
CORENET-7114: Add OCP centralized TLS profile support#3014

Open
tpantelis wants to merge 2 commits into
openshift:masterfrom
tpantelis:tls_profile_support

Conversation

@tpantelis tpantelis commented May 26, 2026

Contributor

See commits for details.

Summary by CodeRabbit

  • New Features

    • Reconcile triggers for API server TLS/security profile changes, including HyperShift-hosted clusters
    • Support passing a custom manifest path for operator deployment
  • Improvements

    • MTU probe polls more frequently for faster detection
    • Bootstrap-populated TLS profile is used to populate rendered manifests (min version & ciphers)
  • Tests

    • Extensive new test coverage for rendering, HyperShift, MTU probing, reconciliation and failure scenarios
  • Chores

    • Linter and dependency configuration updates

coderabbitai Bot commented May 26, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds TLS profile types and render helpers, integrates TLS retrieval into Bootstrap, extends controller watches for APIServer/HostedCluster TLS changes, refactors MTU prober to use manifestPath and faster polling, enhances fake client/cache and status manager, and adds comprehensive operconfig and network tests.

Changes

TLS Profile Support with Comprehensive Testing

Layer (files): summary

  • TLS Profile Data Model (pkg/bootstrap/types.go): New TLSProfile field added to BootstrapResult and exported TLSProfile type added.
  • TLS Profile Retrieval and Rendering (pkg/network/tls.go, pkg/network/tls_test.go): AddTLSInfoToRenderData populates template data from TLS profile; getTLSProfile reads from APIServer or HostedCluster and converts into bootstrap.TLSProfile. Unit tests validate adherence behavior and cipher handling.
  • Bootstrap Integration and Network Tests (pkg/network/bootstrap.go, pkg/network/bootstrap_test.go, pkg/network/network_suite_test.go, pkg/network/render_test.go): Bootstrap calls getTLSProfile and stores result in BootstrapResult. Tests added for standalone and HyperShift TLS extraction, IPTablesAlerter defaults, and render test adjustments.
  • Test Infra: Fake client SSA & RESTMapper (pkg/client/fake/fake_client.go): Fake client improved to emulate SSA Apply patches, separate typed vs dynamic stores, use a real REST mapper, support management cluster dynamic client, and persist custom informers.
  • Test Infra: Fake cache and helpers (pkg/controller/fake/cache.go): New fake Cache wraps crclient.Client and exposes GetInformer backed by watch.FakeWatcher, emits bookmark event, supports AwaitWatcher and SeedInformerStore, and implements WaitForCacheSync.
  • Controller core and watches (pkg/controller/operconfig/operconfig_controller.go): Added AddWithManifestPath(manifestPath); reconciler stores manifestPath; added filtered watches for configv1.APIServer TLS fields and, in HyperShift, management-cluster HostedCluster TLS nested fields.
  • MTU prober refactor (pkg/controller/operconfig/mtu_probe.go): renderMTUProber made a method on reconciler, MTU result polling cadence reduced to 1s, and manifest path usage switched to r.manifestPath.
  • HyperShift refactor & exports (pkg/hypershift/hypershift.go): Read HyperShift env vars at call time in NewHyperShiftConfig; export HostedClusterGVK and HostedClusterGVR.
  • StatusManager test constructor (pkg/controller/statusmanager/status_manager.go): Added NewWithClock to inject a clock.PassiveClock for deterministic status tests.
  • OperConfig test suite & scenarios (pkg/controller/operconfig/*_test.go): Comprehensive Ginkgo operconfig tests: suite scaffolding, testDriver, fake cache/manager wiring, render/applied/MTU/failure/HyperShift scenarios, watch-trigger tests, and helpers for condition polling and dynamic client fault injection.
  • Supporting files: deps & linter (go.mod, .golangci.yaml): Dependencies updated (controller-runtime v0.23.3, ginkgo v2 added, openshift libs updated); linter config whitelists dot-imports for Ginkgo/Gomega.

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 11

❌ Failed checks (1 warning, 10 inconclusive)

Check name | Status | Explanation | Resolution
  • Docstring Coverage | ⚠️ Warning | Docstring coverage is 24.14% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Stable And Deterministic Test Names | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • Test Structure And Quality | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • Microshift Test Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • Single Node Openshift (Sno) Test Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • Topology-Aware Scheduling Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • Ote Binary Stdout Contract | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • Ipv6 And Disconnected Network Test Compatibility | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • No-Weak-Crypto | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • Container-Privileges | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
  • No-Sensitive-Data-In-Logs | ❓ Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (4 passed)
Check name | Status | Explanation
  • Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
  • Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
  • Title check | ✅ Passed | The title matches the main change: adding centralized TLS profile support across networking and operconfig code.

@openshift-ci openshift-ci Bot requested review from danwinship and taanyas May 26, 2026 16:57
@tpantelis

Contributor Author

/cc @danwinship

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
pkg/client/fake/fake_client.go (1)

194-198: 💤 Low value

All types are registered as namespace-scoped, which may cause issues with cluster-scoped resources.

The REST mapper adds all known types with meta.RESTScopeNamespace, but cluster-scoped resources like ClusterOperator, Node, Infrastructure, etc., should use meta.RESTScopeRoot. This could cause unexpected behavior if code paths rely on scope information from the mapper.

Consider determining the correct scope per type, or at minimum, document this limitation.

💡 Potential fix to handle cluster-scoped types
 	for gvk := range scheme.Scheme.AllKnownTypes() {
-		restMapper.Add(gvk, meta.RESTScopeNamespace)
+		// Determine scope based on type - cluster-scoped types don't have namespace
+		// This is a simplification; a more complete solution would check API discovery
+		scope := meta.RESTScopeNamespace
+		if isClusterScoped(gvk) {
+			scope = meta.RESTScopeRoot
+		}
+		restMapper.Add(gvk, scope)
 	}
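Review bot: `isClusterScoped(gvk)` is called on the `+		if isClusterScoped(gvk) {` line but is not defined anywhere in the hunk, and the text below only sketches it as a hard-coded list of kind names. Such a list drifts from `scheme.Scheme.AllKnownTypes()` as types are added, and matching on Kind alone ignores the group, so two groups sharing a kind name would get the same scope. Suggest matching on the full GroupVersionKind, keeping the list next to where the types are registered into the scheme, and adding a test asserting the mapper returns `meta.RESTScopeRoot` for the cluster-scoped kinds the operator reads (ClusterOperator, Infrastructure, Node), since any caller that consults the mapper to decide whether to set a namespace would otherwise issue namespaced requests for them.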

Where isClusterScoped checks known cluster-scoped kinds like Node, Namespace, ClusterOperator, Infrastructure, etc.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/client/fake/fake_client.go` around lines 194 - 198, The REST mapper is
incorrectly adding every known GVK with meta.RESTScopeNamespace; update the loop
that iterates scheme.Scheme.AllKnownTypes() and call restMapper.Add(gvk, scope)
where scope is decided per-GVK (use meta.RESTScopeRoot for cluster-scoped kinds
like Node, Namespace, ClusterOperator, Infrastructure, etc., and
meta.RESTScopeNamespace otherwise) — implement a small helper (e.g.,
isClusterScoped(gvk) or isClusterKind(kind)) to determine scope and apply it
when calling restMapper.Add, or at minimum add an inline comment documenting
this limitation if you cannot resolve scopes programmatically.
pkg/controller/operconfig/controller_test.go (1)

312-321: 💤 Low value

FakeClock mixes real and stubbed time, which may cause subtle test issues.

Now() returns the actual current time while Since() always returns 3 minutes regardless of the input. This inconsistency could cause confusing behavior if any code path computes elapsed time using both methods, e.g., clock.Since(clock.Now()) would return 3 minutes even if called immediately.

Consider using a fully deterministic fake clock (e.g., from k8s.io/utils/clock/testing) or documenting this intentional behavior.

💡 Alternative using k8s.io/utils/clock/testing
+import clocktesting "k8s.io/utils/clock/testing"

-type FakeClock struct {
-}
-
-func (f FakeClock) Now() time.Time {
-	return time.Now()
-}
-
-func (f FakeClock) Since(t time.Time) time.Duration {
-	return time.Minute * 3
-}

// In newTestDriver:
-t.statusManager = statusmanager.NewWithClock(t.fakeClient, clusterOperatorName, "", &FakeClock{})
+fakeClock := clocktesting.NewFakeClock(time.Now())
+// Advance past the degraded threshold
+fakeClock.Step(3 * time.Minute)
+t.statusManager = statusmanager.NewWithClock(t.fakeClient, clusterOperatorName, "", fakeClock)
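Review bot: this replacement changes what `Since` returns. The removed `FakeClock.Since` returned three minutes for every input, whereas `clocktesting.NewFakeClock(time.Now())` followed by a single `fakeClock.Step(3 * time.Minute)` in `newTestDriver` only makes `Since(t)` exceed the threshold for timestamps taken before the step; any condition timestamp the status manager records through the injected clock's `Now()` after construction reads as zero elapsed time. Tests that relied on the old "always past the degraded threshold" behaviour need to call `fakeClock.Step` after the timestamp is recorded, which means the driver should keep a handle on `fakeClock` so each scenario can advance it. No other signature change is needed: `*clocktesting.FakeClock` satisfies the `clock.PassiveClock` that `NewWithClock` accepts.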
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/operconfig/controller_test.go` around lines 312 - 321,
FakeClock is inconsistent because Now() returns real time while Since(t
time.Time) always returns 3 minutes, which can produce surprising results (e.g.,
clock.Since(clock.Now()) != 0); change FakeClock to be deterministic by storing
a fixed base time field and implement Now() to return that base time and
Since(t) to compute baseTime.Sub(t) (or switch to
k8s.io/utils/clock/testing.FakeClock and use its Now/Since utilities); update
usages/tests accordingly to either advance the fake clock explicitly or rely on
the deterministic behavior of the k8s fake clock.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/fake/cache.go`:
- Around line 41-101: GetInformer currently checks f.informers under a read lock
then creates and inserts a new informer under a write lock, which allows a race
where another goroutine creates the informer between the RUnlock and Lock. Fix
by using a double-checked locking pattern in GetInformer: keep the initial RLock
check as-is, but if not found, build fakeWatcher and newInformer (no
side-effects), then acquire f.Lock(), re-check f.informers[objType]; if an
informer now exists return that, otherwise set f.watchers[objType] = fakeWatcher
and f.informers[objType] = newInformer and release the lock, then start
newInformer.Run(ctx.Done()). Ensure you reference the GetInformer function and
the f.informers / f.watchers maps and handle the fakeWatcher/newInformer
replacement logic accordingly.

In `@pkg/controller/operconfig/controller_hypershift_test.go`:
- Around line 196-198: The test currently only checks the annotation when it
exists, letting the case where it's missing pass silently; update the test to
explicitly assert that co.Annotations contains the key
names.RelatedClusterObjectsAnnotation (e.g., Expect/co.Annotations to have that
key) and then assert the value is not empty using the value at
co.Annotations[names.RelatedClusterObjectsAnnotation]; replace the conditional
"if annotation, exists := ..." pattern with two explicit expectations so absence
fails the test.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 95684223-4841-4ced-86e7-cddd68f08edb

📥 Commits

Reviewing files that changed from the base of the PR and between bea98c0 and 3a8ac96.

⛔ Files ignored due to path filters (182)
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/signal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/signal_posix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/signal_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/scheme/scheme.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter_custom.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (22)
  • .golangci.yaml
  • go.mod
  • pkg/bootstrap/types.go
  • pkg/client/fake/fake_client.go
  • pkg/controller/fake/cache.go
  • pkg/controller/operconfig/controller_applied_test.go
  • pkg/controller/operconfig/controller_failures_test.go
  • pkg/controller/operconfig/controller_hypershift_test.go
  • pkg/controller/operconfig/controller_mtu_test.go
  • pkg/controller/operconfig/controller_rendering_test.go
  • pkg/controller/operconfig/controller_test.go
  • pkg/controller/operconfig/controller_watch_test.go
  • pkg/controller/operconfig/mtu_probe.go
  • pkg/controller/operconfig/operconfig_controller.go
  • pkg/controller/statusmanager/status_manager.go
  • pkg/hypershift/hypershift.go
  • pkg/network/bootstrap.go
  • pkg/network/bootstrap_test.go
  • pkg/network/network_suite_test.go
  • pkg/network/render_test.go
  • pkg/network/tls.go
  • pkg/network/tls_test.go

@tpantelis tpantelis force-pushed the tls_profile_support branch from 3a8ac96 to d4d99b4 Compare May 26, 2026 17:35

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
pkg/client/fake/fake_client.go (1)

195-198: 💤 Low value

All types registered as namespace-scoped in RESTMapper.

The loop adds all known types with meta.RESTScopeNamespace, but cluster-scoped resources like Node, ClusterOperator, and Infrastructure should use meta.RESTScopeRoot. This could cause issues if tests rely on the mapper to determine resource scope.

Consider using the scheme's scope information or maintaining a list of cluster-scoped types:

 for gvk := range scheme.Scheme.AllKnownTypes() {
-	restMapper.Add(gvk, meta.RESTScopeNamespace)
+	// Simplified: most resources are namespaced, cluster-scoped ones 
+	// would need explicit handling if scope-dependent behavior is tested
+	restMapper.Add(gvk, meta.RESTScopeNamespace)
 }
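Review bot: the suggested hunk does not implement the change it describes; it still calls restMapper.Add(gvk, meta.RESTScopeNamespace) for every GVK and only adds a comment saying cluster-scoped handling "would need" to exist. If any test consults the mapper for scope, keep a small set of cluster-scoped GVKs (Node, ClusterOperator and Infrastructure are the ones named above) and register those with meta.RESTScopeRoot; if scope is never consulted, the comment should state that directly rather than describe a fix that is not applied.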

If tests don't rely on scope behavior, this is acceptable for fake client usage.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/client/fake/fake_client.go` around lines 195 - 198, The RESTMapper
initialization currently registers every GVK as namespace-scoped (restMapper :=
meta.NewDefaultRESTMapper(...) and the loop over scheme.Scheme.AllKnownTypes()),
which is wrong for cluster-scoped resources; update the loop to consult the
scheme's scope info (or maintain a set of known cluster-scoped GVKs) and call
restMapper.Add(gvk, meta.RESTScopeRoot) for cluster-scoped types (e.g., Node,
ClusterOperator, Infrastructure) and meta.RESTScopeNamespace for
namespace-scoped types so the mapper reflects correct scopes.
pkg/controller/operconfig/operconfig_controller.go (1)

243-252: 💤 Low value

Inconsistent fallback behavior on type assertion failures.

When ObjectNew assertion fails (line 245-247), it returns false (no reconcile). When ObjectOld assertion fails (line 249-252), it returns true (triggers reconcile). This asymmetry could cause unexpected behavior.

Consider making the fallback consistent:

 oldObj, ok := evt.ObjectOld.(*uns.Unstructured)
 if !ok {
-	return true
+	return false
 }
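Review bot: of the two consistent options, returning true on both assertion failures is the safer one for an update predicate in a TLS profile watch: a dropped event means a changed profile is never reconciled, whereas an extra reconcile is only redundant work. Whichever policy is chosen, log the unexpected concrete type of evt.ObjectOld (and evt.ObjectNew) so a mismatch is visible instead of silently changing reconcile behaviour.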

Or add logging to understand why the assertion would fail.

🤖 Prompt for AI Agents
In `@pkg/controller/operconfig/operconfig_controller.go` around lines 243 - 252,
The UpdateFunc's type assertions for evt.ObjectNew and evt.ObjectOld are
inconsistent: newObj failure returns false while oldObj failure returns true,
which can trigger unexpected reconciles; make the fallback behavior consistent
by choosing one policy (e.g., return false on both assertion failures) and apply
it to both checks in UpdateFunc (evt.ObjectNew and evt.ObjectOld of type
*uns.Unstructured), and optionally add a processLogger.Warn or similar log that
includes the event type and which assertion failed to aid debugging.
🤖 Prompt for all review comments with AI agents
Inline comments:
In `@pkg/network/bootstrap_test.go`:
- Line 141: Fix the typo in the test description used in the Ginkgo When call:
change the string passed to When(...) that currently reads "the the
HostedCluster CR exists" to "the HostedCluster CR exists" in
pkg/network/bootstrap_test.go so the test description is correct.

In `@pkg/network/tls.go`:
- Around line 72-74: The code unconditionally type-asserts apiServerConfig to
map[string]interface{} which can panic if spec.configuration.apiServer exists
but is not an object; update the logic in the TLS conversion path to first test
the concrete type (e.g., m, ok := apiServerConfig.(map[string]interface{})) and
return a descriptive error when the assertion fails before calling
runtime.DefaultUnstructuredConverter.FromUnstructured, ensuring apiServerSpec is
only populated from a verified map; reference apiServerConfig, apiServerSpec,
runtime.DefaultUnstructuredConverter.FromUnstructured and the
bootstrap.TLSProfile error return to locate the change.

📥 Commits

Reviewing files that changed from the base of the PR and between 3a8ac96 and d4d99b4.

⛔ Files ignored due to path filters (182)
📒 Files selected for processing (26)
  • .golangci.yaml
  • bindata/network/multus/multus.yaml
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml
  • bindata/network/ovn-kubernetes/common/error-cni.yaml
  • bindata/network/ovn-kubernetes/common/pre-puller.yaml
  • go.mod
  • pkg/bootstrap/types.go
  • pkg/client/fake/fake_client.go
  • pkg/controller/fake/cache.go
  • pkg/controller/operconfig/controller_applied_test.go
  • pkg/controller/operconfig/controller_failures_test.go
  • pkg/controller/operconfig/controller_hypershift_test.go
  • pkg/controller/operconfig/controller_mtu_test.go
  • pkg/controller/operconfig/controller_rendering_test.go
  • pkg/controller/operconfig/controller_test.go
  • pkg/controller/operconfig/controller_watch_test.go
  • pkg/controller/operconfig/mtu_probe.go
  • pkg/controller/operconfig/operconfig_controller.go
  • pkg/controller/statusmanager/status_manager.go
  • pkg/hypershift/hypershift.go
  • pkg/network/bootstrap.go
  • pkg/network/bootstrap_test.go
  • pkg/network/network_suite_test.go
  • pkg/network/render_test.go
  • pkg/network/tls.go
  • pkg/network/tls_test.go
✅ Files skipped from review due to trivial changes (2)
  • .golangci.yaml
  • pkg/network/tls_test.go
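The tls.go inline comment above (the unconditional assertion of spec.configuration.apiServer to map[string]interface{}) describes a case where a malformed or hand-edited HostedCluster would crash the operator rather than degrade it. Added example, not code from this PR: a defensive extractor that type-checks each level of the path and returns an error instead; the TLSSecurityProfile and CustomTLSProfile structs are a simplified assumed shape, a JSON round-trip stands in for runtime.DefaultUnstructuredConverter.FromUnstructured, and the HostedCluster inputs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// CustomTLSProfile mirrors the "custom" block of an OpenShift tlsSecurityProfile
// (assumed, simplified shape; not the operator's own type).
type CustomTLSProfile struct {
	Ciphers       []string `json:"ciphers"`
	MinTLSVersion string   `json:"minTLSVersion"`
}

// TLSSecurityProfile mirrors tlsSecurityProfile: profile type plus optional custom settings.
type TLSSecurityProfile struct {
	Type   string            `json:"type"`
	Custom *CustomTLSProfile `json:"custom,omitempty"`
}

// apiServerSpec is the subset of spec.configuration.apiServer this example reads.
type apiServerSpec struct {
	TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
}

// nestedMap walks an unstructured object along path. found is false when a key is
// absent or null; a non-object value on the path is an error, never a panic.
func nestedMap(obj map[string]interface{}, path ...string) (map[string]interface{}, bool, error) {
	cur := obj
	for i, key := range path {
		raw, found := cur[key]
		if !found || raw == nil {
			return nil, false, nil
		}
		next, ok := raw.(map[string]interface{})
		if !ok {
			return nil, false, fmt.Errorf("field %q is %T, expected an object", strings.Join(path[:i+1], "."), raw)
		}
		cur = next
	}
	return cur, true, nil
}

// tlsProfileFromHostedCluster extracts the API server TLS security profile from an
// unstructured HostedCluster: (nil, nil) when unset, an error when the type is wrong.
func tlsProfileFromHostedCluster(hc map[string]interface{}) (*TLSSecurityProfile, error) {
	apiServerConfig, found, err := nestedMap(hc, "spec", "configuration", "apiServer")
	if err != nil {
		return nil, fmt.Errorf("invalid HostedCluster: %w", err)
	}
	if !found {
		return nil, nil
	}
	// JSON round-trip stands in for runtime.DefaultUnstructuredConverter.FromUnstructured.
	b, err := json.Marshal(apiServerConfig)
	if err != nil {
		return nil, err
	}
	var spec apiServerSpec
	if err := json.Unmarshal(b, &spec); err != nil {
		return nil, fmt.Errorf("decoding spec.configuration.apiServer: %w", err)
	}
	return spec.TLSSecurityProfile, nil
}

// sampleHostedCluster is a constructed HostedCluster whose spec.configuration.apiServer
// is the given value (any type, to exercise the error paths).
func sampleHostedCluster(apiServer interface{}) map[string]interface{} {
	return map[string]interface{}{
		"spec": map[string]interface{}{
			"configuration": map[string]interface{}{"apiServer": apiServer},
		},
	}
}

// customProfileAPIServer is a constructed apiServer block carrying a Custom profile.
func customProfileAPIServer() map[string]interface{} {
	return map[string]interface{}{
		"tlsSecurityProfile": map[string]interface{}{
			"type": "Custom",
			"custom": map[string]interface{}{
				"ciphers":       []interface{}{"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"},
				"minTLSVersion": "VersionTLS12",
			},
		},
	}
}

func main() {
	for name, hc := range map[string]map[string]interface{}{
		"custom profile":      sampleHostedCluster(customProfileAPIServer()),
		"apiServer is string": sampleHostedCluster("Intermediate"),
		"apiServer unset":     sampleHostedCluster(nil),
	} {
		p, err := tlsProfileFromHostedCluster(hc)
		fmt.Printf("%-20s profile=%+v err=%v\n", name, p, err)
	}
}
```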

@tpantelis tpantelis force-pushed the tls_profile_support branch from d4d99b4 to 768ff86 Compare May 26, 2026 18:31

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/controller/operconfig/mtu_probe.go (1)

45-46: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix incorrect platform name in Azure MTU log message.

At Line 45, the Azure path logs "AWS cluster"; this makes debugging misleading.

Suggested patch
-			klog.Infof("AWS cluster, omitting MTU probing and using default of %d", azureMTU)
+			klog.Infof("Azure cluster, omitting MTU probing and using default of %d", azureMTU)
🤖 Prompt for AI Agents
In `@pkg/controller/operconfig/mtu_probe.go` around lines 45 - 46, The log message
incorrectly says "AWS cluster" when returning the Azure MTU; update the Infof
call that references azureMTU to say "Azure cluster" instead of "AWS cluster"
(look for the klog.Infof line that prints azureMTU in
pkg/controller/operconfig/mtu_probe.go and adjust the string to "Azure cluster,
omitting MTU probing and using default of %d").
🧹 Nitpick comments (5)
pkg/controller/operconfig/controller_test.go (1)

312-321: 💤 Low value

Consider documenting the intent of the hardcoded 3-minute duration in FakeClock.

FakeClock.Since() always returns 3 minutes, which exceeds the degradedFailureDurationThreshold (2 minutes) in StatusManager. This causes the degraded condition to be set immediately without debouncing. While this is likely intentional for faster test execution, a comment would clarify this behavior.

📝 Suggested documentation
 type FakeClock struct {
 }
 
 func (f FakeClock) Now() time.Time {
 	return time.Now()
 }
 
+// Since always returns 3 minutes to exceed the degradedFailureDurationThreshold (2 minutes)
+// in StatusManager, allowing tests to immediately observe degraded conditions without waiting.
 func (f FakeClock) Since(t time.Time) time.Duration {
 	return time.Minute * 3
 }
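Review bot: the added comment documents the 3-minute constant but not that Since ignores its argument while Now returns the real wall clock, so `Now()` and `Since(Now())` are mutually inconsistent in this fake; say so in the comment, or have Since compute against a fixed base time, so a future test that pairs the two is not misled.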
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/operconfig/controller_test.go` around lines 312 - 321, Add a
short comment/docstring to FakeClock explaining why Since() returns a hardcoded
3-minute duration: state that returning 3 minutes intentionally exceeds
StatusManager's degradedFailureDurationThreshold (2 minutes) so degraded
condition triggers immediately for faster tests; reference the FakeClock type
and its Since() method and mention the related constant
degradedFailureDurationThreshold and StatusManager so future readers understand
this deliberate test behavior.
pkg/controller/operconfig/operconfig_controller.go (2)

243-252: ⚡ Quick win

Inconsistent handling of type assertion failures in UpdateFunc.

When newObj assertion fails (line 245-247), the function returns false (skip reconciliation). But when oldObj assertion fails (line 249-252), it returns true (trigger reconciliation). This asymmetry could lead to unexpected behavior. Consider handling both consistently.

♻️ Suggested fix for consistent behavior
 				UpdateFunc: func(evt event.UpdateEvent) bool {
 					newObj, ok := evt.ObjectNew.(*uns.Unstructured)
 					if !ok {
-						return false
+						return true // Reconcile on unexpected type to be safe
 					}
 
 					oldObj, ok := evt.ObjectOld.(*uns.Unstructured)
 					if !ok {
 						return true
 					}

Alternatively, return false for both to skip on assertion failures:

 					oldObj, ok := evt.ObjectOld.(*uns.Unstructured)
 					if !ok {
-						return true
+						return false
 					}
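Review bot: of the two variants, returning false on a failed assertion is the wrong default for this watch: it exists to propagate TLS profile changes, and a swallowed event means the operator keeps serving with a stale, possibly weaker, profile until something else triggers a reconcile. Prefer `return true` in both branches (fail closed, as the first variant already does for ObjectNew) and log the unexpected type so it is visible; an extra reconcile is cheap, a missed one is not.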
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/operconfig/operconfig_controller.go` around lines 243 - 252,
The UpdateFunc currently treats failed type assertions asymmetrically: when
evt.ObjectNew fails to cast to *uns.Unstructured it returns false, but when
evt.ObjectOld fails it returns true; make them consistent by changing the oldObj
assertion branch in UpdateFunc (the block checking evt.ObjectOld against
*uns.Unstructured) to return false on failure, so both failed assertions skip
reconciliation for UpdateFunc (refer to UpdateFunc, evt.ObjectNew,
evt.ObjectOld, and uns.Unstructured).

254-261: 💤 Low value

Errors from unstructured field extraction are silently ignored.

The errors from NestedFieldCopy and NestedString are discarded. While these fields may be optional, ignoring errors could mask issues with malformed HostedCluster objects. Consider logging unexpected errors.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/operconfig/operconfig_controller.go` around lines 254 - 261,
The current change-detection logic uses uns.NestedFieldCopy and uns.NestedString
to populate oldTLSProfile/ newTLSProfile and oldAdherence/ newAdherence but
discards the returned errors; update the watcher comparator to check the error
returns from NestedFieldCopy and NestedString, and log
unexpected/malformed-field errors (including context like which object and
field) before proceeding with the reflect.DeepEqual/ string comparison so
malformed HostedCluster objects aren't silently ignored; keep the same semantics
of only reconciling when the profile or adherence actually changed (use the same
symbols oldTLSProfile, newTLSProfile, oldAdherence, newAdherence and
reflect.DeepEqual).
pkg/client/fake/fake_client.go (2)

195-198: 💤 Low value

All types registered as namespace-scoped may cause issues for cluster-scoped resources.

The REST mapper registers all known types with RESTScopeNamespace, but some resources (like Namespace, Node, ClusterOperator) are cluster-scoped. This could cause incorrect behavior when the fake client needs to determine resource scope.

Consider using meta.RESTScopeRoot for cluster-scoped resources or using a more sophisticated mapper that respects the actual scope of each resource type.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/client/fake/fake_client.go` around lines 195 - 198, The REST mapper
currently marks every GVK as namespace-scoped (restMapper.Add(gvk,
meta.RESTScopeNamespace)), which is wrong for cluster-scoped resources; update
the loop over scheme.Scheme.AllKnownTypes() so that for each gvk you detect
cluster scope and call restMapper.Add(gvk, meta.RESTScopeRoot) for
cluster-scoped types and meta.RESTScopeNamespace for namespaced ones. Implement
detection by checking gvk.Kind/GroupVersion against a small whitelist/set (e.g.,
"Namespace", "Node", "ClusterOperator", etc.) or by consulting a helper that
knows which kinds are namespaced, and update the code around
restMapper/NewDefaultRESTMapper to use that decision when calling
restMapper.Add.

149-159: 💤 Low value

Simplify redundant nil check after successful Get.

When err == nil, the returned obj from Tracker().Get() will be non-nil. The && obj != nil check is redundant.

♻️ Suggested simplification
 		// Try to get the existing object
 		obj, err := dynClient.Tracker().Get(gvr, namespace, name)
-		if err == nil && obj != nil {
+		if err == nil {
 			// Object exists, update it by replacing with the patch data
 			// For Server-Side Apply, we just replace the whole object
 			err = dynClient.Tracker().Update(gvr, unstructuredObj, namespace)
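Review bot: the visible branch only handles err == nil; whatever follows it must distinguish a NotFound error (create the object) from any other tracker error, otherwise every failure from Get is silently treated as "object absent" and turned into a create. Also, the comment says Server-Side Apply is implemented here as a whole-object replace, which is fine for a fake, but it means these tests cannot catch a missing field-manager or merge regression; worth stating in the comment so a passing test is not read as SSA coverage.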
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/client/fake/fake_client.go` around lines 149 - 159, The nil check on obj
is redundant because dynClient.Tracker().Get(gvr, namespace, name) guarantees a
non-nil obj when err == nil; simplify the conditional by removing "&& obj !=
nil" and only test "if err == nil" before calling
dynClient.Tracker().Update(gvr, unstructuredObj, namespace) and returning the
updated unstructuredObj and nil error, preserving the existing error handling
around Update.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b89591c9-83fe-4138-8dfd-f9760ffbbd9b

📥 Commits

Reviewing files that changed from the base of the PR and between d4d99b4 and 768ff86.

⛔ Files ignored due to path filters (182)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/go-task/slim-sprig/v3/.editorconfig is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/.gitattributes is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/date.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/dict.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/functions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/list.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/network.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/numeric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/reflect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/regex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/strings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-task/slim-sprig/v3/url.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/RELEASING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/config/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/core_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/deprecated_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/formatter/colorable_others.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/formatter/colorable_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/formatter/formatter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/automaxprocs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cgroups2.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/cpu_quota_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/mountpoint.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/runtime.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/automaxprocs/subsys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/build/build_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/abort.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/boostrap_templates.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_templates.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generators_common.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/compile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/gocovmerge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/test_suite.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/utils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/verify_version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/labels/labels_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/ginkgo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/import.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/unfocus/unfocus_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/delta.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/delta_tracker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/dependencies.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hashes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/suite.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo_cli_dependencies.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/around_node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/counter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/failer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/focus.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/global/init.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/group.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/interrupt_handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/sigquit_swallower_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/sigquit_swallower_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/ordering.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_wasm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_win.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/client_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_server.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/server_handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/progress_report.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/progress_report_bsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/progress_report_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/progress_report_wasm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/progress_report_win.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/progress_reporter_manager.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/report_entry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/spec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/spec_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/suite.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/tree.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/writer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/deprecated_reporter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/json_report.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/reporter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/table_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/around_node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/code_location.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/deprecated_types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/deprecation_support.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/enum_support.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/file_filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/flags.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/label_filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/report_entry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gstruct/elements.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gstruct/errors/nested_types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gstruct/fields.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gstruct/ignore.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gstruct/keys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gstruct/pointer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gstruct/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/controller-runtime-common/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/cover/profile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/.gomodcheck.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/FAQ.md is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/OWNERS is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/RELEASE.md is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/SECURITY_CONTACTS is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/TMP-LOGGING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/VERSIONING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/alias.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/code-of-conduct.md is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/builder/controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/builder/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/builder/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/client/config/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/client/config/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/client/fake/versioned_tracker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/signal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/signal_posix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/manager/signals/signal_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/scheme/scheme.go is excluded by !**/vendor/**, !vendor/**
  • vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter_custom.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (22)
  • .golangci.yaml
  • go.mod
  • pkg/bootstrap/types.go
  • pkg/client/fake/fake_client.go
  • pkg/controller/fake/cache.go
  • pkg/controller/operconfig/controller_applied_test.go
  • pkg/controller/operconfig/controller_failures_test.go
  • pkg/controller/operconfig/controller_hypershift_test.go
  • pkg/controller/operconfig/controller_mtu_test.go
  • pkg/controller/operconfig/controller_rendering_test.go
  • pkg/controller/operconfig/controller_test.go
  • pkg/controller/operconfig/controller_watch_test.go
  • pkg/controller/operconfig/mtu_probe.go
  • pkg/controller/operconfig/operconfig_controller.go
  • pkg/controller/statusmanager/status_manager.go
  • pkg/hypershift/hypershift.go
  • pkg/network/bootstrap.go
  • pkg/network/bootstrap_test.go
  • pkg/network/network_suite_test.go
  • pkg/network/render_test.go
  • pkg/network/tls.go
  • pkg/network/tls_test.go
✅ Files skipped from review due to trivial changes (1)
  • .golangci.yaml
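
The change-detection logic behind the two operconfig_controller.go findings above (asymmetric handling of failed type assertions, and discarded NestedFieldCopy/NestedString errors), as an added, stand-alone example that is not code from this PR or from the cluster-network-operator project: it mirrors the unstructured nested-field helpers over a plain map using only the Go standard library, treats a malformed field as a reason to reconcile rather than a reason to drop the event, and reconciles only when the profile or adherence actually changed. The field paths, the `tlsAdherence` field name and the sample HostedCluster objects are assumptions constructed for this example, not the PR's real schema.

```go
package main

import (
	"fmt"
	"log"
	"reflect"
)

// Assumed field paths for this example; the PR's real HostedCluster paths are
// not shown on the page.
var (
	tlsProfilePath = []string{"spec", "configuration", "apiServer", "tlsSecurityProfile"}
	adherencePath  = []string{"spec", "configuration", "apiServer", "tlsAdherence"}
)

// nestedField walks a map-of-maps the way the unstructured helpers do.
// found == false means the path is simply absent (a legitimate state);
// err != nil means an intermediate value exists but is not a map, i.e. the
// object is malformed and should not be silently ignored.
func nestedField(obj map[string]interface{}, path ...string) (interface{}, bool, error) {
	var cur interface{} = obj
	for i, key := range path {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false, fmt.Errorf("%v is %T, expected map", path[:i], cur)
		}
		cur, ok = m[key]
		if !ok {
			return nil, false, nil
		}
	}
	return cur, true, nil
}

// nestedString is nestedField plus a type check on the leaf value.
func nestedString(obj map[string]interface{}, path ...string) (string, bool, error) {
	v, found, err := nestedField(obj, path...)
	if err != nil || !found {
		return "", found, err
	}
	s, ok := v.(string)
	if !ok {
		return "", true, fmt.Errorf("%v is %T, expected string", path, v)
	}
	return s, true, nil
}

// tlsState is the part of the object the predicate compares.
type tlsState struct {
	profile   interface{}
	adherence string
}

// extractTLSState surfaces malformed fields instead of discarding the error.
func extractTLSState(obj map[string]interface{}) (tlsState, error) {
	profile, _, err := nestedField(obj, tlsProfilePath...)
	if err != nil {
		return tlsState{}, fmt.Errorf("tlsSecurityProfile: %w", err)
	}
	adherence, _, err := nestedString(obj, adherencePath...)
	if err != nil {
		return tlsState{}, fmt.Errorf("tlsAdherence: %w", err)
	}
	return tlsState{profile: profile, adherence: adherence}, nil
}

// ShouldReconcile is the body of an UpdateFunc predicate. A malformed old or
// new object is logged and reconciled (fail closed) rather than dropped, so a
// TLS profile change is never lost to a parsing problem.
func ShouldReconcile(name string, oldObj, newObj map[string]interface{}) bool {
	oldState, err := extractTLSState(oldObj)
	if err != nil {
		log.Printf("HostedCluster %s: malformed old object (%v); reconciling", name, err)
		return true
	}
	newState, err := extractTLSState(newObj)
	if err != nil {
		log.Printf("HostedCluster %s: malformed new object (%v); reconciling", name, err)
		return true
	}
	return !reflect.DeepEqual(oldState, newState)
}

// hostedCluster builds a constructed sample object; nil omits the field.
func hostedCluster(profile map[string]interface{}, adherence interface{}) map[string]interface{} {
	apiServer := map[string]interface{}{}
	if profile != nil {
		apiServer["tlsSecurityProfile"] = profile
	}
	if adherence != nil {
		apiServer["tlsAdherence"] = adherence
	}
	return map[string]interface{}{
		"apiVersion": "hypershift.openshift.io/v1beta1",
		"kind":       "HostedCluster",
		"spec": map[string]interface{}{
			"configuration": map[string]interface{}{"apiServer": apiServer},
		},
	}
}

func main() {
	inter := map[string]interface{}{"type": "Intermediate"}
	modern := map[string]interface{}{"type": "Modern"}
	fmt.Println("unchanged:", ShouldReconcile("hc", hostedCluster(inter, "Strict"), hostedCluster(inter, "Strict")))
	fmt.Println("profile changed:", ShouldReconcile("hc", hostedCluster(inter, "Strict"), hostedCluster(modern, "Strict")))
	fmt.Println("malformed adherence:", ShouldReconcile("hc", hostedCluster(inter, "Strict"), hostedCluster(inter, 5)))
}
```

The design choice worth noting is the split between "absent" and "malformed": an absent profile on both sides is a normal steady state and must not reconcile, whereas a non-map `spec.configuration` or a non-string adherence is a reason to reconcile and to leave a log line, because the only alternative is to skip an event that may carry a weaker TLS profile.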

@tpantelis tpantelis changed the title Add TLS profile support to the ReconcileOperConfig controller CORENET-7114: Add TLS profile support to the ReconcileOperConfig controller May 26, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 26, 2026
@openshift-ci-robot

openshift-ci-robot commented May 26, 2026

Contributor

@tpantelis: This pull request references CORENET-7114 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

See commits for details.

Summary by CodeRabbit

Release Notes

  • New Features

  • Added monitoring of API server TLS configuration changes to trigger operator reconciliation

  • Added detection of HyperShift TLS security profile and adherence policy changes

  • Support for configurable manifest template paths during operator deployment

  • Improvements

  • Increased MTU probe polling frequency for faster detection of network configuration changes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tpantelis tpantelis force-pushed the tls_profile_support branch 2 times, most recently from 9c1f257 to 526901b Compare May 27, 2026 02:00

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
pkg/controller/statusmanager/status_manager.go (1)

168-172: ⚡ Quick win

Make NewWithClock nil-safe by defaulting to clock.RealClock{}

Current call sites use non-nil clocks (e.g., operconfig/controller_test.go passes &FakeClock{}), but adding a nil fallback prevents a latent panic if future callers pass nil.

Suggested patch
func NewWithClock(client cnoclient.Client, name, cluster string, clock clock.PassiveClock) *StatusManager {
	status := New(client, name, cluster)
-	status.clock = clock
+	if clock == nil {
+		status.clock = clock.RealClock{}
+	} else {
+		status.clock = clock
+	}
	return status
}
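Review bot: the added nil fallback will not compile as written, because the parameter `clock clock.PassiveClock` in the signature shadows the `clock` package inside the function body, so `status.clock = clock.RealClock{}` resolves `clock` to the parameter (a `PassiveClock` value, which has no `RealClock` member). Rename the parameter (for example `c clock.PassiveClock`, then `status.clock = c`) or import the package under an alias before introducing the fallback; the unpatched line `status.clock = clock` is fine only because it never refers to the package inside the body.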
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/statusmanager/status_manager.go` around lines 168 - 172,
NewWithClock currently assigns the provided clock directly which can panic if
callers pass nil; update NewWithClock (in
pkg/controller/statusmanager/status_manager.go) to default to a real clock when
clock == nil by setting status.clock = clock if non-nil else status.clock =
clock.RealClock{} (so StatusManager created via NewWithClock will always have a
valid clock); keep the rest of the function (calling New(client, name, cluster)
and returning status) unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: aaa1e01e-61a0-4805-a1b9-8ab9520d790c

📥 Commits

Reviewing files that changed from the base of the PR and between 768ff86 and 526901b.

⛔ Files ignored due to path filters (182)
📒 Files selected for processing (22)
  • .golangci.yaml
  • go.mod
  • pkg/bootstrap/types.go
  • pkg/client/fake/fake_client.go
  • pkg/controller/fake/cache.go
  • pkg/controller/operconfig/controller_applied_test.go
  • pkg/controller/operconfig/controller_failures_test.go
  • pkg/controller/operconfig/controller_hypershift_test.go
  • pkg/controller/operconfig/controller_mtu_test.go
  • pkg/controller/operconfig/controller_rendering_test.go
  • pkg/controller/operconfig/controller_test.go
  • pkg/controller/operconfig/controller_watch_test.go
  • pkg/controller/operconfig/mtu_probe.go
  • pkg/controller/operconfig/operconfig_controller.go
  • pkg/controller/statusmanager/status_manager.go
  • pkg/hypershift/hypershift.go
  • pkg/network/bootstrap.go
  • pkg/network/bootstrap_test.go
  • pkg/network/network_suite_test.go
  • pkg/network/render_test.go
  • pkg/network/tls.go
  • pkg/network/tls_test.go
🚧 Files skipped from review as they are similar to previous changes (20)
  • .golangci.yaml
  • pkg/network/network_suite_test.go
  • pkg/network/bootstrap.go
  • pkg/hypershift/hypershift.go
  • go.mod
  • pkg/controller/operconfig/controller_mtu_test.go
  • pkg/controller/operconfig/controller_rendering_test.go
  • pkg/network/tls.go
  • pkg/controller/operconfig/controller_failures_test.go
  • pkg/client/fake/fake_client.go
  • pkg/controller/fake/cache.go
  • pkg/controller/operconfig/mtu_probe.go
  • pkg/network/bootstrap_test.go
  • pkg/controller/operconfig/controller_hypershift_test.go
  • pkg/network/render_test.go
  • pkg/bootstrap/types.go
  • pkg/network/tls_test.go
  • pkg/controller/operconfig/operconfig_controller.go
  • pkg/controller/operconfig/controller_test.go
  • pkg/controller/operconfig/controller_applied_test.go

@tpantelis tpantelis force-pushed the tls_profile_support branch 2 times, most recently from 55ffe0a to 54295fd Compare May 29, 2026 12:33
Comment thread pkg/client/fake/fake_client.go Outdated
Comment thread pkg/client/fake/fake_client.go Outdated
Comment thread pkg/client/fake/fake_client.go Outdated
Comment thread pkg/controller/fake/cache.go Outdated
Comment thread pkg/controller/operconfig/controller_applied_test.go Outdated
Comment thread pkg/controller/operconfig/mtu_probe.go Outdated
Comment thread pkg/controller/operconfig/operconfig_controller.go Outdated
Comment thread pkg/controller/statusmanager/status_manager.go Outdated
Comment thread vendor/sigs.k8s.io/controller-runtime/.gitignore
Comment thread pkg/controller/operconfig/controller_hypershift_test.go Outdated
@tpantelis tpantelis force-pushed the tls_profile_support branch 2 times, most recently from 31cb5e0 to b654b02 Compare June 10, 2026 15:23
@tpantelis

Contributor Author

I removed the oper config unit tests to simplify the PR and changed the other unit tests I added in the network package to use Go testing.

@tpantelis tpantelis force-pushed the tls_profile_support branch from b654b02 to 10ddb5e Compare June 10, 2026 19:35
@danwinship

Contributor

You pushed a bunch of unrelated commits along with your branch...

@tpantelis tpantelis force-pushed the tls_profile_support branch from 10ddb5e to fe3e0d6 Compare June 14, 2026 14:18
@tpantelis

tpantelis commented Jun 16, 2026

Contributor Author

@danwinship So it turns out CNO uses controllercmd.NewControllerCommandConfig

cmdcfg := controllercmd.NewControllerCommandConfig("network-operator", version.Get(), func(ctx context.Context, controllerConfig *controllercmd.ControllerContext) error {
	return operator.RunOperator(ctx, controllerConfig, *inClusterClientName, *extraClusters)
}, clock.RealClock{})

which automatically sets up an HTTPS metrics server but with hard-coded TLS min version (TLS 1.2) and cipher suites, which, of course, isn't TLS profile compliant. I missed that before. It also does not (directly) provide a way to customize the TLS config, although it seems there is a clunky way to do it. Assuming that's true, we'll also need to watch for TLS profile changes and restart the process (there's no way to hot-reload the metrics server). Given that, the changes I made to the ReconcileOperConfig controller to watch the APIServer (and HostedCluster for hypershift) would basically move to a higher level and trigger a process restart.

Other options are:

  • use plain HTTP for operator metrics
  • continue to use the hard-coded TLS defaults and don't honor the centralized TLS profile for operator metrics

but I assume neither of those is acceptable.

@danwinship

Contributor

So it turns out CNO uses controllercmd.NewControllerCommandConfig ...
which automatically sets up an HTTPS metrics server but with hard-coded TLS min version (TLS 1.2) and cipher suites, which, of course, isn't TLS profile compliant.

I assume someone is going to have to fix that as part of all the 5.0 TLS work anyway though?

use plain HTTP for operator metrics

That's what we do for most components, and then add kube-rbac-proxy to export via HTTPS, so this ought to be easy / similar to other patches?

@tpantelis

Contributor Author

So it turns out CNO uses controllercmd.NewControllerCommandConfig ...
which automatically sets up an HTTPS metrics server but with hard-coded TLS min version (TLS 1.2) and cipher suites, which, of course, isn't TLS profile compliant.

I assume someone is going to have to fix that as part of all the 5.0 TLS work anyway though?

I asked about it on the #forum-ocp-tls-strict-obedience channel but no answer (yet). There's no open PR but I suspect if controllercmd was going to be updated it would've been done by now. A prior post asking about controllercmd had no resolution other than to move away from using controllercmd. Looking at another openshift project using controllercmd, https://github.com/openshift/aws-ebs-csi-driver-operator/blob/master/cmd/aws-ebs-csi-driver-operator/main.go, it's not doing anything to use the centralized TLS profile.

Anyway, there is a way to configure the TLS settings in controllercmd although it requires duplicating some code from controllercmd. Another option is to convert to using controller runtime but that may be more work and we'd probably lose some functionality provided by controllercmd.

use plain HTTP for operator metrics

That's what we do for most components, and then add kube-rbac-proxy to export via HTTPS, so this ought to be easy / similar to other patches?

I assume that would entail adding a kube-rbac-proxy sidecar container like https://github.com/openshift/ingress-node-firewall/blob/1c7880a7aa38192761538fb98446acca09509e09/config/manager/manager.yaml#L89. But then there's the issue of how to configure the values for the --tls params instead of hard-coding in the yaml which is even more problematic.

@tpantelis

tpantelis commented Jun 16, 2026

Contributor Author

@danwinship I added e0a9cc3 to configure the TLS settings for the CNO metrics server. I moved the TLS profile watching from ReconcileOperConfig to a new controller that triggers a restart on TLS profile update. I can squash the two commits once reviewed.

@tpantelis tpantelis force-pushed the tls_profile_support branch 2 times, most recently from 2a9a463 to 2985d92 Compare June 16, 2026 21:54
@tpantelis

Contributor Author

@tpantelis can you squash the HostedControlPlane/HostedCluster fix back into the original commit (rather than having it initially be wrong and then fixing it). And then I'll approve and then wrestle with CI overrides until I can get this to merge

Done

@tpantelis tpantelis changed the title CORENET-7114: Add TLS profile support to the ReconcileOperConfig controller CORENET-7114: Add OCP centralized TLS profile support Jul 1, 2026
@danwinship

Contributor

/verified by @weliang
(just rebased around irrelevant changes)
/lgtm
/override ci/prow/e2e-aws-ovn-upgrade-ipsec

@openshift-ci-robot

Contributor

@danwinship: This PR has been marked as verified by @weliang.

Details

In response to this:

/verified by @weliang
(just rebased around irrelevant changes)
/lgtm
/override ci/prow/e2e-aws-ovn-upgrade-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 1, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Contributor

@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-aws-ovn-upgrade-ipsec

Details

In response to this:

/verified by @weliang
(just rebased around irrelevant changes)
/lgtm
/override ci/prow/e2e-aws-ovn-upgrade-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot

Contributor

/retest-required

Remaining retests: 0 against base HEAD 8f06c7e and 2 for PR HEAD 046d565 in total

@danwinship

Contributor

/override ci/prow/e2e-aws-ovn-upgrade-ipsec
/retest

@danwinship

Contributor

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec ci/prow/e2e-ovn-ipsec-step-registry ci/prow/e2e-aws-ovn-upgrade-ipsec

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-aws-ovn-upgrade-ipsec, ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec, ci/prow/e2e-ovn-ipsec-step-registry

Details

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec ci/prow/e2e-ovn-ipsec-step-registry ci/prow/e2e-aws-ovn-upgrade-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@danwinship

Contributor

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

Details

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@danwinship

Contributor

@tpantelis serial test is failing because you added a new host-network listening socket that doesn't have a Service pointing to it...

...to enable TLS profile compliance for the various component
deployments rendered by the ReconcileOperConfig controller and
for the CNO metrics server.

The CNO metrics server (port 9104) was using default TLS settings
but now supports honoring the cluster TLS profile via two
coordinated mechanisms:

  1. Apply TLS profile at startup: main.go hooks into the controllercmd
     startup to configure TLS for metrics server. It obtains the
     cluster's TLS profile and applies the TLS minVersion and
     cipherSuites to the metrics server ServingInfo.

  2. Restart on profile change: A new pkg/controller/tls controller
     watches for TLS profile or adherence policy changes. When detected,
     it calls the cancel function passed from main.go, triggering a
     graceful restart via context cancellation.

Other changes:
  - Add TLSProfile type to bootstrap.BootstrapResult to capture cluster
    TLS configuration and adherence policy
  - Implement GetTLSProfile() in pkg/network/bootstrap.go to fetch the TLS
    settings from the OpenShift APIServer resource or,
    in HyperShift environments, the HostedControlPlane resource.
  - Add helper function addTLSInfoToRenderData() in pkg/network/tls.go
    to prepare TLS data for template rendering
  - Add APIServerSpec field to the HostedControlPlane struct in hypershift
    package
  - Add GetHostedControlPlane() function in hypershift package
  - Update dependencies: controller-runtime-common for TLS helpers and
    library-go for ShouldHonorClusterTLSProfile()

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
@tpantelis tpantelis force-pushed the tls_profile_support branch from 046d565 to d11954f Compare July 2, 2026 22:33
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Jul 2, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2026
@tpantelis

Contributor Author

@tpantelis serial test is failing because you added a new host-network listening socket that doesn't have a Service pointing to it...

So the refactoring to override the default StartController behavior bypassed the --listen flag handling so the bind address was on the default port 8443 instead of the intended exposed port 9104.

Fixed by extracting and applying the --listen flag value in startControllerWithTLSCustomization.

PS: I think we should consider migrating to the controller runtime API in the next release instead of using library-go's controllercmd.
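The two mechanisms the commit message above describes (apply the cluster TLS profile to the metrics server's serving config, and restart when the profile changes) and the --listen fix discussed in the comment just above, worked through as an added example for this page. This is not CNO's code and does not use the library-go or openshift/api types: the TLSProfile type is a simplified hypothetical stand-in for the APIServer TLSSecurityProfile, cipher names are Go/IANA names so they resolve through the standard library rather than the OpenSSL-style names OpenShift uses, and the default listen address 0.0.0.0:8443 is a constructed value that mirrors the wrong-port symptom reported above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"os"
	"strings"
)

// ProfileType mirrors the four OpenShift TLS security profile kinds.
// Assumption: simplified stand-in, not the real openshift/api type.
type ProfileType string

const (
	ProfileOld          ProfileType = "Old"
	ProfileIntermediate ProfileType = "Intermediate"
	ProfileModern       ProfileType = "Modern"
	ProfileCustom       ProfileType = "Custom"
)

// TLSProfile is the constructed input; MinVersion and Ciphers are only
// consulted for the Custom profile. Cipher names are Go/IANA names.
type TLSProfile struct {
	Type       ProfileType
	MinVersion string
	Ciphers    []string
}

// AEAD-only suite list used for the Intermediate profile (constructed).
var intermediateCiphers = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// minVersionFromString maps the profile's version string to a Go constant.
func minVersionFromString(s string) (uint16, error) {
	switch s {
	case "VersionTLS10":
		return tls.VersionTLS10, nil
	case "VersionTLS11":
		return tls.VersionTLS11, nil
	case "VersionTLS12":
		return tls.VersionTLS12, nil
	case "VersionTLS13":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unknown TLS version %q", s)
}

// cipherIDs resolves names only against Go's non-insecure suite list, so a
// profile naming RC4/3DES-style suites fails loudly instead of being trimmed.
func cipherIDs(names []string) ([]uint16, error) {
	if len(names) == 0 {
		return nil, nil
	}
	known := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = cs.ID
	}
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		id, ok := known[n]
		if !ok {
			return nil, fmt.Errorf("cipher %q is unknown or insecure", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// servingTLSConfig renders the profile into the tls.Config a metrics
// server would serve with (minVersion plus cipherSuites).
func servingTLSConfig(p TLSProfile) (*tls.Config, error) {
	var minVer uint16
	var names []string
	switch p.Type {
	case ProfileOld:
		minVer = tls.VersionTLS10 // Go's default suite list; legacy only
	case ProfileIntermediate, "":
		minVer, names = tls.VersionTLS12, intermediateCiphers
	case ProfileModern:
		minVer = tls.VersionTLS13 // Go ignores CipherSuites for TLS 1.3
	case ProfileCustom:
		v, err := minVersionFromString(p.MinVersion)
		if err != nil {
			return nil, err
		}
		minVer, names = v, p.Ciphers
	default:
		return nil, fmt.Errorf("unknown profile type %q", p.Type)
	}
	ids, err := cipherIDs(names)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: minVer, CipherSuites: ids}, nil
}

// profileChanged is the watch-side check: when it reports true the
// controller would call the cancel func to trigger a graceful restart.
func profileChanged(old, cur TLSProfile) bool {
	return old.Type != cur.Type || old.MinVersion != cur.MinVersion ||
		strings.Join(old.Ciphers, ",") != strings.Join(cur.Ciphers, ",")
}

// listenAddrFromArgs honors --listen=ADDR or --listen ADDR; without it the
// server would silently bind the default address, the bug described above.
func listenAddrFromArgs(args []string, defaultAddr string) string {
	for i, a := range args {
		if strings.HasPrefix(a, "--listen=") {
			return strings.TrimPrefix(a, "--listen=")
		}
		if a == "--listen" && i+1 < len(args) {
			return args[i+1]
		}
	}
	return defaultAddr
}

func main() {
	addr := listenAddrFromArgs(os.Args[1:], "0.0.0.0:8443") // constructed default
	cfg, err := servingTLSConfig(TLSProfile{Type: ProfileIntermediate})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("listen=%s minVersion=%#x ciphers=%d\n", addr, cfg.MinVersion, len(cfg.CipherSuites))
}
```

Run it with `go run . --listen=0.0.0.0:9104` to see the flag take precedence over the built-in default; with no flag the printed address is the constructed 8443 default, which is the symptom the serial test caught.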

@danwinship

Contributor

PS: I think we should consider migrating to the controller runtime API in the next release instead of using library-go's controllercmd.

yeah, CNO needs a lot of refactoring...

@danwinship

Contributor

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec
/lgtm

@danwinship

Contributor

/verified by @weliang
and by CI

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, tpantelis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec
/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 3, 2026
@openshift-ci-robot

Contributor

@danwinship: This PR has been marked as verified by @weliang.

In response to this:

/verified by @weliang
and by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@danwinship

Contributor

/retest-required
/override ci/prow/e2e-ovn-ipsec-step-registry ci/prow/e2e-aws-ovn-upgrade-ipsec

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

@danwinship: Overrode contexts on behalf of danwinship: ci/prow/e2e-aws-ovn-upgrade-ipsec, ci/prow/e2e-ovn-ipsec-step-registry

In response to this:

/retest-required
/override ci/prow/e2e-ovn-ipsec-step-registry ci/prow/e2e-aws-ovn-upgrade-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

@tpantelis: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade | 54295fd | link | false | /test 4.22-upgrade-from-stable-4.21-e2e-gcp-ovn-upgrade |
| ci/prow/4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade | 54295fd | link | false | /test 4.22-upgrade-from-stable-4.21-e2e-aws-ovn-upgrade |
| ci/prow/e2e-aws-ovn-fdp-qe | d11954f | link | true | /test e2e-aws-ovn-fdp-qe |
| ci/prow/e2e-aws-ovn-rhcos10-techpreview | d11954f | link | false | /test e2e-aws-ovn-rhcos10-techpreview |
| ci/prow/5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade | d11954f | link | false | /test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade |
| ci/prow/5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade | d11954f | link | false | /test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade |
| ci/prow/5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade | d11954f | link | false | /test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade |
| ci/prow/e2e-azure-ovn-upgrade | d11954f | link | true | /test e2e-azure-ovn-upgrade |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

4 participants