CNTRLPLANE-2847: Support PKI customization

[rh-roman]

Add support for ConfigurablePKI in both operational and installer paths:

• Thread PKIProfileProvider through EtcdCertSignerController for runtime certificate rotation, reading configuration from cluster PKI CR
• Add getPKIProfileProvider in render command to extract PKI config from install-config for bootstrap certificate generation

Switch createCertForNode from ServingRotation with a manual CertificateExtensionFn to PeerRotation, which handles dual ClientAuth+ServerAuth ExtKeyUsages internally. PeerRotation also enables proper PKI profile resolution using CertificateTypePeer (stronger of serving and client key configs).

When ConfigurablePKI is disabled or unconfigured, falls back to library-go defaults.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Feature-gated configurable PKI was added: install-config PKI extraction, a pkiProfile provider threaded through render functions, and PKIProfileProvider plumbing into the etcd cert signer controller and certificate creation. go.mod updated dependency versions for openshift/api and library-go.

Changes

Cohort / File(s)	Summary
Dependency Management go.mod	Bumped direct versions for github.com/openshift/api and github.com/openshift/library-go (pseudo-versions updated); no other require/replace edits.
Render Certificate Functions pkg/cmd/render/certs.go, pkg/cmd/render/certs_test.go	createCertSecrets and createBootstrapCertSecrets signatures now accept pki.PKIProfileProvider and forward it into etcd cert signer construction; tests updated to include FeatureGateConfigurablePKI in disabled set and call new arity (passing nil).
Render Configuration & PKI extraction pkg/cmd/render/render.go	Added getPKIProfileProvider(installConfig) to parse install-config["pki"] into a PKI profile (supports RSA and ECDSA mapping), newTemplateData conditionally obtains the provider when FeatureGateConfigurablePKI is enabled and passes it to bootstrap cert creation.
Etcd Cert Signer Controller pkg/operator/etcdcertsigner/etcdcertsignercontroller.go, ..._test.go	EtcdCertSignerController gains pkiProfileProvider field; NewEtcdCertSignerController signature accepts a pki.PKIProfileProvider plus variadic additional informers. Certificates created by the controller now carry CertificateName and PKIProfileProvider. Tests updated to pass nil provider and adjust disabled gates.
Operator Initialization pkg/operator/starter.go	Operator startup re-reads feature gates and, when ConfigurablePKI is enabled, constructs a cluster PKI provider and includes PKI informers; passes pkiProfileProvider and additionalInformers... into NewEtcdCertSignerController.
TLS Helpers & Tests pkg/tlshelpers/tlshelpers.go, pkg/tlshelpers/target_cert_creator_test.go	Test helper NewCertificate signature extended to accept a crypto.KeyPairGenerator; test stub implements CertificateType(); createCertForNode now uses certrotation.PeerRotation, removes custom ExtKeyUsage override, and sets UserInfo for certificate creator.
Render Tests / PKI unit tests pkg/cmd/render/render_test.go	Added fixture and tests validating custom PKI (ECDSA P-521) flows and unit tests for getPKIProfileProvider behavior (defaults, RSA/ECDSA mapping, and invalid configs).

Sequence Diagrams

sequenceDiagram
    participant Renderer as Render (newTemplateData)
    participant InstallConfig as Install Config
    participant PKIExtractor as getPKIProfileProvider
    participant Bootstrap as createBootstrapCertSecrets
    participant StaticProvider as NewStaticPKIProfileProvider
    participant CertCreator as EtcdCertSignerController / Cert Configs

    Renderer->>InstallConfig: check FeatureGateConfigurablePKI
    alt enabled
        Renderer->>PKIExtractor: extract PKI profile from install-config
        PKIExtractor-->>Renderer: pkiProfileProvider (static)
    else disabled
        Renderer->>Renderer: pkiProfileProvider = nil
    end
    Renderer->>Bootstrap: call createBootstrapCertSecrets(..., pkiProfileProvider)
    alt pkiProfileProvider non-nil
        Bootstrap->>StaticProvider: wrap profile into provider
        StaticProvider-->>CertCreator: supply PKIProfileProvider for cert configs
    else nil
        Bootstrap->>CertCreator: create cert configs without static provider
    end
    CertCreator-->>Bootstrap: secrets & configmaps

Loading

sequenceDiagram
    participant Starter as Operator Starter
    participant FeatureGate as FeatureGate sync
    participant StarterLogic as starter.RunOperator
    participant ControllerCtor as NewEtcdCertSignerController
    participant ConfigInformer as PKI Config Informer
    participant Controller as EtcdCertSignerController

    Starter->>FeatureGate: ensure initial feature gates
    Starter->>FeatureGate: re-read current gates
    FeatureGate-->>StarterLogic: FeatureGateConfigurablePKI enabled?
    alt enabled
        StarterLogic->>ConfigInformer: obtain PKIs lister/informer
        StarterLogic->>ControllerCtor: pass cluster PKI provider, additional informers
    else disabled
        StarterLogic->>ControllerCtor: pass nil provider, no additional informers
    end
    ControllerCtor-->>Controller: Controller constructed with pkiProfileProvider
    Controller->>Controller: build cert configs with PKIProfileProvider metadata

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 21.05% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Tests lack meaningful failure messages and mix success/error cases in single table-driven test, violating single responsibility principle.	Improve assertion messages with specific context and split Test_getPKIProfileProvider into separate success and error scenario tests.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names are static and deterministic. Test functions use descriptive names like TestTemplateDataWithCustomPKI and Test_getPKIProfileProvider. Subtests use static names from predefined maps without dynamic values.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests found; changes contain only standard Go unit tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only standard Go unit tests, not Ginkgo e2e tests, so custom check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies certificate signing and PKI profile configuration without introducing Pod/Deployment manifests, affinity rules, nodeSelectors, tolerations, or scheduling constraints incompatible with SNO, Two-Node, TNA, or HyperShift topologies.
Ote Binary Stdout Contract	✅ Passed	getPKIProfileProvider uses unchecked type assertions that could panic, but these occur only within non-process-level function calls during template data generation, not at startup.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR modifies only standard Go unit tests in pkg/ directory; no Ginkgo e2e tests are added or modified.
Title check	✅ Passed	The title accurately summarizes the main change: adding support for PKI customization throughout the codebase, which is the primary objective reflected in all modified files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 163: Remove the personal fork replace directive in go.mod that maps
github.com/openshift/library-go to github.com/sanchezl/library-go (the replace
line shown in the diff); either revert that replace to the upstream
github.com/openshift/library-go at the intended commit or remove the replace
entirely and add a comment/PR note documenting and justifying the fork if it is
truly required for this change, then run `go mod tidy` to ensure module graph is
consistent (look for the replace entry in go.mod to edit and verify with go
tooling).

In `@pkg/cmd/render/render.go`:
- Around line 834-869: getPKIConfig currently only unmarshals signerCertificates
into a localPKI struct from pkiJSON, causing valid non-signer PKI sections to be
ignored and an empty algorithm to trigger an unsupported-algorithm error; fix by
unmarshalling the entire PKI profile (into the appropriate
configv1alpha1.PKIProfile or a full local struct matching all pki fields) from
pkiJSON instead of the narrow signer-only struct, then merge/override only the
provided fields onto pki.DefaultPKIProfile() (e.g., replace
profile.SignerCertificates, profile.ServingCertificates,
profile.ClientCertificates, profile.PeerCertificates, profile.Defaults when
present) and avoid treating an absent signer algorithm as an error.

In `@pkg/tlshelpers/tlshelpers.go`:
- Around line 242-248: createCertForNode currently constructs
certrotation.PeerRotation for all certificate types, causing CertificateType()
to always return peer and making ConfigurablePKI resolve serving certs against
the peer profile; update createCertForNode to choose the rotation type based on
the requested certificate: when invoked for CreatePeerCertificate keep using
certrotation.PeerRotation, but for CreateServingCertificate and
CreateMetricsServingCertificate instantiate certrotation.ServingRotation (or
branch to return ServingRotation for serving/metrics types) so CertificateType()
returns the correct serving type and PKI profile resolution works as intended;
reference the functions createCertForNode, CreatePeerCertificate,
CreateServingCertificate, CreateMetricsServingCertificate and the types
certrotation.PeerRotation / certrotation.ServingRotation when making the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e4f8108b-e324-4e18-a890-c34cab4f0a37

📥 Commits

Reviewing files that changed from the base of the PR and between 3698b93 and 3291755.

⛔ Files ignored due to path filters (14)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (9)

• go.mod
• pkg/cmd/render/certs.go
• pkg/cmd/render/certs_test.go
• pkg/cmd/render/render.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
• pkg/operator/starter.go
• pkg/tlshelpers/target_cert_creator_test.go
• pkg/tlshelpers/tlshelpers.go

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

pkg/cmd/render/render.go (1)

834-869: ⚠️ Potential issue | 🟠 Major

Parse the full PKI profile instead of only signerCertificates.

This still drops valid pki.defaults, pki.servingCertificates, and pki.clientCertificates input, and it still errors when those sections are present without an explicit signerCertificates.key.algorithm. Bootstrap rendering will ignore part of the requested PKI profile.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cmd/render/render.go` around lines 834 - 869, Unmarshal the entire PKI
profile instead of the ad-hoc localPKI so we don't drop pki.defaults,
pki.servingCertificates, or pki.clientCertificates; change the json.Unmarshal
target from the localPKI struct to the canonical configv1alpha1.PKIProfile (or a
struct matching its JSON), then convert that unmarshaled PKI into the
pki.Profile returned by this function: preserve pki.defaults,
servingCertificates, and clientCertificates fields, and construct
profile.SignerCertificates from the PKIProfile.SignerCertificates.Key
(detect/validate algorithm and map RSA/ECDSA fields to configv1alpha1.KeyConfig
as you already do), but if signerCertificates.key.algorithm is missing, do not
error—use the default signer key from pki.DefaultPKIProfile() or otherwise
derive a safe default before returning.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cmd/render/render.go`:
- Around line 823-827: When FeatureGateConfigurablePKI is enabled and
installConfig omits "pki", don't return nil; instead return the cluster default
PKI profile so bootstrap behavior matches in-cluster ListerPKIProfileProvider.
In the block where pkiData, found := installConfig["pki"] is checked, detect the
gate (FeatureGateConfigurablePKI) and return pki.DefaultPKIProfile() (or
equivalent default profile object) rather than nil; this ensures
createCertSecrets sees a non-nil pkiProfile (so it will create a
StaticPKIProfileProvider) and matches the
ListerPKIProfileProvider/DefaultPKIProfile behavior. Ensure the change
references the same symbols: FeatureGateConfigurablePKI, pki.DefaultPKIProfile,
createCertSecrets, and StaticPKIProfileProvider.

In `@pkg/operator/etcdcertsigner/etcdcertsignercontroller.go`:
- Around line 171-179: The PKI lister-backed provider created via
pki.NewClusterPKIProfileProvider(configInformer.Config().V1alpha1().PKIs().Lister())
is used without registering its informer, so the controller may start before the
PKI cache is synced and PKI changes won't trigger reconciliation; fix this by
adding the corresponding informer
(configInformer.Config().V1alpha1().PKIs().Informer()) to the controller's
WithInformers(...) call so the factory waits for the PKI informer sync and PKI
resource events will drive reconciliations.

---

Duplicate comments:
In `@pkg/cmd/render/render.go`:
- Around line 834-869: Unmarshal the entire PKI profile instead of the ad-hoc
localPKI so we don't drop pki.defaults, pki.servingCertificates, or
pki.clientCertificates; change the json.Unmarshal target from the localPKI
struct to the canonical configv1alpha1.PKIProfile (or a struct matching its
JSON), then convert that unmarshaled PKI into the pki.Profile returned by this
function: preserve pki.defaults, servingCertificates, and clientCertificates
fields, and construct profile.SignerCertificates from the
PKIProfile.SignerCertificates.Key (detect/validate algorithm and map RSA/ECDSA
fields to configv1alpha1.KeyConfig as you already do), but if
signerCertificates.key.algorithm is missing, do not error—use the default signer
key from pki.DefaultPKIProfile() or otherwise derive a safe default before
returning.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 534d2019-f67f-4645-a4e7-f47d937d9821

📥 Commits

Reviewing files that changed from the base of the PR and between 3291755 and bb43ee0.

📒 Files selected for processing (6)

• pkg/cmd/render/certs.go
• pkg/cmd/render/certs_test.go
• pkg/cmd/render/render.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
• pkg/operator/starter.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
• pkg/operator/starter.go
• pkg/cmd/render/certs_test.go

[coderabbitai]

♻️ Duplicate comments (3)

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go (1)

171-179: ⚠️ Potential issue | 🟠 Major

Register the PKI informer when you use the lister-backed provider.

NewClusterPKIProfileProvider(configInformer.Config().V1alpha1().PKIs().Lister()) depends on the PKI informer cache, but WithInformers() never includes PKIs().Informer(). That makes the first sync race cache warm-up, and PKI CR changes only show up on the 1-minute resync. Please append the PKI informer conditionally in the cluster-backed path.

#!/bin/bash
set -euo pipefail

sed -n '171,245p' pkg/operator/etcdcertsigner/etcdcertsignercontroller.go
rg -n -C2 'PKIs\(\)\.(Lister|Informer)\(' pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

Also applies to: 236-243

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/etcdcertsigner/etcdcertsignercontroller.go` around lines 171 -
179, The PKI lister-backed provider is being created via
NewClusterPKIProfileProvider(configInformer.Config().V1alpha1().PKIs().Lister())
but the PKI informer (configInformer.Config().V1alpha1().PKIs().Informer()) is
not being registered with WithInformers(), causing cache warm-up and missed
updates; when staticPKIProvider is nil and
featureGates.Enabled(features.FeatureGateConfigurablePKI) is true, add the PKI
informer to the controller informers list (i.e., append
configInformer.Config().V1alpha1().PKIs().Informer() in the same branch where
you construct the NewClusterPKIProfileProvider) so the informer cache is started
and synced for the lister-backed provider.

pkg/cmd/render/render.go (2)

833-867: ⚠️ Potential issue | 🟠 Major

Don't truncate install-config PKI down to signerCertificates only.

This helper ignores defaults, peerCertificates, servingCertificates, and clientCertificates. Valid configs that only set those sections either fail on an empty signer algorithm or render with the wrong effective profile. Unmarshal the full PKI shape and merge the provided sections onto pki.DefaultPKIProfile() instead of rebuilding only SignerCertificates.

#!/bin/bash
set -euo pipefail

sed -n '833,867p' pkg/cmd/render/render.go
rg -n -A40 'type PKIProfile struct' vendor/github.com/openshift/api/config/v1alpha1/types_pki.go
rg -n 'Defaults|SignerCertificates|ServingCertificates|ClientCertificates|PeerCertificates' \
  vendor/github.com/openshift/api/config/v1alpha1/types_pki.go

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cmd/render/render.go` around lines 833 - 867, The current code only
unmarshals a tiny localPKI (signerCertificates) and reconstructs
profile.SignerCertificates, which drops defaults and other sections (defaults,
peerCertificates, servingCertificates, clientCertificates); instead unmarshal
the full PKI shape into a struct matching the complete PKI profile (use
configv1alpha1.PKIProfile or a local struct with all top-level PKI fields), then
start with profile := pki.DefaultPKIProfile() and merge/overwrite only the
provided fields from the unmarshaled object onto profile (preserving defaults
for missing fields) before returning; update usages of
pkiJSON/localPKI/keyConfig to read from the merged profile and keep the same
validation/error handling for unsupported algorithms.

---

821-825: ⚠️ Potential issue | 🟠 Major

Return DefaultPKIProfile() when pki is omitted.

When FeatureGateConfigurablePKI is enabled, Line 825 returns nil, so bootstrap rendering skips the static provider path. The in-cluster provider resolves that case to pki.DefaultPKIProfile(), which can leave bootstrap certs on a different profile than the steady-state controller.

Suggested fix

 	if !found {
-		// no PKI config specified, let library-go choose defaults
-		return nil, nil
+		profile := pki.DefaultPKIProfile()
+		return &profile, nil
 	}

#!/bin/bash
set -euo pipefail

sed -n '821,867p' pkg/cmd/render/render.go
rg -n -C3 'DefaultPKIProfile|NewStaticPKIProfileProvider|pkiProfile != nil' \
  pkg/cmd/render/certs.go \
  vendor/github.com/openshift/library-go/pkg/pki/provider.go

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cmd/render/render.go` around lines 821 - 825, getPKIConfig currently
returns nil when installConfig["pki"] is absent which causes bootstrap to skip
the static provider path; change getPKIConfig so that if the "pki" key is not
found it returns the default profile (call DefaultPKIProfile() and return its
value as *configv1alpha1.PKIProfile) instead of nil to match the in-cluster
provider behavior; this keeps NewStaticPKIProfileProvider/pkiProfile != nil
logic consistent and prevents diverging bootstrap vs steady-state PKI profiles.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/cmd/render/render.go`:
- Around line 833-867: The current code only unmarshals a tiny localPKI
(signerCertificates) and reconstructs profile.SignerCertificates, which drops
defaults and other sections (defaults, peerCertificates, servingCertificates,
clientCertificates); instead unmarshal the full PKI shape into a struct matching
the complete PKI profile (use configv1alpha1.PKIProfile or a local struct with
all top-level PKI fields), then start with profile := pki.DefaultPKIProfile()
and merge/overwrite only the provided fields from the unmarshaled object onto
profile (preserving defaults for missing fields) before returning; update usages
of pkiJSON/localPKI/keyConfig to read from the merged profile and keep the same
validation/error handling for unsupported algorithms.
- Around line 821-825: getPKIConfig currently returns nil when
installConfig["pki"] is absent which causes bootstrap to skip the static
provider path; change getPKIConfig so that if the "pki" key is not found it
returns the default profile (call DefaultPKIProfile() and return its value as
*configv1alpha1.PKIProfile) instead of nil to match the in-cluster provider
behavior; this keeps NewStaticPKIProfileProvider/pkiProfile != nil logic
consistent and prevents diverging bootstrap vs steady-state PKI profiles.

In `@pkg/operator/etcdcertsigner/etcdcertsignercontroller.go`:
- Around line 171-179: The PKI lister-backed provider is being created via
NewClusterPKIProfileProvider(configInformer.Config().V1alpha1().PKIs().Lister())
but the PKI informer (configInformer.Config().V1alpha1().PKIs().Informer()) is
not being registered with WithInformers(), causing cache warm-up and missed
updates; when staticPKIProvider is nil and
featureGates.Enabled(features.FeatureGateConfigurablePKI) is true, add the PKI
informer to the controller informers list (i.e., append
configInformer.Config().V1alpha1().PKIs().Informer() in the same branch where
you construct the NewClusterPKIProfileProvider) so the informer cache is started
and synced for the lister-backed provider.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 5dcd118e-fa23-42e6-9291-90b8cbc23a93

📥 Commits

Reviewing files that changed from the base of the PR and between bb43ee0 and e456c5c.

📒 Files selected for processing (6)

• pkg/cmd/render/certs.go
• pkg/cmd/render/certs_test.go
• pkg/cmd/render/render.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
• pkg/operator/starter.go

✅ Files skipped from review due to trivial changes (1)

• pkg/cmd/render/certs_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/operator/starter.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
• pkg/cmd/render/certs.go

[coderabbitai]

♻️ Duplicate comments (2)

pkg/cmd/render/render.go (2)

822-826: ⚠️ Potential issue | 🟠 Major

Return the default PKI profile when pki is omitted.

Line 824 still returns nil, which means pkg/cmd/render/certs.go:31-47 will skip creating a static PKI provider during bootstrap render. With FeatureGateConfigurablePKI enabled, that makes render-time cert generation diverge from the in-cluster path, which resolves the default profile rather than “unmanaged”. Return pki.DefaultPKIProfile() here so both paths stay aligned.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cmd/render/render.go` around lines 822 - 826, The current branch returns
nil when "pki" is absent (pkiData not found), causing downstream code (certs.go
bootstrap static PKI provider creation) to skip default profile handling and
diverge under FeatureGateConfigurablePKI; update the branch that checks
installConfig["pki"] (where pkiData and found are used) to return
pki.DefaultPKIProfile() instead of nil so render-time cert generation uses the
same default PKI profile as the in-cluster path, leaving the error/second return
value as before.

---

833-867: ⚠️ Potential issue | 🟠 Major

Parse the full PKI profile, not just signerCertificates.

This helper only unmarshals signerCertificates.key. As written, valid configs that set defaults, servingCertificates, or clientCertificates are ignored, and a profile that omits signerCertificates entirely will hit Line 856 with an empty algorithm and fail as unsupported. Unmarshal the full PKI profile and merge it onto pki.DefaultPKIProfile() instead of narrowing the install-config to signer-only fields.

🧹 Nitpick comments (1)

pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go (1)

608-625: Add at least one test that enables configurable PKI.

This shared setup now hard-disables FeatureGateConfigurablePKI and passes nil for both provider inputs, so the suite still only covers the legacy branch in NewEtcdCertSignerController. Since this PR adds provider-resolution behavior, it would be good to add one focused test variant with the gate enabled and a static or informer-backed provider.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go` around lines
608 - 625, The test setup currently hard-disables FeatureGateConfigurablePKI via
disabledFeatureGates and passes nil for configInformer and staticPKIProvider to
NewEtcdCertSignerController; add a separate test case that enables
FeatureGateConfigurablePKI (include it in enabledFeatureGates or remove it from
disabledFeatureGates), construct a non-nil provider (e.g., a static PKI provider
mock or an informer-backed provider) and/or a configInformer mock, and pass that
provider/configInformer into NewEtcdCertSignerController so the
provider-resolution branch is exercised (refer to disabledFeatureGates,
featureGateAccessor, NewEtcdCertSignerController, staticPKIProvider,
configInformer, FeatureGateConfigurablePKI).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/cmd/render/render.go`:
- Around line 822-826: The current branch returns nil when "pki" is absent
(pkiData not found), causing downstream code (certs.go bootstrap static PKI
provider creation) to skip default profile handling and diverge under
FeatureGateConfigurablePKI; update the branch that checks installConfig["pki"]
(where pkiData and found are used) to return pki.DefaultPKIProfile() instead of
nil so render-time cert generation uses the same default PKI profile as the
in-cluster path, leaving the error/second return value as before.

---

Nitpick comments:
In `@pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go`:
- Around line 608-625: The test setup currently hard-disables
FeatureGateConfigurablePKI via disabledFeatureGates and passes nil for
configInformer and staticPKIProvider to NewEtcdCertSignerController; add a
separate test case that enables FeatureGateConfigurablePKI (include it in
enabledFeatureGates or remove it from disabledFeatureGates), construct a non-nil
provider (e.g., a static PKI provider mock or an informer-backed provider)
and/or a configInformer mock, and pass that provider/configInformer into
NewEtcdCertSignerController so the provider-resolution branch is exercised
(refer to disabledFeatureGates, featureGateAccessor,
NewEtcdCertSignerController, staticPKIProvider, configInformer,
FeatureGateConfigurablePKI).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: d24bc686-1e98-4d14-b684-f918ec80822e

📥 Commits

Reviewing files that changed from the base of the PR and between e456c5c and cb9bcfd.

⛔ Files ignored due to path filters (15)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (9)

• go.mod
• pkg/cmd/render/certs.go
• pkg/cmd/render/certs_test.go
• pkg/cmd/render/render.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
• pkg/operator/starter.go
• pkg/tlshelpers/target_cert_creator_test.go
• pkg/tlshelpers/tlshelpers.go

✅ Files skipped from review due to trivial changes (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (6)

• pkg/operator/starter.go
• pkg/tlshelpers/tlshelpers.go
• pkg/cmd/render/certs_test.go
• pkg/tlshelpers/target_cert_creator_test.go
• pkg/cmd/render/certs.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rh-roman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rh-roman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

♻️ Duplicate comments (1)

pkg/cmd/render/render.go (1)

830-859: ⚠️ Potential issue | 🟠 Major

Parse the full PKI profile here and fail with an error, not a panic.

This helper still only reads pki.signerCertificates.key via chained type assertions. Valid configs that only set defaults, peerCertificates, servingCertificates, or clientCertificates are dropped or rejected, and malformed nested data will panic the render path instead of surfacing a normal validation error. Unmarshal the whole PKI section into a typed profile and merge it onto pki.DefaultPKIProfile() instead of indexing through map[string]any.

#!/bin/bash
# Verify that PKIProfile exposes more sections than this helper currently parses,
# then compare that with the implementation under review.
rg -n 'type PKIProfile struct|Defaults|SignerCertificates|PeerCertificates|ServingCertificates|ClientCertificates' \
  vendor/github.com/openshift/api/config/v1alpha1/types_pki.go

sed -n '819,862p' pkg/cmd/render/render.go

🧹 Nitpick comments (1)

pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go (1)

609-624: Add one enabled-ConfigurablePKI controller case.

This fixture hard-disables the new gate and passes nil for pkiProfileProvider, so the controller changes in pkg/operator/etcdcertsigner/etcdcertsignercontroller.go are still only exercised through the legacy path. One case with a static non-default profile would cover the new signer and leaf certificate plumbing.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go` around lines
609 - 624, Add a test case that enables the ConfigurablePKI feature and supplies
a non-nil static pkiProfileProvider so the new configurable-PKI path in
NewEtcdCertSignerController is exercised: create an enabledFeatureGates set
containing features.FeatureGateConfigurablePKI (instead of only creating
disabledFeatureGates), construct featureGateAccessor with that enabled set, and
pass a simple static implementation of the pkiProfileProvider (returning a
non-default profile) into NewEtcdCertSignerController (the pkiProfileProvider
parameter currently set to nil in the fixture) so the controller uses the new
signer/leaf certificate plumbing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go`:
- Around line 609-624: Add a test case that enables the ConfigurablePKI feature
and supplies a non-nil static pkiProfileProvider so the new configurable-PKI
path in NewEtcdCertSignerController is exercised: create an enabledFeatureGates
set containing features.FeatureGateConfigurablePKI (instead of only creating
disabledFeatureGates), construct featureGateAccessor with that enabled set, and
pass a simple static implementation of the pkiProfileProvider (returning a
non-default profile) into NewEtcdCertSignerController (the pkiProfileProvider
parameter currently set to nil in the fixture) so the controller uses the new
signer/leaf certificate plumbing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b946aafd-3c60-49af-9ad3-8eec9f604b2a

📥 Commits

Reviewing files that changed from the base of the PR and between cb9bcfd and 93fe36e.

⛔ Files ignored due to path filters (29)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clustermonitorings.crd.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_30_cluster-api_01_clusterapis.crd.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/security/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/library-go/pkg/controller/controllercmd/cmd.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (10)

• go.mod
• pkg/cmd/render/certs.go
• pkg/cmd/render/certs_test.go
• pkg/cmd/render/render.go
• pkg/cmd/render/render_test.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller.go
• pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
• pkg/operator/starter.go
• pkg/tlshelpers/target_cert_creator_test.go
• pkg/tlshelpers/tlshelpers.go

✅ Files skipped from review due to trivial changes (1)

• go.mod

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/tlshelpers/tlshelpers.go
• pkg/operator/starter.go
• pkg/cmd/render/certs.go

[hasbro17]

/test e2e-aws-etcd-certrotation

[hasbro17]

/test e2e-aws-etcd-certrotation
/retest-required

[hasbro17]

/payload-aggregate e2e-aws-etcd-certrotation 5

[openshift-ci]

@hasbro17: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[openshift-ci-robot]

@rh-roman: This pull request references CNTRLPLANE-2847 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

• New Features

• Install-config can specify a configurable PKI profile (RSA or ECDSA signer); when the ConfigurablePKI feature is enabled, that profile is used for certificate provisioning and signing.

• Refactor

• Certificate rotation switched to a peer-focused strategy and node certificate identity handling was improved.

• Tests

• Expanded tests cover configurable-PKI parsing, RSA/ECDSA selection (including P-521), and the adjusted certificate/provider interfaces.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hasbro17]

/test e2e-aws-etcd-certrotation
/retest-required

Not sure why e2e-operator is failing bootstrap.
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-etcd-operator/1593/pull-ci-openshift-cluster-etcd-operator-main-e2e-operator/2047746054585061376

level=error msg=Cluster operator authentication Degraded is True with IngressStateEndpoints_MissingSubsets::OAuthServerServiceEndpointAccessibleController_SyncError::OAuthServerServiceEndpointsEndpointAccessibleController_SyncError: IngressStateEndpointsDegraded: No subsets found for the endpoints of oauth-server

[hasbro17]

/test e2e-aws-etcd-certrotation
/test e2e-aws-etcd-recovery

[rh-roman]

/retest

[openshift-ci]

@rh-roman: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-etcd-recovery	3832b5f	link	false	/test e2e-aws-etcd-recovery
ci/prow/e2e-operator	972f944	link	true	/test e2e-operator
ci/prow/e2e-gcp-operator-disruptive	972f944	link	true	/test e2e-gcp-operator-disruptive

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sanchezl]

Add configInformers.Start(ctx.Done()) here.

[sanchezl]

I think the failing jobs are because this informer is registered after the call to configInformers.Start() above. Add configInformers.Start() amongst the other informer factory starts at the end of this method.

[rh-roman]

Will take a look on Monday, but a little worried about moving configInformers.Start() given Vadim's comment just above.