OCPBUGS-77830: skip redirect when validating endpoint accessibility

[tthvo]

The installer uses HTTP HEAD to validate if user-provided service endpoint URLs are reachable. However, in some cases, the request results in a redirect to AWS doc URL, which can causes install failure in disconnected environment. The users should not be required to open access to AWS docs to install.

For example:

$ curl --head https://sts.ap-southeast-1.amazonaws.com HTTP/1.1 302 Found
Location: https://aws.amazon.com/iam

Summary by CodeRabbit

• Bug Fixes
  • Improved AWS endpoint accessibility validation to properly manage HTTP response resources and handle redirect behavior correctly during installation configuration checks.

[openshift-ci-robot]

@tthvo: This pull request explicitly references no jira issue.

Details

In response to this:

The installer uses HTTP HEAD to validate if user-provided service endpoint URLs are reachable. However, in some cases, the request results in a redirect to AWS doc URL, which can causes install failure in disconnected environment. The users should not be required to open access to AWS docs to install.

For example:

$ curl --head https://sts.ap-southeast-1.amazonaws.com HTTP/1.1 302 Found
Location: https://aws.amazon.com/iam

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign patrickdillon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/asset/installconfig/aws/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tthvo]

/cc @barbacbd

[tthvo]

For more information, we are having an internal discussion here: https://redhat-internal.slack.com/archives/C68TNFWA2/p1772550190769159

[tthvo]

/test images

[tthvo]

/payload-job periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-usgov-ipi-private-ep-fips-f7

[openshift-ci]

@tthvo: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-usgov-ipi-private-ep-fips-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/f0f1aa00-1817-11f1-9934-a73d804ad55f-0

[tthvo]

/retitle OCPBUGS-77830: skip redirect when validating endpoint accessibility

[openshift-ci-robot]

@tthvo: This pull request references Jira Issue OCPBUGS-77830, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gpei

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The installer uses HTTP HEAD to validate if user-provided service endpoint URLs are reachable. However, in some cases, the request results in a redirect to AWS doc URL, which can causes install failure in disconnected environment. The users should not be required to open access to AWS docs to install.

For example:

$ curl --head https://sts.ap-southeast-1.amazonaws.com HTTP/1.1 302 Found
Location: https://aws.amazon.com/iam

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tthvo]

/jira refresh

[openshift-ci-robot]

@tthvo: This pull request references Jira Issue OCPBUGS-77830, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yunjiang29

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Modified HTTP endpoint accessibility checks in AWS validation by replacing a direct http.Head call with a custom http.Client configured to disable redirects and properly defer response body closure for improved resource management.

Changes

Cohort / File(s)	Summary
HTTP Client Configuration pkg/asset/installconfig/aws/validation.go	Replaces direct http.Head call with custom http.Client that disables redirects via CheckRedirect returning http.ErrUseLastResponse, adds deferred response body closure, and preserves existing error handling.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: skipping redirects when validating endpoint accessibility, which directly addresses the changeset's modification to the HTTP client configuration.
Stable And Deterministic Test Names	✅ Passed	This PR modifies only the implementation of validateEndpointAccessibility function in a non-test file and does not add, modify, or create any Ginkgo tests.
Test Structure And Quality	✅ Passed	PR modifies only production code in validation.go; existing tests use standard Go testing, not Ginkgo; no test code changes introduced.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/asset/installconfig/aws/validation.go (1)

867-877: LGTM! Redirect handling is correctly implemented.

The use of CheckRedirect returning http.ErrUseLastResponse is the idiomatic Go pattern to stop following redirects while still receiving the response. The defer resp.Body.Close() is correctly placed after the error check, avoiding nil pointer issues.

One optional enhancement: consider adding a timeout to the client to prevent indefinite hangs in slow network environments:

,

💡 Optional: Add timeout for improved reliability

 	client := &http.Client{
+		Timeout: 30 * time.Second,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse // Don't follow redirects
 		},
 	}

This would require adding "time" to the imports.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/asset/installconfig/aws/validation.go` around lines 867 - 877, Add a
timeout to the HTTP client used when checking the service endpoint to avoid
indefinite hangs: set client := &http.Client{Timeout: time.Second *
<reasonable_duration>, CheckRedirect: func(req *http.Request, via
[]*http.Request) error { return http.ErrUseLastResponse }} and import "time";
update the instantiation around the existing client variable and its
CheckRedirect handler in the same block so Head(endpointURL) uses the timed
client.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/asset/installconfig/aws/validation.go`:
- Around line 867-877: Add a timeout to the HTTP client used when checking the
service endpoint to avoid indefinite hangs: set client := &http.Client{Timeout:
time.Second * <reasonable_duration>, CheckRedirect: func(req *http.Request, via
[]*http.Request) error { return http.ErrUseLastResponse }} and import "time";
update the instantiation around the existing client variable and its
CheckRedirect handler in the same block so Head(endpointURL) uses the timed
client.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9a4a0338-e02b-45b3-827f-027826d33a74

📥 Commits

Reviewing files that changed from the base of the PR and between a6ba91c and 1d50dff.

📒 Files selected for processing (1)

• pkg/asset/installconfig/aws/validation.go

[tthvo]

For local testing, I set the environment variable GODEBUG=http2debug=2 to enable http client debug with:

platform:
  aws:
    region: ap-southeast-1
    serviceEndpoints:
    - name: sts
      url: https://sts.ap-southeast-1.amazonaws.com

GODEBUG=http2debug=2 ./openshift-install create manifests

From the debug logs, there should never be a connection to aws.amazon.com:443 (previously this was the case).

[openshift-ci]

@tthvo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-shared-vpc-edge-zones	1d50dff	link	false	/test e2e-aws-ovn-shared-vpc-edge-zones
ci/prow/e2e-aws-ovn-single-node	1d50dff	link	false	/test e2e-aws-ovn-single-node
ci/prow/e2e-aws-ovn-heterogeneous	1d50dff	link	false	/test e2e-aws-ovn-heterogeneous
ci/prow/e2e-aws-byo-subnet-role-security-groups	1d50dff	link	false	/test e2e-aws-byo-subnet-role-security-groups
ci/prow/e2e-aws-ovn-edge-zones	1d50dff	link	false	/test e2e-aws-ovn-edge-zones

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.