pkg/risk/adminack: Extract the first valid https:// URI from message

wking · wking · commit 7764ea6c6c15 · 2026-05-18T14:02:48.000-07:00
Conditional update risks require a URL [1]. I'd previously just used a placeholder FIXME while building out the broader logic. But now that the broader logic is setting in, I'm coming back to extract a useful URL from the admin-gate message. These admin-gate messages were already bubbling up into Upgradeable messages, and the web-console linkifies them using react-linkify [2], which in turn uses linkify-it [3], which has some fairly complex regular-expression handling [4]. Rather than port that logic to Go, I'm just assuming that admin-gate authors are considerate enough to leave whitespace after the URI, and that when they don't, users will be savvy enough to find the URI in the message themselves. The real-world gate I'm using to seed the new test-cases is from [5]. [1]: https://github.com/openshift/api/blob/73d7ca93df6d0a1b02f5533ce20f68d27869a1fe/config/v1/types_cluster_version.go#L909-L913 [2]: https://github.com/openshift/console/blob/c94391787806efd0ca67206cdf5cdb92f6f0e8a5/frontend/public/components/app.tsx#L16 [3]: https://github.com/tasti/react-linkify/blob/325cb5e43300d7ada5bdf8d2849783d98fcd3c2c/src/decorators/defaultMatchDecorator.js#L3 [4]: https://github.com/markdown-it/linkify-it/blob/8e887d5bace3f5b09b1d1f70492fa0364ef1793d/lib/re.mjs [5]: openshift/machine-config-operator@f249bea#diff-436a15d11f20b12603ca30029771a45151c594aa2860dc68ac1f7c79c7a5d123R16-R17
diff --git a/pkg/risk/adminack/adminack.go b/pkg/risk/adminack/adminack.go
@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"regexp"
 	"slices"
 	"strings"
@@ -32,6 +33,7 @@ const (
 )
 
 var adminAckGateRegexp = regexp.MustCompile(adminAckGateFmt)
+var uriRegexp = regexp.MustCompile("https://[^[:space:]]*")
 
 type adminAck struct {
 	name             string
@@ -169,6 +171,7 @@ func gateApplicableToCurrentVersion(gateName string, currentVersion semver.Versi
 }
 
 func checkAdminGate(gateName string, gateValue string, riskNamePrefix string, currentVersion semver.Version, ackConfigmap *corev1.ConfigMap) *configv1.ConditionalUpdateRisk {
+	uri := "https://docs.redhat.com/en/documentation/openshift_container_platform/"
 	riskName := fmt.Sprintf("%s%s", riskNamePrefix, gateName)
 	if applies, err := gateApplicableToCurrentVersion(gateName, currentVersion); err == nil {
 		if !applies {
@@ -178,7 +181,7 @@ func checkAdminGate(gateName string, gateValue string, riskNamePrefix string, cu
 		return &configv1.ConditionalUpdateRisk{
 			Name:          riskName,
 			Message:       fmt.Sprintf("%s configmap gate %q is invalid: %v", internal.AdminGatesConfigMap, gateName, err),
-			URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
+			URL:           uri,
 			MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 		}
 
@@ -187,15 +190,32 @@ func checkAdminGate(gateName string, gateValue string, riskNamePrefix string, cu
 		return &configv1.ConditionalUpdateRisk{
 			Name:          riskName,
 			Message:       fmt.Sprintf("%s configmap gate %s must contain a non-empty value.", internal.AdminGatesConfigMap, gateName),
-			URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
+			URL:           uri,
 			MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 		}
 	}
+
+	for _, match := range uriRegexp.FindAllString(gateValue, -1) {
+		if _, err := url.Parse(match); err == nil {
+			uri = match
+			break
+		}
+	}
+
+	if ackConfigmap == nil {
+		return &configv1.ConditionalUpdateRisk{
+			Name:          riskName,
+			Message:       gateValue,
+			URL:           uri,
+			MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
+		}
+	}
+
 	if val, ok := ackConfigmap.Data[gateName]; !ok || val != "true" {
 		return &configv1.ConditionalUpdateRisk{
 			Name:          riskName,
 			Message:       gateValue,
-			URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+			URL:           uri,
 			MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 		}
 	}
diff --git a/pkg/risk/adminack/adminack_test.go b/pkg/risk/adminack/adminack_test.go
@@ -69,7 +69,7 @@ func Test_New(t *testing.T) {
 			expectedRisks: []configv1.ConditionalUpdateRisk{{
 				Name:          "AdminAck-ack-4.21-test",
 				Message:       "Description.",
-				URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+				URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
 				MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 			}},
 		},
@@ -86,7 +86,7 @@ func Test_New(t *testing.T) {
 			expectedRisks: []configv1.ConditionalUpdateRisk{{
 				Name:          "AdminAck-ack-4.21-test",
 				Message:       "Description A.",
-				URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+				URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
 				MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 			}},
 		},
@@ -104,7 +104,7 @@ func Test_New(t *testing.T) {
 				{
 					Name:          "AdminAck-ack-4.21-with-description",
 					Message:       "Description.",
-					URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+					URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
 					MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 				},
 				{
@@ -130,20 +130,20 @@ func Test_New(t *testing.T) {
 				{
 					Name:          "AdminAck-ack-4.21-a",
 					Message:       "Description 1.",
-					URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+					URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
 					MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 				},
 				{
 					Name:          "AdminAck-ack-4.21-b",
 					Message:       "Description 2.",
-					URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+					URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
 					MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 				},
 
 				{
 					Name:          "AdminAck-ack-4.21-c",
 					Message:       "Description 3.",
-					URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+					URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
 					MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 				},
 			},
@@ -176,7 +176,7 @@ func Test_New(t *testing.T) {
 			expectedRisks: []configv1.ConditionalUpdateRisk{{
 				Name:          "AdminAck-ack-4.21-b",
 				Message:       "Description 2.",
-				URL:           "https://example.com/FIXME-look-for-a-URI-in-the-message",
+				URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/",
 				MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
 			}},
 		},
@@ -452,6 +452,66 @@ func Test_gateApplicableToCurrentVersion(t *testing.T) {
 	}
 }
 
+func Test_checkAdminGate(t *testing.T) {
+	riskNamePrefix := "AdminAck-"
+	tests := []struct {
+		name           string
+		gateName       string
+		gateValue      string
+		currentVersion string
+		ackConfigmap   *corev1.ConfigMap
+		expectedRisk   *configv1.ConditionalUpdateRisk
+	}{
+		{
+			name:           "valid gate not acknowledged",
+			gateName:       "ack-4.20-sigstore-in-4.21",
+			gateValue:      "This cluster has mirrors configured. 4.21 will require Sigstore signatures for quay.io/openshift-release-dev/ocp-release release verification. Please ensure that any registries configured as mirrors of quay.io/openshift-release-dev/ocp-release images contain the Sigstore signature images associated with any release images before updating to 4.21. See https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/nodes/nodes-sigstore-using.html#nodes-sigstore-prepare-for-4.21_nodes-sigstore-using for more details.",
+			currentVersion: "4.20.15",
+			expectedRisk: &configv1.ConditionalUpdateRisk{
+				Name:          "AdminAck-ack-4.20-sigstore-in-4.21",
+				Message:       "This cluster has mirrors configured. 4.21 will require Sigstore signatures for quay.io/openshift-release-dev/ocp-release release verification. Please ensure that any registries configured as mirrors of quay.io/openshift-release-dev/ocp-release images contain the Sigstore signature images associated with any release images before updating to 4.21. See https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/nodes/nodes-sigstore-using.html#nodes-sigstore-prepare-for-4.21_nodes-sigstore-using for more details.",
+				URL:           "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/nodes/nodes-sigstore-using.html#nodes-sigstore-prepare-for-4.21_nodes-sigstore-using",
+				MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
+			},
+		},
+		{
+			name:           "valid gate not acknowledged, newline at end of URI",
+			gateName:       "ack-4.20-sigstore-in-4.21",
+			gateValue:      "This cluster has mirrors configured. See https://example.com/\nfor details.",
+			currentVersion: "4.20.15",
+			expectedRisk: &configv1.ConditionalUpdateRisk{
+				Name:          "AdminAck-ack-4.20-sigstore-in-4.21",
+				Message:       "This cluster has mirrors configured. See https://example.com/\nfor details.",
+				URL:           "https://example.com/",
+				MatchingRules: []configv1.ClusterCondition{{Type: "Always"}},
+			},
+		},
+		{
+			name:           "valid gate acknowledged",
+			gateName:       "ack-4.20-sigstore-in-4.21",
+			gateValue:      "This cluster has mirrors configured. 4.21 will require Sigstore signatures for quay.io/openshift-release-dev/ocp-release release verification. Please ensure that any registries configured as mirrors of quay.io/openshift-release-dev/ocp-release images contain the Sigstore signature images associated with any release images before updating to 4.21. See https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/nodes/nodes-sigstore-using.html#nodes-sigstore-prepare-for-4.21_nodes-sigstore-using for more details.",
+			currentVersion: "4.20.15",
+			ackConfigmap: &corev1.ConfigMap{
+				Data: map[string]string{"ack-4.20-sigstore-in-4.21": "true"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		{
+			t.Run(tt.name, func(t *testing.T) {
+				version, err := semver.Parse(tt.currentVersion)
+				if err != nil {
+					t.Fatalf("unable to parse version %q: %v", tt.currentVersion, err)
+				}
+				risk := checkAdminGate(tt.gateName, tt.gateValue, riskNamePrefix, version, tt.ackConfigmap)
+				if diff := cmp.Diff(tt.expectedRisk, risk); diff != "" {
+					t.Errorf("risk mismatch (-want +got):\n%s", diff)
+				}
+			})
+		}
+	}
+}
+
 // waits for admin ack configmap changes
 func waitForCm(t *testing.T, cmChan chan *corev1.ConfigMap) {
 	select {
