Skip to content

OCPBUGS-57627: cert-inspection: create stubs for in-memory certificates #1994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vrutkovs wants to merge 1 commit into
base: master
Choose a base branch
from
Open

OCPBUGS-57627: cert-inspection: create stubs for in-memory certificates #1994

vrutkovs wants to merge 1 commit into from

Conversation

@vrutkovs
Copy link
Contributor

@vrutkovs vrutkovs commented Aug 18, 2025
edited
Loading

We have no method to detect those, we have to create stub entries for every instance of apiserver.

Tested in openshift/origin#30005

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Aug 18, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Aug 18, 2025

@vrutkovs: This pull request references Jira Issue OCPBUGS-57627, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

We have no method to detect those, we have to create stub entries for every instance of apiserver

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

wangke19
wangke19 reviewed Sep 1, 2025
View reviewed changes
pkg/certs/cert-inspection/certgraphanalysis/collector.go Outdated
for i, pod := range podList.Items {
certKeyPair := certgraphapi.CertKeyPair{
Name: fmt.Sprintf("%s-%d::1", detail.NamePrefix, i),
Description: "apiserver loopback certificate",
Copy link
Contributor

@wangke19 wangke19 Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The description is hardcoded as "apiserver loopback certificate". This limits the function's reusability. It would be better to add a Description field to the InMemoryCertDetail
struct to allow callers to provide context-specific descriptions.

Copy link
Contributor Author

@vrutkovs vrutkovs Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea

wangke19
wangke19 reviewed Sep 1, 2025
View reviewed changes
pkg/certs/cert-inspection/certgraphanalysis/collector.go
list = &certgraphapi.PKIList{}
}

if list.InMemoryResourceData.CertKeyPairs == nil {
Copy link
Contributor

@wangke19 wangke19 Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We checking for nil on list.InMemoryResourceData.CertKeyPairs but then initializing list.CertKeyPairs.Items. This might likely be:

if list.InMemoryResourceData.CertKeyPairs == nil {
     list.InMemoryResourceData.CertKeyPairs = []certgraphapi.PKIRegistryInMemoryCertKeyPair{}
 }
 // and separately
 if list.CertKeyPairs.Items == nil {
      list.CertKeyPairs.Items = []certgraphapi.CertKeyPair{}
 }

Copy link
Contributor Author

@vrutkovs vrutkovs Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great find

@wangke19
Copy link
Contributor

wangke19 commented Sep 1, 2025

Add Unit Tests

The new functionality, especially in collector.go and deduplication.go, is not covered by new tests.

Advice:

  • Create a new test file pkg/certs/cert-inspection/certgraphanalysis/collector_test.go.
  • Add a unit test for CreateInMemoryPKIList using a fake kubeClient to ensure it correctly generates CertKeyPair objects based on a list of pods.
  • Add a unit test for CombineCertInMemoryLocations in deduplication.go to verify that it correctly merges and de-duplicates pod locations.

@vrutkovs vrutkovs force-pushed the inmemory-certs branch 2 times, most recently from e240400 to 96400ee Compare September 1, 2025 09:35
@vrutkovs
cert-inspection: create stubs for in-memory certificates
68b8074 
We have no method to detect those, we have to create stub entries for every instance of apiserver
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 1, 2025

@vrutkovs: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@wangke19
Copy link
Contributor

wangke19 commented Sep 3, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 3, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vrutkovs, wangke19
Once this PR has been reviewed and has the lgtm label, please assign p0lyn0mial for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Copy link

openshift-bot commented Dec 2, 2025

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

1 more reviewer

@wangke19 wangke19 wangke19 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@wangke19 wangke19

Labels

jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vrutkovs @openshift-ci-robot @wangke19 @openshift-bot