Skip to content

TRT-2586: Revert "NE-2471: Replace OLM-based Istio install with Sail Library"#1397

Closed
stbenjam wants to merge 2 commits intoopenshift:masterfrom
stbenjam:revert-pr-1354
Closed

TRT-2586: Revert "NE-2471: Replace OLM-based Istio install with Sail Library"#1397
stbenjam wants to merge 2 commits intoopenshift:masterfrom
stbenjam:revert-pr-1354

Conversation

@stbenjam
Copy link
Copy Markdown
Member

@stbenjam stbenjam commented Mar 20, 2026

This reverts #1354 and the dependent #1383.

This PR is causing blocking job failures (aws-ovn-techpreview, aws-ovn-techpreview-serial-3of3) in the nightly amd64 payload 4.22.0-0.nightly-2026-03-20-053450.

JIRA: https://issues.redhat.com/browse/TRT-2586

Failing Jobs

Why?

PR #1354 replaced the OLM-based Istio install with Sail Library. The GatewayAPIController no longer creates the servicemeshoperator3 OLM Subscription, causing all GatewayAPI TechPreview tests to fail. PR #1383 was also reverted as it depended on changes from #1354.

cc @gcs278 @rikatz

To unrevert, please revert this PR and include a fix for the issue.

/label trt-revert

Opened by Revertomatic.

stbenjam added 2 commits March 20, 2026 10:53
@stbenjam
Revert "Merge pull request openshift#1383 from rikatz/use-system-prox…
2e7d096 
…y-for-istio"

This reverts commit 2b994ed, reversing
changes made to 128729e.
@stbenjam
Revert "Merge pull request openshift#1354 from gcs278/gwapi-without-olm"
2c150d4 
This reverts commit 128729e, reversing
changes made to b347d80.
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 20, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Mar 20, 2026
edited by openshift-ci bot
Loading

@stbenjam: This pull request references NE-2471 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This reverts #1354 and the dependent #1383.

This PR is causing blocking job failures (aws-ovn-techpreview, aws-ovn-techpreview-serial-3of3) in the nightly amd64 payload 4.22.0-0.nightly-2026-03-20-053450.

JIRA: https://issues.redhat.com/browse/TRT-2586

Failing Jobs

Why?

PR #1354 replaced the OLM-based Istio install with Sail Library. The GatewayAPIController no longer creates the servicemeshoperator3 OLM Subscription, causing all GatewayAPI TechPreview tests to fail. PR #1383 was also reverted as it depended on changes from #1354.

cc @gcs278 @rikatz

To unrevert, please revert this PR and include a fix for the issue.

/label trt-revert

Opened by Revertomatic.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Mar 20, 2026

@stbenjam: The label(s) /label trt-revert cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, rebase/manual, cluster-config-api-changed, run-integration-tests, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, ok-to-test, stability-fix-approved, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

Details

In response to this:

This reverts #1354 and the dependent #1383.

This PR is causing blocking job failures (aws-ovn-techpreview, aws-ovn-techpreview-serial-3of3) in the nightly amd64 payload 4.22.0-0.nightly-2026-03-20-053450.

JIRA: https://issues.redhat.com/browse/TRT-2586

Failing Jobs

Why?

PR #1354 replaced the OLM-based Istio install with Sail Library. The GatewayAPIController no longer creates the servicemeshoperator3 OLM Subscription, causing all GatewayAPI TechPreview tests to fail. PR #1383 was also reverted as it depended on changes from #1354.

cc @gcs278 @rikatz

To unrevert, please revert this PR and include a fix for the issue.

/label trt-revert

Opened by Revertomatic.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@stbenjam
Copy link
Copy Markdown
Member Author

stbenjam commented Mar 20, 2026

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview
/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-3of3

@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Mar 20, 2026
edited
Loading

📝 Walkthrough

Walkthrough

This pull request removes Sail Library integration across the ingress operator codebase. Changes include: removing Go module dependencies related to Sail Library, deleting manifest files for the openshift-ingress-operator-sail-library ClusterRole and associated ClusterRoleBinding, removing multiple DNS record CRD variants, simplifying the gatewayclass controller to run only the OLM-based reconciliation flow, deleting Sail Library installation and migration logic, removing related test fixtures and helpers, updating shell scripts to remove Sail Library CRD variant handling, and removing the GatewayAPIWithoutOLMEnabled feature gate throughout the codebase. The operator now exclusively uses the Operator Lifecycle Manager approach for Gateway API provisioning and no longer supports the Sail Library deployment path.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
📝 Coding Plan
  • Generate coding plan for human review comments

Comment @coderabbitai help to get the list of available commands and usage tips.

Tip

CodeRabbit can use Trivy to scan for security misconfigurations and secrets in Infrastructure as Code files.

Add a .trivyignore file to your project to customize which findings Trivy reports.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Mar 20, 2026

@stbenjam: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview
  • periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview-serial-3of3

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/bcfc5f40-246c-11f1-9edf-90bb0aa8015c-0

@openshift-ci openshift-ci bot requested review from davidesalerno and knobunc March 20, 2026 14:55
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Mar 20, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rfredette for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@stbenjam stbenjam changed the title Revert "NE-2471: Replace OLM-based Istio install with Sail Library" TRT-2586: Revert "NE-2471: Replace OLM-based Istio install with Sail Library" Mar 20, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Mar 20, 2026
edited by openshift-ci bot
Loading

@stbenjam: This pull request references TRT-2586 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This reverts #1354 and the dependent #1383.

This PR is causing blocking job failures (aws-ovn-techpreview, aws-ovn-techpreview-serial-3of3) in the nightly amd64 payload 4.22.0-0.nightly-2026-03-20-053450.

JIRA: https://issues.redhat.com/browse/TRT-2586

Failing Jobs

Why?

PR #1354 replaced the OLM-based Istio install with Sail Library. The GatewayAPIController no longer creates the servicemeshoperator3 OLM Subscription, causing all GatewayAPI TechPreview tests to fail. PR #1383 was also reverted as it depended on changes from #1354.

cc @gcs278 @rikatz

To unrevert, please revert this PR and include a fix for the issue.

/label trt-revert

Opened by Revertomatic.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai[bot]
coderabbitai bot reviewed Mar 20, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
manifests/00-custom-resource-definition.yaml (1)

2030-2035: ⚠️ Potential issue | 🟠 Major

Conflicting minTLSVersion guidance vs enum values

The new note says the highest allowed value is VersionTLS12, but this same schema still allows VersionTLS13 via enum. This contradiction will mislead API consumers and docs generation.

Please align the note and enum (either remove/update the note or enforce the intended cap in schema).

Also applies to: 3327-3333

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@manifests/00-custom-resource-definition.yaml` around lines 2030 - 2035, The
CRD currently has conflicting guidance for minTLSVersion: the inline NOTE states
the highest allowed is VersionTLS12 while the enum for minTLSVersion still
includes VersionTLS13; pick one consistent intent and update the schema and doc
comment accordingly — either remove VersionTLS13 from the enum (so minTLSVersion
enum only lists VersionTLS10, VersionTLS11, VersionTLS12) or change the note to
allow VersionTLS13, and apply the same change to the other identical
minTLSVersion block (the second occurrence) so both the NOTE and the enum values
for minTLSVersion (VersionTLS10/11/12/13) are consistent.
pkg/operator/controller/gatewayclass/controller.go (1)

107-135: ⚠️ Potential issue | 🔴 Critical

Add capability flags to gatewayclass controller Config and guard the OLM-only watches.

The Subscription and InstallPlan watches at lines 110 and 133 are set up unconditionally during controller creation, but these APIs only exist when the "OperatorLifecycleManager" and "marketplace" capabilities are enabled. On clusters without these capabilities, watch setup will fail during NewUnmanaged(), causing operator startup to fail—even though the parent gatewayapi controller gates whether dependent controllers are actually started.

Pass MarketplaceEnabled and OperatorLifecycleManagerEnabled to the gatewayclass Config struct and conditionally set up the OLM watches only when both capabilities are enabled. This matches the pattern already used in status and gatewayapi controllers.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/controller/gatewayclass/controller.go` around lines 107 - 135,
Add MarketplaceEnabled and OperatorLifecycleManagerEnabled boolean fields to the
gatewayclass controller Config and only register the OLM-related watches when
both are true: wrap the Subscription watch (predicate isServiceMeshSubscription
and reconciler.enqueueRequestForSomeGatewayClass()) and the InstallPlan watch
(predicates isOurInstallPlan and isInstallPlanReadyForApproval with
reconciler.enqueueRequestForSomeGatewayClass()) in a conditional that checks
cfg.MarketplaceEnabled && cfg.OperatorLifecycleManagerEnabled; leave all other
logic and predicates unchanged so watches are only set up when those
capabilities are present.
🧹 Nitpick comments (1)
pkg/operator/controller/status/controller.go (1)

483-502: Skip the cluster-wide Subscription scan until Gateway API is actually requested.

r.subscriptionCache.List(...) now runs on every status reconcile whenever OLM+marketplace are enabled, even when there are no openshift.io/gateway-controller/v1 classes. That makes this path O(total subscriptions) for clusters that are not using Gateway API.

♻️ Proposed change 
-		state.expectedGatewayAPIOperatorVersion = r.config.GatewayAPIOperatorVersion
-		subscriptionList := operatorsv1alpha1.SubscriptionList{}
-		if err := r.subscriptionCache.List(ctx, &subscriptionList); err != nil {
-			return state, fmt.Errorf("failed to get subscriptions: %w", err)
-		}
-		for _, subscription := range subscriptionList.Items {
-			if subscription.Spec != nil && ossmSubscriptions.Has(subscription.Spec.Package) {
-				state.ossmSubscriptions = append(state.ossmSubscriptions, subscription)
-			}
-		}
-
 		gatewayClassList := gatewayapiv1.GatewayClassList{}
 		if err := r.cache.List(ctx, &gatewayClassList, client.MatchingFields{
 			operatorcontroller.GatewayClassIndexFieldName: operatorcontroller.OpenShiftGatewayClassControllerName,
 		}); err != nil {
 			return state, fmt.Errorf("failed to list gateway classes: %w", err)
 		}
 		// If one or more gateway classes have ControllerName=operatorcontroller.OpenShiftGatewayClassControllerName,
 		// the ingress operator should try to install OSSM.
-		state.shouldInstallOSSM = (len(gatewayClassList.Items) > 0)
+		state.shouldInstallOSSM = len(gatewayClassList.Items) > 0
+		if state.shouldInstallOSSM {
+			state.expectedGatewayAPIOperatorVersion = r.config.GatewayAPIOperatorVersion
+			subscriptionList := operatorsv1alpha1.SubscriptionList{}
+			if err := r.subscriptionCache.List(ctx, &subscriptionList); err != nil {
+				return state, fmt.Errorf("failed to get subscriptions: %w", err)
+			}
+			for _, subscription := range subscriptionList.Items {
+				if subscription.Spec != nil && ossmSubscriptions.Has(subscription.Spec.Package) {
+					state.ossmSubscriptions = append(state.ossmSubscriptions, subscription)
+				}
+			}
+		}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/controller/status/controller.go` around lines 483 - 502,
Currently the code always calls r.subscriptionCache.List(...) and scans all
Subscriptions even when Gateway API isn't present; change the logic to first
list GatewayClass (using r.cache.List with
operatorcontroller.GatewayClassIndexFieldName /
OpenShiftGatewayClassControllerName) and set state.shouldInstallOSSM, and only
if state.shouldInstallOSSM is true then call r.subscriptionCache.List(...) to
populate state.ossmSubscriptions (filtering by
ossmSubscriptions.Has(subscription.Spec.Package)); keep assignment of
state.expectedGatewayAPIOperatorVersion as before.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 37: Update the pinned grpc module in go.mod: replace the existing
google.golang.org/grpc v1.75.1 entry with v1.79.3 (or a later patch) to address
GHSA-p77j-4mvh-x3m3, then refresh module files so the updated version is
reflected (update dependencies and lockfile/go.sum) and verify the project
builds/tests pass; the change targets the google.golang.org/grpc version line
currently set to v1.75.1.

In `@manifests/00-custom-resource-definition.yaml`:
- Around line 2014-2017: The example under the ciphers list uses the weak legacy
cipher "DES-CBC3-SHA"; update the example to a modern, secure suite (e.g., an
ECDHE-AES-GCM or CHACHA20-based cipher) wherever the generic "ciphers" example
appears (refer to the ciphers key/example and the specific example value
"DES-CBC3-SHA"), and ensure legacy suites are only shown in explicit
compatibility sections (also apply the same replacement to the other occurrences
noted around lines 3311-3314).

---

Outside diff comments:
In `@manifests/00-custom-resource-definition.yaml`:
- Around line 2030-2035: The CRD currently has conflicting guidance for
minTLSVersion: the inline NOTE states the highest allowed is VersionTLS12 while
the enum for minTLSVersion still includes VersionTLS13; pick one consistent
intent and update the schema and doc comment accordingly — either remove
VersionTLS13 from the enum (so minTLSVersion enum only lists VersionTLS10,
VersionTLS11, VersionTLS12) or change the note to allow VersionTLS13, and apply
the same change to the other identical minTLSVersion block (the second
occurrence) so both the NOTE and the enum values for minTLSVersion
(VersionTLS10/11/12/13) are consistent.

In `@pkg/operator/controller/gatewayclass/controller.go`:
- Around line 107-135: Add MarketplaceEnabled and
OperatorLifecycleManagerEnabled boolean fields to the gatewayclass controller
Config and only register the OLM-related watches when both are true: wrap the
Subscription watch (predicate isServiceMeshSubscription and
reconciler.enqueueRequestForSomeGatewayClass()) and the InstallPlan watch
(predicates isOurInstallPlan and isInstallPlanReadyForApproval with
reconciler.enqueueRequestForSomeGatewayClass()) in a conditional that checks
cfg.MarketplaceEnabled && cfg.OperatorLifecycleManagerEnabled; leave all other
logic and predicates unchanged so watches are only set up when those
capabilities are present.

---

Nitpick comments:
In `@pkg/operator/controller/status/controller.go`:
- Around line 483-502: Currently the code always calls
r.subscriptionCache.List(...) and scans all Subscriptions even when Gateway API
isn't present; change the logic to first list GatewayClass (using r.cache.List
with operatorcontroller.GatewayClassIndexFieldName /
OpenShiftGatewayClassControllerName) and set state.shouldInstallOSSM, and only
if state.shouldInstallOSSM is true then call r.subscriptionCache.List(...) to
populate state.ossmSubscriptions (filtering by
ossmSubscriptions.Has(subscription.Spec.Package)); keep assignment of
state.expectedGatewayAPIOperatorVersion as before.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 7bda3637-d05d-4377-aae9-d20ece296358

📥 Commits

Reviewing files that changed from the base of the PR and between 2b994ed and 2c150d4.

⛔ Files ignored due to path filters (274)
  • go.sum is excluded by !**/*.sum
  • vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !**/vendor/**, !vendor/**
  • vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !**/vendor/**, !vendor/**
  • vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/.deepsource.toml is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/FUNDING.json is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/SECURITY.md is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/merge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/dario.cat/mergo/mergo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/SECURITY.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/constants.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/csi_entry_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/csi_param_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/escape_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/event_handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/ground_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/osc_string_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/parser_actions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/states.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/utilities.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/ansi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/api.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/utilities.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/COPYING is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/internal/tz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/lex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/meta.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/parse.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/type_fields.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/BurntSushi/toml/type_toml.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/MakeNowJust/heredoc/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/MakeNowJust/heredoc/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/MakeNowJust/heredoc/heredoc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/appveyor.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/randomstringutils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/stringutils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/goutils/wordutils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/SECURITY.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/collection.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/constraints.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/semver/v3/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/crypto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/date.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/dict.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/functions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/list.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/network.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/numeric.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/reflect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/regex.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/semver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/strings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/sprig/v3/url.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/case.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/delete.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/delete_ctx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/expr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/insert.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/insert_ctx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/part.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/placeholder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/row.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/select.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/select_ctx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/squirrel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/squirrel_ctx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/statement.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/stmtcacher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/stmtcacher_ctx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/stmtcacher_noctx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/update.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/update_ctx.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/Masterminds/squirrel/where.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/fs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/fs_json.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/fs_os.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/fs_zip.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/gettext.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/locale.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/mo/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/mo/encoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/mo/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/mo/header.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/mo/message.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/mo/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/plural/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/plural/formula.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/plural/table.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/comment.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/header.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/line_reader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/message.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/re.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/po/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/tr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/chai2010/gettext-go/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.validate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.validate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/archive/compression/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/archive/compression/compression_fuzzer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/content/adaptor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/content/content.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/content/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/errdefs/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/errdefs/grpc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/filters/adaptor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/filters/filter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/filters/parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/filters/quote.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/filters/scanner.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/images/annotations.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/images/diffid.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/images/handlers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/images/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/images/importexport.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/images/labels.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/images/mediatypes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/labels/labels.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/labels/validate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/pkg/randutil/randutil.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/remotes/handlers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/containerd/remotes/resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/errdefs/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/errdefs/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/errdefs/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/errdefs/resolve.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/log/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/log/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/log/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/log/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/.gitattributes is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/compare.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/cpuinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/cpuinfo_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/cpuinfo_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/database.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/defaults_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/defaults_freebsd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/defaults_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/defaults_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/platform_compat_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/platforms.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/platforms_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/platforms/platforms_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/VERSION is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/join.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/open_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/openat_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/vfs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/envoyproxy/protoc-gen-validate/validate/BUILD is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/evanphx/json-patch/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/evanphx/json-patch/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/evanphx/json-patch/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/evanphx/json-patch/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/evanphx/json-patch/merge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/evanphx/json-patch/patch.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/exponent-io/jsonpath/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/exponent-io/jsonpath/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/exponent-io/jsonpath/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/exponent-io/jsonpath/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/exponent-io/jsonpath/decoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/exponent-io/jsonpath/path.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/exponent-io/jsonpath/pathaction.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/LICENSE.MIT is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/error_1_13.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/error_backward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/join_unwrap_1_20.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/join_unwrap_backward.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/parse_panic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-errors/errors/stackframe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/.travis.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/column.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/db.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/dialect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/dialect_mysql.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/dialect_oracle.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/dialect_postgres.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/dialect_snowflake.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/dialect_sqlite.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/dialect_sqlserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/gorp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/hooks.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/lockerror.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/logging.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/nulltypes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/select.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-gorp/gorp/v3/table.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (26)
  • go.mod
  • hack/update-generated-crd.sh
  • hack/verify-generated-crd.sh
  • manifests/00-cluster-role-sail-library.yaml
  • manifests/00-cluster-role.yaml
  • manifests/00-custom-resource-definition-internal-CustomNoUpgrade.yaml
  • manifests/00-custom-resource-definition-internal-DevPreviewNoUpgrade.yaml
  • manifests/00-custom-resource-definition-internal-OKD.yaml
  • manifests/00-custom-resource-definition-internal-TechPreviewNoUpgrade.yaml
  • manifests/00-custom-resource-definition-internal.yaml
  • manifests/00-custom-resource-definition.yaml
  • manifests/01-cluster-role-binding-sail-library.yaml
  • pkg/operator/controller/gatewayapi/controller.go
  • pkg/operator/controller/gatewayclass/controller.go
  • pkg/operator/controller/gatewayclass/controller_test.go
  • pkg/operator/controller/gatewayclass/istio.go
  • pkg/operator/controller/gatewayclass/istio_sail_installer.go
  • pkg/operator/controller/gatewayclass/istio_sail_installer_test.go
  • pkg/operator/controller/gatewayclass/migration.go
  • pkg/operator/controller/gatewayclass/status.go
  • pkg/operator/controller/status/controller.go
  • pkg/operator/controller/status/controller_test.go
  • pkg/operator/controller/test/util/fake.go
  • pkg/operator/operator.go
  • test/e2e/gateway_api_test.go
  • test/e2e/util_gatewayapi_test.go
💤 Files with no reviewable changes (12)
  • manifests/01-cluster-role-binding-sail-library.yaml
  • manifests/00-custom-resource-definition-internal-CustomNoUpgrade.yaml
  • pkg/operator/controller/test/util/fake.go
  • manifests/00-cluster-role.yaml
  • manifests/00-custom-resource-definition-internal-TechPreviewNoUpgrade.yaml
  • manifests/00-cluster-role-sail-library.yaml
  • manifests/00-custom-resource-definition-internal-DevPreviewNoUpgrade.yaml
  • pkg/operator/controller/gatewayclass/migration.go
  • pkg/operator/controller/gatewayclass/istio_sail_installer_test.go
  • manifests/00-custom-resource-definition-internal-OKD.yaml
  • pkg/operator/controller/gatewayclass/istio_sail_installer.go
  • pkg/operator/controller/gatewayclass/status.go

go.mod
golang.org/x/time v0.12.0
google.golang.org/api v0.126.0
google.golang.org/grpc v1.79.1
google.golang.org/grpc v1.75.1
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python <<'PY'
import json
import pathlib
import re
import urllib.request

text = pathlib.Path("go.mod").read_text()
match = re.search(r'^\s*google\.golang\.org/grpc\s+v([^\s]+)', text, re.M)
if not match:
    raise SystemExit("google.golang.org/grpc not found in go.mod")

version = match.group(1)
payload = json.dumps({
    "package": {"ecosystem": "Go", "name": "google.golang.org/grpc"},
    "version": version,
}).encode()

req = urllib.request.Request(
    "https://api.osv.dev/v1/query",
    data=payload,
    headers={"Content-Type": "application/json"},
)

with urllib.request.urlopen(req, timeout=20) as resp:
    data = json.load(resp)

print(f"google.golang.org/grpc in go.mod: {version}")
for vuln in data.get("vulns", []):
    print(vuln.get("id"), vuln.get("aliases", []), vuln.get("summary"))
if not data.get("vulns"):
    print("No OSV vulnerabilities returned for this version.")
PY

Repository: openshift/cluster-ingress-operator

Length of output: 2660

🏁 Script executed:

cat go.mod | grep -A 2 -B 2 "google.golang.org/grpc"

Repository: openshift/cluster-ingress-operator

Length of output: 222

🌐 Web query:

GHSA-p77j-4mvh-x3m3 google.golang.org/grpc vulnerability

💡 Result:

GHSA-p77j-4mvh-x3m3 (CVE-2026-33186) — google.golang.org/grpc (gRPC-Go) is a critical authorization bypass caused by improper validation of the HTTP/2 :path pseudo-header. A gRPC-Go server could accept a non-canonical path missing the required leading slash (e.g., Service/Method instead of /Service/Method), route it successfully, but have path-based authorization interceptors (including google.golang.org/grpc/authz) evaluate the raw non-canonical string—so deny rules for canonical paths may not match, enabling bypass when a fallback allow rule exists. Exploitation requires an attacker able to send raw HTTP/2 frames with malformed :path. [1][2]

  • Affected: google.golang.org/grpc < 1.79.3 [1]
  • Fixed in: 1.79.3 (and newer) [1][2]
  • Recommended action: upgrade to v1.79.3+. If you can’t upgrade immediately, mitigate by adding an outermost interceptor that rejects methods whose info.FullMethod doesn’t start with /, and/or enforce strict HTTP/2 pseudo-header validation/normalization at a proxy/load balancer; consider “default deny” policies. [1][2]

Sources: GitHub Advisory Database entry for GHSA-p77j-4mvh-x3m3 [1], OSV entry (GHSA-p77j-4mvh-x3m3) [2].

Upgrade google.golang.org/grpc to v1.79.3 or later to fix GHSA-p77j-4mvh-x3m3.

Line 37 pins google.golang.org/grpc to v1.75.1, which is vulnerable to GHSA-p77j-4mvh-x3m3—a critical authorization bypass where improperly validated HTTP/2 :path pseudo-headers (missing leading slash) can bypass path-based authorization interceptors, including google.golang.org/grpc/authz. Affected versions are < 1.79.3. Upgrade before merging.

🧰 Tools
🪛 OSV Scanner (2.3.3)

[CRITICAL] 37-37: google.golang.org/grpc 1.75.1: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 37, Update the pinned grpc module in go.mod: replace the
existing google.golang.org/grpc v1.75.1 entry with v1.79.3 (or a later patch) to
address GHSA-p77j-4mvh-x3m3, then refresh module files so the updated version is
reflected (update dependencies and lockfile/go.sum) and verify the project
builds/tests pass; the change targets the google.golang.org/grpc version line
currently set to v1.75.1.

manifests/00-custom-resource-definition.yaml
Comment on lines +2014 to +2017
do not support. For example, to use DES-CBC3-SHA (yaml):

ciphers:
- ECDHE-RSA-AES128-GCM-SHA256

TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable
and are always enabled when TLS 1.3 is negotiated.
- DES-CBC3-SHA
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Security docs regression: example now highlights weak 3DES cipher

Changing the example cipher to DES-CBC3-SHA in the generic ciphers descriptions promotes a legacy weak choice. Even as an example, this can drive insecure configurations.

Use a modern example cipher (for example, ECDHE-...-AESGCM/CHACHA20) and keep legacy suites only in explicitly compatibility-focused sections.

Also applies to: 3311-3314

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@manifests/00-custom-resource-definition.yaml` around lines 2014 - 2017, The
example under the ciphers list uses the weak legacy cipher "DES-CBC3-SHA";
update the example to a modern, secure suite (e.g., an ECDHE-AES-GCM or
CHACHA20-based cipher) wherever the generic "ciphers" example appears (refer to
the ciphers key/example and the specific example value "DES-CBC3-SHA"), and
ensure legacy suites are only shown in explicit compatibility sections (also
apply the same replacement to the other occurrences noted around lines
3311-3314).

@stbenjam
Copy link
Copy Markdown
Member Author

stbenjam commented Mar 20, 2026

Looks like openshift/origin#39896 makes the tests work, but didn't make the cut in the nightly. Next one should have it

@stbenjam stbenjam closed this Mar 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@davidesalerno davidesalerno Awaiting requested review from davidesalerno

@knobunc knobunc Awaiting requested review from knobunc

Assignees

No one assigned

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stbenjam @openshift-ci-robot