WINC-1942: ensure org match in validation by jrvaldes · Pull Request #4215 · openshift/windows-machine-config-operator

jrvaldes · 2026-06-22T20:16:37Z

Summary by CodeRabbit

Bug Fixes
- Made CSR subject organization validation stricter: the CSR must include exactly one organization entry, and it must exactly match the expected certificate type group name.
- Updated validation errors to be more specific when the organization count or value is invalid.
Tests
- Added table-driven tests that generate CSRs for multiple certificate types and verify correct behavior for matching, missing/extra organizations, empty/nil values, and incorrect organization ordering.

openshift-ci · 2026-06-22T20:16:42Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai · 2026-06-22T20:16:47Z

📝 Walkthrough

Walkthrough

The CSR certificate-content validation logic in pkg/csr/validation/validation.go is tightened: instead of iterating through the subject organization list to find the required group name anywhere, it now requires the list to have exactly one element and uses reflect.DeepEqual to match it against v.certType.GroupName. Two new error messages ("invalid number of organizations" and "invalid subject organization") replace the prior single check. A new test file introduces a generateTestCSRPEM helper and a table-driven test (TestValidateCertificateContentOrganizationMatch) covering zero, correct, incorrect, and multiple organization inputs across certificate types.

🚥 Pre-merge checks | ✅ 18 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Go Best Practices & Build Tags	⚠️ Warning	CSR validation package lacks required build tags. As part of Windows Machine Config Operator, pkg/csr/validation contains operator controller code that runs on Linux. Per build tag requirements, Li...	Add //go:build !windows to validation.go and validation_test.go headers, as these files are imported by controllers (Linux-only operator components), not daemon (Windows-only).

✅ Passed checks (18 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security: Secrets, Ssh & Csr	✅ Passed	CSR validation now enforces strict organization matching (exactly 1 org matching certType.GroupName via DeepEqual), preventing privilege escalation (no system:masters/cluster-admin). Tests cover al...
Kubernetes Controller Patterns	✅ Passed	PR modifies only CSR validation utility code (pkg/csr/validation/), not controller implementations. Controller pattern checks are not applicable to validation libraries.
Windows Service Management	✅ Passed	The PR modifies only CSR validation logic (organization matching in certificate signing requests). The custom check for "Windows Service Management" is not applicable—no service priorities, depende...
Platform-Specific Requirements	✅ Passed	PR focuses on CSR organization validation logic with no platform-specific machine naming, service, or cloud-provider constraints. The changes are generic and apply uniformly across all platforms.
Stable And Deterministic Test Names	✅ Passed	All test names in the new test case are static and descriptive with no dynamic values (timestamps, UUIDs, pod/node names, etc.). The repo uses standard Go testing, not Ginkgo.
Test Structure And Quality	✅ Passed	Test file uses standard Go testing (func TestXxx(t *testing.T)), not Ginkgo. Custom check targets Ginkgo tests (It blocks, Describe, etc.) which don't apply here. Not applicable.
Microshift Test Compatibility	✅ Passed	The test added in this PR is a unit test using Go's standard testing package with testify assertions, not a Ginkgo e2e test. It contains no Ginkgo constructs (Describe/It/Context/When) and is locat...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	New test is a standard Go unit test (testing.T), not a Ginkgo e2e test. It tests CSR org validation logic with no multi-node cluster assumptions or dependencies.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CSR certificate validation logic (organization matching), not deployment manifests, operator code, or pod scheduling constraints. Topology-aware check is not applicable.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes found in modified files. Code uses fmt.Errorf only for error returns, not output. Tests use standard testing.T framework with no Ginkgo suite setup.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only standard Go unit tests to pkg/csr/validation/validation_test.go using testing.T and testify, not Ginkgo e2e tests. No Ginkgo patterns (It, Describe, Context, When) found.
No-Weak-Crypto	✅ Passed	PR uses only strong cryptographic algorithms (ECDSA P-256), standard library crypto operations, and applies DeepEqual only to public certificate metadata (organization names), not secrets.
Container-Privileges	✅ Passed	PR modifies only Go source files (pkg/csr/validation/*.go) for CSR validation logic; no Kubernetes manifests or container configurations changed, so container-privileges check is not applicable.
No-Sensitive-Data-In-Logs	✅ Passed	All logging in the PR changes only exposes certificate metadata and Kubernetes resource names (CSR names, node names, RBAC groups). No passwords, tokens, API keys, PII, session IDs, or customer dat...
Title check	✅ Passed	The title 'WINC-1942: ensure org match in validation' clearly and accurately reflects the main change: implementing organization matching validation in CSR processing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands.}

openshift-ci · 2026-06-22T20:17:32Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jrvaldes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [jrvaldes]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jrvaldes · 2026-06-22T20:18:36Z

/test ?

jrvaldes · 2026-06-22T20:19:57Z

/test vsphere-e2e-operator

jrvaldes · 2026-06-22T20:20:03Z

/test azure-e2e-operator

jrvaldes · 2026-06-23T01:49:30Z

/test vsphere-e2e-operator

mansikulkarni96 · 2026-06-23T15:35:45Z

Thanks for working on this!
/lgtm

jrvaldes · 2026-06-23T15:59:59Z

@coderabbitai full review

coderabbitai · 2026-06-23T16:00:08Z

✅ Action performed

Full review finished.

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/csr/validation/validation_test.go`:
- Around line 22-25: In the test helper function containing the IP address
parsing loop, add a nil check immediately after calling net.ParseIP(ip) within
the for loop that iterates through the ips slice and appends to ipAddrs. When
net.ParseIP returns nil for an invalid IP address, fail the test immediately
using t.Fatalf with a descriptive message that indicates which IP literal was
malformed, rather than allowing nil values to be appended to the ipAddrs slice
where they will cause unclear errors later.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c04ccf86-3350-46e7-8b43-adf2df75b57b

📥 Commits

Reviewing files that changed from the base of the PR and between bba4cbe and 3df3195.

📒 Files selected for processing (2)

pkg/csr/validation/validation.go
pkg/csr/validation/validation_test.go

openshift-merge-bot · 2026-06-23T16:52:15Z

/retest-required

Remaining retests: 0 against base HEAD c18bdd8 and 2 for PR HEAD 3df3195 in total

openshift-merge-bot · 2026-06-23T17:52:28Z

/retest-required

Remaining retests: 0 against base HEAD 50e3896 and 1 for PR HEAD 3df3195 in total

this commit requires exact single-org match using reflect.DeepEqual, mirroring the kubelet client path in isNodeClientCert().

openshift-ci-robot · 2026-06-23T19:38:21Z

@jrvaldes: No Jira issue with key WINC-1942 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary by CodeRabbit

Bug Fixes

Made CSR subject organization validation stricter: the CSR must include exactly one organization entry, and it must exactly match the expected certificate type group name.

Updated validation errors to be more specific when the organization count or value is invalid.

Tests

Added table-driven tests that generate CSRs for multiple certificate types and verify correct behavior for matching, missing/extra organizations, empty/nil values, and incorrect organization ordering.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

mansikulkarni96 · 2026-06-23T19:42:43Z

/lgtm

jrvaldes · 2026-06-23T19:49:01Z

/cherry-pick release-4.22

openshift-cherrypick-robot · 2026-06-23T19:49:05Z

@jrvaldes: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-merge-bot · 2026-06-23T23:06:53Z

/retest-required

Remaining retests: 0 against base HEAD ffebd9d and 2 for PR HEAD 441feb7 in total

jrvaldes · 2026-06-24T01:33:58Z

/override ci/prow/vsphere-disconnected-e2e-operator

job failing across CI

openshift-ci · 2026-06-24T01:34:15Z

@jrvaldes: Overrode contexts on behalf of jrvaldes: ci/prow/vsphere-disconnected-e2e-operator

Details

In response to this:

/override ci/prow/vsphere-disconnected-e2e-operator

job failing across CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jrvaldes · 2026-06-24T01:34:44Z

/test platform-none-vsphere-e2e-operator

template windows-golden-images/windows-server-2022-template-ipv6-disabled not found in vCenter

jrvaldes · 2026-06-24T01:35:17Z

/test nutanix-e2e-operator

jrvaldes · 2026-06-24T12:10:27Z

/override ci/prow/platform-none-vsphere-e2e-operator

template not found

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_windows-machine-config-operator/4215/pull-ci-openshift-windows-machine-config-operator-master-platform-none-vsphere-e2e-operator/2069595068565557248

openshift-ci · 2026-06-24T12:11:34Z

@jrvaldes: Overrode contexts on behalf of jrvaldes: ci/prow/platform-none-vsphere-e2e-operator

Details

In response to this:

/override ci/prow/platform-none-vsphere-e2e-operator

template not found

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_windows-machine-config-operator/4215/pull-ci-openshift-windows-machine-config-operator-master-platform-none-vsphere-e2e-operator/2069595068565557248

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jrvaldes · 2026-06-24T15:04:50Z

/retest-required

jrvaldes · 2026-06-24T19:28:54Z

/retest-required

jrvaldes · 2026-06-24T20:28:29Z

/override ci/prow/vsphere-proxy-e2e-operator

passed before
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_windows-machine-config-operator/4215/pull-ci-openshift-windows-machine-config-operator-master-vsphere-proxy-e2e-operator/2069504121525768192

openshift-ci · 2026-06-24T20:29:02Z

@jrvaldes: Overrode contexts on behalf of jrvaldes: ci/prow/vsphere-proxy-e2e-operator

Details

In response to this:

/override ci/prow/vsphere-proxy-e2e-operator

passed before
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_windows-machine-config-operator/4215/pull-ci-openshift-windows-machine-config-operator-master-vsphere-proxy-e2e-operator/2069504121525768192

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jrvaldes · 2026-06-24T23:30:04Z

/override ci/prow/vsphere-proxy-e2e-operator

openshift-ci · 2026-06-24T23:30:20Z

@jrvaldes: Overrode contexts on behalf of jrvaldes: ci/prow/vsphere-proxy-e2e-operator

Details

In response to this:

/override ci/prow/vsphere-proxy-e2e-operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jrvaldes · 2026-06-24T23:30:36Z

/override ci/prow/gcp-e2e-operator

passed before
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_windows-machine-config-operator/4215/pull-ci-openshift-windows-machine-config-operator-master-gcp-e2e-operator/2069504103217631232

openshift-ci · 2026-06-24T23:31:01Z

@jrvaldes: Overrode contexts on behalf of jrvaldes: ci/prow/gcp-e2e-operator

Details

In response to this:

/override ci/prow/gcp-e2e-operator

passed before
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_windows-machine-config-operator/4215/pull-ci-openshift-windows-machine-config-operator-master-gcp-e2e-operator/2069504103217631232

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci · 2026-06-24T23:31:02Z

@jrvaldes: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-cherrypick-robot · 2026-06-24T23:36:43Z

@jrvaldes: new pull request created: #4225

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 22, 2026

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 22, 2026

openshift-ci Bot assigned mansikulkarni96 Jun 23, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 23, 2026

jrvaldes marked this pull request as ready for review June 23, 2026 15:59

openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 23, 2026

openshift-ci Bot requested a review from mansikulkarni96 June 23, 2026 16:00

coderabbitai Bot reviewed Jun 23, 2026

View reviewed changes

Comment thread pkg/csr/validation/validation_test.go Outdated

[csr] ensure org match in validation

441feb7

this commit requires exact single-org match using reflect.DeepEqual, mirroring the kubelet client path in isNodeClientCert().

jrvaldes marked this pull request as draft June 23, 2026 19:20

openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 23, 2026

jrvaldes force-pushed the f001 branch from 3df3195 to 441feb7 Compare June 23, 2026 19:21

openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 23, 2026

jrvaldes marked this pull request as ready for review June 23, 2026 19:33

openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 23, 2026

jrvaldes changed the title ~~[csr] ensure org match in validation~~ WINC-1942: ensure org match in validation Jun 23, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 23, 2026

openshift-merge-bot Bot merged commit b6068dc into openshift:master Jun 24, 2026
19 checks passed

openshift-cherrypick-robot mentioned this pull request Jun 24, 2026

[release-4.22] ensure org match in validation #4225

Open

Uh oh!

Conversation

jrvaldes commented Jun 22, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-ci Bot commented Jun 22, 2026

Uh oh!

coderabbitai Bot commented Jun 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

❌ Failed checks (2 warnings)

Uh oh!

openshift-ci Bot commented Jun 22, 2026

Uh oh!

jrvaldes commented Jun 22, 2026

Uh oh!

jrvaldes commented Jun 22, 2026

Uh oh!

jrvaldes commented Jun 22, 2026

Uh oh!

jrvaldes commented Jun 23, 2026

Uh oh!

mansikulkarni96 commented Jun 23, 2026

Uh oh!

jrvaldes commented Jun 23, 2026

Uh oh!

coderabbitai Bot commented Jun 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

openshift-merge-bot Bot commented Jun 23, 2026

Uh oh!

openshift-merge-bot Bot commented Jun 23, 2026

Uh oh!

openshift-ci-robot commented Jun 23, 2026

Summary by CodeRabbit

Uh oh!

mansikulkarni96 commented Jun 23, 2026

Uh oh!

jrvaldes commented Jun 23, 2026

Uh oh!

openshift-cherrypick-robot commented Jun 23, 2026

Uh oh!

openshift-merge-bot Bot commented Jun 23, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

openshift-ci Bot commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

openshift-ci Bot commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

openshift-ci Bot commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

openshift-ci Bot commented Jun 24, 2026

Uh oh!

jrvaldes commented Jun 24, 2026

Uh oh!

openshift-ci Bot commented Jun 24, 2026

Uh oh!

openshift-ci Bot commented Jun 24, 2026

Uh oh!

Uh oh!

jrvaldes commented Jun 22, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 22, 2026 •

edited

Loading

coderabbitai Bot commented Jun 23, 2026 •

edited

Loading