OCPBUGS-87205: Add configuration override for X-SSL strip #1465
@rikatz: This pull request references Jira Issue OCPBUGS-87205, which is valid. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker.
|
No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

This PR adds support for a new mutualTLSHeaderFilter override in unsupportedConfigOverrides. It introduces the exported constant RouterMutualTLSHeaderFilter, extends the unsupportedConfigOverrides struct to include MutualTLSHeaderFilter, and updates desiredRouterDeployment to parse that field and inject ROUTER_MUTUAL_TLS_HEADER_FILTER=false into the router container only when the override parses successfully to false. A table-driven unit test covers no override, "false", "true", and invalid values.

🚥 Pre-merge checks | ✅ 13 | ❌ 2
❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (13 passed)
🧹 Nitpick comments (1)
pkg/operator/controller/ingress/deployment_test.go (1)
1551-1557: ⚡ Quick win
Use assert for this test's error checks and short-circuit follow-on assertions.
Line 1551 and Line 1556 use t.Error, which keeps running after an unexpected setup failure. Prefer assert.NoError here to match repo test conventions and avoid cascading failures.
Suggested update
- deployment, err := desiredRouterDeployment(ic, &Config{IngressControllerImage: ingressControllerImage}, &configv1.Ingress{}, &configv1.Infrastructure{}, &configv1.APIServer{}, &configv1.Network{}, nil, false, false, nil, &configv1.Proxy{}) - if err != nil { - t.Error(err) - } - - if err := checkDeploymentEnvironment(t, deployment, tc.expectedEnv); err != nil { - t.Error(err) - } + deployment, err := desiredRouterDeployment(ic, &Config{IngressControllerImage: ingressControllerImage}, &configv1.Ingress{}, &configv1.Infrastructure{}, &configv1.APIServer{}, &configv1.Network{}, nil, false, false, nil, &configv1.Proxy{}) + if assert.NoError(t, err) { + assert.NoError(t, checkDeploymentEnvironment(t, deployment, tc.expectedEnv)) + }As per coding guidelines,
**/*_test.go should use github.com/stretchr/testify/assert for assertions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/operator/controller/ingress/deployment_test.go` around lines 1551 - 1557, Replace the non-fatal t.Error checks in this test with testify assertions that short-circuit: import "github.com/stretchr/testify/assert" in pkg/operator/controller/ingress/deployment_test.go, then change the error checks around the Deployment setup and verification to use assert.NoError(t, err, ...) so the test stops on setup failures and subsequent assertions (like the call to checkDeploymentEnvironment) are not executed after an unexpected error; keep the call to checkDeploymentEnvironment but wrap its error check as assert.NoError(t, err) as well to follow repo test conventions.
Source: Coding guidelines
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: b3db2192-6a76-446a-aeaf-869982fede6b
📒 Files selected for processing (2)
pkg/operator/controller/ingress/deployment.go
pkg/operator/controller/ingress/deployment_test.go
Miciah left a comment
Looks good, just one suggested minor cleanup.
/approve
/lgtm
| if err != nil { | ||
| t.Error(err) | ||
| } | ||
|
|
||
| if err := checkDeploymentEnvironment(t, deployment, tc.expectedEnv); err != nil { | ||
| t.Error(err) | ||
| } |
| if err != nil { | |
| t.Error(err) | |
| } | |
| if err := checkDeploymentEnvironment(t, deployment, tc.expectedEnv); err != nil { | |
| t.Error(err) | |
| } | |
| assert.NoError(t, err) | |
| assert.NoError(t, checkDeploymentEnvironment(t, deployment, tc.expectedEnv)) |
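Review bot: the two assert.NoError calls on the last two lines of the suggestion are not chained, so checkDeploymentEnvironment still runs on whatever deployment came back when desiredRouterDeployment returned an error; testify's assert.NoError records the failure and returns false rather than stopping the test. Guard the second call with `if assert.NoError(t, err) { ... }`, or use require.NoError(t, err) for the first check so the test case stops there.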
Edit: Sorry, CodeRabbit already made the same suggestion here: #1465 (review)
|
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Miciah
|
/hold |
|
/hold cancel |
|
@rikatz: The following test failed, say
|
Thanks! |
Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to router with these headers. While this topology is not supported, there is a need for a knob to allow these users to roll back this validation, assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener.
This PR should be merged after openshift/router#787
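
The override handling described in this PR, as an added example that is not the operator's own code: the filter is switched off only when the override value parses cleanly to false, so a missing, malformed, or unparseable value leaves header stripping on. The constant name, environment variable, and JSON key come from the walkthrough above; the string field type, the `headerFilterEnv` helper, and the sample payloads are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Environment variable name as given in the PR walkthrough.
const RouterMutualTLSHeaderFilter = "ROUTER_MUTUAL_TLS_HEADER_FILTER"

// overrides models only the field this PR adds; the string type is an assumption.
type overrides struct {
	MutualTLSHeaderFilter string `json:"mutualTLSHeaderFilter"`
}

// headerFilterEnv (hypothetical helper) returns the env vars to inject for a
// raw unsupportedConfigOverrides payload. It fails closed: anything other than
// a value that parses to false leaves the router's X-SSL stripping enabled.
func headerFilterEnv(raw []byte) map[string]string {
	env := map[string]string{}
	if len(raw) == 0 {
		return env // no override set
	}
	var o overrides
	if err := json.Unmarshal(raw, &o); err != nil {
		return env // malformed JSON: keep the default
	}
	enabled, err := strconv.ParseBool(o.MutualTLSHeaderFilter)
	if err != nil || enabled {
		return env // unparseable or "true": keep the default
	}
	env[RouterMutualTLSHeaderFilter] = "false"
	return env
}

func main() {
	// Constructed sample payloads covering the four cases the PR's test names.
	for _, raw := range []string{
		``,
		`{"mutualTLSHeaderFilter":"false"}`,
		`{"mutualTLSHeaderFilter":"true"}`,
		`{"mutualTLSHeaderFilter":"no"}`,
	} {
		fmt.Printf("%-36q -> %v\n", raw, headerFilterEnv([]byte(raw)))
	}
}
```
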