wip: CNTRLPLANE-2449: K8s 1.35 rebase

[ingvagabund]

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Notes:

• Because of changing the way the OpenAPI names are generated the current "github.com/openshift/api..." entries under pkg/openapi/zz-generated.openapi.go are no longer sufficient. The new code expects REST friendly names of "com.github.openshift.api...." form. At the same time the original "github.com/openshift/api..." entries are still needed. Otherwise the following error is produced:

  F0312 15:38:36.881981       1 openshift_apiserver.go:435] unable to get openapi models: cannot find model definition for github.com/openshift/api/authorization/v1.LocalResourceAccessReview. If you added a new type, you may need to add +k8s:openapi-gen=true to the package or
  type and run code-gen again  
  

  To generate the original OpenAPI names each OpenShift type needs to implement k8s.io/kube-openapi/pkg/util.OpenAPIModelNamer interface:

  type OpenAPIModelNamer interface {
  	OpenAPIModelName() string
  }

  Experimenting with updating vendor/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go by extending DefinitionNamer.DefinitionNamer to fallback to generating the REST friendly name in case the original entry is used helps yet it produces its own errors:

  E0312 16:20:15.009308       1 fieldmanager.go:155] "[SHOULD NOT HAPPEN] failed to update managedFields" err=<
  	failed to convert new object (openshift/jenkins-agent-base; image.openshift.io/v1, Kind=ImageStreamImport) to smd typed: errors:
  	  .metadata: schema error: no type found matching: k8s.io~1apimachinery~1pkg~1apis~1meta~1v1.ObjectMeta
  	  .spec: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportSpec
  	  .status: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportStatus
  > versionKind="/, Kind=" namespace="openshift" name="jenkins-agent-base"
  

  This requires additional changes to escape / chars. TBD

• The alternative is to update the code to use the new REST friendly names only. Yet, that requires at least to update all schema_openshift_ functions in pkg/openapi/zz-generated.openapi.go. Question is whether this can introduce regressions?

• Inconsistent JSON Pointer escaping when using GetDefinitionName results as schema map keys kubernetes/kube-openapi#580 needs to be fixed as well

Summary by CodeRabbit

• Chores

  • Updated Go toolchain to 1.25.0 and upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies
  • Updated CI/build images to Go 1.25-based release and builder images
  • Revised OpenAPI violation listings and related manifest adjustments

• Refactor

  • Feature-gate and admission initialization are now version-aware
  • Quota configuration now integrates Kubernetes informers

• Tests

  • Watch tests emit bookmark events before real events to ensure correct sequencing

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cfa1c03d-c73c-403a-b252-fc40d54af890

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Go toolchain bumped to 1.25.0 and many module dependencies upgraded. Tests now emit watch bookmark events before real events. Effective API version is threaded into feature-gate and admission initializer flows; quota configuration now accepts Kubernetes informers. CI and image builder tags updated to Go 1.25.

Changes

Cohort / File(s)	Summary
Dependency Management go.mod	Bumps Go toolchain to 1.25.0 and upgrades/pins many direct and indirect modules (k8s.io/*, OpenShift libs, Prometheus, OpenTelemetry, etc.), including updated replace directives and several k8s version bumps (v0.34.x/v1.34.x → v0.35.x/v1.35.x in places).
Watch Event Sequencing (tests) pkg/apps/apiserver/registry/deploylog/rest_test.go, pkg/apps/apiserver/registry/deploylog/wait_test.go	Test watches now emit a bookmark event (InitialEventsAnnotationKey) before delivering real events; watch modifications/additions are deferred in goroutines to ensure bookmark → event ordering. metav1 usages added/adjusted.
Initialization & Version Propagation pkg/cmd/openshift-apiserver/cmd.go, pkg/cmd/openshift-apiserver/openshiftadmission/plugin_initializer.go, pkg/cmd/openshift-apiserver/openshiftapiserver/config.go	Adds openShiftMajorVersion constant and threads genericConfig.EffectiveVersion into feature-gate and admission initializer flows. NewQuotaConfigurationForAdmission now receives informers; AdmissionOptions.ApplyTo call updated to accept the effective version parameter.
CI & Image Builder .ci-operator.yaml, images/Dockerfile.rhel	Updates CI build root image and Dockerfile builder image tags from rhel-9-golang-1.24-openshift-4.22 to rhel-9-golang-1.25-openshift-4.22 (Go 1.25).
OpenAPI Violation List hack/openapi-violation.list	Removes several prior list_type_missing entries and adds/expands many new violation entries across multiple API groups/versions (new/shifted list/name rules, added streaming_list_type JSON/proto tags, and many ListMeta/Items entries).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'wip: CNTRLPLANE-2449: K8s 1.35 rebase' directly describes the main change: rebasing the codebase to Kubernetes 1.35, and includes a reference to the associated JIRA ticket.
Stable And Deterministic Test Names	✅ Passed	The repository does not use Ginkgo testing framework; modified test files use standard Go testing patterns without dynamic test titles.
Test Structure And Quality	✅ Passed	Test modifications in rest_test.go and wait_test.go maintain single responsibility with table-driven test cases, proper setup/cleanup through helper functions, explicit timeouts, meaningful assertions, and consistency with established codebase patterns.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

Migrating from UI to YAML configuration.

Use the @coderabbitai configuration command in a PR comment to get a dump of all your UI settings in YAML format. You can then edit this YAML file and upload it to the root of your repository to configure CodeRabbit programmatically.

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Summary by CodeRabbit

Release Notes

• Chores

• Updated Go toolchain from 1.24.0 to 1.25.0

• Upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies to newer versions

• Aligned component versions with Kubernetes 1.35.x and OpenShift API updates

• Refactor

• Improved feature gate initialization to support version-aware configuration

• Enhanced admission control initialization with effective version tracking

• Tests

• Updated watch event handling to emit bookmark signals before real events, ensuring proper event stream sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 149: The go.mod currently pins the vulnerable module
"go.opentelemetry.io/otel/sdk" at v1.36.0; update it to v1.40.0 or later to
remediate CVE-2026-24051. Edit go.mod to either bump the direct dependency to
v1.40.0+ or add a replace directive forcing "go.opentelemetry.io/otel/sdk" =>
"go.opentelemetry.io/otel/sdk v1.40.0" (or newer) and run `go mod tidy` / `go
get` so transitive consumers (e.g., library-go, k8s.io modules, otelhttp)
resolve the patched version. Ensure CI/builds pick up the new module by
verifying `go.sum` changes and running tests.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b63522ea-2acb-40af-b8cb-0388c289052c

📥 Commits

Reviewing files that changed from the base of the PR and between 56aa2d9 and 512dd2e.

⛔ Files ignored due to path filters (294)

• go.sum is excluded by !**/*.sum
• vendor/github.com/go-logr/logr/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/go-logr/logr/funcr/funcr.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/opencontainers/runtime-spec/specs-go/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/opencontainers/runtime-spec/specs-go/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/.golangci.go-validated.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/AGENTS.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apiextensions/install.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/build/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/cloudnetwork/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/cloudnetwork/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/register.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_feature.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_image_policy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_insights.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_backup.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha2/types_insights.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/console/v1/types_console_sample.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/etcd/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/etcd/install.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/etcd/v1alpha1/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/etcd/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/etcd/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/util.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/types_machine.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/network/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/networkoperator/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/networkoperator/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/oauth/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_console.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/project/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/quota/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/samples/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/samples/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/template/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/user/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/matcher.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sccmatching/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/seccomp/strategy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/customdeploymentstrategyparams.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcauseimagetrigger.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentcondition.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentconfigstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentdetails.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymentstrategy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerimagechangeparams.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/deploymenttriggerpolicy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/execnewpodhook.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/lifecyclehook.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/recreatedeploymentstrategyparams.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/rollingdeploymentstrategyparams.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/applyconfigurations/apps/v1/tagimagehook.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/apps/clientset/versioned/fake/clientset_generated.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrole.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/clusterrolebinding.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/grouprestriction.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/policyrule.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/role.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebinding.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestriction.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/rolebindingrestrictionspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountreference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/serviceaccountrestriction.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/applyconfigurations/authorization/v1/userrestriction.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrole.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/clusterrolebinding.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/role.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebinding.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/informers/externalversions/authorization/v1/rolebindingrestriction.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/authorization/informers/externalversions/factory.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/binarybuildsource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/bitbucketwebhookcause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/build.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildcondition.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildconfigstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildoutput.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildpostcommitspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildsource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutput.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstatusoutputto.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildstrategy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggercause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildtriggerpolicy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolume.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumemount.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/buildvolumesource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/commonwebhookcause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/configmapbuildsource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/custombuildstrategy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/dockerbuildstrategy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/genericwebhookcause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitbuildsource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/githubwebhookcause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitlabwebhookcause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/gitsourcerevision.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangecause.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetrigger.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagechangetriggerstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagelabel.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagesourcepath.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/imagestreamtagreference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/jenkinspipelinebuildstrategy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/proxyconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretbuildsource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretlocalreference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/secretspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcebuildstrategy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcecontroluser.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/sourcerevision.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stageinfo.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/stepinfo.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/applyconfigurations/build/v1/webhooktrigger.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/build/clientset/versioned/fake/clientset_generated.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudresourcetag.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserver.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiservernamedservingcert.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverservingcerts.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/audit.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/auditcustomrule.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsingressspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsresourcetag.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsserviceendpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureresourcetag.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformloadbalancer.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/basicauthidentityprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/build.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/builddefaults.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildoverrides.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudcontrollermanagerstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerips.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clustercondition.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusternetworkentry.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperator.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatuscondition.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversion.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentoverride.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutespec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutestatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapfilereference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapnamereference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/console.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consoleauthentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolespec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolestatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customfeaturegates.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/deprecatedwebhooktokenauthenticator.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dns.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsplatformspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnszone.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/equinixmetalplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalipconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalippolicy.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/extramapping.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregate.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateattributes.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatedetails.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateselection.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatestatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/fulciocawithrekor.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcelabel.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcetag.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/githubidentityprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gitlabidentityprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/googleidentityprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/htpasswdidentityprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsourcestatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudserviceendpoint.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityproviderconfig.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (6)

• go.mod
• pkg/apps/apiserver/registry/deploylog/rest_test.go
• pkg/apps/apiserver/registry/deploylog/wait_test.go
• pkg/cmd/openshift-apiserver/cmd.go
• pkg/cmd/openshift-apiserver/openshiftadmission/plugin_initializer.go
• pkg/cmd/openshift-apiserver/openshiftapiserver/config.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for available patches and which direct dependencies bring in the vulnerable version

# Check which direct dependencies require the vulnerable otel/sdk version
echo "=== Checking dependency chain for go.opentelemetry.io/otel/sdk ==="
go mod graph | grep 'go.opentelemetry.io/otel/sdk@'

# Query GitHub Security Advisory for patch information
echo -e "\n=== Checking for security advisories and patches ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: GOMOD, package: "go.opentelemetry.io/otel/sdk") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/openshift-apiserver

Length of output: 2541

---

🌐 Web query:

GO-2026-4394 go.opentelemetry.io otel sdk vulnerability

💡 Result:

GO-2026-4394 (aliases: CVE-2026-24051, GHSA-9h8m-3fm2-qjrq) is an arbitrary code execution issue in the OpenTelemetry Go SDK affecting go.opentelemetry.io/otel/sdk (specifically go.opentelemetry.io/otel/sdk/resource). It’s a PATH hijacking / untrusted search path problem on macOS/Darwin: the host resource detector runs the ioreg command via the system PATH, so a local attacker who can influence PATH can get a malicious ioreg executed in the application’s context. [2] [3]

• Affected versions: >= 1.21.0 and < 1.40.0 (i.e., through 1.39.0) [1] [2]
• Fixed version: 1.40.0 [1] [2]
• Remediation: upgrade to go.opentelemetry.io/otel/sdk v1.40.0+ (or ensure PATH cannot be attacker-controlled on macOS/Darwin systems). [2] [3]

Sources: [1] [2] [3]

---

🌐 Web query:

GHSA-9h8m-3fm2-qjrq opentelemetry vulnerability

💡 Result:

GHSA-9h8m-3fm2-qjrq (aka CVE-2026-24051) is a local arbitrary code execution issue in the OpenTelemetry Go SDK caused by PATH hijacking on macOS/Darwin: sdk/resource/host_id.go runs the ioreg command via the system search path, so an attacker who can influence the process PATH can cause execution of a malicious ioreg binary in the application’s context. CVSS 3.1: 7.0 (High), AV:L. [1][2]

• Affected package: go.opentelemetry.io/otel/sdk [1][3]
• Affected versions: >= 1.21.0 and < 1.40.0 (some writeups describe it as v1.20.0–1.39.0, but the reviewed affected range is >=1.21.0,<1.40.0) [1][3]
• Fixed version: 1.40.0 (patch commit d45961b…) [1][2][3]

What to do: upgrade go.opentelemetry.io/otel/sdk to v1.40.0+. [1][3]

Sources
[1] GitHub Advisory Database – GHSA-9h8m-3fm2-qjrq / CVE-2026-24051 (open-telemetry/opentelemetry-go)
[2] NVD – CVE-2026-24051
[3] OSV / Go vuln entry – GO-2026-4394

---

🌐 Web query:

go.opentelemetry.io/otel/sdk v1.36.0 security vulnerability PATH hijacking

💡 Result:

go.opentelemetry.io/otel/sdk v1.36.0 is affected by CVE-2026-24051 / GHSA-9h8m-3fm2-qjrq (PATH hijacking / untrusted search path) on macOS/Darwin. The issue is in sdk/resource/host_id.go, which executes the ioreg command by name (via PATH search); a local attacker who can influence PATH can potentially get arbitrary code execution in the application’s context. Affected versions are >= 1.21.0 and <= 1.39.0 (so 1.36.0 is included). Fixed in v1.40.0. [1][2]

Mitigation: upgrade to go.opentelemetry.io/otel (and related modules) v1.40.0 or later. [1][2]

Sources
[1] GitHub Security Advisory: GHSA-9h8m-3fm2-qjrq (open-telemetry/opentelemetry-go) (github.com)
[2] NVD: CVE-2026-24051 (nvd.nist.gov)

Citations:

• 1: GHSA-9h8m-3fm2-qjrq
• 2: https://nvd.nist.gov/vuln/detail/CVE-2026-24051

---

Critical: Address HIGH severity security vulnerability in OpenTelemetry SDK.

The OpenTelemetry SDK v1.36.0 contains CVE-2026-24051 (GO-2026-4394 / GHSA-9h8m-3fm2-qjrq), a HIGH severity local code execution vulnerability (CVSS 7.0). On macOS/Darwin systems, the SDK's host resource detector executes ioreg via the system PATH, allowing a local attacker with PATH control to achieve arbitrary code execution.

Upgrade to go.opentelemetry.io/otel/sdk v1.40.0 or later. Since this is pulled in by multiple direct dependencies (library-go, k8s.io modules, otelhttp), you may need to update those direct dependencies or add a replace directive to force the patched version.

🧰 Tools

🪛 OSV Scanner (2.3.3)

[HIGH] 149-149: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)

---

[HIGH] 149-149: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 149, The go.mod currently pins the vulnerable module
"go.opentelemetry.io/otel/sdk" at v1.36.0; update it to v1.40.0 or later to
remediate CVE-2026-24051. Edit go.mod to either bump the direct dependency to
v1.40.0+ or add a replace directive forcing "go.opentelemetry.io/otel/sdk" =>
"go.opentelemetry.io/otel/sdk v1.40.0" (or newer) and run `go mod tidy` / `go
get` so transitive consumers (e.g., library-go, k8s.io modules, otelhttp)
resolve the patched version. Ensure CI/builds pick up the new module by
verifying `go.sum` changes and running tests.

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Summary by CodeRabbit

• Chores

• Updated Go toolchain from 1.24.0 to 1.25.0

• Upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI build root image to the Go 1.25-based release image

• Refactor

• Feature-gate and admission initialization made version-aware to improve compatibility with newer platform APIs

• Tests

• Watch tests now emit bookmark events before real events to ensure correct event sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Summary by CodeRabbit

• Chores

• Updated Go toolchain from 1.24.0 to 1.25.0

• Upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI build root image to the Go 1.25-based release image

• Refactor

• Feature-gate and admission initialization made version-aware to improve compatibility with newer platform APIs

• Tests

• Watch tests now emit bookmark events before real events to ensure correct event sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Summary by CodeRabbit

• Chores

• Updated Go toolchain from 1.24.0 to 1.25.0

• Upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI/build images to use Go 1.25-based release and builder images

• Refactor

• Made feature-gate and admission initialization version-aware

• Quota configuration now integrates Kubernetes informers

• Tests

• Watch tests emit bookmark events before real events to ensure correct sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

images/Dockerfile.rhel (1)

1-13: Static analysis: Image runs as root (pre-existing).

Trivy flagged that no USER directive specifies a non-root user. This is a pre-existing condition, not introduced by this PR. In OpenShift, this may be intentional since SecurityContextConstraints (SCC) typically enforce non-root execution at runtime.

If adding an explicit non-root user is desired for defense-in-depth, consider:

🛡️ Optional: Add non-root USER directive

 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/openshift-apiserver/openshift-apiserver /usr/bin/
 COPY --from=builder /go/src/github.com/openshift/openshift-apiserver/openshift-apiserver-tests-ext.gz /usr/bin/
+USER 1001
 ENTRYPOINT ["/usr/bin/openshift-apiserver"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@images/Dockerfile.rhel` around lines 1 - 13, The Dockerfile currently leaves
the container running as root; update the Dockerfile to set a non-root user
after the final image stage by creating or using a low-privilege UID/GID and
adding a USER directive (apply changes after the COPY --from=builder steps and
before ENTRYPOINT), ensure any binaries copied by COPY --from=builder
(openshift-apiserver and openshift-apiserver-tests-ext.gz) have appropriate
ownership and file permissions (chown/chmod) so the new user can execute them,
and then replace/keep ENTRYPOINT ["/usr/bin/openshift-apiserver"] as-is so the
container runs with the non-root user at runtime.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@images/Dockerfile.rhel`:
- Around line 1-13: The Dockerfile currently leaves the container running as
root; update the Dockerfile to set a non-root user after the final image stage
by creating or using a low-privilege UID/GID and adding a USER directive (apply
changes after the COPY --from=builder steps and before ENTRYPOINT), ensure any
binaries copied by COPY --from=builder (openshift-apiserver and
openshift-apiserver-tests-ext.gz) have appropriate ownership and file
permissions (chown/chmod) so the new user can execute them, and then
replace/keep ENTRYPOINT ["/usr/bin/openshift-apiserver"] as-is so the container
runs with the non-root user at runtime.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bf497d6d-e46d-4ef3-b196-f6561523548e

📥 Commits

Reviewing files that changed from the base of the PR and between 6fbd8e1 and 941a19c.

📒 Files selected for processing (2)

• .ci-operator.yaml
• images/Dockerfile.rhel

[ingvagabund]

/retest-required

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Summary by CodeRabbit

• Chores

• Updated Go toolchain to 1.25.0 and upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI/build images to Go 1.25-based release and builder images

• Revised OpenAPI violation listings and related manifest adjustments

• Refactor

• Feature-gate and admission initialization are now version-aware

• Quota configuration now integrates Kubernetes informers

• Tests

• Watch tests emit bookmark events before real events to ensure correct sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (2)

hack/openapi-violation.list (2)

368-369: Please confirm these new OpenShift-owned names_match suppressions are unavoidable.

These entries are for github.com/openshift/api/..., not the rebased k8s.io/... surface. If the companion API bump introduced or promoted these fields, I’d rather fix the underlying Go/json/proto names there than permanently widen the allowlist here. If they’re already compatibility-frozen, please point this PR at the owning API change or follow-up so this doesn’t look like silent debt growth.

Also applies to: 381-382, 392-393, 493-493

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/openapi-violation.list` around lines 368 - 369, The new names_match
suppressions for OpenShift-owned API types (ImagePolicyPKIRootOfTrust with
fields CertificateAuthorityIntermediatesData and CertificateAuthorityRootsData)
must be validated: check the upstream github.com/openshift/api repo to confirm
whether these field/name mismatches were introduced by a companion API bump or
are compatibility-frozen; if the mismatch can be fixed in the owning API, remove
the suppression and open/point to that PR, otherwise add a brief comment in the
suppression list referencing the upstream PR or issue that makes this
unavoidable and include the owning API change identifier so reviewers can trace
the decision.

---

668-669: Please verify we’re not papering over fixable streaming-list tag issues in OpenShift APIs.

Because these suppressions are all under github.com/openshift/api/..., this widens the local exception list for list types we own. If the corresponding ListMeta/Items tags can still be corrected in the companion API repo, that would be preferable to baking in more streaming_list_type_json_tags debt here.

Also applies to: 674-674, 683-683, 687-687, 696-696, 700-700, 730-730

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/openapi-violation.list` around lines 668 - 669, The suppression entries
in hack/openapi-violation.list are hiding potential streaming-list json tag
problems for the types CompatibilityRequirementList (specifically its Items
field) and its embedded ListMeta in
github.com/openshift/api/apiextensions/v1alpha1; locate the
CompatibilityRequirementList definition and its ListMeta and Items fields in the
companion api repo, correct their struct/json tags so they conform to
streaming-list requirements (fix the json tag on Items and ensure ListMeta is
properly tagged/embedded), then remove the corresponding suppression lines from
hack/openapi-violation.list; if a tag cannot be changed for a
backward-compatibility reason, add a concise justification comment in the api
repo and keep a minimal, targeted suppression here.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@hack/openapi-violation.list`:
- Around line 368-369: The new names_match suppressions for OpenShift-owned API
types (ImagePolicyPKIRootOfTrust with fields
CertificateAuthorityIntermediatesData and CertificateAuthorityRootsData) must be
validated: check the upstream github.com/openshift/api repo to confirm whether
these field/name mismatches were introduced by a companion API bump or are
compatibility-frozen; if the mismatch can be fixed in the owning API, remove the
suppression and open/point to that PR, otherwise add a brief comment in the
suppression list referencing the upstream PR or issue that makes this
unavoidable and include the owning API change identifier so reviewers can trace
the decision.
- Around line 668-669: The suppression entries in hack/openapi-violation.list
are hiding potential streaming-list json tag problems for the types
CompatibilityRequirementList (specifically its Items field) and its embedded
ListMeta in github.com/openshift/api/apiextensions/v1alpha1; locate the
CompatibilityRequirementList definition and its ListMeta and Items fields in the
companion api repo, correct their struct/json tags so they conform to
streaming-list requirements (fix the json tag on Items and ensure ListMeta is
properly tagged/embedded), then remove the corresponding suppression lines from
hack/openapi-violation.list; if a tag cannot be changed for a
backward-compatibility reason, add a concise justification comment in the api
repo and keep a minimal, targeted suppression here.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 75ace495-7a91-4c49-be63-fb5d0f35aeac

📥 Commits

Reviewing files that changed from the base of the PR and between 3588461 and a94a06b.

⛔ Files ignored due to path filters (1)

• pkg/openapi/zz_generated.openapi.go is excluded by !**/zz_generated*

📒 Files selected for processing (1)

• hack/openapi-violation.list

[ingvagabund]

/retest-required

[ingvagabund]

/retest-required

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Notes:

• Because of changing the way the OpenAPI names are generated the current "github.com/openshift/api..." entries under pkg/openapi/zz-generated.openapi.go are no longer sufficient. The new code expects REST friendly names of "com.github.openshift.api...." form. At the same time the original "github.com/openshift/api..." entries are still needed. Otherwise the following error is produced:

  F0312 15:38:36.881981       1 openshift_apiserver.go:435] unable to get openapi models: cannot find model definition for github.com/openshift/api/authorization/v1.LocalResourceAccessReview. If you added a new type, you may need to add +k8s:openapi-gen=true to the package or
  

type and run code-gen again

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **Chores**
* Updated Go toolchain to 1.25.0 and upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies
* Updated CI/build images to Go 1.25-based release and builder images
* Revised OpenAPI violation listings and related manifest adjustments

* **Refactor**
* Feature-gate and admission initialization are now version-aware
* Quota configuration now integrates Kubernetes informers

* **Tests**
* Watch tests emit bookmark events before real events to ensure correct sequencing
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Notes:

• Because of changing the way the OpenAPI names are generated the current "github.com/openshift/api..." entries under pkg/openapi/zz-generated.openapi.go are no longer sufficient. The new code expects REST friendly names of "com.github.openshift.api...." form. At the same time the original "github.com/openshift/api..." entries are still needed. Otherwise the following error is produced:

  F0312 15:38:36.881981       1 openshift_apiserver.go:435] unable to get openapi models: cannot find model definition for github.com/openshift/api/authorization/v1.LocalResourceAccessReview. If you added a new type, you may need to add +k8s:openapi-gen=true to the package or
  

type and run code-gen again

To generate the original OpenAPI names each OpenShift type needs to implement [k8s.io/kube-openapi/pkg/util.OpenAPIModelNamer interface](https://github.com/kubernetes/kubernetes/blob/master/vendor/k8s.io/kube-openapi/pkg/util/util.go#L99-L101):
```go
type OpenAPIModelNamer interface {
	OpenAPIModelName() string
}

Summary by CodeRabbit

• Chores

• Updated Go toolchain to 1.25.0 and upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI/build images to Go 1.25-based release and builder images

• Revised OpenAPI violation listings and related manifest adjustments

• Refactor

• Feature-gate and admission initialization are now version-aware

• Quota configuration now integrates Kubernetes informers

• Tests

• Watch tests emit bookmark events before real events to ensure correct sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Notes:

• Because of changing the way the OpenAPI names are generated the current "github.com/openshift/api..." entries under pkg/openapi/zz-generated.openapi.go are no longer sufficient. The new code expects REST friendly names of "com.github.openshift.api...." form. At the same time the original "github.com/openshift/api..." entries are still needed. Otherwise the following error is produced:

  F0312 15:38:36.881981       1 openshift_apiserver.go:435] unable to get openapi models: cannot find model definition for github.com/openshift/api/authorization/v1.LocalResourceAccessReview. If you added a new type, you may need to add +k8s:openapi-gen=true to the package or
  

type and run code-gen again

To generate the original OpenAPI names each OpenShift type needs to implement [k8s.io/kube-openapi/pkg/util.OpenAPIModelNamer interface](https://github.com/kubernetes/kubernetes/blob/master/vendor/k8s.io/kube-openapi/pkg/util/util.go#L99-L101):
```go
type OpenAPIModelNamer interface {
	OpenAPIModelName() string
}

Experimenting with updating vendor/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go by extending DefinitionNamer.DefinitionNamer to fallback to generating the REST friendly name in case the original entry is used helps yet it produces its own errors:

E0312 16:20:15.009308       1 fieldmanager.go:155] "[SHOULD NOT HAPPEN] failed to update managedFields" err=<
	failed to convert new object (openshift/jenkins-agent-base; image.openshift.io/v1, Kind=ImageStreamImport) to smd typed: errors:
	  .metadata: schema error: no type found matching: k8s.io~1apimachinery~1pkg~1apis~1meta~1v1.ObjectMeta
	  .spec: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportSpec
	  .status: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportStatus
> versionKind="/, Kind=" namespace="openshift" name="jenkins-agent-base"

Summary by CodeRabbit

• Chores

• Updated Go toolchain to 1.25.0 and upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI/build images to Go 1.25-based release and builder images

• Revised OpenAPI violation listings and related manifest adjustments

• Refactor

• Feature-gate and admission initialization are now version-aware

• Quota configuration now integrates Kubernetes informers

• Tests

• Watch tests emit bookmark events before real events to ensure correct sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Notes:

• Because of changing the way the OpenAPI names are generated the current "github.com/openshift/api..." entries under pkg/openapi/zz-generated.openapi.go are no longer sufficient. The new code expects REST friendly names of "com.github.openshift.api...." form. At the same time the original "github.com/openshift/api..." entries are still needed. Otherwise the following error is produced:

  F0312 15:38:36.881981       1 openshift_apiserver.go:435] unable to get openapi models: cannot find model definition for github.com/openshift/api/authorization/v1.LocalResourceAccessReview. If you added a new type, you may need to add +k8s:openapi-gen=true to the package or
  

type and run code-gen again

To generate the original OpenAPI names each OpenShift type needs to implement [k8s.io/kube-openapi/pkg/util.OpenAPIModelNamer interface](https://github.com/kubernetes/kubernetes/blob/master/vendor/k8s.io/kube-openapi/pkg/util/util.go#L99-L101):
```go
type OpenAPIModelNamer interface {
	OpenAPIModelName() string
}

Experimenting with updating vendor/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go by extending DefinitionNamer.DefinitionNamer to fallback to generating the REST friendly name in case the original entry is used helps yet it produces its own errors:

E0312 16:20:15.009308       1 fieldmanager.go:155] "[SHOULD NOT HAPPEN] failed to update managedFields" err=<
	failed to convert new object (openshift/jenkins-agent-base; image.openshift.io/v1, Kind=ImageStreamImport) to smd typed: errors:
	  .metadata: schema error: no type found matching: k8s.io~1apimachinery~1pkg~1apis~1meta~1v1.ObjectMeta
	  .spec: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportSpec
	  .status: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportStatus
> versionKind="/, Kind=" namespace="openshift" name="jenkins-agent-base"

This requires additional changes to escape / chars. TBD

• The alternative is to update the code to use the new REST friendly names only. Yet, that requires at least to update all schema_openshift_ functions in pkg/openapi/zz-generated.openapi.go. Question is whether this can introduce regressions?

Summary by CodeRabbit

• Chores

• Updated Go toolchain to 1.25.0 and upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI/build images to Go 1.25-based release and builder images

• Revised OpenAPI violation listings and related manifest adjustments

• Refactor

• Feature-gate and admission initialization are now version-aware

• Quota configuration now integrates Kubernetes informers

• Tests

• Watch tests emit bookmark events before real events to ensure correct sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ingvagabund
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ingvagabund]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/origin#30885

[ingvagabund]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn-builds openshift/origin#30885

[ingvagabund]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn openshift/origin#30885

[ingvagabund]

/testwith openshift/openshift-apiserver/main/e2e-aws-ovn-builds openshift/origin#30885

[ingvagabund]

/test e2e-aws-ovn

[ingvagabund]

/test e2e-aws-ovn-builds

[ingvagabund]

/retest-required

[openshift-ci-robot]

@ingvagabund: This pull request references CNTRLPLANE-2449 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Evidence for openshift/kubernetes-apiserver#84

Picking up #615

Notes:

• Because of changing the way the OpenAPI names are generated the current "github.com/openshift/api..." entries under pkg/openapi/zz-generated.openapi.go are no longer sufficient. The new code expects REST friendly names of "com.github.openshift.api...." form. At the same time the original "github.com/openshift/api..." entries are still needed. Otherwise the following error is produced:

  F0312 15:38:36.881981       1 openshift_apiserver.go:435] unable to get openapi models: cannot find model definition for github.com/openshift/api/authorization/v1.LocalResourceAccessReview. If you added a new type, you may need to add +k8s:openapi-gen=true to the package or
  

type and run code-gen again

To generate the original OpenAPI names each OpenShift type needs to implement [k8s.io/kube-openapi/pkg/util.OpenAPIModelNamer interface](https://github.com/kubernetes/kubernetes/blob/master/vendor/k8s.io/kube-openapi/pkg/util/util.go#L99-L101):
```go
type OpenAPIModelNamer interface {
	OpenAPIModelName() string
}

Experimenting with updating vendor/k8s.io/apiserver/pkg/endpoints/openapi/openapi.go by extending DefinitionNamer.DefinitionNamer to fallback to generating the REST friendly name in case the original entry is used helps yet it produces its own errors:

E0312 16:20:15.009308       1 fieldmanager.go:155] "[SHOULD NOT HAPPEN] failed to update managedFields" err=<
	failed to convert new object (openshift/jenkins-agent-base; image.openshift.io/v1, Kind=ImageStreamImport) to smd typed: errors:
	  .metadata: schema error: no type found matching: k8s.io~1apimachinery~1pkg~1apis~1meta~1v1.ObjectMeta
	  .spec: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportSpec
	  .status: schema error: no type found matching: github.com~1openshift~1api~1image~1v1.ImageStreamImportStatus
> versionKind="/, Kind=" namespace="openshift" name="jenkins-agent-base"

This requires additional changes to escape / chars. TBD

• The alternative is to update the code to use the new REST friendly names only. Yet, that requires at least to update all schema_openshift_ functions in pkg/openapi/zz-generated.openapi.go. Question is whether this can introduce regressions?

• Inconsistent JSON Pointer escaping when using GetDefinitionName results as schema map keys kubernetes/kube-openapi#580 needs to be fixed as well

Summary by CodeRabbit

• Chores

• Updated Go toolchain to 1.25.0 and upgraded Kubernetes, OpenShift, Prometheus, OpenTelemetry, and related dependencies

• Updated CI/build images to Go 1.25-based release and builder images

• Revised OpenAPI violation listings and related manifest adjustments

• Refactor

• Feature-gate and admission initialization are now version-aware

• Quota configuration now integrates Kubernetes informers

• Tests

• Watch tests emit bookmark events before real events to ensure correct sequencing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@ingvagabund: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	df60e1a	link	true	/test verify
ci/prow/verify-deps	df60e1a	link	true	/test verify-deps
ci/prow/go-verify-deps	df60e1a	link	true	/test go-verify-deps

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.