TLS flags refactoring #39

Merged: metalice merged 1 commit into kubevirt-ui:main from nunnatsa:fix-ai on Jan 21, 2026

@nunnatsa (Contributor) commented Jan 20, 2026

Move the TLS flags logic to the new config package.

Summary by CodeRabbit

  • Chores
    • TLS settings are now loaded from configuration (not CLI flags); startup validates and applies TLS values and will fail on invalid config.
  • Tests
    • Added unit tests covering TLS configuration parsing and error handling.
  • Chores
    • CI now runs unit tests across all sub-packages.


openshift-ci bot commented Jan 20, 2026

Hi @nunnatsa. Thanks for your PR.

I'm waiting for a kubevirt-ui member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai bot commented Jan 20, 2026

Walkthrough

Introduces a new config package that parses TLS-related flags into a typed Config (with TLSConfig) and refactors main to load and apply TLS settings from that package; adds unit tests and expands CI test scope to all subpackages.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Config package: config/config.go, config/config_test.go | Adds Config and TLSConfig types, GetConfig() constructor, getters GetMinTLSVersion() and GetTLSCipherSuites(), flag parsing for tls-min-version and tls-cipher-suites, validation/error propagation, and unit tests covering valid and invalid inputs. |
| Application entrypoint: main.go | Removes direct TLS flag parsing and init() logic; imports config; loads config via config.GetConfig() at startup and applies MinVersion and CipherSuites to server.TLSConfig; surfaces config load errors with log.Fatal. |
| CI workflow: .github/workflows/ci_checks.yml | Broadens test invocation from go test . to go test ./... to run tests across all module subpackages. |

Sequence Diagram(s)

sequenceDiagram
    participant Main as Main
    participant Config as Config Package
    participant Server as Server

    Main->>Config: GetConfig()
    Config-->>Main: Config (minVersion, cipherSuites) / error
    alt config OK
        Main->>Server: set TLSConfig.MinVersion = cfg.GetMinTLSVersion()
        Main->>Server: set TLSConfig.CipherSuites = cfg.GetTLSCipherSuites()
        Main->>Server: start server
    else config error
        Main-->>Main: log.Fatal(err)
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

lgtm, approved

Poem

🐇 I hopped through flags to tidy the lair,

Ciphers sorted, versions set with care.
One config basket holds the TLS keys,
No scattered flags — just calm and ease.
Hooray! 🥕🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'TLS flags refactoring' directly describes the main change: moving TLS flag handling logic from main.go to a new config package. |


@metalice (Member)

/lgtm

@metalice (Member)

/approve

@openshift-ci openshift-ci bot added the lgtm label Jan 20, 2026
openshift-ci bot commented Jan 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: metalice, nunnatsa

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metalice (Member)

/ok-to-test

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@config/config.go`:
- Around line 24-48: GetConfig currently casts *minTLSVersionFlag to uint16
without bounds checking which can truncate values >65535; add an explicit bounds
check in GetConfig: if *minTLSVersionFlag > math.MaxUint16 return a clear error
(or validate and clamp per project policy) before assigning to
cfg.TLS.minTLSVersion, then safely convert to uint16; reference GetConfig,
minTLSVersionFlag and cfg.TLS.minTLSVersion when making the change.
🧹 Nitpick comments (2)
config/config.go (2)

19-22: Consider documenting expected cipher format.

The tls-cipher-suites flag expects numeric cipher IDs (e.g., 49195,49199), which may not be intuitive. Users might expect cipher names like TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. Consider clarifying this in the usage string.

📝 Suggested improvement
 var (
 	minTLSVersionFlag   = flag.Uint("tls-min-version", 0, "The minimum TLS version to use")
-	tlsCipherSuitesFlag = flag.String("tls-cipher-suites", "", "A comma-separated list of cipher suites to use")
+	tlsCipherSuitesFlag = flag.String("tls-cipher-suites", "", "A comma-separated list of cipher suite IDs (numeric) to use")
 )
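Review bot: the usage string on the unchanged minTLSVersionFlag line has the same gap this change closes for cipher suites. It is a flag.Uint defaulting to 0, and "The minimum TLS version to use" does not say that the value is the numeric protocol code (771 for TLS 1.2, 772 for TLS 1.3) or what 0 selects. Suggest extending that string in the same change so both flags document their numeric form.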

35-42: Consider trimming whitespace from cipher strings.

If users provide input like "49195, 49199" (with spaces after commas), parsing will fail. Trimming whitespace improves usability.

📝 Suggested improvement
 		for _, cipherStr := range ciphers {
+			cipherStr = strings.TrimSpace(cipherStr)
 			cipher, err := strconv.ParseUint(cipherStr, 10, 16)
 			if err != nil {
 				return nil, fmt.Errorf("can't parse cipher %q; %w", cipherStr, err)
 			}

 			tlsCipherSuites = append(tlsCipherSuites, uint16(cipher))
 		}
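Review bot: after ParseUint succeeds, the value is appended with no check that it is a cipher suite the server can actually use, so any number up to 65535 passes config load. Suggest looking the ID up in tls.CipherSuites() before the append and returning an error for unknown IDs. With TrimSpace in place, an empty element from a trailing comma still reaches ParseUint and fails with an empty %q in the message, which is worth its own error text.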

openshift-ci bot commented Jan 21, 2026

New changes are detected. LGTM label has been removed.

Move the TLS flags logic to the new config package.

Signed-off-by: Nahshon Unna Tsameret <nunnatsa@redhat.com>
@metalice metalice merged commit ba87c35 into kubevirt-ui:main Jan 21, 2026
3 of 4 checks passed
@nunnatsa nunnatsa deleted the fix-ai branch January 21, 2026 11:47
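
The validation discussed in the review above (a bounds check before the uint16 conversion, whitespace trimming, numeric cipher IDs), as an added Go example that is not the project's config package. `parseTLSSettings` and its parameters are hypothetical names, and the version-code check and the lookup against `tls.CipherSuites()` go beyond what the review asked for.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// parseTLSSettings is a hypothetical helper, not the project's GetConfig.
// minVersion and cipherList stand for the parsed tls-min-version and
// tls-cipher-suites flag values.
func parseTLSSettings(minVersion uint, cipherList string) (uint16, []uint16, error) {
	// Reject rather than truncate: uint16(65536+771) would become 771.
	if minVersion > math.MaxUint16 {
		return 0, nil, fmt.Errorf("tls-min-version %d does not fit in uint16", minVersion)
	}
	// 0 keeps the crypto/tls default; otherwise require a known version code.
	if minVersion != 0 && (minVersion < tls.VersionTLS10 || minVersion > tls.VersionTLS13) {
		return 0, nil, fmt.Errorf("tls-min-version %d is not a TLS version code", minVersion)
	}
	if strings.TrimSpace(cipherList) == "" {
		return uint16(minVersion), nil, nil
	}
	// Suites Go implements and does not list as insecure.
	supported := map[uint16]bool{}
	for _, cs := range tls.CipherSuites() {
		supported[cs.ID] = true
	}
	var suites []uint16
	for _, field := range strings.Split(cipherList, ",") {
		field = strings.TrimSpace(field) // accept "49195, 49199"
		id, err := strconv.ParseUint(field, 10, 16)
		if err != nil {
			return 0, nil, fmt.Errorf("can't parse cipher %q; %w", field, err)
		}
		if !supported[uint16(id)] {
			return 0, nil, fmt.Errorf("cipher %d is not a supported suite", id)
		}
		suites = append(suites, uint16(id))
	}
	return uint16(minVersion), suites, nil
}

func main() {
	// Constructed sample inputs.
	fmt.Println(parseTLSSettings(771, "49195, 49199"))
	fmt.Println(parseTLSSettings(66307, "")) // 65536+771
}
```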