feat: set certificate size limits in CTLog

[fghanmi]

Summary by Sourcery

Add configurable maximum certificate chain size support for CTLog by introducing a new CRD parameter and passing it to the CTFE deployment.

New Features:

• Introduce MaxCertChainSize field in CTLogSpec with a default of 153600 bytes
• Extend CTLog and SecureSign CRDs to include maxCertChainSize with default value
• Modify the controller to append --max_cert_chain_size flag to the CTFE container arguments based on the new field

[sourcery-ai]

Reviewer's Guide

Introduce a configurable maximum certificate chain size in CTLog by adding a new spec field, updating CRD schemas, and passing the flag into the deployment container arguments.

ER diagram for CTlog CRD schema update

erDiagram
    CTlogSpec {
        int64 maxCertChainSize
    }

Loading

Class diagram for updated CTlogSpec struct

classDiagram
    class CTlogSpec {
        TLS TLS
        +int64 MaxCertChainSize
    }

Loading

File-Level Changes

Change	Details	Files
Add MaxCertChainSize field to CTlogSpec struct	Declared MaxCertChainSize as an optional *int64 with default annotation Added json tag json:"maxCertChainSize,omitempty"	api/v1alpha1/ctlog_types.go
Expose maxCertChainSize in CRD schemas with default and description	Inserted maxCertChainSize property under spec for both CTlog and SecureSign CRDs Set default value, description, format, and type in each schema	config/crd/bases/rhtas.redhat.com_ctlogs.yaml config/crd/bases/rhtas.redhat.com_securesigns.yaml
Inject --max_cert_chain_size flag into CTLog deployment args	Appended "--max_cert_chain_size" and the formatted Spec.MaxCertChainSize value to container.Args	internal/controller/ctlog/actions/deployment.go

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @fghanmi - I've reviewed your changes and they look great!

Prompt for AI Agents

Please address the comments from this code review:
## Individual Comments

### Comment 1
<location> `internal/controller/ctlog/actions/deployment.go:152` </location>
<code_context>
 		}

 		container.Args = appArgs
+		container.Args = append(container.Args, "--max_cert_chain_size", fmt.Sprintf("%d", *instance.Spec.MaxCertChainSize))

 		volumeMount := kubernetes.FindVolumeMountByNameOrCreate(container, volumeName)
</code_context>

<issue_to_address>
Potential nil pointer dereference for MaxCertChainSize.

Add a nil check for MaxCertChainSize before dereferencing, or use a default value if it is nil, to prevent a runtime panic.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Potential nil pointer dereference for MaxCertChainSize.

Add a nil check for MaxCertChainSize before dereferencing, or use a default value if it is nil, to prevent a runtime panic.

[osmman]

Please add a nil check before dereferencing values. We've encountered bugs previously due to improper handling of nil values like this. The simplest approach would be to conditionally add the --max... statement only when the value is not nil.

[sourcery-ai]

You're absolutely right—since MaxCertChainSize is a pointer, it can be nil if not set in the CR, even though the CRD and Go struct specify a default. The safest approach is to only append the --max_cert_chain_size argument if MaxCertChainSize is not nil. Here’s a suggested code snippet for the nil check:

if instance.Spec.MaxCertChainSize != nil {
    container.Args = append(container.Args, "--max_cert_chain_size", fmt.Sprintf("%d", *instance.Spec.MaxCertChainSize))
}

This will prevent any nil pointer dereference and runtime panics. If you want to always set a value, you could also provide a fallback default in the else branch, but the above is the minimal and safest fix. Let me know if you need a more defensive pattern or want to discuss defaulting strategies!

[fghanmi]

I thought that since we have a default value of MaxCertChainSize, it won't be nil.

[sourcery-ai]

That's a great question! While the CRD does specify a default for maxCertChainSize, this default is only applied by the Kubernetes API server when a resource is created or updated through the API. In the Go struct, MaxCertChainSize is a pointer (*int64), and if the field is omitted in the YAML or the object is created programmatically (e.g., in tests or by direct instantiation), the pointer can still be nil.

So, unless you can guarantee that every instance of the struct always comes from the API server (with defaulting applied), it's safest to check for nil before dereferencing. This is a common pattern in Kubernetes controllers to avoid panics from nil pointers.

Let me know if you'd like more details on how defaulting works or how to handle this defensively in your code!