wip: Tls injection all in one (only for testing purposes)#8912

Open
ingvagabund wants to merge 8 commits into
openshift:mainfrom
ingvagabund:tls-injection-all-in-one

@ingvagabund

@ingvagabund ingvagabund commented Jul 2, 2026

Member

/hold

Only to produce the cpo and ho images for local testing.

Picks up:

Summary by CodeRabbit

  • New Features

    • Added cluster-driven TLS configuration (minimum TLS version and cipher suites) across control plane services, cloud controller managers, and CAPI provider components.
    • Ignition server proxy now uses a prebuilt HAProxy configuration from a ConfigMap and supports TLS-aware startup.
    • Snapshot, storage, and related operators now generate and mount TLS-aware controller configuration via ConfigMaps.
  • Bug Fixes

    • Updated ignition server and proxy components to honor configured TLS settings instead of fixed defaults, improving consistent TLS behavior end-to-end.

@openshift-merge-bot

Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci Bot added labels Jul 2, 2026:
  • do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
  • do-not-merge/needs-area
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Contributor

Walkthrough

Changes

This PR propagates HostedControlPlane TLS security profile settings into multiple deployment specs, adds generated controller ConfigMaps for storage and snapshot components, replaces inline HAProxy config generation with a mounted ConfigMap, and adds TLS configuration flags to the ignition-server startup command. It also updates several CAPI provider deployment signatures to use the HostedControlPlane value when building container args.

Related Issues: No related issues were referenced in the provided information.

Related PRs: No related PRs were referenced in the provided information.

Suggested labels: area/control-plane-operator, area/hypershift-operator, area/ignition-server

Suggested reviewers: No specific reviewers could be determined from the provided information.

Poem
TLS values now travel far,
From HCP to every bar,
Configs mounted, flags aligned,
Startup args and ciphers bind.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title matches the main change: a broad TLS-configuration injection update across multiple components, with the WIP/testing note reflecting the PR intent. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The only Ginkgo titles added/changed are static, descriptive strings in two e2e test files; no dynamic names or generated values appear. |
| Test Structure And Quality | ✅ Passed | No Ginkgo test files were changed; the diff only touches code, fixtures, and manifests, so the test-structure check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | The PR only adds TLS flags/config to ignition-server and test fixtures; no new affinity, nodeSelector, PDB, or replica changes were introduced. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; the changed files are deployment/config/runtime code and contain no It/Describe/Context/When blocks or IPv4/external-network patterns. |
| No-Weak-Crypto | ✅ Passed | No added MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage; new TLS wiring only forwards configured profiles and adds no custom crypto. |
| Container-Privileges | ✅ Passed | No changed manifest sets privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation:true; the only new capability is NET_BIND_SERVICE and other pods keep allowPrivilegeEscalation:fal... |
| No-Sensitive-Data-In-Logs | ✅ Passed | No touched log statements emit tokens, passwords, PII, or internal data; the new code only logs non-sensitive request/config details. |
Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from csrwng and enxebre July 2, 2026 20:47
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ingvagabund
Once this PR has been reviewed and has the lgtm label, please assign muraee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added labels Jul 2, 2026:
  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • area/hypershift-operator: Indicates the PR includes changes for the hypershift operator and API - outside an OCP release
  • area/platform/aws: PR/issue for AWS (AWSPlatform) platform
  • area/platform/azure: PR/issue for Azure (AzurePlatform) platform
  • area/platform/gcp: PR/issue for GCP (GCPPlatform) platform
  • area/platform/kubevirt: PR/issue for KubeVirt (KubevirtPlatform) platform
  • area/platform/openstack: PR/issue for OpenStack (OpenStackPlatform) platform
  • area/platform/powervs: PR/issue for PowerVS (PowerVSPlatform) platform
and removed the do-not-merge/needs-area label.
@codecov

codecov Bot commented Jul 2, 2026


Codecov Report

❌ Patch coverage is 12.53406% with 321 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.17%. Comparing base (488ef0e) to head (de73e84).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...controlplane/v2/ignitionserver_proxy/deployment.go | 0.00% | 78 Missing ⚠️ |
| ...edcontrolplane/v2/snapshotcontroller/deployment.go | 0.00% | 32 Missing ⚠️ |
| ...ollers/hostedcontrolplane/v2/storage/deployment.go | 0.00% | 32 Missing ⚠️ |
| ...ers/hostedcluster/internal/platform/agent/agent.go | 0.00% | 18 Missing ⚠️ |
| ignition-server/cmd/start.go | 0.00% | 18 Missing ⚠️ |
| ...rollers/hostedcluster/internal/platform/aws/aws.go | 0.00% | 17 Missing ⚠️ |
| ...ers/hostedcluster/internal/platform/azure/azure.go | 0.00% | 17 Missing ⚠️ |
| ...stedcluster/internal/platform/kubevirt/kubevirt.go | 0.00% | 16 Missing ⚠️ |
| ...hostedcluster/internal/platform/powervs/powervs.go | 0.00% | 16 Missing ⚠️ |
| ...plane/v2/cloud_controller_manager/aws/component.go | 0.00% | 13 Missing ⚠️ |

... and 9 more

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8912      +/-   ##
==========================================
- Coverage   43.28%   43.17%   -0.11%     
==========================================
  Files         771      771              
  Lines       95506    95808     +302     
==========================================
+ Hits        41335    41365      +30     
- Misses      51287    51557     +270     
- Partials     2884     2886       +2     

| Files with missing lines | Coverage Δ |
|---|---|
| ...s/hostedcontrolplane/v2/capi_manager/deployment.go | 100.00% <100.00%> (ø) |
| .../v2/cloud_controller_manager/powervs/deployment.go | 100.00% <100.00%> (ø) |
| ...hostedcontrolplane/v2/ignitionserver/deployment.go | 43.85% <100.00%> (+9.16%) ⬆️ |
| ...dcontrolplane/v2/ignitionserver_proxy/component.go | 33.33% <0.00%> (-5.80%) ⬇️ |
| ...tedcontrolplane/v2/snapshotcontroller/component.go | 11.36% <0.00%> (-1.14%) ⬇️ |
| ...rollers/hostedcontrolplane/v2/storage/component.go | 0.00% <0.00%> (ø) |
| ...v2/cloud_controller_manager/kubevirt/deployment.go | 0.00% <0.00%> (ø) |
| ...rollers/hostedcluster/internal/platform/gcp/gcp.go | 82.23% <46.15%> (-1.45%) ⬇️ |
| ...edcluster/internal/platform/openstack/openstack.go | 70.44% <70.83%> (-0.84%) ⬇️ |
| ...2/cloud_controller_manager/openstack/deployment.go | 9.25% <0.00%> (-1.62%) ⬇️ |

... and 12 more

| Flag | Coverage Δ |
|---|---|
| cmd-support | 36.67% <ø> (ø) |
| cpo-hostedcontrolplane | 44.84% <10.08%> (-0.48%) ⬇️ |
| cpo-other | 45.10% <ø> (ø) |
| hypershift-operator | 53.46% <19.00%> (-0.13%) ⬇️ |
| other | 31.69% <0.00%> (-0.01%) ⬇️ |

Flags with carried forward coverage won't be shown. Click here to find out more.


@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 3

🧹 Nitpick comments (2)
hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go (1)

68-95: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicated TLS-args construction across 7 platform files.

The if hcp != nil { ... MinTLSVersion ... CipherSuites ... } block (and the surrounding args slice pattern) is copy-pasted identically across agent.go, aws.go, azure.go, gcp.go, kubevirt.go, openstack.go, and powervs.go, differing only in flag order and the variable name (args vs capoArgs). Consider extracting a shared helper (e.g., in support/config) that both platforms call, reducing 7x duplication to a single source of truth and also avoiding the double GetTLSSecurityProfile() call per file.

♻️ Proposed shared helper
```go
// support/config/tls.go
func TLSArgs(hcp *hyperv1.HostedControlPlane) []string {
	if hcp == nil {
		return nil
	}
	profile := hcp.Spec.Configuration.GetTLSSecurityProfile()
	var args []string
	if v := MinTLSVersion(profile); v != "" {
		args = append(args, fmt.Sprintf("--tls-min-version=%s", v))
	}
	if c := CipherSuites(profile); len(c) != 0 {
		args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(c, ",")))
	}
	return args
}
```

Also applies to: 96-116

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go`
around lines 68 - 95, The TLS argument construction in
Agent.CAPIProviderDeploymentSpec is duplicated across multiple platform
deployment builders and also calls GetTLSSecurityProfile() more than once.
Extract the shared TLS flag building into a helper (for example in
support/config) that returns the min-version and cipher-suite args from a
HostedControlPlane, then have CAPIProviderDeploymentSpec and the matching
aws/azure/gcp/kubevirt/openstack/powervs deployment spec methods append that
shared result instead of inlining the repeated hcp nil and
MinTLSVersion/CipherSuites logic.
control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go (1)

60-74: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Extract shared TLS-arg helper to avoid 6x duplication.

This exact block (compute MinTLSVersion/CipherSuites, conditionally append --tls-min-version/--tls-cipher-suites) is copy-pasted verbatim across the AWS, Azure, GCP, KubeVirt, OpenStack, and PowerVS cloud-controller-manager adapters in this PR. A shared helper in support/config (which already owns MinTLSVersion/CipherSuites) would remove the duplication and centralize any future changes (e.g. adjusting the flag names).

♻️ Proposed helper and call-site simplification
+// in support/config (e.g. cipher.go)
+func TLSArgs(hcp *hyperv1.HostedControlPlane) []string {
+	profile := hcp.Spec.Configuration.GetTLSSecurityProfile()
+	var args []string
+	if tlsMinVersion := MinTLSVersion(profile); tlsMinVersion != "" {
+		args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+	}
+	if cipherSuites := CipherSuites(profile); len(cipherSuites) != 0 {
+		args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+	}
+	return args
+}
 	podspec.UpdateContainer("cloud-controller-manager", deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
-		// Add TLS configuration based on cluster TLS security profile
-		if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
-			c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
-		}
-		if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
-			c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
-		}
+		c.Args = append(c.Args, config.TLSArgs(hcp)...)
 	})
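
Review bot: the added `TLSArgs` dereferences `hcp.Spec.Configuration` on its first line with no nil guard, so any caller that passes a nil HostedControlPlane panics. The cloud-controller-manager call site shown here already uses `hcp` unguarded, so nothing changes there, but a helper placed in support/config for shared use should begin with `if hcp == nil { return nil }`. Since this one function would replace the logic in six adapters, a table-driven unit test covering the empty-profile, version-only and ciphers-only cases belongs with it.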

This also fixes the minor inefficiency of calling GetTLSSecurityProfile() twice per invocation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go`
around lines 60 - 74, The TLS flag assembly in adaptDeployment is duplicated
across multiple cloud-controller-manager adapters, so move the shared logic into
a helper under support/config near MinTLSVersion and CipherSuites. Have the
helper accept the TLS security profile once, compute both values once, and
append the --tls-min-version and --tls-cipher-suites args so
AWS/Azure/GCP/KubeVirt/OpenStack/PowerVS callers can just invoke it from their
UpdateContainer blocks. This also lets you avoid calling GetTLSSecurityProfile()
twice in adaptDeployment and keeps the flag formatting centralized for future
changes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go`:
- Around line 75-97: The TLS 1.3 cipher suites are being filtered out in the
HAProxy config builder and never emitted, so update the logic in the deployment
config generation to preserve them separately from TLS 1.2 ciphers. In the code
around the ciphers handling, split the list into TLS_ prefixed and non-TLS_
entries, keep the existing ciphers behavior for TLS 1.2 values, and add the TLS
1.3 values to both bindOptions and serverOptions using ciphersuites instead of
dropping them. Use the existing deployment config construction flow and
identifiers like minTLSVersion, cipherStr, bindOptions, and serverOptions to
locate the change.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go`:
- Around line 42-78: The TLS controller config generation logic in
adaptControllerConfig is duplicated across multiple deployment helpers, making
future updates hard to keep in sync. Extract the shared JSON→map→apiVersion/kind
injection→YAML marshaling flow into a common helper (for example under
support/config) that accepts the TLS profile and bind address, then have this
snapshotcontroller adaptControllerConfig delegate to it instead of rebuilding
the config inline. Keep the existing cm.Data["config.yaml"] write path unchanged
and preserve the current BindAddress difference as an argument.

In `@hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go`:
- Around line 206-209: Remove the placeholder version-conditional feature-gate
branch in gcp.go so the payloadVersion check in the GCP platform setup no longer
appends ClusterResourceSet=false. Update the featureGates construction in the
logic around p.payloadVersion to only include real, registered gates, since this
branch can pass an unrecognized flag and stop the manager from starting.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4b253436-f71a-427d-a070-ecb9420c551f

📥 Commits

Reviewing files that changed from the base of the PR and between 9aeb1f3 and f706a08.

⛔ Files ignored due to path filters (52)
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • hypershift-operator/controllers/hostedcluster/testdata/capi-provider/zz_fixture_TestReconcileComponents.yaml is excluded by !**/testdata/**
  • hypershift-operator/controllers/hostedcluster/testdata/cluster-api/zz_fixture_TestReconcileComponents.yaml is excluded by !**/testdata/**
📒 Files selected for processing (28)
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
  • ignition-server/cmd/start.go

Comment on lines +75 to +97
// Filter out TLS 1.3 ciphers (they start with "TLS_") - TLS 1.3 ciphers are not configurable in HAProxy
var cipherStr string
tls12Ciphers := []string{}
for _, cipher := range ciphers {
if !strings.HasPrefix(cipher, "TLS_") {
tls12Ciphers = append(tls12Ciphers, cipher)
}
}
if len(tls12Ciphers) > 0 {
cipherStr = strings.Join(tls12Ciphers, ":")
}

bindOptions := "bind :::8443 v4v6 ssl crt /tmp/tls.pem"
serverOptions := "server ignition-server ignition-server:443 check ssl ca-file /etc/ssl/root-ca/ca.crt"

if minTLSVersion != "" {
bindOptions += fmt.Sprintf(" ssl-min-ver %s", minTLSVersion)
serverOptions += fmt.Sprintf(" ssl-min-ver %s", minTLSVersion)
}
if cipherStr != "" {
bindOptions += fmt.Sprintf(" ciphers %s", cipherStr)
serverOptions += fmt.Sprintf(" ciphers %s", cipherStr)
}
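Review bot: the strings.HasPrefix(cipher, "TLS_") filter at the top only isolates TLS 1.3 suites if ciphers holds OpenSSL-style names. IANA-style TLS 1.2 names also begin with TLS_, so a list in that form would be dropped entirely, cipherStr would stay empty, and no ciphers option would be written at all. The hunk does not show where ciphers is produced, so state the expected naming in the comment or check it here. Separately, minTLSVersion and the joined cipher string reach bindOptions and serverOptions through fmt.Sprintf unchecked; validate minTLSVersion against the values ssl-min-ver accepts and reject cipher names containing whitespace, so a malformed profile value cannot add extra tokens to the generated HAProxy lines.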


🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does HAProxy support the ciphersuites keyword on server lines (not just bind), and since which version?

💡 Result:

Yes, HAProxy supports the ciphersuites keyword on server lines [1][2]. The ciphersuites keyword is used specifically to configure TLSv1.3 cipher suites [3][4]. Support for the ciphersuites keyword was introduced in HAProxy 1.8.15 [4]. It requires that HAProxy be built with OpenSSL 1.1.1 or later, as this is the minimum version of OpenSSL required to support the TLSv1.3 protocol and its associated ciphersuites API [5][6][4]. While the directive can be used on individual server lines to define ciphersuites for TLSv1.3, HAProxy also provides the ssl-default-server-ciphersuites directive for global configuration [5]. These keywords are distinct from ciphers, which are used to configure ciphers for TLSv1.2 and earlier protocols [3][4].


🏁 Script executed:

git ls-files control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy control-plane-operator/controllers/hostedcontrolplane/v2 | sed -n '1,200p'

Repository: openshift/hypershift

Length of output: 20785


🏁 Script executed:

set -euo pipefail

echo "== deployment.go =="
cat -n control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go | sed -n '1,220p'

echo
echo "== haproxy-config asset =="
cat -n control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml | sed -n '1,220p'

echo
echo "== search for ciphers/ciphersuites in ignitionserver_proxy =="
rg -n "ciphersuites|ssl-min-ver|ciphers" control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy

Repository: openshift/hypershift

Length of output: 6654


Handle TLS 1.3 cipher suites separately.
TLS_-prefixed suites are filtered out here and never written to the HAProxy config, so a Modern/Custom profile can lose its TLS 1.3 restrictions and fall back to HAProxy defaults. Emit the TLS 1.3 values with ciphersuites on the bind/server lines instead of dropping them.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go`
around lines 75 - 97, The TLS 1.3 cipher suites are being filtered out in the
HAProxy config builder and never emitted, so update the logic in the deployment
config generation to preserve them separately from TLS 1.2 ciphers. In the code
around the ciphers handling, split the list into TLS_ prefixed and non-TLS_
entries, keep the existing ciphers behavior for TLS 1.2 values, and add the TLS
1.3 values to both bindOptions and serverOptions using ciphersuites instead of
dropping them. Use the existing deployment config construction flow and
identifiers like minTLSVersion, cipherStr, bindOptions, and serverOptions to
locate the change.
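The split requested in the review comment above, as an added Go example (not code from the PR or the hypershift repository). The helper names buildTLSOptions and buildProxyLines are hypothetical, and the example assumes ciphers arrives as OpenSSL-style names and minTLSVersion is already in HAProxy's form (for example TLSv1.2).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TLS values HAProxy accepts for ssl-min-ver. SSLv3 is also accepted by
// HAProxy but is deliberately left out of this allowlist.
var haproxyMinVer = map[string]bool{
	"TLSv1.0": true, "TLSv1.1": true, "TLSv1.2": true, "TLSv1.3": true,
}

// cipherName matches a single OpenSSL-style cipher or TLS 1.3 suite name.
// Whitespace, newlines or ':' inside one entry would otherwise add tokens to
// the generated configuration line.
var cipherName = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// buildTLSOptions (hypothetical helper) turns a minimum version and a mixed
// cipher list into HAProxy options. TLS 1.3 suites (assumed to be the only
// names starting with "TLS_") go to "ciphersuites"; the rest go to "ciphers".
func buildTLSOptions(minTLSVersion string, ciphers []string) (string, error) {
	if minTLSVersion != "" && !haproxyMinVer[minTLSVersion] {
		return "", fmt.Errorf("unsupported ssl-min-ver value %q", minTLSVersion)
	}
	var tls12, tls13 []string
	for _, c := range ciphers {
		if !cipherName.MatchString(c) {
			return "", fmt.Errorf("invalid cipher name %q", c)
		}
		if strings.HasPrefix(c, "TLS_") {
			tls13 = append(tls13, c)
		} else {
			tls12 = append(tls12, c)
		}
	}
	var opts []string
	if minTLSVersion != "" {
		opts = append(opts, "ssl-min-ver "+minTLSVersion)
	}
	if len(tls12) > 0 {
		opts = append(opts, "ciphers "+strings.Join(tls12, ":"))
	}
	if len(tls13) > 0 {
		opts = append(opts, "ciphersuites "+strings.Join(tls13, ":"))
	}
	return strings.Join(opts, " "), nil
}

// buildProxyLines (hypothetical helper) appends the same TLS options to the
// bind and server lines shown in the hunk under review.
func buildProxyLines(minTLSVersion string, ciphers []string) (string, string, error) {
	opts, err := buildTLSOptions(minTLSVersion, ciphers)
	if err != nil {
		return "", "", err
	}
	bind := "bind :::8443 v4v6 ssl crt /tmp/tls.pem"
	server := "server ignition-server ignition-server:443 check ssl ca-file /etc/ssl/root-ca/ca.crt"
	if opts != "" {
		bind += " " + opts
		server += " " + opts
	}
	return bind, server, nil
}

func main() {
	// Constructed sample profile mixing TLS 1.2 ciphers and TLS 1.3 suites.
	sample := []string{
		"TLS_AES_128_GCM_SHA256",
		"ECDHE-RSA-AES128-GCM-SHA256",
		"TLS_AES_256_GCM_SHA384",
	}
	bind, server, err := buildProxyLines("TLSv1.2", sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(bind)
	fmt.Println(server)

	// A value carrying a newline is rejected instead of being written out.
	_, _, err = buildProxyLines("TLSv1.2\n  mode tcp", nil)
	fmt.Println("rejected:", err != nil)
}
```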

Comment on lines +42 to +78
func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
controllerConfig := configv1.GenericControllerConfig{
ServingInfo: configv1.HTTPServingInfo{
ServingInfo: configv1.ServingInfo{
BindAddress: ":8443",
CipherSuites: config.CipherSuites(profile),
MinTLSVersion: config.MinTLSVersion(profile),
},
},
}

asJSON, err := json.Marshal(controllerConfig)
if err != nil {
return fmt.Errorf("failed to json marshal config: %w", err)
}

asMap := map[string]any{}
if err := json.Unmarshal(asJSON, &asMap); err != nil {
return fmt.Errorf("failed to json unmarshal config: %w", err)
}

asMap["apiVersion"] = configv1.GroupVersion.String()
asMap["kind"] = "GenericControllerConfig"

data, err := yaml.Marshal(asMap)
if err != nil {
return fmt.Errorf("failed to yaml marshal config: %w", err)
}

if cm.Data == nil {
cm.Data = map[string]string{}
}

cm.Data["config.yaml"] = string(data)
return nil
}
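Review bot: the JSON to map to YAML round trip in the middle of adaptControllerConfig carries no comment saying why it is there; from the visible lines its only effect is to add apiVersion and kind before the YAML marshal. Add a doc comment on the function that says so and notes that cm.Data["config.yaml"] is overwritten on every call. Nothing here checks that CipherSuites and MinTLSVersion survive the round trip, so a small table-driven test asserting that a custom profile's values appear in the rendered config.yaml would be worth adding alongside this change.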


📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Extract shared adaptControllerConfig helper to eliminate triplicated TLS-config logic.

This function is byte-for-byte identical in structure to adaptControllerConfig in control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go (lines 51-87) and closely mirrors registryoperator/configmap.go's version (JSON→map→inject apiVersion/kind→YAML marshal→write to cm.Data["config.yaml"]), differing only in BindAddress. Any future change to the TLS-profile-to-config mapping (e.g. adding new fields, fixing a marshal bug) now needs to be replicated in three places.

Consider extracting a shared helper, e.g. in support/config, that takes the bind address and TLS profile and returns the marshaled YAML bytes (or writes directly into the ConfigMap), then have each component call it with its own BindAddress.

♻️ Example shared helper sketch
+// in support/config (new helper)
+func BuildGenericControllerConfigYAML(bindAddress string, profile *configv1.TLSSecurityProfile) ([]byte, error) {
+	controllerConfig := configv1.GenericControllerConfig{
+		ServingInfo: configv1.HTTPServingInfo{
+			ServingInfo: configv1.ServingInfo{
+				BindAddress:   bindAddress,
+				CipherSuites:  CipherSuites(profile),
+				MinTLSVersion: MinTLSVersion(profile),
+			},
+		},
+	}
+	asJSON, err := json.Marshal(controllerConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to json marshal config: %w", err)
+	}
+	asMap := map[string]any{}
+	if err := json.Unmarshal(asJSON, &asMap); err != nil {
+		return nil, fmt.Errorf("failed to json unmarshal config: %w", err)
+	}
+	asMap["apiVersion"] = configv1.GroupVersion.String()
+	asMap["kind"] = "GenericControllerConfig"
+	return yaml.Marshal(asMap)
+}
-func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
-	profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
-	controllerConfig := configv1.GenericControllerConfig{
-		...
-	}
-	asJSON, err := json.Marshal(controllerConfig)
-	...
-	cm.Data["config.yaml"] = string(data)
-	return nil
-}
+func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
+	profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
+	data, err := config.BuildGenericControllerConfigYAML(":8443", profile)
+	if err != nil {
+		return err
+	}
+	if cm.Data == nil {
+		cm.Data = map[string]string{}
+	}
+	cm.Data["config.yaml"] = string(data)
+	return nil
+}
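Review bot: the sketched helper ends with return yaml.Marshal(asMap), which drops the "failed to yaml marshal config: %w" wrapping that the original function applies, and the rewritten adaptControllerConfig returns err from the helper without adding context either. Keep the wrapped error in the helper, or wrap it at the call site, so a failure still names the step and the component that hit it.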
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go`
around lines 42 - 78, The TLS controller config generation logic in
adaptControllerConfig is duplicated across multiple deployment helpers, making
future updates hard to keep in sync. Extract the shared JSON→map→apiVersion/kind
injection→YAML marshaling flow into a common helper (for example under
support/config) that accepts the TLS profile and bind address, then have this
snapshotcontroller adaptControllerConfig delegate to it instead of rebuilding
the config inline. Keep the existing cm.Data["config.yaml"] write path unchanged
and preserve the current BindAddress difference as an argument.

Comment on lines +206 to +209
// Version-conditional feature gates (future-proofing)
if p.payloadVersion != nil && p.payloadVersion.Major == 4 && p.payloadVersion.Minor > 16 {
featureGates = append(featureGates, "ClusterResourceSet=false") // Example
}
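Review bot: the condition p.payloadVersion.Major == 4 && p.payloadVersion.Minor > 16 stops matching as soon as the payload major version moves past 4, so a gate described as future-proofing would silently stop being applied on the next major. If the intent is "this version or later", compare the whole version rather than pinning Major to 4, and replace the // Example marker with a comment stating why the gate is set, or drop the branch until there is a real gate to add.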


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does cluster-api-provider-gcp v1.11.0 register a ClusterResourceSet feature gate flag?

💡 Result:

No, cluster-api-provider-gcp v1.11.0 does not register a ClusterResourceSet feature gate flag. The ClusterResourceSet feature was promoted to General Availability (GA) in Cluster API v1.10 [1][2]. Following its transition to GA, the associated feature gate flag was deprecated in Cluster API and subsequently removed in later versions [3][4][1]. As Cluster API Provider GCP (CAPG) v1.11.0 upgraded its underlying Cluster API dependencies to v1.11 [5], it aligns with the upstream state where this feature is considered GA and no longer managed via a feature gate flag [3][1]. Historically, while the feature was in beta, it was controlled by the EXP_CLUSTER_RESOURCE_SET environment variable or the ClusterResourceSet feature gate [6]. However, as of its current GA status, it is enabled by default and does not require a feature gate to be registered or enabled [1][7].


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go"

# Show the relevant area with line numbers.
sed -n '180,235p' "$file" | cat -n

Repository: openshift/hypershift

Length of output: 2627


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go"

echo "== relevant section =="
sed -n '180,250p' "$file" | cat -n

echo
echo "== featureGates consumers in gcp platform code =="
rg -n 'featureGates|ClusterResourceSet' hypershift-operator/controllers/hostedcluster/internal/platform/gcp -A 3 -B 3

Repository: openshift/hypershift

Length of output: 5523


🌐 Web query:

Kubernetes feature-gates unknown feature gate argument behavior binary startup

💡 Result:

In Kubernetes, the default behavior for providing an unknown feature gate argument at binary startup is to trigger an error, which causes the component to fail to start [1][2][3][4]. When a Kubernetes component (such as the kube-apiserver or kubelet) initializes, it processes the --feature-gates flag [5]. The internal feature gate subsystem performs strict validation against the list of known feature gates [6]. If an argument is provided that does not match a registered feature gate, the system returns an "unrecognized feature gate" error [6][1]. This validation failure results in the component logging the error and exiting immediately to prevent the cluster or node from running in an unsupported or unintended state [1][2][3][4].

Key points regarding this behavior include:

  • Fail-Fast Mechanism: The component-level startup logic acts as a safeguard. If a configuration file or command-line argument specifies a gate that the running binary does not recognize—often occurring during version upgrades or misconfiguration—the process will not proceed [1][4].
  • Error Logs: When this occurs, you will typically see an error message in the component logs, such as: "Failed to set feature gates from initial flags-based config" followed by "unrecognized feature gate: " [1][3][4].
  • Troubleshooting: To resolve this, you must identify the component receiving the invalid flag and remove it from the corresponding configuration file (e.g., /etc/kubernetes/manifests/ or systemd service configurations) or command-line arguments [1][4].
  • Exceptions: While the standard behavior is to error out, some downstream distributions or custom builds may patch the code to downgrade this error to a warning to maintain compatibility in specific environments [7]. However, in upstream Kubernetes, the strict validation is standard [6][1].

Additionally, Kubernetes enforces dependencies between feature gates at startup [8]. As of recent releases, if a feature is enabled that depends on another feature, and that dependency is disabled, the component will refuse to start [8].

Remove the placeholder feature-gate branch
ClusterResourceSet is GA and CAPG v1.11.0 doesn’t register this gate anymore. Leaving this // Example branch in place can pass an unrecognized --feature-gates value and prevent the manager from starting.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go`
around lines 206 - 209, Remove the placeholder version-conditional feature-gate
branch in gcp.go so the payloadVersion check in the GCP platform setup no longer
appends ClusterResourceSet=false. Update the featureGates construction in the
logic around p.payloadVersion to only include real, registered gates, since this
branch can pass an unrecognized flag and stop the manager from starting.

@hypershift-jira-solve-ci


I now have all the information needed for a comprehensive report. Let me compile the final analysis.

Test Failure Analysis Complete

Job Information

  • PR: #8912 — "wip: Tls injection all in one (only for testing purposes)"
  • Branch: tls-injection-all-in-one
  • Author: Jan Chaloupka (ingvagabund)
  • Commit: f706a08ab1f27a1c32c29e48a30e8f800fbe0056
  • Failed Jobs: 5 (Unit Tests, Lint, Gitlint, codecov/project, codecov/patch)

Test Failure Analysis

Error

1) test / Unit Tests (cpo-hostedcontrolplane) — FAILED
   --- FAIL: TestControlPlaneComponents (14.40s)
       hostedcontrolplane_controller_test.go:1336: failed to read testdata file:
       open testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml:
       no such file or directory

2) lint / Lint — FAILED (2 gci issues)
   control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go:7:1: File is not properly formatted (gci)
   ignition-server/cmd/start.go:23:1: File is not properly formatted (gci)

3) gitlint / Gitlint — FAILED
   Commit 8a2c570a93: B6 Body message is missing

4) codecov/patch — FAILED: 18.13% of diff hit (target 43.26%)
5) codecov/project — FAILED: 43.24% (-0.03%) compared to ca3d347

Summary

All 5 failures are caused by the PR's own code changes — no infrastructure flakes. The primary blocker is a missing test fixture file: the PR adds a new controller-config.yaml ConfigMap for cluster-storage-operator with TLS security profile configuration but never generated the corresponding golden test fixture file that TestControlPlaneComponents expects. Additionally, two Go source files have import ordering violations (gci linter), one commit has a truncated commit message violating gitlint rule B6, and the new TLS injection code across ~80 files has only 18.13% test coverage vs the project's 43.26% target.

Root Cause

1. Unit Test Failure (primary blocker):
The PR adds a new ConfigMap manifest controller-config.yaml to the cluster-storage-operator component (v2/assets/cluster-storage-operator/controller-config.yaml) and registers it via WithManifestAdapter in v2/storage/component.go. The TestControlPlaneComponents test renders all component manifests and compares them against golden fixture files in testdata/. The test now expects fixture files at testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml (plus per-variant subdirectories: AROSwift, GCP, IBMCloud, TechPreviewNoUpgrade), but these fixture files were never generated and committed. The same fixture generation was correctly done for other new resources in this PR (e.g., ignition-server-proxy config configmap fixtures exist), but was missed for cluster-storage-operator.

2. Lint Failure:
Two files introduced by the PR have Go import blocks that violate the project's gci (Go Canonical Imports) ordering rules:

  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go line 7 — configv1 "github.com/openshift/api/config/v1" is in the wrong import group
  • ignition-server/cmd/start.go line 23 — "github.com/openshift/hypershift/support/util" is in the wrong import group

3. Gitlint Failure:
Commit 8a2c570a93 ("feat(csi-snapshot-controller-operator): inject centralized TLS config…") has a truncated headline and its body is just the leftover fragment …uration. Gitlint rule B6 requires a proper body message.

4. Codecov Failures:
The PR adds 164 net new lines but only 46 are covered by tests (116 uncovered). The new TLS injection code across platform providers (agent, AWS, Azure, GCP, KubeVirt, PowerVS, OpenStack) and CPO components (cloud controller managers, ignition server, storage, snapshot controller) has minimal test coverage. This is expected for a WIP PR marked /hold.

Recommendations
  1. Regenerate test fixtures — Run the test suite with the update flag to generate the missing fixture files:

    UPDATE_FIXTURES=true go test ./control-plane-operator/controllers/hostedcontrolplane/...

    This will create zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml in testdata/cluster-storage-operator/ and all variant subdirectories. Commit the generated files.

  2. Fix import ordering — Run gci write or the project's lint fixer on the two affected files:

    • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go
    • ignition-server/cmd/start.go

    Or run: make lint-fix if available.

  3. Fix truncated commit message — Amend commit 8a2c570a93 to have a complete headline and meaningful body:

    feat(csi-snapshot-controller-operator): inject centralized TLS configuration
    
    Mount a configmap with an operator config injected with the HCP TLS security
    profile.
    
  4. Add unit tests for TLS injection code — Before merging (when this moves beyond WIP), add tests for the new TLS configuration plumbing in platform providers and CPO components to meet the 43.26% coverage target.

Evidence
| Evidence | Detail |
| --- | --- |
| Unit test error | hostedcontrolplane_controller_test.go:1336: failed to read testdata file: open testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml: no such file or directory |
| Missing fixture cause | PR adds v2/assets/cluster-storage-operator/controller-config.yaml and registers it in v2/storage/component.go via WithManifestAdapter, but omits generating the golden test fixture |
| Similar fixtures present | testdata/ignition-server-proxy/zz_fixture_..._config_configmap.yaml files were correctly generated for the same PR |
| Lint error 1 | v2/ignitionserver_proxy/deployment.go:7:1: File is not properly formatted (gci) — import configv1 "github.com/openshift/api/config/v1" in wrong group |
| Lint error 2 | ignition-server/cmd/start.go:23:1: File is not properly formatted (gci) — import "github.com/openshift/hypershift/support/util" in wrong group |
| Gitlint error | Commit 8a2c570a93: 3: B6 Body message is missing — headline truncated to "...inject centralized TLS config…", body is just "…uration" |
| codecov/patch | 18.13% of diff covered (target 43.26%) — 167 changed lines have no test coverage |
| codecov/project | Project coverage dropped from 43.26% to 43.24% (-0.03%) — 116 new uncovered lines |
| PR status | WIP with /hold — described as "only for testing purposes", picks up PRs #8910, #8887, #8864 |

@ingvagabund

Member Author

POC: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/control-plane-operator-main:on-pr-f706a08ab1f27a1c32c29e48a30e8f800fbe0056
HO: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-operator/hypershift-operator-main:on-pr-f706a08ab1f27a1c32c29e48a30e8f800fbe0056

Inject --tls-min-version and --tls-cipher-suites flags to all six cloud
controller manager providers based on HCP TLS security profile.
Inject --tls-min-version and --tls-cipher-suites flags to all six cloud
capi providers based on HCP TLS security profile.
Inject --tls-min-version and --tls-cipher-suites flags
to capi-manager based on HCP TLS security profile.
Mount a configmap with an operator config injected with the HCP TLS security
profile.
…uration

Mount a configmap with an operator config injected with the HCP TLS security
profile.
…igmap

So later on the config can be injected with a TLS configuration
Inject with the HCP TLS security profile configuration
Inject with the HCP TLS security profile configuration
@ingvagabund ingvagabund force-pushed the tls-injection-all-in-one branch from f706a08 to de73e84 Compare July 3, 2026 12:01

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (1)
ignition-server/cmd/start.go (1)

60-78: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Return TLS flag parsing errors instead of aborting ignition-server/cmd/start.go:60-77

SecureTLSConfig already applies the default TLS 1.2 floor and cipher suites, so the remaining problem is log.Fatalf/CipherSuitesOrDie terminating the process on bad user input. Returning (*tls.Config, error) and bubbling that through run keeps startup failures on the normal error path.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ignition-server/cmd/start.go` around lines 60 - 78, buildTLSConfig currently
aborts the process on invalid TLS flags instead of returning a normal startup
error. Update buildTLSConfig to return (*tls.Config, error), use
librarycrypto.TLSVersion and librarycrypto.CipherSuites without fatal exits, and
propagate any parsing failures back to run so bad user input is handled on the
standard error path. Keep the existing tls.Config setup and SecureTLSConfig
call, but ensure the caller checks and returns the error instead of terminating.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@ignition-server/cmd/start.go`:
- Around line 60-78: buildTLSConfig currently aborts the process on invalid TLS
flags instead of returning a normal startup error. Update buildTLSConfig to
return (*tls.Config, error), use librarycrypto.TLSVersion and
librarycrypto.CipherSuites without fatal exits, and propagate any parsing
failures back to run so bad user input is handled on the standard error path.
Keep the existing tls.Config setup and SecureTLSConfig call, but ensure the
caller checks and returns the error instead of terminating.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 434dfd0b-cab6-485e-9c8b-beaf0b4eed1c

📥 Commits

Reviewing files that changed from the base of the PR and between f706a08 and de73e84.

⛔ Files ignored due to path filters (82)
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_config_configmap.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_controlplanecomponent.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server-proxy/zz_fixture_TestControlPlaneComponents_ignition_server_proxy_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/AROSwift/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/GCP/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/IBMCloud/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/ignition-server/zz_fixture_TestControlPlaneComponents_ignition_server_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml is excluded by !**/testdata/**
  • hypershift-operator/controllers/hostedcluster/testdata/capi-provider/zz_fixture_TestReconcileComponents.yaml is excluded by !**/testdata/**
  • hypershift-operator/controllers/hostedcluster/testdata/cluster-api/zz_fixture_TestReconcileComponents.yaml is excluded by !**/testdata/**
📒 Files selected for processing (28)
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
  • ignition-server/cmd/start.go
✅ Files skipped from review due to trivial changes (2)
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
🚧 Files skipped from review as they are similar to previous changes (24)
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
  • hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/component.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
  • hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml
  • hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.


@ingvagabund

Member Author

cpo: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/control-plane-operator-main:on-pr-de73e846092e7a63d0b3d4db64d76190acf378d8
ho: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hypershift-operator/hypershift-operator-main:on-pr-de73e846092e7a63d0b3d4db64d76190acf378d8

Labels

  • area/control-plane-operator: Indicates the PR includes changes for the control plane operator - in an OCP release
  • area/hypershift-operator: Indicates the PR includes changes for the hypershift operator and API - outside an OCP release
  • area/platform/aws: PR/issue for AWS (AWSPlatform) platform
  • area/platform/azure: PR/issue for Azure (AzurePlatform) platform
  • area/platform/gcp: PR/issue for GCP (GCPPlatform) platform
  • area/platform/kubevirt: PR/issue for KubeVirt (KubevirtPlatform) platform
  • area/platform/openstack: PR/issue for OpenStack (OpenStackPlatform) platform
  • area/platform/powervs: PR/issue for PowerVS (PowerVSPlatform) platform
  • do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
