NE-2519: Move Sail Library to official release branch

[gcs278]

This commit upgrades the vendored Sail Library from Aslak's dev branch to the official OSSM 3.3.1 release from openshift-service-mesh/sail-operator. OSSM 3.3.1 is the first release containing the Sail Library code.

This approach gives us a stable, versioned Sail Library dependency while continuing to use OSSM 3.3.0 images and components. We remain on Istio v1.28.4 with OSSM 3.3.0 runtime images - the OSSM 3.3.1 release branch simply provides the Sail Library code and pinned image SHAs for these OSSM 3.3.0 components, eliminating the usage of floating tags.

Gateway API compatibility:
The OSSM 3.3.1 Sail Library with Istio 1.28.4 is compatible with Gateway API v1.4.x, so we can safely use v1.4.1 without conflicts. This removes the need for the temporary v1.4.1 pin that was required when using the main branch (which tracked newer Istio versions).

Steps performed:

 go mod edit -dropreplace sigs.k8s.io/gateway-api
 go get github.com/openshift-service-mesh/sail-operator@v3.3.1
 go get sigs.k8s.io/gateway-api@v1.4.1
 go mod tidy
 go mod vendor

Note: The OLM bump for OSSM 3.3.1 and the bump to Istio v1.28.5 will be done here: #1406

[openshift-ci-robot]

@gcs278: This pull request references NE-2519 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

To help stage the bump to 3.3.1 (OCPBUGS-79376), this commit moves our vendored sail library from Aslak's dev branch to the release-3.3.1 branch in openshift-service-mesh/sail-operator. This provides a couple benefits, including the SHAs for the current OSSM 3.3.0 release that we are using, which eliminates the usage of floating tags in favor of pinned image SHAs as well as alignment of go module dependencies.

Gateway API downgrade to v1.4.1:
During TP, we used openshift-service-mesh/sail-operator main branch which vendored the latest Istio requiring Gateway API v1.5.0. We decided to pin to v1.4.1 to ensure compatibility with our CRDs.

Now with release-3.3.1 branch, sail-operator vendors Istio 1.28.5 which only requires Gateway API v1.4.0. This allows us to safely remove the pin and downgrade to v1.4.1 without conflicts.

Steps performed:
Removed gateway-api version pin from go.mod
go get github.com/openshift-service-mesh/sail-operator@rv3.3.1
go get sigs.k8s.io/gateway-api@v1.4.1
go mod tidy
go mod vendor

Note: We were previously using the Aslak's dev branch which was rebased on the main branch of the Sail Operator. This change uses the current release-3.3.1 branch to align our dependencies and receive the latest SHAs in the CSV, rather than an OSSM version bump to 3.3.1 (coming shortly thereafter).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates go.mod: changes sigs.k8s.io/gateway-api requirement from v1.5.0 to v1.4.1 and removes its replace stanza, updates an indirect istio.io/istio pseudo-version, and replaces the github.com/istio-ecosystem/sail-operator replacement with github.com/openshift-service-mesh/sail-operator at a new pseudo-version. In pkg/operator/controller/gatewayclass/controller.go (NewUnmanaged path) the call to install.SetImageDefaults and related image-default constants were removed; Sail Library initialization and reconciliation wiring remain.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gcs278]

@aslakknutsen mind taking a quick look? Since we are still running with 3.3.0 - I'd like decouple the OSSM 3.3.1 bump from the release-3.3 alignment, so this is just vendoring openshift-service-mesh/sail-operator#756. It would keep our 3.3.0 bump to 3.3.1 cleaner. Let me know if you see any issues in the vendoring here.

[candita]

Is this still needed?

[rikatz]

Yes because the sail library is just published downstream

[gcs278]

I think so - the comment is helpful. I'm pointing out that we are using the release-3.3.1 branch for now (it's not obvious when you see github.com/openshift-service-mesh/sail-operator v0.0.0-20260326131517-bb433f868807 that that is the release-3.3.1 branch).

[candita]

But I thought we had a way to get the 3.3.1 release without replace now? Is the istio-ecosystem/sail-operator not included in the downstream package? Why include github.com/istio-ecosystem/sail-operator to start with, then replace it when we could include github.com/openshift-service-mesh/sail-operator to start with?

[gcs278]

Oh sorry you meant the replace - yea we still need to do the replace because the openshift-service-mesh/sail-operator code itself imports via istio-ecosystem/sail-operator, like this.

This is because they fork from istio-ecosystem/sail-operator, and keep the module import common. Additionally, OSSM sail-operator is declared as istio-ecosystem/sail-operator. Even if I replace CIO's imports with openshift-service-mesh/sail-operator, it still will fail because the sail library vendors istio-ecosystem/sail-operator.

Hence the reason we need to still replace - it just resolves their naming requirements.

[candita]

Is it because of https://github.com/openshift-service-mesh/sail-operator/blob/release-3.3.1/go.mod#L190? We are using the release-3.3.1 branch's go.mod, right?

[gcs278]

Well not quite the reason, but it is another example of using a forked go module, your link shows:

replace istio.io/istio => github.com/openshift-service-mesh/istio v0.0.0-20260319123329-abdbf45d7cca

This is the sail operator (itself) vendoring the istio module from github.com/openshift-service-mesh/istio, which is also forked from istio.io/istio so the module name is kept the same as the upstream.

In summary - we must replace github.com/istio-ecosystem/sail-operator with github.com/openshift-service-mesh/sail-operator because the fork maintains the original module name for compatibility, just like how sail-operator itself redirects istio.io/istio to its forked Istio (the link you referenced).

The replace isn't due to release-3.3.1 specifically, but we are vendoring the sail library on the release-3.3.1 branch, yes.

[rikatz]

/lgtm
/approve
/hold

Unhold as you wish or as soon @candita is also fine with my answer

Thanks!

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [rikatz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rikatz]

/retest-required

[gcs278]

Oh I should try out the origin TP tests that @rhamini3 worked on:
/test e2e-aws-ovn-techpreview

[rikatz]

/hold cancel

[lihongan]

Pre-merge tested and looks good

// with PR the images pinned by digest
image: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:978f840ceda7eb00c6f15740bcd60e241bee732cd215e9de464ce431b0156ffa

// without the PR and images were tag-based
image: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.28.4

And please add /verified by e2e when all CI passed.

[rhamini3]

/test hypershift-e2e-aks

[gcs278]

unrelated hypershift failures:
/test e2e-hypershift
/test hypershift-e2e-aks

[gcs278]

/test e2e-aws-ovn-hypershift-conformance

[Miciah]

Steps performed:
Removed gateway-api version pin from go.mod
go get github.com/openshift-service-mesh/sail-operator@rv3.3.1
go get sigs.k8s.io/gateway-api@v1.4.1
go mod tidy
go mod vendor

For future reference, you can use go mod edit -dropreplace sigs.k8s.io/gateway-api to remove the pinning easily programmatically.

[Miciah]

this commit moves our vendored sail library from Aslak's dev branch to the release-3.3.1 branch in openshift-service-mesh/sail-operator. This provides a couple benefits, including the SHAs for the current OSSM 3.3.0 release that we are using, which eliminates the usage of floating tags in favor of pinned image SHAs as well as alignment of go module dependencies.
[...]
We were previously using the Aslak's dev branch which was rebased on the main branch of the Sail Operator. This change uses the current release-3.3.1 branch to align our dependencies and receive the latest SHAs in the CSV, rather than an OSSM version bump to 3.3.1 (coming shortly thereafter).

This is a bit confusing. Are you saying that the release-3.3.1 branch, despite its name, currently has the OSSM 3.3.0 SHAs?

It also isn't clear exactly how d1d43fa fits in; does specifying the image registry and image names cause Sail Library to use tags instead of SHAs?

[gcs278]

This is a bit confusing. Are you saying that the release-3.3.1 branch, despite its name, currently has the OSSM 3.3.0 SHAs?

Right, release-3.3.1 that we are moving to in this PR, has the OSSM 3.3.0 image SHAs for Istio v1.28.4. The keep these image SHAs so you can run older versions of istio with newer versions of OSSM.

It also isn't clear exactly how d1d43fa fits in; does specifying the image registry and image names cause Sail Library to use tags instead of SHAs?

Exactly. Using SetImageDefaults causes the Sail Library to ignore the CSV. But, the reason we had to add it, was because we were using the sail library on the main branch, which does not maintain it's CSV.

So, I agree, things are a bit confusing with sail library: we aren't bumping the Istio versions (staying at v1.28.4), but we are effectively bumping to OSSM 3.3.1 for the sail library (because that's the release where they introduced the sail library code). I suppose I should reword the PR description to reflect that. It's like using OSSM 3.3.1 but pinning to istio 1.28.4. Either way, it's better than using the main branch, which is just non-versioned latest dev code.

Also, I realize I could now bump again to get the official 3.3.1 SHAs (openshift-service-mesh/sail-operator#765 has merged), which is tagged as v3.3.1. That would make @rhamini3's OSSM 3.3.1 bump #1406 easier. Ill go ahead and do that since I don't have LGTM yet.

[lihongan]

/verified by e2e

[openshift-ci-robot]

@lihongan: This PR has been marked as verified by e2e.

Details

In response to this:

/verified by e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[lihongan]

/test images

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 019903c and 2 for PR HEAD 5a81d90 in total

[lihongan]

/test e2e-aws-ovn

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 204: The pinned dependency istio.io/istio at version
v0.0.0-20260306174229-7da666217518 is known to be affected by multiple HIGH
severity advisories; update the go.mod entry by either (a) replacing that
version with a newer patched Istio revision that explicitly contains fixes for
GHSA-7774-7vr3-cc8j, GHSA-856q-xv3c-7f2f, GHSA-hqxw-mm44-gc4r, and
GHSA-qcvw-82hh-gq38, or (b) if you must keep this revision, add and document the
downstream backport commits that remediate those GHSA/CVE issues in the
repository and ensure the go.sum/go mod tidy are updated; verify with go list -m
-json istio.io/istio (or equivalent) that the chosen revision contains the
patches before merging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a1fed331-5117-4fed-ac3e-250ff01e940f

📥 Commits

Reviewing files that changed from the base of the PR and between 5a81d90 and b1bbbb7.

⛔ Files ignored due to path filters (263)

• go.sum is excluded by !**/*.sum
• vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.ossm.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/base-1.26.2.tgz.etag is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/NOTES.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/reader-serviceaccount.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/NOTES.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/_helpers.tpl is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrole.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrolebinding.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/configmap-cni.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/daemonset.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/network-attachment-definition.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/networkpolicy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/resourcequota.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/serviceaccount.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzy_descope_legacy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/NOTES.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/_helpers.tpl is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/deployment.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/hpa.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/poddisruptionbudget.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/role.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/service.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/serviceaccount.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.schema.json is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/gateway-injection-template.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-agent.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-simple.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/injection-template.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/kube-gateway.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/waypoint.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/NOTES.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/_helpers.tpl is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/autoscale.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrole.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrolebinding.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-jwks.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/deployment.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/gateway-class-configmap.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/istiod-injector-configmap.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/mutatingwebhook.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/networkpolicy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/poddisruptionbudget.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrole.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrolebinding.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-endpoints.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-service.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/revision-tags.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/role.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/rolebinding.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/service.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/serviceaccount.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingadmissionpolicy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingwebhookconfiguration.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzy_descope_legacy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/revision-tags.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/NOTES.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/_helpers.tpl is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/daemonset.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/rbac.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/resourcequota.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/cni-1.26.2.tgz.etag is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/commit is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/gateway-1.26.2.tgz.etag is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/istiod-1.26.2.tgz.etag is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/default.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/empty.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/ztunnel-1.26.2.tgz.etag is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/base-1.26.3.tgz.etag is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/NOTES.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/reader-serviceaccount.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-ambient.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.23.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.24.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.25.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-demo.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-gke.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3d.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-microk8s.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-minikube.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-openshift.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-preview.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-remote.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-stable.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/NOTES.txt is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/_helpers.tpl is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrole.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrolebinding.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/configmap-cni.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/daemonset.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/network-attachment-definition.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/networkpolicy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/resourcequota.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/serviceaccount.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzy_descope_legacy.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzz_profile.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/values.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/Chart.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/README.md is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• pkg/operator/controller/gatewayclass/controller.go

💤 Files with no reviewable changes (1)

• pkg/operator/controller/gatewayclass/controller.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Extract the istio.io/istio version from go.mod
ISTIO_VER=$(rg -n '^\s*istio\.io/istio\s+v' go.mod | sed -E 's/.*istio\.io\/istio\s+(v[^ ]+).*/\1/')
echo "Detected istio.io/istio version: ${ISTIO_VER}"

# 2) Query OSV for known vulnerabilities on that exact version
curl -sS https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d "{\"package\":{\"name\":\"istio.io/istio\",\"ecosystem\":\"Go\"},\"version\":\"${ISTIO_VER}\"}" \
  | jq '.vulns[] | {id, summary, aliases, severity: (.database_specific.severity // "unknown"), modified}'

# 3) Check whether the repo already documents any explicit exception/backport note
rg -n -C 2 'GHSA-|CVE-|backport|vulnerability|security exception|istio\.io/istio' README.md go.mod || true

Repository: openshift/cluster-ingress-operator

Length of output: 1496

---

🏁 Script executed:

# Check for SECURITY.md or changelog documenting patches
find . -type f \( -iname "SECURITY.md" -o -iname "CHANGELOG*" -o -iname "RELEASE*" \) | head -20

# Look for any comments in go.mod or go.sum about security or istio
rg -n 'istio' go.sum || true

Repository: openshift/cluster-ingress-operator

Length of output: 1955

---

🏁 Script executed:

# Check the actual commit hash of this pseudo-version
# Pseudo-version format: v0.0.0-<timestamp>-<commithash>
# Extract commit hash and verify what it includes
echo "Pseudo-version breakdown:"
echo "Version: v0.0.0-20260306174229-7da666217518"
echo "Date: 2026-03-06"
echo "Commit hash (short): 7da666217518"

# Search for any documentation in the repo mentioning the specific vulnerabilities
rg -n 'CVE-2021-39155|CVE-2022-23635|CVE-2021-39156|CVE-2019-14993|CVE-2022-31045|GHSA-7774|GHSA-856q|GHSA-hqxw|GHSA-qcvw|GHSA-xwx5' . || echo "No specific CVE references found"

# Check if there's any upstream istio tracking or pinning rationale
rg -n -C 3 'istio' README.md || true

Repository: openshift/cluster-ingress-operator

Length of output: 231

---

Address HIGH severity Istio vulnerabilities before release.

The pinned istio.io/istio version v0.0.0-20260306174229-7da666217518 is flagged by OSV as affected by four HIGH severity advisories:

• GHSA-7774-7vr3-cc8j (CVE-2021-39155): Authorization Policy Bypass Due to Case Insensitive Host Comparison
• GHSA-856q-xv3c-7f2f (CVE-2022-23635): Unauthenticated control plane denial of service attack
• GHSA-hqxw-mm44-gc4r (CVE-2021-39156): Fragments in Path May Lead to Authorization Policy Bypass
• GHSA-qcvw-82hh-gq38 (CVE-2019-14993): Istio ReDoS Vulnerability

Confirm this commit includes downstream backports for these GHSAs, or bump to a patched revision before release.

🧰 Tools

🪛 OSV Scanner (2.3.5)

[HIGH] 204-204: istio.io/istio 0.0.0-20260306174229-7da666217518: Authorization Policy Bypass Due to Case Insensitive Host Comparison

(GHSA-7774-7vr3-cc8j)

---

[HIGH] 204-204: istio.io/istio 0.0.0-20260306174229-7da666217518: Unauthenticated control plane denial of service attack in Istio

(GHSA-856q-xv3c-7f2f)

---

[HIGH] 204-204: istio.io/istio 0.0.0-20260306174229-7da666217518: Istio Fragments in Path May Lead to Authorization Policy Bypass

(GHSA-hqxw-mm44-gc4r)

---

[HIGH] 204-204: istio.io/istio 0.0.0-20260306174229-7da666217518: Istio ReDoS Vulnerability

(GHSA-qcvw-82hh-gq38)

---

[HIGH] 204-204: istio.io/istio 0.0.0-20260306174229-7da666217518: Ill-formed headers may lead to unexpected behavior in Istio

(GHSA-xwx5-5c9g-x68x)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 204, The pinned dependency istio.io/istio at version
v0.0.0-20260306174229-7da666217518 is known to be affected by multiple HIGH
severity advisories; update the go.mod entry by either (a) replacing that
version with a newer patched Istio revision that explicitly contains fixes for
GHSA-7774-7vr3-cc8j, GHSA-856q-xv3c-7f2f, GHSA-hqxw-mm44-gc4r, and
GHSA-qcvw-82hh-gq38, or (b) if you must keep this revision, add and document the
downstream backport commits that remediate those GHSA/CVE issues in the
repository and ensure the go.sum/go mod tidy are updated; verify with go list -m
-json istio.io/istio (or equivalent) that the chosen revision contains the
patches before merging.

[rikatz]

@coderabbitai can you assess if any of the code used by this repository is actually impacted by this CVE? Given the Istio instance is deployed as a separated process from sail library and using pre-built binaries?

[coderabbitai]

🧩 Analysis chain

Let me check how istio.io/istio is actually used in this codebase.

---

🏁 Script executed:

#!/bin/bash
# Find all Go files that import anything from istio.io/istio
rg -n 'istio\.io/istio' --type go -B1 -A1

# Also check what packages from istio.io/istio are imported
rg -n '"istio\.io/istio' --type go

Length of output: 0

---

@rikatz, confirmed — none of the flagged CVEs impact this repository's operator binary.

Here's the assessment:

1. istio.io/istio is not imported anywhere in this repo's Go code. Running a full search across all .go files returns zero matches. It is a purely transitive dependency pulled in by github.com/istio-ecosystem/sail-operator, not used directly.

2. The CVEs are Istio runtime vulnerabilities, not library vulnerabilities that affect operator code:

   • GHSA-7774 / CVE-2021-39155: Authorization policy bypass via case-insensitive host comparison — affects the Istio proxy/control plane handling live traffic.
   • GHSA-856q / CVE-2022-23635: Unauthenticated control plane DoS — affects the Istiod server process.
   • GHSA-hqxw / CVE-2021-39156: Path fragment bypass — affects envoy/proxy traffic routing.
   • GHSA-qcvw / CVE-2019-14993: ReDoS — affects regex evaluation in the Istio control plane.
   • GHSA-xwx5: Ill-formed headers — affects Istio proxy parsing of live HTTP traffic.

3. Istio runs as pre-built container images (separate processes, separate security boundary). This operator only manages Istio CRDs/lifecycle via the Sail Library — it does not serve Istio traffic, implement authorization policies, or execute any of the vulnerable code paths.

The OSV scanner flagged this purely because the module appears in go.mod/go.sum transitively, which is a known false-positive pattern for operator-style projects that vendor upstream module types without executing their runtime logic. The finding can be safely dismissed for this PR.

[rikatz]

/retest-required
/lgtm

[gcs278]

@CodeRabbit can you give me an analysis of the e2e-aws-operator-techpreview failure?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get PR checks to find the e2e-aws-operator-techpreview job status and URL
gh pr checks 1404 --repo openshift/cluster-ingress-operator 2>/dev/null | grep -i "techpreview" | head -20

echo "=== All checks ==="
gh pr checks 1404 --repo openshift/cluster-ingress-operator 2>/dev/null | head -60

Length of output: 6075

---

🏁 Script executed:

#!/bin/bash
FAILED_RUN="2038604716631396352"
BASE_URL="https://storage.googleapis.com/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1404/pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-operator-techpreview/${FAILED_RUN}"

# Check finished.json
curl -s "${BASE_URL}/finished.json" 2>/dev/null
echo "---"

# Get all FAIL lines from build log
echo "=== FAIL lines ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | grep "^--- FAIL" | head -30

echo "=== Overall FAIL/PASS summary ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | grep -E "^(FAIL|ok)\s" | head -30

Length of output: 699

---

🏁 Script executed:

#!/bin/bash
FAILED_RUN="2038604716631396352"
BASE_URL="https://storage.googleapis.com/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1404/pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-operator-techpreview/${FAILED_RUN}"

# Get more specific failure details
echo "=== FAIL: lines ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | grep "FAIL:" | head -40

echo "=== panic lines ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | grep -i "panic\|timed out\|timeout\|Error Trace\|Error:" | head -40

echo "=== Last 200 lines of build log ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | tail -200

Length of output: 38841

---

🏁 Script executed:

#!/bin/bash
FAILED_RUN="2038604716631396352"
BASE_URL="https://storage.googleapis.com/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1404/pull-ci-openshift-cluster-ingress-operator-master-e2e-aws-operator-techpreview/${FAILED_RUN}"

echo "=== dynamic-config-manager failure context ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | grep -A 30 "dynamic-config-manager" | grep -v "=== RUN\|=== PAUSE\|=== CONT\|=== NAME" | head -60

echo "=== max-dynamic-servers failure context ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | grep -A 30 "max-dynamic-servers" | grep -v "=== RUN\|=== PAUSE\|=== CONT\|=== NAME" | head -60

echo "=== TestUnsupportedConfigOverride full section ==="
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | grep -A 5 "TestUnsupportedConfigOverride" | head -60

# Search for Error Trace in the full log around UnsupportedConfigOverride
curl -s "${BASE_URL}/build-log.txt" 2>/dev/null | python3 -c "
import sys
lines = sys.stdin.readlines()
in_section = False
for i, line in enumerate(lines):
    if 'UnsupportedConfigOverride' in line or 'dynamic-config-manager' in line or 'max-dynamic-servers' in line:
        in_section = True
    if in_section:
        print(lines[i].rstrip())
        if i > 0 and ('--- PASS' in line or '--- FAIL' in line or '--- SKIP' in line) and 'UnsupportedConfigOverride' not in line and 'dynamic-config-manager' not in line and 'max-dynamic-servers' not in line:
            in_section = False
" 2>/dev/null | head -150

Length of output: 23413

---

@gcs278 Here's the analysis of the e2e-aws-operator-techpreview failure (run 2038604716631396352):

Failing Tests

Only two sub-tests failed, both under TestUnsupportedConfigOverride:

Sub-test	Duration	Result
dynamic-config-manager	112.64s	FAIL
contstats	82.77s	PASS
max-dynamic-servers	112.61s	FAIL

Root Cause

Both failures share the same error pattern — a timeout waiting for the initial deployment to not have specific env vars set:

operator_test.go:3671: expected initial deployment not to set ROUTER_HAPROXY_CONFIG_MANAGER=true: timed out waiting for the condition
operator_test.go:3671: expected initial deployment not to set ROUTER_MAX_DYNAMIC_SERVERS=1: timed out waiting for the condition

The test also logs:

operator_test.go:3635: DynamicConfigurationManager feature gate is enabled for this test

Both sub-tests timed out at almost exactly the same duration (~112s), suggesting they hit the same polling deadline. The tests were waiting for a router deployment to roll out (or a condition to clear), but it didn't happen within the timeout window in this techpreview environment.

Key Observations

1. Unrelated to this PR — The failures are in TestUnsupportedConfigOverride (HAProxy config manager / dynamic servers feature behavior), which has nothing to do with Sail Library vendoring or Gateway API changes.

2. All GatewayAPI/Sail Library tests passed — testGatewayAPIIstioInstallationSailLibrary ✅, testGatewayAPIIstioUninstallSailLibrary ✅, and all other TestGatewayAPI sub-tests passed cleanly.

3. contstats sibling sub-test passed — confirming the test framework and the techpreview cluster were functional; only the dynamic-config-manager and max-dynamic-servers sub-tests hit the timeout, likely due to slower deployment rollout in this specific run.

4. Techpreview-specific — The e2e-aws-operator (non-techpreview) job passed in the same batch, meaning this is isolated to the techpreview environment's timing characteristics.

Conclusion

This looks like an infrastructure/timing flake in the techpreview environment — the router deployment rollout for those two UnsupportedConfigOverride sub-tests didn't complete within the ~112s polling window. This is unrelated to your sail library vendoring changes. Safe to retest.

[gcs278]

@CodeRabbit, good try, but I think it's because of #1385 adding an API so the TP test needs to be updated.

Otherwise, e2e-aws-operator-techpreview looks good, our test passed 👍

The e2e-aws-ovn-hypershift-conformance pod resize failure is expected, and we have the OK to override:
/override ci/prow/e2e-aws-ovn-hypershift-conformance

e2e-hypershift flaked again on teardown, I'll give it one more spin since we are sometimes passing:
/test e2e-hypershift

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@gcs278 Thanks for the correction — that makes sense. PR #1385 adding a new API would explain why TestUnsupportedConfigOverride/dynamic-config-manager and TestUnsupportedConfigOverride/max-dynamic-servers both hit the same timeout pattern; I misread it as an infra flake rather than a test that needs to be updated to account for the new API behavior. Glad the Sail Library / GatewayAPI TP tests all passed! 👍

Good luck with the e2e-hypershift rerun — hopefully the teardown flake doesn't recur this time.

---

📝 Learnings were identified and not saved (knowledge base disabled). Enable

[openshift-ci]

@gcs278: Overrode contexts on behalf of gcs278: ci/prow/e2e-aws-ovn-hypershift-conformance

Details

In response to this:

@CodeRabbit, good try, but I think it's because of #1385 adding an API so the TP test needs to be updated.

Otherwise, e2e-aws-operator-techpreview looks good, our test passed 👍

The e2e-aws-ovn-hypershift-conformance pod resize failure is expected, and we have the OK to override:
/override ci/prow/e2e-aws-ovn-hypershift-conformance

e2e-hypershift flaked again on teardown, I'll give it one more spin since we are sometimes passing:
/test e2e-hypershift

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rhamini3]

/verified by e2e
thanks!

[openshift-ci-robot]

@rhamini3: This PR has been marked as verified by e2e.

Details

In response to this:

/verified by e2e
thanks!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD d212fd1 and 2 for PR HEAD b1bbbb7 in total

[rikatz]

/retest-required

[openshift-ci]

@gcs278: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator-techpreview	b1bbbb7	link	false	/test e2e-aws-operator-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[lihongan]

Change included in accepted release 4.22.0-0.nightly-2026-04-01-092906