ACM-30179: Use TLS configuration from the APIServer when available by giladravid16 · Pull Request #801 · openshift/image-based-install-operator

giladravid16 · 2026-04-19T15:22:12Z

OCP 4.22 indroduces a new feature in the APIServer for configuring TLS configuration, and we want our components to also use the same TLS configuration that is defined in the APIServer.

When starting a components we will attempt to get the APIServer and check its TLSAdherencePolicy (decides whether we should apply the TLS configuration) and TLSProfileSpec (the actual TLS configuration).
For our operator we also add a controller called SecurityProfileWatcher (provided by openshift/controller-runtime-common) in order to force a restart when these values change.
For our server we implement a similar behavior ourselves.

This also required updating a lot of packages including the client-go which further required setting the environment variable KUBE_FEATURE_WatchListClient to false on the operator in order to fix a known bug where controllers don't start due to a cache sync issue.

Summary by CodeRabbit

New Features
- Added a TLS‑protected metrics endpoint with certificate support and a dedicated service exposing port 8080
- Implemented dynamic TLS configuration and automatic reload behavior tied to cluster TLS/profile changes
Chores
- Expanded operator permissions to support token review, subject access review, and API server read access
- Updated dependency versions across the project

openshift-ci-robot · 2026-04-19T15:22:16Z

@giladravid16: This pull request references ACM-30179 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-04-19T15:22:28Z

Walkthrough

Adds runtime TLS resolution and serving TLS wiring, a watcher that triggers process reloads on cluster TLS/profile changes, a new metrics Service and mounted metrics certs, expanded RBAC for token/subject-access reviews and apiserver access, and multiple dependency bumps and manifest updates.

Changes

Cohort / File(s)	Summary
TLS configuration package `internal/tlsconfig/tlsconfig.go`	New package exposing `TLSConfigResult`, `ResolveTLSConfig(...)`, and `ServingTLSConfig(...)` to fetch cluster TLS adherence/profile and produce TLS mutators.
Manager binary `cmd/manager/main.go`, `config/manager/manager.yaml`	Manager now uses a cancellable context, resolves TLS at startup, configures metrics/webhook servers for secure serving with `/metrics-certs`, adds a SecurityProfileWatcher that cancels context on TLS policy/profile change, and mounts `metrics-certs` secret with env `KUBE_FEATURE_WatchListClient="false"`.
Server binary `cmd/server/main.go`	HTTPS startup switched to resolved TLS config and programmatic TLS setup (loads cert/key, sets TLSConfig, uses ListenAndServeTLS), CLI flag/logger init added, and background watcher exits process on APIServer TLS policy/profile changes.
New metrics Service `bundle/manifests/image-based-install-metrics_v1_service.yaml`	Added `Service` `image-based-install-metrics` exposing TCP port `8080`, annotated `service.beta.openshift.io/serving-cert-secret-name: ibi-metrics-serving-certs`, selecting `app: image-based-install-operator`.
CSVs & Deployment spec `bundle/manifests/image-based-install-operator.clusterserviceversion.yaml`	Updated CSV annotations timestamp, expanded `spec.install.spec.clusterPermissions` with tokenreviews/subjectaccessreviews/apiservers rules, and added `metrics-certs` secret volume/volumeMount into the operator pod template.
RBAC and markers `config/rbac/role.yaml`, `controllers/imageclusterinstall_controller.go`	Extended `ClusterRole` with `authentication.k8s.io: tokenreviews (create)`, `authorization.k8s.io: subjectaccessreviews (create)`, and `config.openshift.io: apiservers (get,list,watch)`; added kubebuilder markers reflecting these permissions.
Dependency graph `go.mod`	Bumped many direct/indirect dependencies, added OpenShift-related modules (`github.com/openshift/client-go`, `.../controller-runtime-common`, `.../library-go`), and adjusted `replace` pins.

Sequence Diagram(s)

sequenceDiagram
    actor Operator
    participant TLS as TLS Config Resolver
    participant API as Kubernetes API Server
    participant Mgr as Manager/Server
    participant Watch as SecurityProfileWatcher

    Operator->>Mgr: start (derive cancellable ctx)
    Mgr->>TLS: ResolveTLSConfig(ctx, restConfig)
    TLS->>API: GET TLSAdherencePolicy
    TLS->>API: GET TLSProfileSpec
    API-->>TLS: return policies
    TLS->>TLS: choose cluster profile or default
    TLS-->>Mgr: TLSConfigResult (mutator + metadata)
    Mgr->>Mgr: configure secure serving (CertDir=/metrics-certs, TLSOpts)
    Mgr->>Watch: register watcher on APIServer
    Watch->>API: watch APIServer
    API-->>Watch: watch.Modified events

    rect rgba(255, 100, 100, 0.5)
    Note over Watch,Mgr: on profile/adherence change
    Watch->>Watch: compare previous vs current (deep equal)
    Watch->>Mgr: trigger shutdown (cancel / os.Exit)
    end

    Mgr->>Operator: graceful shutdown / exit to allow reload

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: implementing TLS configuration retrieval from the APIServer, which is the primary focus of the PR across multiple files (tlsconfig.go, main.go, cmd/server/main.go).
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names across multiple test files use stable, deterministic descriptive strings with no dynamic values including pod names, timestamps, UUIDs, node names, or IP addresses.
Test Structure And Quality	✅ Passed	No Ginkgo test files were modified in this PR, making the custom test quality assessment not applicable.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. All changes consist of infrastructure modifications including TLS configuration code, Kubernetes manifests, RBAC rules, dependency updates, and manager/server startup logic.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not introduce any new Ginkgo e2e tests. Changes consist of infrastructure updates including TLS configuration, manager startup modifications, Kubernetes manifests, RBAC rules, and dependency updates. No test files with Ginkgo test cases are being added.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request does not introduce topology-unfriendly scheduling constraints. Deployment uses single replica with no affinity rules, nodeSelector, or topology spread constraints. Compatible with SNO, Two-Node Fixed, Two-Node with Arbiter, and HyperShift topologies.
Ote Binary Stdout Contract	✅ Passed	PR properly configures logging to write to stderr via zap in main functions. No stdout writes, klog usage, or premature logger initialization detected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. The nine files modified consist of Kubernetes manifests, configuration files, and Go source code—none are test files or contain new Ginkgo test definitions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-04-19T15:23:01Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giladravid16

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [giladravid16]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai

Actionable comments posted: 4

🧹 Nitpick comments (2)

internal/tlsconfig/tlsconfig.go (1)

38-48: Consider logging at Info level when defaulting TLS settings.

When the TLS adherence policy or profile cannot be fetched, the code logs at Error level but continues with defaults. Since this is expected behavior during startup (before APIServer is readable), consider using Info or Warning level instead to avoid alarming operators.

♻️ Suggested change

 	tlsAdherencePolicy, err := crtls.FetchAPIServerTLSAdherencePolicy(ctx, k8sClient)
 	if err != nil {
-		log.Error(err, "unable to get TLS adherence policy from API server; defaulting until APIServer is readable")
+		log.Info("unable to get TLS adherence policy from API server; defaulting until APIServer is readable", "error", err)
 		tlsAdherencePolicy = ""
 	}

 	tlsProfileSpec, err := crtls.FetchAPIServerTLSProfile(ctx, k8sClient)
 	if err != nil {
-		log.Error(err, "unable to get TLS profile from API server; defaulting until APIServer is readable")
+		log.Info("unable to get TLS profile from API server; defaulting until APIServer is readable", "error", err)
 		tlsProfileSpec = configv1.TLSProfileSpec{}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/tlsconfig/tlsconfig.go` around lines 38 - 48, The current error logs
inside FetchAPIServerTLSAdherencePolicy and FetchAPIServerTLSProfile error
branches use log.Error while the code then defaults and continues; change those
calls (the log.Error invocations referencing tlsAdherencePolicy and
tlsProfileSpec in internal/tlsconfig/tlsconfig.go) to a non-error level such as
log.Info or log.Warn to reflect expected startup behavior—update the two places
where FetchAPIServerTLSAdherencePolicy and FetchAPIServerTLSProfile errors are
handled to call log.Info/log.Warn with the same message and error context
instead of log.Error.

cmd/manager/main.go (1)

105-113: Consider using the cancellable context for TLS resolution.

Line 109 uses context.Background() instead of ctx. If this is intentional to ensure TLS setup completes regardless of signals, consider adding an explicit timeout to prevent potential indefinite blocking if there are network issues reaching the API server.
💡 Suggested alternative with timeout
-	tlsResult, err := tlsconfig.ResolveTLSConfig(context.Background(), restCfg)
+	tlsCtx, tlsCancel := context.WithTimeout(ctx, 30*time.Second)
+	defer tlsCancel()
+	tlsResult, err := tlsconfig.ResolveTLSConfig(tlsCtx, restCfg)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@cmd/manager/main.go` around lines 105 - 113, The TLS resolution is using
context.Background() which ignores the cancellable signal context (ctx) — change
the call to use the existing ctx or a derived context with a timeout so TLS
resolution honors cancellation and cannot block indefinitely; specifically
update the call to tlsconfig.ResolveTLSConfig to pass ctx (or
context.WithTimeout(ctx, <reasonable duration>) and use that cancel) while still
using restCfg, and ensure you call the derived cancel when done and handle err
as before.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/server/main.go`:
- Around line 125-151: The watch loop using for event := range w.ResultChan()
currently stops silently when the watch channel closes; change it to an explicit
receive (event, ok := <-w.ResultChan()) and when ok is false log a warning/info
that the watch closed and re-establish the watch (recreate/assign w by calling
the same watch-creation logic used earlier, with a small backoff/retry) so TLS
change monitoring resumes; ensure the retry replaces the w variable used by the
loop and preserves existing handling of current, crtls.GetTLSProfileSpec and
equality.Semantic.DeepEqual checks.
- Around line 116-122: In watchAndExitOnTLSChange, the call to
configClient.ConfigV1().APIServers().Watch(...) can fail silently; update the
error path to log the failure before returning by using the provided log
(*logrus.Logger) — e.g., call log.WithError(err).Error("failed to establish
watch for APIServers") or similar — referencing the existing function name
watchAndExitOnTLSChange and the Watch invocation so the failure is recorded for
operators and debugging.

In `@go.mod`:
- Line 265: The dependency go.opentelemetry.io/otel/sdk is pinned to v1.39.0
which has a PATH hijacking vulnerability; update the module version to v1.40.0
or later in go.mod (replace the v1.39.0 entry for go.opentelemetry.io/otel/sdk),
then run the Go tooling (go get with the chosen version and go mod tidy) to
ensure the newer version is fetched and the module graph is clean; after
updating, run your test suite or build to verify nothing breaks.
- Line 288: Update the grpc dependency to a fixed version to remediate the
GHSA-p77j-4mvh-x3m3 vulnerability: change the google.golang.org/grpc module
referenced in go.mod to v1.79.3 or later (prefer v1.80.0) and then refresh your
modules with the Go toolchain (e.g., use go get/update and go mod tidy) so the
new version is recorded and vendored; verify compilation and run tests that
exercise HTTP/2 handlers to confirm no regressions.

---

Nitpick comments:
In `@cmd/manager/main.go`:
- Around line 105-113: The TLS resolution is using context.Background() which
ignores the cancellable signal context (ctx) — change the call to use the
existing ctx or a derived context with a timeout so TLS resolution honors
cancellation and cannot block indefinitely; specifically update the call to
tlsconfig.ResolveTLSConfig to pass ctx (or context.WithTimeout(ctx, <reasonable
duration>) and use that cancel) while still using restCfg, and ensure you call
the derived cancel when done and handle err as before.

In `@internal/tlsconfig/tlsconfig.go`:
- Around line 38-48: The current error logs inside
FetchAPIServerTLSAdherencePolicy and FetchAPIServerTLSProfile error branches use
log.Error while the code then defaults and continues; change those calls (the
log.Error invocations referencing tlsAdherencePolicy and tlsProfileSpec in
internal/tlsconfig/tlsconfig.go) to a non-error level such as log.Info or
log.Warn to reflect expected startup behavior—update the two places where
FetchAPIServerTLSAdherencePolicy and FetchAPIServerTLSProfile errors are handled
to call log.Info/log.Warn with the same message and error context instead of
log.Error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1ca3bcd2-7d09-4248-a937-c41822e2c4e7

📥 Commits

Reviewing files that changed from the base of the PR and between 99a951c and b97a361.

⛔ Files ignored due to path filters (291)

go.sum is excluded by !**/*.sum
vendor/github.com/AlecAivazis/survey/v2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/confirm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/core/template.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/core/write.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/input.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/multiselect.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/password.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/renderer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/select.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/survey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/display_posix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/output.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_bsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_posix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_ppc64le.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/transform.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/validate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/to.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/assets.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/autorest.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/build.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/ci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/client_factory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/federatedidentitycredentials_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models_serde.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/operations_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/responses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/systemassignedidentities_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/time_rfc3339.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/userassignedidentities_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/autorest/date/go_mod_tidy_hack.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/logger/go_mod_tidy_hack.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/logger/logger.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/tracing/go_mod_tidy_hack.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/antlrdoc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_config_set.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_deserialization_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_deserializer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_simulator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_state.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/char_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/common_token_factory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/common_token_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/comparators.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/configuration.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/dfa.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/dfa_serializer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/dfa_state.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/diagnostic_error_listener.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/error_listener.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/error_strategy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/file_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/input_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/int_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/interval_set.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/jcollect.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer_action.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer_action_executor.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer_atn_simulator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/ll1_analyzer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/mutex.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/mutex_nomutex.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/nostatistics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/parser.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/parser_atn_simulator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/parser_rule_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/prediction_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/prediction_context_cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/prediction_mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/recognizer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/rule_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/semantic_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/statistics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/stats_data.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/token_source.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/token_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/tokenstream_rewriter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/trace_listener.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/transition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/tree.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/trees.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/dpop.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_AssociateAlias.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CopyDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistributionWithTags.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateInvalidation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateMonitoringSubscription.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreatePublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateStreamingDistributionWithTags.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteMonitoringSubscription.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeletePublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DescribeFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DescribeKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCachePolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCloudFrontOriginAccessIdentityConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetContinuousDeploymentPolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetDistributionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionProfileConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetInvalidation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetKeyGroupConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetMonitoringSubscription.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginAccessControlConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginRequestPolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetPublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetPublicKeyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetResponseHeadersPolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetStreamingDistributionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListCachePolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListCloudFrontOriginAccessIdentities.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListConflictingAliases.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListContinuousDeploymentPolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByCachePolicyId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByOriginRequestPolicyId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByResponseHeadersPolicyId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByWebACLId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListFieldLevelEncryptionConfigs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListFieldLevelEncryptionProfiles.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListFunctions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListInvalidations.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListKeyGroups.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListKeyValueStores.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListOriginAccessControls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListOriginRequestPolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListPublicKeys.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListRealtimeLogConfigs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListResponseHeadersPolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListStreamingDistributions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListTagsForResource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_PublishFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_TagResource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_TestFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UntagResource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateDistributionWithStagingConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdatePublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/auth.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/deserializers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/generated.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/internal/endpoints/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/serializers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/enums.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/validators.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptAddressTransfer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptCapacityReservationBillingOwnership.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptReservedInstancesExchangeQuote.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayMulticastDomainAssociations.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayPeeringAttachment.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayVpcAttachment.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcEndpointConnections.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcPeeringConnection.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AdvertiseByoipCidr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateHosts.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateIpamPoolCidr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ApplySecurityGroupsToClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignIpv6Addresses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateIpAddresses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateNatGatewayAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateCapacityReservationBillingOwner.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateDhcpOptions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateEnclaveCertificateIamRole.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIamInstanceProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateInstanceEventWindow.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamByoasn.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamResourceDiscovery.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateNatGatewayAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteServer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteTable.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSecurityGroupVpc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSubnetCidrBlock.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayMulticastDomain.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (9)

bundle/manifests/image-based-install-metrics_v1_service.yaml
bundle/manifests/image-based-install-operator.clusterserviceversion.yaml
cmd/manager/main.go
cmd/server/main.go
config/manager/manager.yaml
config/rbac/role.yaml
controllers/imageclusterinstall_controller.go
go.mod
internal/tlsconfig/tlsconfig.go

OCP 4.22 indroduces a new feature in the APIServer for configuring TLS configuration, and we want our components to also use the same TLS configuration that is defined in the APIServer. When starting a components we will attempt to get the APIServer and check its TLSAdherencePolicy (decides whether we should apply the TLS configuration) and TLSProfileSpec (the actual TLS configuration). For our operator we also add a controller called SecurityProfileWatcher (provided by openshift/controller-runtime-common) in order to force a restart when these values change. For our server we implement a similar behavior ourselves. This also required updating a lot of packages including the client-go which further required setting the environment variable KUBE_FEATURE_WatchListClient to false on the operator in order to fix a known bug where controllers don't start due to a cache sync issue.

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 28-32: The replace directive forcing
sigs.k8s.io/controller-runtime to v0.19.3 conflicts with the declared dependency
sigs.k8s.io/controller-runtime v0.23.3 and causes TLS/logger call sites (e.g.,
in cmd/manager/main.go TLS-related calls and logger setup in both managers) to
be built against the older API; update or remove the replace directive so
controller-runtime resolves to v0.23.3 (i.e., change the replace from v0.19.3 to
v0.23.3 or delete the replace if not needed) and then run `go mod tidy` to
ensure the dependency graph is consistent.

In `@internal/tlsconfig/tlsconfig.go`:
- Around line 44-64: When FetchAPIServerTLSProfile fails you currently assign a
zero-value tlsProfileSpec which leads to empty ciphers; instead assign the
actual default profile: set tlsProfileSpec =
*configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType] so later calls to
crtls.NewTLSConfigFromProfile(tlsProfileSpec) produce the expected default
ciphers. Update the error branch that handles FetchAPIServerTLSProfile; keep the
existing logging and ensure references to tlsProfileSpec,
FetchAPIServerTLSProfile, ShouldHonorClusterTLSProfile, NewTLSConfigFromProfile,
configv1.TLSProfiles and libgocrypto.DefaultTLSProfileType are used to locate
and change the assignment.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 74cd2db7-97ea-495c-92a0-bd6ac54265b3

📥 Commits

Reviewing files that changed from the base of the PR and between b97a361 and 410f70c.

⛔ Files ignored due to path filters (291)

go.sum is excluded by !**/*.sum
vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**, !vendor/**
vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/confirm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/core/template.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/core/write.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/input.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/multiselect.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/password.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/renderer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/select.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/survey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/display_posix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/output.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_bsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_posix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_ppc64le.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/transform.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AlecAivazis/survey/v2/validate.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/to.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/assets.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/autorest.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/build.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/ci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/client_factory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/federatedidentitycredentials_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models_serde.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/operations_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/responses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/systemassignedidentities_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/time_rfc3339.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/userassignedidentities_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/autorest/date/go_mod_tidy_hack.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/logger/go_mod_tidy_hack.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/logger/logger.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/go-autorest/tracing/go_mod_tidy_hack.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/antlrdoc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_config_set.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_deserialization_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_deserializer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_simulator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_state.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/atn_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/char_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/common_token_factory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/common_token_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/comparators.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/configuration.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/dfa.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/dfa_serializer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/dfa_state.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/diagnostic_error_listener.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/error_listener.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/error_strategy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/file_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/input_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/int_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/interval_set.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/jcollect.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer_action.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer_action_executor.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/lexer_atn_simulator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/ll1_analyzer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/mutex.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/mutex_nomutex.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/nostatistics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/parser.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/parser_atn_simulator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/parser_rule_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/prediction_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/prediction_context_cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/prediction_mode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/recognizer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/rule_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/semantic_context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/statistics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/stats_data.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/token_source.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/token_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/tokenstream_rewriter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/trace_listener.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/transition.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/tree.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/trees.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/antlr4-go/antlr/v4/utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/dpop.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_AssociateAlias.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CopyDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistributionWithTags.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateInvalidation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateMonitoringSubscription.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreatePublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateStreamingDistributionWithTags.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteMonitoringSubscription.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeletePublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DescribeFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DescribeKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCachePolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCloudFrontOriginAccessIdentityConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetContinuousDeploymentPolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetDistributionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryption.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionProfileConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetInvalidation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetKeyGroupConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetMonitoringSubscription.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginAccessControlConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginRequestPolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetPublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetPublicKeyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetResponseHeadersPolicyConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetStreamingDistributionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListCachePolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListCloudFrontOriginAccessIdentities.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListConflictingAliases.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListContinuousDeploymentPolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByCachePolicyId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByOriginRequestPolicyId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByResponseHeadersPolicyId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListDistributionsByWebACLId.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListFieldLevelEncryptionConfigs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListFieldLevelEncryptionProfiles.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListFunctions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListInvalidations.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListKeyGroups.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListKeyValueStores.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListOriginAccessControls.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListOriginRequestPolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListPublicKeys.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListRealtimeLogConfigs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListResponseHeadersPolicies.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListStreamingDistributions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListTagsForResource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_PublishFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_TagResource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_TestFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UntagResource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateCachePolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateCloudFrontOriginAccessIdentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateContinuousDeploymentPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateDistributionWithStagingConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFieldLevelEncryptionConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFieldLevelEncryptionProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFunction.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateKeyGroup.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateKeyValueStore.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateOriginAccessControl.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateOriginRequestPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdatePublicKey.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateRealtimeLogConfig.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateResponseHeadersPolicy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateStreamingDistribution.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/auth.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/deserializers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/generated.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/go_module_metadata.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/internal/endpoints/endpoints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/serializers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/enums.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/validators.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptAddressTransfer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptCapacityReservationBillingOwnership.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptReservedInstancesExchangeQuote.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayMulticastDomainAssociations.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayPeeringAttachment.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayVpcAttachment.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcEndpointConnections.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcPeeringConnection.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AdvertiseByoipCidr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateHosts.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateIpamPoolCidr.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ApplySecurityGroupsToClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignIpv6Addresses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateIpAddresses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateNatGatewayAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateAddress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateCapacityReservationBillingOwner.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateClientVpnTargetNetwork.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateDhcpOptions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateEnclaveCertificateIamRole.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIamInstanceProfile.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateInstanceEventWindow.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamByoasn.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (9)

bundle/manifests/image-based-install-metrics_v1_service.yaml
bundle/manifests/image-based-install-operator.clusterserviceversion.yaml
cmd/manager/main.go
cmd/server/main.go
config/manager/manager.yaml
config/rbac/role.yaml
controllers/imageclusterinstall_controller.go
go.mod
internal/tlsconfig/tlsconfig.go

✅ Files skipped from review due to trivial changes (2)

config/rbac/role.yaml
bundle/manifests/image-based-install-metrics_v1_service.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

controllers/imageclusterinstall_controller.go
bundle/manifests/image-based-install-operator.clusterserviceversion.yaml
cmd/manager/main.go

coderabbitai · 2026-04-20T07:53:56Z

+	k8s.io/api v0.35.2
+	k8s.io/apimachinery v0.35.2
+	k8s.io/client-go v0.35.2
+	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
+	sigs.k8s.io/controller-runtime v0.23.3


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash set -euo pipefail printf 'controller-runtime entries in go.mod:\n' rg -n 'sigs\.k8s\.io/controller-runtime' go.mod printf '\nKubernetes dependency versions in go.mod:\n' rg -n 'k8s\.io/(api|apimachinery|client-go)\s+v' go.mod printf '\ncontroller-runtime-dependent call sites introduced in the codebase:\n' rg -n 'TLSOpts|SetLogger|UseFlagOptions|GetConfigOrDie' cmd internal

Repository: openshift/image-based-install-operator

Length of output: 871

Align the controller-runtime replace directive with the version required in the dependency tree.

Lines 28–30 and line 32 update the Kubernetes stack to v0.35.2 and require sigs.k8s.io/controller-runtime v0.23.3. However, line 327 replaces controller-runtime with v0.19.3, which means the TLS-related call sites introduced in cmd/manager/main.go (lines 122, 130) and the logger setup in both managers are built against the older version. This version mismatch can cause API or behavior incompatibilities. Update the replace directive to match v0.23.3 or remove it if no longer necessary.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@go.mod` around lines 28 - 32, The replace directive forcing sigs.k8s.io/controller-runtime to v0.19.3 conflicts with the declared dependency sigs.k8s.io/controller-runtime v0.23.3 and causes TLS/logger call sites (e.g., in cmd/manager/main.go TLS-related calls and logger setup in both managers) to be built against the older API; update or remove the replace directive so controller-runtime resolves to v0.23.3 (i.e., change the replace from v0.19.3 to v0.23.3 or delete the replace if not needed) and then run `go mod tidy` to ensure the dependency graph is consistent.

coderabbitai · 2026-04-20T07:53:56Z

+	tlsProfileSpec, err := crtls.FetchAPIServerTLSProfile(ctx, k8sClient)
+	if err != nil {
+		log.Error(err, "unable to get TLS profile from API server; defaulting until APIServer is readable")
+		tlsProfileSpec = configv1.TLSProfileSpec{}
+	}
+
+	var tlsConfig func(*tls.Config)
+
+	if libgocrypto.ShouldHonorClusterTLSProfile(tlsAdherencePolicy) {
+		profileTLSConfig, unsupportedCiphers := crtls.NewTLSConfigFromProfile(tlsProfileSpec)
+		if len(unsupportedCiphers) > 0 {
+			log.Info("TLS configuration contains unsupported ciphers that will be ignored", "unsupportedCiphers", unsupportedCiphers)
+		}
+		tlsConfig = profileTLSConfig
+	} else {
+		defaultTLSConfig, unsupportedCiphers := crtls.NewTLSConfigFromProfile(*configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType])
+		if len(unsupportedCiphers) > 0 {
+			log.Info("TLS configuration contains unsupported ciphers that will be ignored", "unsupportedCiphers", unsupportedCiphers)
+		}
+		tlsConfig = defaultTLSConfig
+	}


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "tlsconfig.go" -type f 2>/dev/null | head -20

Repository: openshift/image-based-install-operator

Length of output: 64

🏁 Script executed:

find . -path "*/internal/tlsconfig/tlsconfig.go" -type f

Repository: openshift/image-based-install-operator

Length of output: 115

🏁 Script executed:

# List the internal directory structure find . -path "*/internal/tlsconfig*" -type f 2>/dev/null | head -20

Repository: openshift/image-based-install-operator

Length of output: 115

🏁 Script executed:

wc -l ./internal/tlsconfig/tlsconfig.go

Repository: openshift/image-based-install-operator

Length of output: 118

🏁 Script executed:

cat -n ./internal/tlsconfig/tlsconfig.go

Repository: openshift/image-based-install-operator

Length of output: 3546

🏁 Script executed:

# Search for NewTLSConfigFromProfile definition rg "NewTLSConfigFromProfile" --type go

Repository: openshift/image-based-install-operator

Length of output: 737

🏁 Script executed:

# Search for TLSProfiles usage and definition rg "TLSProfiles\[" --type go

Repository: openshift/image-based-install-operator

Length of output: 894

🏁 Script executed:

# Look for imports and check if these are from external packages rg "controller-runtime-common|library-go|openshift/api" ./internal/tlsconfig/tlsconfig.go

Repository: openshift/image-based-install-operator

Length of output: 250

🏁 Script executed:

sed -n '/^func NewTLSConfigFromProfile/,/^}/p' vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go | head -80

Repository: openshift/image-based-install-operator

Length of output: 1004

🏁 Script executed:

rg "TLSVersionOrDie" --type go

Repository: openshift/image-based-install-operator

Length of output: 334

🏁 Script executed:

# Search in vendor to find the definition rg "func TLSVersionOrDie" vendor/ --type go

Repository: openshift/image-based-install-operator

Length of output: 191

🏁 Script executed:

sed -n '/^func TLSVersionOrDie/,/^}/p' vendor/github.com/openshift/library-go/pkg/crypto/crypto.go

Repository: openshift/image-based-install-operator

Length of output: 223

🏁 Script executed:

sed -n '/^func TLSVersion/,/^}/p' vendor/github.com/openshift/library-go/pkg/crypto/crypto.go | head -40

Repository: openshift/image-based-install-operator

Length of output: 856

🏁 Script executed:

rg "DefaultTLSVersion|DefaultTLSProfileType" vendor/github.com/openshift/library-go/pkg/crypto/crypto.go -A 2

Repository: openshift/image-based-install-operator

Length of output: 568

🏁 Script executed:

rg "DefaultTLSProfileType" vendor/github.com/openshift/api/config/v1 --type go

Repository: openshift/image-based-install-operator

Length of output: 64

Use the actual default TLS profile when fetch fails to ensure consistent cipher configuration.

When FetchAPIServerTLSProfile fails, the code logs "defaulting" but assigns an empty configv1.TLSProfileSpec{}. Later, if ShouldHonorClusterTLSProfile is true, this empty spec is passed to NewTLSConfigFromProfile, which results in an empty cipher list rather than the default ciphers. Meanwhile, the else branch correctly uses the explicit default profile. Additionally, the returned TLSProfileSpec becomes empty, misrepresenting the actual configuration in use.

Replace the zero-value assignment with the explicit default profile from configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType] to ensure both cipher configuration and result integrity.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@internal/tlsconfig/tlsconfig.go` around lines 44 - 64, When FetchAPIServerTLSProfile fails you currently assign a zero-value tlsProfileSpec which leads to empty ciphers; instead assign the actual default profile: set tlsProfileSpec = *configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType] so later calls to crtls.NewTLSConfigFromProfile(tlsProfileSpec) produce the expected default ciphers. Update the error branch that handles FetchAPIServerTLSProfile; keep the existing logging and ensure references to tlsProfileSpec, FetchAPIServerTLSProfile, ShouldHonorClusterTLSProfile, NewTLSConfigFromProfile, configv1.TLSProfiles and libgocrypto.DefaultTLSProfileType are used to locate and change the assignment.

giladravid16 · 2026-04-20T12:18:46Z

/retest-required

giladravid16 · 2026-04-20T13:36:16Z

/retest-required

giladravid16 · 2026-04-20T14:44:41Z

/retest-required

giladravid16 · 2026-04-20T15:04:55Z

/cc @carbonin

openshift-ci · 2026-04-20T17:10:30Z

@giladravid16: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 19, 2026

openshift-ci bot requested review from Missxiaoguo and tsorya April 19, 2026 15:22

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 19, 2026

coderabbitai bot reviewed Apr 19, 2026

View reviewed changes

Comment thread cmd/server/main.go

Comment thread cmd/server/main.go

Comment thread go.mod Outdated

Comment thread go.mod Outdated

giladravid16 force-pushed the ACM-30179 branch from b97a361 to 410f70c Compare April 20, 2026 07:37

coderabbitai bot reviewed Apr 20, 2026

View reviewed changes

openshift-ci bot requested a review from carbonin April 20, 2026 15:05

Conversation

giladravid16 commented Apr 19, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented Apr 19, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai bot commented Apr 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

❌ Failed checks (1 warning)

Uh oh!

openshift-ci bot commented Apr 19, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Apr 20, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Apr 20, 2026

Choose a reason for hiding this comment

Uh oh!

giladravid16 commented Apr 20, 2026

Uh oh!

giladravid16 commented Apr 20, 2026

Uh oh!

giladravid16 commented Apr 20, 2026

Uh oh!

giladravid16 commented Apr 20, 2026

Uh oh!

openshift-ci bot commented Apr 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

giladravid16 commented Apr 19, 2026 •

edited by coderabbitai bot

Loading

openshift-ci-robot commented Apr 19, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Apr 19, 2026 •

edited

Loading