OCPCLOUD-3346: tls: use centralized TLS #1456

Open
RadekManak wants to merge 13 commits into openshift:main from RadekManak:feature-centralized-tsl-endpoints

Conversation

@RadekManak (Contributor) commented Jan 26, 2026

  • Serve machine-api-operator metrics directly over HTTPS (:8443) using controller-runtime’s metrics server with delegated authn/authz (WithAuthenticationAndAuthorization), and remove the MAO kube-rbac-proxy sidecar.
  • Add TLS profile awareness for MAO metrics:
    • read APIServer/cluster TLS profile on startup,
    • configure min TLS/ciphers from that profile,
    • watch for TLS profile changes and trigger shutdown so the pod restarts with updated TLS settings.
  • Propagate the same TLS profile to controller kube-rbac-proxy sidecars (machine, machineset, mhc) by generating --tls-min-version and profile-derived --tls-cipher-suites args.
  • Update manifests accordingly:
    • deployment ports/volume mounts/env (METRICS_PORT=8443) for direct secure serving,
    • RBAC to watch config.openshift.io/apiservers.
  • Include supporting dependency/vendor updates and minor follow-ups:
    • dependency bumps (controller-runtime, openshift/api, openshift/client-go, etc.),
    • go-build.sh root-dir handling fix,
    • lint/import cleanup (pkg/webhooks/machine_webhook.go, context import updates).

Notes

  • Provider/controller metrics remain behind kube-rbac-proxy and continue using the existing namespace/metrics authorization model.
  • MAO direct /metrics auth uses delegated token/SAR checks; scraper access relies on existing cluster-monitoring prometheus-k8s cluster RBAC.

Summary by CodeRabbit

  • New Features

    • Metrics now served securely over TLS on port 8443 with certificate mounting.
    • Operator watches cluster TLS profile and gracefully reloads to apply changes.
    • Webhook server gains configurable TLS cipher suites and minimum TLS version.
  • Chores

    • Removed sidecar proxy from deployment; simplified container layout and mounts.
    • RBAC expanded to allow reading cluster TLS profile.
    • Dependency upgrades and build script robustness improvements.
  • Tests

    • Enhanced tests to cover TLS argument generation and webhook/controller TLS behavior.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 26, 2026
@openshift-ci-robot (Contributor) commented Jan 26, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

  • Replace the MAO metrics kube‑rbac‑proxy sidecar with direct HTTPS in the operator binary, using the serving cert mounted from the MAO secret.
  • Watch the APIServer TLS profile and trigger a controlled shutdown so MAO restarts and picks up TLS changes.
  • Propagate the APIServer TLS profile into machine-api-controllers kube‑rbac‑proxy args (cipher suites + min TLS), with unit coverage.

Details

  • Direct MAO metrics TLS
  • MAO now listens on :8443 and serves /metrics via ListenAndServeTLS using /etc/tls/private/tls.crt|tls.key.
  • The deployment drops the kube‑rbac‑proxy sidecar, mounts the serving cert into /etc/tls/private, and exposes port 8443.
  • RBAC is updated to allow reading apiservers for TLS profile fetch.
  • TLS profile reload
  • MAO fetches the APIServer TLS profile at startup and builds a tls.Config.
  • A config informer watches APIServer updates and triggers shutdown on profile changes.
  • Centralized proxy TLS for controllers
  • OperatorConfig now carries the TLS profile.
  • machine-api-controllers kube‑rbac‑proxy args are generated from the profile (--tls-cipher-suites, --tls-min-version),
  • Tests updated to include APIServer presence and TLS profile expectations; a focused test validates proxy TLS args.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@RadekManak (Contributor, Author) commented:

/assign @damdo

@damdo (Member) left a comment

Thanks! Looks good, a couple of minor points.

var tlsProfile *osconfigv1.TLSProfileSpec
apiServer, err := optr.osClient.ConfigV1().APIServers().Get(context.Background(), "cluster", metav1.GetOptions{})
if err != nil {
klog.Warningf("Failed to fetch APIServer, using default TLS profile: %v", err)
Reviewer (Member) commented on the lines above:

Shouldn't we return here?
What would happen otherwise?

@openshift-ci bot (Contributor) commented Jan 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from damdo. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 4e665c0 to 24eed11 Compare February 18, 2026 14:55
@openshift-ci-robot (Contributor) commented Feb 18, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 24eed11 to 6b35a05 Compare February 18, 2026 15:25
@damdo (Member) left a comment

Thanks for this Radek!
I left a bunch of comments but it mostly looks good! TY

@damdo (Member) commented Feb 25, 2026

/retest

Remove the kube-rbac-proxy sidecar, mount the serving cert, and
restart the operator on APIServer TLS profile changes.

Capture the APIServer TLS profile in operator config and use it to
configure kube-rbac-proxy TLS args, with unit coverage.

Add unit tests to verify TLS configuration handling in
newKubeProxyContainer, including tests for TLS 1.2 with cipher suites
and TLS 1.3 without cipher suites.

Move TLS configuration computation from per-container to once per batch
in newKubeProxyContainers. This avoids redundant processing when creating
multiple kube-rbac-proxy containers with the same TLS profile.

Introduce command-line flags for TLS cipher suites and minimum version in the machineset controller. Update the container creation logic to utilize these TLS settings.
This ensures Metal3 remediation webhooks use the configured TLS profile while keeping other controllers unchanged.
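The profile-to-flag translation the PR description and the commit messages above describe (TLS 1.2 with a cipher-suite list, TLS 1.3 without one), as an added example that is not the PR's own code: it assumes a constructed TLSProfileSpec stand-in with the field shapes of openshift/api's configv1.TLSProfileSpec and a hypothetical TLSArgs helper, and it uses crypto/tls to report the profile ciphers Go cannot honour rather than dropping them silently.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSProfileSpec is a constructed stand-in with the field shapes of
// openshift/api's configv1.TLSProfileSpec, so this runs with the standard
// library only.
type TLSProfileSpec struct {
	Ciphers       []string // OpenSSL-style or IANA names, as written in the APIServer CR
	MinTLSVersion string   // "VersionTLS10" .. "VersionTLS13"
}

// openSSLToIANA maps the OpenSSL-style names used by the OpenShift
// Intermediate profile to the IANA names kube-rbac-proxy's
// --tls-cipher-suites flag expects. Names already in IANA form (the TLS 1.3
// suites) pass through unchanged.
var openSSLToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// goSupportedSuites returns the IANA names Go's crypto/tls implements and
// considers secure; tls.InsecureCipherSuites() is deliberately left out.
func goSupportedSuites() map[string]bool {
	supported := map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		supported[cs.Name] = true
	}
	return supported
}

// TLSArgs (hypothetical helper) builds the kube-rbac-proxy TLS flags from a
// profile. The second result lists profile ciphers that could not be honoured,
// so the caller can log the profile-to-flag mismatch instead of hiding it.
func TLSArgs(p TLSProfileSpec) (args []string, unsupported []string) {
	args = append(args, "--tls-min-version="+p.MinTLSVersion)
	if p.MinTLSVersion == "VersionTLS13" {
		// crypto/tls does not let callers choose TLS 1.3 suites; it always uses
		// the three standard ones, so no --tls-cipher-suites flag is emitted.
		return args, nil
	}
	supported := goSupportedSuites()
	var iana []string
	for _, c := range p.Ciphers {
		name, ok := openSSLToIANA[c]
		if !ok {
			name = c // assume it is already an IANA name and let the check below decide
		}
		if supported[name] {
			iana = append(iana, name)
			continue
		}
		unsupported = append(unsupported, c)
	}
	if len(iana) > 0 {
		args = append(args, "--tls-cipher-suites="+strings.Join(iana, ","))
	}
	return args, unsupported
}

func main() {
	// Constructed sample resembling the Intermediate profile. The DHE suite is a
	// valid OpenSSL name, but Go has no DHE support, so it is reported back.
	intermediate := TLSProfileSpec{
		MinTLSVersion: "VersionTLS12",
		Ciphers: []string{
			"TLS_AES_128_GCM_SHA256",
			"ECDHE-ECDSA-AES128-GCM-SHA256",
			"ECDHE-RSA-AES256-GCM-SHA384",
			"DHE-RSA-AES128-GCM-SHA256",
		},
	}
	args, unsupported := TLSArgs(intermediate)
	fmt.Println(strings.Join(args, " "))
	if len(unsupported) > 0 {
		fmt.Printf("profile ciphers not supported by Go, ignored: %v\n", unsupported)
	}
}
```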
@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 9b911a2 to fe1ce87 Compare February 27, 2026 10:25
@coderabbitai bot commented Feb 27, 2026

Walkthrough

Replaces in-process HTTP metrics with a TLS-secured metrics server, adds APIServer TLSProfile retrieval and watcher to trigger reloads, removes kube-rbac-proxy from the deployment, wires TLS options through operator/webhook/container args, updates RBAC for apiservers, and upgrades dependencies.

Changes

Cohort / File(s): Summary

Metrics TLS & Leader Flow
  cmd/machine-api-operator/start.go, install/0000_30_machine-api-operator_11_deployment.yaml
  Replaces HTTP Prometheus metrics with a secure TLS metrics server (port 8443), mounts the TLS secret, starts the metrics server under a cancellable context tied to the leader lifecycle, and removes the kube-rbac-proxy container. Adds a TLS profile watcher to trigger graceful shutdown/reload on profile changes.

Operator TLS Config & Wiring
  pkg/operator/config.go, pkg/operator/operator.go, pkg/operator/sync.go, pkg/operator/sync_test.go
  Adds TLSProfile to OperatorConfig, fetches the APIServer TLS profile, builds TLS options/args (cipher suites, min TLS version), and propagates TLS args into controller and proxy container command lines and pod templates.

Webhook TLS Options
  cmd/machineset/main.go
  Adds flags for tls-cipher-suites and tls-min-version, constructs TLSProfile/TLS options, and injects TLS options into the webhook server initialization.

RBAC & Deployment Manifests
  install/0000_30_machine-api-operator_09_rbac.yaml, install/0000_30_machine-api-operator_11_deployment.yaml
  Grants access to config.openshift.io/apiservers in Role and ClusterRole. Updates the deployment to use the TLS secret volume and expose metrics on 8443; removes the kube-rbac-proxy container and related volumes.

Tests & Small Imports
  pkg/operator/operator_test.go, pkg/operator/sync_test.go, pkg/controller/machine/machine_controller_test.go, pkg/webhooks/machine_webhook.go
  Updates tests to include an APIServer fixture and TLSProfile assertions; adds/adjusts tests for TLS args and kube-proxy container behavior. Replaces some imports with the standard library (context, slices) and updates config type aliases to configv1.

Dependencies & Build Script
  go.mod, hack/go-build.sh
  Large dependency upgrades across Kubernetes/OpenShift and golang.org/x/* modules; adds a temporary replace for filepath-securejoin. Fixes a brittle cd in the build script to guard against an empty result.

Sequence Diagram(s)

mermaid sequenceDiagram:
    participant Leader as LeaderElector
    participant APIServer as APIServer (config.openshift.io)
    participant Operator as machine-api-operator
    participant Metrics as SecureMetricsServer
    participant Controllers as Controllers
    Leader->>Operator: onStartedLeading(ctx)
    Operator->>APIServer: fetch TLSProfile
    APIServer-->>Operator: TLSProfileSpec
    Operator->>Operator: build TLS options / tlsArgs
    Operator->>Metrics: start secure metrics server (async) with TLS
    Operator->>Controllers: start controllers with tlsArgs
    APIServer->>Operator: TLSProfile changed (informer event)
    Operator->>Operator: cancel metrics/controllers context -> graceful shutdown
    Leader->>Operator: onStoppedLeading -> ensure full shutdown

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 19.05%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Test Structure And Quality ⚠️ Warning: New test functions TestNewKubeProxyContainers and TestNewContainersTLSArgs contain approximately 18-20 assertions lacking meaningful failure messages, reducing test debuggability, although some assertions do have messages, showing the pattern is understood. Resolution: add meaningful failure messages to all assertions without them, using test case names and container names for context, consistently across both new test functions.

✅ Passed checks (3 passed)

  • Description Check ✅ Passed: check skipped because CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: the title 'OCPCLOUD-3346: tls: use centralized TLS' accurately summarizes the main change: implementing centralized TLS configuration for the machine-api-operator instead of using individual kube-rbac-proxy sidecars.
  • Stable And Deterministic Test Names ✅ Passed: all test names in modified files are static and deterministic, with no dynamic values, random suffixes, UUIDs, timestamps, or variable concatenation.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci-robot (Contributor) commented Feb 27, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Summary by CodeRabbit

Release Notes

  • New Features
    • Metrics are now exposed securely on port 8443 with TLS instead of HTTP, improving security.
    • Added dynamic TLS profile watching that automatically reloads configuration when cluster TLS settings change.
  • Chores
    • Simplified deployment by removing the kube-rbac-proxy container.
    • Updated RBAC permissions to support new TLS profile retrieval.
    • Upgraded dependencies for improved Kubernetes and OpenShift compatibility.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@RadekManak (Contributor, Author) commented Feb 27, 2026

/hold This will crash baremetal until the PR merges.
openshift/cluster-api-provider-baremetal#248

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 27, 2026
@coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/machine-api-operator/start.go`:
- Around line 247-251: The current goroutine fatals on any metricsServer.Start
error; change it to only treat context.Canceled as a non-fatal shutdown and exit
gracefully, while still fataling for other unexpected errors. Locate the
anonymous goroutine that calls metricsServer.Start(metricsServerCtx) and update
its error handling to check for errors.Is(err, context.Canceled) (allowing a
clean shutdown/log and not calling klog.Fatalf) and call klog.Fatalf only for
other error values; do not special-case http.ErrServerClosed because
metricsServer.Start already filters that.

In `@cmd/machineset/main.go`:
- Line 177: The call to utiltls.NewTLSConfigFromProfile is ignoring its error
(tlsOpts, _ := utiltls.NewTLSConfigFromProfile(tlsProfile)); change this to
capture and handle the error (e.g., tlsOpts, err :=
utiltls.NewTLSConfigFromProfile(tlsProfile)) and if err != nil log the error via
the existing logger or fmt and exit/return a non-zero status so the webhook
server does not start with invalid TLS settings; update the initialization path
in main (where tlsProfile and tlsOpts are used) to propagate or handle the error
appropriately.

In `@pkg/operator/sync.go`:
- Around line 865-875: In getTLSArgs, capture the second return value from
utiltls.NewTLSConfigFromProfile (the unsupportedCiphers slice) instead of
discarding it, and emit a log containing those unsupported cipher names so
profile-to-flag translation mismatches are visible; specifically, change the
call to utiltls.NewTLSConfigFromProfile to receive (tlsConfigFn,
unsupportedCiphers), and then log unsupportedCiphers (mirroring the pattern used
in cmd/machine-api-operator/start.go) before continuing to build the tlsArgs.

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8846555 and fe1ce87.

⛔ Files ignored due to path filters (287)
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/chacha20/chacha_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/ssh/keys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/ssh/messages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/ssh/ssh_gss.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/ssh/streamlocal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/crypto/ssh/tcpip.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/modfile/print.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/modfile/read.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/modfile/rule.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/module/module.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/mod/semver/semver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/context/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/websocket/hybi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/diagnostic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/appends/appends.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/asmdecl/asmdecl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/assign/assign.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/atomic/atomic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/atomicalign/atomicalign.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/bools/bools.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/buildssa/buildssa.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/buildtag/buildtag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/cgocall/cgocall.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/copylock/copylock.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/ctrlflow/ctrlflow.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/deepequalerrors/deepequalerrors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/defers/defers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/directive/directive.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/errorsas/errorsas.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/fieldalignment/fieldalignment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/framepointer/framepointer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/httpresponse/httpresponse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/ifaceassert/ifaceassert.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/inspect/inspect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/internal/analysisutil/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/loopclosure/loopclosure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/nilfunc/nilfunc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/nilness/nilness.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/pkgfact/pkgfact.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/printf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/reflectvaluecompare/reflectvaluecompare.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/shadow/shadow.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/shift/shift.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/sigchanyzer/sigchanyzer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/slog/slog.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/sortslice/analyzer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/stdmethods/stdmethods.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/stdversion/stdversion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/stringintconv/string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/structtag/structtag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/testinggoroutine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/tests/tests.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/timeformat/timeformat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unmarshal/unmarshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unreachable/unreachable.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unsafeptr/unsafeptr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unusedresult/unusedresult.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unusedwrite/unusedwrite.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/waitgroup/waitgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/astutil/imports.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/buildutil/allpackages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/buildutil/tags.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/cfg/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/cfg/cfg.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/visit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/create.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/emit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/func.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/instantiate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/ssa.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/ssautil/visit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/subst.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/imports/forward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/extractdoc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/readfile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/typeindex/typeindex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysisinternal/analysis.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/comment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/equal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/stringlit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/imports/fix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/imports/sortimports.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/lookup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/symbols.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/moreiters/iters.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/packagepath/packagepath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/delete.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/edit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/imports.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/refactor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/fx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/isnamed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/typeindex/typeindex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • cmd/machine-api-operator/start.go
  • cmd/machineset/main.go
  • go.mod
  • hack/go-build.sh
  • install/0000_30_machine-api-operator_09_rbac.yaml
  • install/0000_30_machine-api-operator_11_deployment.yaml
  • pkg/controller/machine/machine_controller_test.go
  • pkg/operator/config.go
  • pkg/operator/operator.go
  • pkg/operator/operator_test.go
  • pkg/operator/sync.go
  • pkg/operator/sync_test.go
  • pkg/webhooks/machine_webhook.go

Comment on lines +865 to +875
func getTLSArgs(tlsProfile configv1.TLSProfileSpec) []string {
// Compute TLS arguments once from the profile
tlsConfigFn, _ := utiltls.NewTLSConfigFromProfile(tlsProfile)
tlsConf := &tls.Config{}
tlsConfigFn(tlsConf)

tlsArgs := []string{}
// Only set CipherSuites if they are specified.
if len(tlsConf.CipherSuites) > 0 {
ianaCiphers := libgocrypto.CipherSuitesToNamesOrDie(tlsConf.CipherSuites)
tlsArgs = append(tlsArgs, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(ianaCiphers, ",")))
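Review bot: the second return value of `utiltls.NewTLSConfigFromProfile` is discarded at `tlsConfigFn, _ := ...`, so a cipher the profile names but Go cannot honour vanishes from `--tls-cipher-suites` without a trace and the sidecar ends up with a narrower suite set than the admin configured; if logging here is unwanted because of repeated reconciles, record the dropped set somewhere visible (a metric or an operator condition) instead. The `if len(tlsConf.CipherSuites) > 0` guard also means a TLS 1.2 profile whose every cipher is unsupported emits no flag at all and falls back to whatever kube-rbac-proxy uses when the flag is absent, which is weaker than failing the sync. The `tls.Config{}` here is a scratch value used only to read the profile back out and never backs a listener, so the ast-grep `MinVersion` warning attached to this hunk is noise, but the snippet stops before `--tls-min-version` is derived; worth confirming the cut-off part of the function takes it from `tlsConf.MinVersion` rather than a hard-coded value.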
@coderabbitai coderabbitai bot Feb 27, 2026


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find NewTLSConfigFromProfile usages
echo "=== NewTLSConfigFromProfile usages ==="
rg -n --type=go 'NewTLSConfigFromProfile\('

echo -e "\n=== unsupportedCiphers handling ==="
rg -n --type=go 'unsupportedCiphers'

echo -e "\n=== getTLSArgs function context ==="
rg -n --type=go -A 15 'func getTLSArgs'

Repository: openshift/machine-api-operator

Length of output: 2879


🏁 Script executed:

#!/bin/bash
# Find the utiltls package to check the function signature
find . -name "*.go" -type f | xargs grep -l "func NewTLSConfigFromProfile" | head -5

Repository: openshift/machine-api-operator

Length of output: 144


🏁 Script executed:

#!/bin/bash
# Check klog imports and usage in sync.go
grep -n "import\|klog" pkg/operator/sync.go | head -20

Repository: openshift/machine-api-operator

Length of output: 1591


Log unsupported ciphers when deriving TLS args for controllers/proxies.

The unsupportedCiphers return value from NewTLSConfigFromProfile is discarded (line 867), preventing visibility into any profile-to-flag translation mismatches. This makes debugging TLS configuration issues harder. The codebase already implements this pattern correctly in cmd/machine-api-operator/start.go (lines 270–272), which should be mirrored here.

♻️ Suggested adjustment
 func getTLSArgs(tlsProfile configv1.TLSProfileSpec) []string {
 	// Compute TLS arguments once from the profile
-	tlsConfigFn, _ := utiltls.NewTLSConfigFromProfile(tlsProfile)
+	tlsConfigFn, unsupportedCiphers := utiltls.NewTLSConfigFromProfile(tlsProfile)
+	if len(unsupportedCiphers) > 0 {
+		klog.Infof("TLS profile contains unsupported ciphers that will be ignored for controller/proxy args: %v", unsupportedCiphers)
+	}
 	tlsConf := &tls.Config{}
 	tlsConfigFn(tlsConf)
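Review bot: the added `klog.Infof` fires at default verbosity every time `getTLSArgs` runs, and the function is called while pod templates are generated, so one unsupported cipher in a profile becomes a log line per sync; if a log is kept here, guard it with `klog.V(...)` or deduplicate against the previously reported set, since the startup-only log in `cmd/machine-api-operator/start.go` that this comment cites already covers the one-time case.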
🧰 Tools
🪛 ast-grep (0.41.0)

[warning] 867-867: `MinVersion` is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/sync.go` around lines 865 - 875, In getTLSArgs, capture the
second return value from utiltls.NewTLSConfigFromProfile (the unsupportedCiphers
slice) instead of discarding it, and emit a log containing those unsupported
cipher names so profile-to-flag translation mismatches are visible;
specifically, change the call to utiltls.NewTLSConfigFromProfile to receive
(tlsConfigFn, unsupportedCiphers), and then log unsupportedCiphers (mirroring
the pattern used in cmd/machine-api-operator/start.go) before continuing to
build the tlsArgs.

Contributor Author


This is intentional to avoid log spam.



@RadekManak, understood — avoiding log spam during repeated reconciliations makes sense. Since getTLSArgs can be called multiple times when generating pod templates, keeping the logging only at startup (in start.go) is the right call.
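The profile-to-flag translation discussed in this thread, as an added example that is not code from the PR, from library-go or from kube-rbac-proxy: a stand-alone Go version of the idea. `TLSProfileSpec`, `TLSArgsFromProfile`, `intermediateLike` and the `opensslToIANA` table are this example's own names and an assumed subset of the OpenSSL-to-IANA mapping; the support check uses Go's `crypto/tls.CipherSuites()`. Unlike the hunk above, it hands the unsupported ciphers back to the caller instead of dropping them, skips TLS 1.3 suites (Go negotiates those regardless of `CipherSuites`), refuses minimum versions below TLS 1.2 (the example's own choice), and fails rather than emitting no flag when a TLS 1.2 profile is left with no usable suite.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSProfileSpec is a local stand-in for the two fields of the OpenShift
// profile spec that matter here. It is not the openshift/api type.
type TLSProfileSpec struct {
	MinTLSVersion string   // Go constant name, e.g. "VersionTLS12"
	Ciphers       []string // OpenSSL names, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
}

// opensslToIANA is an assumed subset of the OpenSSL-to-IANA table that
// library-go's crypto package carries. TLS 1.3 suites share one name on both
// sides and need no entry; anything unlisted is looked up under its own name.
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// goSuites indexes every suite Go's TLS stack can negotiate by IANA name.
// Suites missing here (every DHE suite, for instance) cannot be honoured by a
// Go server, so they are reported instead of silently dropped.
var goSuites = func() map[string]*tls.CipherSuite {
	m := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		m[cs.Name] = cs
	}
	return m
}()

// tls13Only reports whether a suite is negotiable only under TLS 1.3, where
// Go picks suites itself and ignores tls.Config.CipherSuites.
func tls13Only(cs *tls.CipherSuite) bool {
	for _, v := range cs.SupportedVersions {
		if v != tls.VersionTLS13 {
			return false
		}
	}
	return true
}

// TLSArgsFromProfile turns a profile into kube-rbac-proxy style flags. It
// returns the flags, the ciphers Go cannot honour, and an error when the
// profile would leave a TLS 1.2 listener with no usable suite at all.
func TLSArgsFromProfile(p TLSProfileSpec) ([]string, []string, error) {
	if p.MinTLSVersion != "VersionTLS12" && p.MinTLSVersion != "VersionTLS13" {
		return nil, nil, fmt.Errorf("refusing minTLSVersion %q: below TLS 1.2", p.MinTLSVersion)
	}
	args := []string{"--tls-min-version=" + p.MinTLSVersion}

	var iana, unsupported []string
	for _, c := range p.Ciphers {
		name, ok := opensslToIANA[c]
		if !ok {
			name = c
		}
		cs, known := goSuites[name]
		switch {
		case !known:
			unsupported = append(unsupported, c)
		case tls13Only(cs):
			// Valid, but Go negotiates these regardless of the flag.
		default:
			iana = append(iana, name)
		}
	}

	switch {
	case len(iana) > 0:
		args = append(args, "--tls-cipher-suites="+strings.Join(iana, ","))
	case p.MinTLSVersion == "VersionTLS12" && len(p.Ciphers) > 0:
		// Every TLS 1.2 suite was dropped: emitting no flag would silently
		// hand the proxy its built-in defaults instead of the profile.
		return nil, unsupported, fmt.Errorf("profile leaves no supported TLS 1.2 cipher (unsupported: %v)", unsupported)
	}
	return args, unsupported, nil
}

// intermediateLike is a constructed sample resembling OpenShift's Intermediate
// profile; the two DHE suites are exactly the kind a Go server cannot offer.
var intermediateLike = TLSProfileSpec{
	MinTLSVersion: "VersionTLS12",
	Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
		"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
		"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
	},
}

func main() {
	args, unsupported, err := TLSArgsFromProfile(intermediateLike)
	fmt.Println(strings.Join(args, " "))
	fmt.Println("unsupported:", unsupported, "err:", err)
}
```

Returning the unsupported set rather than logging it lets the caller decide once per sync whether anything changed, which is the trade-off the thread above is about; a Modern (TLS 1.3-only) profile produces only the version flag, and that is the expected outcome, not a bug.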

@openshift-ci-robot
Contributor

openshift-ci-robot commented Feb 27, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

  • Serve machine-api-operator metrics directly over HTTPS (:8443) using controller-runtime’s metrics server with delegated authn/authz (WithAuthenticationAndAuthorization), and remove the MAO kube-rbac-proxy sidecar.
  • Add TLS profile awareness for MAO metrics:
    • read APIServer/cluster TLS profile on startup,
    • configure min TLS/ciphers from that profile,
    • watch for TLS profile changes and trigger shutdown so the pod restarts with updated TLS settings.
  • Propagate the same TLS profile to controller kube-rbac-proxy sidecars (machine, machineset, mhc) by generating --tls-min-version and profile-derived --tls-cipher-suites args.
  • Update manifests accordingly:
    • deployment ports/volume mounts/env (METRICS_PORT=8443) for direct secure serving,
    • RBAC to watch config.openshift.io/apiservers.
  • Include supporting dependency/vendor updates and minor follow-ups:
    • dependency bumps (controller-runtime, openshift/api, openshift/client-go, etc.),
    • go-build.sh root-dir handling fix,
    • lint/import cleanup (pkg/webhooks/machine_webhook.go, context import updates).

Notes

  • Provider/controller metrics remain behind kube-rbac-proxy and continue using the existing namespace/metrics authorization model.
  • MAO direct /metrics auth uses delegated token/SAR checks; scraper access relies on existing cluster-monitoring prometheus-k8s cluster RBAC.

Summary by CodeRabbit

  • New Features
    • Metrics now served securely over TLS on port 8443 with certificate mounting.
    • Operator watches cluster TLS profile and gracefully reloads to apply changes.
    • Webhook server gains configurable TLS cipher suites and minimum TLS version.
  • Chores
    • Removed sidecar proxy from deployment; simplified container layout and mounts.
    • RBAC expanded to allow reading cluster TLS profile.
    • Dependency upgrades and build script robustness improvements.
  • Tests
    • Enhanced tests to cover TLS argument generation and webhook/controller TLS behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
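The delegated token/SAR check that the quoted description relies on for the direct /metrics endpoint, as an added example that is neither the PR's code nor controller-runtime's `WithAuthenticationAndAuthorization` implementation: a plain `net/http` filter doing what such a filter does, a TokenReview to identify the caller, then a SubjectAccessReview for `get` on the non-resource path. `TokenReviewer`, `SubjectAccessReviewer`, `fakeReviewer`, `Scrape`, `NewDemoHandler`, the token strings and the service-account names are constructed for the example; in a cluster the two interfaces would be backed by the `authentication.k8s.io` and `authorization.k8s.io` APIs, and the `prometheus-k8s` grant is the existing cluster-monitoring RBAC the description mentions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenReviewer and SubjectAccessReviewer model the two API server round trips
// a delegated filter makes. Both are local interfaces so the example runs
// offline; neither is controller-runtime's own API.
type TokenReviewer interface {
	ReviewToken(ctx context.Context, token string) (user string, groups []string, authenticated bool, err error)
}

type SubjectAccessReviewer interface {
	// AllowedNonResource mirrors a SAR carrying nonResourceAttributes{verb, path}.
	AllowedNonResource(ctx context.Context, user string, groups []string, verb, path string) (bool, error)
}

// DelegatedMetricsHandler guards next with delegated authn/authz. A failure of
// the delegation itself is answered with 503, not 401/403, so an unreachable
// API server is not mistaken for a revoked or unauthorised scraper.
func DelegatedMetricsHandler(next http.Handler, tr TokenReviewer, sar SubjectAccessReviewer) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) || len(auth) == len(prefix) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		user, groups, ok, err := tr.ReviewToken(r.Context(), auth[len(prefix):])
		if err != nil {
			http.Error(w, "authentication unavailable", http.StatusServiceUnavailable)
			return
		}
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		allowed, err := sar.AllowedNonResource(r.Context(), user, groups, "get", r.URL.Path)
		if err != nil {
			http.Error(w, "authorization unavailable", http.StatusServiceUnavailable)
			return
		}
		if !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fakeReviewer is a constructed in-memory stand-in for both API calls: tokens
// map to users, and a user may GET /metrics only if listed in allowed.
type fakeReviewer struct {
	tokens  map[string]string
	allowed map[string]bool
}

func (f fakeReviewer) ReviewToken(_ context.Context, token string) (string, []string, bool, error) {
	u, ok := f.tokens[token]
	if !ok {
		return "", nil, false, nil // unknown token: not authenticated, no error
	}
	return u, []string{"system:serviceaccounts"}, true, nil
}

func (f fakeReviewer) AllowedNonResource(_ context.Context, user string, _ []string, verb, path string) (bool, error) {
	return verb == "get" && path == "/metrics" && f.allowed[user], nil
}

// Scrape issues one GET against the guarded handler and returns the status code.
func Scrape(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// NewDemoHandler wires the fakes: "prom-token" belongs to the monitoring
// scraper SA, which holds the /metrics non-resource grant; "app-token" belongs
// to an assumed workload SA that does not. Names and tokens are constructed.
func NewDemoHandler() http.Handler {
	prom := "system:serviceaccount:openshift-monitoring:prometheus-k8s"
	fake := fakeReviewer{
		tokens:  map[string]string{"prom-token": prom, "app-token": "system:serviceaccount:default:app"},
		allowed: map[string]bool{prom: true},
	}
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "example_metric 1") // constructed sample exposition
	})
	return DelegatedMetricsHandler(metrics, fake, fake)
}

func main() {
	h := NewDemoHandler()
	for _, tok := range []string{"", "bogus", "app-token", "prom-token"} {
		fmt.Printf("token=%q GET /metrics -> %d\n", tok, Scrape(h, "/metrics", tok))
	}
}
```

The status split matters operationally: 401 and 403 are the scraper's problem (missing token, missing RBAC), whereas 503 says the operator could not reach the API server to ask, and a scrape alert should be tuned to tell the two apart.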


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/machine-api-operator/start.go`:
- Around line 299-316: The code must avoid converting a shutdown-triggered cache
sync failure into a hard crash: in the initMachineAPIInformers() path where
cache.WaitForCacheSync(...) is currently followed by klog.Fatal on false, change
the logic to detect a shutdown caused by
setupTLSProfileWatcher/handleTLSProfileEvent calling shutdown() (i.e., the stop
channel being closed or context cancelled) and return an error or nil to allow
graceful restart instead of calling klog.Fatal; update initMachineAPIInformers()
to check the stop channel or context before deciding to fatal, and ensure
setupTLSProfileWatcher/handleTLSProfileEvent continue to call shutdown() as
before.

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between fe1ce87 and 1659685.

📒 Files selected for processing (2)
  • cmd/machine-api-operator/start.go
  • cmd/machineset/main.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • cmd/machineset/main.go

Comment on lines +299 to +316
func setupTLSProfileWatcher(ctx *ControllerContext, shutdown func()) error {
configClient := ctx.ClientBuilder.OpenshiftClientOrDie("tls-profile-watcher")
initialProfile, err := fetchAPIServerTLSProfileSpec(context.Background(), configClient)
if err != nil {
return err
}
klog.Fatal(server.ListenAndServe())

apiServerInformer := ctx.ConfigInformerFactory.Config().V1().APIServers().Informer()
_, err = apiServerInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(obj interface{}) {
handleTLSProfileEvent(obj, &initialProfile, shutdown)
},
UpdateFunc: func(_, newObj interface{}) {
handleTLSProfileEvent(newObj, &initialProfile, shutdown)
},
DeleteFunc: func(obj interface{}) {
handleTLSProfileEvent(obj, &initialProfile, shutdown)
},
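Review bot: `DeleteFunc` passes `obj` straight to `handleTLSProfileEvent`, but an informer that missed an object's final state delivers a `cache.DeletedFinalStateUnknown` tombstone there instead of an `*APIServer`; unless the handler unwraps it, deletion of the `cluster` APIServer (which should revert the effective profile to the platform default) is silently ignored. `fetchAPIServerTLSProfileSpec(context.Background(), configClient)` also uses a context that can never be cancelled, so a hung initial read blocks startup past the point where the stop channel would otherwise end it; derive it from the controller's context instead. Lastly, the `klog.Fatal(server.ListenAndServe())` line between the `return err` and the informer setup reads like diff context from the removed metrics server rather than new code; if it really sits inside this function it would block before the event handler is ever registered.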


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify control flow: read the key sections mentioned in the review
echo "=== Section 1: Lines 96-140 (startup context) ==="
sed -n '96,140p' cmd/machine-api-operator/start.go

echo -e "\n=== Section 2: Lines 143-153 (cache sync with fatal) ==="
sed -n '143,153p' cmd/machine-api-operator/start.go

echo -e "\n=== Section 3: Lines 299-370 (setupTLSProfileWatcher) ==="
sed -n '299,370p' cmd/machine-api-operator/start.go

Repository: openshift/machine-api-operator

Length of output: 4655


Prevent fatal crash when TLS watcher triggers shutdown before cache sync completes.

shutdown() can be called from APIServer events after the TLS watcher is registered but before initMachineAPIInformers() cache sync finishes. This closes stopCh, causing cache.WaitForCacheSync() to return false, which unconditionally triggers klog.Fatal() at line 150—converting an intended graceful restart into a hard crash.

Suggested hardening
func initMachineAPIInformers(ctx *ControllerContext) {
	mInformer := ctx.MachineInformerFactory.Machine().V1beta1().Machines().Informer()
	msInformer := ctx.MachineInformerFactory.Machine().V1beta1().MachineSets().Informer()
	ctx.MachineInformerFactory.Start(ctx.Stop)
	if !cache.WaitForCacheSync(ctx.Stop,
		mInformer.HasSynced,
		msInformer.HasSynced) {
+		select {
+		case <-ctx.Stop:
+			klog.V(2).Info("Skipping Machine API informer sync due to shutdown")
+			return
+		default:
+			klog.Fatal("Failed to sync caches for Machine api informers")
+		}
	}
	klog.Info("Synced up machine api informer caches")
}
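Review bot: a bare `return` after "Skipping Machine API informer sync due to shutdown" leaves the caller of initMachineAPIInformers unaware that the caches never synced, so unless that caller also checks ctx.Stop it will go on to start controllers against empty caches during the shutdown window. Consider returning a bool or error from initMachineAPIInformers (e.g. `return fmt.Errorf("informer sync aborted by shutdown")`) and having the startup path stop on it, keeping klog.Fatal only for the `default` branch where the stop channel is still open.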
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@cmd/machine-api-operator/start.go` around lines 299 - 316, the code must
avoid converting a shutdown-triggered cache sync failure into a hard crash: in
the initMachineAPIInformers() path where cache.WaitForCacheSync(...) is
currently followed by klog.Fatal on false, change the logic to detect a shutdown
caused by setupTLSProfileWatcher/handleTLSProfileEvent calling shutdown() (i.e.,
the stop channel being closed or context cancelled) and return an error or nil
to allow graceful restart instead of calling klog.Fatal; update
initMachineAPIInformers() to check the stop channel or context before deciding
to fatal, and ensure setupTLSProfileWatcher/handleTLSProfileEvent continue to
call shutdown() as before.
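The race CodeRabbit describes above (shutdown() closing the stop channel while the Machine API informers are still syncing, so WaitForCacheSync returns false and the operator exits fatally) is easier to reason about in isolation. The following is an added example, neither the operator's code nor CodeRabbit's suggestion: it stands in for client-go's cache.WaitForCacheSync with a small local function that keeps the same contract (poll the HasSynced funcs, return false as soon as the stop channel closes), and syncInformers shows the hardened decision, checking the stop channel before treating a false result as a failure. The deadline and the two sentinel errors are assumptions added for the example; the page's code has no sync deadline.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Sentinel errors so the caller can tell an intended restart from a real failure.
// (Assumption for this example; the operator code uses klog.Fatal instead.)
var (
	ErrShuttingDown = errors.New("informer sync abandoned: shutdown requested")
	ErrSyncTimeout  = errors.New("informer caches did not sync before the deadline")
)

// waitForCacheSync is a local stand-in for client-go's cache.WaitForCacheSync
// (assumption: same contract, kept dependency-free): poll the HasSynced
// functions and return false as soon as stopCh is closed.
func waitForCacheSync(stopCh <-chan struct{}, pollEvery time.Duration, synced ...func() bool) bool {
	ticker := time.NewTicker(pollEvery)
	defer ticker.Stop()
	for {
		allSynced := true
		for _, hasSynced := range synced {
			if !hasSynced() {
				allSynced = false
				break
			}
		}
		if allSynced {
			return true
		}
		select {
		case <-stopCh:
			return false // this is the path the TLS watcher's shutdown() takes
		case <-ticker.C:
		}
	}
}

// syncInformers is the hardened shape the review asks for: a false result from
// waitForCacheSync is only a failure when the caller's stop channel is still
// open. If shutdown() already closed it, the caller gets ErrShuttingDown and can
// exit its startup path gracefully instead of crashing. The deadline is an
// addition for demonstration; the real WaitForCacheSync waits indefinitely.
func syncInformers(stopCh <-chan struct{}, deadline time.Duration, synced ...func() bool) error {
	derivedStop := make(chan struct{})
	done := make(chan struct{})
	defer close(done)
	go func() {
		defer close(derivedStop)
		select {
		case <-stopCh: // shutdown requested by the caller
		case <-time.After(deadline): // informers genuinely stuck
		case <-done: // sync finished first; do not leak this goroutine
		}
	}()

	if waitForCacheSync(derivedStop, 5*time.Millisecond, synced...) {
		return nil
	}
	// Decide what a false result means by looking at the caller's stop channel.
	select {
	case <-stopCh:
		return ErrShuttingDown
	default:
		return ErrSyncTimeout
	}
}

func main() {
	never := func() bool { return false }
	ready := func() bool { return true }

	running := make(chan struct{})
	fmt.Println("healthy startup:", syncInformers(running, 200*time.Millisecond, ready, ready))

	// Constructed race: the TLS profile watcher has already called shutdown()
	// (stop channel closed) before the Machine API informers caught up.
	stopped := make(chan struct{})
	close(stopped)
	err := syncInformers(stopped, 200*time.Millisecond, never)
	fmt.Println("shutdown mid-sync:", err, "| graceful restart:", errors.Is(err, ErrShuttingDown))

	// Genuinely stuck informer with no shutdown: the only case that should
	// still reach klog.Fatal in the operator.
	fmt.Println("stuck informer:", syncInformers(running, 50*time.Millisecond, never))
}
```

In the operator the equivalent check is the `select` on `ctx.Stop` immediately after `cache.WaitForCacheSync` returns false; the point of separating the two errors is that the caller can log and return on ErrShuttingDown and reserve the fatal exit for a sync that failed while the process was still meant to be running.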

@openshift-ci
Contributor

openshift-ci bot commented Feb 27, 2026

@RadekManak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                           Commit   Details  Required  Rerun command
ci/prow/e2e-metal-ipi               1659685  link     true      /test e2e-metal-ipi
ci/prow/e2e-metal-ipi-virtualmedia  1659685  link     true      /test e2e-metal-ipi-virtualmedia
ci/prow/e2e-metal-ipi-ovn-ipv6      1659685  link     true      /test e2e-metal-ipi-ovn-ipv6

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
