Skip to content

OCPBUGS-57627: cert-inspection: create stubs for in-memory certificates #1994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

OCPBUGS-57627: cert-inspection: create stubs for in-memory certificates #1994

wants to merge 1 commit into from

Conversation

vrutkovs
Copy link
Member

@vrutkovs vrutkovs commented Aug 18, 2025
edited
Loading

We have no method to detect those, we have to create stub entries for every instance of apiserver.

Tested in openshift/origin#30005

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Aug 18, 2025
@openshift-ci-robot
Copy link

@vrutkovs: This pull request references Jira Issue OCPBUGS-57627, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

We have no method to detect those, we have to create stub entries for every instance of apiserver

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

wangke19
wangke19 reviewed Sep 1, 2025
View reviewed changes
pkg/certs/cert-inspection/certgraphanalysis/collector.go Outdated
for i, pod := range podList.Items {
certKeyPair := certgraphapi.CertKeyPair{
Name: fmt.Sprintf("%s-%d::1", detail.NamePrefix, i),
Description: "apiserver loopback certificate",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The description is hardcoded as "apiserver loopback certificate". This limits the function's reusability. It would be better to add a Description field to the InMemoryCertDetail
struct to allow callers to provide context-specific descriptions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea

wangke19
wangke19 reviewed Sep 1, 2025
View reviewed changes
pkg/certs/cert-inspection/certgraphanalysis/collector.go
list = &certgraphapi.PKIList{}
}

if list.InMemoryResourceData.CertKeyPairs == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We checking for nil on list.InMemoryResourceData.CertKeyPairs but then initializing list.CertKeyPairs.Items. This might likely be:

if list.InMemoryResourceData.CertKeyPairs == nil {
     list.InMemoryResourceData.CertKeyPairs = []certgraphapi.PKIRegistryInMemoryCertKeyPair{}
 }
 // and separately
 if list.CertKeyPairs.Items == nil {
      list.CertKeyPairs.Items = []certgraphapi.CertKeyPair{}
 }

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great find

@wangke19
Copy link
Contributor

wangke19 commented Sep 1, 2025

Add Unit Tests

The new functionality, especially in collector.go and deduplication.go, is not covered by new tests.

Advice:

  • Create a new test file pkg/certs/cert-inspection/certgraphanalysis/collector_test.go.
  • Add a unit test for CreateInMemoryPKIList using a fake kubeClient to ensure it correctly generates CertKeyPair objects based on a list of pods.
  • Add a unit test for CombineCertInMemoryLocations in deduplication.go to verify that it correctly merges and de-duplicates pod locations.

@vrutkovs vrutkovs force-pushed the inmemory-certs branch 2 times, most recently from e240400 to 96400ee Compare September 1, 2025 09:35
@vrutkovs
cert-inspection: create stubs for in-memory certificates
68b8074 
We have no method to detect those, we have to create stub entries for every instance of apiserver
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 1, 2025

@vrutkovs: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@wangke19
Copy link
Contributor

wangke19 commented Sep 3, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 3, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vrutkovs, wangke19
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

1 more reviewer

@wangke19 wangke19 wangke19 left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@wangke19 wangke19

Labels
jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vrutkovs @openshift-ci-robot @wangke19