Skip to content

Refactor CA cert pool handling#725

Merged
selzoc merged 1 commit intomainfrom
refactor-cert-pool
May 6, 2026
Merged

Refactor CA cert pool handling#725
selzoc merged 1 commit intomainfrom
refactor-cert-pool

Conversation

@selzoc
Copy link
Copy Markdown
Member

@selzoc selzoc commented May 6, 2026

No description provided.

@selzoc
Refactor CA cert pool handling
2f35526 
ai-assisted=yes
[TNZ-94638]
[TNZ-94639]
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 6, 2026
edited
Loading

Caution

Review failed

Failed to post review comments

Walkthrough

This pull request enhances TLS certificate handling across the deployment system. Changes include: replacing insecure TLS client creation with CA-based certificate pool initialization in deployment deletion and preparation flows; adding a new SecureTLSClientMatcher() test helper to enforce TLS verification in mock expectations; introducing a CACertPool() method to the Certificate type for PEM-based certificate pool construction; and updating test suites to use the new matcher for stricter TLS validation.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ❓ Inconclusive No description was provided by the author, making it impossible to assess whether it relates to the changeset. Add a description explaining the purpose of this refactoring, such as why CA cert pool handling was changed and what benefits it provides.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Refactor CA cert pool handling' directly and clearly summarizes the main change: refactoring how CA certificate pools are handled throughout the codebase.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch refactor-cert-pool

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@aramprice aramprice requested a review from Copilot May 6, 2026 18:20
Copilot AI reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors installation-manifest CA handling by centralizing CA parsing into a reusable helper and switching blobstore HTTP clients from InsecureSkipVerify to verified TLS using either system roots or a manifest-provided CA bundle.

Changes:

  • Add Certificate.CACertPool() to parse the installation manifest’s PEM CA into an *x509.CertPool (or return nil to use system roots).
  • Update deployment prepare/delete flows to create blobstore clients with CreateDefaultClient(certPool) instead of CreateDefaultClientInsecureSkipVerify().
  • Add/adjust tests: new unit tests for CACertPool, plus a gomock matcher and test updates to assert blobstore clients are configured with TLS verification enabled.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
installation/manifest/manifest.go Introduces CACertPool() helper to parse PEM CA into an *x509.CertPool.
installation/manifest/certificate_test.go Adds unit coverage for CACertPool() (empty CA, valid PEM, invalid PEM).
cmd/suite_test.go Adds a gomock matcher used by cmd tests to assert blobstore clients are configured for secure TLS verification.
cmd/deployment_preparer.go Switches blobstore client creation to verified TLS, using CA cert pool from the installation manifest.
cmd/deployment_deleter.go Switches blobstore client creation to verified TLS, using CA cert pool derived from the provided CA string.
cmd/deployment_deleter_test.go Updates blobstore factory expectations to require a secure TLS client.
cmd/create_env_test.go Updates blobstore factory expectations to require a secure TLS client and sets installationManifest.Cert.CA.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread cmd/suite_test.go
@selzoc selzoc merged commit 3752eea into main May 6, 2026
50 checks passed
@selzoc selzoc deleted the refactor-cert-pool branch May 6, 2026 18:35
@KauzClay KauzClay mentioned this pull request May 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@aramprice aramprice aramprice approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@selzoc @aramprice