CNTRLPLANE-3429: Respect configured cipher order for inject-tls

[vincentdephily]

Cipher order is meaningful, don't sort alphabetically.

• Remove unwanted string sort
• Adjust unittests
• Tweak logs

Summary by CodeRabbit

• Bug Fixes

  • TLS cipher suite injection now preserves the order from the APIServer TLS profile configuration instead of reordering them.

• Tests

  • Updated test fixtures to validate TLS injection behavior with preserved cipher suite ordering.

[openshift-ci-robot]

@vincentdephily: This pull request explicitly references no jira issue.

Details

In response to this:

Cipher order is meaningful, don't sort alphabetically.

• Remove unwanted string sort
• Adjust unittests
• Tweak logs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

TLS injection logic in ConfigMap handling now captures and logs the detected RNode kind separately for GenericOperatorConfig and GenericControllerConfig, and removes cipher suite sorting to preserve the order from the observed APIServer TLS profile data.

Changes

TLS Injection Logic & Cipher Suite Ordering

Layer / File(s)	Summary
Core Logic lib/resourcebuilder/core.go	RNode kind is captured into rnodeKind and used in logging and kind-filtering logic. Cipher suite sorting step is removed so cipherSuites preserves the order from the TLS profile data.
Test Helpers & Fixtures lib/resourcebuilder/core_test.go	Test helper changed from sorted to unsorted cipher suite retrieval; sort import removed. Cipher suite fixtures updated; "TLS already injected / cipher order" test case now expects injection when cipher order differs, validating the new unsorted-preservation behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test titles in the modified PR are static and deterministic. No dynamic identifiers, timestamps, UUIDs, pod/node names, or random suffixes detected in test names.
Test Structure And Quality	✅ Passed	The custom check requests review of "Ginkgo test code". However, lib/resourcebuilder/core_test.go uses standard Go testing (testing.T), not Ginkgo. The check is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests. Changes are limited to standard Go unit tests in core_test.go, not subject to MicroShift compatibility check.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests. It modifies production code and unit tests using standard Go testing only. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only TLS cipher handling in ConfigMap injection. No scheduling constraints, deployment manifests, pod affinity, node selectors, or topology logic introduced.
Ote Binary Stdout Contract	✅ Passed	Library code modified (not binary entry-point). Uses klog.V().Infof() to stderr by default. No fmt.Print/Println or stdout writes. No process-level code (main, init, TestMain, BeforeSuite) modified.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. PR only modifies unit tests in lib/resourcebuilder/core_test.go using standard Go testing.T pattern, not Ginkgo. Check does not apply to unit tests.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: removing the cipher sort operation to preserve the configured order, which is the primary objective of the PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vincentdephily
Once this PR has been reviewed and has the lgtm label, please assign fao89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vincentdephily]

/retest

[openshift-ci]

@vincentdephily: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ingvagabund]

Why not just drop the sort.Strings statement?

[vincentdephily]

Because crypto.DefaultCiphers() and configv1.TLSProfiles[crypto.DefaultTLSProfileType] return the same ciphers but in a different order. The new TLS1.3 ciphers have a higher precedence in os library-go than in golang crypto.

Ideally I would have taken the cipher suite by calling apiserver.ObserveTLSSecurityProfile(), but the context args made that akward. So instead I extracted the core logic for the 'default case', and added a comment. If the apiserver code drifts, we'll have to update this test.

[ingvagabund]

Can this change be made on the original lines? To simplify the diff.

[vincentdephily]

I changed the order because having related suites together felt more readable to me (in particular to notice same ciphers with different IDs), but if you feel otherwise I can keep the old order and reword the comments ?

[ingvagabund]

nit: bu -> by

[openshift-ci-robot]

@vincentdephily: This pull request references CNTRLPLANE-3429 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "5.0.0" version, but multiple target versions were set.

Details

In response to this:

Cipher order is meaningful, don't sort alphabetically.

• Remove unwanted string sort
• Adjust unittests
• Tweak logs

Summary by CodeRabbit

• Bug Fixes

• TLS cipher suite injection now preserves the order from the APIServer TLS profile configuration instead of reordering them.

• Tests

• Updated test fixtures to validate TLS injection behavior with preserved cipher suite ordering.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[DavidHurta]

/cc