deployment.go are byte-for-byte identical. Extract a shared helper (e.g., in support/config/ or a shared storage_common package) to reduce maintenance burden and test surface.

Evidence

| Evidence | Detail |
|---|---|
| codecov/patch result | 0.00% of diff hit (target 43.26%) — zero new lines covered |
| codecov/project result | 43.24% (-0.02%) compared to ca3d347 — net coverage regression |
| snapshotcontroller package coverage | 6.7% of statements (from CI log) |
| storage package coverage | 16.0% of statements (from CI log) |
| Changed Go files | 4 files: snapshotcontroller/{component,deployment}.go, storage/{component,deployment}.go |
| New executable lines | ~61 lines across 2 new adaptControllerConfig functions |
| Existing test pattern | pkioperator/configmap_test.go and registryoperator/configmap_test.go both test adaptControllerConfig directly |
| Missing tests | No configmap_test.go in snapshotcontroller/ or storage/ |
| Unit tests overall | All 5 unit test shards passed (cpo-hostedcontrolplane, cpo-other, hypershift-operator, cmd-support, other) |
| Fixture tests | TestControlPlaneComponents fixtures updated correctly (new config_configmap.yaml files) — code works, but coverage not recorded cross-package |
| Recent merged PRs | #8881, #8875, #8851 all passed codecov (coverage unaffected or improved) |
| Base comparison | ca3d347 (main) at 43.26% project coverage |
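
The kind of assertion the recommended configmap_test.go would make on the rendered config, sketched with the Go standard library only. This is an added example, not code from this PR or from HyperShift: checkRenderedTLS, the error values and the sample inputs are hypothetical, and the samples are written as JSON so encoding/json can parse them.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
)

// servingInfo holds only the TLS fields; names follow ServingInfo in the OpenShift config API.
type servingInfo struct {
	MinTLSVersion string   `json:"minTLSVersion"`
	CipherSuites  []string `json:"cipherSuites"`
}

var ( // sample* values are constructed (JSON, also valid YAML), not the real profile contents
	errVersion = errors.New("minTLSVersion missing, unknown or below floor")
	errSuite   = errors.New("cipher suite unknown to crypto/tls or listed as insecure")
	versions   = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11, "VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}
	sampleOK   = []byte(`{"servingInfo":{"minTLSVersion":"VersionTLS12","cipherSuites":["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]}}`)
	sampleWeak = []byte(`{"servingInfo":{"minTLSVersion":"VersionTLS12","cipherSuites":["TLS_ECDHE_RSA_WITH_RC4_128_SHA"]}}`)
	sampleNone = []byte(`{"servingInfo":{}}`) // what a profile that rendered no TLS settings would look like
)

// checkRenderedTLS (hypothetical helper) validates the TLS settings of a rendered operator config.
func checkRenderedTLS(rendered []byte, floor uint16) error {
	var cfg struct{ ServingInfo servingInfo } // encoding/json matches the "servingInfo" key case-insensitively
	if err := json.Unmarshal(rendered, &cfg); err != nil {
		return fmt.Errorf("parse config: %w", err)
	}
	if v, ok := versions[cfg.ServingInfo.MinTLSVersion]; !ok || v < floor {
		return fmt.Errorf("%w: %q", errVersion, cfg.ServingInfo.MinTLSVersion)
	}
	secure := map[string]bool{}
	for _, s := range tls.CipherSuites() { // this list excludes tls.InsecureCipherSuites()
		secure[s.Name] = true
	}
	for _, name := range cfg.ServingInfo.CipherSuites {
		if !secure[name] {
			return fmt.Errorf("%w: %q", errSuite, name)
		}
	}
	return nil
}

func main() {
	fmt.Println(checkRenderedTLS(sampleOK, tls.VersionTLS12), checkRenderedTLS(sampleWeak, tls.VersionTLS12))
}
```

A real test in those packages would decode the ConfigMap's YAML with the project's own decoder and compare against the cipher list of each TLS profile.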

@ingvagabund

ingvagabund commented Jul 3, 2026

Member Author

Running the CPO image locally:

$ oc logs -n clusters-jchaloup-20260702 csi-snapshot-controller-operator-65778b549d-rkhjh 
...
I0703 10:50:01.324010       1 builder.go:304] csi-snapshot-controller-operator version -
F0703 10:50:01.324180       1 cmd.go:182] bindAddress is invalid: not an IP
$ oc logs -n clusters-jchaloup-20260702 cluster-storage-operator-9db98c6f4-pk2k7
...
I0703 11:13:43.020670       1 builder.go:304] cluster-storage-operator version 4.22.0-202607010254.p2.g8dfdf2e.assembly.stream.el9-8dfdf2e-8dfdf2ef3310358f3559a5481df43b98b2294791
F0703 11:13:43.020784       1 cmd.go:182] bindAddress is invalid: not an IP

Mount a configmap with an operator config injected with the HCP TLS security
profile.
…uration

Mount a configmap with an operator config injected with the HCP TLS security
profile.
@ingvagabund ingvagabund force-pushed the storage-operators-tls branch from 063ba79 to b12aa98 Compare July 3, 2026 11:47
@ingvagabund

Member Author

Validated via #8912 (comment). Both operators are running.

@dfajmon

dfajmon commented Jul 3, 2026

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@openshift-merge-bot

Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@cwbotbot

cwbotbot commented Jul 3, 2026

Test Results

e2e-aws

e2e-aks

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

@ingvagabund: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-azure-v2-self-managed | b12aa98 | link | true | /test e2e-azure-v2-self-managed |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

4 participants