20108931282

Committed 10 Dec 2025 06:19PM UTC coverage: 76.573% (-0.2%) from 76.787%

Build # 20108931282

Build Type

push

github

Committed by

web-flow

Commit Message

CNV-61721: Add ValidatingAdmissionPolicy to validate the HyperConverged namespace (#3912)

* Add the new admission policy controller

The current implementation of preventing the creation of the
HyperConverged CR in non-allowed namespace, is not working in Openshift,
where becasue of a race condition, the webhook's namespace selector is
removed by OLM.

This commit adds a new controller, to create and reconcile a
ValidatingAdmissionPolicy and the related
ValidatingAdmissionPolicyBinding, to perform the same validation.

The reason we're doing it in a new controller, is because we need the
ValidatingAdmissionPolicy to be set, even if the HyperConverged CR is
not deployed, while our main controller only reconciles resources if
the HyperConverged CR is deployed.

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

* Register the admission policy controller on boot

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

* Remove the current validation

Remove the existing validation of the HyperConverged CR namespace from
the validation webhook, as it is now done by the policy, created by the
admission policy controller.

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

* Don't remove the namespace selector from the validation wh

OLM adds a namespace selection on the validation webhook CR, causing the
namespace validation to be not relevant.

The webhook setup logic removes this selector, but actually this is
reconciled by OLM, and eventually, user can still create the
HyperConverged CR in any namespace.

The issue is now handled by a ValidationgAdmissionPolicy, and so we
don't need this logic anymore, and so this commit removes it.

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

---------

Signed-off-by: Nahshon Unna Tsameret <nahsh.ut@gmail.com>

Coverage Stats

115 of 189 new or added lines in 4 files covered. (60.85%)

5 existing lines in 1 file now uncovered.

8201 of 10710 relevant lines covered (76.57%)

1.81 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

90.63

/pkg/webhooks/validator/validator.go

package validator

import (
        "context"
        "errors"
        "fmt"
        "net/http"
        "reflect"
        "strings"
        "time"

        "github.com/go-logr/logr"
        openshiftconfigv1 "github.com/openshift/api/config/v1"
        "github.com/samber/lo"
        xsync "golang.org/x/sync/errgroup"
        admissionv1 "k8s.io/api/admission/v1"
        corev1 "k8s.io/api/core/v1"
        apierrors "k8s.io/apimachinery/pkg/api/errors"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
        "k8s.io/utils/strings/slices"
        "sigs.k8s.io/controller-runtime/pkg/client"
        "sigs.k8s.io/controller-runtime/pkg/webhook/admission"

        networkaddonsv1 "github.com/kubevirt/cluster-network-addons-operator/pkg/apis/networkaddonsoperator/v1"
        kubevirtcorev1 "kubevirt.io/api/core/v1"
        cdiv1beta1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
        sspv1beta3 "kubevirt.io/ssp-operator/api/v1beta3"

        "github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1"
        "github.com/kubevirt/hyperconverged-cluster-operator/controllers/handlers"
        "github.com/kubevirt/hyperconverged-cluster-operator/pkg/nodeinfo"
        hcoutil "github.com/kubevirt/hyperconverged-cluster-operator/pkg/util"
)

const (
        updateDryRunTimeOut = time.Second * 3
)

type ValidationWarning struct {
        warnings []string
}

func newValidationWarning(warnings []string) *ValidationWarning {
        return &ValidationWarning{
                warnings: warnings,
        }
}

func (v *ValidationWarning) Error() string {
        return ""
}

func (v *ValidationWarning) Warnings() []string {
        return v.warnings
}

type WebhookHandler struct {
        logger      logr.Logger
        cli         client.Client
        namespace   string
        isOpenshift bool
        decoder     admission.Decoder
}

var hcoTLSConfigCache *openshiftconfigv1.TLSSecurityProfile

func NewWebhookHandler(logger logr.Logger, cli client.Client, decoder admission.Decoder, namespace string, isOpenshift bool, hcoTLSSecurityProfile *openshiftconfigv1.TLSSecurityProfile) *WebhookHandler {
        hcoTLSConfigCache = hcoTLSSecurityProfile
        return &WebhookHandler{
                logger:      logger,
                cli:         cli,
                namespace:   namespace,
                isOpenshift: isOpenshift,
                decoder:     decoder,
        }
}

func (wh *WebhookHandler) Handle(ctx context.Context, req admission.Request) admission.Response {

        ctx = admission.NewContextWithRequest(ctx, req)

        // Get the object in the request
        obj := &v1beta1.HyperConverged{}

        dryRun := req.DryRun != nil && *req.DryRun

        var err error
        switch req.Operation {
        case admissionv1.Create:
                if err := wh.decoder.Decode(req, obj); err != nil {
                        return admission.Errored(http.StatusBadRequest, err)
                }

                err = wh.ValidateCreate(ctx, dryRun, obj)
        case admissionv1.Update:
                oldObj := &v1beta1.HyperConverged{}
                if err := wh.decoder.DecodeRaw(req.Object, obj); err != nil {
                        return admission.Errored(http.StatusBadRequest, err)
                }
                if err := wh.decoder.DecodeRaw(req.OldObject, oldObj); err != nil {
                        return admission.Errored(http.StatusBadRequest, err)
                }

                err = wh.ValidateUpdate(ctx, dryRun, obj, oldObj)
        case admissionv1.Delete:
                // In reference to PR: https://github.com/kubernetes/kubernetes/pull/76346
                // OldObject contains the object being deleted
                if err := wh.decoder.DecodeRaw(req.OldObject, obj); err != nil {
                        return admission.Errored(http.StatusBadRequest, err)
                }

                err = wh.ValidateDelete(ctx, dryRun, obj)
        default:
                return admission.Errored(http.StatusBadRequest, fmt.Errorf("unknown operation request %q", req.Operation))
        }

        // Check the error message first.
        if err != nil {
                var apiStatus apierrors.APIStatus
                if errors.As(err, &apiStatus) {
                        return validationResponseFromStatus(false, apiStatus.Status())
                }

                var vw *ValidationWarning
                if errors.As(err, &vw) {
                        return admission.Allowed("").WithWarnings(vw.Warnings()...)
                }

                return admission.Denied(err.Error())
        }

        // Return allowed if everything succeeded.
        return admission.Allowed("")
}

func (wh *WebhookHandler) ValidateCreate(_ context.Context, dryrun bool, hc *v1beta1.HyperConverged) error {
        wh.logger.Info("Validating create", "name", hc.Name, "namespace:", hc.Namespace)

        if err := wh.validateCertConfig(hc); err != nil {
                return err
        }

        if err := wh.validateDataImportCronTemplates(hc); err != nil {
                return err
        }

        if err := wh.validateTLSSecurityProfiles(hc); err != nil {
                return err
        }

        if err := wh.validateMediatedDeviceTypes(hc); err != nil {
                return err
        }

        if err := wh.validateFeatureGatesOnCreate(hc); err != nil {
                return err
        }

        if err := wh.validateTuningPolicy(hc); err != nil {
                return err
        }

        if err := wh.validateAffinity(hc); err != nil {
                return err
        }

        if _, err := handlers.NewKubeVirt(hc); err != nil {
                return err
        }

        if _, err := handlers.NewCDI(hc); err != nil {
                return err
        }

        if _, err := handlers.NewNetworkAddons(hc); err != nil {
                return err
        }

        if _, _, err := handlers.NewSSP(hc); err != nil {
                return err
        }

        if !dryrun {
                hcoTLSConfigCache = hc.Spec.TLSSecurityProfile
        }

        return nil
}

func (wh *WebhookHandler) getOperands(requested *v1beta1.HyperConverged) (*kubevirtcorev1.KubeVirt, *cdiv1beta1.CDI, *networkaddonsv1.NetworkAddonsConfig, error) {
        if err := wh.validateCertConfig(requested); err != nil {
                return nil, nil, nil, err
        }

        kv, err := handlers.NewKubeVirt(requested)
        if err != nil {
                return nil, nil, nil, err
        }

        cdi, err := handlers.NewCDI(requested)
        if err != nil {
                return nil, nil, nil, err
        }

        cna, err := handlers.NewNetworkAddons(requested)
        if err != nil {
                return nil, nil, nil, err
        }

        return kv, cdi, cna, nil
}

// ValidateUpdate is the ValidateUpdate webhook implementation. It calls all the resources in parallel, to dry-run the
// upgrade.
func (wh *WebhookHandler) ValidateUpdate(ctx context.Context, dryrun bool, requested *v1beta1.HyperConverged, exists *v1beta1.HyperConverged) error {
        wh.logger.Info("Validating update", "name", requested.Name)

        if err := wh.validateDataImportCronTemplates(requested); err != nil {
                return err
        }

        if err := wh.validateTLSSecurityProfiles(requested); err != nil {
                return err
        }

        if err := wh.validateMediatedDeviceTypes(requested); err != nil {
                return err
        }

        if err := wh.validateFeatureGatesOnUpdate(requested, exists); err != nil {
                return err
        }

        if err := wh.validateTuningPolicy(requested); err != nil {
                return err
        }

        if err := wh.validateAffinity(requested); err != nil {
                return err
        }

        // If no change is detected in the spec nor the annotations - nothing to validate
        if reflect.DeepEqual(exists.Spec, requested.Spec) &&
                reflect.DeepEqual(exists.Annotations, requested.Annotations) {
                return nil
        }

        kv, cdi, cna, err := wh.getOperands(requested)
        if err != nil {
                return err
        }

        toCtx, cancel := context.WithTimeout(ctx, updateDryRunTimeOut)
        defer cancel()

        eg, egCtx := xsync.WithContext(toCtx)
        opts := &client.UpdateOptions{DryRun: []string{metav1.DryRunAll}}

        resources := []client.Object{
                kv,
                cdi,
                cna,
        }

        if wh.isOpenshift {
                origGetControlPlaneArchitectures := nodeinfo.GetControlPlaneArchitectures
                origGetWorkloadsArchitectures := nodeinfo.GetWorkloadsArchitectures
                defer func() {
                        nodeinfo.GetControlPlaneArchitectures = origGetControlPlaneArchitectures
                        nodeinfo.GetWorkloadsArchitectures = origGetWorkloadsArchitectures
                }()

                nodeinfo.GetControlPlaneArchitectures = func() []string {
                        return requested.Status.NodeInfo.ControlPlaneArchitectures
                }
                nodeinfo.GetWorkloadsArchitectures = func() []string {
                        return requested.Status.NodeInfo.WorkloadsArchitectures
                }

                ssp, _, err := handlers.NewSSP(requested)
                if err != nil {
                        return err
                }
                resources = append(resources, ssp)
        }

        for _, obj := range resources {
                func(o client.Object) {
                        eg.Go(func() error {
                                return wh.updateOperatorCr(egCtx, requested, o, opts)
                        })
                }(obj)
        }

        err = eg.Wait()
        if err != nil {
                return err
        }

        if !dryrun {
                hcoTLSConfigCache = requested.Spec.TLSSecurityProfile
        }

        return nil
}

func (wh *WebhookHandler) updateOperatorCr(ctx context.Context, hc *v1beta1.HyperConverged, exists client.Object, opts *client.UpdateOptions) error {
        err := hcoutil.GetRuntimeObject(ctx, wh.cli, exists)
        if err != nil {
                wh.logger.Error(err, "failed to get object from kubernetes", "kind", exists.GetObjectKind())
                return err
        }

        switch existing := exists.(type) {
        case *kubevirtcorev1.KubeVirt:
                required, err := handlers.NewKubeVirt(hc)
                if err != nil {
                        return err
                }
                required.Spec.DeepCopyInto(&existing.Spec)

        case *cdiv1beta1.CDI:
                required, err := handlers.NewCDI(hc)
                if err != nil {
                        return err
                }
                required.Spec.DeepCopyInto(&existing.Spec)

        case *networkaddonsv1.NetworkAddonsConfig:
                required, err := handlers.NewNetworkAddons(hc)
                if err != nil {
                        return err
                }
                required.Spec.DeepCopyInto(&existing.Spec)

        case *sspv1beta3.SSP:
                required, _, err := handlers.NewSSP(hc)
                if err != nil {
                        return err
                }
                required.Spec.DeepCopyInto(&existing.Spec)
        }

        if err = wh.cli.Update(ctx, exists, opts); err != nil {
                wh.logger.Error(err, "failed to dry-run update the object", "kind", exists.GetObjectKind())
                return err
        }

        wh.logger.Info("dry-run update the object passed", "kind", exists.GetObjectKind())
        return nil
}

func (wh *WebhookHandler) ValidateDelete(ctx context.Context, dryrun bool, hc *v1beta1.HyperConverged) error {
        wh.logger.Info("Validating delete", "name", hc.Name, "namespace", hc.Namespace)

        kv := handlers.NewKubeVirtWithNameOnly(hc)
        cdi := handlers.NewCDIWithNameOnly(hc)

        for _, obj := range []client.Object{
                kv,
                cdi,
        } {
                _, err := hcoutil.EnsureDeleted(ctx, wh.cli, obj, hc.Name, wh.logger, true, false, true)
                if err != nil {
                        wh.logger.Error(err, "Delete validation failed", "GVK", obj.GetObjectKind().GroupVersionKind())
                        return err
                }
        }
        if !dryrun {
                hcoTLSConfigCache = nil
        }
        return nil
}

func (wh *WebhookHandler) validateCertConfig(hc *v1beta1.HyperConverged) error {
        minimalDuration := metav1.Duration{Duration: 10 * time.Minute}

        ccValues := make(map[string]time.Duration)
        ccValues["spec.certConfig.ca.duration"] = hc.Spec.CertConfig.CA.Duration.Duration
        ccValues["spec.certConfig.ca.renewBefore"] = hc.Spec.CertConfig.CA.RenewBefore.Duration
        ccValues["spec.certConfig.server.duration"] = hc.Spec.CertConfig.Server.Duration.Duration
        ccValues["spec.certConfig.server.renewBefore"] = hc.Spec.CertConfig.Server.RenewBefore.Duration

        for key, value := range ccValues {
                if value < minimalDuration.Duration {
                        return fmt.Errorf("%v: value is too small", key)
                }
        }

        if hc.Spec.CertConfig.CA.Duration.Duration < hc.Spec.CertConfig.CA.RenewBefore.Duration {
                return errors.New("spec.certConfig.ca: duration is smaller than renewBefore")
        }

        if hc.Spec.CertConfig.Server.Duration.Duration < hc.Spec.CertConfig.Server.RenewBefore.Duration {
                return errors.New("spec.certConfig.server: duration is smaller than renewBefore")
        }

        if hc.Spec.CertConfig.CA.Duration.Duration < hc.Spec.CertConfig.Server.Duration.Duration {
                return errors.New("spec.certConfig: ca.duration is smaller than server.duration")
        }

        return nil
}

func (wh *WebhookHandler) validateDataImportCronTemplates(hc *v1beta1.HyperConverged) error {

        for _, dict := range hc.Spec.DataImportCronTemplates {
                val, ok := dict.Annotations[hcoutil.DataImportCronEnabledAnnotation]
                val = strings.ToLower(val)
                if ok && val != "false" && val != "true" {
                        return fmt.Errorf(`the %s annotation of a dataImportCronTemplate must be either "true" or "false"`, hcoutil.DataImportCronEnabledAnnotation)
                }

                enabled := !ok || val == "true"

                if enabled && dict.Spec == nil {
                        return fmt.Errorf("dataImportCronTemplate spec is empty for an enabled DataImportCronTemplate")
                }
        }

        return nil
}

func (wh *WebhookHandler) validateTLSSecurityProfiles(hc *v1beta1.HyperConverged) error {
        tlsSP := hc.Spec.TLSSecurityProfile

        if tlsSP == nil || tlsSP.Custom == nil {
                return nil
        }

        if !isValidTLSProtocolVersion(tlsSP.Custom.MinTLSVersion) {
                return fmt.Errorf("invalid value for spec.tlsSecurityProfile.custom.minTLSVersion")
        }

        if tlsSP.Custom.MinTLSVersion < openshiftconfigv1.VersionTLS13 && !hasRequiredHTTP2Ciphers(tlsSP.Custom.Ciphers) {
                return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)")
        } else if tlsSP.Custom.MinTLSVersion == openshiftconfigv1.VersionTLS13 && len(tlsSP.Custom.Ciphers) > 0 {
                return fmt.Errorf("custom ciphers cannot be selected when minTLSVersion is VersionTLS13")
        }

        return nil
}

func (wh *WebhookHandler) validateMediatedDeviceTypes(hc *v1beta1.HyperConverged) error {
        mdc := hc.Spec.MediatedDevicesConfiguration
        if mdc != nil {
                if len(mdc.MediatedDevicesTypes) > 0 && len(mdc.MediatedDeviceTypes) > 0 && !slices.Equal(mdc.MediatedDevicesTypes, mdc.MediatedDeviceTypes) { //nolint SA1019
                        return fmt.Errorf("mediatedDevicesTypes is deprecated, please use mediatedDeviceTypes instead")
                }
                for _, nmdc := range mdc.NodeMediatedDeviceTypes {
                        if len(nmdc.MediatedDevicesTypes) > 0 && len(nmdc.MediatedDeviceTypes) > 0 && !slices.Equal(nmdc.MediatedDevicesTypes, nmdc.MediatedDeviceTypes) { //nolint SA1019
                                return fmt.Errorf("mediatedDevicesTypes is deprecated, please use mediatedDeviceTypes instead")
                        }
                }
        }
        return nil
}

func (wh *WebhookHandler) validateTuningPolicy(hc *v1beta1.HyperConverged) error {
        if hc.Spec.TuningPolicy == v1beta1.HyperConvergedHighBurstProfile { //nolint SA1019
                return newValidationWarning([]string{"spec.tuningPolicy: the highBurst profile is deprecated as of v1.16.0 and will be removed in a future release"})
        }
        return nil
}

const (
        fgMovedWarning       = "spec.featureGates.%[1]s is deprecated and ignored. It will removed in a future version; use spec.%[1]s instead"
        fgDeprecationWarning = "spec.featureGates.%s is deprecated and ignored. It will be removed in a future version;"
)

func (wh *WebhookHandler) validateFeatureGatesOnCreate(hc *v1beta1.HyperConverged) error {
        warnings := wh.validateDeprecatedFeatureGates(hc)
        warnings = validateOldFGOnCreate(warnings, hc)

        if len(warnings) > 0 {
                return newValidationWarning(warnings)
        }

        return nil
}

func (wh *WebhookHandler) validateFeatureGatesOnUpdate(requested, exists *v1beta1.HyperConverged) error {
        warnings := wh.validateDeprecatedFeatureGates(requested)
        warnings = validateOldFGOnUpdate(warnings, requested, exists)

        if len(warnings) > 0 {
                return newValidationWarning(warnings)
        }

        return nil
}

func (wh *WebhookHandler) validateDeprecatedFeatureGates(hc *v1beta1.HyperConverged) []string {
        var warnings []string

        //nolint:staticcheck
        if hc.Spec.FeatureGates.WithHostPassthroughCPU != nil {
                warnings = append(warnings, fmt.Sprintf(fgDeprecationWarning, "withHostPassthroughCPU"))
        }

        //nolint:staticcheck
        if hc.Spec.FeatureGates.DeployTektonTaskResources != nil {
                warnings = append(warnings, fmt.Sprintf(fgDeprecationWarning, "deployTektonTaskResources"))
        }

        //nolint:staticcheck
        if hc.Spec.FeatureGates.NonRoot != nil {
                warnings = append(warnings, fmt.Sprintf(fgDeprecationWarning, "nonRoot"))
        }

        //nolint:staticcheck
        if hc.Spec.FeatureGates.EnableManagedTenantQuota != nil {
                warnings = append(warnings, fmt.Sprintf(fgDeprecationWarning, "enableManagedTenantQuota"))
        }

        return warnings
}

func (wh *WebhookHandler) validateAffinity(hc *v1beta1.HyperConverged) error {
        if hc.Spec.Workloads.NodePlacement != nil {
                if err := validateAffinity(hc.Spec.Workloads.NodePlacement.Affinity); err != nil {
                        return fmt.Errorf("invalid workloads node placement affinity: %v", err.Error())
                }
        }

        if hc.Spec.Infra.NodePlacement != nil {
                if err := validateAffinity(hc.Spec.Infra.NodePlacement.Affinity); err != nil {
                        return fmt.Errorf("invalid infra node placement affinity: %v", err.Error())
                }
        }

        return nil
}

func validateAffinity(affinity *corev1.Affinity) error {
        if affinity == nil || affinity.NodeAffinity == nil || affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution == nil {
                return nil
        }

        _, err := nodeaffinity.NewNodeSelector(affinity.NodeAffinity.RequiredDuringSchedulingIgnoredDuringExecution)

        return err
}

func validateOldFGOnCreate(warnings []string, hc *v1beta1.HyperConverged) []string {
        //nolint:staticcheck
        if hc.Spec.FeatureGates.EnableApplicationAwareQuota != nil {
                warnings = append(warnings, fmt.Sprintf(fgMovedWarning, "enableApplicationAwareQuota"))
        }

        //nolint:staticcheck
        if hc.Spec.FeatureGates.EnableCommonBootImageImport != nil {
                warnings = append(warnings, fmt.Sprintf(fgMovedWarning, "enableCommonBootImageImport"))
        }

        //nolint:staticcheck
        if hc.Spec.FeatureGates.DeployVMConsoleProxy != nil {
                warnings = append(warnings, fmt.Sprintf(fgMovedWarning, "deployVmConsoleProxy"))
        }

        return warnings
}

func validateOldFGOnUpdate(warnings []string, hc, prevHC *v1beta1.HyperConverged) []string {
        //nolint:staticcheck
        if oldFGChanged(hc.Spec.FeatureGates.EnableApplicationAwareQuota, prevHC.Spec.FeatureGates.EnableApplicationAwareQuota) {
                warnings = append(warnings, fmt.Sprintf(fgMovedWarning, "enableApplicationAwareQuota"))
        }

        //nolint:staticcheck
        if oldFGChanged(hc.Spec.FeatureGates.EnableCommonBootImageImport, prevHC.Spec.FeatureGates.EnableCommonBootImageImport) {
                warnings = append(warnings, fmt.Sprintf(fgMovedWarning, "enableCommonBootImageImport"))
        }

        //nolint:staticcheck
        if oldFGChanged(hc.Spec.FeatureGates.DeployVMConsoleProxy, prevHC.Spec.FeatureGates.DeployVMConsoleProxy) {
                warnings = append(warnings, fmt.Sprintf(fgMovedWarning, "deployVmConsoleProxy"))
        }

        return warnings
}

func oldFGChanged(newFG, prevFG *bool) bool {
        return newFG != nil && (prevFG == nil || *newFG != *prevFG)
}

func hasRequiredHTTP2Ciphers(ciphers []string) bool {
        var requiredHTTP2Ciphers = []string{
                "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-ECDSA-AES128-GCM-SHA256",
        }

        // lo.Some returns true if at least 1 element of a subset is contained into a collection
        return lo.Some[string](requiredHTTP2Ciphers, ciphers)
}

// validationResponseFromStatus returns a response for admitting a request with provided Status object.
func validationResponseFromStatus(allowed bool, status metav1.Status) admission.Response {
        resp := admission.Response{
                AdmissionResponse: admissionv1.AdmissionResponse{
                        Allowed: allowed,
                        Result:  &status,
                },
        }
        return resp
}

func SelectCipherSuitesAndMinTLSVersion() ([]string, openshiftconfigv1.TLSProtocolVersion) {
        ci := hcoutil.GetClusterInfo()
        profile := ci.GetTLSSecurityProfile(hcoTLSConfigCache)

        if profile.Custom != nil {
                return profile.Custom.Ciphers, profile.Custom.MinTLSVersion
        }

        return openshiftconfigv1.TLSProfiles[profile.Type].Ciphers, openshiftconfigv1.TLSProfiles[profile.Type].MinTLSVersion
}

func isValidTLSProtocolVersion(pv openshiftconfigv1.TLSProtocolVersion) bool {
        switch pv {
        case
                openshiftconfigv1.VersionTLS10,
                openshiftconfigv1.VersionTLS11,
                openshiftconfigv1.VersionTLS12,
                openshiftconfigv1.VersionTLS13:
                return true
        }
        return false
}

kubevirt / hyperconverged-cluster-operator / 20108931282

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous