Skip to content

CNTRLPLANE-3652: Add TLS ownership for 5 unowned artifacts#31348

Open
oceanc80 wants to merge 4 commits into
openshift:mainfrom
redhat-chai-bot:tls-ownership-fix
Open

CNTRLPLANE-3652: Add TLS ownership for 5 unowned artifacts#31348
oceanc80 wants to merge 4 commits into
openshift:mainfrom
redhat-chai-bot:tls-ownership-fix

Conversation

@oceanc80

@oceanc80 oceanc80 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Add ownership information for 5 TLS artifacts that were listed as missing owners in the TLS registry:

  • ns/openshift-ingress secret/router-certs-default → Networking / router
  • ns/openshift-ingress-operator secret/router-ca → Networking / router
  • ns/kube-system configmap/extension-apiserver-authentication → kube-apiserver
  • ns/openshift-config-managed configmap/default-ingress-cert → Networking / router
  • ns/openshift-console configmap/default-ingress-cert → Networking / router

Updates ownership.json, ownership.md, all raw-data files, and empties the ownership-violations.json file.

Ref: CNTRLPLANE-3652

Summary by CodeRabbit

  • Documentation

    • Updated TLS ownership and inventory documentation to reflect current certificate ownership and descriptions.
    • Replaced unknown-owner entries with clearer ownership for router-related and API server-related certificate artifacts.
  • Bug Fixes

    • Filled in missing metadata for several certificate bundles and key pairs, improving traceability and reducing incomplete records.
    • Updated counts and listings so the documented TLS inventory now matches the latest set of artifacts.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 29, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 29, 2026

Copy link
Copy Markdown

@oceanc80: This pull request references CNTRLPLANE-3652 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Add ownership information for 5 TLS artifacts that were listed as missing owners in the TLS registry:

  • ns/openshift-ingress secret/router-certs-default → Networking / router
  • ns/openshift-ingress-operator secret/router-ca → Networking / router
  • ns/kube-system configmap/extension-apiserver-authentication → kube-apiserver
  • ns/openshift-config-managed configmap/default-ingress-cert → Networking / router
  • ns/openshift-console configmap/default-ingress-cert → Networking / router

Updates ownership.json, ownership.md, all raw-data files, and empties the ownership-violations.json file.

Ref: CNTRLPLANE-3652

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b5046197-a941-447a-92d9-cb10e46a255c

📥 Commits

Reviewing files that changed from the base of the PR and between ebb24c7 and 1ed2b76.

📒 Files selected for processing (5)
  • tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md
  • tls/descriptions/descriptions.md
  • tls/ownership/ownership.md
  • tls/refresh-period/refresh-period.md
  • tls/testcase/testcase.md

Walkthrough

This PR populates previously-empty owningJiraComponent and description metadata fields for extension-apiserver-authentication, default-ingress-cert, router-ca, and router-certs-default TLS artifacts across all ownership/description/testcase/refresh-period JSON files and per-platform raw-data artifacts, nulls the ownership-violations list, and updates generated markdown documentation to reclassify these entries from "Unknown Owner"/"Missing Owners" into "kube-apiserver" and new "Networking / router" sections with renumbered counts.

Changes

TLS ownership metadata population

Layer / File(s) Summary
Core reference JSON metadata
tls/ownership/ownership.json, tls/descriptions/descriptions.json, tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json, tls/refresh-period/refresh-period.json, tls/testcase/testcase.json
Sets owningJiraComponent (kube-apiserver or Networking / router) and non-empty description for the extension-apiserver-authentication CA bundle, two default-ingress-cert CA bundles, router-certs-default, and router-ca cert key pairs, replacing prior empty strings.
Per-platform raw-data artifacts
tls/raw-data/raw-tls-artifacts-*.json (14 files)
Applies the same metadata population pattern to the corresponding CA bundle and cert key pair entries across all ha/single, default/techpreviewnoupgrade, and cloud-platform variants (aws, azure, gcp, metal, openstack, vsphere).
Ownership violations cleared
tls/violations/ownership/ownership-violations.json
Replaces populated certificateAuthorityBundles and certKeyPairs violation arrays with null.
Documentation reclassification and renumbering
tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md, tls/descriptions/descriptions.md, tls/ownership/ownership.md, tls/refresh-period/refresh-period.md, tls/testcase/testcase.md
Removes "Unknown Owner"/"Missing Owners" sections, adds new "Networking / router" sections with router certificate and CA bundle entries, inserts extension-apiserver-authentication into kube-apiserver CA bundle lists, and renumbers TOC and list entries accordingly.

Estimated code review effort: 2 (Simple) | ~12 minutes

Sequence Diagram(s)

Not applicable — this PR consists of metadata field population and documentation renumbering with no new control flow or component interactions.

Estimated code review effort: 2 (Simple) | ~12 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding TLS ownership for five previously unowned artifacts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test titles were changed; the PR only edits TLS ownership JSON/MD docs plus a markdown helper, and scans found no It/Describe/Context/When in changed files.
Test Structure And Quality ✅ Passed Only TLS ownership JSON/MD data files changed; no Ginkgo test code was touched, so the checklist is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes JSON/MD ownership data and a vendor markdown helper.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PASS: The PR only changes TLS ownership metadata/docs plus a markdown helper; no new Ginkgo tests or SNO-sensitive test logic were added.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: The PR only edits TLS ownership/description JSON and markdown; no deployment manifests, operators, controllers, or scheduling fields were changed.
Ote Binary Stdout Contract ✅ Passed No process-level code changed; only docs and a markdown helper writing to buffers, with no stdout logging in main/init/test setup.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only updates TLS ownership JSON/MD data and ownership-violations, with no It/Describe/Context blocks or network code.
No-Weak-Crypto ✅ Passed Changed files are TLS ownership docs/data only; scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom-crypto/comparison code.
Container-Privileges ✅ Passed PASS: The touched files are markdown/vendor/deps only; no changed K8s/container manifests, and no modified files contain privileged, hostPID, hostNetwork, hostIPC, or allowPrivilegeEscalation setti...
No-Sensitive-Data-In-Logs ✅ Passed Touched files are TLS ownership JSON/MD docs only; no log statements or log files were added, and scans found no sensitive-data exposure.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from deads2k and sjenning June 29, 2026 11:11
@openshift-ci openshift-ci Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 29, 2026

@oceanc80 oceanc80 left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@oceanc80: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oceanc80
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Set owningJiraComponent and description for:
- ns/kube-system configmap/extension-apiserver-authentication (kube-apiserver)
- ns/openshift-config-managed configmap/default-ingress-cert (Networking / router)
- ns/openshift-console configmap/default-ingress-cert (Networking / router)
- ns/openshift-ingress secret/router-certs-default (Networking / router)
- ns/openshift-ingress-operator secret/router-ca (Networking / router)

Ownership info updated in raw-data files and all derived files
regenerated via `go run -mod vendor ./cmd/update-tls-artifacts generate-ownership`.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tls/ownership/ownership.md`:
- Around line 23-25: The table of contents links use manually written
title-cased anchor fragments that do not match the generated markdown heading
IDs, so update the TOC entries to use the actual lowercase slug format. Fix the
links for the relevant headings in ownership.md, including the entries
associated with Networking / router and kube-apiserver, and keep the fragment
text consistent with the rendered markdown anchors so the TOC resolves
correctly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 28e46bfa-6e01-4e2b-89f3-66924722bb99

📥 Commits

Reviewing files that changed from the base of the PR and between 9a99e04 and a9a7155.

📒 Files selected for processing (24)
  • tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json
  • tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md
  • tls/descriptions/descriptions.json
  • tls/descriptions/descriptions.md
  • tls/ownership/ownership.json
  • tls/ownership/ownership.md
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/refresh-period/refresh-period.json
  • tls/refresh-period/refresh-period.md
  • tls/testcase/testcase.json
  • tls/testcase/testcase.md
  • tls/violations/ownership/ownership-violations.json
✅ Files skipped from review due to trivial changes (10)
  • tls/ownership/ownership.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json
🚧 Files skipped from review as they are similar to previous changes (4)
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json
  • tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json
  • tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json

Comment thread tls/ownership/ownership.md
The markdown TOC generator was producing title-cased anchor fragments
(e.g. #Certificates-2, #Certificate-Authority-Bundles-2) that don't
match the lowercase heading IDs rendered by GitHub/markdown processors
(e.g. #certificates-2, #certificate-authority-bundles-2).

Add strings.ToLower() to the tocLink generation in the vendored
library-go markdown package and regenerate all TLS ownership markdown.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the vendor-update Touching vendor dir or related files label Jul 2, 2026
Register the strings.ToLower() carry patch in
vendor/github.com/openshift/library-go/pkg/markdown/markdown.go
as an approved vendor override in deps.diff so that the
verify-deps CI check passes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deps.diff`:
- Around line 1-3: Keep the lowercasing in the TOC helper: the markdown slug
generation in markdown.go’s TOC logic should continue to call
strings.ToLower(tocLink) so mixed-case headings like those in ownership docs
still produce matching fragment links. Restore or preserve this behavior in the
TOC helper path that builds tocLink, and ensure any related slug normalization
remains case-insensitive.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 60d477f8-6d44-4108-8ef2-df68ba72a5f1

📥 Commits

Reviewing files that changed from the base of the PR and between 196a8c5 and ebb24c7.

📒 Files selected for processing (1)
  • deps.diff

Comment thread deps.diff Outdated
Remove the strings.ToLower() vendor modification from
library-go/pkg/markdown/markdown.go and clear deps.diff.
Regenerate all TLS ownership markdown files to reflect the
original title-cased TOC anchors.

The ownership data additions for the 5 TLS artifacts
(extension-apiserver-authentication, default-ingress-cert,
router-certs-default, router-ca) are preserved intact.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@oceanc80: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-ovn 1ed2b76 link true /test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review vendor-update Touching vendor dir or related files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants