ACM-30179: Use TLS configuration from the APIServer when available #801
giladravid16 wants to merge 1 commit into openshift:main from
@giladravid16: This pull request references ACM-30179 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Walkthrough
Adds runtime TLS resolution and serving TLS wiring, a watcher that triggers process reloads on cluster TLS/profile changes, a new metrics Service and mounted metrics certs, expanded RBAC for token/subject-access reviews and apiserver access, and multiple dependency bumps and manifest updates.
Changes
Sequence Diagram(s)
sequenceDiagram
actor Operator
participant TLS as TLS Config Resolver
participant API as Kubernetes API Server
participant Mgr as Manager/Server
participant Watch as SecurityProfileWatcher
Operator->>Mgr: start (derive cancellable ctx)
Mgr->>TLS: ResolveTLSConfig(ctx, restConfig)
TLS->>API: GET TLSAdherencePolicy
TLS->>API: GET TLSProfileSpec
API-->>TLS: return policies
TLS->>TLS: choose cluster profile or default
TLS-->>Mgr: TLSConfigResult (mutator + metadata)
Mgr->>Mgr: configure secure serving (CertDir=/metrics-certs, TLSOpts)
Mgr->>Watch: register watcher on APIServer
Watch->>API: watch APIServer
API-->>Watch: watch.Modified events
rect rgba(255, 100, 100, 0.5)
Note over Watch,Mgr: on profile/adherence change
Watch->>Watch: compare previous vs current (deep equal)
Watch->>Mgr: trigger shutdown (cancel / os.Exit)
end
Mgr->>Operator: graceful shutdown / exit to allow reload
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~50 minutes
🚥 Pre-merge checks | ✅ 9 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (9 passed)
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: giladravid16
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Actionable comments posted: 4
🧹 Nitpick comments (2)
internal/tlsconfig/tlsconfig.go (1)
38-48: Consider logging at Info level when defaulting TLS settings.
When the TLS adherence policy or profile cannot be fetched, the code logs at Error level but continues with defaults. Since this is expected behavior during startup (before APIServer is readable), consider using Info or Warning level instead to avoid alarming operators.
♻️ Suggested change
tlsAdherencePolicy, err := crtls.FetchAPIServerTLSAdherencePolicy(ctx, k8sClient) if err != nil { - log.Error(err, "unable to get TLS adherence policy from API server; defaulting until APIServer is readable") + log.Info("unable to get TLS adherence policy from API server; defaulting until APIServer is readable", "error", err) tlsAdherencePolicy = "" } tlsProfileSpec, err := crtls.FetchAPIServerTLSProfile(ctx, k8sClient) if err != nil { - log.Error(err, "unable to get TLS profile from API server; defaulting until APIServer is readable") + log.Info("unable to get TLS profile from API server; defaulting until APIServer is readable", "error", err) tlsProfileSpec = configv1.TLSProfileSpec{} }🤖 Prompt for AI Agents
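Review bot: Demoting both fallback branches to log.Info makes every fetch failure look routine, not only the startup case the comment cites. Both branches go on to set `tlsAdherencePolicy = ""` and `tlsProfileSpec = configv1.TLSProfileSpec{}`, so a persistent failure leaves the process serving with default TLS settings instead of the cluster's, with nothing above Info level in the logs. Keep an error or warning level unless the error is the expected not-yet-readable case, or log at Info once and escalate if the fetch keeps failing.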
Verify each finding against the current code and only fix it if needed. In `@internal/tlsconfig/tlsconfig.go` around lines 38 - 48, The current error logs inside FetchAPIServerTLSAdherencePolicy and FetchAPIServerTLSProfile error branches use log.Error while the code then defaults and continues; change those calls (the log.Error invocations referencing tlsAdherencePolicy and tlsProfileSpec in internal/tlsconfig/tlsconfig.go) to a non-error level such as log.Info or log.Warn to reflect expected startup behavior—update the two places where FetchAPIServerTLSAdherencePolicy and FetchAPIServerTLSProfile errors are handled to call log.Info/log.Warn with the same message and error context instead of log.Error.
cmd/manager/main.go (1)
105-113: Consider using the cancellable context for TLS resolution.
Line 109 uses `context.Background()` instead of `ctx`. If this is intentional to ensure TLS setup completes regardless of signals, consider adding an explicit timeout to prevent potential indefinite blocking if there are network issues reaching the API server.
💡 Suggested alternative with timeout
- tlsResult, err := tlsconfig.ResolveTLSConfig(context.Background(), restCfg) + tlsCtx, tlsCancel := context.WithTimeout(ctx, 30*time.Second) + defer tlsCancel() + tlsResult, err := tlsconfig.ResolveTLSConfig(tlsCtx, restCfg)🤖 Prompt for AI Agents
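Review bot: The added `defer tlsCancel()` only fires when the enclosing function returns, so if this sits in a long-lived startup function the 30-second timer stays armed well after ResolveTLSConfig has finished; call `tlsCancel()` directly after the call returns instead. The `30*time.Second` literal is also unexplained and needs the `time` import: name it as a constant, and state what the `err` path does on timeout (exit, or fall back to default TLS settings), since that decides whether a slow API server blocks startup or silently weakens the serving configuration.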
Verify each finding against the current code and only fix it if needed. In `@cmd/manager/main.go` around lines 105 - 113, The TLS resolution is using context.Background() which ignores the cancellable signal context (ctx) — change the call to use the existing ctx or a derived context with a timeout so TLS resolution honors cancellation and cannot block indefinitely; specifically update the call to tlsconfig.ResolveTLSConfig to pass ctx (or context.WithTimeout(ctx, <reasonable duration>) and use that cancel) while still using restCfg, and ensure you call the derived cancel when done and handle err as before.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@cmd/server/main.go`:
- Around line 125-151: The watch loop using for event := range w.ResultChan()
currently stops silently when the watch channel closes; change it to an explicit
receive (event, ok := <-w.ResultChan()) and when ok is false log a warning/info
that the watch closed and re-establish the watch (recreate/assign w by calling
the same watch-creation logic used earlier, with a small backoff/retry) so TLS
change monitoring resumes; ensure the retry replaces the w variable used by the
loop and preserves existing handling of current, crtls.GetTLSProfileSpec and
equality.Semantic.DeepEqual checks.
- Around line 116-122: In watchAndExitOnTLSChange, the call to
configClient.ConfigV1().APIServers().Watch(...) can fail silently; update the
error path to log the failure before returning by using the provided log
(*logrus.Logger) — e.g., call log.WithError(err).Error("failed to establish
watch for APIServers") or similar — referencing the existing function name
watchAndExitOnTLSChange and the Watch invocation so the failure is recorded for
operators and debugging.
In `@go.mod`:
- Line 265: The dependency go.opentelemetry.io/otel/sdk is pinned to v1.39.0
which has a PATH hijacking vulnerability; update the module version to v1.40.0
or later in go.mod (replace the v1.39.0 entry for go.opentelemetry.io/otel/sdk),
then run the Go tooling (go get with the chosen version and go mod tidy) to
ensure the newer version is fetched and the module graph is clean; after
updating, run your test suite or build to verify nothing breaks.
- Line 288: Update the grpc dependency to a fixed version to remediate the
GHSA-p77j-4mvh-x3m3 vulnerability: change the google.golang.org/grpc module
referenced in go.mod to v1.79.3 or later (prefer v1.80.0) and then refresh your
modules with the Go toolchain (e.g., use go get/update and go mod tidy) so the
new version is recorded and vendored; verify compilation and run tests that
exercise HTTP/2 handlers to confirm no regressions.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 1ca3bcd2-7d09-4248-a937-c41822e2c4e7
⛔ Files ignored due to path filters (291)
by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/auth.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/deserializers.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/doc.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/endpoints.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/generated.jsonis excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/go_module_metadata.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/internal/endpoints/endpoints.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/options.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/serializers.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/enums.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/errors.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/types.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/validators.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.mdis excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_client.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptAddressTransfer.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptCapacityReservationBillingOwnership.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptReservedInstancesExchangeQuote.gois excluded 
by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayMulticastDomainAssociations.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayPeeringAttachment.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayVpcAttachment.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcEndpointConnections.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcPeeringConnection.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AdvertiseByoipCidr.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateAddress.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateHosts.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateIpamPoolCidr.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ApplySecurityGroupsToClientVpnTargetNetwork.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignIpv6Addresses.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateIpAddresses.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateNatGatewayAddress.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateAddress.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateCapacityReservationBillingOwner.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateClientVpnTargetNetwork.gois excluded 
by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateDhcpOptions.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateEnclaveCertificateIamRole.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIamInstanceProfile.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateInstanceEventWindow.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamByoasn.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamResourceDiscovery.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateNatGatewayAddress.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteServer.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateRouteTable.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSecurityGroupVpc.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateSubnetCidrBlock.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateTransitGatewayMulticastDomain.gois excluded by!**/vendor/**,!vendor/**
📒 Files selected for processing (9)
- bundle/manifests/image-based-install-metrics_v1_service.yaml
- bundle/manifests/image-based-install-operator.clusterserviceversion.yaml
- cmd/manager/main.go
- cmd/server/main.go
- config/manager/manager.yaml
- config/rbac/role.yaml
- controllers/imageclusterinstall_controller.go
- go.mod
- internal/tlsconfig/tlsconfig.go
OCP 4.22 introduces a new feature in the APIServer for configuring TLS configuration, and we want our components to also use the same TLS configuration that is defined in the APIServer. When starting a component we will attempt to get the APIServer and check its TLSAdherencePolicy (decides whether we should apply the TLS configuration) and TLSProfileSpec (the actual TLS configuration). For our operator we also add a controller called SecurityProfileWatcher (provided by openshift/controller-runtime-common) in order to force a restart when these values change. For our server we implement a similar behavior ourselves. This also required updating a lot of packages including the client-go which further required setting the environment variable KUBE_FEATURE_WatchListClient to false on the operator in order to fix a known bug where controllers don't start due to a cache sync issue.
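The resolution order described above, as an added Go sketch that is not the PR's code: the adherence flag decides whether the cluster profile is used, and a failed or non-honored read falls back to a populated default profile. `ProfileSpec`, `ClusterTLS`, `Resolve`, `NeedsRestart` and the default values are hypothetical stand-ins built on the standard library, not the openshift/api or controller-runtime-common types.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"reflect"
)

// ProfileSpec is a hypothetical stand-in for the cluster TLS profile:
// a minimum protocol version and a list of IANA cipher suite names.
type ProfileSpec struct {
	MinVersion string
	Ciphers    []string
}

// ClusterTLS is what one read of the APIServer object yields in this sketch.
type ClusterTLS struct {
	Honor   bool // adherence policy says components must follow the profile
	Profile ProfileSpec
}

// defaultProfile holds constructed fallback values for this example.
var defaultProfile = ProfileSpec{
	MinVersion: "VersionTLS12",
	Ciphers: []string{
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	},
}

var versions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// Result records which profile was chosen and how to apply it.
type Result struct {
	Source  string            // "cluster" or "default"
	Spec    ProfileSpec       // the profile that was applied
	Skipped []string          // names crypto/tls does not list as secure suites
	Apply   func(*tls.Config) // mutator for the serving tls.Config
}

// build validates a profile and turns it into a tls.Config mutator.
func build(spec ProfileSpec, source string) (Result, error) {
	minVer, ok := versions[spec.MinVersion]
	if !ok {
		return Result{}, fmt.Errorf("unsupported minimum version %q", spec.MinVersion)
	}
	byName := map[string]uint16{}
	for _, s := range tls.CipherSuites() { // excludes tls.InsecureCipherSuites()
		byName[s.Name] = s.ID
	}
	var ids []uint16
	var skipped []string
	for _, name := range spec.Ciphers {
		if id, found := byName[name]; found {
			ids = append(ids, id)
		} else {
			skipped = append(skipped, name)
		}
	}
	// crypto/tls does not let callers choose TLS 1.3 suites, so an empty list
	// is acceptable only for a TLS 1.3-only profile.
	if len(ids) == 0 && minVer < tls.VersionTLS13 {
		return Result{}, errors.New("profile yields no usable cipher suites")
	}
	apply := func(c *tls.Config) {
		c.MinVersion = minVer
		c.CipherSuites = ids
	}
	return Result{Source: source, Spec: spec, Skipped: skipped, Apply: apply}, nil
}

// Resolve picks the cluster profile only when it was read successfully and the
// adherence flag is set; every other path uses defaultProfile, never a
// zero-value ProfileSpec.
func Resolve(fetch func() (ClusterTLS, error)) (Result, error) {
	cluster, err := fetch()
	if err != nil || !cluster.Honor {
		return build(defaultProfile, "default")
	}
	return build(cluster.Profile, "cluster")
}

// NeedsRestart is the watcher's decision: any change to the adherence flag or
// the profile means the process must reload its serving configuration.
func NeedsRestart(prev, cur ClusterTLS) bool {
	return !reflect.DeepEqual(prev, cur)
}

func main() {
	// Constructed input: the APIServer read fails, so the default applies.
	r, err := Resolve(func() (ClusterTLS, error) {
		return ClusterTLS{}, errors.New("constructed read failure")
	})
	fmt.Println(r.Source, r.Spec.MinVersion, err)
}
```

An honored cluster profile that cannot be mapped returns an error instead of silently serving with library defaults, so the caller decides whether to refuse to start.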
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@go.mod`:
- Around line 28-32: The replace directive forcing
sigs.k8s.io/controller-runtime to v0.19.3 conflicts with the declared dependency
sigs.k8s.io/controller-runtime v0.23.3 and causes TLS/logger call sites (e.g.,
in cmd/manager/main.go TLS-related calls and logger setup in both managers) to
be built against the older API; update or remove the replace directive so
controller-runtime resolves to v0.23.3 (i.e., change the replace from v0.19.3 to
v0.23.3 or delete the replace if not needed) and then run `go mod tidy` to
ensure the dependency graph is consistent.
In `@internal/tlsconfig/tlsconfig.go`:
- Around line 44-64: When FetchAPIServerTLSProfile fails you currently assign a
zero-value tlsProfileSpec which leads to empty ciphers; instead assign the
actual default profile: set tlsProfileSpec =
*configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType] so later calls to
crtls.NewTLSConfigFromProfile(tlsProfileSpec) produce the expected default
ciphers. Update the error branch that handles FetchAPIServerTLSProfile; keep the
existing logging and ensure references to tlsProfileSpec,
FetchAPIServerTLSProfile, ShouldHonorClusterTLSProfile, NewTLSConfigFromProfile,
configv1.TLSProfiles and libgocrypto.DefaultTLSProfileType are used to locate
and change the assignment.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 74cd2db7-97ea-495c-92a0-bd6ac54265b3
⛔ Files ignored due to path filters (291)
by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_PublishFunction.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_TagResource.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_TestFunction.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UntagResource.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateCachePolicy.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateCloudFrontOriginAccessIdentity.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateContinuousDeploymentPolicy.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateDistribution.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateDistributionWithStagingConfig.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFieldLevelEncryptionConfig.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFieldLevelEncryptionProfile.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateFunction.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateKeyGroup.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateKeyValueStore.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateOriginAccessControl.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateOriginRequestPolicy.gois excluded 
by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdatePublicKey.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateRealtimeLogConfig.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateResponseHeadersPolicy.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_UpdateStreamingDistribution.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/auth.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/deserializers.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/doc.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/endpoints.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/generated.jsonis excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/go_module_metadata.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/internal/endpoints/endpoints.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/options.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/serializers.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/enums.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/errors.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/types/types.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/validators.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/CHANGELOG.mdis excluded 
by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_client.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptAddressTransfer.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptCapacityReservationBillingOwnership.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptReservedInstancesExchangeQuote.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayMulticastDomainAssociations.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayPeeringAttachment.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptTransitGatewayVpcAttachment.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcEndpointConnections.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AcceptVpcPeeringConnection.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AdvertiseByoipCidr.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateAddress.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateHosts.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AllocateIpamPoolCidr.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_ApplySecurityGroupsToClientVpnTargetNetwork.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignIpv6Addresses.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateIpAddresses.gois excluded 
by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssignPrivateNatGatewayAddress.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateAddress.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateCapacityReservationBillingOwner.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateClientVpnTargetNetwork.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateDhcpOptions.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateEnclaveCertificateIamRole.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIamInstanceProfile.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateInstanceEventWindow.gois excluded by!**/vendor/**,!vendor/**vendor/github.com/aws/aws-sdk-go-v2/service/ec2/api_op_AssociateIpamByoasn.gois excluded by!**/vendor/**,!vendor/**
📒 Files selected for processing (9)
- bundle/manifests/image-based-install-metrics_v1_service.yaml
- bundle/manifests/image-based-install-operator.clusterserviceversion.yaml
- cmd/manager/main.go
- cmd/server/main.go
- config/manager/manager.yaml
- config/rbac/role.yaml
- controllers/imageclusterinstall_controller.go
- go.mod
- internal/tlsconfig/tlsconfig.go
✅ Files skipped from review due to trivial changes (2)
- config/rbac/role.yaml
- bundle/manifests/image-based-install-metrics_v1_service.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
- controllers/imageclusterinstall_controller.go
- bundle/manifests/image-based-install-operator.clusterserviceversion.yaml
- cmd/manager/main.go
| k8s.io/api v0.35.2 | ||
| k8s.io/apimachinery v0.35.2 | ||
| k8s.io/client-go v0.35.2 | ||
| k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 | ||
| sigs.k8s.io/controller-runtime v0.23.3 |
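Review bot: the client-go line moves to v0.35.2 here, and the PR description says this bump is what forces KUBE_FEATURE_WatchListClient to be set to false on the operator. That coupling is not visible from go.mod or the manifest alone, so add a comment next to the environment variable (or in the commit message) naming the client-go version and the cache-sync bug, so the override is revisited on the next bump rather than left in place indefinitely.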
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf 'controller-runtime entries in go.mod:\n'
rg -n 'sigs\.k8s\.io/controller-runtime' go.mod
printf '\nKubernetes dependency versions in go.mod:\n'
rg -n 'k8s\.io/(api|apimachinery|client-go)\s+v' go.mod
printf '\ncontroller-runtime-dependent call sites introduced in the codebase:\n'
rg -n 'TLSOpts|SetLogger|UseFlagOptions|GetConfigOrDie' cmd internal
Repository: openshift/image-based-install-operator
Length of output: 871
Align the controller-runtime replace directive with the version required in the dependency tree.
Lines 28–30 and line 32 update the Kubernetes stack to v0.35.2 and require sigs.k8s.io/controller-runtime v0.23.3. However, line 327 replaces controller-runtime with v0.19.3, which means the TLS-related call sites introduced in cmd/manager/main.go (lines 122, 130) and the logger setup in both managers are built against the older version. This version mismatch can cause API or behavior incompatibilities. Update the replace directive to match v0.23.3 or remove it if no longer necessary.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@go.mod` around lines 28 - 32, The replace directive forcing
sigs.k8s.io/controller-runtime to v0.19.3 conflicts with the declared dependency
sigs.k8s.io/controller-runtime v0.23.3 and causes TLS/logger call sites (e.g.,
in cmd/manager/main.go TLS-related calls and logger setup in both managers) to
be built against the older API; update or remove the replace directive so
controller-runtime resolves to v0.23.3 (i.e., change the replace from v0.19.3 to
v0.23.3 or delete the replace if not needed) and then run `go mod tidy` to
ensure the dependency graph is consistent.
| tlsProfileSpec, err := crtls.FetchAPIServerTLSProfile(ctx, k8sClient) | ||
| if err != nil { | ||
| log.Error(err, "unable to get TLS profile from API server; defaulting until APIServer is readable") | ||
| tlsProfileSpec = configv1.TLSProfileSpec{} | ||
| } | ||
|
|
||
| var tlsConfig func(*tls.Config) | ||
|
|
||
| if libgocrypto.ShouldHonorClusterTLSProfile(tlsAdherencePolicy) { | ||
| profileTLSConfig, unsupportedCiphers := crtls.NewTLSConfigFromProfile(tlsProfileSpec) | ||
| if len(unsupportedCiphers) > 0 { | ||
| log.Info("TLS configuration contains unsupported ciphers that will be ignored", "unsupportedCiphers", unsupportedCiphers) | ||
| } | ||
| tlsConfig = profileTLSConfig | ||
| } else { | ||
| defaultTLSConfig, unsupportedCiphers := crtls.NewTLSConfigFromProfile(*configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType]) | ||
| if len(unsupportedCiphers) > 0 { | ||
| log.Info("TLS configuration contains unsupported ciphers that will be ignored", "unsupportedCiphers", unsupportedCiphers) | ||
| } | ||
| tlsConfig = defaultTLSConfig | ||
| } |
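Review bot: the two branches of the ShouldHonorClusterTLSProfile check differ only in which TLSProfileSpec they pass to crtls.NewTLSConfigFromProfile, and the unsupported-ciphers log line is duplicated in both. Select the spec first (tlsProfileSpec when the policy is honored, otherwise *configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType]), then call NewTLSConfigFromProfile and log once. In the error branch at the top, the message says "defaulting" while the value assigned is a zero TLSProfileSpec{}, so the log should also name the profile that is actually applied; as written, someone reading it cannot tell which TLS settings are in effect.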
🧩 Analysis chain
🏁 Script executed:
cd /tmp && find . -name "tlsconfig.go" -type f 2>/dev/null | head -20
Repository: openshift/image-based-install-operator
Length of output: 64
🏁 Script executed:
find . -path "*/internal/tlsconfig/tlsconfig.go" -type f
Repository: openshift/image-based-install-operator
Length of output: 115
🏁 Script executed:
# List the internal directory structure
find . -path "*/internal/tlsconfig*" -type f 2>/dev/null | head -20
Repository: openshift/image-based-install-operator
Length of output: 115
🏁 Script executed:
wc -l ./internal/tlsconfig/tlsconfig.go
Repository: openshift/image-based-install-operator
Length of output: 118
🏁 Script executed:
cat -n ./internal/tlsconfig/tlsconfig.go
Repository: openshift/image-based-install-operator
Length of output: 3546
🏁 Script executed:
# Search for NewTLSConfigFromProfile definition
rg "NewTLSConfigFromProfile" --type go
Repository: openshift/image-based-install-operator
Length of output: 737
🏁 Script executed:
# Search for TLSProfiles usage and definition
rg "TLSProfiles\[" --type go
Repository: openshift/image-based-install-operator
Length of output: 894
🏁 Script executed:
# Look for imports and check if these are from external packages
rg "controller-runtime-common|library-go|openshift/api" ./internal/tlsconfig/tlsconfig.go
Repository: openshift/image-based-install-operator
Length of output: 250
🏁 Script executed:
sed -n '/^func NewTLSConfigFromProfile/,/^}/p' vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go | head -80
Repository: openshift/image-based-install-operator
Length of output: 1004
🏁 Script executed:
rg "TLSVersionOrDie" --type go
Repository: openshift/image-based-install-operator
Length of output: 334
🏁 Script executed:
# Search in vendor to find the definition
rg "func TLSVersionOrDie" vendor/ --type go
Repository: openshift/image-based-install-operator
Length of output: 191
🏁 Script executed:
sed -n '/^func TLSVersionOrDie/,/^}/p' vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
Repository: openshift/image-based-install-operator
Length of output: 223
🏁 Script executed:
sed -n '/^func TLSVersion/,/^}/p' vendor/github.com/openshift/library-go/pkg/crypto/crypto.go | head -40
Repository: openshift/image-based-install-operator
Length of output: 856
🏁 Script executed:
rg "DefaultTLSVersion|DefaultTLSProfileType" vendor/github.com/openshift/library-go/pkg/crypto/crypto.go -A 2
Repository: openshift/image-based-install-operator
Length of output: 568
🏁 Script executed:
rg "DefaultTLSProfileType" vendor/github.com/openshift/api/config/v1 --type go
Repository: openshift/image-based-install-operator
Length of output: 64
Use the actual default TLS profile when fetch fails to ensure consistent cipher configuration.
When FetchAPIServerTLSProfile fails, the code logs "defaulting" but assigns an empty configv1.TLSProfileSpec{}. Later, if ShouldHonorClusterTLSProfile is true, this empty spec is passed to NewTLSConfigFromProfile, which results in an empty cipher list rather than the default ciphers. Meanwhile, the else branch correctly uses the explicit default profile. Additionally, the returned TLSProfileSpec becomes empty, misrepresenting the actual configuration in use.
Replace the zero-value assignment with the explicit default profile from configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType] to ensure both cipher configuration and result integrity.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@internal/tlsconfig/tlsconfig.go` around lines 44 - 64, When
FetchAPIServerTLSProfile fails you currently assign a zero-value tlsProfileSpec
which leads to empty ciphers; instead assign the actual default profile: set
tlsProfileSpec = *configv1.TLSProfiles[libgocrypto.DefaultTLSProfileType] so
later calls to crtls.NewTLSConfigFromProfile(tlsProfileSpec) produce the
expected default ciphers. Update the error branch that handles
FetchAPIServerTLSProfile; keep the existing logging and ensure references to
tlsProfileSpec, FetchAPIServerTLSProfile, ShouldHonorClusterTLSProfile,
NewTLSConfigFromProfile, configv1.TLSProfiles and
libgocrypto.DefaultTLSProfileType are used to locate and change the assignment.
|
/retest-required |
/cc @carbonin |
|
@giladravid16: all tests passed!
OCP 4.22 introduces a new feature in the APIServer for configuring TLS configuration, and we want our components to also use the same TLS configuration that is defined in the APIServer.
When starting a component we will attempt to get the APIServer and check its TLSAdherencePolicy (decides whether we should apply the TLS configuration) and TLSProfileSpec (the actual TLS configuration).
For our operator we also add a controller called SecurityProfileWatcher (provided by openshift/controller-runtime-common) in order to force a restart when these values change.
For our server we implement a similar behavior ourselves.
This also required updating a lot of packages including the client-go which further required setting the environment variable KUBE_FEATURE_WatchListClient to false on the operator in order to fix a known bug where controllers don't start due to a cache sync issue.
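The startup flow described above, as an added example that is not code from this PR or from openshift/controller-runtime-common: resolve the profile to serve with, fall back to a non-empty default when the fetch fails, surface ciphers the Go runtime cannot honor, and decide when a restart is needed. `Profile`, `Resolve`, `Mutator`, `Apply`, `NeedsRestart`, `errUnreachable` and the default profile are hypothetical stand-ins built on the standard library only, and cipher names use Go's IANA spelling.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"reflect"
)

// Profile is a hypothetical stand-in for the cluster's TLSProfileSpec.
type Profile struct {
	MinVersion uint16
	Ciphers    []string // IANA names as reported by crypto/tls (assumption)
}

// defaultProfile is a constructed fallback, not OpenShift's real default.
var defaultProfile = Profile{
	MinVersion: tls.VersionTLS12,
	Ciphers: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
}

// errUnreachable is a constructed error standing in for a failed APIServer read.
var errUnreachable = errors.New("apiserver unreachable (constructed)")

// Resolve picks the profile to serve with. A failed or empty fetch falls
// back to defaultProfile instead of a zero value with no ciphers.
func Resolve(fetched Profile, fetchErr error, honorCluster bool) Profile {
	empty := fetched.MinVersion == 0 && len(fetched.Ciphers) == 0
	if !honorCluster || fetchErr != nil || empty {
		return defaultProfile
	}
	return fetched
}

// Mutator turns a profile into a func(*tls.Config) and returns the cipher
// names this Go runtime does not implement, so the caller can log them.
func Mutator(p Profile) (func(*tls.Config), []string) {
	known := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = cs.ID
	}
	var ids []uint16
	var unsupported []string
	for _, name := range p.Ciphers {
		if id, ok := known[name]; ok {
			ids = append(ids, id)
		} else {
			unsupported = append(unsupported, name)
		}
	}
	return func(c *tls.Config) {
		c.MinVersion = p.MinVersion
		c.CipherSuites = ids
	}, unsupported
}

// Apply builds a fresh tls.Config from a profile using Mutator.
func Apply(p Profile) (*tls.Config, []string) {
	mutate, unsupported := Mutator(p)
	cfg := &tls.Config{}
	mutate(cfg)
	return cfg, unsupported
}

// NeedsRestart reports whether the observed profile differs from the one the
// process started with; a watcher would trigger shutdown when this is true.
func NeedsRestart(inUse, observed Profile) bool {
	return !reflect.DeepEqual(inUse, observed)
}

func main() {
	inUse := Resolve(Profile{}, errUnreachable, true) // fetch failed: default applies
	cfg, unsupported := Apply(inUse)
	fmt.Println(cfg.MinVersion, len(cfg.CipherSuites), unsupported)
}
```

Comparing the resolved profile, rather than the raw fetched one, keeps a process that started on the fallback from missing the moment the cluster profile becomes readable.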
Summary by CodeRabbit
New Features
Chores