🌱 OPRUN-4550: Replace generated mozilla_data.go with go:embed + runtime parsing#2634
🌱 OPRUN-4550: Replace generated mozilla_data.go with go:embed + runtime parsing#2634tmshort wants to merge 1 commit intooperator-framework:mainfrom
Conversation
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull request overview
This PR replaces the generated mozilla_data.go file with an embedded JSON approach, simplifying the TLS profile management. Instead of generating Go code from the Mozilla SSL/TLS Configuration Guidelines, the PR embeds the JSON data and parses it at runtime during package initialization. This eliminates the dependency on gojq and makes profile updates clearer through simple JSON diffs.
Changes:
- Embed
mozilla_data.jsonusinggo:embedand parse at init() time instead of generating Go code - Simplify
update-tls-profiles.shto just download the JSON file, removing all jq-based code generation - Add
TestNoSkippedCiphersto validate that all ciphers in the Mozilla data are supported by Go's crypto/tls - Remove
gojqdependency from the Makefile
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
internal/shared/util/tlsprofiles/mozilla_data.go |
Rewritten to embed and parse mozilla_data.json at runtime, with helper functions to convert Mozilla cipher/curve names to Go TLS identifiers |
internal/shared/util/tlsprofiles/mozilla_data.json |
New embedded JSON file containing Mozilla TLS profile configurations for "modern" and "intermediate" profiles |
hack/tools/update-tls-profiles.sh |
Simplified from 131 lines to 12 lines - now just downloads JSON from Mozilla instead of generating Go code |
Makefile |
Removed gojq dependency from the update-tls-profiles target |
internal/shared/util/tlsprofiles/tlsprofiles_test.go |
Added TestNoSkippedCiphers to ensure all ciphers in the embedded data are supported by Go |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2634 +/- ##
==========================================
+ Coverage 68.93% 68.94% +0.01%
==========================================
Files 139 140 +1
Lines 9891 9931 +40
==========================================
+ Hits 6818 6847 +29
- Misses 2563 2569 +6
- Partials 510 515 +5
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
tmshort
changed the title
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rashmigottipati The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
|
||
| .PHONY: update-tls-profiles | ||
| update-tls-profiles: $(GOJQ) #EXHELP Update TLS profiles from the Mozilla wiki | ||
| env JQ=$(GOJQ) hack/tools/update-tls-profiles.sh |
There was a problem hiding this comment.
Seems to me here we drop the only usage of gojq, but we keep it still in bingo files (.bingo/gojq.mod, .bingo/Variables.mk, ...).
Should we drop it also from bingo?
Should be something like:
bingo-v0.9.0 get gojq@none
There was a problem hiding this comment.
Good catch, if not used anywhere else, we should remove it from bingo files as well.
There was a problem hiding this comment.
Done, and rebased, please re-review @pedjak
Embed mozilla_data.json and parse it at init() time using the existing cipherSuiteId()/curveId() helpers. Unsupported ciphers are skipped and recorded in skippedCiphers, validated by TestNoSkippedCiphers. Simplify update-tls-profiles.sh to a curl download and drop the gojq dependency. When the profile changes, `make verify` will show a diff of the profile. The build will still complete using the old data. The updated profile will need to be commited in order for it to be included in the build. Remove gojq from bingo. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Todd Short <tshort@redhat.com>
tmshort
force-pushed
the
use-embed-to-update-profiles
branch
from
d3e0d27 to
26ad8ee
Compare
pedjak
left a comment
pedjak
left a comment
There was a problem hiding this comment.
Overall this is a great simplification — removes fragile shell code-gen and a dependency (gojq) in favor of go:embed + runtime parsing with existing helpers. A couple of inline suggestions below.
| } | ||
| cipherNums = append(cipherNums, id) | ||
| } | ||
|
|
There was a problem hiding this comment.
Unsupported ciphers are tracked in skippedCiphers and validated by TestNoSkippedCiphers — nice. But unsupported curves (where curveId() returns 0) are silently dropped here with no tracking or test.
If Mozilla adds a new curve that Go does not yet support, this would silently weaken the profile. Consider adding a skippedCurves slice with a corresponding test, mirroring the cipher handling:
id := curveId(c)
if id == 0 {
skipped = append(skipped, "curve:"+c)
continue
}(Or a separate skippedCurves list if you prefer to keep them distinct.)
| if err := json.Unmarshal(mozillaDataJSON, &spec); err != nil { | ||
| panic(fmt.Sprintf("tlsprofiles: failed to parse embedded mozilla_data.json: %v", err)) | ||
| } | ||
|
|
There was a problem hiding this comment.
The init() panics are reasonable since the JSON is embedded at compile time — if it is invalid the binary should not start. Just confirming this is intentional and the team is comfortable with startup panics vs. lazy error returns.
| .PHONY: update-tls-profiles | ||
| update-tls-profiles: $(GOJQ) #EXHELP Update TLS profiles from the Mozilla wiki | ||
| env JQ=$(GOJQ) hack/tools/update-tls-profiles.sh | ||
| update-tls-profiles: #EXHELP Update TLS profiles from the Mozilla wiki |
There was a problem hiding this comment.
The PR description mentions that make verify will show a diff when the profile changes. How does that work? I don't see a new verify target or diff-checking logic added here. Is there an existing mechanism that re-runs update-tls-profiles and diffs the checked-in mozilla_data.json against the fresh download? Worth confirming this path works as described.
| func TestNoSkippedCiphers(t *testing.T) { | ||
| require.Empty(t, skippedCiphers, | ||
| "cipher(s) in mozilla_data.json are not supported by Go's crypto/tls and were omitted: %v", skippedCiphers) | ||
| } |
There was a problem hiding this comment.
Good test — catches newly-added ciphers that Go does not support yet.
Consider also adding a basic smoke test that asserts the parsed profile values match expectations (e.g. modernTLSProfile.minTLSVersion == tls.VersionTLS13, intermediate has ≥9 ciphers). This would catch upstream JSON schema changes that parse without error but produce wrong data. The existing tests exercise the profiles indirectly, so this is a nice-to-have rather than a blocker.
Embed mozilla_data.json and parse it at init() time using the existing cipherSuiteId()/curveId() helpers. Unsupported ciphers are skipped and recorded in skippedCiphers, validated by TestNoSkippedCiphers. Simplify update-tls-profiles.sh to a curl download and drop the gojq dependency.
When the profile changes,
make verifywill show a diff of the profile. The build will still complete using the old data. The updated profile will need to be commited in order for it to be included in the build.Description
Reviewer Checklist