Skip to content

tls: extract injectTLSAnnotation constant and use double-quoted config keys #31125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gangwgr wants to merge 2 commits into
base: main
Choose a base branch
from
+30 −26
Open

tls: extract injectTLSAnnotation constant and use double-quoted config keys #31125

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c5b0f8c
tls: extract injectTLSAnnotation constant to reduce string duplication
gangwgr Apr 27, 2026
431a4b2
tls: use double-quoted strings for jsonpath config keys
gangwgr May 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 30 additions & 26 deletions test/extended/tls/tls_observed_config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,10 @@ const (
// profile change. KAS (static pod) rollout typically takes 15-20 minutes;
// Deployment-based operators are usually faster. 25 minutes covers both.
operatorRolloutTimeout = 25 * time.Minute

// injectTLSAnnotation is the annotation key used by CVO to inject TLS
// security profile configuration into operator ConfigMaps.
injectTLSAnnotation = "config.openshift.io/inject-tls"
)

// tlsTarget describes a namespace/service that must honor the cluster APIServer
Expand Down Expand Up @@ -890,8 +894,8 @@ var _ = g.Describe("[sig-api-machinery][Feature:TLSObservedConfig][Serial][Disru
configKey = "config.yaml"
}
configData := cm.Data[configKey]
o.Expect(cm.Annotations).To(o.HaveKey("config.openshift.io/inject-tls"),
fmt.Sprintf("ConfigMap %s/%s is missing config.openshift.io/inject-tls annotation", cmNamespace, t.configMapName))
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation),
fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))
o.Expect(configData).To(o.ContainSubstring("VersionTLS12"),
fmt.Sprintf("ConfigMap %s/%s should have VersionTLS12 for Custom profile", cmNamespace, t.configMapName))
e2e.Logf("PASS: ConfigMap %s/%s has VersionTLS12 for Custom profile", cmNamespace, t.configMapName)
Expand Down Expand Up @@ -1021,13 +1025,13 @@ func testConfigMapTLSInjection(oc *exutil.CLI, ctx context.Context, t tlsTarget)
o.Expect(err).NotTo(o.HaveOccurred(),
fmt.Sprintf("failed to get ConfigMap %s/%s", cmNamespace, t.configMapName))

g.By("verifying config.openshift.io/inject-tls annotation is present")
injectTLSAnnotation, found := cm.Annotations["config.openshift.io/inject-tls"]
g.By("verifying " + injectTLSAnnotation + " annotation is present")
annotationValue, found := cm.Annotations[injectTLSAnnotation]
o.Expect(found).To(o.BeTrue(),
fmt.Sprintf("ConfigMap %s/%s is missing config.openshift.io/inject-tls annotation", cmNamespace, t.configMapName))
o.Expect(injectTLSAnnotation).To(o.Equal("true"),
fmt.Sprintf("ConfigMap %s/%s has inject-tls annotation but value is not 'true': %s", cmNamespace, t.configMapName, injectTLSAnnotation))
e2e.Logf("ConfigMap %s/%s has config.openshift.io/inject-tls=true annotation", cmNamespace, t.configMapName)
fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))
o.Expect(annotationValue).To(o.Equal("true"),
fmt.Sprintf("ConfigMap %s/%s has inject-tls annotation but value is not 'true': %s", cmNamespace, t.configMapName, annotationValue))
e2e.Logf("ConfigMap %s/%s has %s=true annotation", cmNamespace, t.configMapName, injectTLSAnnotation)

// Get the config key (defaults to "config.yaml" if not specified).
configKey := t.configMapKey
Expand Down Expand Up @@ -1116,13 +1120,13 @@ func testAnnotationRestorationAfterDeletion(oc *exutil.CLI, ctx context.Context,
o.Expect(err).NotTo(o.HaveOccurred(),
fmt.Sprintf("failed to get ConfigMap %s/%s", cmNamespace, t.configMapName))

_, found := cm.Annotations["config.openshift.io/inject-tls"]
_, found := cm.Annotations[injectTLSAnnotation]
o.Expect(found).To(o.BeTrue(),
fmt.Sprintf("ConfigMap %s/%s is missing config.openshift.io/inject-tls annotation", cmNamespace, t.configMapName))
fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))

// Delete the annotation.
g.By("deleting config.openshift.io/inject-tls annotation")
delete(cm.Annotations, "config.openshift.io/inject-tls")
g.By("deleting " + injectTLSAnnotation + " annotation")
delete(cm.Annotations, injectTLSAnnotation)
_, err = oc.AdminKubeClient().CoreV1().ConfigMaps(cmNamespace).Update(ctx, cm, metav1.UpdateOptions{})
o.Expect(err).NotTo(o.HaveOccurred(),
fmt.Sprintf("failed to update ConfigMap %s/%s to delete annotation", cmNamespace, t.configMapName))
Expand All @@ -1138,7 +1142,7 @@ func testAnnotationRestorationAfterDeletion(oc *exutil.CLI, ctx context.Context,
return false, nil
}

val, found := cm.Annotations["config.openshift.io/inject-tls"]
val, found := cm.Annotations[injectTLSAnnotation]
if found && val == "true" {
e2e.Logf(" poll: annotation restored! inject-tls=%s", val)
return true, nil
Expand All @@ -1148,9 +1152,9 @@ func testAnnotationRestorationAfterDeletion(oc *exutil.CLI, ctx context.Context,
},
)
o.Expect(err).NotTo(o.HaveOccurred(),
fmt.Sprintf("inject-tls annotation was not restored on ConfigMap %s/%s within timeout", cmNamespace, t.configMapName))
fmt.Sprintf("%s annotation was not restored on ConfigMap %s/%s within timeout", injectTLSAnnotation, cmNamespace, t.configMapName))

e2e.Logf("PASS: inject-tls annotation was restored after deletion on ConfigMap %s/%s", cmNamespace, t.configMapName)
e2e.Logf("PASS: %s annotation was restored after deletion on ConfigMap %s/%s", injectTLSAnnotation, cmNamespace, t.configMapName)
}

// testAnnotationRestorationWhenFalse verifies that if the inject-tls annotation
Expand All @@ -1174,13 +1178,13 @@ func testAnnotationRestorationWhenFalse(oc *exutil.CLI, ctx context.Context, t t
o.Expect(err).NotTo(o.HaveOccurred(),
fmt.Sprintf("failed to get ConfigMap %s/%s", cmNamespace, t.configMapName))

_, annotationFound := cm.Annotations["config.openshift.io/inject-tls"]
_, annotationFound := cm.Annotations[injectTLSAnnotation]
o.Expect(annotationFound).To(o.BeTrue(),
fmt.Sprintf("ConfigMap %s/%s is missing config.openshift.io/inject-tls annotation", cmNamespace, t.configMapName))
fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))

// Set the annotation to "false".
g.By("setting config.openshift.io/inject-tls annotation to 'false'")
cm.Annotations["config.openshift.io/inject-tls"] = "false"
g.By("setting " + injectTLSAnnotation + " annotation to 'false'")
cm.Annotations[injectTLSAnnotation] = "false"
_, err = oc.AdminKubeClient().CoreV1().ConfigMaps(cmNamespace).Update(ctx, cm, metav1.UpdateOptions{})
o.Expect(err).NotTo(o.HaveOccurred(),
fmt.Sprintf("failed to update ConfigMap %s/%s to set annotation to false", cmNamespace, t.configMapName))
Expand All @@ -1196,7 +1200,7 @@ func testAnnotationRestorationWhenFalse(oc *exutil.CLI, ctx context.Context, t t
return false, nil
}

val, found := cm.Annotations["config.openshift.io/inject-tls"]
val, found := cm.Annotations[injectTLSAnnotation]
if found && val == "true" {
e2e.Logf(" poll: annotation restored to 'true'!")
return true, nil
Expand All @@ -1206,9 +1210,9 @@ func testAnnotationRestorationWhenFalse(oc *exutil.CLI, ctx context.Context, t t
},
)
o.Expect(err).NotTo(o.HaveOccurred(),
fmt.Sprintf("inject-tls annotation was not restored to 'true' on ConfigMap %s/%s within timeout", cmNamespace, t.configMapName))
fmt.Sprintf("%s annotation was not restored to 'true' on ConfigMap %s/%s within timeout", injectTLSAnnotation, cmNamespace, t.configMapName))

e2e.Logf("PASS: inject-tls annotation was restored to 'true' after being set to 'false' on ConfigMap %s/%s", cmNamespace, t.configMapName)
e2e.Logf("PASS: %s annotation was restored to 'true' after being set to 'false' on ConfigMap %s/%s", injectTLSAnnotation, cmNamespace, t.configMapName)
}

// testServingInfoRestorationAfterRemoval verifies that if the servingInfo section
Expand Down Expand Up @@ -1587,8 +1591,8 @@ func verifyConfigMapsForTargets(oc *exutil.CLI, ctx context.Context, expectedVer
configKey = "config.yaml"
}
configData := cm.Data[configKey]
o.Expect(cm.Annotations).To(o.HaveKey("config.openshift.io/inject-tls"),
fmt.Sprintf("ConfigMap %s/%s is missing config.openshift.io/inject-tls annotation", cmNamespace, t.configMapName))
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation),
fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))
o.Expect(configData).To(o.ContainSubstring(expectedVersion),
fmt.Sprintf("ConfigMap %s/%s should have %s after %s switch",
cmNamespace, t.configMapName, expectedVersion, profileLabel))
Expand Down Expand Up @@ -2116,8 +2120,8 @@ func verifyHCPConfigMaps(mgmtCLI *exutil.CLI, hcpNS, expectedVersion, profileLab
name string
configKey string
}{
{name: "kas-config", configKey: `config\.json`},
{name: "openshift-apiserver", configKey: `config\.yaml`},
{name: "kas-config", configKey: "config\\.json"},
Copy link
Copy Markdown
Member

@ingvagabund ingvagabund May 5, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The backslash-dot escaping is needed for jsonpath key lookup and works with either quoting
style

Oh, in that case the originally escaped form is fine.

{name: "openshift-apiserver", configKey: "config\\.yaml"},
}

for _, cm := range hcpCMs {
Expand Down