OCPCLOUD-3276,OCPBUGS-76344,OCPBUGS-69888,OCPBUGS-78289: Merge https://github.com/kubernetes/cloud-provider-aws:master (ea961d6) into main by damdo · Pull Request #131 · openshift/cloud-provider-aws

damdo · 2026-03-11T11:28:17Z

Summary by CodeRabbit

New Features
- Added support for dual-stack public ECR hosts (ecr-public.aws.com).
- Implemented Load Balancer Type annotation immutability validation to prevent unintended type changes.
- Improved test node discovery to skip unschedulable nodes.
Chores
- Upgraded to Go 1.25 and updated all base images accordingly.
- Updated AWS SDK, Kubernetes, and testing framework dependencies to latest versions.

1.35.0 release

Adds validation to prevent users from changing the Load Balancer type annotation (service.beta.kubernetes.io/aws-load-balancer-type) after the load balancer has been created. This prevents undefined behavior and potential service disruptions. The validation detects the current load balancer type by analyzing the hostname pattern in the service's LoadBalancer status: - Classic Load Balancer: hostname ends with ".elb.amazonaws.com" - Network Load Balancer: hostname ends with ".elb.<region>.amazonaws.com" If a mismatch is detected between the annotation and the existing load balancer type, the controller returns a validation error preventing the update. Relatest to Issue 1254 Signed-off-by: Claude (AI Assistant) <noreply@anthropic.com> Co-Authored-By: Marco Braga <mrbraga@redhat.com>

fix: lb leak preventing changes in Load Balancer type annotation after creation

The previous solution for processing the work queue sleeps after processing every work item, which isn't ideal for responsive tests, and it was resulting in flakes. Instead, process work as fast as possible, and only sleep when the queue is empty. Note: analysis of the failing logs and the possible fix was assisted by an "AI" agent. Signed-off-by: Nolan Brubaker <nolan@nbrubaker.com> Co-Authored-By: Claude Code <noreply@anthropic.com>

Only wait for delayed test queue entries if there is no work

Update the version of ecr dependency to fix the ipv6 endpoints

feat(ecr-cred-provider): support public dualstack endpoints

Skip unsupported or unscheduled worker nodes when discovering candidates for load balancer scenarios. Some tests, such as hairpin traffic, discover worker nodes using the node-role.kubernetes.io label. If a discovered node has NoSchedule or NoExecute taints, the test fails because the workload is implemented generically and does not define specific tolerations. Filtering these nodes during discovery ensures the test selects a candidate capable of hosting the workload without requiring changes to the test's pod specification.

The otel SDK bump to v1.40.0 fixes the CVE GO-2026-4394 that was causing the govulncheck to fail. Otel packages bumped from v1.36.0 → v1.40.0: - go.opentelemetry.io/otel - go.opentelemetry.io/otel/metric - go.opentelemetry.io/otel/sdk (this fixes GO-2026-4394) - go.opentelemetry.io/otel/trace - go.opentelemetry.io/auto/sdk (v1.1.0 → v1.2.1) Transitive dependency also updated: - golang.org/x/sys (v0.38.0 → v0.40.0)

e2e/loadbalancer: fix e2e by skipping unscheduled nodes on discovery

openshift-ci-robot · 2026-03-11T11:28:28Z

@damdo: This pull request references OCPCLOUD-3276 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

This pull request references Jira Issue OCPBUGS-76344, which is invalid:

expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-69888, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @miyadav

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-03-11T11:28:38Z

Walkthrough

Bumps Go/tooling versions to 1.25.x across build files and dependencies; adds dual-host support for public ECR; refines tagging controller queue drain logic; enforces immutability of LoadBalancer Type annotation via ingress hostname checks; restructures OpenShift tests extension module and removes its build artifacts.

Changes

Cohort / File(s)	Summary
Build / Go toolchain `\.ko.yaml`, `Dockerfile`, `cloudbuild.yaml`, `Dockerfile.openshift`, `\.ci-operator.yaml`, `Makefile`	Bumps Go and base image tags from 1.24.x → 1.25.x; updates Makefile Go directive and adds `KOPS_DISCOVERY_STORE` env to e2e targets; removes tests-extension builder stage from OpenShift Dockerfile; CI build_root_image tag updated.
Dependency upgrades `go.mod`, `tests/aws-cloud-controller-manager-tests-ext/go.mod`	Updates module Go version to 1.25.0 and upgrades many deps: AWS SDK v2 services, Kubernetes modules to v0.35.x, testing libs (ginkgo/gomega/testify), OpenTelemetry/Prometheus, and numerous indirects. Module path renamed for tests module.
ECR credential provider `cmd/ecr-credential-provider/main.go`, `cmd/ecr-credential-provider/main_test.go`	Replaces single `ecrPublicHost` constant with `ecrPublicHosts` slice (adds `ecr-public.aws.com`) and updates host membership checks. Adds test cases for dualstack host and invalid authorization token parsing.
Tagging controller tests `pkg/controllers/tagging/tagging_controller_test.go`	Changes workqueue draining loop to a bounded-wait pattern with max empty checks (3) and a longer empty delay (20ms) to account for rate-limiter delayed requeueing.
AWS provider validations `pkg/providers/v1/aws_validations.go`, `pkg/providers/v1/aws_validations_test.go`	Adds validation preventing LoadBalancer Type annotation changes after creation by inferring current LB type from Service Status LoadBalancer Ingress hostnames; tests extended with ingressStatus cases to cover hostname patterns and absence.
OpenShift tests extension runtime `tests/aws-cloud-controller-manager-tests-ext/main.go`	Removes import/use of the OpenShift CCM tests extension and topology-based SingleReplica exclusions; updates command help text to reference Machine API Operator tests extension.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	PR introduces logic bug in isNodeSchedulable helper that returns true for nodes without taints without checking Unschedulable flag, and contains duplicate test case names in aws_validations_test.go.	Fix isNodeSchedulable to check Unschedulable flag before taint length check; differentiate duplicate test case names in aws_validations_test.go for clear test failure diagnosis.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references upstream merge with specific commits and Jira tickets, but clearly summarizes the primary change: merging upstream kubernetes/cloud-provider-aws into main branch.
Stable And Deterministic Test Names	✅ Passed	All test names use static descriptive strings without dynamic values; dynamic value construction correctly placed in test bodies.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

📝 Coding Plan

Generate coding plan for human review comments

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use Trivy to scan for security misconfigurations and secrets in Infrastructure as Code files.

Add a .trivyignore file to your project to customize which findings Trivy reports.

openshift-ci-robot · 2026-03-11T11:30:08Z

@damdo: This pull request references OCPCLOUD-3276 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

This pull request references Jira Issue OCPBUGS-76344, which is invalid:

expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-69888, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @miyadav

Details

In response to this:

Summary by CodeRabbit

New Features

Added support for dual-stack public ECR hosts (ecr-public.aws.com).

Implemented Load Balancer Type annotation immutability validation to prevent unintended type changes.

Improved test node discovery to skip unschedulable nodes.

Chores

Upgraded to Go 1.25 and updated all base images accordingly.

Updated AWS SDK, Kubernetes, and testing framework dependencies to latest versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/e2e/loadbalancer.go (1)
596-598: ⚠️ Potential issue | 🟠 Major

Potential panic and incorrect nodeCount when all nodes are unschedulable.

Two issues in this block:

Panic risk: If all discovered nodes are unschedulable, workerNodeList will be empty, and accessing workerNodeList[0] at line 598 will cause an index out of range panic.

Incorrect count: e2e.nodeCount is set to len(nodeList.Items) (all nodes) but workerNodeList only contains schedulable nodes. This mismatch could cause test failures when nodeCount is used to validate load balancer target counts.
🐛 Proposed fix
 			workerNodeList = append(workerNodeList, node.Name)
 		}
+		if len(workerNodeList) == 0 {
+			continue // Try next selector if no schedulable nodes found
+		}
 		// Save the first worker node in the list to be used in cases.
 		sort.Strings(workerNodeList)
-		e2e.nodeCount = len(nodeList.Items)
+		e2e.nodeCount = len(workerNodeList)
 		e2e.nodeSingleSample = workerNodeList[0]
 		e2e.nodeSelector = selector
 		return
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/loadbalancer.go` around lines 596 - 598, The code risks an
index-out-of-range and uses the wrong count: update the block that sets
e2e.nodeCount and e2e.nodeSingleSample to base them on schedulable nodes
(workerNodeList) and guard against an empty slice; specifically, replace the
assignment e2e.nodeCount = len(nodeList.Items) with e2e.nodeCount =
len(workerNodeList) and only set e2e.nodeSingleSample = workerNodeList[0] after
checking len(workerNodeList) > 0 (handle the empty case by returning an error or
skipping the test as appropriate). Ensure you modify the logic near the
variables workerNodeList, nodeList, e2e.nodeCount, and e2e.nodeSingleSample.

♻️ Duplicate comments (1)

tests/e2e/go.mod (1)
81-81: ⚠️ Potential issue | 🟠 Major

HIGH: OpenTelemetry SDK vulnerable to arbitrary code execution via PATH hijacking.

Same vulnerability as flagged in tests/aws-cloud-controller-manager-tests-ext/go.mod - go.opentelemetry.io/otel/sdk v1.36.0 has HIGH severity vulnerability GHSA-9h8m-3fm2-qjrq.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/e2e/go.mod` at line 81, The listed OpenTelemetry SDK dependency line
"go.opentelemetry.io/otel/sdk v1.36.0" is vulnerable (GHSA-9h8m-3fm2-qjrq);
update that module entry in tests/e2e/go.mod to a patched release (e.g., upgrade
"go.opentelemetry.io/otel/sdk" to a non-vulnerable version such as v1.37.0 or
later), then refresh the module graph (update go.sum / tidy) so the project uses
the patched SDK; ensure the same change is applied consistently where the same
dependency appears.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: Update the Go version declaration in go.mod from "go 1.25.0" to "go
1.25.8": open the go.mod file and change the module's go directive to "go
1.25.8" so the project uses the latest 1.25 patch release; run go mod tidy or a
quick build to verify there are no compatibility issues after the change.

In `@pkg/providers/v1/aws_validations_test.go`:
- Around line 486-501: Two adjacent test entries in the table/ slice share the
same name causing confusing output; update the test name strings so they are
unique (e.g., append " (no annotation)" to the case where annotations:
map[string]string{} and " (clb annotation)" to the case where annotations:
map[string]string{ServiceAnnotationLoadBalancerType: "clb"}) while leaving the
rest of each test (ingressStatus using nlbHostname and expectedError "cannot
update Load Balancer Type annotation") unchanged so failures are
distinguishable.

In `@tests/aws-cloud-controller-manager-tests-ext/go.mod`:
- Line 87: Update the vulnerable dependency go.opentelemetry.io/otel/sdk in the
go.mod to v1.40.0 or later (e.g., set module version to v1.40.0), then run the
module tooling to update checksums—use `go get
go.opentelemetry.io/otel/sdk@v1.40.0` (or newer) and `go mod tidy` to refresh
go.sum; ensure references to go.opentelemetry.io/otel/sdk in the
tests/aws-cloud-controller-manager-tests-ext/go.mod are changed and run `go
test` to verify no breakage.

In `@tests/aws-cloud-controller-manager-tests-ext/main.go`:
- Line 75: Update the CLI help text by replacing the misleading Long field value
("Machine API Operator tests extension for OpenShift") with an accurate
description for this binary/extension (for example "AWS Cloud Controller Manager
tests extension for OpenShift"); locate the cobra.Command instance in this file
that sets the Long field (the command variable where Long is assigned) and
update that string so the --help output reflects the AWS Cloud Controller
Manager extension and imported AWS CCM e2e tests.

In `@tests/e2e/loadbalancer.go`:
- Around line 560-574: The isNodeSchedulable function incorrectly returns true
when len(node.Spec.Taints) == 0 without considering node.Spec.Unschedulable;
update the function (isNodeSchedulable) to first check node.Spec.Unschedulable
and return false if set, then proceed to handle taints (node.Spec.Taints) and
evaluate taint effects (v1.TaintEffectNoSchedule, v1.TaintEffectNoExecute) as
currently done.

---

Outside diff comments:
In `@tests/e2e/loadbalancer.go`:
- Around line 596-598: The code risks an index-out-of-range and uses the wrong
count: update the block that sets e2e.nodeCount and e2e.nodeSingleSample to base
them on schedulable nodes (workerNodeList) and guard against an empty slice;
specifically, replace the assignment e2e.nodeCount = len(nodeList.Items) with
e2e.nodeCount = len(workerNodeList) and only set e2e.nodeSingleSample =
workerNodeList[0] after checking len(workerNodeList) > 0 (handle the empty case
by returning an error or skipping the test as appropriate). Ensure you modify
the logic near the variables workerNodeList, nodeList, e2e.nodeCount, and
e2e.nodeSingleSample.

---

Duplicate comments:
In `@tests/e2e/go.mod`:
- Line 81: The listed OpenTelemetry SDK dependency line
"go.opentelemetry.io/otel/sdk v1.36.0" is vulnerable (GHSA-9h8m-3fm2-qjrq);
update that module entry in tests/e2e/go.mod to a patched release (e.g., upgrade
"go.opentelemetry.io/otel/sdk" to a non-vulnerable version such as v1.37.0 or
later), then refresh the module graph (update go.sum / tidy) so the project uses
the patched SDK; ensure the same change is applied consistently where the same
dependency appears.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a4ed6550-e0b0-4bb4-a89a-20c905d57631

📥 Commits

Reviewing files that changed from the base of the PR and between 33c8f09 and cf82f61.

⛔ Files ignored due to path filters (286)

go.sum is excluded by !**/*.sum
tests/aws-cloud-controller-manager-tests-ext/go.sum is excluded by !**/*.sum
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/stream.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/CHANGELOG.md is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/Makefile is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/README.md is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/endpoints/endpoint.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/go_module_metadata.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/metrics/nop.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/middleware/ordered_group.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/middleware/step_build.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/middleware/step_deserialize.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/middleware/step_finalize.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/middleware/step_initialize.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/middleware/step_serialize.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/modman.toml is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/github.com/aws/smithy-go/transport/http/metrics.go is excluded by !**/vendor/**
tests/aws-cloud-controller-manager-tests-ext/vendor/modules.txt is excluded by !**/vendor/**
tests/e2e/go.sum is excluded by !**/*.sum
tests/e2e/vendor/cel.dev/expr/.bazelversion is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/.gitattributes is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/.gitignore is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/GOVERNANCE.md is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/LICENSE is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/MAINTAINERS.md is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/README.md is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/WORKSPACE is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**
tests/e2e/vendor/cel.dev/expr/cloudbuild.yaml is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**
tests/e2e/vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**
tests/e2e/vendor/cel.dev/expr/regen_go_proto.sh is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !**/vendor/**
tests/e2e/vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**
tests/e2e/vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/.gitignore is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/LICENSE is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/README.md is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/antlrdoc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn_config.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn_config_set.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn_deserialization_options.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn_deserializer.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn_simulator.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn_state.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/atn_type.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/char_stream.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/common_token_factory.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/common_token_stream.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/comparators.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/configuration.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/dfa.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/dfa_serializer.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/dfa_state.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/diagnostic_error_listener.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/error_listener.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/error_strategy.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/errors.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/file_stream.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/input_stream.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/int_stream.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/interval_set.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/jcollect.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/lexer.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/lexer_action.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/lexer_action_executor.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/lexer_atn_simulator.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/ll1_analyzer.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/nostatistics.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/parser.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/parser_atn_simulator.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/parser_rule_context.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/prediction_context.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/prediction_context_cache.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/prediction_mode.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/recognizer.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/rule_context.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/semantic_context.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/statistics.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/stats_data.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/token.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/token_source.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/token_stream.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/tokenstream_rewriter.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/trace_listener.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/transition.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/tree.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/trees.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/antlr4-go/antlr/v4/utils.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/LICENSE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/NOTICE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/checksum.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/context.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/credential_cache.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/auto.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/configuration.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/defaults.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/defaults/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/defaultsmode.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/errors.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/from_ptr.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/logging.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/logging_generate.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/osname.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/osname_go115.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/recursion_detection.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/request_id.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/request_id_retriever.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/array.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/encoder.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/map.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/restjson/decoder_util.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/xml/error_utils.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/token_bucket.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/token_rate_limit.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/request.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive_ratelimit.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/adaptive_token_bucket.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/attempt_metrics.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/errors.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/jitter_backoff.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retry.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/throttle_error.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/timeout_error.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/retryer.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/runtime.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/cache.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/const.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/header_rules.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/hmac.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/host.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/scope.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/time.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/util.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/presign_middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/stream.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/to_ptr.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/content_type.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/response_error.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/response_error_middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/types.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/aws/version.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/LICENSE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/config.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/defaultsmode.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/env_config.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/generate.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/load_options.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/local.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/resolve.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/resolve_bearer_token.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/LICENSE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/auth.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/endpoints.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_cached_token.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_credentials_provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/sso_token_provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/static_provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/LICENSE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_client.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetDynamicData.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetIAMInfo.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetInstanceIdentityDocument.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetMetadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetRegion.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetToken.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/api_op_GetUserData.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/auth.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/endpoints.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config/resolvers.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/request_middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/token_provider.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/auth.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/scheme.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/bearer_token_adapter.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/bearer_token_signer_adapter.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/credentials_adapter.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/smithy.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/LICENSE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/config.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/endpoints.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/arn.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/doc.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/generate.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/host.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/endpoints.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/LICENSE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/endpoints.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/LICENSE.txt is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/errors.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/ini.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/parse.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/sections.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/strings.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/token.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/tokenize.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/ini/value.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/rand/rand.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/sdk/interfaces.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/sdk/time.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/sdkio/byte.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/shareddefaults/shared_config.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/strings/strings.go is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/LICENSE is excluded by !**/vendor/**
tests/e2e/vendor/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight/docs.go is excluded by !**/vendor/**

📒 Files selected for processing (14)

.ko.yaml
Dockerfile
Makefile
cloudbuild.yaml
cmd/ecr-credential-provider/main.go
cmd/ecr-credential-provider/main_test.go
go.mod
pkg/controllers/tagging/tagging_controller_test.go
pkg/providers/v1/aws_validations.go
pkg/providers/v1/aws_validations_test.go
tests/aws-cloud-controller-manager-tests-ext/go.mod
tests/aws-cloud-controller-manager-tests-ext/main.go
tests/e2e/go.mod
tests/e2e/loadbalancer.go

coderabbitai · 2026-03-11T11:33:40Z

go.mod

 module k8s.io/cloud-provider-aws

-go 1.24.0
+go 1.25.0


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is the latest stable Go version released?

💡 Result:

The latest stable Go release is Go 1.26.1, released on March 5, 2026. [1]

Sources:
[1] https://go.dev/doc/devel/release

🌐 Web query:

Go 1.25.0 release date and stability

💡 Result:

Release date: Go 1.25.0 was released on August 12, 2025. [1]

Stability: 1.25.0 is a stable, production major release (not a beta/RC). Some new capabilities in the 1.25 line are explicitly opt-in experimental features (for example, experimental GC and encoding/json/v2), so you only use them if you enable them. [2]

Practical recommendation: For the best “stability” in real deployments, use the latest Go 1.25 patch release (it includes accumulated bug/security fixes). As of March 5, 2026, that is Go 1.25.8. [1]

Sources:
[1] Go “Release History” (go1.25.0 / 1.25.x dates) — https://tip.golang.org/doc/devel/release
[2] Go 1.25 Release Notes / announcement (experimental features are opt-in; compatibility promise) — https://tip.golang.org/doc/go1.25 , https://go.dev/blog/go1.25

Consider updating to Go 1.25.8 instead of 1.25.0.

Go 1.25.0 is a valid, production-stable release. However, as of March 2026, Go 1.25.8 is available and includes accumulated bug and security fixes. Use the latest 1.25 patch release for production deployments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` at line 3, Update the Go version declaration in go.mod from "go 1.25.0" to "go 1.25.8": open the go.mod file and change the module's go directive to "go 1.25.8" so the project uses the latest 1.25 patch release; run go mod tidy or a quick build to verify there are no compatibility issues after the change.

coderabbitai · 2026-03-11T11:33:40Z

pkg/providers/v1/aws_validations_test.go

+		{
+			name:        "NLB in existing service with type annotation should not be allowed to change to CLB",
+			annotations: map[string]string{},
+			ingressStatus: []v1.LoadBalancerIngress{
+				{Hostname: nlbHostname},
+			},
+			expectedError: "cannot update Load Balancer Type annotation",
+		},
+		{
+			name:        "NLB in existing service with type annotation should not be allowed to change to CLB",
+			annotations: map[string]string{ServiceAnnotationLoadBalancerType: "clb"},
+			ingressStatus: []v1.LoadBalancerIngress{
+				{Hostname: nlbHostname},
+			},
+			expectedError: "cannot update Load Balancer Type annotation",
+		},


⚠️ Potential issue | 🟡 Minor

Duplicate test case names will cause confusing output.

Both test cases at lines 486-493 and 494-501 have the identical name "NLB in existing service with type annotation should not be allowed to change to CLB", but they test different scenarios (empty annotations vs. explicit clb annotation). This makes test failures harder to diagnose.

✏️ Proposed fix to differentiate test names

// Type change from NLB to CLB - should fail { - name: "NLB in existing service with type annotation should not be allowed to change to CLB", + name: "NLB in existing service should not be allowed to change to CLB with no annotation", annotations: map[string]string{}, ingressStatus: []v1.LoadBalancerIngress{ {Hostname: nlbHostname}, }, expectedError: "cannot update Load Balancer Type annotation", }, { - name: "NLB in existing service with type annotation should not be allowed to change to CLB", + name: "NLB in existing service should not be allowed to change to CLB with explicit clb annotation", annotations: map[string]string{ServiceAnnotationLoadBalancerType: "clb"}, ingressStatus: []v1.LoadBalancerIngress{ {Hostname: nlbHostname}, }, expectedError: "cannot update Load Balancer Type annotation", },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

{

name: "NLB in existing service with type annotation should not be allowed to change to CLB",

annotations: map[string]string{},

ingressStatus: []v1.LoadBalancerIngress{

{Hostname: nlbHostname},

},

expectedError: "cannot update Load Balancer Type annotation",

},

{

name: "NLB in existing service with type annotation should not be allowed to change to CLB",

annotations: map[string]string{ServiceAnnotationLoadBalancerType: "clb"},

ingressStatus: []v1.LoadBalancerIngress{

{Hostname: nlbHostname},

},

expectedError: "cannot update Load Balancer Type annotation",

},

{

name: "NLB in existing service should not be allowed to change to CLB with no annotation",

annotations: map[string]string{},

ingressStatus: []v1.LoadBalancerIngress{

{Hostname: nlbHostname},

},

expectedError: "cannot update Load Balancer Type annotation",

},

{

name: "NLB in existing service should not be allowed to change to CLB with explicit clb annotation",

annotations: map[string]string{ServiceAnnotationLoadBalancerType: "clb"},

ingressStatus: []v1.LoadBalancerIngress{

{Hostname: nlbHostname},

},

expectedError: "cannot update Load Balancer Type annotation",

},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@pkg/providers/v1/aws_validations_test.go` around lines 486 - 501, Two adjacent test entries in the table/ slice share the same name causing confusing output; update the test name strings so they are unique (e.g., append " (no annotation)" to the case where annotations: map[string]string{} and " (clb annotation)" to the case where annotations: map[string]string{ServiceAnnotationLoadBalancerType: "clb"}) while leaving the rest of each test (ingressStatus using nlbHostname and expectedError "cannot update Load Balancer Type annotation") unchanged so failures are distinguishable.

coderabbitai · 2026-03-11T11:33:40Z

tests/aws-cloud-controller-manager-tests-ext/go.mod

-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

go.opentelemetry.io/otel/sdk GHSA-9h8m-3fm2-qjrq patched version

💡 Result:

The patched (fixed) version of go.opentelemetry.io/otel/sdk for GHSA-9h8m-3fm2-qjrq is v1.40.0 (upgrade to 1.40.0 or later). [1][2]

Affected range: >= 1.21.0, < 1.40.0. [1]

Sources:
[1] (github.com)
[2] (osv.dev)

Citations:

1: GHSA-9h8m-3fm2-qjrq

2: https://osv.dev/vulnerability/GO-2026-4394

🌐 Web query:

GHSA-9h8m-3fm2-qjrq opentelemetry severity PATH hijacking CVE

💡 Result:

GHSA-9h8m-3fm2-qjrq is CVE-2026-24051: the OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk) can allow arbitrary code execution via local PATH hijacking on macOS/Darwin because sdk/resource/host_id.go executes the ioreg command using the ambient search PATH (CWE-426). Severity: High (CVSS v3.1 7.0) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Affected: >= 1.21.0, < 1.40.0 (often described as v1.20.0–1.39.0). Fix: upgrade to v1.40.0 (includes patch commit d45961b…). [1][2][3]

Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 or later. The current version (v1.36.0) is affected by GHSA-9h8m-3fm2-qjrq (CVE-2026-24051), a HIGH severity vulnerability that allows arbitrary code execution via local PATH hijacking on macOS/Darwin. The SDK's host_id.go executes the ioreg command using the ambient search PATH without proper validation, enabling privilege escalation. Upgrade to v1.40.0+ which includes the fix.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@tests/aws-cloud-controller-manager-tests-ext/go.mod` at line 87, Update the vulnerable dependency go.opentelemetry.io/otel/sdk in the go.mod to v1.40.0 or later (e.g., set module version to v1.40.0), then run the module tooling to update checksums—use `go get go.opentelemetry.io/otel/sdk@v1.40.0` (or newer) and `go mod tidy` to refresh go.sum; ensure references to go.opentelemetry.io/otel/sdk in the tests/aws-cloud-controller-manager-tests-ext/go.mod are changed and run `go test` to verify no breakage.

coderabbitai · 2026-03-11T11:33:40Z

tests/aws-cloud-controller-manager-tests-ext/main.go


 	root := &cobra.Command{
-		Long: "AWS Cloud Controller Manager tests extension for OpenShift",
+		Long: "Machine API Operator tests extension for OpenShift",


⚠️ Potential issue | 🟡 Minor

Fix the CLI help text to match this extension.

This binary still registers the aws-cloud-controller-manager extension and imports AWS CCM e2e tests, so the new Machine API Operator description is misleading in --help output.

Suggested fix

- Long: "Machine API Operator tests extension for OpenShift", + Long: "AWS Cloud Controller Manager tests extension for OpenShift",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

Long: "Machine API Operator tests extension for OpenShift",

Long: "AWS Cloud Controller Manager tests extension for OpenShift",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@tests/aws-cloud-controller-manager-tests-ext/main.go` at line 75, Update the CLI help text by replacing the misleading Long field value ("Machine API Operator tests extension for OpenShift") with an accurate description for this binary/extension (for example "AWS Cloud Controller Manager tests extension for OpenShift"); locate the cobra.Command instance in this file that sets the Long field (the command variable where Long is assigned) and update that string so the --help output reflects the AWS Cloud Controller Manager extension and imported AWS CCM e2e tests.

coderabbitai · 2026-03-11T11:33:40Z

tests/e2e/loadbalancer.go

+// isNodeSchedulable checks if a node is schedulable by checking if it has any taints that prevent scheduling pods.
+func (e2e *e2eTestConfig) isNodeSchedulable(node *v1.Node) bool {
+	if node == nil {
+		return false
+	}
+	if len(node.Spec.Taints) == 0 {
+		return true
+	}
+	for _, taint := range node.Spec.Taints {
+		if node.Spec.Unschedulable || taint.Effect == v1.TaintEffectNoSchedule || taint.Effect == v1.TaintEffectNoExecute {
+			return false
+		}
+	}
+	return true
+}


⚠️ Potential issue | 🟠 Major

Unschedulable flag not checked when node has no taints.

If a node has node.Spec.Unschedulable = true but has no taints, the function returns true at line 567 before the Unschedulable check (which is inside the taint loop) is ever reached.

🐛 Proposed fix

func (e2e *e2eTestConfig) isNodeSchedulable(node *v1.Node) bool { if node == nil { return false } + if node.Spec.Unschedulable { + return false + } if len(node.Spec.Taints) == 0 { return true } for _, taint := range node.Spec.Taints { - if node.Spec.Unschedulable || taint.Effect == v1.TaintEffectNoSchedule || taint.Effect == v1.TaintEffectNoExecute { + if taint.Effect == v1.TaintEffectNoSchedule || taint.Effect == v1.TaintEffectNoExecute { return false } } return true }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

// isNodeSchedulable checks if a node is schedulable by checking if it has any taints that prevent scheduling pods.

func (e2e *e2eTestConfig) isNodeSchedulable(node *v1.Node) bool {

if node == nil {

return false

}

if len(node.Spec.Taints) == 0 {

return true

}

for _, taint := range node.Spec.Taints {

if node.Spec.Unschedulable || taint.Effect == v1.TaintEffectNoSchedule || taint.Effect == v1.TaintEffectNoExecute {

return false

}

}

return true

}

// isNodeSchedulable checks if a node is schedulable by checking if it has any taints that prevent scheduling pods.

func (e2e *e2eTestConfig) isNodeSchedulable(node *v1.Node) bool {

if node == nil {

return false

}

if node.Spec.Unschedulable {

return false

}

if len(node.Spec.Taints) == 0 {

return true

}

for _, taint := range node.Spec.Taints {

if taint.Effect == v1.TaintEffectNoSchedule || taint.Effect == v1.TaintEffectNoExecute {

return false

}

}

return true

}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@tests/e2e/loadbalancer.go` around lines 560 - 574, The isNodeSchedulable function incorrectly returns true when len(node.Spec.Taints) == 0 without considering node.Spec.Unschedulable; update the function (isNodeSchedulable) to first check node.Spec.Unschedulable and return false if set, then proceed to handle taints (node.Spec.Taints) and evaluate taint effects (v1.TaintEffectNoSchedule, v1.TaintEffectNoExecute) as currently done.

mtulio · 2026-03-11T12:38:25Z

This change is reverting recent OTE changes. See https://github.com/openshift/cloud-provider-aws/pull/131/changes#diff-4d340145e8182acf63688fb7b5cea1d41a5e6ccbf6aeaf81b0a556d6ff1cf7a0R1 and https://github.com/openshift/cloud-provider-aws/blob/main/tests/aws-cloud-controller-manager-tests-ext/go.mod#L1
/hold

Don't read LDFLAGS from env, in brew we set C specific flags that cause the build to break.

# Conflicts: # .github/workflows/helm_chart_release.yaml

Adds .spec file for building the ecr credential provider. We build this using brew, and tooling from ART. This means we don't need to worry about setting env vars (e.g OS_GIT_VERSION) and where Source0 is set.

damdo · 2026-03-16T14:45:54Z

/label rebase/manual

mtulio · 2026-03-16T14:53:59Z

/test e2e-aws-ovn-techpreview

damdo · 2026-03-16T14:59:10Z

/hold

For testing to finish

openshift-ci-robot · 2026-03-16T14:59:21Z

@damdo: This pull request references OCPCLOUD-3276 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

This pull request references Jira Issue OCPBUGS-76344, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @miyadav

This pull request references Jira Issue OCPBUGS-69888, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @miyadav

Details

In response to this:

Summary by CodeRabbit

New Features

Added support for dual-stack public ECR hosts (ecr-public.aws.com).

Implemented Load Balancer Type annotation immutability validation to prevent unintended type changes.

Improved test node discovery to skip unschedulable nodes.

Chores

Upgraded to Go 1.25 and updated all base images accordingly.

Updated AWS SDK, Kubernetes, and testing framework dependencies to latest versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

damdo · 2026-03-16T14:59:32Z

/test e2e-aws-ovn-techpreview

nrb · 2026-03-16T15:23:30Z

/approve

openshift-ci · 2026-03-16T15:24:58Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [nrb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

damdo · 2026-03-16T18:49:01Z

/test e2e-hypershift

openshift-ci · 2026-03-16T21:37:58Z

@damdo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

damdo · 2026-03-16T22:57:38Z

/unhold

openshift-ci-robot · 2026-03-16T23:02:53Z

@damdo: Jira Issue Verification Checks: Jira Issue OCPBUGS-76344
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-76344 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Jira Issue Verification Checks: Jira Issue OCPBUGS-69888
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-69888 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Summary by CodeRabbit

New Features

Added support for dual-stack public ECR hosts (ecr-public.aws.com).

Implemented Load Balancer Type annotation immutability validation to prevent unintended type changes.

Improved test node discovery to skip unschedulable nodes.

Chores

Upgraded to Go 1.25 and updated all base images accordingly.

Updated AWS SDK, Kubernetes, and testing framework dependencies to latest versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-03-17T07:35:10Z

@damdo: Jira Issue OCPBUGS-76344 is in an unrecognized state (ON_QA) and will not be moved to the MODIFIED state.

Jira Issue OCPBUGS-69888 is in an unrecognized state (ON_QA) and will not be moved to the MODIFIED state.

Jira Issue Verification Checks: Jira Issue OCPBUGS-78289
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-78289 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Summary by CodeRabbit

New Features

Added support for dual-stack public ECR hosts (ecr-public.aws.com).

Implemented Load Balancer Type annotation immutability validation to prevent unintended type changes.

Improved test node discovery to skip unschedulable nodes.

Chores

Upgraded to Go 1.25 and updated all base images accordingly.

Updated AWS SDK, Kubernetes, and testing framework dependencies to latest versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

damdo · 2026-03-17T07:36:06Z

/jira refresh

openshift-ci-robot · 2026-03-17T07:36:15Z

@damdo: Jira Issue Verification Checks: Jira Issue OCPBUGS-76344
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-76344 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Jira Issue Verification Checks: Jira Issue OCPBUGS-69888
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-69888 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Jira Issue OCPBUGS-78289 is in an unrecognized state (MODIFIED) and will not be moved to the MODIFIED state.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

damdo · 2026-03-17T07:36:46Z

/jira refresh

openshift-ci-robot · 2026-03-17T07:36:52Z

@damdo: Jira Issue OCPBUGS-76344 is in an unrecognized state (MODIFIED) and will not be moved to the MODIFIED state.

Jira Issue OCPBUGS-69888 is in an unrecognized state (MODIFIED) and will not be moved to the MODIFIED state.

Jira Issue Verification Checks: Jira Issue OCPBUGS-78289
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-78289 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-merge-robot · 2026-03-27T20:03:13Z

Fix included in accepted release 4.22.0-0.nightly-2026-03-15-203841

Ganiredi and others added 14 commits December 19, 2025 17:06

1.35.0 release

3739e68

Merge pull request kubernetes#1320 from Ganiredi/v1.35.0

d1c7c02

1.35.0 release

Merge pull request kubernetes#1325 from mtulio/fix-1254-lb-leak

742c08c

fix: lb leak preventing changes in Load Balancer type annotation after creation

Merge pull request kubernetes#1331 from nrb/fix-tag-timeouts

1243690

Only wait for delayed test queue entries if there is no work

feat(ecr-cred-provider): support public dualstack endpoints

32e84a3

Update the version of ecr dependency to fix the ipv6 endpoints

9d1154c

Merge pull request kubernetes#1333 from kmala/master

af797b6

Update the version of ecr dependency to fix the ipv6 endpoints

Merge pull request kubernetes#1332 from mselim00/dualstack-public

b6c9d76

feat(ecr-cred-provider): support public dualstack endpoints

Merge pull request kubernetes#1340 from mtulio/e2e-fix-unscheduled-nodes

ea961d6

e2e/loadbalancer: fix e2e by skipping unscheduled nodes on discovery

merge upstream/master into main

06fd63f

openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 11, 2026

openshift-ci bot requested a review from miyadav March 11, 2026 11:28

coderabbitai bot reviewed Mar 11, 2026

View reviewed changes

openshift-ci bot requested review from nrb and racheljpg March 11, 2026 11:38

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 11, 2026

theobarberbany and others added 5 commits March 16, 2026 11:41

UPSTREAM: <carry>: Updates ecr-credential-provider make target

6457ff3

Don't read LDFLAGS from env, in brew we set C specific flags that cause the build to break.

UPSTREAM: <carry>: Set up repository for OpenShift CI

b70e407

# Conflicts: # .github/workflows/helm_chart_release.yaml

UPSTREAM: <carry>: Adds ecr-credential-provider .spec file

6e96d33

Adds .spec file for building the ecr credential provider. We build this using brew, and tooling from ART. This means we don't need to worry about setting env vars (e.g OS_GIT_VERSION) and where Source0 is set.

UPSTREAM: <carry>: Add snyk exclusion file

b18d390

UPSTREAM: <carry>: Sync OWNERS file

fe5737d

openshift-ci bot assigned mdbooth and RadekManak Mar 16, 2026

openshift-ci bot added the rebase/manual Indicates the PR should not be rebased by the rebasebot. label Mar 16, 2026

damdo closed this Mar 16, 2026

damdo reopened this Mar 16, 2026

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2026

damdo mentioned this pull request Mar 16, 2026

OCPBUGS-78289: Updating ose-aws-cloud-controller-manager-container image to be consistent with ART for 4.22 #132

Closed

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 16, 2026

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2026

openshift-merge-bot bot merged commit 24a5524 into openshift:main Mar 16, 2026
11 checks passed

This was referenced Mar 17, 2026

DNM/SPLAT-2672: e2e/ote/ccm-aws: moving binary cccmo project #133

Closed

SPLAT-2672: e2e/ote/ccm-aws: moving OTE binary from CCM-AWS openshift/cluster-cloud-controller-manager-operator#437

Merged

	Long: "Machine API Operator tests extension for OpenShift",
	Long: "AWS Cloud Controller Manager tests extension for OpenShift",

Conversation

damdo commented Mar 11, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented Mar 11, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai bot commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (2 warnings)

Uh oh!

openshift-ci-robot commented Mar 11, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

mtulio commented Mar 11, 2026

Uh oh!

damdo commented Mar 16, 2026

Uh oh!

mtulio commented Mar 16, 2026

Uh oh!

damdo commented Mar 16, 2026

Uh oh!

openshift-ci-robot commented Mar 16, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

damdo commented Mar 16, 2026

Uh oh!

nrb commented Mar 16, 2026

Uh oh!

openshift-ci bot commented Mar 16, 2026

Uh oh!

damdo commented Mar 16, 2026

Uh oh!

openshift-ci bot commented Mar 16, 2026

Uh oh!

damdo commented Mar 16, 2026

Uh oh!

Uh oh!

openshift-ci-robot commented Mar 16, 2026

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented Mar 17, 2026

Summary by CodeRabbit

Uh oh!

damdo commented Mar 17, 2026

Uh oh!

openshift-ci-robot commented Mar 17, 2026

Uh oh!

damdo commented Mar 17, 2026

Uh oh!

openshift-ci-robot commented Mar 17, 2026

Uh oh!

openshift-merge-robot commented Mar 27, 2026

Uh oh!

Reviewers

Assignees

damdo commented Mar 11, 2026 •

edited by coderabbitai bot

Loading

openshift-ci-robot commented Mar 11, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Mar 11, 2026 •

edited

Loading

openshift-ci-robot commented Mar 11, 2026 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Mar 16, 2026 •

edited by openshift-ci bot

Loading