CNTRLPLANE-3426: restart operator upon tls config change #1389
ricardomaraschini wants to merge 1 commit into
@ricardomaraschini: This pull request explicitly references no jira issue.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Note: Reviews paused
It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
Walkthrough
The PR observes the cluster APIServer TLS security profile, returns a defensive MinTLSVersion and cipher suite list, applies them to the metrics serving TLS template, and wires an APIServer informer to trigger shutdown when those settings change so the metrics server restarts with updated TLS settings.
Changes
APIServer TLS Configuration Integration
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks | ✅ 10 | ❌ 2
❌ Failed checks (2 warnings)
✅ Passed checks (10 passed)
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: ricardomaraschini
The full list of commands accepted by this bot can be found here.
/hold
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/cvo/metrics.go`:
- Around line 435-440: The code assigns options.CipherSuites directly to
baseTlSConfig.CipherSuites (in the block handling Apply APIServer TLS
configuration) which may contain TLS 1.3 suite IDs that Go ignores; update the
assignment to filter out TLS 1.3 cipher suite IDs (those defined in
ObserveAPIServerTLSConfig / the observed profile) before setting
baseTlSConfig.CipherSuites, or alternatively add a clear comment/log explaining
that TLS 1.3 suites are not configurable in crypto/tls; locate the logic around
options.CipherSuites and baseTlSConfig.CipherSuites and implement the filter
step to drop TLS 1.3 IDs prior to assignment.
In `@pkg/start/start.go`:
- Around line 334-350: The baseline TLS profile is captured from the lister
before the APIServer informer cache is started/synced
(o.MetricsOptions.ListenAddress branch), so startMinTLS/startCiphers (from
cvo.ObserveAPIServerTLSConfig) can be read from an empty cache causing an
immediate false-positive runCancel; fix by deferring the initial call to
cvo.ObserveAPIServerTLSConfig until after ConfigInformerFactory.Start(...) and
WaitForCacheSync(...) complete (or otherwise ensure the
apiServerInformer.Informer() has synced) and only then set
startMinTLS/startCiphers once (or set a boolean so the first post-sync
observation initializes the baseline), leaving the existing handler logic that
compares current vs start and calls runCancel unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: d6e1b8c7-a6f5-4891-b1d2-dcd57d5c2c0b
📒 Files selected for processing (3)
- pkg/cvo/metrics.go
- pkg/cvo/metrics_test.go
- pkg/start/start.go
fc32b95 to 9469b26
9469b26 to 55d653c
@ricardomaraschini: This pull request references CNTRLPLANE-3426 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.
/jira refresh
@ricardomaraschini: This pull request references CNTRLPLANE-3426 which is a valid jira issue.
/retest
55d653c to b7a72a9
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/start/start.go`:
- Around line 370-379: The current event handler only uses UpdateFunc and misses
Add/Delete transitions; extract the TLS-change detection into a helper
closure/function (e.g., checkAPIServerTLSChange) that calls
cvo.ObserveAPIServerTLSConfig(apiServerLister), compares with startMinTLSVersion
and startCipherSuites (use slices.Equal for ciphers), logs via klog.Infof and
calls runCancel() on change, then register that helper for AddFunc, UpdateFunc
and DeleteFunc on apiServerSharedIndexInformer via
cache.ResourceEventHandlerFuncs so all three events trigger the same check.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: bae20338-20bd-41b3-a6b5-aec4c02873db
📒 Files selected for processing (3)
- pkg/cvo/metrics.go
- pkg/cvo/metrics_test.go
- pkg/start/start.go
🚧 Files skipped from review as they are similar to previous changes (2)
- pkg/cvo/metrics_test.go
- pkg/cvo/metrics.go
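The three review points above (dropping TLS 1.3 suite IDs that `crypto/tls` does not let you configure, recording the baseline only on the first post-sync observation, and running one check for add, update and delete events), as an added example that is not code from this PR. `dropTLS13Suites` and `tlsChangeDetector` are hypothetical names, and the sample profiles are constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"slices"
)

// dropTLS13Suites removes IDs that crypto/tls lists as TLS 1.3-only.
// tls.Config.CipherSuites has no effect on TLS 1.3, so they are filtered out.
func dropTLS13Suites(ids []uint16) []uint16 {
	tls13Only := map[uint16]bool{}
	for _, cs := range tls.CipherSuites() {
		if slices.Equal(cs.SupportedVersions, []uint16{tls.VersionTLS13}) {
			tls13Only[cs.ID] = true
		}
	}
	return slices.DeleteFunc(slices.Clone(ids), func(id uint16) bool { return tls13Only[id] })
}

// tlsChangeDetector is a hypothetical stand-in for the informer event handler.
type tlsChangeDetector struct {
	synced     bool
	minVersion uint16
	ciphers    []uint16
}

// Observe takes the currently observed profile and reports whether a restart
// is needed. Call it only after the cache has synced, from the add, update
// and delete handlers alike; the first call just records the baseline.
func (d *tlsChangeDetector) Observe(minVersion uint16, ciphers []uint16) bool {
	effective := dropTLS13Suites(ciphers)
	if !d.synced {
		d.synced, d.minVersion, d.ciphers = true, minVersion, effective
		return false
	}
	return minVersion != d.minVersion || !slices.Equal(effective, d.ciphers)
}

func main() {
	// Constructed sample profiles, not taken from any cluster.
	base := []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	d := &tlsChangeDetector{}
	fmt.Println(d.Observe(tls.VersionTLS12, base))     // first call: baseline only
	fmt.Println(d.Observe(tls.VersionTLS12, base[1:])) // only a TLS 1.3 ID removed
	fmt.Println(d.Observe(tls.VersionTLS13, base))     // minimum version raised
}
```

Because the comparison runs on the filtered list, a profile change that touches only TLS 1.3 suite IDs does not trigger a restart in this sketch; that is a design choice of the example.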
bb2538b to 884fdc1
When the cluster-wide TLS config changes, we now restart the operator by cancelling the run context. By doing so we ensure that the metrics endpoint will always use the correct TLS version and ciphers.
884fdc1 to ab62b8b
@ricardomaraschini: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.