Skip to content

OCPBUGS-65926: UPSTREAM: <carry>: backporting fix for concurrent map iteration and write #75

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ingvagabund wants to merge 4 commits into
base: openshift-apiserver-4.20-kubernetes-1.33
Choose a base branch
from
Open

OCPBUGS-65926: UPSTREAM: <carry>: backporting fix for concurrent map iteration and write #75

ingvagabund wants to merge 4 commits into from

Conversation

@ingvagabund
Copy link
Member

@ingvagabund ingvagabund commented Nov 24, 2025

Mimicking backports as in openshift/kubernetes#2443. This time for openshift-apiserver.

sxllwx and others added 4 commits November 24, 2025 13:56
@sxllwx @ingvagabund
UPSTREAM: 129472: Fix API server crash on concurrent map iteration an…
7c7906e 
…d write

Improve audit context handling by encapsulating event data and operations behind a structured API. Make
the Audit system more robust in concurrent environments by properly isolating mutable state. The cleaner
API simplifies interaction with audit events, improving maintainability. Encapsulation reduces bugs
by preventing direct manipulation of audit events.

Signed-off-by: Davanum Srinivas <[email protected]>
Co-Authored-By: Jordan Liggitt <[email protected]>
Co-Authored-By: sxllwx <[email protected]>

Kubernetes-commit: 75afa1e0acfb309d984be14937a06f796f220cd6
@dims @ingvagabund
UPSTREAM: 131694: Eliminate AuditContext`s SetEventLevel
fb6914a 
Signed-off-by: Davanum Srinivas <[email protected]>
Co-Authored-By: Jordan Liggitt <[email protected]>

Set event level during context init

Signed-off-by: Davanum Srinivas <[email protected]>

Kubernetes-commit: 960a4939f2502f2a8f2b923203e9075354e4bdc0
@dims @ingvagabund
UPSTREAM: 131725: Avoid encoding in LogResponseObject when we are not…
550c6e4 
… going to use it

Signed-off-by: Davanum Srinivas <[email protected]>

Kubernetes-commit: e418ee3a92ca6c670d26f775b0f669e8a5fe233c
@dims @ingvagabund
UPSTREAM: 131725: Avoid encoding in LogResponseObject when we are not…
7bc3c99 
… going to use it

Signed-off-by: Davanum Srinivas <[email protected]>

Kubernetes-commit: 153233c677d62c0254d54c1e7013645a081ac03d
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 24, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 24, 2025

@ingvagabund: This pull request references Jira Issue OCPBUGS-65926, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-65926 to depend on a bug in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Mimicking backports as in openshift/kubernetes#2443. This time for openshift-apiserver.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ingvagabund
Copy link
Member Author

ingvagabund commented Nov 24, 2025

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 24, 2025
@openshift-ci openshift-ci bot requested review from deads2k and tkashem November 24, 2025 13:09
@ingvagabund ingvagabund mentioned this pull request Nov 24, 2025
Open
@ingvagabund
Copy link
Member Author

ingvagabund commented Nov 24, 2025
edited
Loading

openshift/openshift-apiserver#580 as evidence the backported commits pass the CI

@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 2, 2025

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 2, 2025
@p0lyn0mial
Copy link

p0lyn0mial commented Dec 3, 2025

was it a clean pick ?
did you run into any conflicts ?

@p0lyn0mial
Copy link

p0lyn0mial commented Dec 3, 2025

I think that this repo is used by: openshift-apiserver, oauth-apiserver and oauth-server
we need to test/validate all servers.

also it looks like all these servers are pinned to v0.0.0-20250917144435-182485d204aa // points to openshift-apiserver-4.20-kubernetes-1.33 on the master branches:

https://github.com/openshift/openshift-apiserver/blob/main/go.mod#L197C9-L197C152
https://github.com/openshift/oauth-apiserver/blob/master/go.mod#L147
https://github.com/openshift/oauth-server/blob/master/go.mod#L122

@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 3, 2025

was it a clean pick ?
did you run into any conflicts ?

All clean, no conflicts.

Double checking again locally:

This was referenced Dec 3, 2025
Open
Open
@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 3, 2025

Evidence PRs:

@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 3, 2025

/hold

until all evidence PRs are green

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 3, 2025
@p0lyn0mial
Copy link

p0lyn0mial commented Dec 3, 2025

@ingvagabund since the repos/servers are pinned to v0.0.0-20250917144435-182485d204aa // points to openshift-apiserver-4.20-kubernetes-1.33 on the master branches shouldn't we tests against the master branches ?

@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 3, 2025

1.34/master already have the cherry-picked/backported commits based on

Once openshift-apiserver-4.21-kubernetes-1.34 gets created it will be there. So the master branches for all the serves will get tested then. I am not sure when that's going to happen.

@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 3, 2025

Looks like https://github.com/openshift/oauth-server has not been bumped to 1.34 yet. Also, since ocp 4.17 all the rebases have been merged into master branch only.

@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 3, 2025
edited
Loading

From oauth-server:

$ make
go build -mod=vendor -trimpath -ldflags "-X github.com/openshift/oauth-server/pkg/version.versionFromGit="v0.0.0-alpha.0-230-g5161935" -X github.com/openshift/oauth-server/pkg/version.commitFromGit="51619356" -X github.com/openshift/oauth-server/pkg/version.gitTreeState="clean" -X github.com/openshift/oauth-server/pkg/version.buildDate="2025-12-03T21:44:31Z" " github.com/openshift/oauth-server/cmd/oauth-server
# github.com/openshift/oauth-server/pkg/oauth/handlers
pkg/oauth/handlers/default_auth_handler.go:118:17: undefined: audit.AuditEventFrom
make: *** [vendor/github.com/openshift/build-machinery-go/make/targets/golang/build.mk:16: build] Error 1

A valid error since AuditEventFrom got removed.

@ingvagabund
Copy link
Member Author

ingvagabund commented Dec 3, 2025
edited
Loading

AuditEventFrom partially restored via kubernetes/kubernetes#133765

EDIT: mimicking the code changes from https://github.com/kubernetes/kubernetes/pull/129472/files#diff-4ff3580afd7cb271bca442e8bed618441aca39c8a257e45a5cf329d63e620068R50-R52.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@tkashem tkashem Awaiting requested review from tkashem

Assignees

No one assigned

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ingvagabund @openshift-ci-robot @p0lyn0mial @sxllwx @dims