Drop roxctl dependency [mc]#238
Conversation
Replace the roxctl subprocess call for generating Cluster Registration Secrets with a direct HTTP POST to Central's REST API endpoint (/v1/cluster-init/crs). This eliminates the requirement for users to install a matching roxctl binary. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Warning Review limit reached
Next review available in: 29 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughCRS generation now uses Central’s HTTPS REST API with retries and custom TLS verification instead of roxctl. The deployer no longer requires roxctl, and workflow and README prerequisites now reference roxie. ChangesCentral CRS migration
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Deployer
participant CentralHTTPClient
participant Central
participant TLSVerifier
Deployer->>CentralHTTPClient: Create configured client
Deployer->>Central: POST /v1/cluster-init/crs
Central->>TLSVerifier: Verify Central certificate
TLSVerifier-->>Central: Accept configured or Central service CA
Central-->>Deployer: Return CRS JSON
Deployer->>Deployer: Trim, validate, or retry CRS generation
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
internal/deployer/crs.go (1)
97-97: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low valueOptional: set an explicit TLS
MinVersion.The
tls.ConfigomitsMinVersion; while the client default is TLS 1.2, pinningMinVersion: tls.VersionTLS12(or 1.3) makes the security posture explicit.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@internal/deployer/crs.go` at line 97, Explicitly set the minimum TLS version when constructing the tls.Config in the relevant client setup, using MinVersion: tls.VersionTLS12 (or tls.VersionTLS13 if supported), rather than relying on the default.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Line 11: Mark github.com/pkg/errors v0.9.1 as an indirect dependency in
go.mod, preserving the existing dependency classification since no Go source
imports it directly.
In `@internal/deployer/crs.go`:
- Around line 79-92: Update the retry/error handling in the CRS generation loop
so retryable errors on the final attempt are recorded and exit the loop instead
of being returned as non-retryable. Use the existing lastErr handling and final
“failed after attempts” return, while preserving immediate returns for genuinely
non-retryable errors; adjust the logic around the retry condition in the CRS
generation method.
- Around line 116-117: Update centralVerifyFunc and its call site in the TLS
setup to accept an explicit hostname argument, passing the request host with its
port removed; use that argument for certificate DNSName validation instead of
reading conf.ServerName from the captured tls.Config.
---
Nitpick comments:
In `@internal/deployer/crs.go`:
- Line 97: Explicitly set the minimum TLS version when constructing the
tls.Config in the relevant client setup, using MinVersion: tls.VersionTLS12 (or
tls.VersionTLS13 if supported), rather than relying on the default.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Enterprise
Run ID: 972615fb-6a05-44b8-9f2e-4c85014d9ac9
📒 Files selected for processing (6)
.github/workflows/e2e-tests.ymlREADME.mdgo.modinternal/deployer/crs.gointernal/deployer/deployer.gointernal/deployer/roxctl.go
💤 Files with no reviewable changes (3)
- internal/deployer/roxctl.go
- README.md
- .github/workflows/e2e-tests.yml
b7105dd to
170535c
Compare
Modified version of #234.
Summary by CodeRabbit
New Features
Improvements
roxctlCLI; onlykubectlis required.roxieCLI.Bug Fixes