CNTRLPLANE-2012: Wire signer certs to read PKI config via SignerKeyParams

[hasbro17]

Summary

Part 3 of splitting #10396 into smaller PRs. Depends on #10593 and #10594.

Wires all 11 signer certificates to read PKI configuration for configurable key algorithms

Problem

The challenge is that 6 of these signers previously had zero dependencies — adding InstallConfig as a dependency
would break agent-based installer (ABI) codepaths that generate signer certs without an install-config on disk (e.g. agent create certificates used by set-node-zero.sh, node-joiner add-nodes). It would
also pull in standard InstallConfig validation, rejecting configs that are valid under the agent flow's more lenient OptionalInstallConfig rules (e.g. vSphere without credentials).

Solution

To solve this, we introduce SignerKeyParams — a WritableAsset with zero dependencies that reads install-config.yaml directly from disk, extracts only the PKI and FeatureSet fields, and resolves the
effective PKI config via EffectiveSignerPKIConfig(). When no install-config is found, Load() returns (false, nil) so the asset store falls back to the state file between multi-step invocations (e.g.
create manifests followed by create cluster, where install-config.yaml is consumed after the first step). In the agent flow where neither file nor state exists, Generate() leaves PKIConfig nil
(RSA-2048).

6 previously zero-dep signers — now depend on SignerKeyParams:

• AdminKubeConfigSignerCertKey
• KubeAPIServerLocalhostSignerCertKey
• KubeAPIServerLBSignerCertKey
• RootCA
• KubeletBootstrapCertSigner

5 signers that already depended on InstallConfig — now use EffectiveSignerPKIConfig() to resolve the effective PKI config including feature gate defaults:

• KubeAPIServerToKubeletSignerCertKey
• AggregatorCA
• AggregatorSignerCertKey
• KubeControlPlaneSignerCertKey
• KubeletCSRSignerCertKey

With TechPreview enabled and no explicit pki config, all signer certs are generated with RSA-4096 (the current DefaultPKIProfile default). Without TechPreview, all certs remain RSA-2048.

PR chain

1. CNTRLPLANE-2012: Add PKI config types, validation, and CR manifest generation #10593 — PKI types, validation, CRD, feature gate, PKI CR manifest
2. CNTRLPLANE-2012: Refactor TLS cert generation to support configurable key algorithms #10594 — TLS engine refactoring
3. This PR — Wire signer certs + SignerKeyParams
4. Documentation

Summary by CodeRabbit

• New Features
  • Added optional, feature-gated PKI settings to install configuration so signer certificate key algorithm and size/curve can be configured.
  • Generated manifests now include PKI-related configuration output when enabled.
• Bug Fixes
  • Improved certificate/key generation to support RSA and ECDSA consistently.
  • Tightened validation for PKI settings to prevent unsupported algorithms, invalid key sizes, and mismatched key options.
  • Fixed private-key encoding and parsing error handling for more reliable certificate generation.

[openshift-ci-robot]

@hasbro17: This pull request references CNTRLPLANE-2012 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.22" instead.

Details

In response to this:

Summary

Part 3 of splitting #10396 into smaller PRs. Depends on #10593 and #10594.

Wires all 11 signer certificates to read PKI configuration for configurable key algorithms

Problem

The challenge is that 6 of these signers previously had zero dependencies — adding InstallConfig as a dependency
would break agent-based installer (ABI) codepaths that generate signer certs without an install-config on disk (e.g. agent create certificates used by set-node-zero.sh, node-joiner add-nodes). It would
also pull in standard InstallConfig validation, rejecting configs that are valid under the agent flow's more lenient OptionalInstallConfig rules (e.g. vSphere without credentials).

Solution

To solve this, we introduce SignerKeyParams — a WritableAsset with zero dependencies that reads install-config.yaml directly from disk, extracts only the PKI and FeatureSet fields, and resolves the
effective PKI config via EffectiveSignerPKIConfig(). When no install-config is present, it defaults to nil (RSA-2048).

6 previously zero-dep signers — now depend on SignerKeyParams:

• AdminKubeConfigSignerCertKey
• KubeAPIServerLocalhostSignerCertKey
• KubeAPIServerLBSignerCertKey
• RootCA
• KubeletBootstrapCertSigner

5 signers that already depended on InstallConfig — now use EffectiveSignerPKIConfig() to resolve the effective PKI config including feature gate defaults:

• KubeAPIServerToKubeletSignerCertKey
• AggregatorCA
• AggregatorSignerCertKey
• KubeControlPlaneSignerCertKey
• KubeletCSRSignerCertKey

With TechPreview enabled and no explicit pki config, all signer certs are generated with RSA-4096 (the current DefaultPKIProfile default). Without TechPreview, all certs remain RSA-2048.

PR chain

1. CNTRLPLANE-2012: Add PKI config types, validation, and CR manifest generation #10593 — PKI types, validation, CRD, feature gate, PKI CR manifest
2. CNTRLPLANE-2012: Refactor TLS cert generation to support configurable key algorithms #10594 — TLS engine refactoring
3. This PR — Wire signer certs + SignerKeyParams
4. Documentation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jhixson74 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a feature-gated pki install-config surface, generates a PKI manifest from the resolved signer settings, generalizes TLS key generation for RSA and ECDSA, and updates signer asset call sites and tests to pass PKI config through.

Changes

Configurable PKI and TLS generation

Layer / File(s)	Summary
PKI schema and validation data/data/install.openshift.io_installconfigs.yaml, pkg/types/installconfig.go, pkg/types/pki/validation.go, pkg/types/validation/*, pkg/explain/printer_test.go	Adds the feature-gated pki install-config schema, public PKI types, field validation, and the matching feature-gate and printer updates.
Default signer config and manifest output pkg/types/pki/defaults.go, pkg/types/pki/defaults_test.go, pkg/asset/tls/signerkey_params.go, pkg/asset/manifests/pki.go, pkg/asset/manifests/operators.go, pkg/asset/manifests/pki_test.go	Adds default PKI profile helpers, resolves effective signer PKI config from install-config.yaml, and emits cluster-pki-02-config.yaml through the operator manifest asset.
PEM and certificate helpers pkg/asset/tls/utils.go, pkg/asset/tls/keypair.go, pkg/asset/tls/tls.go, pkg/asset/tls/utils_test.go, pkg/asset/tls/tls_test.go	Updates key generation, PEM conversion, and self-signed certificate creation for RSA and ECDSA keys, with unit coverage for the new code paths.
Certificate asset wrappers pkg/asset/tls/certkey.go, pkg/asset/tls/boundsasigningkey.go, pkg/asset/imagebased/configimage/ingressoperatorsigner.go, pkg/asset/tls/certkey_test.go	Updates signed and self-signed cert assets to use the new key handling, adds RSA-only parsing for bound service account keys, and checks PEM encoding errors in the ingress operator signer asset.
Signer asset wiring pkg/asset/tls/root.go, pkg/asset/tls/kubecontrolplane.go, pkg/asset/tls/kubelet.go, pkg/asset/tls/apiserver.go, pkg/asset/tls/adminkubeconfig.go, pkg/asset/tls/aggregator.go, pkg/asset/tls/ironictls.go, pkg/asset/ignition/machine/*_test.go	Updates signer assets to read SignerKeyParams, remove explicit key usages, pass PKI config into self-signed generation, and adjust ignition tests for the new root CA parents.

Sequence Diagram(s)

PKI manifest generation

sequenceDiagram
  participant Manifests
  participant PKIConfiguration
  participant InstallConfig
  participant EffectiveSignerPKIConfig
  participant DefaultPKIProfile
  Manifests->>PKIConfiguration: Generate(...)
  PKIConfiguration->>InstallConfig: load installconfig.InstallConfig
  PKIConfiguration->>EffectiveSignerPKIConfig: resolve signer PKIConfig
  EffectiveSignerPKIConfig->>DefaultPKIProfile: derive default signer values
  Manifests->>PKIConfiguration: Files()

Loading

Signer certificate generation

sequenceDiagram
  participant RootCA
  participant SignerKeyParams
  participant SelfSignedCertKey
  participant GenerateSelfSignedCertificate
  participant PrivateKeyToPem
  RootCA->>SignerKeyParams: read PKIConfig
  RootCA->>SelfSignedCertKey: Generate(..., PKIConfig)
  SelfSignedCertKey->>GenerateSelfSignedCertificate: create key and certificate
  SelfSignedCertKey->>PrivateKeyToPem: encode generated key

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~90+ minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Weak-Crypto	❌ Error	FAIL: the PR touches code paths that use sha1.Sum (pkg/asset/tls/tls.go:237), which is on the weak-crypto denylist.	Replace SHA-1-based subject-key-id hashing with an approved alternative or add an explicit exception if SHA-1 is intentional.
Docstring Coverage	⚠️ Warning	Docstring coverage is 56.60% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: wiring signer certificates to read PKI config through SignerKeyParams.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo titles were added; the new tests use static t.Run names like PKI config present with TechPreviewNoUpgrade - passes and RSA 4096.
Test Structure And Quality	✅ Passed	No Ginkgo tests were added or changed; the modified tests are standard Go unit tests, so the Ginkgo-specific quality checks are not applicable.
Microshift Test Compatibility	✅ Passed	PR changes are unit tests and assets only; no new Ginkgo/e2e specs or MicroShift-unsupported APIs/features were added in the touched files.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the changed tests are plain Go unit tests under pkg/* using testing.T, with no SNO-unsafe assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	Only PKI/crypto plumbing was added; I found no new pod specs, replicas, affinities, tolerations, node selectors, or topology-spread constraints.
Ote Binary Stdout Contract	✅ Passed	No stdout writes or suite hooks were added in main/init/TestMain/BeforeSuite paths; the only fmt.Println is inside a unit test body.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PASS: The modified tests are plain testing.T unit tests; no Ginkgo It/Describe/When, IPv4 literals, or external-host/network calls were found in the changed files.
Container-Privileges	✅ Passed	Touched files are PKI/TLS/schema changes; targeted searches found no privileged:true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation:true, or runAsUser:0 in the PR paths.
No-Sensitive-Data-In-Logs	✅ Passed	No new logs print secrets; added debug/warn messages only emit generic parse/generation errors, and new PKI files contain no logging.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[hasbro17]

/hold

Blocked by #10593 and #10594

Also need to retest and check the ABI codepaths for the SignerKeyParams dependency (Integration tests should show that) and see if the new signers generate correctly.

[hasbro17]

/test e2e-aws-ovn-pki-default-techpreview
/test e2e-aws-ovn-pki-rsa-techpreview

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/types/pki/defaults.go`:
- Around line 36-53: EffectiveSignerPKIConfig currently returns ic.PKI before
checking the ConfigurablePKI feature gate, allowing user PKI to be honored even
when the gate is off; change the logic in EffectiveSignerPKIConfig so it first
checks ic.Enabled(features.FeatureGateConfigurablePKI) and if the gate is
disabled return nil, and only when the gate is enabled honor ic.PKI (return it)
or fall back to the default SignerCertificates config; update references in
EffectiveSignerPKIConfig to enforce the gate-first behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b8a25289-d43e-4637-8509-4498d6ba55cf

📥 Commits

Reviewing files that changed from the base of the PR and between d3fba60 and 0e262ca.

⛔ Files ignored due to path filters (1)

• pkg/types/zz_generated.deepcopy.go is excluded by !**/zz_generated*

📒 Files selected for processing (39)

• data/data/install.openshift.io_installconfigs.yaml
• pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go
• pkg/asset/ignition/machine/arbiter_test.go
• pkg/asset/ignition/machine/master_ignition_customizations_test.go
• pkg/asset/ignition/machine/master_test.go
• pkg/asset/ignition/machine/worker_ignition_customizations_test.go
• pkg/asset/ignition/machine/worker_test.go
• pkg/asset/imagebased/configimage/ingressoperatorsigner.go
• pkg/asset/manifests/operators.go
• pkg/asset/manifests/pki.go
• pkg/asset/manifests/pki_test.go
• pkg/asset/tls/adminkubeconfig.go
• pkg/asset/tls/aggregator.go
• pkg/asset/tls/apiserver.go
• pkg/asset/tls/boundsasigningkey.go
• pkg/asset/tls/certkey.go
• pkg/asset/tls/certkey_test.go
• pkg/asset/tls/ironictls.go
• pkg/asset/tls/keypair.go
• pkg/asset/tls/kubecontrolplane.go
• pkg/asset/tls/kubelet.go
• pkg/asset/tls/root.go
• pkg/asset/tls/signerkey_params.go
• pkg/asset/tls/tls.go
• pkg/asset/tls/tls_test.go
• pkg/asset/tls/utils.go
• pkg/asset/tls/utils_test.go
• pkg/explain/printer_test.go
• pkg/types/defaults/installconfig.go
• pkg/types/installconfig.go
• pkg/types/pki/conversion.go
• pkg/types/pki/defaults.go
• pkg/types/pki/defaults_test.go
• pkg/types/pki/validation.go
• pkg/types/pki/validation_test.go
• pkg/types/validation/featuregate_test.go
• pkg/types/validation/featuregates.go
• pkg/types/validation/installconfig.go
• pkg/types/validation/installconfig_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Honor ConfigurablePKI before applying user PKI config.

Line 37 returns ic.PKI even when the feature gate is off. pkg/asset/tls/signerkey_params.go:64-81 calls this helper on a raw install-config.yaml without running install-config validation, so zero-dependency signer assets can still generate custom signer keys from a gated field. Return nil when ConfigurablePKI is disabled and only honor ic.PKI once the gate is enabled.

Suggested fix

 func EffectiveSignerPKIConfig(ic *types.InstallConfig) *types.PKIConfig {
-	if ic.PKI != nil {
-		return ic.PKI
-	}
-
-	if ic.Enabled(features.FeatureGateConfigurablePKI) {
-		// Default signer config matches DefaultPKIProfile().SignerCertificates
-		return &types.PKIConfig{
-			SignerCertificates: types.CertificateConfig{
-				Key: types.KeyConfig{
-					Algorithm: types.KeyAlgorithmRSA,
-					RSA:       types.RSAKeyConfig{KeySize: 4096},
-				},
-			},
-		}
-	}
-
-	return nil
+	if ic == nil || !ic.Enabled(features.FeatureGateConfigurablePKI) {
+		return nil
+	}
+
+	if ic.PKI != nil {
+		return ic.PKI
+	}
+
+	// Default signer config matches DefaultPKIProfile().SignerCertificates
+	return &types.PKIConfig{
+		SignerCertificates: types.CertificateConfig{
+			Key: types.KeyConfig{
+				Algorithm: types.KeyAlgorithmRSA,
+				RSA:       types.RSAKeyConfig{KeySize: 4096},
+			},
+		},
+	}
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func EffectiveSignerPKIConfig(ic *types.InstallConfig) *types.PKIConfig {
	if ic.PKI != nil {
	return ic.PKI
	}
	if ic.Enabled(features.FeatureGateConfigurablePKI) {
	// Default signer config matches DefaultPKIProfile().SignerCertificates
	return &types.PKIConfig{
	SignerCertificates: types.CertificateConfig{
	Key: types.KeyConfig{
	Algorithm: types.KeyAlgorithmRSA,
	RSA: types.RSAKeyConfig{KeySize: 4096},
	},
	},
	}
	}
	return nil
	func EffectiveSignerPKIConfig(ic *types.InstallConfig) *types.PKIConfig {
	if ic == nil || !ic.Enabled(features.FeatureGateConfigurablePKI) {
	return nil
	}
	if ic.PKI != nil {
	return ic.PKI
	}
	// Default signer config matches DefaultPKIProfile().SignerCertificates
	return &types.PKIConfig{
	SignerCertificates: types.CertificateConfig{
	Key: types.KeyConfig{
	Algorithm: types.KeyAlgorithmRSA,
	RSA: types.RSAKeyConfig{KeySize: 4096},
	},
	},
	}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/types/pki/defaults.go` around lines 36 - 53, EffectiveSignerPKIConfig
currently returns ic.PKI before checking the ConfigurablePKI feature gate,
allowing user PKI to be honored even when the gate is off; change the logic in
EffectiveSignerPKIConfig so it first checks
ic.Enabled(features.FeatureGateConfigurablePKI) and if the gate is disabled
return nil, and only when the gate is enabled honor ic.PKI (return it) or fall
back to the default SignerCertificates config; update references in
EffectiveSignerPKIConfig to enforce the gate-first behavior.

[hasbro17]

/test e2e-aws-ovn-pki-default-techpreview
/test e2e-aws-ovn-pki-rsa-techpreview

[hasbro17]

Okay the e2e tests pass now:
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/10595/pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa-techpreview/2062305090953285632

So the SignerKeyParams helps walk the line between IPI and ABI for those signers.

[hasbro17]

/test e2e-aws-ovn-pki-default-techpreview
/test e2e-aws-ovn-pki-rsa-techpreview

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/asset/manifests/pki.go`:
- Around line 42-48: The Generate method on PKIConfiguration exits early when
the FeatureGateConfigurablePKI is disabled but doesn't clear previously
generated state; ensure you reset p.FileList (e.g., set to nil or an empty
slice) before the early return in PKIConfiguration.Generate so stale PKI
manifests aren't retained across runs when the feature gate is off.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2313bdbb-b13e-49c2-89f3-c0d815a13343

📥 Commits

Reviewing files that changed from the base of the PR and between 0a3fbe6 and 9d66374.

⛔ Files ignored due to path filters (1)

• pkg/types/zz_generated.deepcopy.go is excluded by !**/zz_generated*

📒 Files selected for processing (40)

• data/data/install.openshift.io_installconfigs.yaml
• pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go
• pkg/asset/ignition/machine/arbiter_test.go
• pkg/asset/ignition/machine/master_ignition_customizations_test.go
• pkg/asset/ignition/machine/master_test.go
• pkg/asset/ignition/machine/worker_ignition_customizations_test.go
• pkg/asset/ignition/machine/worker_test.go
• pkg/asset/imagebased/configimage/ingressoperatorsigner.go
• pkg/asset/manifests/operators.go
• pkg/asset/manifests/pki.go
• pkg/asset/manifests/pki_test.go
• pkg/asset/tls/adminkubeconfig.go
• pkg/asset/tls/aggregator.go
• pkg/asset/tls/apiserver.go
• pkg/asset/tls/boundsasigningkey.go
• pkg/asset/tls/certkey.go
• pkg/asset/tls/certkey_test.go
• pkg/asset/tls/ironictls.go
• pkg/asset/tls/keypair.go
• pkg/asset/tls/kubecontrolplane.go
• pkg/asset/tls/kubelet.go
• pkg/asset/tls/root.go
• pkg/asset/tls/signerkey_params.go
• pkg/asset/tls/tls.go
• pkg/asset/tls/tls_test.go
• pkg/asset/tls/utils.go
• pkg/asset/tls/utils_test.go
• pkg/explain/printer_test.go
• pkg/types/defaults/installconfig.go
• pkg/types/installconfig.go
• pkg/types/pki/conversion.go
• pkg/types/pki/conversion_test.go
• pkg/types/pki/defaults.go
• pkg/types/pki/defaults_test.go
• pkg/types/pki/validation.go
• pkg/types/pki/validation_test.go
• pkg/types/validation/featuregate_test.go
• pkg/types/validation/featuregates.go
• pkg/types/validation/installconfig.go
• pkg/types/validation/installconfig_test.go

✅ Files skipped from review due to trivial changes (5)

• pkg/asset/ignition/machine/arbiter_test.go
• pkg/explain/printer_test.go
• pkg/types/defaults/installconfig.go
• pkg/asset/manifests/pki_test.go
• pkg/types/validation/featuregates.go

🚧 Files skipped from review as they are similar to previous changes (30)

• pkg/asset/imagebased/configimage/ingressoperatorsigner.go
• pkg/asset/tls/ironictls.go
• pkg/asset/tls/utils_test.go
• pkg/asset/ignition/machine/worker_test.go
• pkg/asset/ignition/machine/master_test.go
• pkg/types/validation/featuregate_test.go
• pkg/asset/ignition/machine/arbiter_ignition_customizations_test.go
• pkg/types/validation/installconfig_test.go
• pkg/types/validation/installconfig.go
• pkg/types/pki/validation.go
• pkg/types/pki/defaults.go
• pkg/types/pki/defaults_test.go
• pkg/asset/tls/boundsasigningkey.go
• pkg/types/installconfig.go
• data/data/install.openshift.io_installconfigs.yaml
• pkg/asset/tls/keypair.go
• pkg/asset/tls/kubecontrolplane.go
• pkg/asset/tls/apiserver.go
• pkg/asset/tls/certkey.go
• pkg/asset/tls/tls_test.go
• pkg/asset/tls/adminkubeconfig.go
• pkg/asset/tls/signerkey_params.go
• pkg/asset/tls/kubelet.go
• pkg/asset/tls/aggregator.go
• pkg/asset/ignition/machine/worker_ignition_customizations_test.go
• pkg/asset/tls/utils.go
• pkg/asset/tls/root.go
• pkg/asset/tls/certkey_test.go
• pkg/types/pki/validation_test.go
• pkg/asset/tls/tls.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Reset generated state before the feature-gate early return.

On Line 47, Generate exits when the gate is disabled but does not clear p.FileList. Reusing the same asset instance can retain stale PKI manifest output from a previous enabled run.

Suggested fix

 func (p *PKIConfiguration) Generate(_ context.Context, dependencies asset.Parents) error {
+	p.FileList = nil
+
 	installConfig := &installconfig.InstallConfig{}
 	dependencies.Get(installConfig)
 
 	if !installConfig.Config.Enabled(features.FeatureGateConfigurablePKI) {
 		return nil
 	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func (p *PKIConfiguration) Generate(_ context.Context, dependencies asset.Parents) error {
	installConfig := &installconfig.InstallConfig{}
	dependencies.Get(installConfig)
	if !installConfig.Config.Enabled(features.FeatureGateConfigurablePKI) {
	return nil
	}
	func (p *PKIConfiguration) Generate(_ context.Context, dependencies asset.Parents) error {
	p.FileList = nil
	installConfig := &installconfig.InstallConfig{}
	dependencies.Get(installConfig)
	if !installConfig.Config.Enabled(features.FeatureGateConfigurablePKI) {
	return nil
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/asset/manifests/pki.go` around lines 42 - 48, The Generate method on
PKIConfiguration exits early when the FeatureGateConfigurablePKI is disabled but
doesn't clear previously generated state; ensure you reset p.FileList (e.g., set
to nil or an empty slice) before the early return in PKIConfiguration.Generate
so stale PKI manifests aren't retained across runs when the feature gate is off.

[hasbro17]

/test e2e-aws-ovn-pki-default-techpreview
/test e2e-aws-ovn-pki-rsa-techpreview

[openshift-ci]

@hasbro17: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6	fcfc32e	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-metal-ovn-two-node-arbiter	fcfc32e	link	false	/test e2e-metal-ovn-two-node-arbiter
ci/prow/e2e-metal-ipi-ovn-swapped-hosts	fcfc32e	link	false	/test e2e-metal-ipi-ovn-swapped-hosts
ci/prow/e2e-metal-ipi-ovn	fcfc32e	link	false	/test e2e-metal-ipi-ovn
ci/prow/e2e-metal-ipi-ovn-virtualmedia	fcfc32e	link	false	/test e2e-metal-ipi-ovn-virtualmedia
ci/prow/e2e-metal-single-node-live-iso	fcfc32e	link	false	/test e2e-metal-single-node-live-iso
ci/prow/e2e-metal-ovn-two-node-fencing	fcfc32e	link	false	/test e2e-metal-ovn-two-node-fencing
ci/prow/e2e-metal-assisted	fcfc32e	link	false	/test e2e-metal-assisted
ci/prow/e2e-metal-ipi-ovn-dualstack	fcfc32e	link	false	/test e2e-metal-ipi-ovn-dualstack
ci/prow/e2e-aws-ovn-pki-default-techpreview	fcfc32e	link	false	/test e2e-aws-ovn-pki-default-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.