Skip to content

CNTRLPLANE-3652: Add TLS ownership for 5 unowned artifacts#31348

Open
oceanc80 wants to merge 2 commits into
openshift:mainfrom
redhat-chai-bot:tls-ownership-fix
Open

CNTRLPLANE-3652: Add TLS ownership for 5 unowned artifacts#31348
oceanc80 wants to merge 2 commits into
openshift:mainfrom
redhat-chai-bot:tls-ownership-fix

Conversation

@oceanc80

@oceanc80 oceanc80 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Add ownership information for 5 TLS artifacts that were listed as missing owners in the TLS registry:

  • ns/openshift-ingress secret/router-certs-default → Networking / router
  • ns/openshift-ingress-operator secret/router-ca → Networking / router
  • ns/kube-system configmap/extension-apiserver-authentication → kube-apiserver
  • ns/openshift-config-managed configmap/default-ingress-cert → Networking / router
  • ns/openshift-console configmap/default-ingress-cert → Networking / router

Updates ownership.json, ownership.md, all raw-data files, and empties the ownership-violations.json file.

Ref: CNTRLPLANE-3652

Summary by CodeRabbit

  • Documentation
    • Updated TLS documentation (ownership, descriptions, refresh period, and test cases) to add a Networking / router section, remove Unknown Owner listings, and refresh table-of-contents counts and numbering.
  • New Features
    • Populated previously-empty owning component and description metadata for aggregated API server and default ingress/router TLS artifacts across generated TLS metadata.
  • Bug Fixes
    • Cleared stale ownership-violation lists so reported violations no longer include outdated locations.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 29, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 29, 2026

Copy link
Copy Markdown

@oceanc80: This pull request references CNTRLPLANE-3652 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Add ownership information for 5 TLS artifacts that were listed as missing owners in the TLS registry:

  • ns/openshift-ingress secret/router-certs-default → Networking / router
  • ns/openshift-ingress-operator secret/router-ca → Networking / router
  • ns/kube-system configmap/extension-apiserver-authentication → kube-apiserver
  • ns/openshift-config-managed configmap/default-ingress-cert → Networking / router
  • ns/openshift-console configmap/default-ingress-cert → Networking / router

Updates ownership.json, ownership.md, all raw-data files, and empties the ownership-violations.json file.

Ref: CNTRLPLANE-3652

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 292a550e-d65f-4c3e-bfa4-6367bc468a7f

📥 Commits

Reviewing files that changed from the base of the PR and between a9a7155 and 196a8c5.

⛔ Files ignored due to path filters (1)
  • vendor/github.com/openshift/library-go/pkg/markdown/markdown.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (5)
  • tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md
  • tls/descriptions/descriptions.md
  • tls/ownership/ownership.md
  • tls/refresh-period/refresh-period.md
  • tls/testcase/testcase.md

Walkthrough

TLS ownership metadata was populated for kube-apiserver and Networking / router artifacts across canonical JSON, raw snapshot JSON, and generated markdown inventories. Related ownership violations entries were removed.

Changes

TLS ownership metadata population

Layer / File(s) Summary
Metadata JSON updates
tls/ownership/ownership.json, tls/descriptions/descriptions.json, tls/refresh-period/refresh-period.json, tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json, tls/testcase/testcase.json
Populates owningJiraComponent and description for kube-apiserver and router-related CA bundle and cert key pair entries.
Inventory markdown updates
tls/ownership/ownership.md, tls/descriptions/descriptions.md, tls/refresh-period/refresh-period.md, tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md, tls/testcase/testcase.md
Removes Unknown Owner sections, adds Networking / router sections, and renumbers kube-apiserver CA bundle listings in the generated inventories.
Raw TLS snapshot updates
tls/raw-data/raw-tls-artifacts-*.json
Applies the same ownership and description metadata changes across the platform snapshot JSON files.
Violation list removal
tls/violations/ownership/ownership-violations.json
Replaces the populated violation lists with null.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding TLS ownership for five previously unowned artifacts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only changes TLS ownership JSON/MD artifacts; no Ginkgo test files or titles were modified, so no unstable test names are present.
Test Structure And Quality ✅ Passed No Ginkgo test code was changed; the PR only updates TLS JSON/MD metadata and ownership files, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the TLS diff only changes JSON and markdown ownership/docs files, with no Go test files.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only updates TLS ownership JSON/MD metadata; no Go/Ginkgo test declarations or multi-node assumptions were added, so the SNO check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only updates TLS ownership/docs/raw-data JSON metadata and clears violations; it adds no deployment manifests, controllers, or scheduling logic.
Ote Binary Stdout Contract ✅ Passed PASS: The PR scope is TLS metadata/docs/raw-data; the only Go file under tls is an embed-only helper with no stdout/logging, so no process-level stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The PR only changes TLS JSON/MD metadata files; no new Ginkgo e2e tests or network-related code were added.
No-Weak-Crypto ✅ Passed Touched files are TLS registry/docs JSON only; precise scan found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparison code.
Container-Privileges ✅ Passed PR only touches JSON/MD TLS registry files; targeted scans found no privileged/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed The PR only changes TLS ownership JSON/MD metadata and clears violations; I found no logging statements or secret/token/PII exposure in the scoped files.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from deads2k and sjenning June 29, 2026 11:11
@openshift-ci openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 29, 2026

@oceanc80 oceanc80 left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@oceanc80: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oceanc80
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Set owningJiraComponent and description for:
- ns/kube-system configmap/extension-apiserver-authentication (kube-apiserver)
- ns/openshift-config-managed configmap/default-ingress-cert (Networking / router)
- ns/openshift-console configmap/default-ingress-cert (Networking / router)
- ns/openshift-ingress secret/router-certs-default (Networking / router)
- ns/openshift-ingress-operator secret/router-ca (Networking / router)

Ownership info updated in raw-data files and all derived files
regenerated via `go run -mod vendor ./cmd/update-tls-artifacts generate-ownership`.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tls/ownership/ownership.md`:
- Around line 23-25: The table of contents links use manually written
title-cased anchor fragments that do not match the generated markdown heading
IDs, so update the TOC entries to use the actual lowercase slug format. Fix the
links for the relevant headings in ownership.md, including the entries
associated with Networking / router and kube-apiserver, and keep the fragment
text consistent with the rendered markdown anchors so the TOC resolves
correctly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 28e46bfa-6e01-4e2b-89f3-66924722bb99

📥 Commits

Reviewing files that changed from the base of the PR and between 9a99e04 and a9a7155.

📒 Files selected for processing (24)
  • tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json
  • tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md
  • tls/descriptions/descriptions.json
  • tls/descriptions/descriptions.md
  • tls/ownership/ownership.json
  • tls/ownership/ownership.md
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/refresh-period/refresh-period.json
  • tls/refresh-period/refresh-period.md
  • tls/testcase/testcase.json
  • tls/testcase/testcase.md
  • tls/violations/ownership/ownership-violations.json
✅ Files skipped from review due to trivial changes (10)
  • tls/ownership/ownership.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json
🚧 Files skipped from review as they are similar to previous changes (4)
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json

Comment thread tls/ownership/ownership.md Outdated
The markdown TOC generator was producing title-cased anchor fragments
(e.g. #Certificates-2, #Certificate-Authority-Bundles-2) that don't
match the lowercase heading IDs rendered by GitHub/markdown processors
(e.g. #certificates-2, #certificate-authority-bundles-2).

Add strings.ToLower() to the tocLink generation in the vendored
library-go markdown package and regenerate all TLS ownership markdown.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the vendor-update Touching vendor dir or related files label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@oceanc80: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/go-verify-deps 196a8c5 link true /test go-verify-deps
ci/prow/verify-deps 196a8c5 link true /test verify-deps

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review vendor-update Touching vendor dir or related files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants