OCPCLOUD-3346: tls: use centralized TLS #1456

Open
RadekManak wants to merge 15 commits into openshift:main from RadekManak:feature-centralized-tsl-endpoints
@RadekManak RadekManak commented Jan 26, 2026

  • Serve machine-api-operator metrics directly over HTTPS (:8443) using controller-runtime’s metrics server with delegated authn/authz (WithAuthenticationAndAuthorization), and remove the MAO kube-rbac-proxy sidecar.
  • Add TLS profile awareness for MAO metrics:
    • read APIServer/cluster TLS profile on startup,
    • configure min TLS/ciphers from that profile,
    • watch for TLS profile changes and trigger shutdown so the pod restarts with updated TLS settings.
  • Propagate the same TLS profile to controller kube-rbac-proxy sidecars (machine, machineset, mhc) by generating --tls-min-version and profile-derived --tls-cipher-suites args.
  • Update manifests accordingly:
    • deployment ports/volume mounts/env (METRICS_PORT=8443) for direct secure serving,
    • RBAC to watch config.openshift.io/apiservers.
  • Include supporting dependency/vendor updates and minor follow-ups:
    • dependency bumps (controller-runtime, openshift/api, openshift/client-go, etc.),
    • go-build.sh root-dir handling fix,
    • lint/import cleanup (pkg/webhooks/machine_webhook.go, context import updates).

Notes

  • Provider/controller metrics remain behind kube-rbac-proxy and continue using the existing namespace/metrics authorization model.
  • MAO direct /metrics auth uses delegated token/SAR checks; scraper access relies on existing cluster-monitoring prometheus-k8s cluster RBAC.
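
The profile-to-flag propagation described above can be sketched as follows. This is an added example, not code from this PR: `ProxyTLSArgs`, the partial OpenSSL-to-IANA table and the sample profile are assumptions made for illustration; only the `--tls-min-version` and `--tls-cipher-suites` flag names come from the description. It reports profile ciphers that Go's `crypto/tls` cannot serve instead of dropping them silently, and fails closed when none remain.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// opensslToIANA is a constructed, partial table: TLS profiles list ciphers by
// OpenSSL name, while Go and the proxy flags use IANA names.
var opensslToIANA = map[string]string{
	"TLS_AES_128_GCM_SHA256":        "TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384":        "TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256":  "TLS_CHACHA20_POLY1305_SHA256",
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// minVersions lists the spellings this example accepts for the minimum version.
var minVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// usableAt reports whether the suite can be negotiated at or above floor.
func usableAt(cs *tls.CipherSuite, floor uint16) bool {
	for _, v := range cs.SupportedVersions {
		if v >= floor {
			return true
		}
	}
	return false
}

// ProxyTLSArgs (hypothetical helper) turns a profile's minimum version and
// OpenSSL-named ciphers into proxy arguments. Ciphers that are unknown to the
// table, not implemented as secure suites by Go, or unusable at the requested
// minimum version are returned in unsupported so the caller can log them.
func ProxyTLSArgs(minVersion string, profileCiphers []string) (args, unsupported []string, err error) {
	floor, ok := minVersions[minVersion]
	if !ok {
		return nil, nil, fmt.Errorf("unknown minimum TLS version %q", minVersion)
	}

	// Index the secure suites this Go runtime implements by IANA name.
	secure := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs
	}

	var names []string
	for _, c := range profileCiphers {
		cs, found := secure[opensslToIANA[c]]
		if !found || !usableAt(cs, floor) {
			unsupported = append(unsupported, c)
			continue
		}
		names = append(names, cs.Name)
	}

	// Fail closed: an empty list would let the proxy fall back to its own
	// defaults rather than the cluster profile.
	if len(names) == 0 {
		return nil, unsupported, fmt.Errorf("no usable cipher suite left for %s", minVersion)
	}

	args = []string{
		"--tls-min-version=" + minVersion,
		"--tls-cipher-suites=" + strings.Join(names, ","),
	}
	return args, unsupported, nil
}

func main() {
	// Constructed sample profile: includes one DHE suite, which Go does not implement.
	profile := []string{
		"TLS_AES_128_GCM_SHA256",
		"ECDHE-RSA-AES128-GCM-SHA256",
		"DHE-RSA-AES128-GCM-SHA256",
	}
	args, unsupported, err := ProxyTLSArgs("VersionTLS12", profile)
	fmt.Println("args:", args)
	fmt.Println("unsupported:", unsupported)
	fmt.Println("err:", err)
}
```

Go does not let a server choose its TLS 1.3 cipher suites, so the TLS 1.3 names in the generated list are informational for any Go-based listener.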

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 26, 2026
openshift-ci-robot commented Jan 26, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

  • Replace the MAO metrics kube‑rbac‑proxy sidecar with direct HTTPS in the operator binary, using the serving cert mounted from the MAO secret.
  • Watch the APIServer TLS profile and trigger a controlled shutdown so MAO restarts and picks up TLS changes.
  • Propagate the APIServer TLS profile into machine-api-controllers kube‑rbac‑proxy args (cipher suites + min TLS), with unit coverage.

Details

  • Direct MAO metrics TLS
    • MAO now listens on :8443 and serves /metrics via ListenAndServeTLS using /etc/tls/private/tls.crt|tls.key.
    • The deployment drops the kube‑rbac‑proxy sidecar, mounts the serving cert into /etc/tls/private, and exposes port 8443.
    • RBAC is updated to allow reading apiservers for TLS profile fetch.
  • TLS profile reload
    • MAO fetches the APIServer TLS profile at startup and builds a tls.Config.
    • A config informer watches APIServer updates and triggers shutdown on profile changes.
  • Centralized proxy TLS for controllers
    • OperatorConfig now carries the TLS profile.
    • machine-api-controllers kube‑rbac‑proxy args are generated from the profile (--tls-cipher-suites, --tls-min-version).
    • Tests updated to include APIServer presence and TLS profile expectations; a focused test validates proxy TLS args.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@RadekManak

/assign @damdo

@damdo damdo left a comment

Thanks! Looks good, a couple of minor points.

var tlsProfile *osconfigv1.TLSProfileSpec
apiServer, err := optr.osClient.ConfigV1().APIServers().Get(context.Background(), "cluster", metav1.GetOptions{})
if err != nil {
klog.Warningf("Failed to fetch APIServer, using default TLS profile: %v", err)
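
Review bot: in the err != nil branch, every failure of the APIServers().Get call, including a transient API error, is downgraded to a warning and the code carries on with the default TLS profile, so the endpoint can come up with settings that differ from the profile configured on the cluster without anything failing. Consider returning the error here and falling back to the default only when the APIServer object is genuinely absent. The call also passes context.Background(), so it has no deadline; passing the caller's context would bound it.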

Shouldn't we return here?
What would happen otherwise?

@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 4e665c0 to 24eed11 Compare February 18, 2026 14:55
openshift-ci-robot commented Feb 18, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 24eed11 to 6b35a05 Compare February 18, 2026 15:25
@damdo damdo left a comment

Thanks for this Radek!
I left a bunch of comments but it mostly looks good! TY

damdo commented Feb 25, 2026

/retest

@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 9b911a2 to fe1ce87 Compare February 27, 2026 10:25
coderabbitai bot commented Feb 27, 2026

Walkthrough

Replaces HTTP /metrics with a controller-runtime TLS metrics server, adds cluster TLS-profile resolution and CLI overrides, propagates TLS args into controllers/webhooks, removes kube-rbac-proxy sidecar, adds APIServer TLS-profile watcher triggering graceful shutdown on changes, and migrates event-recording APIs and tests to use events.EventRecorder.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Metrics & startup | cmd/machine-api-operator/start.go | Switch metrics exposure from plain HTTP to a controller-runtime TLS metrics server on port 8443; register machine metrics in ctrlmetrics.Registry; construct server with authn/authz filters and TLS options; wire lifecycle to leader election stop channel; add APIServer TLS-profile watcher that triggers centralized shutdown on profile/adherence changes. |
| Deployment & RBAC | install/0000_30_machine-api-operator_11_deployment.yaml, install/0000_30_machine-api-operator_09_rbac.yaml | Remove kube-rbac-proxy sidecar, expose https port 8443 and set METRICS_PORT=8443, mount TLS secret at /etc/tls/private; add apiservers to Role/ClusterRole for config.openshift.io. |
| TLS utility & wiring | pkg/tls/tls.go, cmd/machineset/main.go | Add TLS resolution utility returning a TLS mutator plus profile/adherence metadata; add CLI flags --tls-min-version and --tls-cipher-suites, parse/validate flags with pflag, and inject resolved TLS into webhook server TLS options. |
| Operator config & platform plumbing | pkg/operator/config.go, pkg/operator/operator.go | Add TLSProfile and TLSAdherencePolicy to OperatorConfig; fetch cluster-scoped APIServer and derive/populate TLS profile/adherence in maoConfigFromInfrastructure with error paths on failures. |
| TLS arg propagation in pod templates | pkg/operator/sync.go | Introduce getTLSArgs/resolveTLSProfile, compute TLS args from resolved profile and adherence policy, thread tlsArgs into newPodTemplateSpec, newContainers, newKubeProxyContainers, and kube-proxy/kube-rbac-proxy argument assembly. |
| New/updated tests (TLS + sync) | pkg/operator/operator_test.go, pkg/operator/sync_test.go | Add APIServer to operator tests and assert TLSProfile population; add extensive tests for TLS arg generation, container args/ports/volume mounts, and resolveTLSProfile behavior across adherence policies and platforms. |
| Event recorder migration (controllers) | pkg/controller/.../*.go: pkg/controller/machine/controller.go, pkg/controller/machine/drain_controller.go, pkg/controller/machineset/controller.go, pkg/controller/machinehealthcheck/..., pkg/controller/vsphere/... | Migrate from record.EventRecorder to events.EventRecorder, change recorder acquisition to mgr.GetEventRecorder(...), update recorder field types and adapt all Eventf call signatures to include the new nil parameter and explicit reason/action strings. |
| Event recorder tests & adapters | pkg/controller/.../*_test.go | Update tests to wrap fake recorders with record.NewEventRecorderAdapter or switch to events.NewFakeRecorder(...); adjust helpers and assertions to match new recorder API and event reason/message expectations. |
| Webhooks & small cleanups | pkg/webhooks/machine_webhook.go, cmd/vsphere/main.go | Replace k8s.io/utils/strings/slices with Go stdlib slices; change some GetEventRecorderFor calls to GetEventRecorder. |
| Build, deps & docs | go.mod, hack/go-build.sh, AGENTS.md | Bump ginkgo/gomega, OpenShift/Kubernetes modules and various golang.org/x deps; guard cd in hack/go-build.sh; update AGENTS.md test invocation to use make unit. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 19.05% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | New test functions TestNewKubeProxyContainers and TestNewContainersTLSArgs contain approximately 18-20 assertions lacking meaningful failure messages, reducing test debuggability despite some assertions having messages demonstrating developers understood the pattern. | Add meaningful failure messages to all assertions without them, using test case names and container names for context, ensuring consistency across both new test functions. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'OCPCLOUD-3346: tls: use centralized TLS' accurately summarizes the main change: implementing centralized TLS configuration for the machine-api-operator instead of using individual kube-rbac-proxy sidecars. |
| Stable And Deterministic Test Names | ✅ Passed | All test names in modified files are static and deterministic with no dynamic values, random suffixes, UUIDs, timestamps, or variable concatenation. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions



openshift-ci-robot commented Feb 27, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

Release Notes

  • New Features
    • Metrics are now exposed securely on port 8443 with TLS instead of HTTP, improving security.
    • Added dynamic TLS profile watching that automatically reloads configuration when cluster TLS settings change.
  • Chores
    • Simplified deployment by removing the kube-rbac-proxy container.
    • Updated RBAC permissions to support new TLS profile retrieval.
    • Upgraded dependencies for improved Kubernetes and OpenShift compatibility.

RadekManak commented Feb 27, 2026

/hold This will crash baremetal until the PR merges.
openshift/cluster-api-provider-baremetal#248

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 27, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/machine-api-operator/start.go`:
- Around line 247-251: The current goroutine fatals on any metricsServer.Start
error; change it to only treat context.Canceled as a non-fatal shutdown and exit
gracefully, while still fataling for other unexpected errors. Locate the
anonymous goroutine that calls metricsServer.Start(metricsServerCtx) and update
its error handling to check for errors.Is(err, context.Canceled) (allowing a
clean shutdown/log and not calling klog.Fatalf) and call klog.Fatalf only for
other error values; do not special-case http.ErrServerClosed because
metricsServer.Start already filters that.

In `@cmd/machineset/main.go`:
- Line 177: The call to utiltls.NewTLSConfigFromProfile is ignoring its error
(tlsOpts, _ := utiltls.NewTLSConfigFromProfile(tlsProfile)); change this to
capture and handle the error (e.g., tlsOpts, err :=
utiltls.NewTLSConfigFromProfile(tlsProfile)) and if err != nil log the error via
the existing logger or fmt and exit/return a non-zero status so the webhook
server does not start with invalid TLS settings; update the initialization path
in main (where tlsProfile and tlsOpts are used) to propagate or handle the error
appropriately.

In `@pkg/operator/sync.go`:
- Around line 865-875: In getTLSArgs, capture the second return value from
utiltls.NewTLSConfigFromProfile (the unsupportedCiphers slice) instead of
discarding it, and emit a log containing those unsupported cipher names so
profile-to-flag translation mismatches are visible; specifically, change the
call to utiltls.NewTLSConfigFromProfile to receive (tlsConfigFn,
unsupportedCiphers), and then log unsupportedCiphers (mirroring the pattern used
in cmd/machine-api-operator/start.go) before continuing to build the tlsArgs.

📥 Commits

Reviewing files that changed from the base of the PR and between 8846555 and fe1ce87.

⛔ Files ignored due to path filters (287)
  • vendor/golang.org/x/net/context/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/net/websocket/hybi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sync/errgroup/errgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/cpu/cpu_x86.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/diagnostic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/appends/appends.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/asmdecl/asmdecl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/assign/assign.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/atomic/atomic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/atomicalign/atomicalign.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/bools/bools.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/buildssa/buildssa.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/buildtag/buildtag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/cgocall/cgocall.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/copylock/copylock.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/ctrlflow/ctrlflow.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/deepequalerrors/deepequalerrors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/defers/defers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/directive/directive.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/errorsas/errorsas.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/fieldalignment/fieldalignment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/framepointer/framepointer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/httpresponse/httpresponse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/ifaceassert/ifaceassert.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/inspect/inspect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/internal/analysisutil/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/loopclosure/loopclosure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/lostcancel/lostcancel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/nilfunc/nilfunc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/nilness/nilness.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/pkgfact/pkgfact.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/printf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/printf/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/reflectvaluecompare/reflectvaluecompare.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/shadow/shadow.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/shift/shift.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/sigchanyzer/sigchanyzer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/slog/slog.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/sortslice/analyzer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/stdmethods/stdmethods.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/stdversion/stdversion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/stringintconv/string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/structtag/structtag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/testinggoroutine.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/testinggoroutine/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/tests/tests.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/timeformat/timeformat.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unmarshal/unmarshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unreachable/unreachable.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unsafeptr/unsafeptr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unusedresult/unusedresult.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/unusedwrite/unusedwrite.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/analysis/passes/waitgroup/waitgroup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/astutil/imports.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/buildutil/allpackages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/buildutil/tags.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/cfg/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/cfg/cfg.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/golist.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/packages/visit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/builder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/create.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/emit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/func.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/instantiate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/ssa.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/ssautil/visit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/subst.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/ssa/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/callee.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/imports/forward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/extractdoc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/readfile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysis/typeindex/typeindex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/analysisinternal/analysis.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/comment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/equal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/stringlit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/astutil/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/core/export.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/imports/fix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/imports/sortimports.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/lookup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/modindex/symbols.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/moreiters/iters.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/packagepath/packagepath.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/delete.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/edit.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/imports.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/refactor/refactor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/stdlib.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/classify_call.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/fx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/isnamed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/typeindex/typeindex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • cmd/machine-api-operator/start.go
  • cmd/machineset/main.go
  • go.mod
  • hack/go-build.sh
  • install/0000_30_machine-api-operator_09_rbac.yaml
  • install/0000_30_machine-api-operator_11_deployment.yaml
  • pkg/controller/machine/machine_controller_test.go
  • pkg/operator/config.go
  • pkg/operator/operator.go
  • pkg/operator/operator_test.go
  • pkg/operator/sync.go
  • pkg/operator/sync_test.go
  • pkg/webhooks/machine_webhook.go

@openshift-ci-robot
Contributor

openshift-ci-robot commented Feb 27, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

  • Serve machine-api-operator metrics directly over HTTPS (:8443) using controller-runtime’s metrics server with delegated authn/authz (WithAuthenticationAndAuthorization), and remove the MAO kube-rbac-proxy sidecar.
  • Add TLS profile awareness for MAO metrics:
    • read APIServer/cluster TLS profile on startup,
    • configure min TLS/ciphers from that profile,
    • watch for TLS profile changes and trigger shutdown so the pod restarts with updated TLS settings.
  • Propagate the same TLS profile to controller kube-rbac-proxy sidecars (machine, machineset, mhc) by generating --tls-min-version and profile-derived --tls-cipher-suites args.
  • Update manifests accordingly:
    • deployment ports/volume mounts/env (METRICS_PORT=8443) for direct secure serving,
    • RBAC to watch config.openshift.io/apiservers.
  • Include supporting dependency/vendor updates and minor follow-ups:
    • dependency bumps (controller-runtime, openshift/api, openshift/client-go, etc.),
    • go-build.sh root-dir handling fix,
    • lint/import cleanup (pkg/webhooks/machine_webhook.go, context import updates).

Notes

  • Provider/controller metrics remain behind kube-rbac-proxy and continue using the existing namespace/metrics authorization model.
  • MAO direct /metrics auth uses delegated token/SAR checks; scraper access relies on existing cluster-monitoring prometheus-k8s cluster RBAC.

Summary by CodeRabbit

  • New Features
    • Metrics now served securely over TLS on port 8443 with certificate mounting.
    • Operator watches cluster TLS profile and gracefully reloads to apply changes.
    • Webhook server gains configurable TLS cipher suites and minimum TLS version.
  • Chores
    • Removed sidecar proxy from deployment; simplified container layout and mounts.
    • RBAC expanded to allow reading cluster TLS profile.
    • Dependency upgrades and build script robustness improvements.
  • Tests
    • Enhanced tests to cover TLS argument generation and webhook/controller TLS behavior.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/machine-api-operator/start.go`:
- Around line 299-316: The code must avoid converting a shutdown-triggered cache
sync failure into a hard crash: in the initMachineAPIInformers() path where
cache.WaitForCacheSync(...) is currently followed by klog.Fatal on false, change
the logic to detect a shutdown caused by
setupTLSProfileWatcher/handleTLSProfileEvent calling shutdown() (i.e., the stop
channel being closed or context cancelled) and return an error or nil to allow
graceful restart instead of calling klog.Fatal; update initMachineAPIInformers()
to check the stop channel or context before deciding to fatal, and ensure
setupTLSProfileWatcher/handleTLSProfileEvent continue to call shutdown() as
before.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between fe1ce87 and 1659685.

📒 Files selected for processing (2)
  • cmd/machine-api-operator/start.go
  • cmd/machineset/main.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • cmd/machineset/main.go

Comment on lines +299 to +316
func setupTLSProfileWatcher(ctx *ControllerContext, shutdown func()) error {
configClient := ctx.ClientBuilder.OpenshiftClientOrDie("tls-profile-watcher")
initialProfile, err := fetchAPIServerTLSProfileSpec(context.Background(), configClient)
if err != nil {
return err
}
klog.Fatal(server.ListenAndServe())

apiServerInformer := ctx.ConfigInformerFactory.Config().V1().APIServers().Informer()
_, err = apiServerInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(obj interface{}) {
handleTLSProfileEvent(obj, &initialProfile, shutdown)
},
UpdateFunc: func(_, newObj interface{}) {
handleTLSProfileEvent(newObj, &initialProfile, shutdown)
},
DeleteFunc: func(obj interface{}) {
handleTLSProfileEvent(obj, &initialProfile, shutdown)
},
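
Review bot: In setupTLSProfileWatcher the initial read calls fetchAPIServerTLSProfileSpec(context.Background(), configClient), which carries no deadline and is not tied to the operator's stop signal, so a slow or unreachable API server at startup can hold the operator here; pass a context with a timeout or one that is cancelled on shutdown. Separately, DeleteFunc forwards obj straight to handleTLSProfileEvent, and an informer delete can deliver a cache.DeletedFinalStateUnknown tombstone instead of the APIServer object, so the handler should unwrap or ignore that case rather than assume the concrete type.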

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify control flow: read the key sections mentioned in the review
echo "=== Section 1: Lines 96-140 (startup context) ==="
sed -n '96,140p' cmd/machine-api-operator/start.go

echo -e "\n=== Section 2: Lines 143-153 (cache sync with fatal) ==="
sed -n '143,153p' cmd/machine-api-operator/start.go

echo -e "\n=== Section 3: Lines 299-370 (setupTLSProfileWatcher) ==="
sed -n '299,370p' cmd/machine-api-operator/start.go

Repository: openshift/machine-api-operator

Length of output: 4655


Prevent fatal crash when TLS watcher triggers shutdown before cache sync completes.

shutdown() can be called from APIServer events after the TLS watcher is registered but before initMachineAPIInformers() cache sync finishes. This closes stopCh, causing cache.WaitForCacheSync() to return false, which unconditionally triggers klog.Fatal() at line 150—converting an intended graceful restart into a hard crash.

Suggested hardening
func initMachineAPIInformers(ctx *ControllerContext) {
	mInformer := ctx.MachineInformerFactory.Machine().V1beta1().Machines().Informer()
	msInformer := ctx.MachineInformerFactory.Machine().V1beta1().MachineSets().Informer()
	ctx.MachineInformerFactory.Start(ctx.Stop)
	if !cache.WaitForCacheSync(ctx.Stop,
		mInformer.HasSynced,
		msInformer.HasSynced) {
+		select {
+		case <-ctx.Stop:
+			klog.V(2).Info("Skipping Machine API informer sync due to shutdown")
+			return
+		default:
+			klog.Fatal("Failed to sync caches for Machine api informers")
+		}
	}
	klog.Info("Synced up machine api informer caches")
}
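
Review bot: The early return on <-ctx.Stop gives initMachineAPIInformers no way to tell its caller that the caches never synced: the function has no return value, so whatever runs after it proceeds as if the informers were ready. Return an error or bool (or have the caller re-check ctx.Stop) so startup stops cleanly on this path instead of continuing against unsynced caches.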

@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 1659685 to 8048f70 Compare March 20, 2026 15:59
@openshift-ci-robot
Contributor

openshift-ci-robot commented Mar 20, 2026

@RadekManak: This pull request references OCPCLOUD-3346 which is a valid jira issue.

Remove the kube-rbac-proxy sidecar, mount the serving cert, and
restart the operator on APIServer TLS profile changes.
Capture the APIServer TLS profile in operator config and use it to
configure kube-rbac-proxy TLS args, with unit coverage.
Add unit tests to verify TLS configuration handling in
newKubeProxyContainer, including tests for TLS 1.2 with cipher suites
and TLS 1.3 without cipher suites.
Move TLS configuration computation from per-container to once per batch
in newKubeProxyContainers. This avoids redundant processing when creating
multiple kube-rbac-proxy containers with the same TLS profile.
Introduce command-line flags for TLS cipher suites and minimum version in the machineset controller. Update the container creation logic to utilize these TLS settings.
This ensures Metal3 remediation webhooks use the configured TLS profile while keeping other controllers unchanged.
Mirror machine-api-operator logging so ignored ciphers are visible during startup.
Only apply cluster TLS profile arguments when adherence requires it, and restart on either TLS profile or adherence-policy changes.
@RadekManak RadekManak force-pushed the feature-centralized-tsl-endpoints branch from 8048f70 to 28078b4 Compare March 27, 2026 15:09
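
The profile-to-flag translation these commits describe (TLS 1.2 with cipher suites, TLS 1.3 without, ignored ciphers reported), as an added example that is not code from this PR. Profile, opensslToIANA, versionIDs and ProxyTLSArgs are hypothetical names, the name table is a constructed subset, and failing when no cipher survives is this example's own choice.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Profile is a hypothetical, trimmed-down stand-in for a cluster TLS profile:
// a minimum version name plus OpenSSL-style cipher names.
type Profile struct {
	MinTLSVersion string
	Ciphers       []string
}

// opensslToIANA is a constructed subset of the OpenSSL -> IANA name mapping,
// just enough for the sample profiles used here.
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// versionIDs maps the version names accepted by --tls-min-version to the
// crypto/tls constants so they can be compared.
var versionIDs = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// ProxyTLSArgs builds the kube-rbac-proxy TLS flags for a profile and returns
// the profile ciphers it had to drop, so the caller can log them at startup.
func ProxyTLSArgs(p Profile) (args, ignored []string, err error) {
	minVer, ok := versionIDs[p.MinTLSVersion]
	if !ok {
		return nil, nil, fmt.Errorf("unknown minimum TLS version %q", p.MinTLSVersion)
	}
	args = []string{"--tls-min-version=" + p.MinTLSVersion}

	// Go does not let a server choose TLS 1.3 suites, so a TLS 1.3-only
	// profile gets no cipher flag at all.
	if minVer >= tls.VersionTLS13 {
		return args, nil, nil
	}

	// Suites Go implements, treats as secure, and allows configuring (pre-1.3).
	configurable := map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v < tls.VersionTLS13 {
				configurable[cs.Name] = true
			}
		}
	}

	var suites []string
	for _, c := range p.Ciphers {
		name, mapped := opensslToIANA[c]
		if !mapped {
			name = c // may already be an IANA name
		}
		if configurable[name] {
			suites = append(suites, name)
		} else {
			ignored = append(ignored, c)
		}
	}

	// An empty list would silently fall back to the proxy's defaults, which
	// may be weaker than the profile intends; fail instead (example's choice).
	if len(suites) == 0 {
		return nil, ignored, fmt.Errorf("profile has no cipher usable below TLS 1.3")
	}
	return append(args, "--tls-cipher-suites="+strings.Join(suites, ",")), ignored, nil
}

func main() {
	// Constructed sample profile: one TLS 1.3 suite, one supported TLS 1.2
	// suite, and one DHE suite that Go's crypto/tls does not implement.
	p := Profile{
		MinTLSVersion: "VersionTLS12",
		Ciphers: []string{
			"TLS_AES_128_GCM_SHA256",
			"ECDHE-RSA-AES128-GCM-SHA256",
			"DHE-RSA-AES128-GCM-SHA256",
		},
	}
	args, ignored, err := ProxyTLSArgs(p)
	fmt.Println(args, ignored, err)
}
```
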
@RadekManak
Contributor Author

@coderabbitai full review

@coderabbitai

coderabbitai bot commented Mar 27, 2026

✅ Actions performed

Full review triggered.

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cmd/machine-api-operator/start.go (1)

149-153: ⚠️ Potential issue | 🟡 Minor

Consider graceful handling when shutdown occurs during cache sync.

If the TLS profile watcher triggers shutdown while WaitForCacheSync is in progress, it will return false and cause a Fatal exit rather than a graceful restart. This is a narrow timing window but could cause unexpected crashes during startup.

♻️ Suggested adjustment
 	if !cache.WaitForCacheSync(ctx.Stop,
 		mInformer.HasSynced,
 		msInformer.HasSynced) {
+		select {
+		case <-ctx.Stop:
+			klog.Info("Cache sync interrupted by shutdown, exiting gracefully")
+			return
+		default:
+		}
 		klog.Fatal("Failed to sync caches for Machine api informers")
 	}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@cmd/machine-api-operator/start.go` around lines 149 - 153, WaitForCacheSync
can return false because ctx.Stop was closed during shutdown; instead of
unconditionally calling klog.Fatal, check whether the context was cancelled and
handle that gracefully. Modify the block around cache.WaitForCacheSync to detect
cancellation (inspect ctx.Done()/ctx.Err()) when it returns false: if the
context is cancelled, log an informational message and return/exit cleanly (no
klog.Fatal), otherwise keep the klog.Fatal for real sync failures; reference
cache.WaitForCacheSync, ctx.Stop (or ctx.Done/ctx.Err), mInformer.HasSynced,
msInformer.HasSynced, and klog.Fatal when making this change.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between b8fd345 and 28078b4.

⛔ Files ignored due to path filters (274)
📒 Files selected for processing (26)
  • AGENTS.md
  • cmd/machine-api-operator/start.go
  • cmd/machineset/main.go
  • cmd/vsphere/main.go
  • go.mod
  • hack/go-build.sh
  • install/0000_30_machine-api-operator_09_rbac.yaml
  • install/0000_30_machine-api-operator_11_deployment.yaml
  • pkg/controller/machine/controller.go
  • pkg/controller/machine/drain_controller.go
  • pkg/controller/machine/drain_controller_test.go
  • pkg/controller/machinehealthcheck/machinehealthcheck_controller.go
  • pkg/controller/machinehealthcheck/machinehealthcheck_controller_test.go
  • pkg/controller/machineset/controller.go
  • pkg/controller/machineset/controller_test.go
  • pkg/controller/vsphere/actuator.go
  • pkg/controller/vsphere/actuator_test.go
  • pkg/controller/vsphere/machineset/controller.go
  • pkg/controller/vsphere/machineset/controller_test.go
  • pkg/operator/config.go
  • pkg/operator/operator.go
  • pkg/operator/operator_test.go
  • pkg/operator/sync.go
  • pkg/operator/sync_test.go
  • pkg/tls/tls.go
  • pkg/webhooks/machine_webhook.go

@damdo damdo left a comment


Thanks Radek!
A couple of Q. but

/approve

Comment on lines +96 to +97
pflag.StringVar(&tlsMinVersionFlag, "tls-min-version", "", "Minimum TLS version supported. When set with --tls-cipher-suites, overrides the cluster-wide TLS profile. Possible values: "+strings.Join(cliflag.TLSPossibleVersions(), ", "))
pflag.StringSliceVar(&tlsCipherSuitesFlag, "tls-cipher-suites", nil, "Comma-separated list of cipher suites for the server. When set with --tls-min-version, overrides the cluster-wide TLS profile. Possible values: "+strings.Join(cliflag.TLSCipherPossibleValues(), ", "))
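Review bot: both help strings say the override applies "When set with" the other flag, but neither says what happens when only one of --tls-min-version or --tls-cipher-suites is given. Suggest stating that case in the help text (ignored, or rejected at startup) so a half-set override is not mistaken for an active one. Because these flags override the cluster-wide TLS profile, it is also worth logging at startup whenever the override is in effect.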

Do we need pflag? I'd prefer it if we used flag where possible.

const (
// defaultMetricsPort is the default port to expose metrics.
defaultMetricsPort = 8080
defaultMetricsPort = 8443
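Review bot: the comment on defaultMetricsPort still reads only "the default port to expose metrics" while the value goes from 8080 to 8443. The PR description says metrics are now served directly over HTTPS on 8443, so suggest saying in the comment that this is the secure (TLS) metrics port, which makes the scheme change visible to anyone overriding the port.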

Is the external port changing? Or is this the original external port that the proxy had?

klog.Fatalf("Unable to resolve TLS configuration: %v", err)
}
if err := setupTLSProfileWatcher(ctrlCtx, tlsResult, shutdown); err != nil {
klog.Fatalf("Unable to set up TLS profile watcher: %v", err)
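Review bot: klog.Fatalf on the setupTLSProfileWatcher error exits the process immediately, so deferred cleanup does not run, even though shutdown is already in scope and is passed to the watcher on the line above. Consider reporting the error and going through that shutdown path instead, or add a short comment explaining why an immediate exit is intended at this point in startup.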

Is the fatal error consistent with what we do in c-r?

openshift-ci bot commented Mar 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 27, 2026

damdo commented Mar 28, 2026

/retest


openshift-ci bot commented Mar 28, 2026

@RadekManak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-metal-ipi | 28078b4 | link | true | /test e2e-metal-ipi |
| ci/prow/e2e-metal-ipi-ovn-ipv6 | 28078b4 | link | true | /test e2e-metal-ipi-ovn-ipv6 |
| ci/prow/e2e-aws-operator | 28078b4 | link | true | /test e2e-aws-operator |

Full PR test history. Your PR dashboard.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

3 participants