CA Paths Fixes

[Neon-White]

This PR picks up where #1570 left off and adds minor finishing touches.

Summary by CodeRabbit

• New Features

  • Improved handling and validation of custom certificate bundles for application pods.
  • Enhanced configuration options for mounting and using CA bundles.

• Refactor

  • Updated naming and environment variable usage for certificate bundle paths.
  • Standardized mount paths for CA bundle volumes across the application.
  • Refined logic for combining and managing certificate authorities.
  • Renamed functions and constants to clarify certificate bundle management.

• Bug Fixes

  • Added validation to ensure CA bundle ConfigMaps are only mounted when containing valid data.

• Chores

  • Improved comments and logging for certificate handling.

[coderabbitai]

Walkthrough

The changes remove a deprecated constant, introduce new constants for certificate bundle file paths, rename a utility function for combining CA bundles, and update reconciler logic to use these new constants and functions. They improve checks for ConfigMap existence and data before mounting CA bundles, adjust mount paths, and enhance AWS SDK HTTP client configuration with a custom transport.

Changes

Cohort / File(s)	Change Summary
Options constant removal pkg/options/options.go	Removed the ServiceServingCertCAFile constant and its comment.
CA bundle mounting and environment updates pkg/system/phase2_creating.go, pkg/system/phase4_configuring.go	Enhanced ConfigMap existence checks to also verify data presence before mounting CA bundles; changed CA bundle mount path from .crt file to directory; added HTTP client with GlobalCARefreshingTransport and 10-second timeout to AWS SDK config in prepareAWSBackingStore.
Reconciler struct and logic updates pkg/system/reconciler.go	Added comment to ApplyCAsToPods field; changed ConfigMap name to fixed "ocp-injected-ca-bundle"; replaced call to AddToRootCAs with CombineCaBundle; updated CA bundle handling logic including unconditional assignment of ApplyCAsToPods; added detailed explanatory comment on CA handling.
Utility constants and function rename pkg/util/util.go	Added constants for CA bundle file paths; renamed AddToRootCAs to CombineCaBundle; updated logic to use new constants; clarified comments on HTTP transports; fixed typo in log message.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Reconciler
    participant Util
    participant KubeAPI

    User->>Reconciler: Trigger Reconcile()
    Reconciler->>Util: CombineCaBundle(ServiceServingCertCAFile)
    Util->>Util: Read system cert pool
    Util->>Util: Append InjectedBundleCertCAFile
    Util->>Util: Append ServiceServingCertCAFile
    Util->>Reconciler: Return success or error
    alt Success
        Reconciler->>Reconciler: Set ApplyCAsToPods = ServiceServingCertCAFile
    else Error (not file not found)
        Reconciler->>Reconciler: Log error with details, set requeue delay
        Reconciler->>Reconciler: Set ApplyCAsToPods = ServiceServingCertCAFile
    end
    Reconciler->>KubeAPI: Continue reconciliation logic

Loading

sequenceDiagram
    participant Controller
    participant KubeAPI
    participant Pod

    Controller->>KubeAPI: Check CaBundleConf ConfigMap
    alt ConfigMap exists and has data
        Controller->>Pod: Mount /etc/ocp-injected-ca-bundle volume
        Controller->>Pod: Set NODE_EXTRA_CA_CERTS env var to ApplyCAsToPods
    else
        Controller->>Pod: Skip CA bundle mount
    end
    Pod->>Pod: Use CA bundle for TLS connections

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 22464a2 and e1260ff.

📒 Files selected for processing (5)

• pkg/options/options.go (0 hunks)
• pkg/system/phase2_creating.go (3 hunks)
• pkg/system/phase4_configuring.go (4 hunks)
• pkg/system/reconciler.go (3 hunks)
• pkg/util/util.go (3 hunks)

💤 Files with no reviewable changes (1)

• pkg/options/options.go

🚧 Files skipped from review as they are similar to previous changes (4)

• pkg/system/phase2_creating.go
• pkg/system/reconciler.go
• pkg/util/util.go
• pkg/system/phase4_configuring.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-admission-test
• GitHub Check: run-operator-tests
• GitHub Check: cnpg-deployment-test
• GitHub Check: golangci-lint
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-cli-tests
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-kms-dev-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-hac-test

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (3)

pkg/system/phase2_creating.go (1)

474-485: 💡 Verification agent

🧩 Analysis chain

NODE_EXTRA_CA_CERTS is set unconditionally even when the path is empty

r.UserCertBundlePath is only initialised in Reconciler.Reconcile() when util.CombineCaBundle succeeds.
If CombineCaBundle returns an os.IsNotExist error (very common when the ocp-injected-ca-bundle ConfigMap is not mounted into the operator pod),
r.UserCertBundlePath stays the empty string but we still inject it into the pod as the value of NODE_EXTRA_CA_CERTS.

At runtime NodeJS treats an empty value as disable extra certs, not fall back to the system pool, so TLS failures against
service endpoints that present the service-serving CA are still possible.

case "NODE_EXTRA_CA_CERTS":
-    c.Env[j].Value = r.UserCertBundlePath
+    // Fall back to the service-serving CA when no user bundle is available
+    if r.UserCertBundlePath == "" {
+        c.Env[j].Value = util.ServiceServingCertCAFile
+    } else {
+        c.Env[j].Value = r.UserCertBundlePath
+    }

This guarantees the container always receives a usable CA file path even when no user bundle exists.

---

🏁 Script executed:

#!/bin/bash
set -e

echo "🔍 Searching for CombineCaBundle usage in pkg..."
rg -n "CombineCaBundle" -n pkg

echo -e "\n🔍 Searching for UserCertBundlePath declaration and assignments..."
rg -n "UserCertBundlePath" -n .

echo -e "\n🔍 Searching for ServiceServingCertCAFile definition..."
rg -n "ServiceServingCertCAFile" -n .

Length of output: 1595

---

🏁 Script executed:

#!/bin/bash
echo "🔍 Extracting lines 380-430 from pkg/system/reconciler.go for context"
sed -n '380,430p' pkg/system/reconciler.go

Length of output: 1919

---

🏁 Script executed:

#!/bin/bash
echo "🔍 Extracting lines 390-430 from pkg/system/phase4_configuring.go for NODE_EXTRA_CA_CERTS handling"
sed -n '390,430p' pkg/system/phase4_configuring.go

Length of output: 1523

---

🏁 Script executed:

#!/bin/bash
echo "🔍 Displaying CombineCaBundle implementation"
rg -n "func CombineCaBundle" -A20 -n pkg/util/util.go

Length of output: 748

---

Ensure NODE_EXTRA_CA_CERTS Always Points to a Valid CA Bundle

r.UserCertBundlePath remains empty whenever CombineCaBundle returns os.IsNotExist (e.g., no injected CA bundle), and we currently inject that empty string into NODE_EXTRA_CA_CERTS. Node.js treats an empty NODE_EXTRA_CA_CERTS as “disable extra certs,” not “use system CAs,” leading to TLS failures against service‐serving CAs.

Please update both places where NODE_EXTRA_CA_CERTS is set to fall back to util.ServiceServingCertCAFile when r.UserCertBundlePath is empty:

• pkg/system/phase2_creating.go (around line 478)
• pkg/system/phase4_configuring.go (around line 410)

Suggested diff for each:

 case "NODE_EXTRA_CA_CERTS":
-    c.Env[j].Value = r.UserCertBundlePath
+    if r.UserCertBundlePath == "" {
+        // Fallback to service-serving CA when no injected bundle is available
+        c.Env[j].Value = util.ServiceServingCertCAFile
+    } else {
+        c.Env[j].Value = r.UserCertBundlePath
+    }

This change guarantees every Node.js container receives a usable CA file path.

pkg/system/phase4_configuring.go (1)

510-533: ⚠️ Potential issue

Guard against missing ca-bundle.crt key to prevent pod startup failure

The volume mounts unconditionally reference ca-bundle.crt.
If the ConfigMap exists but happens to lack that key, the pod will fail to mount and remain in CrashLoopBackOff.

-// we want to check that the cm exists and also that it has data in it
-if util.KubeCheckQuiet(r.CaBundleConf) && len(r.CaBundleConf.Data) > 0 {
+// ensure CM exists *and* contains the expected key with non-empty content
+if util.KubeCheckQuiet(r.CaBundleConf) {
+    if crt, ok := r.CaBundleConf.Data["ca-bundle.crt"]; ok && len(crt) > 0 {

(The rest of the block stays the same.)

Failing fast here avoids introducing a hard-to-diagnose scheduling error at runtime.

pkg/util/util.go (1)

155-184: 🛠️ Refactor suggestion

CombineCaBundle should skip missing files and/or improve error wording

1. On a fresh cluster the injected bundle (/etc/ocp-injected-ca-bundle/ca-bundle.crt) may not exist. Returning an error aborts startup even though the file is optional.
2. The log message says "Successfully appended …" after the append attempt, regardless of the result of AppendCertsFromPEM (which could fail silently if the file is empty).

A resilient pattern:

  for _, certFile := range certFiles {
-    certs, err := os.ReadFile(certFile)
-    if err != nil {
-        return err
-    }
+    certs, err := os.ReadFile(certFile)
+    if os.IsNotExist(err) {
+        log.Infof("CA bundle %q not found – skipping", certFile)
+        continue
+    } else if err != nil {
+        return err
+    }
 
     // Append our cert to the system pool
-    if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+    if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
         log.Errorf("Failed to append %q to RootCAs", certFile)
         return fmt.Errorf("failed to append %q to RootCAs", certFile)
     }
 
-    // Trust the augmented cert pool in our client
-    log.Infof("Successfully appended %q to RootCAs", certFile)
+    log.Infof("Appended %q to RootCAs", certFile)
 }

This keeps the operator functional when only one of the files is present.

🧹 Nitpick comments (7)

pkg/system/phase2_creating.go (2)

660-670: Duplicated CA-bundle mounting logic

The identical util.KubeCheckQuiet(...) && len(...Data) > 0 stanza is repeated for both containers.
Extracting it into a helper would avoid divergence in future edits.

Not blocking, but worth considering.

---

704-723: Race-free merge of Volume definitions

util.MergeVolumeList is called after a conditional check that may be executed in two different
containers; if both branches add the same volume concurrently an unnecessary array scan occurs
each reconciliation loop.
Moving the pod-level volume addition to a single, outer block (once per pod) will save work and keep the spec deterministic.

Minor optimisation – no action required if low priority.

pkg/system/reconciler.go (1)

70-73: Field initialisation: consider a reliable default

UserCertBundlePath is only set later in Reconcile(). Initialising it here to
util.ServiceServingCertCAFile would avoid the empty-value edge-case noted in phase2_creating.go
and keeps the struct in a self-contained, safe state.

pkg/system/phase4_configuring.go (3)

417-417: Skip NODE_EXTRA_CA_CERTS when the bundle path is empty

c.Env[j].Value = r.UserCertBundlePath blindly populates the env-var even when UserCertBundlePath is an empty string.
For NodeJS, an empty value is still treated as “variable present”, which causes an attempted read of "" and emits noisy ENOENT warnings on every TLS handshake.

case "NODE_EXTRA_CA_CERTS":
-    c.Env[j].Value = r.UserCertBundlePath
+    if r.UserCertBundlePath != "" {
+        c.Env[j].Value = r.UserCertBundlePath
+    }

This keeps the container log clean and avoids surprising behaviour when the ConfigMap was intentionally omitted.

---

529-531: Avoid hard-coding mount paths

"/etc/ocp-injected-ca-bundle" is duplicated across several files. Consider exporting it once (e.g. util.CaBundleDir) and re-using the constant to keep the path in sync across the codebase.

-    MountPath: "/etc/ocp-injected-ca-bundle",
+    MountPath: util.CaBundleDir,

---

1412-1414: Prefer a secure default transport

Switching from the insecure transport to GlobalCARefreshingTransport only when UserCertBundlePath is set leaves the non-CA-bundle case using InsecureHTTPTransport, which skips certificate verification entirely.

If the intention is “use custom CAs when supplied, otherwise fall back to the system pool”, consider:

-client := &http.Client{
-    Transport: util.InsecureHTTPTransport,
+transport := util.GlobalCARefreshingTransport
+if r.UserCertBundlePath == "" {
+    transport = util.InsecureHTTPTransport
+}
+client := &http.Client{
+    Transport: transport,
     Timeout:   10 * time.Second,
 }

This reduces the attack surface while preserving current behaviour.

pkg/util/util.go (1)

132-140: Harden TLS configuration

Both transports omit an explicit minimum TLS version. Relying on Go defaults means a future change could silently lower the bar (e.g., server-side default is still TLS-1.0). Set it explicitly—TLS 1.2 for legacy compatibility or TLS 1.3 if you can.

-	TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	TLSClientConfig: &tls.Config{
+		InsecureSkipVerify: true,
+		MinVersion:         tls.VersionTLS12, // or tls.VersionTLS13 if legacy clients are irrelevant
+	},

Likewise for GlobalCARefreshingTransport.
[security]

🧰 Tools

🪛 ast-grep (0.38.1)

[warning] 133-133: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{InsecureSkipVerify: true}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

---

[warning] 138-138: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{InsecureSkipVerify: false}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4ecadab and 6d65e0c.

📒 Files selected for processing (5)

• pkg/options/options.go (0 hunks)
• pkg/system/phase2_creating.go (4 hunks)
• pkg/system/phase4_configuring.go (4 hunks)
• pkg/system/reconciler.go (3 hunks)
• pkg/util/util.go (4 hunks)

💤 Files with no reviewable changes (1)

• pkg/options/options.go

🧰 Additional context used

🧬 Code Graph Analysis (3)

pkg/system/phase2_creating.go (1)

pkg/util/util.go (1)

• KubeCheckQuiet (620-633)

pkg/system/phase4_configuring.go (1)

pkg/util/util.go (1)

• KubeCheckQuiet (620-633)

pkg/system/reconciler.go (1)

pkg/util/util.go (2)

• CombineCaBundle (156-185)
• ServiceServingCertCAFile (89-89)

🪛 ast-grep (0.38.1)

pkg/util/util.go

[warning] 133-133: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{InsecureSkipVerify: true}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

⏰ Context from checks skipped due to timeout of 90000ms (13)

• GitHub Check: run-core-config-map-tests
• GitHub Check: run-operator-tests
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: golangci-lint
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-hac-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-cli-tests
• GitHub Check: run-kms-tls-token-test
• GitHub Check: run-kms-dev-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-kmip-test

🔇 Additional comments (1)

pkg/system/phase2_creating.go (1)

576-586: Volume mount path changed to a directory – confirm the consuming code reads ${path}/ca-bundle.crt

Mounting the ConfigMap at /etc/ocp-injected-ca-bundle is fine, but make sure all consumers use the
/etc/ocp-injected-ca-bundle/ca-bundle.crt file path (not the directory itself).
util.CombineCaBundle does so via util.InjectedBundleCertCAFile; please double-check that constant matches the new layout.

No change requested – just a verification point.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/util/util.go (1)

94-95: CombinedCaBundlePath is still declared but not used

This constant remains unused as pointed out in the previous review. The CombineCaBundle function only modifies the in-memory GlobalCARefreshingTransport.TLSClientConfig.RootCAs and never writes to the file path specified by this constant.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d65e0c and 6e29f74.

📒 Files selected for processing (5)

• pkg/options/options.go (0 hunks)
• pkg/system/phase2_creating.go (4 hunks)
• pkg/system/phase4_configuring.go (4 hunks)
• pkg/system/reconciler.go (3 hunks)
• pkg/util/util.go (4 hunks)

💤 Files with no reviewable changes (1)

• pkg/options/options.go

✅ Files skipped from review due to trivial changes (1)

• pkg/system/phase2_creating.go

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/system/reconciler.go
• pkg/system/phase4_configuring.go

🧰 Additional context used

🪛 ast-grep (0.38.1)

pkg/util/util.go

[warning] 133-133: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{InsecureSkipVerify: true}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

⏰ Context from checks skipped due to timeout of 90000ms (12)

• GitHub Check: cnpg-deployment-test
• GitHub Check: auto-update
• GitHub Check: run-operator-tests
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-admission-test
• GitHub Check: run-cli-tests
• GitHub Check: run-core-config-map-tests
• GitHub Check: run-kms-dev-test
• GitHub Check: run-hac-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-kms-tls-token-test

🔇 Additional comments (2)

pkg/util/util.go (2)

156-156: Good function rename for clarity

The rename from AddToRootCAs to CombineCaBundle better describes the function's purpose of combining certificate bundles.

---

163-163: Excellent improvements in implementation

Two positive changes:

• Using the InjectedBundleCertCAFile constant improves maintainability
• Fixed the typo in the log message ("Successfuly" → "Successfully")

These changes align well with the PR's objective of standardizing CA path handling.

Also applies to: 181-181

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/util/util.go (1)

94-95: CombinedCaBundlePath constant remains unused

This constant was flagged in previous reviews and still appears to be unused in the codebase. Dead code should be removed to avoid confusion about the actual CA bundle handling.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29b27dc and d506daf.

📒 Files selected for processing (1)

• pkg/util/util.go (4 hunks)

🧰 Additional context used

🧠 Learnings (1)

pkg/util/util.go (1)

Learnt from: Neon-White
PR: noobaa/noobaa-operator#1636
File: pkg/backingstore/reconciler.go:718-724
Timestamp: 2025-06-25T15:28:44.080Z
Learning: In pkg/backingstore/reconciler.go, the switch refactor for S3Compatible.SignatureVersion and IBMCos.SignatureVersion maintains the same behavior as the original if-else if logic - when SignatureVersion is empty or unspecified, conn.AuthMethod is left unset. There was no default to V4 in the original code.

🪛 ast-grep (0.38.6)

pkg/util/util.go

[warning] 133-133: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{InsecureSkipVerify: true}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

---

[warning] 138-138: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{InsecureSkipVerify: true}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: cnpg-deployment-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-operator-tests
• GitHub Check: run-azure-vault-test
• GitHub Check: run-hac-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-core-config-map-tests
• GitHub Check: golangci-lint

🔇 Additional comments (3)

pkg/util/util.go (3)

155-156: Good function rename for clarity

The rename from AddToRootCAs to CombineCaBundle better reflects the function's purpose of combining CA bundles.

---

163-163: Good use of constant instead of hardcoded path

Replacing the hardcoded path with the InjectedBundleCertCAFile constant improves maintainability and centralization of CA paths.

---

181-181: Appropriate log level change

The change from Printf to Infof is appropriate for this informational message and maintains consistency with the logging framework.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

pkg/util/util.go (2)

88-96: CA path constants are well-defined.

The new constants provide clear, centralized definitions for CA file paths:

• ServiceServingCertCAFile for the default OpenShift service CA
• InjectedBundleCertCAFile for the additional injected CA bundle
• CombinedCaBundlePath for the combined CA bundle output

These constants improve maintainability and consistency across the codebase.

---

132-140: Comment improvements enhance code clarity.

The updated comments for InsecureHTTPTransport and GlobalCARefreshingTransport provide clearer descriptions of their certificate verification behavior.

🧹 Nitpick comments (2)

.github/workflows/update-noobaa-core-tag.yml (1)

44-51: Guard against empty commits

If another race condition (or a manual change) deletes the diff between the “Check for changes” step and the commit step, git commit will exit with status 1 (“nothing to commit”) and abort the workflow. Protect against that:

git add pkg/options/options.go
-git commit -m "chore: update noobaa-core image tag to ${{ github.event.inputs.container_image_tag }}"
+if ! git diff --cached --quiet; then
+  git commit -m "chore: update noobaa-core image tag to ${{ github.event.inputs.container_image_tag }}"
+else
+  echo "Nothing to commit, skipping push"
+  exit 0
+fi

.githooks/pre-commit (1)

18-25: Consider adjusting the linting strategy for staged files.

The current implementation has a potential issue where --new-from-rev="$BASE" might not lint only the staged files, but rather all changed files since the base revision. This could include unstaged changes or miss some staged changes.

Consider this alternative approach:

-# Run golangci-lint on staged files
-echo "Running golangci-lint on staged files..."
-BASE=$(git rev-parse --verify HEAD 2>/dev/null || echo "")
-if [ -z "$BASE" ]; then
-  golangci-lint run $STAGED_FILES   # initial commit – lint everything staged
-else
-  golangci-lint run --new-from-rev="$BASE"
-fi
+# Run golangci-lint on staged files
+echo "Running golangci-lint on staged files..."
+golangci-lint run $STAGED_FILES

This ensures that only the staged files are linted, regardless of whether it's an initial commit or not.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b9584f and 1ad169b.

📒 Files selected for processing (14)

• .githooks/pre-commit (1 hunks)
• .github/workflows/update-noobaa-core-tag.yml (1 hunks)
• Makefile (2 hunks)
• deploy/internal/statefulset-core.yaml (1 hunks)
• deploy/operator.yaml (1 hunks)
• pkg/bundle/deploy.go (4 hunks)
• pkg/options/options.go (0 hunks)
• pkg/system/phase2_creating.go (5 hunks)
• pkg/system/phase4_configuring.go (4 hunks)
• pkg/system/reconciler.go (3 hunks)
• pkg/util/kms/kms_kmip.go (1 hunks)
• pkg/util/kms/kms_kmip_storage.go (9 hunks)
• pkg/util/kms/kms_version.go (1 hunks)
• pkg/util/util.go (4 hunks)

💤 Files with no reviewable changes (1)

• pkg/options/options.go

✅ Files skipped from review due to trivial changes (1)

• pkg/util/kms/kms_kmip.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/system/phase4_configuring.go
• pkg/system/phase2_creating.go
• pkg/system/reconciler.go

🧰 Additional context used

🧠 Learnings (5)

deploy/operator.yaml (2)

Learnt from: Neon-White
PR: noobaa/noobaa-operator#1587
File: pkg/system/reconciler.go:287-291
Timestamp: 2025-07-14T10:59:21.959Z
Learning: NooBaa operator design constraint: Multiple NooBaa instances are not supported in the same namespace, only across different namespaces. This means hard-coded resource names like ConfigMaps are acceptable within a namespace scope.

Learnt from: naveenpaul1
PR: noobaa/noobaa-operator#1607
File: pkg/bundle/deploy.go:0-0
Timestamp: 2025-07-02T04:34:47.006Z
Learning: Default values for `METRICS_AUTH_ENABLED` and `VERSION_AUTH_ENABLED` are set up under `noobaa-config` in the NooBaa operator.

pkg/util/kms/kms_version.go (1)

Learnt from: Neon-White
PR: noobaa/noobaa-operator#1636
File: pkg/backingstore/reconciler.go:718-724
Timestamp: 2025-06-25T15:28:44.080Z
Learning: In pkg/backingstore/reconciler.go, the switch refactor for S3Compatible.SignatureVersion and IBMCos.SignatureVersion maintains the same behavior as the original if-else if logic - when SignatureVersion is empty or unspecified, conn.AuthMethod is left unset. There was no default to V4 in the original code.

.githooks/pre-commit (1)

Learnt from: Neon-White
PR: noobaa/noobaa-operator#1637
File: Makefile:193-203
Timestamp: 2025-06-25T15:42:04.436Z
Learning: golangci-lint v2.x versions output the version with a leading "v" prefix (e.g., "golangci-lint has version v2.1.6..."), while v1.x versions output without the "v" prefix (e.g., "golangci-lint has version 1.64.8..."). Version detection logic should account for the specific version format being targeted.

pkg/bundle/deploy.go (3)

undefined

<retrieved_learning>
Learnt from: Neon-White
PR: #1636
File: pkg/backingstore/reconciler.go:718-724
Timestamp: 2025-06-25T15:28:44.080Z
Learning: In pkg/backingstore/reconciler.go, the switch refactor for S3Compatible.SignatureVersion and IBMCos.SignatureVersion maintains the same behavior as the original if-else if logic - when SignatureVersion is empty or unspecified, conn.AuthMethod is left unset. There was no default to V4 in the original code.
</retrieved_learning>

<retrieved_learning>
Learnt from: Neon-White
PR: #1587
File: pkg/system/reconciler.go:287-291
Timestamp: 2025-07-14T10:59:21.959Z
Learning: NooBaa operator design constraint: Multiple NooBaa instances are not supported in the same namespace, only across different namespaces. This means hard-coded resource names like ConfigMaps are acceptable within a namespace scope.
</retrieved_learning>

<retrieved_learning>
Learnt from: naveenpaul1
PR: #1607
File: pkg/bundle/deploy.go:0-0
Timestamp: 2025-07-02T04:34:47.006Z
Learning: Default values for METRICS_AUTH_ENABLED and VERSION_AUTH_ENABLED are set up under noobaa-config in the NooBaa operator.
</retrieved_learning>

pkg/util/util.go (1)

Learnt from: Neon-White
PR: noobaa/noobaa-operator#1636
File: pkg/backingstore/reconciler.go:718-724
Timestamp: 2025-06-25T15:28:44.080Z
Learning: In pkg/backingstore/reconciler.go, the switch refactor for S3Compatible.SignatureVersion and IBMCos.SignatureVersion maintains the same behavior as the original if-else if logic - when SignatureVersion is empty or unspecified, conn.AuthMethod is left unset. There was no default to V4 in the original code.

🧬 Code Graph Analysis (1)

pkg/util/kms/kms_kmip_storage.go (3)

pkg/util/util.go (1)

• KubeCheck (571-592)

pkg/util/kms/kms_kmip.go (2)

• NewKMIPUniqueID (17-17)
• NewActiveKeyID (18-18)

pkg/util/kms/kms_version.go (1)

• ActiveRootKey (96-96)

🪛 ast-grep (0.38.6)

pkg/util/util.go

[warning] 133-133: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{InsecureSkipVerify: true}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)

• GitHub Check: run-cli-tests
• GitHub Check: run-core-config-map-tests
• GitHub Check: golangci-lint
• GitHub Check: run-operator-tests
• GitHub Check: cnpg-deployment-test
• GitHub Check: run-hac-test
• GitHub Check: run-kms-dev-test
• GitHub Check: run-admission-test
• GitHub Check: run-kms-kmip-test
• GitHub Check: run-kms-tls-sa-test
• GitHub Check: run-azure-vault-test
• GitHub Check: run-kms-key-rotate-test
• GitHub Check: run-kms-tls-token-test

🔇 Additional comments (15)

pkg/util/kms/kms_version.go (1)

141-141: LGTM!

The type conversion using toInterfaceMap is appropriate for passing to PutSecret.

Likely an incorrect or invalid review comment.

pkg/util/kms/kms_kmip_storage.go (5)

38-40: Good practice: Using a constant for cryptographic length.

Defining cryptographicLength = 256 as a constant improves maintainability and makes the expected key size explicit.

---

213-213: Improved error reporting with additional context.

Including ResultReason and ResultMessage provides valuable debugging information.

---

265-276: Well-implemented active key ID handling and validation.

The changes properly handle rotating secrets with active key IDs and add appropriate validation for cryptographic length. The error messages now include the secret name for better debugging.

Also applies to: 281-281, 319-321, 332-338

---

351-352: Correct implementation of rotating key storage pattern.

The changes properly handle the active key pattern and store necessary metadata in the secret for future retrieval.

Also applies to: 373-373, 397-398

---

419-419: Good defensive programming with pre-existence check.

Adding KubeCheck before accessing the secret and including the secret name in error messages improves robustness and debuggability.

Also applies to: 422-422

.github/workflows/update-noobaa-core-tag.yml (1)

65-75: gh pr checks --watch can hang indefinitely

If any check stalls or a required context never reports, this step will block for the full 90-minute timeout. Consider adding --interval + --wait parameters or your own timeout loop so the workflow fails fast and reports a clear cause.

Makefile (1)

122-122: LGTM! Good automation of Git hooks setup.

The changes properly automate the installation of Git hooks by:

• Making the gen target depend on install-hooks to ensure hooks are configured before code generation
• Adding proper checks to verify the directory is a Git repository
• Only setting the hooks path if it's not already configured to .githooks
• Using appropriate .PHONY marking for the target

This ensures the pre-commit hook will be automatically activated for developers.

Also applies to: 332-339

pkg/util/util.go (1)

155-185: Function renaming and logic improvements are good.

The renaming from AddToRootCAs to CombineCaBundle better reflects the function's purpose. The implementation correctly:

• Uses the new InjectedBundleCertCAFile constant instead of hardcoded paths
• Maintains the same logic for combining CA bundles
• Provides appropriate error handling and logging
• Updates the global CA pool for GlobalCARefreshingTransport

deploy/internal/statefulset-core.yaml (1)

55-58: Verify readiness probe change from HTTP GET to TCP socket

The readinessProbe in deploy/internal/statefulset-core.yaml was changed from an HTTP GET on /version to a simple TCP socket check on port 8080. This only confirms the port is open, not that the application is fully ready. Please confirm that:

• The core service no longer exposes or relies on an application-level endpoint at /version.
• A successful TCP connection on port 8080 reliably indicates the service is ready to handle traffic.
• This change aligns with your application’s startup and initialization behavior.

If any of these assumptions do not hold, consider restoring an HTTP-based probe against a lightweight readiness endpoint.

deploy/operator.yaml (1)

57-59: LGTM! Resource requests improve pod scheduling.

Adding resource requests alongside the existing limits is a good practice:

• CPU request of 100m (vs 250m limit) allows for reasonable baseline allocation
• Memory request of 256Mi (vs 512Mi limit) provides adequate guaranteed memory
• This helps the Kubernetes scheduler make better placement decisions
• Follows best practices for resource management in cluster environments

pkg/bundle/deploy.go (4)

6209-6211: Good addition of resource requests for better resource management.

Adding resource requests is a Kubernetes best practice that helps with:

• Proper pod scheduling based on available resources
• Quality of Service (QoS) class determination
• Resource planning and capacity management

The values (100m CPU, 256Mi memory) are reasonable and appropriately sized relative to the limits.

---

6151-6151: Verified: SHA256 checksum matches embedded operator YAML
The updated Sha256_deploy_operator_yaml constant (aa8da1c289a05b3c94b9393b04307d38814a67625ac6a8006dace4d09366f35b) matches the actual SHA256 hash of the File_deploy_operator_yaml content in pkg/bundle/deploy.go. No further action required.

---

5113-5116: Readiness probe change to TCP is consistent

I searched the codebase for other HTTP-based readinessProbe configurations and found none. The switch from an HTTP GET to a TCP socket probe on port 8080 in pkg/bundle/deploy.go (lines 5113–5116) appears intentional and does not leave any dangling HTTP probes that need coordination.

No further changes required.

---

5057-5057: Manual verification required for SHA256 checksum

I wasn’t able to automatically extract the embedded YAML block to compute its hash. Please confirm that the new
Sha256_deploy_internal_statefulset_core_yaml = "40aefcf8dbd77e40dfcbe3db3725b56a832c8a81c282c6ba4adc98ce8a65d470"
at pkg/bundle/deploy.go:5057 exactly matches the SHA-256 digest of the File_deploy_internal_statefulset_core_yaml content.

• File: pkg/bundle/deploy.go
• Line: 5057 (constant Sha256_deploy_internal_statefulset_core_yaml)