wip: Tls injection all in one (only for testing purposes) #8912
ingvagabund wants to merge 8 commits into
📝 Walkthrough
This PR propagates HostedControlPlane TLS security profile settings into multiple deployment specs, adds generated controller ConfigMaps for storage and snapshot components, replaces inline HAProxy config generation with a mounted ConfigMap, and adds TLS configuration flags to the ignition-server startup command. It also updates several CAPI provider deployment signatures to use the HostedControlPlane value when building container args.
Related Issues: No related issues were referenced in the provided information.
Related PRs: No related PRs were referenced in the provided information.
Suggested labels: area/control-plane-operator, area/hypershift-operator, area/ignition-server
Suggested reviewers: No specific reviewers could be determined from the provided information.
🚥 Pre-merge checks: ✅ Passed checks (11 passed)
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: ingvagabund
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Actionable comments posted: 3
🧹 Nitpick comments (2)
hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go (1)
68-95: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Duplicated TLS-args construction across 7 platform files.
The `if hcp != nil { ... MinTLSVersion ... CipherSuites ... }` block (and the surrounding args slice pattern) is copy-pasted identically across agent.go, aws.go, azure.go, gcp.go, kubevirt.go, openstack.go, and powervs.go, differing only in flag order and the variable name (`args` vs `capoArgs`). Consider extracting a shared helper (e.g., in `support/config`) that both platforms call, reducing 7x duplication to a single source of truth and also avoiding the double `GetTLSSecurityProfile()` call per file.
♻️ Proposed shared helper
```go
// support/config/tls.go
func TLSArgs(hcp *hyperv1.HostedControlPlane) []string {
	if hcp == nil {
		return nil
	}
	profile := hcp.Spec.Configuration.GetTLSSecurityProfile()
	var args []string
	if v := MinTLSVersion(profile); v != "" {
		args = append(args, fmt.Sprintf("--tls-min-version=%s", v))
	}
	if c := CipherSuites(profile); len(c) != 0 {
		args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(c, ",")))
	}
	return args
}
```
Also applies to: 96-116
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go` around lines 68 - 95, The TLS argument construction in Agent.CAPIProviderDeploymentSpec is duplicated across multiple platform deployment builders and also calls GetTLSSecurityProfile() more than once. Extract the shared TLS flag building into a helper (for example in support/config) that returns the min-version and cipher-suite args from a HostedControlPlane, then have CAPIProviderDeploymentSpec and the matching aws/azure/gcp/kubevirt/openstack/powervs deployment spec methods append that shared result instead of inlining the repeated hcp nil and MinTLSVersion/CipherSuites logic.
control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go (1)
60-74: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Extract shared TLS-arg helper to avoid 6x duplication.
This exact block (compute `MinTLSVersion`/`CipherSuites`, conditionally append `--tls-min-version`/`--tls-cipher-suites`) is copy-pasted verbatim across the AWS, Azure, GCP, KubeVirt, OpenStack, and PowerVS cloud-controller-manager adapters in this PR. A shared helper in `support/config` (which already owns `MinTLSVersion`/`CipherSuites`) would remove the duplication and centralize any future changes (e.g. adjusting the flag names).
♻️ Proposed helper and call-site simplification
+// in support/config (e.g. cipher.go) +func TLSArgs(hcp *hyperv1.HostedControlPlane) []string { + profile := hcp.Spec.Configuration.GetTLSSecurityProfile() + var args []string + if tlsMinVersion := MinTLSVersion(profile); tlsMinVersion != "" { + args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion)) + } + if cipherSuites := CipherSuites(profile); len(cipherSuites) != 0 { + args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ","))) + } + return args +}podspec.UpdateContainer("cloud-controller-manager", deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) { - // Add TLS configuration based on cluster TLS security profile - if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" { - c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion)) - } - if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 { - c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ","))) - } + c.Args = append(c.Args, config.TLSArgs(hcp)...) })This also fixes the minor inefficiency of calling
`GetTLSSecurityProfile()` twice per invocation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go` around lines 60 - 74, The TLS flag assembly in adaptDeployment is duplicated across multiple cloud-controller-manager adapters, so move the shared logic into a helper under support/config near MinTLSVersion and CipherSuites. Have the helper accept the TLS security profile once, compute both values once, and append the --tls-min-version and --tls-cipher-suites args so AWS/Azure/GCP/KubeVirt/OpenStack/PowerVS callers can just invoke it from their UpdateContainer blocks. This also lets you avoid calling GetTLSSecurityProfile() twice in adaptDeployment and keeps the flag formatting centralized for future changes.
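Review bot: The proposed `TLSArgs` helper for the cloud-controller-manager adapters dereferences `hcp.Spec.Configuration` on its first line without a nil check, while the platform call sites described above guard the same logic with `if hcp != nil` and the helper sketched for agent.go starts with `if hcp == nil { return nil }`. If one shared helper in support/config is meant to serve both sets of callers, add the nil guard at the top so a caller that passes a nil HostedControlPlane gets no TLS flags rather than a panic.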
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go`:
- Around line 75-97: The TLS 1.3 cipher suites are being filtered out in the
HAProxy config builder and never emitted, so update the logic in the deployment
config generation to preserve them separately from TLS 1.2 ciphers. In the code
around the ciphers handling, split the list into TLS_ prefixed and non-TLS_
entries, keep the existing ciphers behavior for TLS 1.2 values, and add the TLS
1.3 values to both bindOptions and serverOptions using ciphersuites instead of
dropping them. Use the existing deployment config construction flow and
identifiers like minTLSVersion, cipherStr, bindOptions, and serverOptions to
locate the change.
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go`:
- Around line 42-78: The TLS controller config generation logic in
adaptControllerConfig is duplicated across multiple deployment helpers, making
future updates hard to keep in sync. Extract the shared JSON→map→apiVersion/kind
injection→YAML marshaling flow into a common helper (for example under
support/config) that accepts the TLS profile and bind address, then have this
snapshotcontroller adaptControllerConfig delegate to it instead of rebuilding
the config inline. Keep the existing cm.Data["config.yaml"] write path unchanged
and preserve the current BindAddress difference as an argument.
In `@hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go`:
- Around line 206-209: Remove the placeholder version-conditional feature-gate
branch in gcp.go so the payloadVersion check in the GCP platform setup no longer
appends ClusterResourceSet=false. Update the featureGates construction in the
logic around p.payloadVersion to only include real, registered gates, since this
branch can pass an unrecognized flag and stop the manager from starting.
---
Nitpick comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go`:
- Around line 60-74: The TLS flag assembly in adaptDeployment is duplicated
across multiple cloud-controller-manager adapters, so move the shared logic into
a helper under support/config near MinTLSVersion and CipherSuites. Have the
helper accept the TLS security profile once, compute both values once, and
append the --tls-min-version and --tls-cipher-suites args so
AWS/Azure/GCP/KubeVirt/OpenStack/PowerVS callers can just invoke it from their
UpdateContainer blocks. This also lets you avoid calling GetTLSSecurityProfile()
twice in adaptDeployment and keeps the flag formatting centralized for future
changes.
In
`@hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go`:
- Around line 68-95: The TLS argument construction in
Agent.CAPIProviderDeploymentSpec is duplicated across multiple platform
deployment builders and also calls GetTLSSecurityProfile() more than once.
Extract the shared TLS flag building into a helper (for example in
support/config) that returns the min-version and cipher-suite args from a
HostedControlPlane, then have CAPIProviderDeploymentSpec and the matching
aws/azure/gcp/kubevirt/openstack/powervs deployment spec methods append that
shared result instead of inlining the repeated hcp nil and
MinTLSVersion/CipherSuites logic.
⛔ Files ignored due to path filters (52)
📒 Files selected for processing (28)
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/deployment.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
- hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
- hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
- hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
- hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
- hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
- hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
- hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
- ignition-server/cmd/start.go
| // Filter out TLS 1.3 ciphers (they start with "TLS_") - TLS 1.3 ciphers are not configurable in HAProxy | ||
| var cipherStr string | ||
| tls12Ciphers := []string{} | ||
| for _, cipher := range ciphers { | ||
| if !strings.HasPrefix(cipher, "TLS_") { | ||
| tls12Ciphers = append(tls12Ciphers, cipher) | ||
| } | ||
| } | ||
| if len(tls12Ciphers) > 0 { | ||
| cipherStr = strings.Join(tls12Ciphers, ":") | ||
| } | ||
|
|
||
| bindOptions := "bind :::8443 v4v6 ssl crt /tmp/tls.pem" | ||
| serverOptions := "server ignition-server ignition-server:443 check ssl ca-file /etc/ssl/root-ca/ca.crt" | ||
|
|
||
| if minTLSVersion != "" { | ||
| bindOptions += fmt.Sprintf(" ssl-min-ver %s", minTLSVersion) | ||
| serverOptions += fmt.Sprintf(" ssl-min-ver %s", minTLSVersion) | ||
| } | ||
| if cipherStr != "" { | ||
| bindOptions += fmt.Sprintf(" ciphers %s", cipherStr) | ||
| serverOptions += fmt.Sprintf(" ciphers %s", cipherStr) | ||
| } |
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
Does HAProxy support the ciphersuites keyword on server lines (not just bind), and since which version?
💡 Result:
Yes, HAProxy supports the ciphersuites keyword on server lines [1][2]. The ciphersuites keyword is used specifically to configure TLSv1.3 cipher suites [3][4]. Support for the ciphersuites keyword was introduced in HAProxy 1.8.15 [4]. It requires that HAProxy be built with OpenSSL 1.1.1 or later, as this is the minimum version of OpenSSL required to support the TLSv1.3 protocol and its associated ciphersuites API [5][6][4]. While the directive can be used on individual server lines to define ciphersuites for TLSv1.3, HAProxy also provides the ssl-default-server-ciphersuites directive for global configuration [5]. These keywords are distinct from ciphers, which are used to configure ciphers for TLSv1.2 and earlier protocols [3][4].
Citations:
- 1: https://docs.haproxy.org/2.6/configuration.html
- 2: https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/
- 3: ssl-default-bind-ciphersuites influencing TLS1.2. haproxy/haproxy#2459
- 4: https://discourse.haproxy.org/t/tls1-3-not-operating-in-v1-8-14/3127
- 5: https://docs.haproxy.org/1.8/configuration.html
- 6: Fails to install on Deb9 due to ssl-default-bind-ciphersuites keyword haproxy/haproxy#1096
🏁 Script executed:
git ls-files control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy control-plane-operator/controllers/hostedcontrolplane/v2 | sed -n '1,200p'
Repository: openshift/hypershift
Length of output: 20785
🏁 Script executed:
set -euo pipefail
echo "== deployment.go =="
cat -n control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go | sed -n '1,220p'
echo
echo "== haproxy-config asset =="
cat -n control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml | sed -n '1,220p'
echo
echo "== search for ciphers/ciphersuites in ignitionserver_proxy =="
rg -n "ciphersuites|ssl-min-ver|ciphers" control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy
Repository: openshift/hypershift
Length of output: 6654
Handle TLS 1.3 cipher suites separately.
TLS_-prefixed suites are filtered out here and never written to the HAProxy config, so a Modern/Custom profile can lose its TLS 1.3 restrictions and fall back to HAProxy defaults. Emit the TLS 1.3 values with ciphersuites on the bind/server lines instead of dropping them.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go`
around lines 75 - 97, The TLS 1.3 cipher suites are being filtered out in the
HAProxy config builder and never emitted, so update the logic in the deployment
config generation to preserve them separately from TLS 1.2 ciphers. In the code
around the ciphers handling, split the list into TLS_ prefixed and non-TLS_
entries, keep the existing ciphers behavior for TLS 1.2 values, and add the TLS
1.3 values to both bindOptions and serverOptions using ciphersuites instead of
dropping them. Use the existing deployment config construction flow and
identifiers like minTLSVersion, cipherStr, bindOptions, and serverOptions to
locate the change.
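The split requested in this comment, as an added example that is not code from the PR or from the reviewer: it keeps non-`TLS_` entries on `ciphers` and emits `TLS_` entries on `ciphersuites` for both the bind and server lines, and covers the case where a profile lists only TLS 1.3 suites. It assumes cipher names arrive in OpenSSL form, so that only TLS 1.3 suites carry the `TLS_` prefix (the same assumption the PR's filter makes); the function names and the sample cipher lists are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Base HAProxy lines copied from the PR's deployment.go snippet.
const (
	baseBind   = "bind :::8443 v4v6 ssl crt /tmp/tls.pem"
	baseServer = "server ignition-server ignition-server:443 check ssl ca-file /etc/ssl/root-ca/ca.crt"
)

// splitCipherSuites (hypothetical helper) separates TLS 1.3 suites from
// TLS 1.2-and-earlier ciphers using the "TLS_" prefix, dropping blanks and
// duplicates while preserving the profile's preference order.
func splitCipherSuites(ciphers []string) (tls12, tls13 []string) {
	seen := map[string]bool{}
	for _, c := range ciphers {
		c = strings.TrimSpace(c)
		if c == "" || seen[c] {
			continue
		}
		seen[c] = true
		if strings.HasPrefix(c, "TLS_") {
			tls13 = append(tls13, c)
		} else {
			tls12 = append(tls12, c)
		}
	}
	return tls12, tls13
}

// haproxyTLSOptions (hypothetical helper) builds the bind and server lines.
// TLS 1.2 ciphers go to "ciphers", TLS 1.3 suites go to "ciphersuites", so a
// profile's TLS 1.3 restrictions are written out instead of being dropped.
func haproxyTLSOptions(minTLSVersion string, ciphers []string) (bindOptions, serverOptions string) {
	tls12, tls13 := splitCipherSuites(ciphers)

	var extra []string
	if minTLSVersion != "" {
		extra = append(extra, "ssl-min-ver "+minTLSVersion)
	}
	if len(tls12) > 0 {
		extra = append(extra, "ciphers "+strings.Join(tls12, ":"))
	}
	if len(tls13) > 0 {
		extra = append(extra, "ciphersuites "+strings.Join(tls13, ":"))
	}

	bindOptions, serverOptions = baseBind, baseServer
	if len(extra) > 0 {
		suffix := " " + strings.Join(extra, " ")
		bindOptions += suffix
		serverOptions += suffix
	}
	return bindOptions, serverOptions
}

func main() {
	// Constructed sample profiles, not taken from the PR.
	samples := []struct {
		name    string
		minVer  string
		ciphers []string
	}{
		{"mixed", "TLSv1.2", []string{
			"TLS_AES_128_GCM_SHA256",
			"TLS_AES_256_GCM_SHA384",
			"ECDHE-ECDSA-AES128-GCM-SHA256",
			"ECDHE-RSA-AES128-GCM-SHA256",
		}},
		{"tls13-only", "TLSv1.3", []string{
			"TLS_AES_128_GCM_SHA256",
			"TLS_CHACHA20_POLY1305_SHA256",
		}},
		{"unset", "", nil},
	}
	for _, s := range samples {
		bind, server := haproxyTLSOptions(s.minVer, s.ciphers)
		fmt.Printf("# %s\n%s\n%s\n\n", s.name, bind, server)
	}
}
```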
| func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error { | ||
| profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile() | ||
| controllerConfig := configv1.GenericControllerConfig{ | ||
| ServingInfo: configv1.HTTPServingInfo{ | ||
| ServingInfo: configv1.ServingInfo{ | ||
| BindAddress: ":8443", | ||
| CipherSuites: config.CipherSuites(profile), | ||
| MinTLSVersion: config.MinTLSVersion(profile), | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| asJSON, err := json.Marshal(controllerConfig) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to json marshal config: %w", err) | ||
| } | ||
|
|
||
| asMap := map[string]any{} | ||
| if err := json.Unmarshal(asJSON, &asMap); err != nil { | ||
| return fmt.Errorf("failed to json unmarshal config: %w", err) | ||
| } | ||
|
|
||
| asMap["apiVersion"] = configv1.GroupVersion.String() | ||
| asMap["kind"] = "GenericControllerConfig" | ||
|
|
||
| data, err := yaml.Marshal(asMap) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to yaml marshal config: %w", err) | ||
| } | ||
|
|
||
| if cm.Data == nil { | ||
| cm.Data = map[string]string{} | ||
| } | ||
|
|
||
| cm.Data["config.yaml"] = string(data) | ||
| return nil | ||
| } |
📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win
Extract shared adaptControllerConfig helper to eliminate triplicated TLS-config logic.
This function is byte-for-byte identical in structure to adaptControllerConfig in control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go (lines 51-87) and closely mirrors registryoperator/configmap.go's version (JSON→map→inject apiVersion/kind→YAML marshal→write to cm.Data["config.yaml"]), differing only in BindAddress. Any future change to the TLS-profile-to-config mapping (e.g. adding new fields, fixing a marshal bug) now needs to be replicated in three places.
Consider extracting a shared helper, e.g. in support/config, that takes the bind address and TLS profile and returns the marshaled YAML bytes (or writes directly into the ConfigMap), then have each component call it with its own BindAddress.
♻️ Example shared helper sketch
+// in support/config (new helper)
+func BuildGenericControllerConfigYAML(bindAddress string, profile *configv1.TLSSecurityProfile) ([]byte, error) {
+ controllerConfig := configv1.GenericControllerConfig{
+ ServingInfo: configv1.HTTPServingInfo{
+ ServingInfo: configv1.ServingInfo{
+ BindAddress: bindAddress,
+ CipherSuites: CipherSuites(profile),
+ MinTLSVersion: MinTLSVersion(profile),
+ },
+ },
+ }
+ asJSON, err := json.Marshal(controllerConfig)
+ if err != nil {
+ return nil, fmt.Errorf("failed to json marshal config: %w", err)
+ }
+ asMap := map[string]any{}
+ if err := json.Unmarshal(asJSON, &asMap); err != nil {
+ return nil, fmt.Errorf("failed to json unmarshal config: %w", err)
+ }
+ asMap["apiVersion"] = configv1.GroupVersion.String()
+ asMap["kind"] = "GenericControllerConfig"
+ return yaml.Marshal(asMap)
+}-func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
- profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
- controllerConfig := configv1.GenericControllerConfig{
- ...
- }
- asJSON, err := json.Marshal(controllerConfig)
- ...
- cm.Data["config.yaml"] = string(data)
- return nil
-}
+func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
+ profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
+ data, err := config.BuildGenericControllerConfigYAML(":8443", profile)
+ if err != nil {
+ return err
+ }
+ if cm.Data == nil {
+ cm.Data = map[string]string{}
+ }
+ cm.Data["config.yaml"] = string(data)
+ return nil
+}🤖 Prompt for AI Agents
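Review bot: `return yaml.Marshal(asMap)` at the end of the proposed `BuildGenericControllerConfigYAML` returns the marshal error unwrapped, whereas the inline version it replaces wraps it as "failed to yaml marshal config: %w" and the two JSON steps in the same helper still wrap theirs. Capture the result and wrap the error the same way, so a YAML failure surfaced through `adaptControllerConfig` stays attributable to this step.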
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go`
around lines 42 - 78, The TLS controller config generation logic in
adaptControllerConfig is duplicated across multiple deployment helpers, making
future updates hard to keep in sync. Extract the shared JSON→map→apiVersion/kind
injection→YAML marshaling flow into a common helper (for example under
support/config) that accepts the TLS profile and bind address, then have this
snapshotcontroller adaptControllerConfig delegate to it instead of rebuilding
the config inline. Keep the existing cm.Data["config.yaml"] write path unchanged
and preserve the current BindAddress difference as an argument.
| // Version-conditional feature gates (future-proofing) | ||
| if p.payloadVersion != nil && p.payloadVersion.Major == 4 && p.payloadVersion.Minor > 16 { | ||
| featureGates = append(featureGates, "ClusterResourceSet=false") // Example | ||
| } |
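Review bot: the condition on p.payloadVersion pins Major == 4 next to Minor > 16, so the branch silently stops applying on any later major version, and the appended "ClusterResourceSet=false" is explained only by "// Example". If a version-conditional gate is ever needed here, use one ordered version comparison and state in the comment why the gate is set; a placeholder value should not reach the manager's --feature-gates argument.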
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
Does cluster-api-provider-gcp v1.11.0 register a ClusterResourceSet feature gate flag?
💡 Result:
No, cluster-api-provider-gcp v1.11.0 does not register a ClusterResourceSet feature gate flag. The ClusterResourceSet feature was promoted to General Availability (GA) in Cluster API v1.10 [1][2]. Following its transition to GA, the associated feature gate flag was deprecated in Cluster API and subsequently removed in later versions [3][4][1]. As Cluster API Provider GCP (CAPG) v1.11.0 upgraded its underlying Cluster API dependencies to v1.11 [5], it aligns with the upstream state where this feature is considered GA and no longer managed via a feature gate flag [3][1]. Historically, while the feature was in beta, it was controlled by the EXP_CLUSTER_RESOURCE_SET environment variable or the ClusterResourceSet feature gate [6]. However, as of its current GA status, it is enabled by default and does not require a feature gate to be registered or enabled [1][7].
Citations:
- 1: Feature: ClusterResourceSet kubernetes-sigs/cluster-api#11114
- 2: ✨ Promote feature CRS to GA kubernetes-sigs/cluster-api#11365
- 3: 🌱 Remove deprecated ClusterResourceSet feature gate kubernetes-sigs/cluster-api#12950
- 4: ⚠️ Deprecate the ClusterResourceSet feature flag kubernetes-sigs/cluster-api#11741
- 5: Upgrade to CAPI v1.11 kubernetes-sigs/cluster-api-provider-gcp#1509
- 6: https://release-1-8.cluster-api.sigs.k8s.io/tasks/experimental-features/cluster-resource-set
- 7: https://cluster-api.sigs.k8s.io/tasks/cluster-resource-set
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file="hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go"
# Show the relevant area with line numbers.
sed -n '180,235p' "$file" | cat -n
Repository: openshift/hypershift
Length of output: 2627
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file="hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go"
echo "== relevant section =="
sed -n '180,250p' "$file" | cat -n
echo
echo "== featureGates consumers in gcp platform code =="
rg -n 'featureGates|ClusterResourceSet' hypershift-operator/controllers/hostedcluster/internal/platform/gcp -A 3 -B 3
Repository: openshift/hypershift
Length of output: 5523
🌐 Web query:
Kubernetes feature-gates unknown feature gate argument behavior binary startup
💡 Result:
In Kubernetes, the default behavior for providing an unknown feature gate argument at binary startup is to trigger an error, which causes the component to fail to start [1][2][3][4]. When a Kubernetes component (such as the kube-apiserver or kubelet) initializes, it processes the --feature-gates flag [5]. The internal feature gate subsystem performs strict validation against the list of known feature gates [6]. If an argument is provided that does not match a registered feature gate, the system returns an "unrecognized feature gate" error [6][1]. This validation failure results in the component logging the error and exiting immediately to prevent the cluster or node from running in an unsupported or unintended state [1][2][3][4]. Key points regarding this behavior include:
- Fail-Fast Mechanism: The component-level startup logic acts as a safeguard. If a configuration file or command-line argument specifies a gate that the running binary does not recognize—often occurring during version upgrades or misconfiguration—the process will not proceed [1][4].
- Error Logs: When this occurs, you will typically see an error message in the component logs, such as: "Failed to set feature gates from initial flags-based config" followed by "unrecognized feature gate: " [1][3][4].
- Troubleshooting: To resolve this, you must identify the component receiving the invalid flag and remove it from the corresponding configuration file (e.g., /etc/kubernetes/manifests/ or systemd service configurations) or command-line arguments [1][4].
- Exceptions: While the standard behavior is to error out, some downstream distributions or custom builds may patch the code to downgrade this error to a warning to maintain compatibility in specific environments [7]. However, in upstream Kubernetes, the strict validation is standard [6][1].
Additionally, Kubernetes enforces dependencies between feature gates at startup [8]. As of recent releases, if a feature is enabled that depends on another feature, and that dependency is disabled, the component will refuse to start [8].
Citations:
- 1: https://stackoverflow.com/questions/70380269/failed-to-set-feature-gates-from-initial-flags-based-config-err-unrecognized
- 2: Fail init cluster with feature-gates kubernetes/kubeadm#2879
- 3: https://access.redhat.com/solutions/7118670
- 4: vSphere cluster upgrade failure : unrecognized feature gate: KubeletCredentialProviders aws/eks-anywhere#8984
- 5: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
- 6: https://github.com/kubernetes/kubernetes/blob/63b36867/staging/src/k8s.io/component-base/featuregate/feature_gate.go
- 7: kubernetes/kubernetes@90b73d8
- 8: Codify feature gate dependencies kubernetes/kubernetes#133697
Remove the placeholder feature-gate branch
ClusterResourceSet is GA and CAPG v1.11.0 doesn’t register this gate anymore. Leaving this // Example branch in place can pass an unrecognized --feature-gates value and prevent the manager from starting.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go`
around lines 206 - 209, Remove the placeholder version-conditional feature-gate
branch in gcp.go so the payloadVersion check in the GCP platform setup no longer
appends ClusterResourceSet=false. Update the featureGates construction in the
logic around p.payloadVersion to only include real, registered gates, since this
branch can pass an unrecognized flag and stop the manager from starting.
|
I now have all the information needed for a comprehensive report. Let me compile the final analysis.
Test Failure Analysis Complete
Job Information
Test Failure Analysis
Error
Summary
All 5 failures are caused by the PR's own code changes — no infrastructure flakes. The primary blocker is a missing test fixture file: the PR adds a new
Root Cause
1. Unit Test Failure (primary blocker):
2. Lint Failure:
3. Gitlint Failure:
4. Codecov Failures:
Recommendations
Evidence
|
|
POC: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/control-plane-operator-main:on-pr-f706a08ab1f27a1c32c29e48a30e8f800fbe0056 |
Inject --tls-min-version and --tls-cipher-suites flags to all six cloud controller manager providers based on HCP TLS security profile.
Inject --tls-min-version and --tls-cipher-suites flags to all six cloud capi providers based on HCP TLS security profile.
Inject --tls-min-version and --tls-cipher-suites flags to capi-manager based on HCP TLS security profile.
Mount a configmap with an operator config injected with the HCP TLS security profile.
…uration Mount a configmap with an operator config injected with the HCP TLS security profile.
…igmap So later on the config can be injected with a TLS configuration
Inject with the HCP TLS security profile configuration
Inject with the HCP TLS security profile configuration
f706a08 to de73e84
🧹 Nitpick comments (1)
ignition-server/cmd/start.go (1)
60-78: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win
Return TLS flag parsing errors instead of aborting
ignition-server/cmd/start.go:60-77
SecureTLSConfig already applies the default TLS 1.2 floor and cipher suites, so the remaining problem is log.Fatalf/CipherSuitesOrDie terminating the process on bad user input. Returning (*tls.Config, error) and bubbling that through run keeps startup failures on the normal error path.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ignition-server/cmd/start.go` around lines 60 - 78, buildTLSConfig currently aborts the process on invalid TLS flags instead of returning a normal startup error. Update buildTLSConfig to return (*tls.Config, error), use librarycrypto.TLSVersion and librarycrypto.CipherSuites without fatal exits, and propagate any parsing failures back to run so bad user input is handled on the standard error path. Keep the existing tls.Config setup and SecureTLSConfig call, but ensure the caller checks and returns the error instead of terminating.
Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@ignition-server/cmd/start.go`:
- Around line 60-78: buildTLSConfig currently aborts the process on invalid TLS
flags instead of returning a normal startup error. Update buildTLSConfig to
return (*tls.Config, error), use librarycrypto.TLSVersion and
librarycrypto.CipherSuites without fatal exits, and propagate any parsing
failures back to run so bad user input is handled on the standard error path.
Keep the existing tls.Config setup and SecureTLSConfig call, but ensure the
caller checks and returns the error instead of terminating.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 434dfd0b-cab6-485e-9c8b-beaf0b4eed1c
⛔ Files ignored due to path filters (82)
📒 Files selected for processing (28)
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/deployment.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
- hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
- hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
- hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
- hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
- hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
- hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
- hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
- ignition-server/cmd/start.go
✅ Files skipped from review due to trivial changes (2)
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml
🚧 Files skipped from review as they are similar to previous changes (24)
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
- hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
- control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go
- hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml
- hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/component.go
- hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
- hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
- hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/ignition-server-proxy/haproxy-config.yaml
- hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
- control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/ignitionserver_proxy/deployment.go
- control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
|
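The change asked for in the ignition-server/cmd/start.go review comment above, as an added example that is not the PR's code and does not use library-go: buildTLSConfig returns (*tls.Config, error) and run passes the error up instead of exiting. It relies only on crypto/tls; the "VersionTLS1x" flag spelling, the run signature and the sample flag values are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Names accepted for --tls-min-version. Assumption: the Kubernetes-style
// "VersionTLS1x" spelling; the page does not show the flag's value format.
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// parseMinVersion maps a flag value to a crypto/tls constant. An empty value
// falls back to TLS 1.2, the default floor the review comment mentions.
func parseMinVersion(name string) (uint16, error) {
	if name == "" {
		return tls.VersionTLS12, nil
	}
	v, ok := tlsVersions[name]
	if !ok {
		return 0, fmt.Errorf("unknown TLS version %q", name)
	}
	return v, nil
}

// parseCipherSuites resolves comma-separated IANA suite names to IDs. Only
// suites crypto/tls lists as secure are accepted, and every rejected name is
// reported in a single error so all mistakes are visible at once.
func parseCipherSuites(csv string) ([]uint16, error) {
	secure := map[string]uint16{}
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	insecure := map[string]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}
	var ids []uint16
	var problems []string
	for _, name := range strings.Split(csv, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		id, ok := secure[name]
		switch {
		case ok:
			ids = append(ids, id)
		case insecure[name]:
			problems = append(problems, name+" (insecure)")
		default:
			problems = append(problems, name+" (unknown)")
		}
	}
	if len(problems) > 0 {
		return nil, fmt.Errorf("rejected cipher suites: %s", strings.Join(problems, ", "))
	}
	return ids, nil
}

// buildTLSConfig turns the two flag values into a tls.Config, or an error
// naming the offending flag. A nil CipherSuites keeps Go's default list.
func buildTLSConfig(minVersion, cipherSuites string) (*tls.Config, error) {
	v, err := parseMinVersion(minVersion)
	if err != nil {
		return nil, fmt.Errorf("--tls-min-version: %w", err)
	}
	ids, err := parseCipherSuites(cipherSuites)
	if err != nil {
		return nil, fmt.Errorf("--tls-cipher-suites: %w", err)
	}
	return &tls.Config{MinVersion: v, CipherSuites: ids}, nil
}

// run stands in for the server's start function (hypothetical signature):
// a bad flag becomes an ordinary returned error, not a process exit.
func run(minVersion, cipherSuites string) error {
	cfg, err := buildTLSConfig(minVersion, cipherSuites)
	if err != nil {
		return fmt.Errorf("invalid TLS flags: %w", err)
	}
	fmt.Printf("min version %#x, %d explicit cipher suites\n", cfg.MinVersion, len(cfg.CipherSuites))
	return nil
}

func main() {
	// Constructed flag values: one valid pair, one with a rejected suite.
	inputs := [][2]string{
		{"VersionTLS12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
		{"VersionTLS12", "TLS_RSA_WITH_RC4_128_SHA"},
	}
	for _, in := range inputs {
		if err := run(in[0], in[1]); err != nil {
			fmt.Println("startup error:", err)
		}
	}
}
```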
@ingvagabund: all tests passed! Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
cpo: quay.io/redhat-user-workloads/crt-redhat-acm-tenant/control-plane-operator-main:on-pr-de73e846092e7a63d0b3d4db64d76190acf378d8 |
/hold
Only to produce the cpo and ho images for local testing.
Picks up:
Summary by CodeRabbit
New Features
Bug Fixes