Skip to content

ROX-34000: fix reencrypt route with custom cert#19866

Merged
stehessel merged 2 commits intomasterfrom
ROX-34000/fix-reencrypt-route-custom-cert
Apr 7, 2026
Merged

ROX-34000: fix reencrypt route with custom cert#19866
stehessel merged 2 commits intomasterfrom
ROX-34000/fix-reencrypt-route-custom-cert

Conversation

@stehessel
Copy link
Copy Markdown
Collaborator

@stehessel stehessel commented Apr 7, 2026

Description

This PR addresses a faulty Helm chart linter, which led to a valid reencrypt route configuration being rejected. The linter is supposed to fail configurations which specify only one of tls.certificate or tls.key, while leaving the other empty. However, the actual behavior is that valid configs, with both tls.certificate and tls.key specified, are also rejected.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

created a helm config with both cert and key and confirmed that it deploys successfully:

    route:
      enabled: true
      reencrypt:
        enabled: true
        tls:
          certificate: |
            -----BEGIN CERTIFICATE-----
            MIIDk...
            -----END CERTIFICATE-----
          key: |
            -----BEGIN PRIVATE KEY-----
            MIIEv...
            -----END PRIVATE KEY-----

@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Apr 7, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@stehessel stehessel added backport release-4.10 backport release-4.9 https://spaces.redhat.com/spaces/StackRox/pages/558727298 backport release-4.8 labels Apr 7, 2026
@stehessel stehessel marked this pull request as ready for review April 7, 2026 14:00
@stehessel stehessel requested a review from a team as a code owner April 7, 2026 14:00
@stehessel stehessel requested review from mclasmeier and removed request for a team April 7, 2026 14:00
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 7, 2026
edited
Loading

🚀 Build Images Ready

Images are ready for commit 27bf450. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-582-g27bf450c18

mclasmeier
mclasmeier approved these changes Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@mclasmeier mclasmeier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@stehessel @claude
Improve test name for clarity
93a6437 
Changed test name from "reencrypt route without custom certificate uses
OpenShift CA" to "reencrypt route without custom cert has empty cert
fields" to better describe what the test actually verifies.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@stehessel stehessel enabled auto-merge (squash) April 7, 2026 14:58
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 7, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.58%. Comparing base (b2a85fc) to head (93a6437).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #19866      +/-   ##
==========================================
- Coverage   49.60%   49.58%   -0.02%     
==========================================
  Files        2763     2766       +3     
  Lines      208331   208530     +199     
==========================================
+ Hits       103340   103408      +68     
- Misses      97325    97449     +124     
- Partials     7666     7673       +7
Flag Coverage Δ
go-unit-tests 49.58% <ø> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@stehessel stehessel merged commit 27bf450 into master Apr 7, 2026
106 of 114 checks passed
@stehessel stehessel deleted the ROX-34000/fix-reencrypt-route-custom-cert branch April 7, 2026 17:01
@rhacs-bot
Copy link
Copy Markdown
Contributor

rhacs-bot commented Apr 7, 2026

The backport to release-4.8 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release-4.8 release-4.8
# Navigate to the new working tree
cd .worktrees/backport-release-4.8
# Create a new branch
git switch --create backport-19866-to-release-4.8
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 27bf450c18afa12d4908fe372271944264f6e955
# Push it to GitHub
git push --set-upstream origin backport-19866-to-release-4.8
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release-4.8

Then, create a pull request where the base branch is release-4.8 and the compare/head branch is backport-19866-to-release-4.8.

@rhacs-bot
Copy link
Copy Markdown
Contributor

rhacs-bot commented Apr 7, 2026

The backport to release-4.9 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release-4.9 release-4.9
# Navigate to the new working tree
cd .worktrees/backport-release-4.9
# Create a new branch
git switch --create backport-19866-to-release-4.9
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 27bf450c18afa12d4908fe372271944264f6e955
# Push it to GitHub
git push --set-upstream origin backport-19866-to-release-4.9
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release-4.9

Then, create a pull request where the base branch is release-4.9 and the compare/head branch is backport-19866-to-release-4.9.

rhacs-bot pushed a commit that referenced this pull request Apr 7, 2026
@stehessel @claude @github-actions
ROX-34000: fix reencrypt route with custom cert (#19866)
2576a81 
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
(cherry picked from commit 27bf450)
@rhacs-bot rhacs-bot mentioned this pull request Apr 7, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mclasmeier mclasmeier mclasmeier approved these changes

Assignees

No one assigned

Labels

area/helm backport release-4.8 backport release-4.9 https://spaces.redhat.com/spaces/StackRox/pages/558727298 backport release-4.10

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stehessel @rhacs-bot @mclasmeier