Consolidate TLS secret fetching into clientutil and simplify handlers#206
Open
felix-kaestner wants to merge 1 commit intomainironcore-dev/network-operator:mainfrom
refactor/provisioning-serverironcore-dev/network-operator:refactor/provisioning-serverCopy head branch name to clipboard
Open
Consolidate TLS secret fetching into clientutil and simplify handlers#206felix-kaestner wants to merge 1 commit intomainironcore-dev/network-operator:mainfrom refactor/provisioning-serverironcore-dev/network-operator:refactor/provisioning-serverCopy head branch name to clipboard
felix-kaestner wants to merge 1 commit intomainironcore-dev/network-operator:mainfrom
refactor/provisioning-serverironcore-dev/network-operator:refactor/provisioning-serverCopy head branch name to clipboard
Conversation
The provisioning HTTP handlers duplicated Kubernetes secret-fetching logic that already existed in the clientutil package. Additionally, HandleProvisioningRequest called deviceutil.GetDeviceConnection to obtain credentials, which unnecessarily loads TLS certificates when only BasicAuth username and password are needed. Introduce a lower-level TLSSecretPEM() method in clientutil that returns raw PEM bytes (tls.crt, tls.key, and optionally ca.crt) from a TLS secret, and refactor the existing Certificate() method to use it internally. This layered approach avoids breaking existing callers while enabling the provisioning handlers to access raw PEM data without parsing into tls.Certificate. Replace manual secret fetching in GetDeviceCertificate and GetMTLSClientCA with calls to TLSSecretPEM(). Replace the GetDeviceConnection call in HandleProvisioningRequest with a direct BasicAuth() call, adding a nil guard for the optional SecretRef pointer.
Merging this branch changes the coverage (1 decrease, 1 increase)
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. Changed unit test files
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The provisioning HTTP handlers duplicated Kubernetes secret-fetching logic that already existed in the clientutil package. Additionally, HandleProvisioningRequest called deviceutil.GetDeviceConnection to obtain credentials, which unnecessarily loads TLS certificates when only BasicAuth username and password are needed.
Introduce a lower-level TLSSecretPEM() method in clientutil that returns raw PEM bytes (tls.crt, tls.key, and optionally ca.crt) from a TLS secret, and refactor the existing Certificate() method to use it internally. This layered approach avoids breaking existing callers while enabling the provisioning handlers to access raw PEM data without parsing into tls.Certificate.
Replace manual secret fetching in GetDeviceCertificate and GetMTLSClientCA with calls to TLSSecretPEM(). Replace the GetDeviceConnection call in HandleProvisioningRequest with a direct BasicAuth() call, adding a nil guard for the optional SecretRef pointer.