Test helm chart for CRL

[jkralik]

No description provided.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Several services related to certificate authority, HTTP routing, and TLS configuration were updated. The authorization rules are now instantiated with multiple API paths, incorporating a deprecated constant. CRL enablement is centralized, and signing record revocation skips invalid entries. Helm charts gained new helper functions to configure CRL and certificate settings. Routing endpoints were modified to reflect updated paths. Additionally, certificate validation in both client and server code now accepts a client flag, with new logic ensuring consistent checks for certificate file pairs, and the authorization rule creation now supports a variadic API paths argument.

Changes

File(s)	Change Summary
certificate-authority/service/{http/service.go, service.go, uri/uri.go}	Updated authorization rules instantiation to include a deprecated API; centralized CRL enablement; added DeprecatedAPI constant.
certificate-authority/store/mongodb/signingRecords.go	Introduced a check to skip processing signing records with an empty issuerID.
charts/plgd-hub/templates/_helpers.tpl	Added multiple Helm template functions for external/internal certificate and CRL configurations, and updated CA pool volume/mount checks.
http-gateway/web/{packages/mock-server/src/routes/devices.js, src/containers/Certificates/constants.ts, src/containers/Devices/hooks.ts}	Modified endpoint paths from /api/v1/signing/records to /certificate-authority/api/v1/signing/records.
pkg/net/http/auth.go	Changed NewDefaultAuthorizationRules to accept variadic API paths; consolidated authorization rule creation using a loop.
pkg/security/certManager/general/{certManager.go, clientCertManager.go, server/certManager.go} and pkg/security/tls/client.go	Enhanced certificate manager and TLS validation: Validate now accepts a client flag, added isSetClientCertificate, and refined client certificate checks requiring both CertFile and KeyFile.
pkg/security/tls/crl.go	Updated CRLConfig's HTTP field JSON/YAML tags to include omitempty so that unset values are omitted.

Sequence Diagram(s)

sequenceDiagram
    participant Svc as HTTP Service New
    participant Auth as NewDefaultAuthorizationRules
    Svc->>Auth: Call with (uri.API, uri.DeprecatedAPI)
    loop For each API path
        Auth->>Auth: Compile AuthArgs with regex
    end
    Auth-->>Svc: Return authorization rules map

Loading

sequenceDiagram
    participant CM as CertManager
    participant V as Config.Validate
    participant TLS as GetClientTLSConfig
    CM->>V: Validate(client flag)
    alt client flag is true
        Note over CM: Skip CertFile/KeyFile errors
    else client flag is false
        Note over CM: Require both CertFile and KeyFile present
    end
    CM->>CM: isSetClientCertificate check
    CM->>TLS: Assemble TLS config with client certificate if set

Loading

Poem

I’m a rabbit dancing through the code,
Leaping over changes in a boundless mode.
Deprecated paths now join in the fun,
CRL and TLS shine like the sun.
With each hop, the structure grows neat—
Carrots and code make my day complete!

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[jkralik]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (2)

pkg/security/certManager/server/certManager.go (2)

32-55: ⚠️ Potential issue

Method signature in server/certManager.go is out of sync with general package

The Validate method in this file doesn't have the optional parameter, but it's being called with a boolean parameter. This indicates that the method signature here hasn't been updated to match the one in the general package.

The method in this file should be updated to match the signature in the general package:

-func (c *Config) Validate() error {
+func (c *Config) Validate(optional bool) error {
   if c.validated {
     return nil
   }
   caPoolArray, ok := strings.ToStringArray(c.CAPool)
   if !ok {
     return fmt.Errorf("caPool('%v') - unsupported", c.CAPool)
   }
   c.caPoolArray = urischeme.ToURISchemeArray(caPoolArray)
-  if !c.CAPoolIsOptional && len(caPoolArray) == 0 {
+  if !optional && !c.CAPoolIsOptional && len(caPoolArray) == 0 {
     return fmt.Errorf("caPool('%v') - is empty", c.CAPool)
   }
   if c.CertFile == "" {
     return fmt.Errorf("certFile('%v')", c.CertFile)
   }
   if c.KeyFile == "" {
     return fmt.Errorf("keyFile('%v')", c.KeyFile)
   }
   if err := c.CRL.Validate(); err != nil {
     return fmt.Errorf("CRL configuration is invalid: %w", err)
   }
   c.validated = true
   return nil
}

---

85-89: ⚠️ Potential issue

Invalid call to Validate method without parameter

The code is calling the local config.Validate() method without a parameter, but later calls cfg.Validate(false) with a parameter. This inconsistency could lead to compatibility issues.

Update the call to include the appropriate parameter:

  if !config.validated {
-    if err := config.Validate(); err != nil {
+    if err := config.Validate(false); err != nil {
      return nil, err
    }
  }

🧹 Nitpick comments (8)

certificate-authority/service/service.go (1)

161-163: Centralized CRL enablement logic improves consistency

The change centralizes the CRL enablement determination by setting it once based on clear conditions and immediately updating the relevant configuration property. This is better than having this logic scattered across the code.

Consider adding a comment explaining the conditions required for CRL to be enabled, as this is a critical security feature:

+ // CRL is enabled only when externalAddress is set and the database storage supports revocation list
  crlEnabled := externalAddress != "" && dbStorage.SupportsRevocationList()
  config.Signer.CRL.Enabled = crlEnabled

pkg/security/tls/client.go (1)

36-37: Improved validation logic for certificate and key files

The validation now correctly ensures that both key and certificate files are either both present or both absent, replacing the previous separate checks. This enforces proper certificate-key pair configuration.

However, note that the AI summary mentioned a new parameter client bool being added to the Validate method signature, but it's not visible in this code segment. Verify if this parameter should be implemented as part of this change.

pkg/security/certManager/general/certManager.go (1)

240-244: Thread-safe check for client certificates
Locking within isSetClientCertificate ensures concurrency safety. Consider renaming the method (e.g., isClientCertConfiguredLocked) to reflect the locking explicitly.

charts/plgd-hub/templates/_helpers.tpl (5)

123-129: Maintain consistency for internal CRL config
internalCRLConfig parallels the external certificate config. Double-check that both internal and external configurations share consistent naming and structure for clarity.

---

220-235: CRL authorization config extends logic
crlAuthorizationConfig merges local CRL definitions with global ones. Consider documenting how local vs. global CRL settings merge to avoid confusion among chart users.

---

274-289: Unified approach for internal CRL
crlInternalConfig merges both local and global internal CRL definitions. Align naming (e.g., internalCRLConfig vs. crlInternalConfig) for consistency across all CRL definitions.

---

681-688: Dynamic CA pool key resolution
crlHttpTlsCaPoolKey returns "ca.crt" if a custom CA pool key is provided. This is simple and direct; consider verifying or logging the resolved filenames to assist debugging.

---

697-704: tls.key resolution
crlHttpTlsKeyKey analogously returns "tls.key". If there's potential for multiple keys, consider a naming pattern or documentation for large-scale usage.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 983b8cc and 8ec4871.

⛔ Files ignored due to path filters (45)

• .github/workflows/golangci-lint.yml is excluded by !**/*.yml
• certificate-authority/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/certificate-authority/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/certificate-authority/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/certs/authorization/ca-pool.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/certs/authorization/crl.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/certs/coap/crl.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/certs/internal/crl.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/coap-gateway/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/coap-gateway/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/device-provisioning-service/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/device-provisioning-service/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/grpc-gateway/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/grpc-gateway/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/grpc-reflection/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/grpc-reflection/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/http-gateway/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/http-gateway/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/identity-store/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/identity-store/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/m2m-oauth-server/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/m2m-oauth-server/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/mock-oauth-server/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/mock-oauth-server/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/mongodb-standby-tool/job.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/resource-aggregate/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/resource-aggregate/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/resource-directory/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/snippet-service/config.yaml is excluded by !**/*.yaml
• charts/plgd-hub/templates/snippet-service/deployment.yaml is excluded by !**/*.yaml
• charts/plgd-hub/values.yaml is excluded by !**/*.yaml
• cloud2cloud-connector/config.yaml is excluded by !**/*.yaml
• cloud2cloud-gateway/config.yaml is excluded by !**/*.yaml
• coap-gateway/config.yaml is excluded by !**/*.yaml
• device-provisioning-service/config.yaml is excluded by !**/*.yaml
• grpc-gateway/config.yaml is excluded by !**/*.yaml
• http-gateway/config.yaml is excluded by !**/*.yaml
• http-gateway/web/package-lock.json is excluded by !**/package-lock.json, !**/*.json
• identity-store/config.yaml is excluded by !**/*.yaml
• m2m-oauth-server/config.yaml is excluded by !**/*.yaml
• resource-aggregate/config.yaml is excluded by !**/*.yaml
• resource-directory/config.yaml is excluded by !**/*.yaml
• snippet-service/config.yaml is excluded by !**/*.yaml
• test/helm/mock.plgd.cloud.yaml is excluded by !**/*.yaml
• tools/grpc-reflection/config.yaml is excluded by !**/*.yaml

📒 Files selected for processing (14)

• certificate-authority/service/http/service.go (1 hunks)
• certificate-authority/service/service.go (1 hunks)
• certificate-authority/service/uri/uri.go (1 hunks)
• certificate-authority/store/mongodb/signingRecords.go (1 hunks)
• charts/plgd-hub/templates/_helpers.tpl (4 hunks)
• http-gateway/web/packages/mock-server/src/routes/devices.js (1 hunks)
• http-gateway/web/src/containers/Certificates/constants.ts (1 hunks)
• http-gateway/web/src/containers/Devices/hooks.ts (1 hunks)
• pkg/net/http/auth.go (1 hunks)
• pkg/security/certManager/general/certManager.go (4 hunks)
• pkg/security/certManager/general/clientCertManager.go (1 hunks)
• pkg/security/certManager/server/certManager.go (1 hunks)
• pkg/security/tls/client.go (1 hunks)
• pkg/security/tls/crl.go (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

certificate-authority/store/mongodb/signingRecords.go (1)

Learnt from: Danielius1922
PR: plgd-dev/hub#1383
File: certificate-authority/store/mongodb/signingRecords.go:139-141
Timestamp: 2024-11-12T08:47:34.608Z
Learning: In `certificate-authority/store/mongodb/signingRecords.go`, within the `RevokeSigningRecords` method, expired signing records are deleted but not added to the revocation list.

🔇 Additional comments (24)

http-gateway/web/src/containers/Certificates/constants.ts (1)

2-2:

Details

✅ Verification successful

API path updated to include service prefix - ensure consistent usage across codebase

The certificate endpoint URL has been updated to include the certificate-authority prefix. This change aligns with a broader restructuring of API paths in the application.

---

🏁 Script executed:

#!/bin/bash
# Verify consistent usage of the new certificate authority endpoint across the codebase

# Check for references to the old endpoint that might need updating
rg -A 2 -B 2 "/api/v1/signing/records" --type ts --type js

Length of output: 1481

---

API Path Consistency Verified

• The certificate endpoint now correctly uses the /certificate-authority/api/v1/signing/records path.
• Verification across constants.ts, devices.js, and hooks.ts confirms consistent usage of the new endpoint.
• No additional modifications are required.

certificate-authority/store/mongodb/signingRecords.go (1)

158-161: Handle legacy records with empty issuerIDs correctly

This is a good defensive change to skip processing records with empty issuerIDs during revocation. This ensures that only valid records are included in revocation lists, preventing potential errors when adding to the revocation list.

The comment adequately explains the purpose of this check, making the code more maintainable.

certificate-authority/service/uri/uri.go (1)

8-8:

Details

✅ Verification successful

Clear labeling of deprecated API path - ensure consistent transition strategy

Explicitly marking the old API path as deprecated is a good practice for managing API transitions. This constant will help maintain backward compatibility while the system transitions to the new path structure.

---

🏁 Script executed:

#!/bin/bash
# Check how the DeprecatedAPI constant is used across the codebase
# to ensure consistent handling of the API deprecation

rg -A 2 -B 2 "DeprecatedAPI" --type go

Length of output: 877

---

Deprecated API transition strategy confirmed

The constant DeprecatedAPI is clearly defined in certificate-authority/service/uri/uri.go as "/api/v1" and its usage—particularly in the authorization rules setup in certificate-authority/service/http/service.go—demonstrates a consistent approach to API deprecation. No further changes are needed.

http-gateway/web/src/containers/Devices/hooks.ts (1)

131-131:

Details

❓ Verification inconclusive

Updated certificate endpoint to use new path structure

This change correctly implements the new API path structure for certificate-related operations, consistent with the changes in other parts of the application.

However, note that the provisioning record endpoint on line 144 still uses the old path structure (${url}/api/v1/provisioning-records). Consider whether this endpoint should also be updated for consistency.

---

🏁 Script executed:

#!/bin/bash
# Check if other provisioning-related endpoints still use the old path pattern
# or if they should also be updated

rg -A 2 -B 2 "/api/v1/provisioning-records" --type ts --type js

Length of output: 1416

---

Action: Confirm Endpoint Consistency

The certificate endpoint update to /certificate-authority/api/v1/signing/records has been verified and is correct. However, our search confirms that the provisioning records endpoint still uses the legacy /api/v1/provisioning-records in multiple parts of the codebase (e.g., in http-gateway/web/src/containers/DeviceProvisioning/constants.ts, the hooks file, and in the mock server routes). Please verify whether the provisioning records endpoint should remain unchanged or if it also needs to be updated to a new path structure for consistency.

pkg/security/tls/crl.go (1)

113-113:

Details

❓ Verification inconclusive

Added omitempty tag for more efficient serialization

Adding the omitempty tag to the HTTP field ensures that nil values aren't serialized to JSON/YAML, resulting in cleaner output and reduced payload size when CRL's HTTP configuration isn't needed.

Let's check if there are other fields in this package that might benefit from similar omitempty tag additions:

---

🏁 Script executed:

#!/bin/bash
# Find other struct fields in this package that could benefit from omitempty tags
rg -A 1 -B 1 "type \w+Config struct" pkg/security/tls/
rg "json:\"[^,]+\"" pkg/security/tls/ | grep -v "omitempty"

Length of output: 2396

---

Serializer Tags Consistency: Review Additional Candidates for omitempty

The recent change to add the omitempty tag for the HTTP field in CRLConfig improves serialization when that configuration isn’t supplied. A search of the package revealed several other fields that currently lack the omitempty tag and might similarly benefit from it:

• In pkg/security/tls/client.go within ClientConfig:

  • CAPool (json:"caPool") – Consider adding omitempty since this value may be nil.
  • KeyFile (json:"keyFile") – Evaluate if omitting empty strings is appropriate.
  • CertFile (json:"certFile") – Ditto as above.
  • UseSystemCAPool (json:"useSystemCaPool") – Assess if a false default should be omitted.
  • CRL (json:"crl") – Determine if its absence should result in omission.

• In pkg/security/tls/crl.go:

  • Several fields (e.g., MaxIdleConns, MaxConnsPerHost, MaxIdleConnsPerHost, IdleConnTimeout, Timeout, and possibly others within related config structs) are defined without omitempty. Please review whether omitting these fields when they are set to zero is desirable for your serialization use cases.

Please review and confirm that adding omitempty to these fields won’t inadvertently affect consumers relying on the current behavior.

http-gateway/web/packages/mock-server/src/routes/devices.js (1)

166-166:

Details

✅ Verification successful

API path updated for better service organization

The endpoint has been updated to follow a more structured approach by prefixing the path with the service name (certificate-authority). This change aligns with API best practices for better discoverability and organization.

Let's check if this endpoint change is consistent with other client code that might need to be updated:

---

🏁 Script executed:

#!/bin/bash
# Search for references to the old API path that might need updating
rg "/api/v1/signing/records" --type js --type ts
# Compare with new path to ensure this change is consistent
rg "/certificate-authority/api/v1/signing/records" --type js --type ts

Length of output: 955

---

Verification Complete: Endpoint References Consistent

The updated endpoint /certificate-authority/api/v1/signing/records is used consistently across the codebase:

• Defined in http-gateway/web/packages/mock-server/src/routes/devices.js
• Referenced in both http-gateway/web/src/containers/Certificates/constants.ts and http-gateway/web/src/containers/Devices/hooks.ts

No further changes are required.

pkg/security/certManager/server/certManager.go (1)

99-99:

Details

✅ Verification successful

Validate method signature updated to support conditional validation

The update to pass false to the Validate method indicates that the validation logic has been enhanced to support conditional validation. This allows for more flexibility in certificate validation across different contexts.

Let's examine the changes to the Validate method signature and implementation to understand the meaning of this new parameter:

---

🏁 Script executed:

#!/bin/bash
# Search for the updated Validate method in the general package
rg -A 20 "func \(c \*Config\) Validate\(optional bool\)" pkg/security/certManager/general/
# Look for all calls to this method to ensure consistency
rg "Validate\((true|false)\)" pkg/security/certManager/

Length of output: 340

---

Action Required: Confirming Conditional Validation Usage

The updated signature of the Validate method now accepts a boolean parameter to control conditional validation. Our investigation confirms that:

• In pkg/security/certManager/general/clientCertManager.go, the method is correctly called as cfg.Validate(true).
• In pkg/security/certManager/server/certManager.go, the method is correctly called as cfg.Validate(false).

This consistent usage across both client and server contexts verifies that the update supports flexible certificate validation as intended.

certificate-authority/service/http/service.go (1)

40-40:

Details

✅ Verification successful

Added support for deprecated API paths in authorization rules

The change correctly adds uri.DeprecatedAPI to the authorization rules, ensuring backward compatibility while moving to new API paths.

---

🏁 Script executed:

#!/bin/bash
# Verify that DeprecatedAPI constant exists and is used properly
echo "Checking for DeprecatedAPI constant definition..."
fd --type f "\.go$" | xargs grep -l "DeprecatedAPI.*=" 
echo "Checking for usages of DeprecatedAPI:"
rg "DeprecatedAPI" -A 2 -B 2

Length of output: 1159

---

Verified: Deprecated API constant usage is correct

The changes add backward compatibility as intended. The constant DeprecatedAPI is properly defined in certificate-authority/service/uri/uri.go and is correctly used in certificate-authority/service/http/service.go with the call to pkgHttp.NewDefaultAuthorizationRules(uri.API, uri.DeprecatedAPI). No further modifications are needed.

pkg/net/http/auth.go (2)

21-30: Improved authorization rules to support multiple API paths

The function has been enhanced to accept multiple API paths via a variadic parameter, making it more flexible. The implementation correctly handles each API path and adds proper error handling for empty API paths.

---

32-36: Refactored return statement to reduce code redundancy

The return statement has been simplified to reuse the same authorization arguments slice for all HTTP methods, which follows the DRY principle and makes the code more maintainable.

pkg/security/certManager/general/clientCertManager.go (1)

53-53:

Details

✅ Verification successful

Updated Validate method call with client flag parameter

The code now passes true to the Validate method, indicating this is a client certificate configuration. This aligns with changes in the certificate validation system.

---

🏁 Script executed:

#!/bin/bash
# Verify that the Validate method in Config accepts a bool parameter
echo "Checking for Validate method implementation with bool parameter:"
rg "func \(\w+\s+\*?Config\) Validate\(.*bool" -A 5

Length of output: 729

---

Client Certificate Validation Confirmed

The verification confirms that the Validate method in pkg/security/certManager/general/certManager.go accepts a boolean parameter. The update to pass true in pkg/security/certManager/general/clientCertManager.go correctly signals a client certificate configuration. No further modifications are necessary.

pkg/security/certManager/general/certManager.go (3)

41-55: Revisit the optional certificate logic in Validate(client bool)
By making CertFile and KeyFile optional only when client == true, the current approach implies that client certificates are always optional but server certificates are strictly required. Verify that this behavior aligns with actual requirements for mutual TLS, as client certificates might also need enforcement in some contexts.

---

191-195: Conditional client certificate assignment looks correct
Proactively assigning GetClientCertificate based on whether the client certificate is set is a good approach. This avoids unnecessary loading of certificates when they are not present.

---

272-272: Double-check the AND condition when loading certs
Line 272 checks if a.config.KeyFile == "" && a.config.CertFile == "". This omits certificate loading if both are empty, meaning one non-empty file triggers loading. Confirm that partial certificate data is intentional and does not break mutual TLS.

charts/plgd-hub/templates/_helpers.tpl (10)

116-121: Ensure alignment of external certificate logic
The new externalCertificateConfig references .Values.extraCAPool.external. Confirm that external CA pools or file paths exist where required.

---

185-188: Conditional CRL inclusion
The CRL block is only included if $httpTls.crl is defined. Ensure you have test scenarios where CRL is absent to confirm the fallback logic works properly.

---

190-219: Centralized CRL configuration
Defining plgd-hub.CRLConfig to handle CRL parameters in one place is neat. Verify that all CRL values (e.g., timeouts, concurrency) are tested with realistic Helm values to catch misconfigurations early.

---

237-252: Fallback to certificate authority config
CRLConfigFromCertificateAuthority provides a fallback if CRL is not explicitly enabled. Ensure that using default coap-based timeouts for CRL is acceptable or documented.

---

254-272: Conditional CoAP CRL configuration
crlCoapConfig first checks if CRL is enabled, then falls back to either CRLConfig or certificate authority. Confirm there's no unintended double fallback or conflicting CRL.

---

672-679: Guard check for CRL authorization
crlAuthorizationEnabled checks for a valid CA pool. Confirm that a missing CA pool gracefully disables CRL, and that the user is aware CRL won't be enforced.

---

689-696: tls.crt resolution
Similar approach for crlHttpTlsCrtKey returns "tls.crt". Confirm no overlap with possibly existing user-defined certificate naming conventions in multi-tenant deployments.

---

705-712: Check for internal CRL pool
crlInternalEnabled is consistent with the rest of the CRL detection. Verify that enabling internal CRL doesn't conflict with other certificate managers or CRL settings.

---

714-721: CoAP-level CRL enablement
crlCoapEnabled funnels the logic for CoAP CRL. Ensure that downstream references to this toggle handle partial or incomplete CRL data.

---

774-781: CRL volume and mount definitions
crlVolume and crlMount re-use the existing extra CA pool logic. This approach is DRY and coherent. Good job.

[jkralik]

@coderabbitai summary

[coderabbitai]

✅ Actions performed

Summary regeneration triggered.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
90.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud