CM-1113: Replace unsafe.Pointer casts with Kubernetes conversion functions

[sebrandon1]

Summary

• Replaces all 8 raw unsafe.Pointer casts between corev1.* and core.* types with Kubernetes auto-generated conversion functions from k8s.io/kubernetes/pkg/apis/core/v1
• Removes "unsafe" import from 3 files
• Adds ToCoreTolerations and ToV1Tolerations helpers in pkg/controller/common/validation.go to avoid repeating the conversion loop pattern

Why

The operator uses Kubernetes internal validation functions (corevalidation.ValidateTolerations, etc.) which require internal core.* types, but the public API uses corev1.* types. Previously, this was bridged with raw unsafe.Pointer casts like:

convTolerations := *(*[]core.Toleration)(unsafe.Pointer(&tolerations))

While the types are memory-layout compatible, raw unsafe casts are fragile and bypass Go's type system. Kubernetes already provides auto-generated conversion functions that handle this properly. The conversion functions still use unsafe.Pointer internally, but the cast is encapsulated, upstream-maintained, and follows the official Kubernetes conversion pattern.

Files changed

File	Before	After
pkg/controller/common/validation.go	3 unsafe casts	Conversion functions + exported helpers
pkg/controller/certmanager/deployment_helper.go	4 unsafe casts (3 in, 1 out)	common.ToCoreTolerations / common.ToV1Tolerations
pkg/controller/certmanager/deployment_overrides_validation.go	1 unsafe cast	common.ToCoreTolerations

Test plan

• go build ./... compiles cleanly
• make test passes
• make lint introduces no new issues
• CI e2e tests pass

Summary by CodeRabbit

• Refactor
  • Reworked internal conversion and validation logic for pod scheduling tolerations, affinity, and resource requirements to use safer, standardized conversion helpers instead of unsafe casts, improving reliability and correctness of scheduling and validation behavior.

[openshift-ci-robot]

@sebrandon1: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Replaces all 8 raw unsafe.Pointer casts between corev1.* and core.* types with Kubernetes auto-generated conversion functions from k8s.io/kubernetes/pkg/apis/core/v1
• Removes "unsafe" import from 3 files
• Adds ToCoreTolerations and ToV1Tolerations helpers in pkg/controller/common/validation.go to avoid repeating the conversion loop pattern

Why

The operator uses Kubernetes internal validation functions (corevalidation.ValidateTolerations, etc.) which require internal core.* types, but the public API uses corev1.* types. Previously, this was bridged with raw unsafe.Pointer casts like:

convTolerations := *(*[]core.Toleration)(unsafe.Pointer(&tolerations))

While the types are memory-layout compatible, raw unsafe casts are fragile and bypass Go's type system. Kubernetes already provides auto-generated conversion functions that handle this properly. The conversion functions still use unsafe.Pointer internally, but the cast is encapsulated, upstream-maintained, and follows the official Kubernetes conversion pattern.

Files changed

File	Before	After
pkg/controller/common/validation.go	3 unsafe casts	Conversion functions + exported helpers
pkg/controller/certmanager/deployment_helper.go	4 unsafe casts (3 in, 1 out)	common.ToCoreTolerations / common.ToV1Tolerations
pkg/controller/certmanager/deployment_overrides_validation.go	1 unsafe cast	common.ToCoreTolerations

Test plan

• go build ./... compiles cleanly
• make test passes
• make lint introduces no new issues
• CI e2e tests pass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f05f6a40-8ae4-4b9a-8986-d2d20570a098

📥 Commits

Reviewing files that changed from the base of the PR and between e2a2be8 and 2904b5e.

📒 Files selected for processing (3)

• pkg/controller/certmanager/deployment_helper.go
• pkg/controller/certmanager/deployment_overrides_validation.go
• pkg/controller/common/validation.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/controller/certmanager/deployment_helper.go
• pkg/controller/common/validation.go
• pkg/controller/certmanager/deployment_overrides_validation.go

---

Walkthrough

This PR replaces unsafe.Pointer-based type conversions with explicit Kubernetes conversion functions and new toleration slice helpers. It updates common validation to use k8s conversion funcs and adjusts two certmanager call sites to convert tolerations via the new helpers before merging or validating.

Changes

Unsafe Pointer Conversions to Kubernetes Functions Refactor

Layer / File(s)	Summary
Conversion utilities and common validation refactor pkg/controller/common/validation.go	Imports Kubernetes corev1 conversion functions, removes unsafe dependency. ValidateTolerationsConfig, ValidateResourceRequirements, and ValidateAffinityRules now convert v1 types to core types using k8s conversion functions. Adds ToCoreTolerations([]corev1.Toleration) []core.Toleration and ToV1Tolerations([]core.Toleration) []corev1.Toleration.
Tolerations merging in deployment helper pkg/controller/certmanager/deployment_helper.go	Updates mergePodScheduling to convert source and override tolerations via common.ToCoreTolerations, merge with tolerations.MergeTolerations, then convert the merged result back with common.ToV1Tolerations. Import list updated to use pkg/controller/common.
Tolerations validation in deployment overrides pkg/controller/certmanager/deployment_overrides_validation.go	Updates validateScheduling to convert tolerations using common.ToCoreTolerations before calling corevalidation.ValidateTolerations. Removes the previous unsafe-based cast and updates imports.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	New conversion functions ToCoreTolerations and ToV1Tolerations in common/validation.go lack dedicated unit test coverage; unit test assertions lack meaningful failure messages.	Add validation_test.go with tests for ToCoreTolerations/ToV1Tolerations; add meaningful messages to Expect assertions in unit tests.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	trustmanager_test.go line 540 uses kubernetes.io/hostname topology key for pod anti-affinity without SNO protection, will fail on Single Node OpenShift.	Add [Skipped:SingleReplicaTopology] label to 'should apply custom affinity to deployment' test or guard with exutil.IsSingleNode() check.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: replacing unsafe.Pointer casts with Kubernetes conversion functions, which is the primary objective of the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the PR are stable and deterministic, with no dynamic information like generated identifiers, timestamps, or variable interpolation in test titles.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are limited to controller and validation helper code files that refactor unsafe pointer casts to use Kubernetes conversion functions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only refactors tolerations/resource requirements type conversions using Kubernetes functions. No scheduling constraints (anti-affinity, topology spread, replicas, node selectors, PDBs) are added.
Ote Binary Stdout Contract	✅ Passed	PR contains only production controller utility functions with no process-level code, stdout writes, klog usage, or logging configuration that could violate OTE stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds no new Ginkgo e2e tests. It's a refactoring PR that modifies only non-test files to replace unsafe.Pointer casts with Kubernetes conversion functions.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom implementations, or non-constant-time secret comparisons found. Changes are type conversions and validation logic only.
Container-Privileges	✅ Passed	PR modifies only Go controller code (validation.go, deployment_helper.go, deployment_overrides_validation.go) with no Kubernetes manifest changes; no privileged container settings introduced.
No-Sensitive-Data-In-Logs	✅ Passed	PR replaces unsafe.Pointer casts with proper Kubernetes conversion functions. No new logging statements or sensitive data exposure found.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign swghosh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/common/validation.go`:
- Around line 22-23: The conversion functions ToCoreTolerations and
ToV1Tolerations must return (converted, error) instead of swallowing conversion
errors; update their signatures to return the error from
corev1conversion.Convert_* and change ValidateTolerationsConfig (and any callers
like the functions in deployment_overrides_validation.go and
deployment_helper.go) to accept the error, propagate it, and include conversion
errors in the returned validation.Aggregate (or wrap them into an appropriate
field error) so conversion failures are not silently ignored during
ValidateTolerations/ValidateTolerationsConfig flows.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e1b6f377-bc1b-484f-ac46-8a4699facf78

📥 Commits

Reviewing files that changed from the base of the PR and between db88f80 and e2a2be8.

📒 Files selected for processing (3)

• pkg/controller/certmanager/deployment_helper.go
• pkg/controller/certmanager/deployment_overrides_validation.go
• pkg/controller/common/validation.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="pkg/controller/common/validation.go"

echo "=== File exists? ==="
ls -la "$FILE" || exit 1

echo
echo "=== Lines 1-140 with numbers ==="
nl -ba "$FILE" | sed -n '1,140p'

echo
echo "=== Lines 140-260 with numbers ==="
nl -ba "$FILE" | sed -n '140,260p' || true

echo
echo "=== Find corev1conversion.Convert_* usage with ignored errors ==="
rg -n --hidden --no-ignore-vcs 'corev1conversion\.Convert_.*\(\s*[^)]*nil\)\s*$|_\s*=\s*corev1conversion\.Convert_|=\s*corev1conversion\.Convert_.*;?\s*$' "$FILE" || true

echo
echo "=== Find corev1conversion.Convert_* and see whether return is used ==="
rg -n --hidden --no-ignore-vcs 'corev1conversion\.Convert_[A-Za-z0-9_]*\(' "$FILE" || true

Repository: openshift/cert-manager-operator

Length of output: 277

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="pkg/controller/common/validation.go"

echo "=== Lines 1-140 with numbers (awk) ==="
awk '{printf "%d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'

echo
echo "=== Lines 140-260 with numbers (awk) ==="
awk '{printf "%d\t%s\n", NR, $0}' "$FILE" | sed -n '140,260p'

echo
echo "=== corev1conversion.Convert_* calls that may ignore errors ==="
rg -n --hidden --no-ignore-vcs 'corev1conversion\.Convert_.*\(' "$FILE" || true

echo
echo "=== Specifically look for '_' assignment to Convert_* ==="
rg -n --hidden --no-ignore-vcs '(_\s*=\s*)?corev1conversion\.Convert_.*' "$FILE" || true

Repository: openshift/cert-manager-operator

Length of output: 4672

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "ToCoreTolerations\(" pkg/controller || true
rg -n "ToV1Tolerations\(" pkg/controller || true
rg -n "ToCoreTolerations\(" . || true
rg -n "ToV1Tolerations\(" . || true

Repository: openshift/cert-manager-operator

Length of output: 1933

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect call sites mentioned by rg
sed -n '260,340p' pkg/controller/certmanager/deployment_overrides_validation.go
echo "----"
sed -n '80,160p' pkg/controller/certmanager/deployment_helper.go

Repository: openshift/cert-manager-operator

Length of output: 5464

---

Handle conversion errors instead of discarding them.

corev1conversion.Convert_* return errors are ignored in pkg/controller/common/validation.go (lines 29, 37, 58, 68), and ValidateTolerationsConfig passes the result of ToCoreTolerations without any error channel—this can silently validate partially/incorrectly converted data. Propagate these conversion errors back to callers; if changing ToCoreTolerations/ToV1Tolerations to return (…, error), update their call sites in pkg/controller/certmanager/deployment_overrides_validation.go and pkg/controller/certmanager/deployment_helper.go accordingly.

Proposed fix (pattern)

 import (
+	"fmt"
 	corev1 "k8s.io/api/core/v1"
 	apivalidation "k8s.io/apimachinery/pkg/api/validation"
 	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/apis/core"
 	corev1conversion "k8s.io/kubernetes/pkg/apis/core/v1"
 	corevalidation "k8s.io/kubernetes/pkg/apis/core/validation"
 )
@@
 func ValidateTolerationsConfig(tolerations []corev1.Toleration, fldPath *field.Path) error {
-	return corevalidation.ValidateTolerations(ToCoreTolerations(tolerations), fldPath.Child("tolerations")).ToAggregate()
+	convTolerations, err := ToCoreTolerations(tolerations)
+	if err != nil {
+		return fmt.Errorf("convert tolerations: %w", err)
+	}
+	return corevalidation.ValidateTolerations(convTolerations, fldPath.Child("tolerations")).ToAggregate()
 }
@@
 func ValidateResourceRequirements(requirements corev1.ResourceRequirements, fldPath *field.Path) error {
 	var convRequirements core.ResourceRequirements
-	_ = corev1conversion.Convert_v1_ResourceRequirements_To_core_ResourceRequirements(&requirements, &convRequirements, nil)
+	if err := corev1conversion.Convert_v1_ResourceRequirements_To_core_ResourceRequirements(&requirements, &convRequirements, nil); err != nil {
+		return fmt.Errorf("convert resource requirements: %w", err)
+	}
 	return corevalidation.ValidateContainerResourceRequirements(&convRequirements, nil, fldPath.Child("resources"), corevalidation.PodValidationOptions{}).ToAggregate()
 }
@@
 func ValidateAffinityRules(affinity *corev1.Affinity, fldPath *field.Path) error {
 	var convAffinity core.Affinity
-	_ = corev1conversion.Convert_v1_Affinity_To_core_Affinity(affinity, &convAffinity, nil)
+	if err := corev1conversion.Convert_v1_Affinity_To_core_Affinity(affinity, &convAffinity, nil); err != nil {
+		return fmt.Errorf("convert affinity: %w", err)
+	}
 	return validateAffinity(&convAffinity, corevalidation.PodValidationOptions{}, fldPath.Child("affinity")).ToAggregate()
 }
@@
-func ToCoreTolerations(in []corev1.Toleration) []core.Toleration {
+func ToCoreTolerations(in []corev1.Toleration) ([]core.Toleration, error) {
 	out := make([]core.Toleration, len(in))
 	for i := range in {
-		_ = corev1conversion.Convert_v1_Toleration_To_core_Toleration(&in[i], &out[i], nil)
+		if err := corev1conversion.Convert_v1_Toleration_To_core_Toleration(&in[i], &out[i], nil); err != nil {
+			return nil, err
+		}
 	}
-	return out
+	return out, nil
 }
@@
-func ToV1Tolerations(in []corev1.Toleration) []corev1.Toleration {
+func ToV1Tolerations(in []corev1.Toleration) ([]corev1.Toleration, error) {
 	out := make([]corev1.Toleration, len(in))
 	for i := range in {
-		_ = corev1conversion.Convert_core_Toleration_To_v1_Toleration(&in[i], &out[i], nil)
+		if err := corev1conversion.Convert_core_Toleration_To_v1_Toleration(&in[i], &out[i], nil); err != nil {
+			return nil, err
+		}
 	}
-	return out
+	return out, nil
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/common/validation.go` around lines 22 - 23, The conversion
functions ToCoreTolerations and ToV1Tolerations must return (converted, error)
instead of swallowing conversion errors; update their signatures to return the
error from corev1conversion.Convert_* and change ValidateTolerationsConfig (and
any callers like the functions in deployment_overrides_validation.go and
deployment_helper.go) to accept the error, propagate it, and include conversion
errors in the returned validation.Aggregate (or wrap them into an appropriate
field error) so conversion failures are not silently ignored during
ValidateTolerations/ValidateTolerationsConfig flows.

Source: Coding guidelines

[sebrandon1]

These conversion functions are auto-generated by Kubernetes' conversion-gen and always return nil — they just copy fields between structurally identical types. You can verify by reading the implementations in vendor/k8s.io/kubernetes/pkg/apis/core/v1/zz_generated.conversion.go:

func autoConvert_v1_Toleration_To_core_Toleration(in *corev1.Toleration, out *core.Toleration, s conversion.Scope) error {
    out.Key = in.Key
    out.Operator = core.TolerationOperator(in.Operator)
    out.Value = in.Value
    out.Effect = core.TaintEffect(in.Effect)
    out.TolerationSeconds = (*int64)(unsafe.Pointer(in.TolerationSeconds))
    return nil  // always nil
}

Same pattern for Convert_v1_Affinity_To_core_Affinity and Convert_v1_ResourceRequirements_To_core_ResourceRequirements — all unconditionally return nil.

Adding if err != nil handling for errors that can never occur would add boilerplate for an impossible code path and obscure the actual logic. The _ = assignment explicitly acknowledges the return value while keeping the code clean.

[coderabbitai]

@sebrandon1, that's a convincing explanation — thank you for pointing to the actual vendor implementation. Since zz_generated.conversion.go unconditionally returns nil for these field-by-field struct copies, adding if err != nil guards would indeed be dead code that obscures the intent. The _ = idiom cleanly acknowledges the return value without pretending the error path is reachable. I'll withdraw this concern.

---

✏️ Learnings added

Learnt from: sebrandon1
Repo: openshift/cert-manager-operator PR: 438
File: pkg/controller/common/validation.go:22-23
Timestamp: 2026-06-10T18:07:19.810Z
Learning: In the openshift/cert-manager-operator repository, the Kubernetes auto-generated conversion functions used in `pkg/controller/common/validation.go` (e.g., `corev1conversion.Convert_v1_Toleration_To_core_Toleration`, `Convert_v1_Affinity_To_core_Affinity`, `Convert_v1_ResourceRequirements_To_core_ResourceRequirements`) are defined in `vendor/k8s.io/kubernetes/pkg/apis/core/v1/zz_generated.conversion.go` and unconditionally return nil — they simply copy fields between structurally identical types. Error handling (`if err != nil`) for these calls is unnecessary boilerplate; using `_ =` to explicitly discard the return value is the intentional and idiomatic pattern in this codebase.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[openshift-ci-robot]

@sebrandon1: This pull request references CM-1113 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Replaces all 8 raw unsafe.Pointer casts between corev1.* and core.* types with Kubernetes auto-generated conversion functions from k8s.io/kubernetes/pkg/apis/core/v1
• Removes "unsafe" import from 3 files
• Adds ToCoreTolerations and ToV1Tolerations helpers in pkg/controller/common/validation.go to avoid repeating the conversion loop pattern

Why

The operator uses Kubernetes internal validation functions (corevalidation.ValidateTolerations, etc.) which require internal core.* types, but the public API uses corev1.* types. Previously, this was bridged with raw unsafe.Pointer casts like:

convTolerations := *(*[]core.Toleration)(unsafe.Pointer(&tolerations))

While the types are memory-layout compatible, raw unsafe casts are fragile and bypass Go's type system. Kubernetes already provides auto-generated conversion functions that handle this properly. The conversion functions still use unsafe.Pointer internally, but the cast is encapsulated, upstream-maintained, and follows the official Kubernetes conversion pattern.

Files changed

File	Before	After
pkg/controller/common/validation.go	3 unsafe casts	Conversion functions + exported helpers
pkg/controller/certmanager/deployment_helper.go	4 unsafe casts (3 in, 1 out)	common.ToCoreTolerations / common.ToV1Tolerations
pkg/controller/certmanager/deployment_overrides_validation.go	1 unsafe cast	common.ToCoreTolerations

Test plan

• go build ./... compiles cleanly
• make test passes
• make lint introduces no new issues
• CI e2e tests pass

Summary by CodeRabbit

• Refactor
• Improved internal type conversion handling for pod scheduling tolerations and resource requirements validation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sebrandon1: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.