Implement OCP TLS profile compliance for cloud providers #2647
tpantelis wants to merge 5 commits into stolostron:main from
9c57030 to f9773d5
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
No actionable comments were generated in the recent review.
Walkthrough
Adds a TLS helper to derive TLS configs from the OpenShift APIServer TLSSecurityProfile and return configured HTTP clients; updates AWS/Azure/GCP/RHOS providers to reuse an event recorder and inject configured HTTP clients/transports; updates go.mod dependencies.
Sequence diagram:
sequenceDiagram
autonumber
participant Provider as Cloud Provider
participant Dynamic as Kubernetes DynamicClient
participant TLSPkg as pkg/cloud/tls
participant HTTP as http.Client
participant SDK as Cloud SDK Client
Provider->>Dynamic: GET apiserver.config.openshift.io/cluster
Dynamic-->>Provider: APIServer (unstructured)
Provider->>TLSPkg: GetConfigFromAPIServer(ctx, dynamicClient, reporter, insecure)
TLSPkg->>TLSPkg: convert -> derive tls.Config (versions, ciphers)
TLSPkg-->>HTTP: return configured *http.Client (Transport.TLSClientConfig)
Provider->>SDK: construct SDK client with provided HTTP client/transport
SDK-->>Provider: client uses configured TLS for outbound calls
Estimated code review effort: 4 (Complex), ~45 minutes
Pre-merge checks: 2 passed, 1 failed (warning)
Actionable comments posted: 2
⚠️ Outside diff range comments (1)
pkg/cloud/gcp/gcp.go (1)
Lines 50-53: Potential issue | Critical. Logic bug: `instanceType` assignment is inverted. The condition checks if `instanceType != ""` (non-empty) but then overwrites it with `gwInstanceType`. This should check for empty string to apply the default.
Proposed fix:
instanceType := info.GatewayConfig.GCP.InstanceType - if instanceType != "" { + if instanceType == "" { instanceType = gwInstanceType }🤖 Prompt for AI Agents
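Review bot: the corrected `if instanceType == ""` only falls back to `gwInstanceType` when no instance type was configured, which is the intended default; because this bug sits outside the PR's diff and predates it, add a unit test that sets `info.GatewayConfig.GCP.InstanceType` to a non-empty value and asserts it is preserved, so the inverted check cannot return unnoticed.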
Verify each finding against the current code and only fix it if needed. In `@pkg/cloud/gcp/gcp.go` around lines 50 - 53, The assignment for instanceType is inverted: currently it overwrites a non-empty info.GatewayConfig.GCP.InstanceType with gwInstanceType; change the conditional to check for an empty string (info.GatewayConfig.GCP.InstanceType == "" or instanceType == "") and only assign gwInstanceType when the original value is empty so that instanceType uses the provided config value when present and falls back to gwInstanceType when absent.
🧹 Nitpick comments (2)
pkg/cloud/tls/config_test.go (1)
Lines 77-79: Remove unused `ctx` parameter from `BeforeEach`. Several `BeforeEach` functions accept `ctx context.Context` but don't use it. This applies to lines 77, 92, 119, and 134.
Proposed fix for line 77:
- BeforeEach(func(ctx context.Context) { + BeforeEach(func() { apiServer.Spec.TLSSecurityProfile.Type = configv1.TLSProfileModernType })Similar changes needed for lines 92, 119, and 134.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/cloud/tls/config_test.go` around lines 77 - 79, Remove the unused ctx parameter from the test BeforeEach closures in pkg/cloud/tls/config_test.go: change the BeforeEach(func(ctx context.Context) { ... }) blocks to BeforeEach(func() { ... }) for each occurrence (the closures that set apiServer.Spec.TLSSecurityProfile.Type and the other three similar BeforeEach blocks), and ensure any inner code does not reference ctx; update the function signatures so they match the Ginkgo BeforeEach without parameters.
pkg/cloud/cloud.go (1)
Lines 48-64: Consider propagating context through the `ProviderFn` signature. All provider registrations use `context.TODO()` because the `ProviderFn` type doesn't accept a context. Since `Get()` is called during request handling (where a proper context exists), consider updating `ProviderFn` to accept `context.Context`:
type ProviderFn func(context.Context, *provider.Info) (Provider, error)
This would allow proper context propagation from the caller rather than using `context.TODO()`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/cloud/cloud.go` around lines 48 - 64, Update the ProviderFn signature to accept a context (change type ProviderFn to func(context.Context, *provider.Info) (Provider, error)), then update all RegisterProvider invocations (the AWS/GCP/OpenStack/Azure registrations) to pass the incoming context instead of using context.TODO(), update the implementation callers such as Get() to accept/forward a context when invoking ProviderFn, and ensure any provider constructors (e.g., aws.NewProvider, gcp.NewProvider, rhos.NewProvider, azure.NewProvider) calls match the new signature so context is properly propagated to Provider creation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/cloud/gcp/gcp.go`:
- Around line 157-158: Run gofumpt on the file to fix the formatting lint
failure for the newClient signature: reformat the function declaration for
newClient(ctx context.Context, dynamicClient dynamic.Interface, rep
submreporter.Interface, credentialsSecret *corev1.Secret) so parameter alignment
and spacing match gofumpt's rules (or run `gofumpt -w` on the file); ensure the
signature and surrounding braces/indentation conform to the formatter so the
linter error is resolved.
In `@pkg/cloud/rhos/rhos.go`:
- Around line 206-208: The code unsafely type-asserts
http.DefaultTransport.(*http.Transport) which can panic if DefaultTransport has
been replaced; change the block to perform a safe type assertion (t, ok :=
http.DefaultTransport.(*http.Transport)) and if ok use t.Clone(), otherwise
create a new &http.Transport{} as a fallback, then set TLSClientConfig =
tlsConfig and assign providerClient.HTTPClient = http.Client{Transport:
transport}; reference symbols: http.DefaultTransport, *http.Transport, Clone(),
tlsConfig, transport, providerClient.HTTPClient.
Files ignored due to path filters (1): go.sum is excluded by !**/*.sum
Files selected for processing (9): go.mod, pkg/cloud/aws/aws.go, pkg/cloud/azure/azure.go, pkg/cloud/cloud.go, pkg/cloud/gcp/gcp.go, pkg/cloud/rhos/rhos.go, pkg/cloud/tls/config.go, pkg/cloud/tls/config_test.go, pkg/cloud/tls/tls_suite_test.go
fdbd762 to 56c60ac
⚠️ Outside diff range comments (1)
pkg/cloud/rhos/rhos.go (1)
Lines 189-199: Potential issue | Major. Configure the RHOS transport before Keystone authentication.
Line 189 calls `openstack.AuthenticatedClient()`, which performs the initial Keystone authentication (version discovery and token request) before lines 194–199 create and assign the custom HTTP client. This means the first network operation uses the default transport, bypassing `cloud.Verify` and the cluster's TLS profile settings. Use `openstack.NewClient()` followed by assigning the configured HTTP client, then call `openstack.Authenticate()` to ensure the custom transport handles all authentication requests.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/cloud/rhos/rhos.go` around lines 189 - 199, The code currently calls openstack.AuthenticatedClient which performs Keystone auth before the custom transport is set, causing initial requests to bypass TLS settings; replace that flow by creating the client with openstack.NewClient, set providerClient.HTTPClient to the HTTP client returned by tls.GetConfiguredHTTPClient (honoring cloud.Verify / TLS profile), then call openstack.Authenticate to perform authentication using the configured transport. Locate and update usage of openstack.AuthenticatedClient, tls.GetConfiguredHTTPClient, providerClient.HTTPClient and switch to openstack.NewClient + openstack.Authenticate so all auth network calls use the custom transport.
✅ Files skipped from review due to trivial changes (1)
- pkg/cloud/gcp/gcp.go
🚧 Files skipped from review as they are similar to previous changes (5)
- pkg/cloud/cloud.go
- pkg/cloud/tls/tls_suite_test.go
- pkg/cloud/tls/config_test.go
- go.mod
- pkg/cloud/azure/azure.go
56c60ac to 2224a0b
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/cloud/tls/config.go`:
- Around line 51-65: The code can silently fall back to Go's default ciphers
when openshifttls.NewTLSConfigFromProfile filters out all pre-TLS1.3 suites:
after calling tlsConfigFunc(tlsConfig) check the profile/tls version intent and
the resulting tlsConfig.CipherSuites; if the requested MinVersion is < TLS1.3
(i.e. profile expects TLS1.0–1.2) and tlsConfig.CipherSuites is empty (or all
were listed in unsupportedCiphers), surface a hard failure via reporter.Error
(or return an error) instead of proceeding — use the returned unsupportedCiphers
slice and tlsConfig.CipherSuites to detect this condition and include
identifying context in the error message so the caller can fail fast rather than
silently using Go's defaults.
✅ Files skipped from review due to trivial changes (2)
- pkg/cloud/tls/tls_suite_test.go
- pkg/cloud/tls/config_test.go
🚧 Files skipped from review as they are similar to previous changes (4)
- pkg/cloud/cloud.go
- pkg/cloud/azure/azure.go
- go.mod
- pkg/cloud/gcp/gcp.go
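Worked example, added here and not taken from the PR or the stolostron code base. The walkthrough and sequence diagram at the top describe deriving a tls.Config from the APIServer TLSSecurityProfile and handing back a configured *http.Client, and the config.go comment above asks that a pre-1.3 profile whose cipher suites are all filtered out fail hard instead of quietly running on Go's defaults. The block below does both with the standard library only. Assumptions: the Profile struct stands in for the OpenShift configv1 types, the Intermediate and Modern cipher tables are transcribed from OpenShift's profile definitions (the Old profile is left out), and the OpenSSL-to-Go name map covers only the TLS 1.2 ECDHE suites Go implements; TLS 1.3 and DHE names are reported back as unsupported, since Go picks 1.3 suites itself and has no DHE suites.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
)

// Profile mirrors the shape of the APIServer spec.tlsSecurityProfile field
// (a type plus an optional custom block) without importing the OpenShift API types.
type Profile struct {
	Type          string   // "Intermediate", "Modern" or "Custom" ("Old" is omitted here)
	Ciphers       []string // OpenSSL-style names; only read when Type == "Custom"
	MinTLSVersion string   // "VersionTLS10" .. "VersionTLS13"; only read when Type == "Custom"
}

// Cipher lists transcribed from OpenShift's Intermediate and Modern profile tables.
var (
	intermediateCiphers = []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
		"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
		"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
	}
	modernCiphers = []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
)

// openSSLToGo maps OpenSSL names to Go cipher suite IDs. Only TLS 1.2 ECDHE suites
// appear: Go chooses TLS 1.3 suites itself and implements no DHE suites, so those
// names are returned in the unsupported list instead of being silently dropped.
var openSSLToGo = map[string]uint16{
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	"ECDHE-RSA-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}

var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// ConfigFromProfile derives a tls.Config from the profile. It returns the names Go
// could not honour and fails hard when a pre-1.3 profile would leave CipherSuites
// empty, because Go would then negotiate from its own default list instead.
func ConfigFromProfile(p Profile, insecureSkipVerify bool) (*tls.Config, []string, error) {
	var names []string
	var minVersion uint16
	switch p.Type {
	case "Intermediate":
		names, minVersion = intermediateCiphers, tls.VersionTLS12
	case "Modern":
		names, minVersion = modernCiphers, tls.VersionTLS13
	case "Custom":
		v, ok := tlsVersions[p.MinTLSVersion]
		if !ok {
			return nil, nil, fmt.Errorf("unknown minTLSVersion %q", p.MinTLSVersion)
		}
		names, minVersion = p.Ciphers, v
	default:
		return nil, nil, fmt.Errorf("unsupported profile type %q", p.Type)
	}
	var suites []uint16
	var unsupported []string
	for _, n := range names {
		if id, ok := openSSLToGo[n]; ok {
			suites = append(suites, id)
		} else {
			unsupported = append(unsupported, n)
		}
	}
	if minVersion < tls.VersionTLS13 && len(suites) == 0 {
		return nil, unsupported, errors.New("profile allows TLS < 1.3 but none of its cipher suites are supported by Go; refusing to fall back to Go defaults")
	}
	return &tls.Config{MinVersion: minVersion, CipherSuites: suites, InsecureSkipVerify: insecureSkipVerify}, unsupported, nil
}

// NewHTTPClient clones http.DefaultTransport (or starts from a fresh Transport if it
// was replaced by something else) and installs the derived TLS config.
func NewHTTPClient(p Profile, insecureSkipVerify bool) (*http.Client, []string, error) {
	cfg, unsupported, err := ConfigFromProfile(p, insecureSkipVerify)
	if err != nil {
		return nil, unsupported, err
	}
	transport := &http.Transport{}
	if t, ok := http.DefaultTransport.(*http.Transport); ok {
		transport = t.Clone()
	}
	transport.TLSClientConfig = cfg
	return &http.Client{Transport: transport}, unsupported, nil
}

func main() {
	for _, p := range []Profile{
		{Type: "Intermediate"},
		{Type: "Modern"},
		{Type: "Custom", MinTLSVersion: "VersionTLS12", Ciphers: []string{"DHE-RSA-AES128-GCM-SHA256"}},
	} {
		client, unsupported, err := NewHTTPClient(p, false)
		if err != nil {
			fmt.Printf("%-12s rejected: %v\n", p.Type, err)
			continue
		}
		cfg := client.Transport.(*http.Transport).TLSClientConfig
		fmt.Printf("%-12s min=0x%04x suites=%d unsupported=%v\n", p.Type, cfg.MinVersion, len(cfg.CipherSuites), unsupported)
	}
}
```

The Modern case legitimately ends with an empty CipherSuites slice: with MinVersion 1.3 that is harmless, because Go ignores CipherSuites for 1.3 and there is no 1.2 handshake to fall back to. The Custom case shows the condition the config.go comment is about: a profile that permits TLS 1.2 but lists only suites Go does not implement would otherwise hand the SDK an http.Client that negotiates with Go's defaults rather than the cluster's policy.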
Add TLS profile fetching from the OpenShift API Server and apply it to the RHOS cloud provider's HTTP client to ensure compliance with cluster TLS security policies.
Implementation:
- Created pkg/cloud/tls package to fetch TLS profiles from apiserver.config.openshift.io/cluster
- Uses controller-runtime-common/pkg/tls for profile spec extraction and conversion
- Respects InsecureSkipVerify from clouds.yaml while applying TLS restrictions
- Updated RHOS provider to use TLS helper instead of hardcoded InsecureSkipVerify
- Added comprehensive unit tests covering all profile types
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Apply cluster TLS profile to AWS SDK HTTP client to ensure compliance with OCP TLS profile requirements.
Implementation:
- Reuse existing pkg/cloud/tls package to fetch the TLS profile from the API server
- Create HTTP client with cluster TLS configuration
- Pass custom HTTP client to AWS SDK via config.WithHTTPClient()
The AWS SDK v2 accepts custom HTTP clients via LoadOptions, allowing us to inject the cluster TLS profile without modifying the cloud-prepare library.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
...and avoid gocyclo linter error. Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
2224a0b to 40547ac
/override ci/prow/sonarcloud
@tpantelis: Overrode contexts on behalf of tpantelis: ci/prow/sonarcloud
⚠️ Outside diff range comments (2)
pkg/cloud/gcp/gcp.go (1)
Lines 156-180: Potential issue | Critical. The current implementation will fail all GCP API calls with 401 authentication errors at runtime.
`tls.GetConfiguredHTTPClient()` returns a bare *http.Client with TLS settings only, no authentication. Per official google.golang.org/api documentation, `option.WithHTTPClient` takes precedence and causes `option.WithCredentials(creds)` to be ignored entirely. The service account credentials are dropped, leaving only the TLS-configured client with no auth capability. To fix this, create the TLS client first, then wrap its transport with `oauth2.Transport` to apply authentication while preserving TLS settings, and pass only the wrapped client via `option.WithHTTPClient` (remove `option.WithCredentials`).
Suggested fix:
- creds, err := google.CredentialsFromJSONWithType(ctx, authJSON, google.ServiceAccount, dns.CloudPlatformScope) - if err != nil { - return "", nil, errors.Wrap(err, "error retrieving credentials") - } - - httpClient, err := tls.GetConfiguredHTTPClient(ctx, dynamicClient, rep, false) + baseHTTPClient, err := tls.GetConfiguredHTTPClient(ctx, dynamicClient, rep, false) if err != nil { return "", nil, errors.Wrap(err, "unable to create HTTP client") } + + oauthCtx := context.WithValue(ctx, oauth2.HTTPClient, baseHTTPClient) + creds, err := google.CredentialsFromJSONWithType(oauthCtx, authJSON, google.ServiceAccount, dns.CloudPlatformScope) + if err != nil { + return "", nil, errors.Wrap(err, "error retrieving credentials") + } + + httpClient := *baseHTTPClient + httpClient.Transport = &oauth2.Transport{ + Base: baseHTTPClient.Transport, + Source: creds.TokenSource, + } // Create a GCP client with the credentials and custom HTTP client. computeClient, err := gcpclient.NewClient(ctx, creds.ProjectID, []option.ClientOption{ - option.WithCredentials(creds), - option.WithHTTPClient(httpClient), + option.WithHTTPClient(&httpClient), })Add
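Review bot: `google.Credentials.TokenSource` is a field of type `oauth2.TokenSource`, so `Source: creds.TokenSource` as written in the hunk is the correct form, whereas the `creds.TokenSource(ctx)` call in the agent prompt that follows would not compile. Keep the `context.WithValue(ctx, oauth2.HTTPClient, baseHTTPClient)` line as well: the `oauth2` package reads that key when it fetches tokens, so it is what puts the token exchange itself behind the profile-derived transport rather than only the API calls.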
Add `"golang.org/x/oauth2"` to imports.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/cloud/gcp/gcp.go` around lines 156 - 180, The GCP client is losing authentication because option.WithHTTPClient overrides option.WithCredentials; in newClient, call tls.GetConfiguredHTTPClient first to get httpClient, then wrap its Transport with an oauth2.Transport using creds.TokenSource(ctx) (ensure you import "golang.org/x/oauth2"), set httpClient.Transport = &oauth2.Transport{Source: creds.TokenSource(ctx), Base: httpClient.Transport}, and then call gcpclient.NewClient with only option.WithHTTPClient(httpClient) (remove option.WithCredentials). This preserves TLS config from tls.GetConfiguredHTTPClient while applying the service account auth from creds.
pkg/cloud/azure/azure.go (1)
Lines 62-89: Potential issue | Major. Wire the TLS transport into Azure auth as well.
This only applies the custom client to ARM requests. `azidentity.NewEnvironmentCredential(nil)` still builds its own pipeline for AAD token acquisition, so the auth path won't honor the cluster TLS profile. Create the credential after `httpClient` and pass the same transport via `EnvironmentCredentialOptions`.
Possible fix:
- credentials, err := azidentity.NewEnvironmentCredential(nil) - if err != nil { - return nil, errors.Wrap(err, "unable to create the Azure credentials") - } - rep := reporter.NewEventRecorderWrapper("AzureCloudProvider", info.EventRecorder) httpClient, err := tls.GetConfiguredHTTPClient(ctx, info.DynamicClient, rep, false) if err != nil { return nil, errors.Wrap(err, "unable to create HTTP client") } + + credentials, err := azidentity.NewEnvironmentCredential(&azidentity.EnvironmentCredentialOptions{ + ClientOptions: policy.ClientOptions{ + Transport: httpClient, + }, + }) + if err != nil { + return nil, errors.Wrap(err, "unable to create the Azure credentials") + }🤖 Prompt for AI Agents
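Review bot: `policy.ClientOptions.Transport` is the `policy.Transporter` interface, a single `Do(*http.Request) (*http.Response, error)` method that `*http.Client` already satisfies, so handing `httpClient` over directly as the hunk does is fine; the file will need the `github.com/Azure/azure-sdk-for-go/sdk/azcore/policy` import if it does not already have it, and the ARM client options should point at the same `httpClient` so token acquisition and resource calls share one TLS configuration instead of two.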
Verify each finding against the current code and only fix it if needed. In `@pkg/cloud/azure/azure.go` around lines 62 - 89, The credential is being created before wiring the custom TLS HTTP transport so azidentity.NewEnvironmentCredential(nil) will not honor the cluster TLS profile; move creation of the credential to after tls.GetConfiguredHTTPClient(...) and call azidentity.NewEnvironmentCredential with an EnvironmentCredentialOptions that injects the same httpClient/transport you got from tls.GetConfiguredHTTPClient (so TokenCredential in azure.CloudInfo uses the custom transport). Update references to azidentity.NewEnvironmentCredential, tls.GetConfiguredHTTPClient, the credentials variable, and azure.CloudInfo.TokenCredential accordingly.
✅ Files skipped from review due to trivial changes (1)
- pkg/cloud/tls/config_test.go
🚧 Files skipped from review as they are similar to previous changes (4)
- pkg/cloud/cloud.go
- pkg/cloud/tls/tls_suite_test.go
- go.mod
- pkg/cloud/rhos/rhos.go
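Added example, not code from the PR or from the cloud SDKs. The RHOS finding (Keystone authentication running before the custom transport is assigned) and the GCP and Azure findings (credential pipelines that carry their own transport) are one problem: any request that does not pass through the profile-derived transport is not bound by the profile. The block below shows the ordering that fixes it, a bearer-token RoundTripper layered on top of a TLS-configured transport, against a constructed httptest endpoint that only speaks TLS 1.2. A client wired in the right order refuses that endpoint under a Modern (TLS 1.3 minimum) profile; a client whose auth layer brings its own transport connects happily, which is the bypass the findings describe. bearerTransport, NaiveClient and the token value are assumptions for the demonstration, not the SDKs' real credential types.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed token for the fake endpoint; nothing here talks to a real cloud.
const token = "constructed-test-token"

// bearerTransport adds the bearer token and delegates to Base, so whatever TLS
// settings Base carries apply to every authenticated request.
type bearerTransport struct {
	Base  http.RoundTripper
	Token string
}

func (b *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+b.Token)
	return b.Base.RoundTrip(r)
}

// transportWith clones http.DefaultTransport when it still is an *http.Transport
// (a safe assertion, as the rhos.go review asks for) and installs cfg on the clone.
func transportWith(cfg *tls.Config) *http.Transport {
	t, ok := http.DefaultTransport.(*http.Transport)
	if ok {
		t = t.Clone()
	} else {
		t = &http.Transport{}
	}
	t.TLSClientConfig = cfg
	return t
}

// LayeredClient is the correct order: profile-derived TLS first, auth wrapped on top.
func LayeredClient(profile *tls.Config, tok string) *http.Client {
	return &http.Client{Transport: &bearerTransport{Base: transportWith(profile), Token: tok}}
}

// NaiveClient stands in for an SDK auth pipeline built on its own transport: it trusts
// the right roots but never sees the profile's version and cipher limits.
func NaiveClient(roots *x509.CertPool, tok string) *http.Client {
	return &http.Client{Transport: &bearerTransport{Base: transportWith(&tls.Config{RootCAs: roots}), Token: tok}}
}

// StartServer runs a TLS 1.2-only endpoint that requires the bearer token; it plays a
// cloud API that does not meet a Modern (TLS 1.3 minimum) profile.
func StartServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "tls=%04x", r.TLS.Version)
	}))
	srv.TLS = &tls.Config{MaxVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// Roots returns a pool trusting only the test server's self-signed certificate.
func Roots(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

// Call performs a GET and reports either the transport error or the HTTP status.
func Call(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := StartServer()
	defer srv.Close()
	roots := Roots(srv)
	modern := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: roots}
	intermediate := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots}
	for name, c := range map[string]*http.Client{
		"layered/modern":       LayeredClient(modern, token),
		"layered/bad-token":    LayeredClient(intermediate, "wrong"),
		"naive/own-transport":  NaiveClient(roots, token),
	} {
		status, err := Call(c, srv.URL)
		fmt.Printf("%-22s status=%d err=%v\n", name, status, err)
	}
}
```

The layered client under the Modern profile fails at the handshake, before any Authorization header is sent; the naive client authenticates and gets a 200 over TLS 1.2, which is exactly the outcome the cluster profile was meant to rule out. For the real SDKs the same shape applies: build the profile-derived transport first, then give that same transport to the credential (oauth2.Transport for GCP, EnvironmentCredentialOptions for Azure, providerClient.HTTPClient before openstack.Authenticate for RHOS), never the other way round.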
Apply cluster TLS profile to GCP SDK HTTP client to ensure compliance with OCP TLS profile requirements.
Implementation:
- Reuse existing pkg/cloud/tls package to fetch the TLS profile from the API server
- Create HTTP client with cluster TLS configuration
- Pass custom HTTP client to GCP SDK via option.WithHTTPClient()
The GCP SDK accepts custom HTTP clients via ClientOption, allowing us to inject the cluster TLS profile without modifying the cloud-prepare library.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Apply cluster TLS profile to Azure SDK HTTP client to ensure compliance with OCP TLS profile requirements.
Implementation:
- Reuse existing pkg/cloud/tls package to fetch the TLS profile from the API server
- Create HTTP client with cluster TLS configuration
- Pass custom HTTP client to Azure SDK via ClientOptions.Transport
The Azure SDK accepts custom HTTP clients via policy.ClientOptions, allowing us to inject the cluster TLS profile without modifying the cloud-prepare library.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
40547ac to 2ac06bb
/override ci/prow/sonarcloud
@tpantelis: Overrode contexts on behalf of tpantelis: ci/prow/sonarcloud
/cc @aswinsuryan
Changes look good, but we will need to test this in each provider once this goes in.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: aswinsuryan
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/cc @vthapar
Add TLS profile fetching from the OpenShift API Server and apply it to each cloud provider's HTTP client (AWS, Azure, GCP and RHOS) to ensure compliance with cluster TLS security policies.
See commits for details.
Related to https://redhat.atlassian.net/browse/ACM-30182