ROX-33958: Revert BusyBox-style binary consolidation for main image#19982
Merged
ROX-33958: Revert BusyBox-style binary consolidation for main image#19982
Conversation
Contributor
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- In central,
authProviderBackendFactoriesis now initialized at package level usingtlsconfig.ManagerInstance(), but the previous comment instartGRPCServerexplicitly noted this should be done lazily at runtime to ensure required certificate files exist; consider keeping this initialization inside a function (e.g.,startGRPCServeror a dedicated initializer) to avoid potential issues in environments/tests where certs are not yet available at import time.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In central, `authProviderBackendFactories` is now initialized at package level using `tlsconfig.ManagerInstance()`, but the previous comment in `startGRPCServer` explicitly noted this should be done lazily at runtime to ensure required certificate files exist; consider keeping this initialization inside a function (e.g., `startGRPCServer` or a dedicated initializer) to avoid potential issues in environments/tests where certs are not yet available at import time.
## Individual Comments
### Comment 1
<location path="central/main.go" line_range="238-243" />
<code_context>
var (
log = logging.CreateLogger(logging.CurrentModule(), 0)
+ authProviderBackendFactories = map[string]authproviders.BackendFactoryCreator{
+ oidc.TypeName: oidc.NewFactory,
+ "auth0": oidc.NewFactory, // legacy
+ saml.TypeName: saml.NewFactory,
+ authProviderUserpki.TypeName: authProviderUserpki.NewFactoryFactory(tlsconfig.ManagerInstance()),
+ iap.TypeName: iap.NewFactory,
+ }
+
</code_context>
<issue_to_address>
**question (bug_risk):** Reintroducing package-level initialization for auth provider factories may re-create the original TLS dependency issue
The earlier comment in `startGRPCServer` noted that this must not run at package init because `tlsconfig.ManagerInstance()` depends on certificate files that may not exist for all entry points. Even without the BusyBox-style dispatcher, this still executes before `main()` can validate TLS config or handle errors. Consider constructing this map in `startGRPCServer` (or another explicit init function) so `ManagerInstance()` failures occur in a controlled part of startup and don’t affect tests or tools that merely import this package.
</issue_to_address>
### Comment 2
<location path="scripts/check-image-version.sh" line_range="6" />
<code_context>
tmpfile="$(mktemp)"
trap 'rm -f "${tmpfile}"' EXIT
-git grep -E -o -h '(stackrox|scanner)-(build|test)-[0-9]+\.[0-9]+\.[0-9].*' | grep -E -o '[0-9]+\.[0-9]+\.[0-9]' | sort -u >"$tmpfile"
+git grep -E -o -h '(stackrox|scanner)-(build|test)-[0-9]+\.[0-9]+\.[0-9]' | grep -E -o '[0-9]+\.[0-9]+\.[0-9]' | sort -u >"$tmpfile"
if [[ "$( wc -w < "$tmpfile" )" -eq 1 ]]
</code_context>
<issue_to_address>
**question:** The updated grep might miss versions suffixed with extra metadata (e.g., -rc.1)
Because the regex now enforces the string to end at `X.Y.Z` and removes `.*`, tags like `stackrox-build-3.75.0-rc.1` will no longer be matched. If those tags must be supported, consider either restoring `.*` in the first grep and tightening the second, or updating the first pattern to allow an optional suffix after `X.Y.Z`.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Contributor
📝 WalkthroughSummary by CodeRabbitRelease Notes
WalkthroughThis pull request decouples multiple components from a unified binary dispatch pattern where several applications (compliance, config-controller, migrator, roxctl, admission-control, kubernetes-sensor, upgrader, roxagent) shared a consolidated entry point via symlinks. Instead, each component now builds and deploys as an independent binary. The changes involve removing Changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~50 minutes 🚥 Pre-merge checks | ✅ 1 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
migrator/main.go (2)
30-41: Consider adding timeouts to the profiling HTTP server.The HTTP server on
:6060lacks read/write timeouts, which could make it vulnerable to slowloris-style attacks. While this is an internal debug server, adding timeouts is a defensive practice.💡 Suggested improvement
func startProfilingServer() { handler := http.NewServeMux() for path, debugHandler := range routes.DebugRoutes { handler.Handle(path, debugHandler) } - srv := &http.Server{Addr: ":6060", Handler: handler} + srv := &http.Server{ + Addr: ":6060", + Handler: handler, + ReadTimeout: 30 * time.Second, + WriteTimeout: 30 * time.Second, + } go func() { if err := srv.ListenAndServe(); err != nil { log.WriteToStderrf("Closing profiling server: %v", err) } }() }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@migrator/main.go` around lines 30 - 41, The profiling server created in startProfilingServer currently constructs srv := &http.Server{Addr: ":6060", Handler: handler} without timeouts; update the server configuration (the srv variable) to include sensible ReadTimeout, ReadHeaderTimeout, WriteTimeout (and optionally IdleTimeout) values to mitigate slowloris-style attacks, then start it the same way (ListenAndServe) while keeping the existing error handling and use of routes.DebugRoutes and handler.
118-132: Redundant external database check.The
pgconfig.IsExternalDatabase()check on line 124 is redundant sinceensureDatabaseExists()is only called when!pgconfig.IsExternalDatabase()on line 62. The function always returnsnilfor external databases due to the check at line 124, but this code path is unreachable.♻️ Suggested simplification
func ensureDatabaseExists() error { sourceMap, adminConfig, err := pgconfig.GetPostgresConfig() if err != nil { return err } - if !pgconfig.IsExternalDatabase() { - return retry.WithRetry(func() error { - return dbCheck(sourceMap, adminConfig) - }, retry.Tries(60), retry.BetweenAttempts(func(_ int) { - time.Sleep(5 * time.Second) - })) - } - return nil + return retry.WithRetry(func() error { + return dbCheck(sourceMap, adminConfig) + }, retry.Tries(60), retry.BetweenAttempts(func(_ int) { + time.Sleep(5 * time.Second) + })) }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@migrator/main.go` around lines 118 - 132, The function ensureDatabaseExists currently re-checks pgconfig.IsExternalDatabase() redundantly and returns nil for external DBs; remove that internal IsExternalDatabase() conditional and always perform the retry.WithRetry call that invokes dbCheck using the sourceMap and adminConfig from pgconfig.GetPostgresConfig(), returning any error from the retry; in short, delete the inner external-database branch so ensureDatabaseExists simply gets config (sourceMap, adminConfig) and runs retry.WithRetry(... dbCheck ...) and returns its result.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@scripts/check-image-version.sh`:
- Line 6: The grep regex in scripts/check-image-version.sh truncates multi-digit
patch numbers; update both regexes used in the pipeline—the one inside the first
grep -E -o -h '(stackrox|scanner)-(build|test)-[0-9]+\.[0-9]+\.[0-9]' and the
subsequent grep -E -o '[0-9]+\.[0-9]+\.[0-9]'—to allow one-or-more digits for
the patch (use [0-9]+ for the patch segment), so versions like 4.6.10 are
captured fully (e.g., change the patch token to [0-9]+ in both places).
---
Nitpick comments:
In `@migrator/main.go`:
- Around line 30-41: The profiling server created in startProfilingServer
currently constructs srv := &http.Server{Addr: ":6060", Handler: handler}
without timeouts; update the server configuration (the srv variable) to include
sensible ReadTimeout, ReadHeaderTimeout, WriteTimeout (and optionally
IdleTimeout) values to mitigate slowloris-style attacks, then start it the same
way (ListenAndServe) while keeping the existing error handling and use of
routes.DebugRoutes and handler.
- Around line 118-132: The function ensureDatabaseExists currently re-checks
pgconfig.IsExternalDatabase() redundantly and returns nil for external DBs;
remove that internal IsExternalDatabase() conditional and always perform the
retry.WithRetry call that invokes dbCheck using the sourceMap and adminConfig
from pgconfig.GetPostgresConfig(), returning any error from the retry; in short,
delete the inner external-database branch so ensureDatabaseExists simply gets
config (sourceMap, adminConfig) and runs retry.WithRetry(... dbCheck ...) and
returns its result.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: f7362ae2-2e57-4803-a23a-568914ad742e
📒 Files selected for processing (26)
Makefilecentral/main.gocompliance/cmd/compliance/app/app.gocompliance/cmd/compliance/main.gocompliance/virtualmachines/roxagent/app/app.gocompliance/virtualmachines/roxagent/main.goconfig-controller/app/app.goconfig-controller/main.goimage/rhel/Dockerfileimage/rhel/konflux.Dockerfilemigrator/app/app.gomigrator/main.gomigrator/upgrade.gomigrator/upgrade_test.goroxctl/app/app.goroxctl/main.goroxctl/main_test.goscripts/check-image-version.shsensor/admission-control/app/app.gosensor/admission-control/certs.gosensor/admission-control/main.gosensor/kubernetes/app/app.gosensor/kubernetes/main.gosensor/upgrader/app/app.gosensor/upgrader/main.gotools/roxvet/analyzers/validateimports/analyzer.go
💤 Files with no reviewable changes (10)
- compliance/virtualmachines/roxagent/app/app.go
- tools/roxvet/analyzers/validateimports/analyzer.go
- migrator/app/app.go
- roxctl/app/app.go
- compliance/cmd/compliance/app/app.go
- config-controller/app/app.go
- sensor/upgrader/app/app.go
- sensor/admission-control/app/app.go
- sensor/kubernetes/app/app.go
- roxctl/main_test.go
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #19982 +/- ##
==========================================
+ Coverage 49.56% 49.61% +0.04%
==========================================
Files 2764 2765 +1
Lines 208442 208616 +174
==========================================
+ Hits 103323 103500 +177
+ Misses 97464 97460 -4
- Partials 7655 7656 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
🚀 Build Images ReadyImages are ready for commit c6c06ec. To use with deploy scripts: export MAIN_IMAGE_TAG=4.11.x-656-gc6c06eccfc |
davdhacs
approved these changes
Apr 14, 2026
4d4fbf9 to
a2ec764
Compare
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
Contributor
|
/konflux-retest main-on-push |
Contributor
|
/konflux-retest operator-bundle-on-push |
2 similar comments
Contributor
|
/konflux-retest operator-bundle-on-push |
Contributor
|
/konflux-retest operator-bundle-on-push |
|
@janisz: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
After consolidation
initfunctions fires for all components increasing memory usage. Before reapplying we need to convertinitfunctions to explicit call in components code.Reverts: