feat: support Developer Portal ConsoleCLIDownload URLs#76
Conversation
Update the openshift strategy to handle ConsoleCLIDownload links pointing to the Red Hat Developer Portal content gateway (.tar.gz archives) in addition to the existing cli-server format (.gz files). The URL matching in cliDownloads.go now supports both /clients/<os>/ (old) and _<os>_<arch> (new) patterns. The download logic branches on URL suffix: .tar.gz uses archive extraction with binary name resolution, .gz uses the existing gunzip path. This is fully backward-compatible with older operator versions. Implements SECURESIGN-2158 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Sachin Sampras M <sampras343@gmail.com>
Verification Report for SECURESIGN-4910 (commit cf83ae4)
Overall: WARNCommit traceability references the parent operator task SECURESIGN-2158 rather than the companion task SECURESIGN-4910, which was created after the PR. This is an acceptable deviation given the retroactive task creation — the Jira link between the two tasks provides bidirectional traceability. This comment was AI-generated by sdlc-workflow/verify-pr v0.8.2. |
Adversarial Council ReviewAn independent 4-agent review council was run against this PR. Findings below, ranked by priority. Confirmed Bugs
Must Fix (before merge)
Should Fix
Verification Report CorrectionsThe automated verification report posted earlier has three inaccuracies:
Backward CompatibilityThe "fully backward-compatible" claim holds for all realistic deployment scenarios (CRs have either old-format or new-format links, never both). However, the URL matching predicate was broadened from Nice to Have
This comment was generated by an adversarial review council (4 independent agents: correctness, backward compatibility, report audit, architecture). |
- Extract cgwNameOverride, ContentGatewayName, and FindBinary to shared pkg/support/cgw.go to eliminate DRY violation between cgw and openshift strategies - Return descriptive error from ConsoleCLIDownload when no link matches the running OS/arch instead of returning empty string with nil error - Add delimiter guards to matchArch (use _<arch>. and -<arch>. patterns) for consistency with matchOS - Use url.Parse before .tar.gz suffix check to handle URLs with query parameters - Add TestStrategyErrorNoMatchingLink test covering the empty-link scenario Implements SECURESIGN-2158 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Sachin Sampras M <sampras343@gmail.com>
Council Verification — Fix Commit ReviewA follow-up council (3 agents: fix verification, goal alignment, regression risk) reviewed the fix commit Fix Status
Regression Risk: NO_RISK
Goal Alignment: ALIGNED
Remaining ItemThe Windows This comment was generated by a council verification review (3 agents: fix verification, goal alignment, regression risk assessment). |
Summary
cliDownloads.goURL matching to support both old cli-server (/clients/<os>/) and new Developer Portal (_<os>_<arch>) URL formats.tar.gzarchive handling to the openshift strategy with binary name resolution (includingcgwNameOverrideforgitsign→gitsign_cli).gzURLs continue to work via the existingDownloadFromLinkpathCompanion to securesign/secure-sign-operator#1988 which moves ConsoleCLIDownload management from the operator controller to static OLM manifests pointing to the Red Hat Developer Portal.
Implements SECURESIGN-2158
Backward compatibility
https://<cli-server>/clients/linux/cosign-amd64.gz/linux/, downloads viaDownloadFromLink(plain .gz) — unchangedhttps://developers.redhat.com/.../cosign_linux_amd64.tar.gz_linux_, downloads viadownloadTarGz(tar.gz extraction) — new pathTest plan
TestStrategyCliServer— old cli-server format still worksTestStrategyContentGateway— new content gateway format worksTestStrategyContentGatewayNameOverride— gitsign → gitsign_cli name mapping worksTestStrategyError— nonexistent CR returns errorgo test ./pkg/...pass