CNF-19617, CNF-21768, CNF-21832, CNF-22018: Sync from upstream (02-Apr-2026) #688
jzding wants to merge 23 commits into openshift:main
The operator now honors the cluster-wide TLS security profile from the APIServer CR, so declare this capability via the OLM feature annotation.
Signed-off-by: Jack Ding <jackding@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Configure AWS timeout to 2 hours for long jobs
Set tls-profiles feature annotation to true in CSV
Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
Move builder image to non-docker image so that we do not get hit with pull limits
…mage Update Dockerfile builder image
… (OCPBUGS-59883, OCPBUGS-66407)
This is needed for TLSAdherence support.
- Upgrade from Go 1.24 to Go 1.25.0
- Update openshift/api to v0.0.0-20260318185450-1f2fa3f09f4e
- Update openshift/library-go to v0.0.0-20260318142011-72bf34f474bc
- Update openshift/controller-runtime-common to v0.0.0-20260318085703-1812aed6dbd2
- Upgrade sigs.k8s.io/controller-runtime from v0.22.5 to v0.23.3
- Upgrade k8s.io dependencies from v0.34.3 to v0.35.2
- Update l2discovery-lib from v0.0.21 to v0.1.0
- Update l2discovery image in CI test
- Fix webhook registrations for controller-runtime v0.23 generic API
Signed-off-by: Jack Ding <jackding@gmail.com>
Upgrade to Go 1.25 and update dependencies
…-locked-after-degrading PTP CI: Add BC clock class recovery test for upstream link outage
Add must-gather collection to CI pipeline
Signed-off-by: Jack Ding <jackding@gmail.com>
CNF-19617: Add test coverage for clockClass verification when locking PTP source
Expose system-level and base board hardware details in NodePtpDevice Status
Read the tlsAdherence policy from the APIServer CR and use ShouldHonorClusterTLSProfile to conditionally apply the cluster TLS profile. In Legacy mode (default), Go TLS defaults are used. In Strict mode, the cluster-wide TLS profile is enforced on the operator's webhook/metrics servers and on the daemon's kube-rbac-proxy. The SecurityProfileWatcher now also monitors adherence policy changes and triggers a graceful restart when the policy changes.
Signed-off-by: Jack Ding <jackding@gmail.com>
Replace the separate TLSAdherencePolicy field on the reconciler with a nil *TLSProfileSpec pointer pattern. When the pointer is nil, legacy hardcoded ciphers are used. When non-nil, the cluster TLS profile is applied. The adherence decision is made once in main.go and expressed through the pointer value.
Signed-off-by: Jack Ding <jackding@gmail.com>
update OWNERS
CNF-21768: Add TLS adherence support
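The nil-pointer pattern described in the TLS adherence commits above, as an added Go example that is not the operator's own code. `TLSProfileSpec`, the `Legacy`/`Strict` constants, `effectiveProfile`, `resolveCiphers`, `serverTLSConfig` and the two-entry legacy list are stand-ins assumed for illustration, and cipher names are assumed to be the IANA names Go reports.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// TLSProfileSpec is a local stand-in (assumption) for the cluster TLS profile:
// IANA cipher suite names plus a minimum protocol version.
type TLSProfileSpec struct {
	Ciphers       []string
	MinTLSVersion uint16
}

// Hypothetical policy values, named after the two modes in the commit message.
const (
	AdherenceLegacy = "Legacy"
	AdherenceStrict = "Strict"
)

// Constructed placeholder: the operator's real legacy list is not shown on the page.
var legacyCipherSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

// effectiveProfile makes the adherence decision once. A nil result means
// "legacy"; any value other than Strict (including unset) falls back to it.
func effectiveProfile(policy string, cluster TLSProfileSpec) *TLSProfileSpec {
	if policy != AdherenceStrict {
		return nil
	}
	p := cluster // copy, so later changes to the caller's value do not leak in
	return &p
}

// resolveCiphers maps names to Go IDs using only the suites Go lists as
// secure, so an unknown or insecure name is an error instead of being dropped.
func resolveCiphers(names []string) ([]uint16, error) {
	known := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = cs
	}
	ids := []uint16{}
	for _, n := range names {
		cs, ok := known[n]
		if !ok {
			return nil, fmt.Errorf("cipher %q is unknown or insecure", n)
		}
		// TLS 1.3 suites are not configurable in Go; leave them out of the list.
		if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
			continue
		}
		ids = append(ids, cs.ID)
	}
	if len(ids) == 0 {
		return nil, fmt.Errorf("no TLS 1.2 cipher suites left after filtering")
	}
	return ids, nil
}

// serverTLSConfig consumes the pointer: nil selects the legacy list,
// non-nil applies the cluster profile.
func serverTLSConfig(profile *TLSProfileSpec) (*tls.Config, error) {
	names, minVer := legacyCipherSuites, uint16(tls.VersionTLS12)
	if profile != nil {
		names, minVer = profile.Ciphers, profile.MinTLSVersion
	}
	cfg := &tls.Config{MinVersion: minVer}
	if minVer >= tls.VersionTLS13 {
		return cfg, nil // a TLS 1.3-only server has no configurable suite list
	}
	ids, err := resolveCiphers(names)
	if err != nil {
		return nil, err
	}
	cfg.CipherSuites = ids
	return cfg, nil
}

func main() {
	// Constructed sample profile.
	cluster := TLSProfileSpec{
		Ciphers:       []string{"TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
		MinTLSVersion: tls.VersionTLS12,
	}
	for _, policy := range []string{AdherenceLegacy, AdherenceStrict} {
		cfg, err := serverTLSConfig(effectiveProfile(policy, cluster))
		if err != nil {
			fmt.Println(policy, "error:", err)
			continue
		}
		fmt.Printf("%s: min=0x%04x suites=%d\n", policy, cfg.MinVersion, len(cfg.CipherSuites))
	}
}
```

Deriving test expectations from the same `legacyCipherSuites` value that `serverTLSConfig` reads avoids the drift between a hard-coded test list and the constant that the review further down flags.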
@jzding: This pull request references CNF-19617 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.
This pull request references CNF-21768 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.
This pull request references CNF-21832 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.
This pull request references CNF-22018 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.
This pull request references Jira Issue OCPBUGS-59883, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
This pull request references Jira Issue OCPBUGS-66407, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: jzding
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Important: Review skipped
Auto reviews are limited based on label configuration. 🚫 Review skipped — only excluded labels are configured. (1)
Walkthrough
The pull request updates the PTP operator to support SMBIOS system and baseboard information in NodePtpDevice status, upgrades Go from 1.24 to 1.25, refactors TLS profile handling with legacy adherence support, updates webhook registration APIs, introduces clock class verification tests, adds must-gather debugging capability, and updates various base images and Kubernetes manifests.
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~85 minutes
9527173 to ef75480
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
scripts/run-tests.sh (1)
28-43: ⚠️ Potential issue | 🟠 Major
`DEBUG_IMAGE` variable is used without initialization.
The `DEBUG_IMAGE` variable is used at line 127 but is never initialized with a default value. If `--debug-image` flag is not provided, the variable will be unset, causing the script to fail under `set -u` (nounset) at line 17.
🐛 Proposed fix to initialize DEBUG_IMAGE
LINUXPTP_DAEMON_IMAGE="" MUST_GATHER_IMAGE="" +DEBUG_IMAGE="" while [[ $# -gt 0 ]]; do🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/run-tests.sh` around lines 28 - 43, Initialize DEBUG_IMAGE to a safe default (e.g., empty string) so it is always defined under set -u; add DEBUG_IMAGE="" alongside MUST_GATHER_IMAGE="" near the top initialization block and ensure the existing --debug-image case in the argument parser still assigns to DEBUG_IMAGE, or alternatively add a guard/fallback check before any use of DEBUG_IMAGE (referencing the DEBUG_IMAGE variable and the --debug-image case in the argument parsing logic).
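Review bot: `DEBUG_IMAGE=""` keeps the script from aborting under `set -u`, but the use at line 127 then receives an empty string whenever `--debug-image` is not passed. Guard that use so the value is only passed on when it is non-empty, or give the variable a usable default instead of an empty one.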
🧹 Nitpick comments (4)
ptp-tools/Dockerfile.cep (1)
14-22: Consider adding a non-root USER directive in the runtime stage.
The runtime stage runs as root by default. Other similar Dockerfiles in this PR (e.g., `ptp-tools/Dockerfile.krp`) properly set `USER 65534` for the runtime stage.
🔒 Proposed fix to run as non-root
FROM quay.io/centos/centos:stream9 COPY --from=builder /go/src/github.com/redhat-cne/cloud-event-proxy/build/cloud-event-proxy / COPY --from=builder /go/src/github.com/redhat-cne/cloud-event-proxy/plugins/*.so /plugins/ LABEL io.k8s.display-name="Cloud Event Proxy" \ io.k8s.description="This is a component of OpenShift Container Platform and provides a side car to handle cloud events." \ io.openshift.tags="openshift" \ maintainer="PTP Team <ptp-dev@redhat.com>" +USER 65534 ENTRYPOINT ["./cloud-event-proxy"]🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ptp-tools/Dockerfile.cep` around lines 14 - 22, The runtime stage currently runs as root; add a non-root user directive (e.g., USER 65534) in the runtime stage to match other Dockerfiles: place the USER 65534 line after the COPY directives (after copying /cloud-event-proxy and /plugins/) and before ENTRYPOINT ["./cloud-event-proxy"]; ensure the binary and /plugins are readable/executable by that UID (adjust ownership or permissions in the build stage or via chown/chmod before switching user) so the service runs as non-root.
Dockerfile (1)
9-20: Runtime stage runs as root - consider adding a non-root USER directive.
The runtime stage lacks a USER directive, so the container runs as root. This is flagged by static analysis (DS-0002). Adding a non-root user improves security posture.
🔒 Proposed fix to run as non-root
FROM quay.io/centos/centos:stream9 COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/ptp-operator/build/_output/bin/ptp-operator /usr/local/bin/ COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/ptp-operator/manifests /manifests COPY bindata /bindata LABEL io.k8s.display-name="OpenShift ptp-operator" \ io.k8s.description="This is a component that manages cluster PTP configuration." \ io.openshift.tags="openshift,ptp" \ com.redhat.delivery.appregistry=true \ maintainer="PTP Team <ptp-dev@redhat.com>" +USER 65534 ENTRYPOINT ["/usr/local/bin/ptp-operator"]🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile` around lines 9 - 20, The Dockerfile runtime stage currently runs as root (no USER set) which triggers DS-0002; create a non-root user (e.g., ptpuser) and group in the runtime stage, chown the copied artifacts (/usr/local/bin/ptp-operator, /manifests, /bindata) to that user, and add a USER ptpuser directive before the ENTRYPOINT to run /usr/local/bin/ptp-operator without root privileges; update any file permissions as needed so the operator can read/execute its files under the new user.
ptp-tools/Dockerfile.ptpop (1)
2-2: Consider adding `--no-install-recommends` flag.
Adding `--no-install-recommends` reduces image size by skipping optional packages.
♻️ Proposed improvement
-RUN apt-get update && apt-get install -y binutils-gold && rm -rf /var/lib/apt/lists/* +RUN apt-get update && apt-get install -y --no-install-recommends binutils-gold && rm -rf /var/lib/apt/lists/*🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ptp-tools/Dockerfile.ptpop` at line 2, Update the Dockerfile RUN line that currently reads "RUN apt-get update && apt-get install -y binutils-gold && rm -rf /var/lib/apt/lists/*" to include the --no-install-recommends flag so optional packages aren't pulled in; keep the apt-get update and the existing cleanup (rm -rf /var/lib/apt/lists/*) intact and ensure the flag is placed after apt-get install -y (i.e., apt-get install -y --no-install-recommends binutils-gold).
ptp-tools/Dockerfile.lptpd (1)
9-20: Consider adding a non-root user (optional).
Static analysis flags that the container runs as root. However, given this is a PTP daemon requiring privileged hardware access (PHC devices, network interfaces), running as root may be intentional. If the daemon can operate with reduced privileges for any operations, consider adding a non-root user.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ptp-tools/Dockerfile.lptpd` around lines 9 - 20, The Dockerfile currently runs the ptp daemon as root via CMD ["/usr/local/bin/ptp"]; add a non-root user and switch to it where possible by creating a user/group (e.g., ptpuser), chowning the installed binary and any runtime dirs to that user, and adding a USER ptpuser directive before CMD; ensure you preserve required privileged access (PHC/network) by only switching to non-root if /usr/local/bin/ptp and its runtime resources are owned by ptpuser or if capabilities are set appropriately so the daemon can still bind to needed devices.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@api/v1/ptpoperatorconfig_webhook.go`:
- Around line 37-42: Update the webhook registration to stop using the
deprecated WithCustomValidator and switch to WithValidator: in the
SetupWebhookWithManager function of PtpOperatorConfig replace the call to
WithCustomValidator(&ptpOperatorConfigValidator{}) with
WithValidator(&ptpOperatorConfigValidator{}), and make the analogous change in
api/v1/ptpconfig_webhook.go (the SetupWebhookWithManager there) replacing
WithCustomValidator usage for its validator with WithValidator to match
controller-runtime v0.23.3.
In `@controllers/tls_profile_test.go`:
- Around line 133-137: The test's hard-coded TLS cipher list in
tls_profile_test.go (data.Data["TLSCipherSuites"]) does not match the
legacyCipherSuites constant in controllers/ptpoperatorconfig_controller.go (the
5th entry differs); update the test to use the same values as
legacyCipherSuites—either by importing/reference that constant into the test or
by replacing the hard-coded entries so they exactly match legacyCipherSuites
(and do the same replacement for the second occurrence around lines 167-172) to
prevent drift.
In `@ptp-tools/Dockerfile.ptpop`:
- Line 4: The Dockerfile contains a suspicious COPY instruction "COPY .. ." that
copies the parent directory into the build context; replace it with "COPY . ."
so the current build context is copied instead (locate the COPY .. . line in the
Dockerfile.ptpop and update it to COPY . .). Ensure the build context actually
contains the intended files and that no parent-dir artifacts are required before
committing the change.
In `@test/conformance/serial/ptp.go`:
- Around line 2098-2099: The test uses waitForClockClass which returns as soon
as any ptp4l instance reaches 6, allowing DualNICBoundaryClock* to pass while
the other BC is still degraded; replace the single waitForClockClass(fullConfig,
...) call with the per-config helpers in test/pkg/ptptesthelper/ptptesthelper.go
so you explicitly assert each boundary-clock config recovers to ClockClass6
(i.e., call the ptptesthelper check for each BC instance or loop over both
configs), ensuring both NIC instances reach fbprotocol.ClockClass6 rather than
relying on a single global success.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 65ed3265-a92f-4d02-a673-b03acf2ea072
⛔ Files ignored due to path filters (267)
by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/autoscaling/v2beta2/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/autoscaling/v2beta2/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1/types.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1/types_swagger_doc_generated.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1beta1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1beta1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1beta1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/batch/v1beta1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1/types.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/generated.pb.gois excluded 
by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/register.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/types.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/register.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/types.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/certificates/v1beta1/zz_generated.prerelease-lifecycle.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1/generated.pb.gois excluded 
by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1alpha2/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1alpha2/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1alpha2/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1alpha2/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1beta1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1beta1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1beta1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/coordination/v1beta1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/toleration.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/types.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/types_swagger_doc_generated.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/zz_generated.deepcopy.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/core/v1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1/generated.pb.gois excluded 
by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1/types.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1/types_swagger_doc_generated.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1beta1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1beta1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1beta1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1beta1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1beta1/types.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1beta1/types_swagger_doc_generated.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/discovery/v1beta1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1beta1/doc.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1beta1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1beta1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/events/v1beta1/zz_generated.model_name.gois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/extensions/v1beta1/doc.gois excluded 
by!vendor/**,!**/vendor/**vendor/k8s.io/api/extensions/v1beta1/generated.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**vendor/k8s.io/api/extensions/v1beta1/generated.protois excluded by!vendor/**,!**/vendor/**vendor/k8s.io/api/extensions/v1beta1/generated.protomessage.pb.gois excluded by!**/*.pb.go,!vendor/**,!**/vendor/**
📒 Files selected for processing (33)
.github/workflows/aws-ci.yaml
Dockerfile
OWNERS
api/v1/nodeptpdevice_types.go
api/v1/ptpconfig_webhook.go
api/v1/ptpoperatorconfig_webhook.go
api/v1/zz_generated.deepcopy.go
bindata/linuxptp/ptp-daemon.yaml
bundle/manifests/ptp-operator.clusterserviceversion.yaml
bundle/manifests/ptp.openshift.io_nodeptpdevices.yaml
config/crd/bases/ptp.openshift.io_nodeptpdevices.yaml
config/manifests/bases/ptp-operator.clusterserviceversion.yaml
config/prometheus/monitor.yaml
controllers/ptpoperatorconfig_controller.go
controllers/tls_profile_test.go
controllers/tls_watcher_test.go
go.mod
main.go
manifests/stable/ptp-operator.clusterserviceversion.yaml
manifests/stable/ptp.openshift.io_nodeptpdevices.yaml
must-gather/collection-scripts/gather
ptp-tools/Dockerfile.cep
ptp-tools/Dockerfile.debug
ptp-tools/Dockerfile.krp
ptp-tools/Dockerfile.lptpd
ptp-tools/Dockerfile.ptpop
ptp-tools/Makefile
scripts/k8s-start.sh
scripts/run-on-vm.sh
scripts/run-tests.sh
test/conformance/serial/ptp.go
test/pkg/ptptesthelper/ptptesthelper.go
test/pkg/testconfig/testconfig.go
| func (r *PtpOperatorConfig) SetupWebhookWithManager(mgr ctrl.Manager, client client.Client) error { | ||
| k8sclient = client | ||
| return ctrl.NewWebhookManagedBy(mgr). | ||
| For(r). | ||
| WithValidator(&ptpOperatorConfigValidator{}). | ||
| return ctrl.NewWebhookManagedBy(mgr, r). | ||
| WithCustomValidator(&ptpOperatorConfigValidator{}). | ||
| Complete() | ||
| } |
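Review bot: In `SetupWebhookWithManager(mgr ctrl.Manager, client client.Client)` the parameter name `client` shadows the imported `client` package for the rest of the function, and `k8sclient = client` writes it into a package-level variable. Rename the parameter (for example `c client.Client`) and consider carrying the client as a field of `ptpOperatorConfigValidator{}` so validation does not depend on setup order or shared mutable state.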
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify controller-runtime version supports this API pattern
echo "=== Checking controller-runtime version ==="
grep -E 'sigs.k8s.io/controller-runtime' go.mod | head -5
echo ""
echo "=== Verify CustomValidator interface usage in codebase ==="
rg -n 'WithCustomValidator' --type go -C2
Repository: openshift/ptp-operator
Length of output: 3193
Replace deprecated WithCustomValidator with WithValidator.
The code uses WithCustomValidator(), which is deprecated in controller-runtime v0.23.3 (line 84 of vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go marks it as deprecated with recommendation to use WithValidator instead). Update the webhook registration to use the non-deprecated WithValidator() method. The same issue exists in api/v1/ptpconfig_webhook.go line 60.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@api/v1/ptpoperatorconfig_webhook.go` around lines 37 - 42, Update the webhook
registration to stop using the deprecated WithCustomValidator and switch to
WithValidator: in the SetupWebhookWithManager function of PtpOperatorConfig
replace the call to WithCustomValidator(&ptpOperatorConfigValidator{}) with
WithValidator(&ptpOperatorConfigValidator{}), and make the analogous change in
api/v1/ptpconfig_webhook.go (the SetupWebhookWithManager there) replacing
WithCustomValidator usage for its validator with WithValidator to match
controller-runtime v0.23.3.
| data.Data["TLSCipherSuites"] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + | ||
| "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + | ||
| "TLS_RSA_WITH_AES_128_CBC_SHA256," + | ||
| "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + | ||
| "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" |
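Review bot: The literal assigned to `data.Data["TLSCipherSuites"]` includes `TLS_RSA_WITH_AES_128_CBC_SHA256`, a static-RSA key exchange suite with no forward secrecy, alongside two ECDHE CBC_SHA256 suites; Go's crypto/tls returns all three from `InsecureCipherSuites()`. If this is the intended legacy set, say so in a comment above the assignment so the string is not copied elsewhere as a recommended list.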
Cipher suite mismatch between test and implementation.
The legacy cipher suites in this test differ from the legacyCipherSuites constant in controllers/ptpoperatorconfig_controller.go. The test uses TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as the 5th cipher, but the controller uses TLS_RSA_WITH_AES_256_CBC_SHA.
From controller (context snippet 1):
"TLS_RSA_WITH_AES_256_CBC_SHA"
This test:
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
This means the test will fail or is not accurately validating the legacy behavior.
🔧 Proposed fix to align with controller's legacyCipherSuites
data.Data["TLSCipherSuites"] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
"TLS_RSA_WITH_AES_128_CBC_SHA256," +
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," +
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+ "TLS_RSA_WITH_AES_256_CBC_SHA"
And update the assertion similarly:
assert.Contains(t, rbacProxyArgs,
"--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"+
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"+
"TLS_RSA_WITH_AES_128_CBC_SHA256,"+
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"+
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
+ "TLS_RSA_WITH_AES_256_CBC_SHA")
Consider using the legacyCipherSuites constant directly in the test to avoid future drift.
Also applies to: 167-172
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@controllers/tls_profile_test.go` around lines 133 - 137, The test's
hard-coded TLS cipher list in tls_profile_test.go (data.Data["TLSCipherSuites"])
does not match the legacyCipherSuites constant in
controllers/ptpoperatorconfig_controller.go (the 5th entry differs); update the
test to use the same values as legacyCipherSuites—either by importing/reference
that constant into the test or by replacing the hard-coded entries so they
exactly match legacyCipherSuites (and do the same replacement for the second
occurrence around lines 167-172) to prevent drift.
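The drift described in the comment above, checked mechanically, as an added example (not code from the PR or the project): it diffs the test's hard-coded list against the list in the proposed fix and asks Go's `crypto/tls` which names it classifies as insecure. The function names and the two constants are assumptions made for this example; the suite names are copied from the page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// Constructed inputs: testSuites is the list hard-coded in the test hunk,
// fixedSuites is the list from the review comment's proposed fix.
const testSuites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
	"TLS_RSA_WITH_AES_128_CBC_SHA256," +
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," +
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"

const fixedSuites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
	"TLS_RSA_WITH_AES_128_CBC_SHA256," +
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," +
	"TLS_RSA_WITH_AES_256_CBC_SHA"

// parseSuites splits a comma-separated value such as a --tls-cipher-suites
// argument, trimming whitespace and dropping empty entries.
func parseSuites(csv string) []string {
	var out []string
	for _, f := range strings.Split(csv, ",") {
		if f = strings.TrimSpace(f); f != "" {
			out = append(out, f)
		}
	}
	return out
}

// drift returns the names present only in a and only in b, each sorted.
func drift(a, b []string) (onlyA, onlyB []string) {
	inA, inB := map[string]bool{}, map[string]bool{}
	for _, n := range a {
		inA[n] = true
	}
	for _, n := range b {
		inB[n] = true
	}
	for n := range inA {
		if !inB[n] {
			onlyA = append(onlyA, n)
		}
	}
	for n := range inB {
		if !inA[n] {
			onlyB = append(onlyB, n)
		}
	}
	sort.Strings(onlyA)
	sort.Strings(onlyB)
	return onlyA, onlyB
}

// audit returns, in input order, the names crypto/tls lists in
// InsecureCipherSuites() and the names it does not implement at all.
func audit(names []string) (insecure, unknown []string) {
	known := map[string]bool{} // suite name -> listed as insecure
	for _, s := range tls.CipherSuites() {
		known[s.Name] = false
	}
	for _, s := range tls.InsecureCipherSuites() {
		known[s.Name] = true
	}
	for _, n := range names {
		bad, ok := known[n]
		switch {
		case !ok:
			unknown = append(unknown, n)
		case bad:
			insecure = append(insecure, n)
		}
	}
	return insecure, unknown
}

func main() {
	a, b := parseSuites(testSuites), parseSuites(fixedSuites)
	onlyTest, onlyFix := drift(a, b)
	fmt.Println("only in test list:   ", onlyTest)
	fmt.Println("only in proposed fix:", onlyFix)
	insecure, unknown := audit(a)
	fmt.Println("insecure per crypto/tls:", insecure)
	fmt.Println("unknown to crypto/tls:  ", unknown)
}
```

A check of this shape in the test itself would fail on the fifth entry as soon as the two lists diverge, instead of relying on a reviewer to spot it.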
| FROM docker.io/golang:1.25.7 AS builder | ||
| RUN apt-get update && apt-get install -y binutils-gold && rm -rf /var/lib/apt/lists/* | ||
| WORKDIR /go/src/github.com/k8snetworkplumbingwg/ptp-operator | ||
| COPY .. . |
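Review bot: `FROM docker.io/golang:1.25.7 AS builder` references the builder by a mutable tag, so two builds of the same commit can compile with different toolchain images. Pin the image by digest (`golang:1.25.7@sha256:<digest>`, with the digest recorded at review time) and keep the tag only as a readable hint.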
Suspicious COPY path - verify .. is intentional.
COPY .. . copies the parent directory into the container. This appears to be a typo and should likely be COPY . . to copy the current directory context.
🐛 Proposed fix
-COPY .. .
+COPY . .
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| COPY .. . | |
| COPY . . |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@ptp-tools/Dockerfile.ptpop` at line 4, The Dockerfile contains a suspicious
COPY instruction "COPY .. ." that copies the parent directory into the build
context; replace it with "COPY . ." so the current build context is copied
instead (locate the COPY .. . line in the Dockerfile.ptpop and update it to COPY
. .). Ensure the build context actually contains the intended files and that no
parent-dir artifacts are required before committing the change.
| By("Checking clock class recovers to Locked (6)") | ||
| waitForClockClass(fullConfig, strconv.Itoa(int(fbprotocol.ClockClass6))) |
Verify both BC instances recover in dual-NIC modes.
waitForClockClass() succeeds as soon as any ptp4l metric reaches 6. In DualNICBoundaryClock*, Line 2099 can pass while the other config is still degraded. The new per-config helpers in test/pkg/ptptesthelper/ptptesthelper.go are a better fit here.
💡 Tighten the dual-NIC recovery check
- By("Checking clock class recovers to Locked (6)")
- waitForClockClass(fullConfig, strconv.Itoa(int(fbprotocol.ClockClass6)))
+ By("Checking clock class recovers to Locked (6)")
+ if fullConfig.PtpModeDiscovered == testconfig.DualNICBoundaryClock ||
+ fullConfig.PtpModeDiscovered == testconfig.DualNICBoundaryClockHA {
+ primaryNIC := ptptesthelper.DiscoverNICInfo(
+ *(*ptpv1.PtpConfig)(fullConfig.DiscoveredClockUnderTestPtpConfig),
+ slavePodNodeName,
+ "NIC-1",
+ )
+ secondaryNIC := ptptesthelper.DiscoverNICInfo(
+ *(*ptpv1.PtpConfig)(fullConfig.DiscoveredClockUnderTestSecondaryPtpConfig),
+ slavePodNodeName,
+ "NIC-2",
+ )
+ ptptesthelper.VerifyNICClockClass(fullConfig, primaryNIC, int(fbprotocol.ClockClass6))
+ ptptesthelper.VerifyNICClockClass(fullConfig, secondaryNIC, int(fbprotocol.ClockClass6))
+ } else {
+ waitForClockClass(fullConfig, strconv.Itoa(int(fbprotocol.ClockClass6)))
+ }
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| By("Checking clock class recovers to Locked (6)") | |
| waitForClockClass(fullConfig, strconv.Itoa(int(fbprotocol.ClockClass6))) | |
| By("Checking clock class recovers to Locked (6)") | |
| if fullConfig.PtpModeDiscovered == testconfig.DualNICBoundaryClock || | |
| fullConfig.PtpModeDiscovered == testconfig.DualNICBoundaryClockHA { | |
| primaryNIC := ptptesthelper.DiscoverNICInfo( | |
| *(*ptpv1.PtpConfig)(fullConfig.DiscoveredClockUnderTestPtpConfig), | |
| slavePodNodeName, | |
| "NIC-1", | |
| ) | |
| secondaryNIC := ptptesthelper.DiscoverNICInfo( | |
| *(*ptpv1.PtpConfig)(fullConfig.DiscoveredClockUnderTestSecondaryPtpConfig), | |
| slavePodNodeName, | |
| "NIC-2", | |
| ) | |
| ptptesthelper.VerifyNICClockClass(fullConfig, primaryNIC, int(fbprotocol.ClockClass6)) | |
| ptptesthelper.VerifyNICClockClass(fullConfig, secondaryNIC, int(fbprotocol.ClockClass6)) | |
| } else { | |
| waitForClockClass(fullConfig, strconv.Itoa(int(fbprotocol.ClockClass6))) | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@test/conformance/serial/ptp.go` around lines 2098 - 2099, The test uses
waitForClockClass which returns as soon as any ptp4l instance reaches 6,
allowing DualNICBoundaryClock* to pass while the other BC is still degraded;
replace the single waitForClockClass(fullConfig, ...) call with the per-config
helpers in test/pkg/ptptesthelper/ptptesthelper.go so you explicitly assert each
boundary-clock config recovers to ClockClass6 (i.e., call the ptptesthelper
check for each BC instance or loop over both configs), ensuring both NIC
instances reach fbprotocol.ClockClass6 rather than relying on a single global
success.
| func setupBCClockClassEvents(nodeName string) bcEventContext { | ||
| ctx := bcEventContext{} | ||
| if !event.Enable() { | ||
| return ctx | ||
| } | ||
| logrus.Info("Deploy consumer app for BC clock class event monitoring") | ||
| if createErr := event.CreateConsumerApp(nodeName); createErr != nil { | ||
| logrus.Warnf("PTP events not available: %s; skipping event checks", createErr) | ||
| return ctx | ||
| } | ||
| time.Sleep(10 * time.Second) | ||
| event.InitPubSub() | ||
| var eventCleanup func() | ||
| ctx.subs, eventCleanup = event.SubscribeToGMChangeEvents(100, true, 60*time.Second) | ||
| termMonitor, monErr := event.MonitorPodLogsRegex() | ||
| if monErr != nil { | ||
| logrus.Warnf("Could not start event monitoring: %s; skipping event checks", monErr) | ||
| } else { | ||
| ctx.available = true | ||
| } | ||
| DeferCleanup(func() { | ||
| if termMonitor != nil { | ||
| stopMonitor(termMonitor) | ||
| } | ||
| eventCleanup() | ||
| event.PubSub.Close() | ||
| if deleteErr := event.DeleteConsumerNamespace(); deleteErr != nil { | ||
| logrus.Debugf("Deleting consumer namespace failed: %s", deleteErr) | ||
| } | ||
| }) | ||
| return ctx | ||
| } | ||
|
|
||
| // verifyClockClassViaEvent drains the clock-class event channel and asserts the | ||
| // expected value. No-op when events are not available. | ||
| func verifyClockClassViaEvent(evCtx bcEventContext, expectedClass int) { | ||
| if !evCtx.available { | ||
| return | ||
| } | ||
| events := getGMEvents(evCtx.subs.GNSS, evCtx.subs.CLOCKCLASS, evCtx.subs.LOCKSTATE, 10*time.Second) | ||
| verifyMetric(events[ptpEvent.PtpClockClassChange], float64(expectedClass)) | ||
| } |
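Review bot: `time.Sleep(10 * time.Second)` after `event.CreateConsumerApp(nodeName)` in `setupBCClockClassEvents` is a fixed wait, so the test is slow when the consumer is ready early and flaky when it is not; poll for consumer readiness with a bounded timeout instead. In the `DeferCleanup` closure, `eventCleanup()` is called unconditionally while `termMonitor` is nil-checked, so give `eventCleanup` the same nil guard in case `SubscribeToGMChangeEvents` returns no cleanup func.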
The event helper can report readiness too early and lose relevant clock-class changes.
MonitorPodLogsRegex() in test/pkg/event/event.go:460-510 currently always returns nil, so Line 3592 marks events as available even when log streaming never actually starts. On top of that, verifyClockClassViaEvent() only checks the last PtpClockClassChange kept by getGMEvents(). During the dual-NIC swap path, both 248 and 6 can be emitted in the same window, so the assertion becomes arrival-order dependent.
/retest-required
9527173 to ef75480
PR needs rebase.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@jzding: The following tests failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Upstream PRs included