OTA-1836: Honor the centralized TLS configuration by DavidHurta · Pull Request #1338 · openshift/cluster-version-operator

DavidHurta · 2026-03-07T22:46:00Z

Honor the centralized TLS configuration.

A follow-up PR openshift/hypershift#8013 after this one merges.

Summary by CodeRabbit

New Features
- Added --tls-min-version and --tls-cipher-suites CLI flags for metrics TLS.
- Metrics server now applies APIServer TLS profiles with user overrides and requires APIServer informer readiness.
- Startup now waits for config caches to sync before initializing metrics/controllers.
Tests
- Added comprehensive TLS profile/override tests and improved integration polling for leader events.
Chores
- Updated dependencies across test, OpenShift, Kubernetes, and core Go modules.

openshift-ci · 2026-03-07T22:46:04Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

DavidHurta · 2026-03-07T22:46:10Z

/test ?

coderabbitai · 2026-03-07T22:46:18Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

Adds APIServer informer propagation to the CVO, implements a TLS profile manager that applies APIServer TLS profiles to the metrics server (with CLI-configurable overrides), validates override inputs at startup, and expands tests to cover profile application, overrides, and informer-driven updates.

Changes

Cohort / File(s)	Summary
Dependency Management `go.mod`	Refreshed dependency graph: bumped Kubernetes/OpenShift modules, added `controller-runtime-common`, updated various `golang.org/x/*` and indirect libraries (`evanphx/json-patch/v5`, `google/btree`, etc.).
CVO Core Structure `pkg/cvo/cvo.go`	Threaded `APIServerInformer` into `Operator` via `New(...)`, added `APIServerInformer()` accessor, and added informer cache sync to controller readiness checks.
TLS Profile & Metrics `pkg/cvo/metrics.go`	Added TLS profile manager that reads APIServer TLS profile via informer, applies central profile + CLI overrides per-handshake, added `TLSMinVersionOverride` and `TLSCipherSuitesOverride` to `MetricsOptions`, and changed `RunMetrics` signature to accept APIServer informer and validate overrides.
System Initialization `pkg/start/start.go`	Wired APIServer informer into CVO construction and passed it to `RunMetrics`; added config informer WaitForCacheSync call during startup.
CLI Configuration `cmd/cluster-version-operator/start.go`	Added persistent flags `--tls-min-version` and `--tls-cipher-suites` to populate metrics TLS override options and updated help text generation.
Test Coverage `pkg/cvo/metrics_test.go`, `pkg/start/start_integration_test.go`	Added extensive tests for TLS profile manager behavior (profile application, overrides, validation, informer events) and adjusted integration test to poll for leadership events with retry logic.

Sequence Diagram

sequenceDiagram
    actor User
    participant CLI
    participant Start
    participant CVO
    participant Informer
    participant TLSMgr
    participant Metrics

    User->>CLI: launch with flags (--tls-min-version, --tls-cipher-suites)
    CLI->>Start: populate MetricsOptions
    Start->>CVO: New(..., APIServerInformer)
    CVO->>Informer: register Add/Update/Delete handlers
    Start->>Metrics: RunMetrics(ctx, restConfig, APIServerInformer, options)
    Metrics->>Informer: WaitForCacheSync
    Informer-->>Metrics: cache synced
    Metrics->>TLSMgr: initialize (read central profile)
    Informer->>TLSMgr: Add/Update/Delete events
    TLSMgr->>Metrics: provide per-handshake tls.Config (central profile + overrides)
    Metrics-->>User: serve metrics with resolved TLS config

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 76.19% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Microshift Test Compatibility	❓ Inconclusive	Cannot access test files mentioned in PR summary (pkg/cvo/metrics_test.go, pkg/start/start_integration_test.go) to verify MicroShift compatibility of new Ginkgo e2e tests.	Provide access to the actual test files added/modified in this PR to assess compatibility with MicroShift's available APIs and resources.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'OTA-1836: Honor the centralized TLS configuration' directly summarizes the main objective of the PR, which is to implement centralized TLS configuration support.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 72 test cases across modified files use stable, static, descriptive names with no dynamic values, timestamps, UUIDs, or variable interpolation.
Test Structure And Quality	✅ Passed	Tests demonstrate strong quality: table-driven tests with descriptive names, proper defer-based cleanup, comprehensive timeouts (10-60s), diagnostic assertion messages, and consistency with repository patterns.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR adds unit/integration tests to pkg/cvo/metrics_test.go and pkg/start/start_integration_test.go using Go's standard testing package, not Ginkgo e2e tests. SNO compatibility assessment applies only to Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no scheduling constraints affecting pod placement across OpenShift topologies; changes are purely internal TLS configuration logic.
Ote Binary Stdout Contract	✅ Passed	The pull request does not introduce any violations of the OTE Binary Stdout Contract. Modified files contain no new fmt.Print/Println/Printf calls in process-level code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only standard Go unit and integration tests using testing.T with no Ginkgo or Gomega imports, so the IPv6 and disconnected network compatibility check for Ginkgo e2e tests is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-03-07T22:46:23Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DavidHurta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [DavidHurta]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

DavidHurta · 2026-03-07T22:47:29Z

/test e2e-agnostic-operator
/test e2e-agnostic-ovn
/test e2e-hypershift
/test gofmt
/test images
/test lint
/test unit
/test verify-update
/test verify-yaml

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

pkg/start/start.go (1)

358-363: ⚠️ Potential issue | 🟠 Major

Wait for the APIServer informer before starting metrics.

RunMetrics now reads the TLS profile through controllerCtx.CVO.APIServerLister(), but this path still only blocks on ClusterVersionInformerFactory.WaitForCacheSync above. The APIServer informer is created later in NewControllerContext, so on a fresh leader transition its cache can still be cold here and the first handshakes will race an empty/NotFound profile. Please gate metrics startup on the APIServer informer, or the full ConfigInformerFactory, being synced when RespectCentralTLSProfile is enabled.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/start/start.go` around lines 358 - 363, The metrics server is started
without ensuring the APIServer informer (or the full ConfigInformerFactory) has
synced, causing races when RunMetrics reads TLS profiles via
controllerCtx.CVO.APIServerLister(); update the metrics startup to, when
RespectCentralTLSProfile is enabled, wait for the APIServer informer (or
controllerCtx.ConfigInformerFactory) to be synced before spawning the goroutine
that calls cvo.RunMetrics (check o.MetricsOptions.ListenAddress and
o.RespectCentralTLSProfile, then call the appropriate WaitForCacheSync on the
APIServer informer or ConfigInformerFactory from controllerCtx and only start
the metrics goroutine after that returns true).

pkg/cvo/metrics.go (2)

353-360: ⚠️ Potential issue | 🟠 Major

Reject missing apiServerLister at startup.

If RespectCentralTLSProfile is true and apiServerLister is nil, the process won't fail until Line 485, where the first handshake dereferences it. Please turn that into an early configuration error.

Suggested fix

 func RunMetrics(runContext context.Context, shutdownContext context.Context, restConfig *rest.Config, apiServerLister configlistersv1.APIServerLister, options MetricsOptions) error {
 	if options.ListenAddress == "" {
 		return errors.New("listen address is required to serve metrics")
 	}
 
 	if options.DisableAuthentication && !options.DisableAuthorization {
 		return errors.New("invalid configuration: cannot enable authorization without authentication")
 	}
+	if options.RespectCentralTLSProfile && apiServerLister == nil {
+		return errors.New("apiServerLister is required when RespectCentralTLSProfile is enabled")
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cvo/metrics.go` around lines 353 - 360, Add an early validation in
RunMetrics to reject a nil apiServerLister when options.RespectCentralTLSProfile
is true: after the existing ListenAddress and auth checks, check if
options.RespectCentralTLSProfile && apiServerLister == nil and return a clear
configuration error (e.g. "apiServerLister is required when
RespectCentralTLSProfile is true"). This prevents the later nil dereference in
TLS handshake code that relies on apiServerLister.

467-490: ⚠️ Potential issue | 🔴 Critical

Synchronize lastValidProfile in the TLS callback.

lastValidProfile is captured by GetConfigForClient and then read and overwritten on each handshake without synchronization. That is a data race, and concurrent handshakes can also write back an older snapshot after a profile change.

Suggested fix

 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"slices"
+	"sync"
 	"time"
@@
-	var lastValidProfile *cachedTLSProfile
+	var (
+		lastValidProfile   *cachedTLSProfile
+		lastValidProfileMu sync.Mutex
+	)
@@
 			if options.RespectCentralTLSProfile {
+				lastValidProfileMu.Lock()
 				profile, err := getAPIServerTLSProfile(apiServerLister, lastValidProfile)
+				if err == nil {
+					lastValidProfile = profile
+				}
+				lastValidProfileMu.Unlock()
 				if err != nil {
 					return nil, fmt.Errorf("failed to get TLS profile for metrics server: %w", err)
 				}
-				lastValidProfile = profile
 				profile.apply(config)
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cvo/metrics.go` around lines 467 - 490, The TLS callback captures and
mutates lastValidProfile unsafely; add synchronization (e.g., a package-local
sync.RWMutex like lastValidProfileMu) and use RLock when reading and Lock when
updating to prevent data races and stale overwrites in GetConfigForClient; wrap
the call to getAPIServerTLSProfile and the assignment lastValidProfile = profile
(and the subsequent profile.apply(config) if it relies on the stored state)
inside the mutex so readers/writers are serialized and the cachedTLSProfile is
updated atomically.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cvo/metrics.go`:
- Around line 176-180: The log at the klog.Infof call prints profile.Ciphers
using %s which causes invalid formatting; update the klog.Infof in the TLS
profile change block (after tlsprofile.NewTLSConfigFromProfile and the
unsupportedCiphers check) to format the cipher list correctly by using a verbs
that match the type (e.g., %v) or join the slice into a string (e.g.,
strings.Join(profile.Ciphers, ",")). Ensure you import strings if you choose
Join and keep the rest of the message unchanged.

---

Outside diff comments:
In `@pkg/cvo/metrics.go`:
- Around line 353-360: Add an early validation in RunMetrics to reject a nil
apiServerLister when options.RespectCentralTLSProfile is true: after the
existing ListenAddress and auth checks, check if
options.RespectCentralTLSProfile && apiServerLister == nil and return a clear
configuration error (e.g. "apiServerLister is required when
RespectCentralTLSProfile is true"). This prevents the later nil dereference in
TLS handshake code that relies on apiServerLister.
- Around line 467-490: The TLS callback captures and mutates lastValidProfile
unsafely; add synchronization (e.g., a package-local sync.RWMutex like
lastValidProfileMu) and use RLock when reading and Lock when updating to prevent
data races and stale overwrites in GetConfigForClient; wrap the call to
getAPIServerTLSProfile and the assignment lastValidProfile = profile (and the
subsequent profile.apply(config) if it relies on the stored state) inside the
mutex so readers/writers are serialized and the cachedTLSProfile is updated
atomically.

In `@pkg/start/start.go`:
- Around line 358-363: The metrics server is started without ensuring the
APIServer informer (or the full ConfigInformerFactory) has synced, causing races
when RunMetrics reads TLS profiles via controllerCtx.CVO.APIServerLister();
update the metrics startup to, when RespectCentralTLSProfile is enabled, wait
for the APIServer informer (or controllerCtx.ConfigInformerFactory) to be synced
before spawning the goroutine that calls cvo.RunMetrics (check
o.MetricsOptions.ListenAddress and o.RespectCentralTLSProfile, then call the
appropriate WaitForCacheSync on the APIServer informer or ConfigInformerFactory
from controllerCtx and only start the metrics goroutine after that returns
true).

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4b2ebb59-479e-4c67-b71f-fec6dbcfc90e

📥 Commits

Reviewing files that changed from the base of the PR and between 7092376 and 3f595e0.

⛔ Files ignored due to path filters (291)

go.sum is excluded by !**/*.sum
vendor/github.com/evanphx/json-patch/v5/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/fold.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/fuzz.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/indent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/scanner.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/tables.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/tags.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/merge.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/evanphx/json-patch/v5/patch.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-logr/logr/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-logr/logr/funcr/funcr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/btree.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/btree/btree_generic.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/pprof/profile/merge.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/pprof/profile/profile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/pprof/profile/proto.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/google/pprof/profile/prune.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/format/format.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/internal/assertion.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/internal/async_assertion.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/internal/duration_bundle.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/internal/gomega.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/internal/polling_signal_error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/internal/vetoptdesc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/and.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/assignable_to_type_of_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_a_directory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_a_regular_file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_an_existing_file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_closed_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_element_of_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_empty_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_equivalent_to_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_false_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_identical_to.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_key_of_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_nil_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_numerically_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_sent_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_temporally_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_true_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/be_zero_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/consist_of.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/contain_element_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/contain_elements_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/contain_substring_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/equal_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_cap_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_each_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_exact_elements.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_existing_field_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_field.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_http_header_with_value_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_http_status_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_len_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_occurred_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_prefix_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_suffix_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/have_value.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_iter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/internal/miter/type_support_noiter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/match_error_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/match_json_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/match_regexp_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/not.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/or.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/panic_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/receive_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/satisfy_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/semi_structured_data_support.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/succeed_matcher.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/support/goraph/bipartitegraph/bipartitegraph.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/support/goraph/node/node.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/type_support.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/matchers/with_transform.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/onsi/gomega/types/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_insights.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_backup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/config/v1alpha2/types_insights.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_30_cluster-api_01_clusterapis-CustomNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_30_cluster-api_01_clusterapis-DevPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.crd-manifests/0000_30_cluster-api_01_clusterapis-TechPreviewNoUpgrade.crd.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
vendor/github.com/openshift/controller-runtime-common/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/crypto/crypto.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/openshift/library-go/pkg/manifest/manifest.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/api/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/desc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/labels.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/vec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/client_golang/prometheus/wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/config/config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/config/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/config/http_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/expfmt.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/fuzz.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/openmetrics_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_create.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/expfmt/text_parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/alert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/labels.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/labelset.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/time.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/value.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/value_histogram.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/common/model/value_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/Makefile.common is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/arp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fs_statfs_notype.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/fscache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/fs/fs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/internal/util/sysreadfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/mountstats.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_dev_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_ip_socket.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_protocols.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_tcp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/net_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_cgroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_io.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_netstat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_smaps.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_snmp6.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_status.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/proc_sys.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/prometheus/procfs/softirqs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/bool_func.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/count.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/flag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/func.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/golangflag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/ipnet_slice.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/string_to_string.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/text.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/spf13/pflag/time.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/clientcredentials/clientcredentials.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/internal/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/internal/oauth2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/internal/token.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/internal/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sync/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sync/PATENTS is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
vendor/gomodules.xyz/jsonpatch/v2/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/gomodules.xyz/jsonpatch/v2/jsonpatch.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protowire/wire.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/presence.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/genid/api_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/message_opaque.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/presence.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/strs/strings_unsafe.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/strs/strings_unsafe_go120.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/proto/merge.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/reflect/protoreflect/source_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/reflect/protoreflect/value_unsafe_go120.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/gofeaturespb/go_features.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/anypb/any.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/durationpb/duration.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/structpb/struct.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/types/known/wrapperspb/wrappers.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/gopkg.in/evanphx/json-patch.v4/README.md is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/evanphx/json-patch.v4/patch.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v2/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v2/LICENSE.libyaml is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v2/apic.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v2/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/gopkg.in/yaml.v2/emitterc.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (9)

go.mod
lib/manifest/manifest.go
pkg/cvo/cvo.go
pkg/cvo/featuregate_integration_test.go
pkg/cvo/metrics.go
pkg/cvo/sync_worker.go
pkg/payload/payload.go
pkg/payload/render.go
pkg/start/start.go

openshift-ci-robot · 2026-03-17T00:24:08Z

@DavidHurta: This pull request references OTA-1764 which is a valid jira issue.

Details

In response to this:

Summary by CodeRabbit

New Features

Added support for dynamic TLS profile handling in the metrics server, enabling centralized TLS configuration management from the cluster's APIServer.

Introduced a new configuration option to control TLS profile synchronization behavior.

Chores

Updated multiple Go module dependencies to newer versions, including logging, testing, Kubernetes, Prometheus, and related utilities.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

DavidHurta · 2026-03-17T01:28:18Z

/test all

DavidHurta · 2026-03-17T01:28:40Z

@coderabbitai review

coderabbitai · 2026-03-17T01:28:46Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

Actionable comments posted: 2

🧹 Nitpick comments (1)

pkg/cvo/metrics.go (1)
164-170: Remove or clarify the dead code block.

The if false block with the TODO comment is unreachable and will never execute. If this is a placeholder for future API changes, consider using a build tag or feature flag instead, or remove it entirely until the API changes are ready.
♻️ Suggested approach

Either remove the dead code block entirely:
-	if false { // TODO: Add TLS adherence logic when API changes merge
-		return &cachedTLSProfile{
-			spec:       nil,
-			apply:      func(config *tls.Config) {}, // do nothing
-			generation: apiServer.Generation,
-		}, nil
-	}
-
Or if keeping it as a placeholder, add a clearer skip mechanism:
+	// TODO(OTA-XXXX): Add TLS adherence logic when API changes merge
+	// When implemented, check apiServer.Spec.TLSSecurityProfile adherence field here
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/cvo/metrics.go` around lines 164 - 170, The unreachable "if false" block
should be removed or replaced with a proper toggle; delete the dead branch that
returns a cachedTLSProfile with spec nil/apply noop (references:
cachedTLSProfile, apiServer.Generation, tls.Config) or, if you need a
placeholder, replace it with a clear feature flag/build-tag guard (not "if
false") and document the intent; ensure any retained placeholder still compiles
and preserves the intended return shape for the surrounding function.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 29-36: The go.mod shows a mismatch: most k8s modules are v0.35.1
while k8s.io/kube-aggregator remains v0.34.1; verify compatibility and align
versions by either upgrading k8s.io/kube-aggregator to a v0.35.x release if
available, or downgrade the other k8s modules to the kube-aggregator compatible
version (e.g., v0.34.x), or add a go.mod replace to force a tested compatible
commit; update the k8s module entries (k8s.io/kube-aggregator and the other
k8s.io/* lines) so all Kubernetes component modules use a mutually compatible
version set and run go mod tidy and go test to ensure no API/type mismatches.
- Line 3: The go.mod contains an invalid Go version "go 1.25.0"; update the
module's go directive to a valid released version (e.g., "go 1.25.8" or "go
1.26.1") by replacing the current go directive value so the go directive in
go.mod reflects an actual Go release.

---

Nitpick comments:
In `@pkg/cvo/metrics.go`:
- Around line 164-170: The unreachable "if false" block should be removed or
replaced with a proper toggle; delete the dead branch that returns a
cachedTLSProfile with spec nil/apply noop (references: cachedTLSProfile,
apiServer.Generation, tls.Config) or, if you need a placeholder, replace it with
a clear feature flag/build-tag guard (not "if false") and document the intent;
ensure any retained placeholder still compiles and preserves the intended return
shape for the surrounding function.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b19eb2ef-b766-4f59-b7e5-9d3710e2fd62

📥 Commits

Reviewing files that changed from the base of the PR and between 3f595e0 and f9d748d.

⛔ Files ignored due to path filters (113)

go.sum is excluded by !**/*.sum
vendor/github.com/evanphx/json-patch/v5/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/fold.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/fuzz.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/indent.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/scanner.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/stream.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/tables.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/tags.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/patch.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/btree.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/btree_generic.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/profile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/proto.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/prune.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/format/format.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/internal/assertion.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/internal/async_assertion.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/internal/duration_bundle.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/internal/gomega.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/internal/polling_signal_error.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/internal/vetoptdesc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/and.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/assignable_to_type_of_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_a_directory.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_a_regular_file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_an_existing_file.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_closed_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_element_of_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_empty_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_equivalent_to_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_false_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_identical_to.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_key_of_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_nil_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_numerically_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_sent_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_temporally_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_true_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/be_zero_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/consist_of.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/contain_element_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/contain_elements_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/contain_substring_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/equal_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_cap_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_each_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_exact_elements.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_existing_field_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_field.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_http_body_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_http_header_with_value_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_http_status_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_len_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_occurred_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_prefix_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_suffix_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_value.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/match_error_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/match_json_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/match_regexp_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/match_xml_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/not.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/or.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/panic_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/receive_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/satisfy_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/semi_structured_data_support.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/succeed_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/support/goraph/bipartitegraph/bipartitegraph.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/support/goraph/node/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/type_support.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/with_transform.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/types/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_insights.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_authentications-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_infrastructures-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_insightsdatagathers-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (9)

go.mod
lib/manifest/manifest.go
pkg/cvo/cvo.go
pkg/cvo/featuregate_integration_test.go
pkg/cvo/metrics.go
pkg/cvo/sync_worker.go
pkg/payload/payload.go
pkg/payload/render.go
pkg/start/start.go

🚧 Files skipped from review as they are similar to previous changes (3)

pkg/cvo/featuregate_integration_test.go
lib/manifest/manifest.go
pkg/payload/render.go

coderabbitai · 2026-03-17T01:33:06Z

 module github.com/openshift/cluster-version-operator

-go 1.24.0
+go 1.25.0


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Description: Check the latest stable Go releases from golang.org # Fetch the list of available Go versions curl -s 'https://go.dev/dl/?mode=json' | jq -r '.[].version' | head -10 # Check if go1.25.0 exists in the official releases curl -s 'https://go.dev/dl/?mode=json' | jq -r '.[].version' | grep -q 'go1.25.0' && echo "go1.25.0 exists" || echo "go1.25.0 does NOT exist"

Repository: openshift/cluster-version-operator

Length of output: 119

Update Go version to a valid release.

Go 1.25.0 does not exist as an official release. Valid alternatives include go1.24.x, go1.25.8, or go1.26.1. Update go 1.25.0 to a valid version:

-go 1.25.0 +go 1.25.8

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

go 1.25.0

go 1.25.8

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` at line 3, The go.mod contains an invalid Go version "go 1.25.0"; update the module's go directive to a valid released version (e.g., "go 1.25.8" or "go 1.26.1") by replacing the current go directive value so the go directive in go.mod reflects an actual Go release.

DavidHurta · 2026-03-17T13:12:23Z

/test ?

DavidHurta · 2026-03-17T13:17:30Z

/test tls-scanner
/test all

DavidHurta · 2026-03-18T00:29:23Z

/test tls-scanner
/test all

DavidHurta · 2026-03-18T12:59:59Z

/test tls-scanner

DavidHurta · 2026-03-19T02:32:07Z

/test tls-scanner
/test all

DavidHurta · 2026-03-19T13:59:16Z

/hold

Waiting for other PRs in the repository to merge due to dependency bumps and linting warnings.

However, the core of the PR, the last two commits, are ready for feedback.

openshift-ci-robot · 2026-03-19T14:01:58Z

@DavidHurta: This pull request references OTA-1764 which is a valid jira issue.

Details

In response to this:

Honor the centralized TLS configuration.

Summary by CodeRabbit

New Features

Added support for dynamic TLS profile handling in the metrics server, enabling centralized TLS configuration management from the cluster's APIServer.

Introduced a new configuration option to control TLS profile synchronization behavior.

Chores

Updated multiple Go module dependencies to newer versions, including logging, testing, Kubernetes, Prometheus, and related utilities.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

DavidHurta · 2026-03-19T14:02:29Z

@coderabbitai review

coderabbitai · 2026-03-19T14:02:35Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

openshift-ci-robot · 2026-03-19T14:03:40Z

@DavidHurta: This pull request references OTA-1836 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Honor the centralized TLS configuration.

Summary by CodeRabbit

New Features

Added support for dynamic TLS profile handling in the metrics server, enabling centralized TLS configuration management from the cluster's APIServer.

Introduced a new configuration option to control TLS profile synchronization behavior.

Chores

Updated multiple Go module dependencies to newer versions, including logging, testing, Kubernetes, Prometheus, and related utilities.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-03-19T14:05:08Z

@DavidHurta: This pull request references OTA-1836 which is a valid jira issue.

Details

In response to this:

Honor the centralized TLS configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-03-19T15:35:28Z

@DavidHurta: This pull request references OTA-1836 which is a valid jira issue.

Details

In response to this:

Honor the centralized TLS configuration.

A follow-up PR in openshift/hypershift#8013 after this one merges.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-03-19T15:35:43Z

@DavidHurta: This pull request references OTA-1836 which is a valid jira issue.

Details

In response to this:

Honor the centralized TLS configuration.

A follow-up PR openshift/hypershift#8013 after this one merges.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

DavidHurta · 2026-03-23T13:04:49Z

/hold
Checking updated docs.

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cvo/metrics.go`:
- Line 450: RunMetrics currently dereferences apiServerInformer without checking
for nil, which can panic; add a nil guard at the start of RunMetrics (the
function) to validate apiServerInformer and return a descriptive error if it's
nil before any use (including code paths that access
apiServerInformer.Informer() or apiServerInformer.Lister() later in the
function). Ensure the check covers all execution paths that reference
apiServerInformer (the paths around the existing uses at the APIServer informer
handling) and return an error rather than proceeding to avoid a runtime panic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: aefadc1b-4bb6-480e-90c5-13053e84cb5f

📥 Commits

Reviewing files that changed from the base of the PR and between 203183d and ee6f9e8.

⛔ Files ignored due to path filters (41)

go.sum is excluded by !**/*.sum, !go.sum
vendor/github.com/evanphx/json-patch/v5/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/fold.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/fuzz.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/indent.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/scanner.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/stream.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/tables.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/internal/json/tags.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/evanphx/json-patch/v5/patch.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/btree.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/btree/btree_generic.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/profile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/proto.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/google/pprof/profile/prune.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/format/format.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_key_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/have_key_with_value_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/match_error_strictly_matcher.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/gomega/matchers/support/goraph/edge/edge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/AGENTS.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_dns.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (7)

cmd/cluster-version-operator/start.go
go.mod
pkg/cvo/cvo.go
pkg/cvo/metrics.go
pkg/cvo/metrics_test.go
pkg/start/start.go
pkg/start/start_integration_test.go

✅ Files skipped from review due to trivial changes (1)

go.mod

DavidHurta · 2026-04-28T11:31:24Z

/test e2e-agnostic-ovn-upgrade-into-change
/test e2e-agnostic-ovn-upgrade-out-of-change

DavidHurta · 2026-04-28T15:13:17Z

/test ?

DavidHurta · 2026-04-28T15:13:34Z

/test tls-scanner

Honor the central TLS profile [1] with event-driven dynamic updates. Implementation uses an APIServer informer with event handlers to proactively cache TLS settings, eliminating per-handshake lister calls while maintaining dynamic reconfiguration capability. The cached settings are applied during TLS handshakes via GetConfigForClient. The commit aims to focus on availability over strict consistency on errors, such as an error fetching the API server object. The CVO provides critical metrics and as such, I am inclined towards availability instead of strict TLS configuration consistency. The TLS adherence feature is currently in Tech Preview. Components do not need to check the feature gate explicitly though [2]: > Component Interaction with the Feature Gate: The feature gate controls > whether the tlsAdherence field is accepted by the API server — > components themselves do not need to check the feature gate. > Because the field is optional (+optional, omitempty), components only > need to handle the field's value when unmarshaling the APIServer config > ... > This means components do not need to set up feature gate watching or > add feature-gate-specific code paths. The ShouldHonorClusterTLSProfile > helper in library-go encapsulates all of this logic. The ShouldHonorClusterTLSProfile helper from library-go encapsulates this logic. Configuration precedence: crypto defaults → central profile → overrides (override support added in next commit for HyperShift compatibility). [1]: https://github.com/openshift/enhancements/blob/master/enhancements/security/centralized-tls-config.md [2]: https://github.com/openshift/enhancements/blob/master/enhancements/security/centralized-tls-config.md#feature-gate Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

…perShift Add --tls-min-version and --tls-cipher-suites flags based on recommendations from the centralized TLS config enhancement [1] to support HyperShift deployments: > When these flags are set by the CPO, they take precedence over any > value the component would read from > apiservers.config.openshift.io/cluster. When they are not set, the > component falls back to its normal behavior of watching the cluster config. This allows hosted control planes components, which are deployed in the management cluster, to have different TLS setting or for the components to not need to read the management cluster Kubernetes API server. [1]: https://github.com/openshift/enhancements/blob/master/enhancements/security/centralized-tls-config.md Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

openshift-ci · 2026-05-04T18:29:22Z

@DavidHurta: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-hypershift	`d2f5f50`	link	true	`/test e2e-hypershift`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 7, 2026

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2026

coderabbitai Bot reviewed Mar 7, 2026

View reviewed changes

Comment thread pkg/cvo/metrics.go Outdated

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 11, 2026

DavidHurta force-pushed the central-tls-profile branch from 3f595e0 to 1362d3f Compare March 17, 2026 00:23

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 17, 2026

DavidHurta changed the title ~~WIP: Central tls profile~~ OTA-1764: Respect Central TLS Profile in Standalone Mar 17, 2026

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 17, 2026

DavidHurta force-pushed the central-tls-profile branch 2 times, most recently from 9990e0a to f9d748d Compare March 17, 2026 01:27

coderabbitai Bot reviewed Mar 17, 2026

View reviewed changes

DavidHurta mentioned this pull request Mar 17, 2026

OTA-1764: CVO: Add an Optional TLS Scanner Presubmit Job openshift/release#76044

Merged

DavidHurta force-pushed the central-tls-profile branch from f9d748d to 8553636 Compare March 17, 2026 13:12

DavidHurta force-pushed the central-tls-profile branch from 8553636 to 7b9c98f Compare March 18, 2026 00:29

DavidHurta changed the title ~~OTA-1764: Respect Central TLS Profile in Standalone~~ OTA-1764: Support centralized TLS configuration Mar 19, 2026

DavidHurta force-pushed the central-tls-profile branch from 70099c9 to 29e1401 Compare March 19, 2026 02:30

DavidHurta mentioned this pull request Mar 19, 2026

OTA-1764: feat(cvo): add TLS cipher suites and minimum version flags openshift/hypershift#8013

Draft

4 tasks

DavidHurta force-pushed the central-tls-profile branch 2 times, most recently from e7776e4 to 203183d Compare March 19, 2026 13:57

DavidHurta marked this pull request as ready for review March 19, 2026 13:59

openshift-ci Bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. and removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Mar 19, 2026

DavidHurta changed the title ~~OTA-1764: Support centralized TLS configuration~~ OTA-1836: Honor the centralized TLS configuration Mar 19, 2026

openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 23, 2026

DavidHurta force-pushed the central-tls-profile branch from 203183d to ee6f9e8 Compare April 28, 2026 01:49

openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 28, 2026

coderabbitai Bot reviewed Apr 28, 2026

View reviewed changes

Comment thread pkg/cvo/metrics.go

DavidHurta and others added 3 commits May 4, 2026 16:19

deps: Run go mod tidy and go mod vendor

d2f5f50

DavidHurta force-pushed the central-tls-profile branch from 5f9f7d9 to d2f5f50 Compare May 4, 2026 14:21

Conversation

DavidHurta commented Mar 7, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-ci Bot commented Mar 7, 2026

Uh oh!

DavidHurta commented Mar 7, 2026

Uh oh!

coderabbitai Bot commented Mar 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Sequence Diagram

Estimated code review effort

❌ Failed checks (1 warning, 1 inconclusive)

Uh oh!

openshift-ci Bot commented Mar 7, 2026

Uh oh!

DavidHurta commented Mar 7, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 17, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

DavidHurta commented Mar 17, 2026

Uh oh!

DavidHurta commented Mar 17, 2026

Uh oh!

coderabbitai Bot commented Mar 17, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot Mar 17, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

DavidHurta commented Mar 17, 2026

Uh oh!

DavidHurta commented Mar 17, 2026

Uh oh!

DavidHurta commented Mar 18, 2026

Uh oh!

DavidHurta commented Mar 18, 2026

Uh oh!

DavidHurta commented Mar 19, 2026

Uh oh!

DavidHurta commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 19, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

DavidHurta commented Mar 19, 2026

Uh oh!

coderabbitai Bot commented Mar 19, 2026

Uh oh!

openshift-ci-robot commented Mar 19, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented Mar 19, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 19, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 19, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

DavidHurta commented Mar 23, 2026

Uh oh!

coderabbitai Bot left a comment

DavidHurta commented Mar 7, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Mar 7, 2026 •

edited

Loading

openshift-ci-robot commented Mar 17, 2026 •

edited by openshift-ci Bot

Loading

DavidHurta commented Mar 19, 2026 •

edited

Loading

openshift-ci-robot commented Mar 19, 2026 •

edited by openshift-ci Bot

Loading

openshift-ci-robot commented Mar 19, 2026 •

edited by openshift-ci Bot

Loading

openshift-ci-robot commented Mar 19, 2026 •

edited by openshift-ci Bot

Loading

openshift-ci-robot commented Mar 19, 2026 •

edited by openshift-ci Bot

Loading

openshift-ci-robot commented Mar 19, 2026 •

edited by openshift-ci Bot

Loading