OPRUN-4601: use resource-based RBAC for lifecycle-server auth #1290

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from perdasilva:lifecycle-server-auth on May 8, 2026

Conversation

@perdasilva
Contributor

@perdasilva perdasilva commented May 6, 2026

Summary

  • Replace the controller-runtime metrics auth filter (filters.WithAuthenticationAndAuthorization) with a custom resource-based authorization middleware for the lifecycle-server API
  • The metrics filter performed nonResourceURL-based SubjectAccessReviews, which meant the default system:discovery ClusterRole (granting GET on /api/*) allowed any authenticated user to bypass authorization
  • The new middleware creates SubjectAccessReviews with ResourceAttributes (apiGroup: lifecycle.olm.openshift.io, resource: lifecycles, verb: get) so access requires an explicit ClusterRoleBinding to the new lifecycle-server-consumer ClusterRole

Changes

  • pkg/lifecycle-server/auth.go — New auth middleware using DelegatingAuthenticatorConfig + DelegatingAuthorizerConfig with resource-based AttributesRecord
  • pkg/lifecycle-server/auth_test.go — 7 unit tests covering all auth code paths (401, 403, 500, 200, DecisionNoOpinion, attributes verification, reason non-leakage)
  • cmd/lifecycle-server/start.go — Swap metrics filter for new NewAuthFilter

Test plan

  • go build ./cmd/lifecycle-server/... compiles
  • go test ./pkg/lifecycle-server/... — all tests pass
  • go vet ./pkg/lifecycle-server/... ./cmd/lifecycle-server/... — clean
  • Deploy to cluster and verify: unauthenticated requests get 401, authenticated requests without the consumer ClusterRoleBinding get 403, requests with the binding get 200

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Enforces authentication and authorization for lifecycle server API requests; returns appropriate HTTP status codes for auth outcomes.
  • Refactor

    • Simplified middleware wiring and startup error handling.
  • Tests

    • Added unit tests for unauthenticated, unauthorized, error, and allowed request scenarios and attribute construction.
  • Chores

    • Updated Go module dependencies and metadata.
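
The difference between the two SubjectAccessReview shapes described in the PR summary, as an added example (not code from this PR or from Kubernetes): a simplified RBAC rule matcher in which the Rule and Attrs types, the helper names and the request path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for one RBAC PolicyRule (not the Kubernetes type).
type Rule struct {
	Verbs, APIGroups, Resources, NonResourceURLs []string
}

// Attrs is a simplified stand-in for what a SubjectAccessReview asks about.
type Attrs struct {
	ResourceRequest                bool
	Verb, APIGroup, Resource, Path string
}

// has reports whether list contains want or the "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// pathMatches follows RBAC nonResourceURL matching: an exact match, or a
// prefix match when the pattern ends in "*".
func pathMatches(patterns []string, path string) bool {
	for _, p := range patterns {
		if p == path || (strings.HasSuffix(p, "*") && strings.HasPrefix(path, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants the request. Resource requests are
// matched only against resource rules, path requests only against URL rules.
func Allowed(rules []Rule, a Attrs) bool {
	for _, r := range rules {
		if !has(r.Verbs, a.Verb) {
			continue
		}
		if a.ResourceRequest && has(r.APIGroups, a.APIGroup) && has(r.Resources, a.Resource) {
			return true
		}
		if !a.ResourceRequest && pathMatches(r.NonResourceURLs, a.Path) {
			return true
		}
	}
	return false
}

// DiscoveryRule models the grant the PR summary attributes to system:discovery.
func DiscoveryRule() Rule {
	return Rule{Verbs: []string{"get"}, NonResourceURLs: []string{"/api/*"}}
}

// ConsumerRule models what a lifecycle-server-consumer role would need to grant.
func ConsumerRule() Rule {
	return Rule{Verbs: []string{"get"}, APIGroups: []string{"lifecycle.olm.openshift.io"}, Resources: []string{"lifecycles"}}
}

// OldCheck is the nonResourceURL question the metrics filter asked.
func OldCheck(path string) Attrs { return Attrs{Verb: "get", Path: path} }

// NewCheck is the resource question the new middleware asks.
func NewCheck() Attrs {
	return Attrs{ResourceRequest: true, Verb: "get", APIGroup: "lifecycle.olm.openshift.io", Resource: "lifecycles"}
}

func main() {
	path := "/api/v1/lifecycles/example-package" // constructed request path
	anyUser := []Rule{DiscoveryRule()}
	consumer := []Rule{DiscoveryRule(), ConsumerRule()}
	fmt.Println("old check, discovery only:", Allowed(anyUser, OldCheck(path)))
	fmt.Println("new check, discovery only:", Allowed(anyUser, NewCheck()))
	fmt.Println("new check, with consumer role:", Allowed(consumer, NewCheck()))
}
```

The same subject passes the path-based check on the discovery grant alone and is refused by the resource-based check until the consumer rule is bound.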

@coderabbitai

coderabbitai Bot commented May 6, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Replaces controller-runtime auth wiring with a new server.NewAuthFilter(restCfg, httpClient, log) that returns an HTTP middleware performing TokenReview authentication and SubjectAccessReview authorization for get on lifecycle.olm.openshift.io/lifecycles; wires the middleware into the API handler, adds unit tests, and updates go.mod.

Changes

Lifecycle Server Authentication Middleware

Layer / File(s): Summary

  • Data / Constants (pkg/lifecycle-server/auth.go): Introduces unexported constants for target API group/resource used by authorization checks.
  • Core Implementation (pkg/lifecycle-server/auth.go): Adds NewAuthFilter(cfg *rest.Config, httpClient *http.Client, log logr.Logger) (func(http.Handler) http.Handler, error) and the middleware that: builds TokenReview authenticator and SubjectAccessReview authorizer (with webhook retry/backoff and caching), disables anonymous auth, authenticates requests, maps outcomes to 401/403/500, and forwards only when authorization decision is Allow for get on lifecycles.
  • Server Wiring (cmd/lifecycle-server/start.go): Removes controller-runtime metrics/filters import; constructs authFilter via server.NewAuthFilter(...) and applies it with apiHandler := authFilter(baseHandler) (startup otherwise unchanged).
  • Tests (pkg/lifecycle-server/auth_test.go): Adds unit tests with fakeAuthenticator and fakeAuthorizer verifying response codes and behavior for: unauthenticated (401), authentication errors (500), denied/no-opinion (403), allowed (200), attribute construction, and authorizer errors (500).
  • Dependencies (go.mod): Moves k8s.io/apiserver v0.35.4 into direct require and updates/adds several k8s.io/* module entries (e.g., k8s.io/cli-runtime v0.35.0).

Sequence Diagram

sequenceDiagram
    participant Client
    participant AuthMiddleware as Auth Middleware
    participant Authenticator as TokenReview Authenticator
    participant Authorizer as SubjectAccessReview Authorizer
    participant Handler as Inner Handler

    Client->>AuthMiddleware: HTTP Request
    AuthMiddleware->>Authenticator: AuthenticateRequest()
    alt Authentication Error
        Authenticator-->>AuthMiddleware: Error
        AuthMiddleware-->>Client: 500 Internal Server Error
    else Unauthenticated
        Authenticator-->>AuthMiddleware: No User
        AuthMiddleware-->>Client: 401 Unauthorized
    else Authenticated
        Authenticator-->>AuthMiddleware: User Identity
        AuthMiddleware->>Authorizer: Authorize(user, verb="get", apiGroup="lifecycle.olm.openshift.io", resource="lifecycles")
        alt Authorization Error
            Authorizer-->>AuthMiddleware: Error
            AuthMiddleware-->>Client: 500 Internal Server Error
        else Denied or NoOpinion
            Authorizer-->>AuthMiddleware: Denied / NoOpinion
            AuthMiddleware-->>Client: 403 Forbidden
        else Allowed
            Authorizer-->>AuthMiddleware: Allowed
            AuthMiddleware->>Handler: Forward request
            Handler-->>Client: Handler response
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Test Structure And Quality (⚠️ Warning): Assertions lack failure messages on lines 54, 73, 95, 118, 139, 162-167, 189. Violates requirement #4 and inconsistent with existing tests in server_test.go and fbc_test.go. Resolution: Add failure messages to all require assertions. Change require.Equal(t, http.StatusUnauthorized, rec.Code) to require.Equal(t, http.StatusUnauthorized, rec.Code, "expected 401 Unauthorized").

✅ Passed checks (10 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately and specifically describes the main change: replacing controller-runtime metrics-based auth with resource-based RBAC for the lifecycle-server authentication.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (✅ Passed): Custom check for Ginkgo test names does not apply. New tests use standard Go testing (testing.T), not Ginkgo. No Ginkgo-style test definitions found.
  • Microshift Test Compatibility (✅ Passed): No Ginkgo e2e tests were added in this PR. The changes include unit tests in auth_test.go using standard Go testing package with *testing.T, not Ginkgo tests. Check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility (✅ Passed): No Ginkgo e2e tests added. PR contains only Go unit tests for HTTP middleware with mocked authenticators. SNO check applies only to Ginkgo e2e tests.
  • Topology-Aware Scheduling Compatibility (✅ Passed): PR modifies only authentication/authorization code (Go files) and dependencies. No deployment manifests, Kubernetes resources, or scheduling constraints are introduced.
  • Ote Binary Stdout Contract (✅ Passed): No stdout contract violations found. All logging uses klog/v2 (writes to stderr by default), error output explicitly uses os.Stderr, and new auth middleware has no stdout writes.
  • Ipv6 And Disconnected Network Test Compatibility (✅ Passed): PR adds only standard Go unit tests (auth_test.go), not Ginkgo e2e tests. The check applies only to Ginkgo e2e tests; this is not applicable.

@openshift-ci openshift-ci Bot requested review from fgiudici and oceanc80 May 6, 2026 09:21
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 6, 2026
@perdasilva perdasilva force-pushed the lifecycle-server-auth branch from 7fc0232 to cd520b2 Compare May 6, 2026 13:03
@perdasilva perdasilva changed the title feat: use resource-based RBAC for lifecycle-server auth OPRUN-4601: use resource-based RBAC for lifecycle-server auth May 6, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 6, 2026
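
The decision flow in the walkthrough and sequence diagram above, sketched with the standard library only as an added example (not the PR's auth.go): the Authenticator and Authorizer function types, the fakes, the request path and the response strings other than "Authentication failed" are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Decision mirrors the three authorizer outcomes named on this page.
type Decision int

const (
	DecisionDeny Decision = iota
	DecisionAllow
	DecisionNoOpinion
)

// Authenticator and Authorizer are hypothetical function types for this sketch.
type Authenticator func(r *http.Request) (user string, ok bool, err error)
type Authorizer func(user, verb, apiGroup, resource string) (Decision, string, error)

// AuthFilter forwards a request only on an explicit Allow; every other outcome fails closed.
func AuthFilter(authn Authenticator, authz Authorizer) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			user, ok, err := authn(r)
			if err != nil {
				http.Error(w, "Authentication failed", http.StatusInternalServerError)
				return
			}
			if !ok {
				http.Error(w, "Unauthorized", http.StatusUnauthorized)
				return
			}
			d, _, err := authz(user, "get", "lifecycle.olm.openshift.io", "lifecycles")
			if err != nil {
				http.Error(w, "Authorization failed", http.StatusInternalServerError)
				return
			}
			if d != DecisionAllow {
				// Deny and NoOpinion are both refused; the authorizer's reason is not echoed.
				http.Error(w, "Forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// Probe sends one constructed GET through the filter and returns status and body.
func Probe(authn Authenticator, authz Authorizer) (int, string) {
	inner := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/lifecycles/example-package", nil)
	AuthFilter(authn, authz)(inner).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// Constructed fakes, one per authentication branch.
func NoToken(*http.Request) (string, bool, error) { return "", false, nil }
func AuthnDown(*http.Request) (string, bool, error) {
	return "", false, errors.New("tokenreview unavailable")
}
func Alice(*http.Request) (string, bool, error) { return "alice", true, nil }

// Decide builds a fake authorizer that always returns the given outcome.
func Decide(d Decision, reason string, err error) Authorizer {
	return func(_, _, _, _ string) (Decision, string, error) { return d, reason, err }
}

// SARDown is a fake authorizer whose review call fails.
var SARDown = Decide(DecisionNoOpinion, "", errors.New("subjectaccessreview unavailable"))

func main() {
	fmt.Println(Probe(NoToken, Decide(DecisionAllow, "", nil)))
	fmt.Println(Probe(Alice, Decide(DecisionNoOpinion, "", nil)))
	fmt.Println(Probe(Alice, Decide(DecisionAllow, "", nil)))
}
```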
@openshift-ci-robot

openshift-ci-robot commented May 6, 2026

@perdasilva: This pull request references OPRUN-4601 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

  • Replace the controller-runtime metrics auth filter (filters.WithAuthenticationAndAuthorization) with a custom resource-based authorization middleware for the lifecycle-server API
  • The metrics filter performed nonResourceURL-based SubjectAccessReviews, which meant the default system:discovery ClusterRole (granting GET on /api/*) allowed any authenticated user to bypass authorization
  • The new middleware creates SubjectAccessReviews with ResourceAttributes (apiGroup: lifecycle.olm.openshift.io, resource: lifecycles, verb: get) so access requires an explicit ClusterRoleBinding to the new lifecycle-server-consumer ClusterRole

Changes

  • pkg/lifecycle-server/auth.go — New auth middleware using DelegatingAuthenticatorConfig + DelegatingAuthorizerConfig with resource-based AttributesRecord
  • pkg/lifecycle-server/auth_test.go — 7 unit tests covering all auth code paths (401, 403, 500, 200, DecisionNoOpinion, attributes verification, reason non-leakage)
  • cmd/lifecycle-server/start.go — Swap metrics filter for new NewAuthFilter
  • tmp-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml — Add lifecycle-server-consumer ClusterRole for API consumers
  • tmp-manifests/0000_50_olm_08-lifecycle-controller.rbac.yaml — Grant lifecycle-controller access to the lifecycle API

Test plan

  • go build ./cmd/lifecycle-server/... compiles
  • go test ./pkg/lifecycle-server/... — all tests pass
  • go vet ./pkg/lifecycle-server/... ./cmd/lifecycle-server/... — clean
  • Deploy to cluster and verify: unauthenticated requests get 401, authenticated requests without the consumer ClusterRoleBinding get 403, requests with the binding get 200

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

  • Added authentication and authorization middleware for lifecycle server API requests, enforcing Kubernetes token-based auth and RBAC checks.

  • Refactor

  • Internalized middleware integration to simplify request handling and improve error paths.

  • Tests

  • Added unit tests covering unauthenticated, unauthorized, error, and allowed request scenarios.

  • Chores

  • Updated build dependencies and module metadata.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/lifecycle-server/auth.go (1)

21-24: ⚡ Quick win

Keep these constants unexported.

APIGroup and Resource look internal to this middleware and the tests can still use them without exporting. Lowercasing them avoids accidentally growing the server package API surface.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/lifecycle-server/auth.go` around lines 21 - 24, Rename the exported
constants APIGroup and Resource to unexported identifiers (e.g., apiGroup and
resource) in the auth.go file and update all internal references to those
symbols (including unit tests in the same package) so the package API surface
doesn't grow unintentionally; ensure no external package code relies on
APIGroup/Resource and adjust tests or move them into the same package if
necessary.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/lifecycle-server/auth.go`:
- Around line 86-92: The SAR call is missing the resource Name so
resourceNames-scoped RBAC can't match; in the authz.Authorize invocation that
constructs authorizer.AttributesRecord (the block that sets User: res.User,
Verb: "get", APIGroup: APIGroup, Resource: Resource, ResourceRequest: true),
extract the package name from the request path (the {package} segment of
/api/{version}/lifecycles/{package} using req.URL.Path parsing or the router
vars) and set AttributesRecord.Name to that package string before calling
authz.Authorize so the authorization is evaluated against the specific lifecycle
resource.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 269ceef6-45fa-480f-9ce0-030e8cb99009

📥 Commits

Reviewing files that changed from the base of the PR and between 7fc0232 and cd520b2.

📒 Files selected for processing (4)
  • cmd/lifecycle-server/start.go
  • go.mod
  • pkg/lifecycle-server/auth.go
  • pkg/lifecycle-server/auth_test.go

Comment thread pkg/lifecycle-server/auth.go
@joelanford
Member

PR description says:

  • tmp-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml — Add lifecycle-server-consumer ClusterRole for API consumers
  • tmp-manifests/0000_50_olm_08-lifecycle-controller.rbac.yaml — Grant lifecycle-controller access to the lifecycle API

But I don't see those in the changeset. iirc, the manifests directory is generated, and I had to trace where to put the new lifecycle-controller manifests to ensure the generation step puts them in the CVO manifests directory.

@perdasilva
Contributor Author

PR description says:

  • tmp-manifests/0000_50_olm_09-lifecycle-server.rbac.yaml — Add lifecycle-server-consumer ClusterRole for API consumers
  • tmp-manifests/0000_50_olm_08-lifecycle-controller.rbac.yaml — Grant lifecycle-controller access to the lifecycle API

But I don't see those in the changeset. iirc, the manifests directory is generated, and I had to trace where to put the new lifecycle-controller manifests to ensure the generation step puts them in the CVO manifests directory.

sorry about that - I've updated the description. Those were either wrong or breadcrumbs for the client-side RBAC requirements

@perdasilva perdasilva force-pushed the lifecycle-server-auth branch from cd520b2 to 11ba9c5 Compare May 7, 2026 07:21
@perdasilva
Contributor Author

/retest

Comment thread pkg/lifecycle-server/auth.go Outdated
Comment thread pkg/lifecycle-server/auth_test.go
@joelanford
Member

/hold
for a couple of nits (feel free to unhold as you please)

/lgtm

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 7, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 7, 2026
@perdasilva perdasilva force-pushed the lifecycle-server-auth branch from 11ba9c5 to 8bef57e Compare May 8, 2026 07:14
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 8, 2026
@perdasilva
Contributor Author

/unhold

I've addressed the comments =D

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 8, 2026
@perdasilva perdasilva force-pushed the lifecycle-server-auth branch from 8bef57e to 3560581 Compare May 8, 2026 07:32
@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
pkg/lifecycle-server/auth.go (1)

86-92: ⚡ Quick win

Consider adding an explicit HTTP method check to the auth middleware for defense-in-depth.

Currently, the auth middleware hardcodes Verb: "get" when authorizing requests. While all existing routes are registered with the explicit "GET /path" pattern (which causes Go's http.ServeMux to automatically reject non-GET requests with 405 Method Not Allowed), adding an explicit method gate in the middleware would prevent a potential security gap if future routes are added without an explicit method prefix.

♻️ Proposed hardening diff
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			if req.Method != http.MethodGet {
+				http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+				return
+			}
+
 			res, ok, err := authn.AuthenticateRequest(req)
 			if err != nil {
 				log.Error(err, "authentication failed")
 				http.Error(w, "Authentication failed", http.StatusInternalServerError)
 				return
 			}
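Review bot: The `req.Method != http.MethodGet` gate at the top of the handler also rejects HEAD, which Go's http.ServeMux accepts for the "GET /path" patterns mentioned above, so it changes current behaviour rather than only guarding future routes; allow `http.MethodHead` as well or confirm that HEAD is not needed. The 405 response is also sent without an `Allow` header; set it with `w.Header().Set("Allow", "GET, HEAD")` before calling `http.Error`. Because the gate runs before `authn.AuthenticateRequest`, an unauthenticated caller using another method gets 405 instead of 401, which deserves its own test case.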
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/lifecycle-server/auth.go` around lines 86 - 92, The middleware currently
passes a hardcoded Verb: "get" to authz.Authorize; add an explicit HTTP method
check in the auth middleware before calling authz.Authorize so the request's
method is validated (e.g., ensure req.Method == "GET" or map other allowed
methods) and reject invalid methods with an HTTP 405/403 as appropriate; update
the call site that constructs authorizer.AttributesRecord (the block using
res.User and Verb: "get") to derive Verb from req.Method (normalized/lowercased)
or to gate by req.Method first, so authorization always matches the actual HTTP
verb.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c6fc3eef-1b7b-4474-83fb-c786fae4927f

📥 Commits

Reviewing files that changed from the base of the PR and between 8bef57e and 3560581.

📒 Files selected for processing (4)
  • cmd/lifecycle-server/start.go
  • go.mod
  • pkg/lifecycle-server/auth.go
  • pkg/lifecycle-server/auth_test.go
✅ Files skipped from review due to trivial changes (1)
  • pkg/lifecycle-server/auth_test.go

Member

@fgiudici fgiudici left a comment

We are missing the manifest for the new RBAC needed for the new auth in the PR.
Is it something to be addressed later/somewhere else?

Comment thread pkg/lifecycle-server/auth_test.go Outdated
Comment thread pkg/lifecycle-server/auth_test.go Outdated
Comment thread pkg/lifecycle-server/auth_test.go Outdated
Comment thread pkg/lifecycle-server/auth_test.go Outdated
Comment thread pkg/lifecycle-server/auth_test.go Outdated
Replace the controller-runtime metrics auth filter with a custom
resource-based authorization middleware. The metrics filter performed
nonResourceURL-based SubjectAccessReviews, which meant the default
system:discovery ClusterRole (granting GET on /api/*) allowed any
authenticated user to access the lifecycle-server API.

The new middleware creates SubjectAccessReviews with ResourceAttributes
(apiGroup: lifecycle.olm.openshift.io, resource: lifecycles, verb: get)
so access requires an explicit ClusterRoleBinding to the new
lifecycle-server-consumer ClusterRole.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Per G. da Silva <pegoncal@redhat.com>
@perdasilva perdasilva force-pushed the lifecycle-server-auth branch from 3560581 to 2b05ab2 Compare May 8, 2026 08:12
Member

@fgiudici fgiudici left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 8, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 8, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fgiudici, perdasilva

@fgiudici
Member

fgiudici commented May 8, 2026

/verified bypass

The lifecycle-server will be spawned by the lifecycle-controller, not yet merged, so this code cannot be really tested.
We are going to test the whole new feature when we have all the pieces in place.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 8, 2026
@openshift-ci-robot

@fgiudici: The verified label has been added.

@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD da5f5f3 and 2 for PR HEAD 2b05ab2 in total

@perdasilva
Contributor Author

/retest

@openshift-merge-bot openshift-merge-bot Bot merged commit 12c6652 into openshift:main May 8, 2026
16 of 17 checks passed
Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

4 participants