
fix(tlsutils): fix nil error wrapping and wrong env var in TLS config #6198

Merged
k8s-ci-robot merged 1 commit into kubernetes-sigs:master from gofogo:fix/tlsutils-bugs-and-clarity
Feb 20, 2026

@ivankatliarchuk ivankatliarchuk commented Feb 14, 2026

What does it do?

  • loadRoots wrapped a nil err with %w when PEM parsing failed, producing "could not read root certs: "
  • Test set %s_INSECURE but code reads %s_TLS_INSECURE, so insecure path was never tested
  • defaultMinVersion = 0 replaced with tls.VersionTLS12, as it's the current default min version
  • Added parentheses in cert/key boolean check

Motivation

  • The nil-wrap bug hides the root cause when a CA file contains invalid PEM data
  • The env var mismatch means insecure TLS mode has had zero test coverage
  • Explicit TLS version makes intent clear instead of relying on implicit Go behavior

More

  • Yes, this PR title follows Conventional Commits
  • Yes, I added unit tests
  • Yes, I updated end user documentation accordingly
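
An added example, not code from this PR or from external-dns, of the three points the description above lists: wrapping a nil error, the `%s_TLS_INSECURE` variable name, and an explicit minimum TLS version. The function names, the `errNoPEMCerts` sentinel, the `EXAMPLE` prefix and the use of `strconv.ParseBool` are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"strconv"
)

// errNoPEMCerts is a hypothetical sentinel, not an external-dns identifier.
var errNoPEMCerts = errors.New("no valid PEM certificates found")

// loadRootsBuggy: AppendCertsFromPEM reports failure as a bool, so the
// err wrapped here is still nil and the returned error carries no cause.
func loadRootsBuggy(pemData []byte) (*x509.CertPool, error) {
	var err error
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemData) {
		return nil, fmt.Errorf("could not read root certs: %w", err)
	}
	return pool, nil
}

// loadRootsFixed wraps a real error so callers can match it with errors.Is.
func loadRootsFixed(pemData []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemData) {
		return nil, fmt.Errorf("could not read root certs: %w", errNoPEMCerts)
	}
	return pool, nil
}

// insecureFromEnv reads <prefix>_TLS_INSECURE; ParseBool is an assumption.
func insecureFromEnv(prefix string) bool {
	v, err := strconv.ParseBool(os.Getenv(prefix + "_TLS_INSECURE"))
	return err == nil && v
}

// newTLSConfig states the minimum version explicitly instead of leaving it 0.
func newTLSConfig(roots *x509.CertPool, prefix string) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, InsecureSkipVerify: insecureFromEnv(prefix)}
}

func main() {
	_, bad := loadRootsBuggy([]byte("constructed: not PEM"))
	_, good := loadRootsFixed([]byte("constructed: not PEM"))
	fmt.Println(errors.Unwrap(bad) == nil, errors.Is(good, errNoPEMCerts))
	fmt.Println(newTLSConfig(nil, "EXAMPLE").MinVersion == tls.VersionTLS12)
}
```

A test that sets `EXAMPLE_INSECURE` never reaches the insecure branch, because only `EXAMPLE_TLS_INSECURE` is read.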

@k8s-ci-robot k8s-ci-robot added the tls Issues or PRs related to tls label Feb 14, 2026
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 14, 2026

coveralls commented Feb 14, 2026

Pull Request Test Coverage Report for Build 22020176200

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.001%) to 79.152%

Totals Coverage Status
Change from base Build 21942518735: -0.001%
Covered Lines: 16037
Relevant Lines: 20261

💛 - Coveralls

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
@ivankatliarchuk ivankatliarchuk force-pushed the fix/tlsutils-bugs-and-clarity branch from 9023fd4 to 542d187 Compare February 14, 2026 15:54
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 14, 2026

@vflaux vflaux left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 19, 2026
@ivankatliarchuk

/approve

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ivankatliarchuk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 20, 2026
@k8s-ci-robot k8s-ci-robot merged commit d5b942d into kubernetes-sigs:master Feb 20, 2026
19 checks passed
@ivankatliarchuk ivankatliarchuk deleted the fix/tlsutils-bugs-and-clarity branch February 21, 2026 10:02
ivankatliarchuk added a commit to gofogo/k8s-sigs-external-dns-fork that referenced this pull request Mar 10, 2026
…_total

* master: (21 commits)
  refactor(testutils): extract log test helpers into subpackage to fix (kubernetes-sigs#6236)
  chore(deps): bump mkdocs-material (kubernetes-sigs#6237)
  feat(endpoint): reject alias property on unsupported record types (kubernetes-sigs#6188)
  fix(charts): Skip cluster-scope RBAC on namespaced (kubernetes-sigs#5843)
  chore(deps): bump the dev-dependencies group across 1 directory with 3 updates (kubernetes-sigs#6226)
  feat(pdns): add --[no-]prefer-alias flag and alias annotation support (kubernetes-sigs#6129)
  fix(ci): failed to download the coveralls binary from GitHub releases (kubernetes-sigs#6228)
  docs: add external-dns-pscloud-webhook to New providers list (kubernetes-sigs#6214)
  fix(crd): allow trailing dot in CNAME targets (kubernetes-sigs#6218)
  docs: added deep wiki badge (kubernetes-sigs#6215)
  feat(crd): Support MX record with trailing dot (kubernetes-sigs#6163)
  chore(source): standardize sources with merge endpoints and deduplicate targets (kubernetes-sigs#6174)
  chore(store): Added RESTConfig() to ClientGenerator (kubernetes-sigs#6177)
  chore(ingress): clarify that both IP and Hostname are collected from LoadBalancer status (kubernetes-sigs#6138)
  chore(endpoint): added empty checks (kubernetes-sigs#6157)
  chore(linter): enable unparam (kubernetes-sigs#6160)
  fix(tlsutils): fix nil error wrapping and wrong env var in TLS config (kubernetes-sigs#6198)
  chore(endpoint): harden crypto (kubernetes-sigs#6197)
  feat(fqdn): Deduplicate and sort ExecTemplate output. Add functions (kubernetes-sigs#6173)
  benchmark(endpoint): endpoint benchmarks (kubernetes-sigs#6156)
  ...