
Log unknown adherence values and add support for legacy adhering components to ShouldHonorClusterTLSProfile #2308

Open
richardsonnick wants to merge 1 commit into openshift:master from richardsonnick:shouldhonorclusterprofile

Conversation

richardsonnick (Contributor) commented Jun 16, 2026

Adds logging for unknown TLSAdherencePolicy enum values and adds support for legacy components to ShouldHonorClusterTLSProfile.

Summary by CodeRabbit

  • Refactor
    • Updated TLS policy evaluation logic to improve handling of legacy component configurations. Enhanced function now accepts additional parameters for more nuanced policy assessment.

coderabbitai Bot commented Jun 16, 2026

Walkthrough

ShouldHonorClusterTLSProfile in pkg/crypto/tls_adherence.go gains two new parameters (isLegacyAdheringComponent bool, logger klog.Logger) and returns true immediately when isLegacyAdheringComponent is set. The existing policy switch logic and default behavior are unchanged. A k8s.io/klog/v2 import is added.

Changes

TLS Adherence Policy Update

Layer / File(s): ShouldHonorClusterTLSProfile signature and early-return logic, pkg/crypto/tls_adherence.go
Summary: Adds isLegacyAdheringComponent bool and logger klog.Logger parameters; inserts an early return true when isLegacyAdheringComponent is set; adds k8s.io/klog/v2 import. Switch cases for NoOpinion, LegacyAdheringComponentsOnly, and StrictAllComponents are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main changes: adding logging for unknown adherence values and supporting legacy adhering components in the ShouldHonorClusterTLSProfile function.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo tests present in the PR. The test file uses standard Go testing with table-driven tests, which don't have dynamic test names. Check is not applicable.
Test Structure And Quality ✅ Passed PR contains standard Go testing package tests, not Ginkgo tests. Custom check is for Ginkgo test quality (It/Describe/BeforeEach patterns), which is not applicable here.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in this PR. The change only modifies the tls_adherence.go utility function; the check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR does not add any new Ginkgo e2e tests. It only modifies pkg/crypto/tls_adherence.go (a library function) with standard Go unit tests. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only a pure utility function (pkg/crypto/tls_adherence.go) for TLS policy decisions in library-go. No deployment manifests, operator code, controllers, or scheduling constraints are int...
Ote Binary Stdout Contract ✅ Passed The PR adds a logger parameter but makes no actual klog logger calls, so no stdout writes occur. The OTE contract is not violated in its current state.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR does not add any Ginkgo e2e tests. It only modifies TLS configuration utility functions with standard Go unit tests, making the IPv6/disconnected network compatibility check not applicable.
No-Weak-Crypto ✅ Passed The PR modifies tls_adherence.go with no cryptographic algorithms, custom crypto, or insecure comparisons; uses safe enum pattern matching via switch statements.
Container-Privileges ✅ Passed PR modifies only Go source code (tls_adherence.go); no container or K8s manifests with privilege configurations present.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data (passwords, tokens, PII, session IDs, hostnames, customer data) is logged. The code logs only TLSAdherencePolicy enum values, which are non-sensitive configuration settings.


openshift-ci Bot requested review from deads2k and p0lyn0mial, June 16, 2026 14:31

openshift-ci Bot commented Jun 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: richardsonnick
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/crypto/tls_adherence.go`:
- Line 17: The function signature for ShouldHonorClusterTLSProfile in
pkg/crypto/tls_adherence.go has been changed to accept three parameters
(tlsAdherence, isLegacyAdheringComponent, and logger), but the test file
pkg/crypto/tls_adherence_test.go still calls it with only one argument. Update
all call sites to ShouldHonorClusterTLSProfile to pass all three required
arguments: the TLSAdherencePolicy, the boolean flag for legacy adherence, and
the klog.Logger instance. Check both the test file and any other files that call
this function to ensure consistency.
- Around line 26-27: The default case in the switch statement (lines 26-27)
currently returns true for forward compatibility but does not use the logger
parameter to emit an observability log entry for unknown policy enum values. Add
a log statement in the default case using the logger parameter to record when an
unknown policy path is encountered, then return true. This ensures the new
logger parameter is actually utilized and provides the observability coverage
for unrecognized enum values as intended.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b698934b-9e67-45a4-bb08-66fdfe935fc4

📥 Commits

Reviewing files that changed from the base of the PR and between bc9d405 and a6d8c95.

📒 Files selected for processing (1)
  • pkg/crypto/tls_adherence.go

// Unknown enum values are treated as StrictAllComponents for forward compatibility
// and to default to the more secure behavior.
func ShouldHonorClusterTLSProfile(tlsAdherence configv1.TLSAdherencePolicy) bool {
func ShouldHonorClusterTLSProfile(tlsAdherence configv1.TLSAdherencePolicy, isLegacyAdheringComponent bool, logger klog.Logger) bool {
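Review bot: the doc comment above the new signature still describes only the unknown-enum fallback and says nothing about the two added parameters; since the walkthrough states the function returns true immediately when isLegacyAdheringComponent is set, the comment should spell out that the legacy flag takes precedence over every tlsAdherence value (NoOpinion and LegacyAdheringComponentsOnly included) and what the logger is used for, e.g. "// isLegacyAdheringComponent forces true regardless of tlsAdherence; logger records unknown tlsAdherence values."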


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Signature change at Line 17 breaks existing callers unless updated in the same PR.

ShouldHonorClusterTLSProfile now requires 3 args, but the provided pkg/crypto/tls_adherence_test.go snippet still calls it with one argument (ShouldHonorClusterTLSProfile(tt.tlsAdherence)), which will fail to compile until call sites are updated (or a compatibility wrapper is added).


Comment on lines 26 to 27
default:
return true


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unknown policy path still does not log, so the new logger parameter is effectively unused.

Line 26-27 defaults to true for forward compatibility, but it should also emit a log entry for unknown enum values to satisfy the stated observability objective.

Suggested patch
 default:
+    logger.Info("unknown TLSAdherencePolicy value; defaulting to strict behavior", "tlsAdherence", tlsAdherence)
     return true
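Review bot: because the walkthrough places the isLegacyAdheringComponent early return before the switch, this default-case log only fires for non-legacy callers, so an unrecognized tlsAdherence value seen by a legacy component is still accepted silently; if the intent is to surface every unknown value, validate and log before the early return, and the unit test for this branch must pass isLegacyAdheringComponent=false or it will never reach the default case.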

openshift-ci Bot commented Jun 16, 2026

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Required | Rerun command
ci/prow/unit | a6d8c95 | true | /test unit
ci/prow/verify | a6d8c95 | true | /test verify



Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

richardsonnick (Contributor, Author) commented:

Will fix CI errors.
