
[cluster-proxy] Support setting tls profile#285

Merged
xuezhaojun merged 6 commits into
open-cluster-management-io:mainfrom
tesshuflower:tls_profile_1447
Apr 25, 2026

Conversation

@tesshuflower
Contributor

@tesshuflower tesshuflower commented Apr 23, 2026


Summary

Adds TLS profile support to all cluster-proxy HTTPS-serving components, implementing ocm#1447.

Each component watches the ocm-tls-profile ConfigMap in its deployed namespace using sdk-go/pkg/tls.StartTLSConfigMapWatcher. When the ConfigMap is absent, components use defaults (TLS 1.2, Go default cipher suites) — preserving existing behavior. When the ConfigMap changes, the affected container restarts via os.Exit(0) and picks up the new settings.

Components updated

  • cluster-proxy-manager & cluster-proxy-addon-user & service-proxy (spoke) watch ocm-tls-profile in the deployed namespace
  • cluster-proxy-manager & cluster-proxy-addon-user & service-proxy (spoke) self-configure their own TLS
  • cluster-proxy-manager & cluster-proxy-addon-user & service-proxy (spoke) exit on ConfigMap changes
  • cluster-proxy-manager injects TLS flags into its managed deployment (anp-server)
    • partially done: only --cipher-suites= is passed through so far, as anp upstream still needs to be updated to allow passing through --tls-min-version
  • anp-agent & cluster-proxy-addon-agent do not expose any https port, so they do not need any changes

Notes/Special Considerations

  • outbound communications have not been modified as we're relying on the servers to set these.

  • On the ManagedProxyConfigurationReconciler, a TLS config hash annotation on the Deployment ensures ensure() updates the deployment even when the ManagedProxyConfiguration CR generation hasn't changed. The ensure() function would otherwise not update the deployment unless the ManagedProxyConfiguration CR was modified. Note this may still be a concern: the various CRs can currently get out of sync if they are modified and the ManagedProxyConfiguration CR is not touched.

  • Note that the addon-manager didn't strictly need a restart following updates to the tls configmap, as it only needs to update the deployment above - but it uses the common sdk-go/pkg/tls.StartTLSConfigMapWatcher for consistency rather than doing a watch on the ConfigMap itself.

  • Helm chart changes - Some helm charts were modified as components needed the pod's namespace in order to be able to lookup the tls configmap.

  • Added POD_NAMESPACE env var (downward API) to manager-deployment.yaml, user-deployment.yaml, and addon-agent-deployment.yaml (spoke service-proxy container)

  • Added RBAC for ConfigMap get/list/watch in the spoke addon-agent role

Not done yet:

Testing

  • Deployed to kind clusters (hub + managed cluster)
  • Verified all components load TLS config on startup and restart when ConfigMap changes
  • Verified proxy-server deployment gets updated with --cipher-suites args via hash annotation trigger
  • Verified spoke service-proxy picks up ConfigMap independently

For: open-cluster-management-io/ocm#1447

Summary by CodeRabbit

  • New Features

    • Dynamic TLS configuration via ConfigMaps with automatic restart on changes
  • Improvements

    • Components gain runtime pod-namespace awareness via env var
    • Health probes and server TLS now use the dynamic TLS config
    • TLS change detection tracked via a TLS-config hash annotation
    • RBAC expanded to allow observing ConfigMaps
  • Dependencies

    • Bumped several Kubernetes and test-related modules
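As an added illustration of the mechanism the description above sets out (a TLS profile loaded from the ConfigMap, a deterministic hash annotation on the proxy-server Deployment, and a `--cipher-suites=` argument injected into anp-server), here is a self-contained Go sketch. It is example code written for this page, not code from this PR, from cluster-proxy or from sdk-go: the ConfigMap keys `minTLSVersion` and `cipherSuites`, the version-name spellings and all function names are assumptions, while the annotation key is the one the PR adds in pkg/common/constants.go. It goes slightly beyond the PR text by rejecting, at parse time, any suite Go itself classifies as insecure.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"strings"
)

// Annotation key as named on the PR page (pkg/common/constants.go).
const annotationTLSConfigHash = "proxy.open-cluster-management.io/tls-config-hash"

// TLSProfile is a constructed stand-in for the parsed ocm-tls-profile ConfigMap.
// CipherSuites keeps the operator's order, since order is the TLS preference.
type TLSProfile struct {
	MinVersion   uint16
	CipherSuites []uint16
}

// Accepted minimum-version names (assumed spelling, not the sdk-go schema).
var versionByName = map[string]uint16{
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// ParseProfile turns ConfigMap-style data into a profile. A nil or empty map
// (ConfigMap absent) yields the PR's defaults: TLS 1.2 and Go's default suites.
// The keys "minTLSVersion" and "cipherSuites" are assumed names for this example.
func ParseProfile(data map[string]string) (*TLSProfile, error) {
	p := &TLSProfile{MinVersion: tls.VersionTLS12}
	if v, ok := data["minTLSVersion"]; ok {
		id, known := versionByName[v]
		if !known {
			return nil, fmt.Errorf("unsupported TLS version %q", v)
		}
		p.MinVersion = id
	}
	raw, ok := data["cipherSuites"]
	if !ok {
		return p, nil
	}
	// Only names from tls.CipherSuites() are accepted, so anything Go lists under
	// tls.InsecureCipherSuites() (RC4, 3DES, CBC-SHA256, ...) is rejected here.
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	for _, name := range strings.Split(raw, ",") {
		id, ok := secure[strings.TrimSpace(name)]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q is unknown or insecure", strings.TrimSpace(name))
		}
		p.CipherSuites = append(p.CipherSuites, id)
	}
	return p, nil
}

// ToTLSConfig is what a component hands to its own http.Server.
func (p *TLSProfile) ToTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: p.MinVersion, CipherSuites: append([]uint16(nil), p.CipherSuites...)}
}

// CipherSuiteNames renders the IDs back to IANA names for flags and hashing.
func (p *TLSProfile) CipherSuiteNames() []string {
	names := make([]string, 0, len(p.CipherSuites))
	for _, id := range p.CipherSuites {
		names = append(names, tls.CipherSuiteName(id))
	}
	return names
}

// Hash is the deterministic fingerprint stored in the deployment annotation.
// A NUL separator keeps the two fields from running together; the 16-hex-char
// truncation mirrors the PR and is enough for change detection, nothing more.
func (p *TLSProfile) Hash() string {
	if p == nil {
		return ""
	}
	h := sha256.New()
	h.Write([]byte(strings.Join(p.CipherSuiteNames(), ",")))
	h.Write([]byte{0})
	fmt.Fprintf(h, "%d", p.MinVersion)
	return hex.EncodeToString(h.Sum(nil))[:16]
}

// ProxyServerArgs builds the flag the manager injects into the anp-server
// deployment; --tls-min-version is deliberately not emitted yet (see the PR text).
func ProxyServerArgs(p *TLSProfile) []string {
	if p == nil || len(p.CipherSuites) == 0 {
		return nil
	}
	return []string{"--cipher-suites=" + strings.Join(p.CipherSuiteNames(), ",")}
}

// NeedsUpdate is the reconciler decision the PR describes: redeploy when the CR
// generation moved, or when the stored hash annotation no longer matches.
func NeedsUpdate(existing map[string]string, desired *TLSProfile, generationChanged bool) bool {
	return generationChanged || existing[annotationTLSConfigHash] != desired.Hash()
}
```

One caveat worth keeping in mind when reading this against the real components: Go's crypto/tls only honours `tls.Config.CipherSuites` for TLS 1.2 and below (TLS 1.3 suites are not configurable), so a profile with a 1.3 minimum leaves the suite list without effect on the Go servers, while the same list still reaches anp-server through the injected flag.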

tesshuflower and others added 5 commits April 22, 2026 09:50
- update sdk-go in go.mod to include pkg/tls library
- add TLS profile ConfigMap watcher to user-server
- add POD_NAMESPACE env var to user-server deployment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Signed-off-by: Tesshu Flower <tflower@redhat.com>
- health probes are using HTTP however the setup of the server
sets a default TLSConfig anyway - to reduce confusion, pass through
our custom TLSConfig rather than hardcoding a default.

Signed-off-by: Tesshu Flower <tflower@redhat.com>
- Add TLS ConfigMap watcher to service-proxy using sdk-go pkg/tls
- Add POD_NAMESPACE env var to service-proxy container via downward API
- Add configmap get/list/watch permissions to addon-agent role

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Tesshu Flower <tflower@redhat.com>
- Watch the ocm-tls-profile ConfigMap via StartTLSConfigMapWatcher and
pass cipher suites to the ANP proxy-server deployment. The addon-manager
restarts on ConfigMap changes, consistent with user-server and
service-proxy.
- TLS min version support for anp-server is prepared but commented out
pending upstream ANP support for --tls-min-version.
- unit test for args to anp-server - including new tlsconfig args (will
  also need to be updated once ANP has support for tls-min-version)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Tesshu Flower <tflower@redhat.com>
The ensure function only updated resources when the ManagedProxyConfiguration
CR generation bumped, so TLS config changes from the ocm-tls-profile ConfigMap
were never applied to the proxy-server deployment. Add a TLS config hash
annotation to the deployment and trigger updates when the hash differs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Tesshu Flower <tflower@redhat.com>
@coderabbitai

coderabbitai Bot commented Apr 23, 2026

Walkthrough

Adds dynamic TLS ConfigMap watching and propagation: pods get POD_NAMESPACE, services load TLS profile (MinVersion, CipherSuites) from a namespaced ConfigMap, controllers annotate deployments with a TLS hash and include TLS-derived proxy args, and services restart on TLS changes; RBAC and tests updated, and dependencies bumped.

Changes

Cohort / File(s) Summary
Deployment templates with POD_NAMESPACE
charts/cluster-proxy/templates/manager-deployment.yaml, charts/cluster-proxy/templates/user-deployment.yaml, pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
Added POD_NAMESPACE env var sourced from metadata.namespace to containers.
TLS annotation constant
pkg/common/constants.go
Added AnnotationKeyTLSConfigHash = "proxy.open-cluster-management.io/tls-config-hash".
TLS ConfigMap watcher wiring (manager & services)
cmd/addon-manager/main.go, pkg/serviceproxy/service_proxy.go, pkg/userserver/user_server.go
Start TLS ConfigMap watcher using POD_NAMESPACE; load MinVersion/CipherSuites, build tls.Config, log values, and exit process on changes to force restart; apply tlsConfig to servers.
Service health probe API
pkg/utils/utils.go
ServeHealthProbes signature changed to accept tlsConfig *tls.Config and apply it to the http.Server.
Proxy-server deployment & args generation
pkg/proxyserver/controllers/manifests.go, pkg/proxyserver/controllers/managedproxyconfiguration_controller.go
Thread tlsConfig into RegisterClusterManagementAddonReconciler and newProxyServerDeployment; compute a deterministic TLS hash tlsConfigHash, set annotation, and generate --cipher-suites= proxy args via new proxyServerArgs. Reconciler triggers updates when generation or TLS hash changes.
RBAC update for ConfigMap access
pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-role.yaml
Added get, list, watch rules for configmaps to allow reading TLS ConfigMap.
Tests and integration update
pkg/proxyserver/controllers/manifests_test.go, test/integration/controllers/suite_test.go
Added unit tests for proxy arg generation and TLS hash; updated integration suite to pass tlsConfig argument (nil) to reconciler registration.
Dependency bumps
go.mod
Updated multiple dependencies (ginkgo/gomega, k8s.io modules, controller-runtime, OCM internal modules, and various indirect deps).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 10.53%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title '[cluster-proxy] Support setting tls profile' clearly and specifically describes the main change: adding TLS profile support to the cluster-proxy components.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@openshift-ci

openshift-ci Bot commented Apr 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tesshuflower
Once this PR has been reviewed and has the lgtm label, please assign yue9944882 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tesshuflower
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 23, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (9)
test/integration/controllers/suite_test.go (1)

125-125: Integration test covers only the nil-TLSConfig path.

Passing nil for the new tlsConfig *sdktls.TLSConfig keeps the existing behavior but leaves the non-nil branch (which drives AnnotationKeyTLSConfigHash computation and deployment updates) untested at the integration level. Consider adding a case that passes a stub *sdktls.TLSConfig and asserts the hash annotation appears on the rendered proxy-server Deployment.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/integration/controllers/suite_test.go` at line 125, Add an integration
test that exercises the non-nil tlsConfig branch used by
RegisterClusterManagementAddonReconciler: construct a stub sdktls.TLSConfig,
pass it instead of nil to RegisterClusterManagementAddonReconciler, trigger
reconciliation, then fetch the rendered proxy-server Deployment and assert that
the AnnotationKeyTLSConfigHash annotation is present and equals the expected
hash; locate the test around suite_test.go where
RegisterClusterManagementAddonReconciler is called and add the new case
verifying TLSConfig-driven annotation on the proxy-server Deployment.
cmd/addon-manager/main.go (1)

169-175: Minor: klog.Fatalf after defer cancel() skips the deferred cancel.

klog.Fatalf calls os.Exit(1), which bypasses the deferred cancel() above. Not functionally harmful here (the process is exiting), but for consistency with the error handling below (which uses setupLog.Error + os.Exit(1)), consider the same pattern:

-	podNamespace := os.Getenv("POD_NAMESPACE")
-	if len(podNamespace) == 0 {
-		klog.Fatalf("Pod namespace is empty, please set the ENV for POD_NAMESPACE")
-	}
+	podNamespace := os.Getenv("POD_NAMESPACE")
+	if len(podNamespace) == 0 {
+		setupLog.Error(nil, "POD_NAMESPACE env var must be set")
+		os.Exit(1)
+	}
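Review bot: the replacement still exits through os.Exit(1), and os.Exit never runs deferred functions, so the deferred cancel() is skipped exactly as it was with klog.Fatalf; the suggested hunk buys consistency with the setupLog.Error + os.Exit(1) pattern, not the "so the defer cancel() runs" behaviour the prompt text claims. If running cancel() actually matters here, call cancel() explicitly before os.Exit(1) or return an error from the enclosing function so main's defers unwind normally.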
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@cmd/addon-manager/main.go` around lines 169 - 175, The current early exit
uses klog.Fatalf which bypasses the deferred cancel() (ctx, cancel) — instead,
replace the klog.Fatalf("Pod namespace is empty...") call with a non-fatal log
using setupLog.Error (or setupLog.ErrorS) to report the empty POD_NAMESPACE and
then call os.Exit(1) so the defer cancel() runs; locate the podNamespace check
around variables ctx and cancel and update the error path (replace klog.Fatalf
with setupLog.Error + os.Exit(1)) to match the pattern used elsewhere.
pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-role.yaml (1)

13-20: Narrow the configmap rule to the TLS ConfigMap using resourceNames.

The current rule permits get/list/watch on all configmaps in the namespace. The TLS watcher targets only ocm-tls-profile via a field-selector watch (metadata.name=ocm-tls-profile), so this can be tightened to:

  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - ocm-tls-profile
    verbs:
      - get
      - list
      - watch

This narrows permissions to the specific ConfigMap and aligns with least-privilege RBAC principles.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-role.yaml`
around lines 13 - 20, The Role rule currently grants get/list/watch on all
configmaps; restrict it to the TLS ConfigMap by adding resourceNames with the
value "ocm-tls-profile" under the configmaps rule so the rule becomes limited to
the specific resource (keep apiGroups: [""], resources: ["configmaps"],
resourceNames: ["ocm-tls-profile"], verbs: ["get","list","watch"]); update the
rule in the addon-agent-role.yaml template where configmaps are defined.
pkg/proxyserver/controllers/manifests_test.go (1)

35-114: Good coverage of proxyServerArgs and tlsConfigHash behaviors.

Nice and focused. Optional: consider also adding a small test against newProxyServerDeployment itself that asserts common.AnnotationKeyTLSConfigHash ends up on the returned Deployment's ObjectMeta.Annotations only when a non-nil TLS config is supplied — that's the contract the reconciler in managedproxyconfiguration_controller.go (lines 277-280) actually relies on, and it isn't directly exercised by the current tests.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/proxyserver/controllers/manifests_test.go` around lines 35 - 114, Add a
unit test for newProxyServerDeployment that verifies it sets
common.AnnotationKeyTLSConfigHash in the returned
Deployment.ObjectMeta.Annotations only when a non-nil TLS config is passed: call
newProxyServerDeployment with a nil TLS config and assert the annotation is
absent, then call it with a populated sdktls.TLSConfig and assert the annotation
exists and is non-empty; reference newProxyServerDeployment and
common.AnnotationKeyTLSConfigHash to locate code and inspect the Deployment's
ObjectMeta.Annotations for the assertions.
pkg/userserver/user_server.go (2)

247-250: Minor: duplicate ctrl.GetConfigOrDie() call.

init(ctx) (line 151) already builds an addonClient from ctrl.GetConfigOrDie(). Constructing a second rest config here is harmless but easy to consolidate (e.g., build the rest.Config once in init() and reuse it for both clients).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/userserver/user_server.go` around lines 247 - 250, The code calls
ctrl.GetConfigOrDie() twice; consolidate by obtaining the REST config once in
init(ctx) and reuse it when creating both the addon client and the kube client.
Modify init(ctx) to assign ctrl.GetConfigOrDie() to a cfg variable (or a field)
used to create addonClient, and then replace the second ctrl.GetConfigOrDie() in
the kubernetes.NewForConfig call (used to create kubeClient) with that same cfg
so kubernetes.NewForConfig(cfg) reuses the single rest.Config instance.

251-257: Consider graceful shutdown instead of os.Exit(0) on TLS reload.

Calling os.Exit(0) from the watcher callback abruptly terminates the process while long-lived proxy connections (e.g., kubectl exec/port-forward through the tunnel) and in-flight HTTP responses are still in flight. A cleaner approach is to cancel a parent context and let http.Server.Shutdown drain existing connections before exiting; the kubelet will then restart the pod and the new TLS profile takes effect.

The same pattern is used in pkg/serviceproxy/service_proxy.go (lines 231-237) — both would benefit from the change.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/userserver/user_server.go` around lines 251 - 257, Replace the abrupt
os.Exit(0) in the sdktls.StartTLSConfigMapWatcher callback with a graceful
shutdown: create a cancellable parent context (e.g., ctx, cancel :=
context.WithCancel(...)) used by the HTTP server, pass a callback that calls
cancel() instead of os.Exit(0), and ensure the main goroutine listens for
ctx.Done() and calls server.Shutdown(gracefulCtx) to drain connections before
exit; update the sdktls.StartTLSConfigMapWatcher invocation in user_server.go
(and mirror the same pattern from pkg/serviceproxy/service_proxy.go) to use
cancel() so TLS reload triggers a controlled shutdown rather than an immediate
process exit.
pkg/proxyserver/controllers/manifests.go (1)

262-270: Add a separator between hash inputs to avoid theoretical collision.

CipherSuitesToString(...) and VersionToString(...) are written back-to-back, so two distinct configs whose serializations happen to concatenate identically would hash the same. Real-world collision is extremely unlikely given the constrained formats, but injecting a delimiter is free and removes the ambiguity.

♻️ Proposed tweak
 func tlsConfigHash(tlsConfig *sdktls.TLSConfig) string {
   if tlsConfig == nil {
     return ""
   }
   h := sha256.New()
   h.Write([]byte(sdktls.CipherSuitesToString(tlsConfig.CipherSuites)))
+  h.Write([]byte{0})
   h.Write([]byte(sdktls.VersionToString(tlsConfig.MinVersion)))
   return fmt.Sprintf("%x", h.Sum(nil))[:16]
 }
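Review bot: the NUL delimiter does remove the concatenation ambiguity, but note that `[:16]` keeps only 64 bits of the SHA-256 digest; that is adequate for detecting that a small, operator-controlled profile changed, not as a collision-resistant identifier, and a one-line comment on tlsConfigHash should say so to stop a future reader "fixing" it in either direction. Also, because a nil tlsConfig returns "", a Deployment carrying no annotation compares equal to "no profile", which is the intended no-op when the ConfigMap is absent; worth an explicit test alongside the ones in manifests_test.go.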
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/proxyserver/controllers/manifests.go` around lines 262 - 270, The
tlsConfigHash function currently concatenates
sdktls.CipherSuitesToString(tlsConfig.CipherSuites) and
sdktls.VersionToString(tlsConfig.MinVersion) without a separator which can
create a theoretical collision; update tlsConfigHash to write a clear delimiter
(e.g., a single byte like 0x00 or a character such as ':') between the two
writes to the SHA-256 hasher after the CipherSuites string and before the
Version string so the two fields cannot ambiguously concatenate.
pkg/proxyserver/controllers/managedproxyconfiguration_controller.go (1)

134-134: Minor: tlsConfig is both a field and a passed argument.

c.tlsConfig is stored on the reconciler in RegisterClusterManagementAddonReconciler (line 80), yet deployProxyServer accepts it as a parameter (line 172) and the only caller passes c.tlsConfig (line 134). Either drop the parameter and read c.tlsConfig inside deployProxyServer, or drop the field and keep the parameter — having both invites drift.

Also applies to: 172-172

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/proxyserver/controllers/managedproxyconfiguration_controller.go` at line
134, The code passes c.tlsConfig into deployProxyServer while also storing
tlsConfig as a reconciler field, which duplicates state; pick one approach — I
suggest removing the parameter from deployProxyServer and referencing the
reconciler field directly: update the deployProxyServer method signature to no
longer accept tlsConfig, replace any use of the parameter inside
deployProxyServer with c.tlsConfig, and update all callers (e.g., the call from
where isModified, err := c.deployProxyServer(config, c.tlsConfig) is made) to
call c.deployProxyServer(config) instead; alternatively, if you prefer the
parameter approach, remove the tlsConfig field set in
RegisterClusterManagementAddonReconciler and ensure callers pass the tlsConfig
explicitly.
pkg/utils/utils.go (1)

156-178: Document the currently-unused tlsConfig parameter on the exported function.

The inline comment on line 173 explains the situation, but ServeHealthProbes is exported and the new tlsConfig argument has no observable effect today (the server starts via ListenAndServe, not ListenAndServeTLS). Consider promoting the note to the function-level Godoc so callers don't assume passing a non-nil tlsConfig enables TLS for /healthz.

-// ServeHealthProbes serves health probes and configchecker.
+// ServeHealthProbes serves health probes and configchecker over HTTP.
+//
+// NOTE: tlsConfig is accepted for forward compatibility but is currently
+// unused, since the server is started via ListenAndServe(). It will take
+// effect when this function switches to ListenAndServeTLS.
 func ServeHealthProbes(healthProbeBindAddress string, tlsConfig *tls.Config, customChecks ...healthz.Checker) error {
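Review bot: the proposed Godoc says tlsConfig is "currently unused", but the walkthrough above states that ServeHealthProbes applies the value to the http.Server; it has no effect only because the server is started with ListenAndServe rather than ListenAndServeTLS. Word the note that precisely ("assigned to the server's TLSConfig but without effect over plain HTTP"), otherwise a reader who sees the field being set will distrust the comment. If TLS for /healthz is not actually planned, dropping the parameter is cleaner than a forward-compatibility note that invites callers to rely on it.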
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/utils/utils.go` around lines 156 - 178, Exported function
ServeHealthProbes currently accepts a tlsConfig parameter that is unused because
the function calls server.ListenAndServe(); update the function-level Godoc for
ServeHealthProbes to document that tlsConfig is currently ignored and does not
enable TLS (callers must use a different API or modify the function to call
ListenAndServeTLS if TLS is desired), and keep the existing inline comment or
remove it after adding the Godoc note; reference the tlsConfig parameter and the
server.ListenAndServe call in the comment so callers understand the current
behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 11: The go.mod currently pins the vulnerable module
"google.golang.org/grpc v1.76.0"; update that dependency to v1.79.3 or later
(replace the version string "google.golang.org/grpc v1.76.0" with
"google.golang.org/grpc v1.79.3" or higher), run `go get
google.golang.org/grpc@v1.79.3` (or `go get ./...`) to update go.sum, then run
`go mod tidy` and your test suite to ensure no breaking changes; ensure any CI
caching or vendoring is refreshed so the updated "google.golang.org/grpc"
version is used.


📥 Commits

Reviewing files that changed from the base of the PR and between 7b33265 and 70a6ed8.

⛔ Files ignored due to path filters (286)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/abort.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/compile.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/gocovmerge.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/dependencies.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/around_node.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/failer.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/focus.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/group.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/interrupt_handler.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/node.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/ordering.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_unix.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/client_server.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_client.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_server.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_client.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_server.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/server_handler.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/progress_report.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/report_entry.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_event_writer.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/reporters/gojson_reporter.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/spec_context.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/suite.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/internal/writer.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/gojson_report.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/table_dsl.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/around_node.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/config.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/deprecated_types.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/errors.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/flags.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/label_filter.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/report_entry.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/semver_filter.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/types.go is excluded by !vendor/**
  • vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/format/format.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/internal/assertion.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/internal/async_assertion.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/internal/duration_bundle.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/internal/gomega.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/internal/polling_signal_error.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/internal/vetoptdesc.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/and.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/assignable_to_type_of_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_a_directory.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_a_regular_file.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_an_existing_file.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_closed_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_element_of_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_empty_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_equivalent_to_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_false_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_identical_to.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_key_of_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_nil_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_numerically_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_sent_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_temporally_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_true_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_zero_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/consist_of.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/contain_element_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/contain_elements_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/contain_substring_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/equal_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_cap_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_each_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_exact_elements.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_existing_field_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_field.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_http_header_with_value_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_http_status_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_len_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_occurred_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_prefix_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_suffix_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/have_value.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/match_error_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/match_json_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/match_regexp_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/not.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/or.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/panic_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/receive_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/satisfy_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/semi_structured_data_support.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/succeed_matcher.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/support/goraph/bipartitegraph/bipartitegraph.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/support/goraph/node/node.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/type_support.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/matchers/with_transform.go is excluded by !vendor/**
  • vendor/github.com/onsi/gomega/types/types.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/desc.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/labels.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/metric.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/vec.go is excluded by !vendor/**
  • vendor/github.com/prometheus/client_golang/prometheus/wrap.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/expfmt/encode.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/model/labels.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/model/labelset.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/model/metric.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/model/time.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/model/value.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/model/value_histogram.go is excluded by !vendor/**
  • vendor/github.com/prometheus/common/model/value_type.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/Makefile.common is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/README.md is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/arp.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/fs.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/fscache.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/mountstats.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/net_unix.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_io.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_status.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !vendor/**
  • vendor/github.com/prometheus/procfs/softirqs.go is excluded by !vendor/**
  • vendor/golang.org/x/mod/LICENSE is excluded by !vendor/**
  • vendor/golang.org/x/mod/PATENTS is excluded by !vendor/**
  • vendor/golang.org/x/mod/semver/semver.go is excluded by !vendor/**
  • vendor/golang.org/x/net/context/context.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/gcexportdata/importer.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/packages/doc.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/packages/external.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/packages/golist.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/packages/golist_overlay.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/packages/loadmode_string.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/packages/visit.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/imports.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/methodsetcache.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/ui.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/fast.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/doc.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/event.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/keys/standard.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/keys/util.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/exportdata.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/gcimporter.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/predeclared.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/support.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/invoke.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/invoke_notunix.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/invoke_unix.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/vendor.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/gocommand/version.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/packagesinternal/packages.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/codes.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/decoder.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/doc.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/encoder.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/flags.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/reloc.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/support.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/sync.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/syncmarker_string.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/pkgbits/version.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !vendor/**
📒 Files selected for processing (14)
  • charts/cluster-proxy/templates/manager-deployment.yaml
  • charts/cluster-proxy/templates/user-deployment.yaml
  • cmd/addon-manager/main.go
  • go.mod
  • pkg/common/constants.go
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
  • pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-role.yaml
  • pkg/proxyserver/controllers/managedproxyconfiguration_controller.go
  • pkg/proxyserver/controllers/manifests.go
  • pkg/proxyserver/controllers/manifests_test.go
  • pkg/serviceproxy/service_proxy.go
  • pkg/userserver/user_server.go
  • pkg/utils/utils.go
  • test/integration/controllers/suite_test.go

Comment thread cmd/addon-manager/main.go
Comment on lines +177 to +191
// Using common code to watch for the TLS Profile configmap and restart.
// Note that technically this addon-manager does not serve any thing with tls directly and only
// updates the configuration in the proxyServer via the RegisterClusterManagementAddonReconciler.
// So we could alternatively add a watch there on the configmap and simply reconcile.
// This way keeps it simpler with common code, but does restart when the configmap changes
sdkTLSConfig, err := sdktls.StartTLSConfigMapWatcher(ctx, nativeClient, podNamespace, func() {
klog.Info("TLS ConfigMap changed, restarting")
os.Exit(0)
})
if err != nil {
setupLog.Error(err, "failed to start TLS ConfigMap watcher")
os.Exit(1)
}
klog.Infof("TLS config loaded: minVersion=%s, ciphersuites=%s", sdktls.VersionToString(sdkTLSConfig.MinVersion),
sdktls.CipherSuitesToString(sdkTLSConfig.CipherSuites))
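Review bot: the callback handed to StartTLSConfigMapWatcher calls os.Exit(0) directly, which ends the process without unwinding main, so any deferred shutdown steps (and, when leader election is enabled, a graceful lease release) are skipped; cancelling the context from the callback and letting main return would restart just as reliably while keeping the normal shutdown path. The loaded sdkTLSConfig is only logged here, which the comment above explains, so the watcher's sole job is the restart; saying so in the comment ("loaded for logging only; applied to the managed Deployment by the reconciler") would stop a later reader from wiring it into a listener by mistake.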
⚠️ Potential issue | 🟡 Minor

Restart-on-change semantics rely on leader election / replica count.

os.Exit(0) on ConfigMap change is fine for a single-replica Deployment, but if replicas > 1 or leader election is enabled (--leader-elect=true per the chart), only the pod whose watcher fires will exit — other replicas may still run with stale TLS config for up to the informer resync interval. Since this addon-manager runs leader-elected and doesn't itself terminate TLS, the practical impact is low (it only influences the rendered proxy-server Deployment via the hash annotation, which each replica would recompute on its own watcher event). Worth a comment clarifying the assumption, or verifying all replicas observe the event promptly.
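The restart-on-change behaviour discussed above only matters because the loaded profile is applied somewhere. To make that concrete, the following added Go example (not code from this PR and not sdk-go's implementation) turns ConfigMap-style data into a crypto/tls config using the PR's stated defaults (TLS 1.2 minimum, Go's default cipher suites when the ConfigMap is absent), rejects suite names that crypto/tls itself marks insecure, and derives a short hash of the kind the PR stores as a Deployment annotation to force a rollout. The key names minTLSVersion and cipherSuites, the version-name spelling, and the sample data are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"strings"
)

// Profile holds the two settings the PR reads from the ocm-tls-profile ConfigMap.
type Profile struct {
	MinVersion   uint16
	CipherSuites []uint16 // nil means "let crypto/tls choose"
}

// Version names accepted in the ConfigMap (assumed spelling). TLS 1.0/1.1 are
// deliberately absent: a profile cannot lower the floor below the TLS 1.2 default.
var versionNames = map[string]uint16{
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// ParseProfile converts ConfigMap data into a Profile. A nil map (ConfigMap absent)
// yields the defaults described in the PR: TLS 1.2 minimum and Go's default suites.
// The key names "minTLSVersion" and "cipherSuites" are assumptions for this example.
func ParseProfile(data map[string]string) (Profile, error) {
	p := Profile{MinVersion: tls.VersionTLS12}
	if data == nil {
		return p, nil
	}
	if v := strings.TrimSpace(data["minTLSVersion"]); v != "" {
		ver, ok := versionNames[v]
		if !ok {
			return Profile{}, fmt.Errorf("unsupported minTLSVersion %q", v)
		}
		p.MinVersion = ver
	}
	raw := strings.TrimSpace(data["cipherSuites"])
	if raw == "" {
		return p, nil
	}
	// Only suites crypto/tls considers secure are resolvable by name; anything
	// listed by tls.InsecureCipherSuites() is rejected with a specific error.
	secure := map[string]uint16{}
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	insecure := map[string]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}
	for _, name := range strings.Split(raw, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		if insecure[name] {
			return Profile{}, fmt.Errorf("cipher suite %s is flagged insecure by crypto/tls", name)
		}
		id, ok := secure[name]
		if !ok {
			return Profile{}, fmt.Errorf("unknown cipher suite %q", name)
		}
		p.CipherSuites = append(p.CipherSuites, id)
	}
	return p, nil
}

// TLSConfig is what a serving component would hand to its http.Server or tls.Listen.
func (p Profile) TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: p.MinVersion, CipherSuites: p.CipherSuites}
}

// Hash is a stable fingerprint of the profile, suitable for the Deployment
// annotation the PR uses so that a profile change alone forces a rollout.
func (p Profile) Hash() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%v", p.MinVersion, p.CipherSuites)))
	return hex.EncodeToString(sum[:8])
}

func main() {
	// Constructed sample data standing in for ocm-tls-profile; not a real ConfigMap.
	cm := map[string]string{
		"minTLSVersion": "VersionTLS13",
		"cipherSuites":  "TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384",
	}
	p, err := ParseProfile(cm)
	if err != nil {
		panic(err)
	}
	fmt.Printf("minVersion=%#x suites=%v hash=%s\n", p.MinVersion, p.CipherSuites, p.Hash())
	if _, err := ParseProfile(map[string]string{"cipherSuites": "TLS_RSA_WITH_RC4_128_SHA"}); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Comparing Hash() of the previously applied profile with the freshly parsed one is the check a reconciler would run before touching the Deployment; the watcher-plus-restart approach in this PR sidesteps that comparison by restarting the whole process, at the cost the comment above describes.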

Comment thread go.mod
github.com/openshift/library-go v0.0.0-20250711143941-47604345e7ea
github.com/pkg/errors v0.9.1
github.com/stretchr/testify v1.11.1
google.golang.org/grpc v1.76.0

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
curl -s https://api.osv.dev/v1/query -d '{"package":{"name":"google.golang.org/grpc","ecosystem":"Go"},"version":"1.76.0"}' | jq '.vulns[] | {id, summary, affected: .affected[0].ranges}'

Repository: open-cluster-management-io/cluster-proxy

Length of output: 700


🏁 Script executed:

cat -n go.mod | head -20

Repository: open-cluster-management-io/cluster-proxy

Length of output: 933


Critical: grpc v1.76.0 has a known authorization bypass vulnerability.

google.golang.org/grpc v1.76.0 is affected by GO-2026-4762 / GHSA-p77j-4mvh-x3m3 (authorization bypass via missing leading slash in :path). Bump to v1.79.3 or later.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[CRITICAL] 11-11: google.golang.org/grpc 1.76.0: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)


[CRITICAL] 11-11: google.golang.org/grpc 1.76.0: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 11, The go.mod currently pins the vulnerable module
"google.golang.org/grpc v1.76.0"; update that dependency to v1.79.3 or later
(replace the version string "google.golang.org/grpc v1.76.0" with
"google.golang.org/grpc v1.79.3" or higher), run `go get
google.golang.org/grpc@v1.79.3` (or `go get ./...`) to update go.sum, then run
`go mod tidy` and your test suite to ensure no breaking changes; ensure any CI
caching or vendoring is refreshed so the updated "google.golang.org/grpc"
version is used.

Signed-off-by: Tesshu Flower <tflower@redhat.com>
@tesshuflower tesshuflower marked this pull request as ready for review April 24, 2026 19:29
@openshift-ci openshift-ci Bot requested review from qiujian16 and xuezhaojun April 24, 2026 19:29
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/proxyserver/controllers/manifests.go (1)

253-256: Link the upstream tracker directly in the commented-out block.

The existing TODO(ocm#1447) at lines 129–130 gives a good high-level pointer, but a reader landing on this commented block won't see it. Adding the upstream anp issue/PR number here would make it trivial to know when it's safe to uncomment.

✏️ Suggested comment tweak
-		// Uncomment once --tls-min-version is supported by the apiserver-network-proxy
+		// TODO(ocm#1447): Uncomment once --tls-min-version is supported by
+		// apiserver-network-proxy (tracking: <upstream-issue-or-PR-url>).
 		//if tlsConfig.MinVersion != 0 {
 		//	args = append(args, "--tls-min-version="+sdktls.VersionToString(tlsConfig.MinVersion))
 		//}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/proxyserver/controllers/manifests.go` around lines 253 - 256, Update the
commented-out TLS min-version block to include a direct link to the upstream
apiserver-network-proxy issue/PR so readers know when to re-enable it; locate
the block that references tlsConfig.MinVersion, args and sdktls.VersionToString
(the three commented lines) and append a short comment like "TODO(ocm#1447): see
https://github.com/kubernetes-sigs/apiserver-network-proxy/issues/NNN" (replace
NNN with the actual upstream issue/PR number) immediately above or within the
commented block.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/proxyserver/controllers/manifests.go`:
- Around line 236-260: The proxyServerArgs function is currently appending a
--cipher-suites flag when tlsConfig.CipherSuites is non-empty which the
proxy-server binary does not support; remove the code that appends
"--cipher-suites="+sdktls.CipherSuitesToString(tlsConfig.CipherSuites) (i.e.,
delete the if block that checks len(tlsConfig.CipherSuites) and its append) so
proxyServerArgs no longer injects an unsupported flag; keep the existing TODO
about --tls-min-version as a note for upstream support and do not add any other
TLS-related flags until the proxy-server binary gains support.

---

Nitpick comments:
In `@pkg/proxyserver/controllers/manifests.go`:
- Around line 253-256: Update the commented-out TLS min-version block to include
a direct link to the upstream apiserver-network-proxy issue/PR so readers know
when to re-enable it; locate the block that references tlsConfig.MinVersion,
args and sdktls.VersionToString (the three commented lines) and append a short
comment like "TODO(ocm#1447): see
https://github.com/kubernetes-sigs/apiserver-network-proxy/issues/NNN" (replace
NNN with the actual upstream issue/PR number) immediately above or within the
commented block.
📥 Commits

Reviewing files that changed from the base of the PR and between 70a6ed8 and 08142ad.

📒 Files selected for processing (2)
  • pkg/proxyserver/controllers/managedproxyconfiguration_controller.go
  • pkg/proxyserver/controllers/manifests.go

Comment on lines +236 to +260
func proxyServerArgs(config *proxyv1alpha1.ManagedProxyConfiguration, tlsConfig *sdktls.TLSConfig) []string {
args := append([]string{
"--server-count=" + strconv.Itoa(int(config.Spec.ProxyServer.Replicas)),
"--proxy-strategies=destHost",
"--server-ca-cert=/etc/server-ca-pki/ca.crt",
"--server-cert=/etc/server-pki/tls.crt",
"--server-key=/etc/server-pki/tls.key",
"--cluster-ca-cert=/etc/server-ca-pki/ca.crt",
"--cluster-cert=/etc/agent-pki/tls.crt",
"--cluster-key=/etc/agent-pki/tls.key",
}, config.Spec.ProxyServer.AdditionalArgs...)

if tlsConfig != nil {
if len(tlsConfig.CipherSuites) > 0 {
args = append(args, "--cipher-suites="+sdktls.CipherSuitesToString(tlsConfig.CipherSuites))
}

// Uncomment once --tls-min-version is supported by the apiserver-network-proxy
//if tlsConfig.MinVersion != 0 {
// args = append(args, "--tls-min-version="+sdktls.VersionToString(tlsConfig.MinVersion))
//}
}

return args
}
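Review bot: the `if len(tlsConfig.CipherSuites) > 0` branch appends --cipher-suites after config.Spec.ProxyServer.AdditionalArgs, so an operator who already passes --cipher-suites through AdditionalArgs ends up with the flag twice and the effective value depends on how the binary's flag parser treats repeats; either detect the flag in AdditionalArgs and skip the injection, or state explicitly that the ocm-tls-profile value takes precedence. The commented-out MinVersion block also leaves a profile-configured minimum silently unenforced on anp-server; logging that the min-version setting was ignored would keep the gap visible until upstream support lands.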
@coderabbitai coderabbitai Bot Apr 24, 2026

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect the upstream anp flag names the project currently pins.
rg -nP -C2 '(apiserver-network-proxy|cipher-suites|tls-min-version|tls-cipher-suites)' go.mod go.sum 2>/dev/null
fd -t f -e go . vendor/sigs.k8s.io/apiserver-network-proxy 2>/dev/null | head -50
fd -t f -e go 'options' vendor/sigs.k8s.io/apiserver-network-proxy 2>/dev/null | xargs rg -nP -C1 '(cipher-suites|tls-min-version|CipherSuites|MinVersion|flag\.String|flags\.String)'

Repository: open-cluster-management-io/cluster-proxy

Length of output: 42555


🌐 Web query:

Does the apiserver-network-proxy proxy-server binary support a --cipher-suites command-line flag? What is the exact flag name?

💡 Result:

No. The apiserver-network-proxy proxy-server binary does not support a --cipher-suites flag. There is no --cipher-suites flag name in the project’s documented proxy-server arguments, and none appears in the CLI flag definitions for the server binary. Flag name: none (no --cipher-suites flag exists).

Citations:


🏁 Script executed:

# Find the main proxy-server entry point and flag definitions
find vendor/sigs.k8s.io/apiserver-network-proxy -name "server.go" -o -name "main.go" | head -5

# Search for flag registrations in the proxy-server code
rg -A 3 "flags\.String|flag\.String" vendor/sigs.k8s.io/apiserver-network-proxy/pkg/server/ 2>/dev/null | head -100

# Look for "cipher" references in the entire ANP vendor tree
rg -i "cipher" vendor/sigs.k8s.io/apiserver-network-proxy/ 2>/dev/null | head -20

Repository: open-cluster-management-io/cluster-proxy

Length of output: 732


🏁 Script executed:

# Find the proxy-server main function and all flag definitions
find vendor/sigs.k8s.io/apiserver-network-proxy -type f -name "*.go" | xargs grep -l "func main\|flagset\|flag.String\|flag.Bool" | head -10

# Look at the server.go file directly
find vendor/sigs.k8s.io/apiserver-network-proxy/pkg/server -name "*.go" -exec grep -l "flagset\|flag\." {} \;

# Search for any command-line argument parsing in the server package
rg "flag\.|flagset|StringVar|BoolVar" vendor/sigs.k8s.io/apiserver-network-proxy/pkg/server/ -A 2 | head -80

Repository: open-cluster-management-io/cluster-proxy

Length of output: 268


🏁 Script executed:

# List the actual structure in the vendor directory
find vendor/sigs.k8s.io/apiserver-network-proxy -type d | head -20

# Find all Go files in the vendor directory
find vendor/sigs.k8s.io/apiserver-network-proxy -name "*.go" | head -20

# Look for any main() function
rg "func main\(" vendor/sigs.k8s.io/apiserver-network-proxy/ -l

# Search for all flag definitions across the entire ANP vendor tree
rg "StringVar|BoolVar|flag\.String|flag\.Bool" vendor/sigs.k8s.io/apiserver-network-proxy/ -B 2 -A 1 | head -100

Repository: open-cluster-management-io/cluster-proxy

Length of output: 1781


🏁 Script executed:

# The vendor directory only has client code. Let's check the flags.go file
cat vendor/sigs.k8s.io/apiserver-network-proxy/pkg/util/flags.go

# Also check net.go to understand cipher handling in ANP
cat vendor/sigs.k8s.io/apiserver-network-proxy/pkg/util/net.go

Repository: open-cluster-management-io/cluster-proxy

Length of output: 2774


🏁 Script executed:

# Check if there's any upstream PR or issue reference about --cipher-suites support
rg "TODO|FIXME|PR|upstream" pkg/proxyserver/controllers/manifests.go -B 2 -A 2

# Look at the actual implementation to understand what's happening
cat -n pkg/proxyserver/controllers/manifests.go | sed -n '236,260p'

# Check the test expectations
cat pkg/proxyserver/controllers/manifests_test.go | grep -A 30 "TestProxyServerArgs_WithCipherSuites"

Repository: open-cluster-management-io/cluster-proxy

Length of output: 2940


🏁 Script executed:

# Search for any references to proxy-server flag documentation in the repo
rg "proxy-server" . --type md | grep -i "flag\|arg" | head -10

# Check if there are any comments or documentation about supported flags
rg "server-count|proxy-strategies" . --type md

# Look for any recent changes or PRs related to cipher-suites
git log --oneline --all -S "cipher-suites" 2>/dev/null | head -5

# Check upstream ANP releases/tags to see if this flag was added
rg "cipher.suites|ciphersuites" . --type go -l | grep -v vendor | head -5

Repository: open-cluster-management-io/cluster-proxy

Length of output: 170


Remove the --cipher-suites flag—the proxy-server binary does not support it.

The apiserver-network-proxy proxy-server binary (v0.33.0, which this chart depends on) does not accept a --cipher-suites command-line flag. Passing this flag at line 250 will cause the Deployment to crash-loop on argument parsing whenever a TLS profile is set.

This mirrors the --tls-min-version situation already flagged in the TODO at line 129—the upstream project does not yet support TLS configuration flags on the proxy-server binary. Either remove the cipher suite injection entirely, or document that TLS profile enforcement on the proxy-server awaits an upstream enhancement.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/proxyserver/controllers/manifests.go` around lines 236 - 260, The
proxyServerArgs function is currently appending a --cipher-suites flag when
tlsConfig.CipherSuites is non-empty which the proxy-server binary does not
support; remove the code that appends
"--cipher-suites="+sdktls.CipherSuitesToString(tlsConfig.CipherSuites) (i.e.,
delete the if block that checks len(tlsConfig.CipherSuites) and its append) so
proxyServerArgs no longer injects an unsupported flag; keep the existing TODO
about --tls-min-version as a note for upstream support and do not add any other
TLS-related flags until the proxy-server binary gains support.

Contributor Author


This isn't correct - the Dockerfile actually uses v0.30.2 to build apiserver-network-binary, which does expose the --cipher-suites flag (as of PR kubernetes-sigs/apiserver-network-proxy#282). Additionally this was manually tested in my kind env.
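The disagreement above is about whether the TLS flags the controller injects are ones the downstream binary actually parses. The following is an added example, not code from cluster-proxy, sdk-go or apiserver-network-proxy, of the same argument-building pattern (base flags, then operator-supplied additional args, then profile-derived TLS flags) written defensively: cipher suite IDs are rendered to IANA names via the table `crypto/tls` ships and any suite Go classifies as insecure is rejected, a flag already present in the additional args is replaced rather than duplicated, and the `--tls-min-version` flag is only emitted when the caller says the binary supports it, mirroring the upstream caveat in the PR description. `tlsProfile`, `buildTLSArgs` and `mergeFlag` are hypothetical names chosen for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsProfile is a constructed stand-in for the settings a TLS profile ConfigMap
// would carry. It is a hypothetical type for this example, not sdk-go's.
type tlsProfile struct {
	MinVersion   uint16   // e.g. tls.VersionTLS12; 0 means "use the default"
	CipherSuites []uint16 // crypto/tls suite IDs; empty means "use Go defaults"
}

// cipherSuiteNames maps suite IDs to their IANA names using the table that
// crypto/tls itself ships, and refuses any suite Go classifies as insecure.
func cipherSuiteNames(ids []uint16) ([]string, error) {
	secure := map[uint16]string{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.ID] = cs.Name
	}
	insecure := map[uint16]string{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = cs.Name
	}
	names := make([]string, 0, len(ids))
	for _, id := range ids {
		if name, ok := insecure[id]; ok {
			return nil, fmt.Errorf("cipher suite %s (0x%04x) is classified insecure by crypto/tls", name, id)
		}
		name, ok := secure[id]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite id 0x%04x", id)
		}
		names = append(names, name)
	}
	return names, nil
}

// versionName renders a TLS version constant in the VersionTLS1x spelling
// Kubernetes-style flags use.
func versionName(v uint16) (string, error) {
	switch v {
	case tls.VersionTLS10:
		return "VersionTLS10", nil
	case tls.VersionTLS11:
		return "VersionTLS11", nil
	case tls.VersionTLS12:
		return "VersionTLS12", nil
	case tls.VersionTLS13:
		return "VersionTLS13", nil
	}
	return "", fmt.Errorf("unsupported TLS version 0x%04x", v)
}

// mergeFlag appends "--name=value" to args, dropping any earlier occurrence of
// --name so the profile-derived setting wins and the flag is never duplicated.
func mergeFlag(args []string, name, value string) []string {
	prefix := "--" + name + "="
	out := make([]string, 0, len(args)+1)
	for _, a := range args {
		if a == "--"+name || strings.HasPrefix(a, prefix) {
			continue
		}
		out = append(out, a)
	}
	return append(out, prefix+value)
}

// buildTLSArgs composes the final argument list. minVersionFlagSupported models
// whether the target binary accepts --tls-min-version; when false the minimum
// version is deliberately left out rather than passed as an unknown flag.
func buildTLSArgs(base, additional []string, p *tlsProfile, minVersionFlagSupported bool) ([]string, error) {
	args := append(append([]string{}, base...), additional...)
	if p == nil {
		return args, nil
	}
	if len(p.CipherSuites) > 0 {
		names, err := cipherSuiteNames(p.CipherSuites)
		if err != nil {
			return nil, err
		}
		args = mergeFlag(args, "cipher-suites", strings.Join(names, ","))
	}
	if p.MinVersion != 0 && minVersionFlagSupported {
		v, err := versionName(p.MinVersion)
		if err != nil {
			return nil, err
		}
		args = mergeFlag(args, "tls-min-version", v)
	}
	return args, nil
}

func main() {
	// Constructed sample input: an operator-supplied --cipher-suites that the
	// profile overrides, and a profile asking for TLS 1.3 and two AEAD suites.
	base := []string{"--server-count=1", "--proxy-strategies=destHost"}
	additional := []string{"--cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA", "--v=2"}
	p := &tlsProfile{
		MinVersion:   tls.VersionTLS13,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
	}
	args, err := buildTLSArgs(base, additional, p, false)
	fmt.Println(args, err)
}
```

Rejecting `InsecureCipherSuites()` entries at build time is the check the controller side can make before the value ever reaches a Deployment: a mistyped or legacy suite surfaces as a reconcile error instead of a crash-looping pod whose logs must be read to discover the cause.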


@codecov

codecov Bot commented Apr 25, 2026

Codecov Report

❌ Patch coverage is 31.94444% with 49 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.27%. Comparing base (7b33265) to head (08142ad).
⚠️ Report is 1 commits behind head on main.

Files with missing lines                                Patch %   Lines
pkg/userserver/user_server.go                           0.00%     19 Missing ⚠️
pkg/serviceproxy/service_proxy.go                       0.00%     18 Missing ⚠️
pkg/proxyserver/controllers/manifests.go                79.31%    6 Missing ⚠️
...ontrollers/managedproxyconfiguration_controller.go   0.00%     4 Missing ⚠️
pkg/utils/utils.go                                      0.00%     2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #285      +/-   ##
==========================================
+ Coverage   17.60%   18.27%   +0.66%     
==========================================
  Files          36       36              
  Lines        2153     2200      +47     
==========================================
+ Hits          379      402      +23     
- Misses       1750     1774      +24     
  Partials       24       24              
Flag   Coverage Δ
unit   18.27% <31.94%> (+0.66%) ⬆️


@xuezhaojun xuezhaojun merged commit ff1a90c into open-cluster-management-io:main Apr 25, 2026
8 of 9 checks passed
@tesshuflower tesshuflower deleted the tls_profile_1447 branch April 27, 2026 17:54
@mikeshng
Member

@qiujian16 @xuezhaojun the vendor folder file diff is quite large, 2k+ files. Is this normal?
