COO-1749: ObservabilityInstaller: do not require TLS spec for https

[pavolloffay]

This PRs enables HTTPS/TLS in TempoStack when https:// is specified in the object storage endpoint.

Before this PR the HTTPS could be be enabled with the following CR:

apiVersion: observability.openshift.io/v1alpha1
kind: ObservabilityInstaller
metadata:
  name: tracing
  namespace: observability
spec:
  capabilities:
    tracing:
      enabled: true
      operators:
        install: true
      storage:
        objectStorage:
          tls: {}    # <-- add this, empty struct will instruct to use HTTPS in TempoStack                                                                                                        
          s3:                                                                                                              
            bucket: hlab                                                                                                           
            endpoint: https://hel1.your-objectstorage.com/                                                                          
            accessKeyID: <redacted>                                                                                                
            accessKeySecret:                                                                                                       
              name: s3-access-secret                                                                                               
              key: access_key_secret                                                                                               
            region: eu-central                                                                                                     

[openshift-ci-robot]

@pavolloffay: This pull request references COO-1749 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PRs enables HTTPS/TLS in TempoStack when https:// is specified in the object storage endpoint.

Before this PR the HTTPS could be be enabled with the following CR:

apiVersion: observability.openshift.io/v1alpha1
kind: ObservabilityInstaller
metadata:
 name: tracing
 namespace: observability
spec:
 capabilities:
   tracing:
     enabled: true
     operators:
       install: true
     storage:
       objectStorage:
         tls: {}    # <-- add this, empty struct will instruct to use HTTPS in TempoStack                                                                                                        
         s3:                                                                                                              
           bucket: hlab                                                                                                           
           endpoint: https://hel1.your-objectstorage.com/                                                                          
           accessKeyID: <redacted>                                                                                                
           accessKeySecret:                                                                                                       
             name: s3-access-secret                                                                                               
             key: access_key_secret                                                                                               
           region: eu-central                                                                                                     

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pavolloffay
Once this PR has been reviewed and has the lgtm label, please assign jgbernalp for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 414b0770-bc84-4ff3-a230-360abf0a094c

📥 Commits

Reviewing files that changed from the base of the PR and between a4f6d14 and c61b9c4.

📒 Files selected for processing (1)

• pkg/controllers/observability/tempo_components.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/controllers/observability/tempo_components.go

---

📝 Walkthrough

Walkthrough

Tempo TLS enablement in the controller was modified: TLS is now activated when an explicit TLS block is present or when the S3 object storage endpoint URL begins with "https://". A new helper detects HTTPS endpoints; when TLS is enabled solely by the endpoint, CA/cert/min-version fields remain unset.

Changes

Cohort / File(s)	Summary
Tempo TLS logic pkg/controllers/observability/tempo_components.go	Adjusted tempoStack() to enable tempo.Spec.Storage.TLS.Enabled when ObjectStorageSpec.TLS exists OR S3 endpoint starts with https:// (new s3hasHTTPSEndpoint() using strings). If TLS is enabled only via HTTPS endpoint and the TLS block is nil, CA/cert/min-version fields are not populated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: enabling HTTPS/TLS in TempoStack based on endpoint prefix detection, without requiring explicit TLS spec configuration.
Description check	✅ Passed	The description is directly related to the changeset, providing context about enabling HTTPS/TLS in TempoStack when https:// is specified in the S3 endpoint, with a concrete example.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controllers/observability/tempo_components.go`:
- Around line 78-80: The TLS cert reference is inconsistent:
tempo.Spec.Storage.TLS.Cert is set to tempoStorageSecretName(instance.Name)
while the actual secret created in tempoStackSecrets uses
tempoSecretName(instance.Name). Update the reference so both use the same
helper; e.g., change the assignment to tempo.Spec.Storage.TLS.Cert =
tempoSecretName(instance.Name) (or alternatively change tempoStackSecrets to
emit tempoStorageSecretName) so tempo.Spec.Storage.TLS.Cert, tempoStackSecrets,
tempoSecretName and tempoStorageSecretName are consistent.
- Around line 107-109: The function s3hasHTTPSEndpoint currently checks
storageSpec.S3.Endpoint with a case-sensitive HasPrefix; update
s3hasHTTPSEndpoint to first guard storageSpec.S3 and storageSpec.S3.Endpoint for
nil/empty, then TrimSpace on storageSpec.S3.Endpoint and perform a
case-insensitive prefix check for "https://" (e.g.,
strings.HasPrefix(strings.ToLower(trimmedEndpoint), "https://")) so inputs like
" HTTPS://..." or "https://..." are correctly recognized as HTTPS endpoints.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8200a183-47dd-46c7-b533-64de21e0fa23

📥 Commits

Reviewing files that changed from the base of the PR and between d4dcc62 and 8b36879.

📒 Files selected for processing (1)

• pkg/controllers/observability/tempo_components.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

TLS cert secret reference does not match the generated TLS secret name

At Line 79, TempoStack is configured to read certs from tempoStorageSecretName(instance.Name), but the TLS secret built in tempoStackSecrets uses tempoSecretName(instance.Name) (Line 168). This mismatch can break TLS cert mounting at runtime.

Proposed fix

--- a/pkg/controllers/observability/tempo_components.go
+++ b/pkg/controllers/observability/tempo_components.go
@@
 			objectStorageTLSSecret = &corev1.Secret{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Secret",
 					APIVersion: corev1.SchemeGroupVersion.String(),
 				},
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      tempoSecretName(instance.Name),
+					Name:      tempoStorageSecretName(instance.Name),
 					Namespace: instance.Namespace,
 				},
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/observability/tempo_components.go` around lines 78 - 80, The
TLS cert reference is inconsistent: tempo.Spec.Storage.TLS.Cert is set to
tempoStorageSecretName(instance.Name) while the actual secret created in
tempoStackSecrets uses tempoSecretName(instance.Name). Update the reference so
both use the same helper; e.g., change the assignment to
tempo.Spec.Storage.TLS.Cert = tempoSecretName(instance.Name) (or alternatively
change tempoStackSecrets to emit tempoStorageSecretName) so
tempo.Spec.Storage.TLS.Cert, tempoStackSecrets, tempoSecretName and
tempoStorageSecretName are consistent.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

HTTPS detection is too strict and can miss valid HTTPS endpoints

strings.HasPrefix(endpoint, "https://") is case-sensitive and does not trim whitespace. Inputs like HTTPS://... or " https://..." won’t enable TLS, even though they are logically HTTPS endpoints.

Proposed fix

 func s3hasHTTPSEndpoint(storageSpec obsv1alpha1.TracingObjectStorageSpec) bool {
-	if storageSpec.S3 != nil && strings.HasPrefix(storageSpec.S3.Endpoint, "https://") {
-		return true
-	}
-	return false
+	if storageSpec.S3 == nil {
+		return false
+	}
+	endpoint := strings.TrimSpace(storageSpec.S3.Endpoint)
+	return strings.HasPrefix(strings.ToLower(endpoint), "https://")
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func s3hasHTTPSEndpoint(storageSpec obsv1alpha1.TracingObjectStorageSpec) bool {
	if storageSpec.S3 != nil && strings.HasPrefix(storageSpec.S3.Endpoint, "https://") {
	return true
	func s3hasHTTPSEndpoint(storageSpec obsv1alpha1.TracingObjectStorageSpec) bool {
	if storageSpec.S3 == nil {
	return false
	}
	endpoint := strings.TrimSpace(storageSpec.S3.Endpoint)
	return strings.HasPrefix(strings.ToLower(endpoint), "https://")
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/observability/tempo_components.go` around lines 107 - 109,
The function s3hasHTTPSEndpoint currently checks storageSpec.S3.Endpoint with a
case-sensitive HasPrefix; update s3hasHTTPSEndpoint to first guard
storageSpec.S3 and storageSpec.S3.Endpoint for nil/empty, then TrimSpace on
storageSpec.S3.Endpoint and perform a case-insensitive prefix check for
"https://" (e.g., strings.HasPrefix(strings.ToLower(trimmedEndpoint),
"https://")) so inputs like " HTTPS://..." or "https://..." are correctly
recognized as HTTPS endpoints.

[IshwarKanse]

Test Results: ObservabilityInstaller S3 HTTPS endpoint fix

Commit: f526580 (fix: ObservabilityInstaller: do not require TLS spec for https)
Cluster: OpenShift 4.x with COO built from the fix commit, tempo-operator v0.20.4

Setup

• MinIO deployed as S3-compatible storage in coo-test namespace
• ObservabilityInstaller CR created for each scenario, verified the generated TempoStack spec.storage.tls and the Tempo ConfigMap storage.trace.s3.insecure field

Results

#	Scenario	TLS.Enabled	insecure	Result
1	https:// endpoint, no tls block	true	false	✅ PASS
2	http:// endpoint, no tls block	false	true	✅ PASS
3	https:// endpoint, tls: {minVersion: VersionTLS13}	true	false	✅ PASS
4	http:// endpoint, tls: {minVersion: VersionTLS12}	true	false	✅ PASS
5	https:// endpoint, empty tls: {}	true	false	✅ PASS
6	No scheme in endpoint, no tls block	false	true	✅ PASS

Details

• Test 1 (bug fix): Previously failed because TLS.Enabled was false when no tls block was provided, causing Tempo to connect over HTTP. Now the COO detects https:// in the S3 endpoint and sets TLS.Enabled = true automatically.
• Test 2 (no regression): http:// endpoints without TLS config remain insecure as expected.
• Test 3 (no regression): Explicit tls block with minVersion works as before, with https:// also triggering TLS enablement.
• Test 4 (no regression): Explicit tls block overrides the http:// scheme, enabling TLS. This is existing behavior preserved.
• Test 5 (no regression): Empty tls: {} workaround still works. Both tls != nil and s3hasHTTPSEndpoint() trigger TLS.
• Test 6 (edge case): Endpoint without a scheme is treated as insecure (HTTP), consistent with the tempo-operator's getS3Params() behavior.

Note on Azure / GCS

The fix only checks S3 endpoints (s3hasHTTPSEndpoint). This is correct because:

• Azure and GCS always connect over HTTPS using the system CA trust store
• The tempo-operator rejects TLS.Enabled = true for Azure and GCS with: "custom TLS settings are not supported for Azure/Google Cloud Storage"
• No changes needed for non-S3 storage backends

[jan--f]

Just one small question, otherwise this looks good.

[jan--f]

nit: Should this perhaps use the url package?