Skip to content

CNF-19617, CNF-21768, CNF-21832, CNF-22018: Sync from upstream (07-Apr-2026)#688

Closed
jzding wants to merge 23 commits intoopenshift:mainfrom
jzding:upstream-sync-2026-04-02
Closed

CNF-19617, CNF-21768, CNF-21832, CNF-22018: Sync from upstream (07-Apr-2026)#688
jzding wants to merge 23 commits intoopenshift:mainfrom
jzding:upstream-sync-2026-04-02

Conversation

@jzding
Copy link
Copy Markdown
Contributor

@jzding jzding commented Apr 2, 2026
edited by openshift-ci bot
Loading

Upstream PRs included

  • #206 CNF-21768: Add TLS adherence support (CNF-21768)
  • #203 update OWNERS
  • #202 Upgrade to Go 1.25 and update dependencies
  • #201 Expose system-level and base board hardware details in NodePtpDevice Status (CNF-21832)
  • #200 Update Dockerfile builder image
  • #198 Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
  • #197 CNF-19617: Add test coverage for clockClass verification when locking PTP source (CNF-19617,OCPBUGS-59883,OCPBUGS-66407)
  • #194 Set tls-profiles feature annotation to true in CSV
  • #192 Add must-gather collection to CI pipeline
  • #185 PTP CI: Add BC clock class recovery test for upstream link outage (CNF-22018)

Skipped PRs

  • #195 Configure AWS timeout to 2 hours for long jobs — manually skipped (SKIP_PRS)

jzding and others added 23 commits March 11, 2026 19:37
@jzding @claude
Set tls-profiles feature annotation to true in CSV
9b1e577 
The operator now honors the cluster-wide TLS security profile from the
APIServer CR, so declare this capability via the OLM feature annotation.

Signed-off-by: Jack Ding <jackding@gmail.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sshnaidm
Configure AWS timeout to 2 hours for long jobs
099076a
@edcdavid
Merge pull request openshift#195 from sshnaidm/fixjobtimeoutaws
179c8f8 
Configure AWS timeout to 2 hours for long jobs
@josephdrichard
Merge pull request openshift#194 from jzding/tls-profile
a13bcee 
Set tls-profiles feature annotation to true in CSV
@yaronh12
Add T-BC clock class recovery test for upstream link outage
da824bf
@edcdavid
Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
71b624a
@nocturnalastro
Merge pull request openshift#198 from edcdavid/fix-krp
a5cfda4 
Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
@yaronh12
Added must-gather collection to CI
06fec1f
@gtannous-spec
Expose system-level and base board hardware details in NodePtpDeviceS…
963e7f0 
…tatus
@nocturnalastro
Update Dockerfile builder image
5130c3d 
Move builder image to non-docker image so that we do not get hit with pull limits
@jzding
Merge pull request openshift#200 from nocturnalastro/update_go_base_i…
4ec2565 
…mage

Update Dockerfile builder image
@aabughosh
Add test coverage for clockClass verification when locking PTP source…
0096e6b 
… (OCPBUGS-59883, OCPBUGS-66407)
@jzding
Upgrade to Go 1.25 and update dependencies
0a19e33 
This is needed for TLSAdherence support.

- Upgrade from Go 1.24 to Go 1.25.0
- Update openshift/api to v0.0.0-20260318185450-1f2fa3f09f4e
- Update openshift/library-go to v0.0.0-20260318142011-72bf34f474bc
- Update openshift/controller-runtime-common to v0.0.0-20260318085703-1812aed6dbd2
- Upgrade sigs.k8s.io/controller-runtime from v0.22.5 to v0.23.3
- Upgrade k8s.io dependencies from v0.34.3 to v0.35.2
- Update l2discovery-lib from v0.0.21 to v0.1.0
- Update l2discovery image in CI test
- Fix webhook registrations for controller-runtime v0.23 generic API

Signed-off-by: Jack Ding <jackding@gmail.com>
@nocturnalastro
Merge pull request openshift#202 from jzding/tls-adherence
6427ac2 
Upgrade to Go 1.25 and update dependencies
@edcdavid
Merge pull request openshift#185 from yaronh12/test-tbc-cc-upgrade-to…
93d102f 
…-locked-after-degrading

PTP CI: Add BC clock class recovery test for upstream link outage
@edcdavid
Merge pull request openshift#192 from yaronh12/add-mustgather-to-ci
da35c41 
Add must-gather collection to CI pipeline
@jzding
update OWNERS
9d5a3f2 
Signed-off-by: Jack Ding <jackding@gmail.com>
@jzding
Merge pull request openshift#197 from aabughosh/addlocktest
7ae692d 
CNF-19617: Add test coverage for clockClass verification when locking PTP source
@gtannous-spec
Merge pull request openshift#201 from gtannous-spec/baseboard-info
158f56c 
Expose system-level and base board hardware details in NodePtpDevice Status
@jzding
Add TLS adherence support
b50744e 
Read the tlsAdherence policy from the APIServer CR and use
ShouldHonorClusterTLSProfile to conditionally apply the cluster
TLS profile. In Legacy mode (default), Go TLS defaults are used.
In Strict mode, the cluster-wide TLS profile is enforced on the
operator's webhook/metrics servers and on the daemon's
kube-rbac-proxy.

The SecurityProfileWatcher now also monitors adherence policy
changes and triggers a graceful restart when the policy changes.

Signed-off-by: Jack Ding <jackding@gmail.com>
@jzding
refactor: use nil TLSProfileSpec pointer to signal legacy TLS mode
47793bf 
Replace the separate TLSAdherencePolicy field on the reconciler
with a nil *TLSProfileSpec pointer pattern. When the pointer is
nil, legacy hardcoded ciphers are used. When non-nil, the cluster
TLS profile is applied. The adherence decision is made once in
main.go and expressed through the pointer value.

Signed-off-by: Jack Ding <jackding@gmail.com>
@nocturnalastro
Merge pull request openshift#203 from jzding/update-owners
08dd224 
update OWNERS
@jzding
Merge pull request openshift#206 from jzding/tls-adherence
ef75480 
CNF-21768: Add TLS adherence support
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 2, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 2, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Apr 2, 2026
edited by openshift-ci bot
Loading

@jzding: This pull request references CNF-19617 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21768 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21832 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-22018 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references Jira Issue OCPBUGS-59883, which is invalid:

  • expected the bug to be open, but it isn't
  • expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.18.z" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

This pull request references Jira Issue OCPBUGS-66407, which is invalid:

  • expected the bug to be open, but it isn't
  • expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Upstream PRs included

  • #206 CNF-21768: Add TLS adherence support (CNF-21768)
  • #203 update OWNERS
  • #202 Upgrade to Go 1.25 and update dependencies
  • #201 Expose system-level and base board hardware details in NodePtpDevice Status (CNF-21832)
  • #200 Update Dockerfile builder image
  • #198 Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
  • #197 CNF-19617: Add test coverage for clockClass verification when locking PTP source (CNF-19617,OCPBUGS-59883,OCPBUGS-66407)
  • #195 Configure AWS timeout to 2 hours for long jobs
  • #194 Set tls-profiles feature annotation to true in CSV
  • #192 Add must-gather collection to CI pipeline
  • #185 PTP CI: Add BC clock class recovery test for upstream link outage (CNF-22018)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Apr 2, 2026
edited by openshift-ci bot
Loading

@jzding: This pull request references CNF-19617 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21768 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21832 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-22018 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references Jira Issue OCPBUGS-59883, which is invalid:

  • expected the bug to be open, but it isn't
  • expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.18.z" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

This pull request references Jira Issue OCPBUGS-66407, which is invalid:

  • expected the bug to be open, but it isn't
  • expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.20.z" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Upstream PRs included

  • #206 CNF-21768: Add TLS adherence support (CNF-21768)
  • #203 update OWNERS
  • #202 Upgrade to Go 1.25 and update dependencies
  • #201 Expose system-level and base board hardware details in NodePtpDevice Status (CNF-21832)
  • #200 Update Dockerfile builder image
  • #198 Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
  • #197 CNF-19617: Add test coverage for clockClass verification when locking PTP source (CNF-19617,OCPBUGS-59883,OCPBUGS-66407)
  • #195 Configure AWS timeout to 2 hours for long jobs
  • #194 Set tls-profiles feature annotation to true in CSV
  • #192 Add must-gather collection to CI pipeline
  • #185 PTP CI: Add BC clock class recovery test for upstream link outage (CNF-22018)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from aneeshkp April 2, 2026 23:29
@openshift-ci openshift-ci bot requested a review from josephdrichard April 2, 2026 23:29
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Apr 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jzding

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 2, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Apr 2, 2026
edited
Loading

Walkthrough

This PR upgrades the Go toolchain from 1.24 to 1.25, adds SMBIOS/DMI system and base-board information fields to the NodePtpDevice API, updates webhook registration patterns, refactors TLS profile handling with adherence policy support, extends conformance tests for boundary clock clock class transitions, introduces new container images, and updates related manifests and dependencies.

Changes

Cohort / File(s) Summary
Go Toolchain and Dependencies
go.mod, Dockerfile, ptp-tools/Dockerfile.*		 Upgraded Go from 1.24.x to 1.25.x across build stages; updated Kubernetes and controller-runtime dependencies to v0.35.2 and v0.23.3 respectively; removed toolchain go1.24.1 directive and github.com/gogo/protobuf dependency.
API Type Definitions
api/v1/nodeptpdevice_types.go, api/v1/zz_generated.deepcopy.go		 Added new exported types SystemInfo and BaseBoardInfo with SMBIOS/DMI fields (manufacturer, productName, version, serialNumber, skuNumber, family); extended NodePtpDeviceStatus with optional pointers to these types; generated deepcopy methods for new types.
Webhook Registration
api/v1/ptpconfig_webhook.go, api/v1/ptpoperatorconfig_webhook.go		 Changed webhook builder pattern from ctrl.NewWebhookManagedBy(mgr).For(r).WithValidator(...) to ctrl.NewWebhookManagedBy(mgr, r).WithCustomValidator(...).
TLS Profile Handling
controllers/ptpoperatorconfig_controller.go, main.go		 Changed TLSProfileSpec field from concrete to pointer type (*configv1.TLSProfileSpec); added setTLSTemplateData helper with legacy cipher suite fallback; introduced TLS adherence policy fetching and conditional honor logic in main startup.
CRD Schema Updates
config/crd/bases/ptp.openshift.io_nodeptpdevices.yaml, bundle/manifests/ptp.openshift.io_nodeptpdevices.yaml, manifests/stable/ptp.openshift.io_nodeptpdevices.yaml		 Extended NodePtpDeviceStatus schema with baseBoardInfo and systemInfo objects containing SMBIOS/DMI string fields.
Container and Operator Manifests
bindata/linuxptp/ptp-daemon.yaml, config/prometheus/monitor.yaml		 Added conditional TLS cipher suites and min-version args to kube-rbac-proxy; added client certificate paths (certFile, keyFile) to Prometheus ServiceMonitor TLS config.
ClusterServiceVersion and Metadata
bundle/manifests/ptp-operator.clusterserviceversion.yaml, config/manifests/bases/ptp-operator.clusterserviceversion.yaml, manifests/stable/ptp-operator.clusterserviceversion.yaml		 Updated createdAt annotation timestamp and toggled features.operators.openshift.io/tls-profiles from "false" to "true".
OWNERS File
OWNERS		 Removed entire reviewers list; updated approvers list by removing aneeshkp and adding edcdavid, sebsoto.
TLS Profile Tests
controllers/tls_profile_test.go, controllers/tls_watcher_test.go		 Refactored test setup with makeTestRenderData() helper; added TestTLSProfileTemplateRendering_LegacyAdherence covering legacy cipher suite handling; added three unit tests for setTLSTemplateData covering intermediate, nil, and modern TLS profiles.
Conformance Tests
test/conformance/serial/ptp.go, test/pkg/ptptesthelper/ptptesthelper.go		 Added four new boundary-clock conformance specs verifying clock class transitions (6 ↔ 248) across single/dual-NIC and outage recovery scenarios; added event-based clock-class verification helpers; introduced PMC, metrics, and ptp4l config manipulation utilities in test helper package.
Test Infrastructure
scripts/k8s-start.sh, scripts/run-tests.sh, scripts/run-on-vm.sh, must-gather/collection-scripts/gather		 Added scheduling.k8s.io/v1 PriorityClass creation in cluster setup; added run_must_gather() and on_exit() handlers for automated must-gather collection; extended test runner with --must-gather-image and --debug-image flags; updated tcpdump invocation with per-command timeout wrapping.
Debug Tooling
ptp-tools/Dockerfile.debug, ptp-tools/Makefile		 Introduced new debug image based on CentOS Stream 9 with tcpdump; extended Makefile VALUES to include debug component for podman build/push/clean targets.
Test Configuration
test/pkg/testconfig/testconfig.go		 Updated L2 discovery image version from v14 to v15.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 2, 2026
@jzding jzding changed the title CNF-19617, CNF-21768, CNF-21832, CNF-22018, OCPBUGS-59883, OCPBUGS-66407: Sync from upstream (02-Apr-2026) CNF-19617, CNF-21768, CNF-21832, CNF-22018: Sync from upstream (02-Apr-2026) Apr 2, 2026
@openshift-ci-robot openshift-ci-robot removed jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 2, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Apr 2, 2026
edited by openshift-ci bot
Loading

@jzding: This pull request references CNF-19617 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21768 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21832 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-22018 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Upstream PRs included

  • #206 CNF-21768: Add TLS adherence support (CNF-21768)
  • #203 update OWNERS
  • #202 Upgrade to Go 1.25 and update dependencies
  • #201 Expose system-level and base board hardware details in NodePtpDevice Status (CNF-21832)
  • #200 Update Dockerfile builder image
  • #198 Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
  • #197 CNF-19617: Add test coverage for clockClass verification when locking PTP source (CNF-19617,OCPBUGS-59883,OCPBUGS-66407)
  • #195 Configure AWS timeout to 2 hours for long jobs
  • #194 Set tls-profiles feature annotation to true in CSV
  • #192 Add must-gather collection to CI pipeline
  • #185 PTP CI: Add BC clock class recovery test for upstream link outage (CNF-22018)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@github-actions github-actions bot force-pushed the upstream-sync-2026-04-02 branch from 9527173 to ef75480 Compare April 2, 2026 23:42
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 2, 2026
coderabbitai[bot]
coderabbitai bot reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
scripts/run-tests.sh (1)

28-43: ⚠️ Potential issue | 🟠 Major

DEBUG_IMAGE variable is used without initialization.

The DEBUG_IMAGE variable is used at line 127 but is never initialized with a default value. If --debug-image flag is not provided, the variable will be unset, causing the script to fail under set -u (nounset) at line 17.

🐛 Proposed fix to initialize DEBUG_IMAGE 
 LINUXPTP_DAEMON_IMAGE=""
 MUST_GATHER_IMAGE=""
+DEBUG_IMAGE=""
 
 while [[ $# -gt 0 ]]; do
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@scripts/run-tests.sh` around lines 28 - 43, Initialize DEBUG_IMAGE to a safe
default (e.g., empty string) so it is always defined under set -u; add
DEBUG_IMAGE="" alongside MUST_GATHER_IMAGE="" near the top initialization block
and ensure the existing --debug-image case in the argument parser still assigns
to DEBUG_IMAGE, or alternatively add a guard/fallback check before any use of
DEBUG_IMAGE (referencing the DEBUG_IMAGE variable and the --debug-image case in
the argument parsing logic).
🧹 Nitpick comments (4)
ptp-tools/Dockerfile.cep (1)

14-22: Consider adding a non-root USER directive in the runtime stage.

The runtime stage runs as root by default. Other similar Dockerfiles in this PR (e.g., ptp-tools/Dockerfile.krp) properly set USER 65534 for the runtime stage.

🔒 Proposed fix to run as non-root 
 FROM quay.io/centos/centos:stream9
 COPY --from=builder /go/src/github.com/redhat-cne/cloud-event-proxy/build/cloud-event-proxy /
 COPY --from=builder /go/src/github.com/redhat-cne/cloud-event-proxy/plugins/*.so /plugins/
 LABEL io.k8s.display-name="Cloud Event Proxy" \
       io.k8s.description="This is a component of OpenShift Container Platform and provides a side car to handle cloud events." \
       io.openshift.tags="openshift" \
       maintainer="PTP Team <ptp-dev@redhat.com>"

+USER 65534
 ENTRYPOINT ["./cloud-event-proxy"]
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@ptp-tools/Dockerfile.cep` around lines 14 - 22, The runtime stage currently
runs as root; add a non-root user directive (e.g., USER 65534) in the runtime
stage to match other Dockerfiles: place the USER 65534 line after the COPY
directives (after copying /cloud-event-proxy and /plugins/) and before
ENTRYPOINT ["./cloud-event-proxy"]; ensure the binary and /plugins are
readable/executable by that UID (adjust ownership or permissions in the build
stage or via chown/chmod before switching user) so the service runs as non-root.
Dockerfile (1)

9-20: Runtime stage runs as root - consider adding a non-root USER directive.

The runtime stage lacks a USER directive, so the container runs as root. This is flagged by static analysis (DS-0002). Adding a non-root user improves security posture.

🔒 Proposed fix to run as non-root 
 FROM quay.io/centos/centos:stream9
 COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/ptp-operator/build/_output/bin/ptp-operator /usr/local/bin/
 COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/ptp-operator/manifests /manifests
 COPY bindata /bindata

 LABEL io.k8s.display-name="OpenShift ptp-operator" \
       io.k8s.description="This is a component that manages cluster PTP configuration." \
       io.openshift.tags="openshift,ptp" \
       com.redhat.delivery.appregistry=true \
       maintainer="PTP Team <ptp-dev@redhat.com>"

+USER 65534
 ENTRYPOINT ["/usr/local/bin/ptp-operator"]
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 9 - 20, The Dockerfile runtime stage currently runs
as root (no USER set) which triggers DS-0002; create a non-root user (e.g.,
ptpuser) and group in the runtime stage, chown the copied artifacts
(/usr/local/bin/ptp-operator, /manifests, /bindata) to that user, and add a USER
ptpuser directive before the ENTRYPOINT to run /usr/local/bin/ptp-operator
without root privileges; update any file permissions as needed so the operator
can read/execute its files under the new user.
ptp-tools/Dockerfile.ptpop (1)

2-2: Consider adding --no-install-recommends flag.

Adding --no-install-recommends reduces image size by skipping optional packages.

♻️ Proposed improvement 
-RUN apt-get update && apt-get install -y binutils-gold && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends binutils-gold && rm -rf /var/lib/apt/lists/*
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@ptp-tools/Dockerfile.ptpop` at line 2, Update the Dockerfile RUN line that
currently reads "RUN apt-get update && apt-get install -y binutils-gold && rm
-rf /var/lib/apt/lists/*" to include the --no-install-recommends flag so
optional packages aren't pulled in; keep the apt-get update and the existing
cleanup (rm -rf /var/lib/apt/lists/*) intact and ensure the flag is placed after
apt-get install -y (i.e., apt-get install -y --no-install-recommends
binutils-gold).
ptp-tools/Dockerfile.lptpd (1)

9-20: Consider adding a non-root user (optional).

Static analysis flags that the container runs as root. However, given this is a PTP daemon requiring privileged hardware access (PHC devices, network interfaces), running as root may be intentional. If the daemon can operate with reduced privileges for any operations, consider adding a non-root user.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@ptp-tools/Dockerfile.lptpd` around lines 9 - 20, The Dockerfile currently
runs the ptp daemon as root via CMD ["/usr/local/bin/ptp"]; add a non-root user
and switch to it where possible by creating a user/group (e.g., ptpuser),
chowning the installed binary and any runtime dirs to that user, and adding a
USER ptpuser directive before CMD; ensure you preserve required privileged
access (PHC/network) by only switching to non-root if /usr/local/bin/ptp and its
runtime resources are owned by ptpuser or if capabilities are set appropriately
so the daemon can still bind to needed devices.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@api/v1/ptpoperatorconfig_webhook.go`:
- Around line 37-42: Update the webhook registration to stop using the
deprecated WithCustomValidator and switch to WithValidator: in the
SetupWebhookWithManager function of PtpOperatorConfig replace the call to
WithCustomValidator(&ptpOperatorConfigValidator{}) with
WithValidator(&ptpOperatorConfigValidator{}), and make the analogous change in
api/v1/ptpconfig_webhook.go (the SetupWebhookWithManager there) replacing
WithCustomValidator usage for its validator with WithValidator to match
controller-runtime v0.23.3.

In `@controllers/tls_profile_test.go`:
- Around line 133-137: The test's hard-coded TLS cipher list in
tls_profile_test.go (data.Data["TLSCipherSuites"]) does not match the
legacyCipherSuites constant in controllers/ptpoperatorconfig_controller.go (the
5th entry differs); update the test to use the same values as
legacyCipherSuites—either by importing/reference that constant into the test or
by replacing the hard-coded entries so they exactly match legacyCipherSuites
(and do the same replacement for the second occurrence around lines 167-172) to
prevent drift.

In `@ptp-tools/Dockerfile.ptpop`:
- Line 4: The Dockerfile contains a suspicious COPY instruction "COPY .. ." that
copies the parent directory into the build context; replace it with "COPY . ."
so the current build context is copied instead (locate the COPY .. . line in the
Dockerfile.ptpop and update it to COPY . .). Ensure the build context actually
contains the intended files and that no parent-dir artifacts are required before
committing the change.

In `@test/conformance/serial/ptp.go`:
- Around line 2098-2099: The test uses waitForClockClass which returns as soon
as any ptp4l instance reaches 6, allowing DualNICBoundaryClock* to pass while
the other BC is still degraded; replace the single waitForClockClass(fullConfig,
...) call with the per-config helpers in test/pkg/ptptesthelper/ptptesthelper.go
so you explicitly assert each boundary-clock config recovers to ClockClass6
(i.e., call the ptptesthelper check for each BC instance or loop over both
configs), ensuring both NIC instances reach fbprotocol.ClockClass6 rather than
relying on a single global success.

---

Outside diff comments:
In `@scripts/run-tests.sh`:
- Around line 28-43: Initialize DEBUG_IMAGE to a safe default (e.g., empty
string) so it is always defined under set -u; add DEBUG_IMAGE="" alongside
MUST_GATHER_IMAGE="" near the top initialization block and ensure the existing
--debug-image case in the argument parser still assigns to DEBUG_IMAGE, or
alternatively add a guard/fallback check before any use of DEBUG_IMAGE
(referencing the DEBUG_IMAGE variable and the --debug-image case in the argument
parsing logic).

---

Nitpick comments:
In `@Dockerfile`:
- Around line 9-20: The Dockerfile runtime stage currently runs as root (no USER
set) which triggers DS-0002; create a non-root user (e.g., ptpuser) and group in
the runtime stage, chown the copied artifacts (/usr/local/bin/ptp-operator,
/manifests, /bindata) to that user, and add a USER ptpuser directive before the
ENTRYPOINT to run /usr/local/bin/ptp-operator without root privileges; update
any file permissions as needed so the operator can read/execute its files under
the new user.

In `@ptp-tools/Dockerfile.cep`:
- Around line 14-22: The runtime stage currently runs as root; add a non-root
user directive (e.g., USER 65534) in the runtime stage to match other
Dockerfiles: place the USER 65534 line after the COPY directives (after copying
/cloud-event-proxy and /plugins/) and before ENTRYPOINT ["./cloud-event-proxy"];
ensure the binary and /plugins are readable/executable by that UID (adjust
ownership or permissions in the build stage or via chown/chmod before switching
user) so the service runs as non-root.

In `@ptp-tools/Dockerfile.lptpd`:
- Around line 9-20: The Dockerfile currently runs the ptp daemon as root via CMD
["/usr/local/bin/ptp"]; add a non-root user and switch to it where possible by
creating a user/group (e.g., ptpuser), chowning the installed binary and any
runtime dirs to that user, and adding a USER ptpuser directive before CMD;
ensure you preserve required privileged access (PHC/network) by only switching
to non-root if /usr/local/bin/ptp and its runtime resources are owned by ptpuser
or if capabilities are set appropriately so the daemon can still bind to needed
devices.

In `@ptp-tools/Dockerfile.ptpop`:
- Line 2: Update the Dockerfile RUN line that currently reads "RUN apt-get
update && apt-get install -y binutils-gold && rm -rf /var/lib/apt/lists/*" to
include the --no-install-recommends flag so optional packages aren't pulled in;
keep the apt-get update and the existing cleanup (rm -rf /var/lib/apt/lists/*)
intact and ensure the flag is placed after apt-get install -y (i.e., apt-get
install -y --no-install-recommends binutils-gold).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 65ed3265-a92f-4d02-a673-b03acf2ea072

📥 Commits

Reviewing files that changed from the base of the PR and between 3c0739e and ef75480.

⛔ Files ignored due to path filters (267)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/gogo/protobuf/AUTHORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/text.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_insights.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_backup.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/types_insights.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/zz_generated.prerelease-lifecycle.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/toleration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/events/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/extensions/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/extensions/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/extensions/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/extensions/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
📒 Files selected for processing (33)
  • .github/workflows/aws-ci.yaml
  • Dockerfile
  • OWNERS
  • api/v1/nodeptpdevice_types.go
  • api/v1/ptpconfig_webhook.go
  • api/v1/ptpoperatorconfig_webhook.go
  • api/v1/zz_generated.deepcopy.go
  • bindata/linuxptp/ptp-daemon.yaml
  • bundle/manifests/ptp-operator.clusterserviceversion.yaml
  • bundle/manifests/ptp.openshift.io_nodeptpdevices.yaml
  • config/crd/bases/ptp.openshift.io_nodeptpdevices.yaml
  • config/manifests/bases/ptp-operator.clusterserviceversion.yaml
  • config/prometheus/monitor.yaml
  • controllers/ptpoperatorconfig_controller.go
  • controllers/tls_profile_test.go
  • controllers/tls_watcher_test.go
  • go.mod
  • main.go
  • manifests/stable/ptp-operator.clusterserviceversion.yaml
  • manifests/stable/ptp.openshift.io_nodeptpdevices.yaml
  • must-gather/collection-scripts/gather
  • ptp-tools/Dockerfile.cep
  • ptp-tools/Dockerfile.debug
  • ptp-tools/Dockerfile.krp
  • ptp-tools/Dockerfile.lptpd
  • ptp-tools/Dockerfile.ptpop
  • ptp-tools/Makefile
  • scripts/k8s-start.sh
  • scripts/run-on-vm.sh
  • scripts/run-tests.sh
  • test/conformance/serial/ptp.go
  • test/pkg/ptptesthelper/ptptesthelper.go
  • test/pkg/testconfig/testconfig.go

api/v1/ptpoperatorconfig_webhook.go
Comment on lines 37 to 42
func (r *PtpOperatorConfig) SetupWebhookWithManager(mgr ctrl.Manager, client client.Client) error {
k8sclient = client
return ctrl.NewWebhookManagedBy(mgr).
For(r).
WithValidator(&ptpOperatorConfigValidator{}).
return ctrl.NewWebhookManagedBy(mgr, r).
WithCustomValidator(&ptpOperatorConfigValidator{}).
Complete()
}
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify controller-runtime version supports this API pattern
echo "=== Checking controller-runtime version ==="
grep -E 'sigs.k8s.io/controller-runtime' go.mod | head -5

echo ""
echo "=== Verify CustomValidator interface usage in codebase ==="
rg -n 'WithCustomValidator' --type go -C2

Repository: openshift/ptp-operator

Length of output: 3193

Replace deprecated WithCustomValidator with WithValidator.

The code uses WithCustomValidator(), which is deprecated in controller-runtime v0.23.3 (line 84 of vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go marks it as deprecated with recommendation to use WithValidator instead). Update the webhook registration to use the non-deprecated WithValidator() method. The same issue exists in api/v1/ptpconfig_webhook.go line 60.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@api/v1/ptpoperatorconfig_webhook.go` around lines 37 - 42, Update the webhook
registration to stop using the deprecated WithCustomValidator and switch to
WithValidator: in the SetupWebhookWithManager function of PtpOperatorConfig
replace the call to WithCustomValidator(&ptpOperatorConfigValidator{}) with
WithValidator(&ptpOperatorConfigValidator{}), and make the analogous change in
api/v1/ptpconfig_webhook.go (the SetupWebhookWithManager there) replacing
WithCustomValidator usage for its validator with WithValidator to match
controller-runtime v0.23.3.

@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 2, 2026
@jzding
Copy link
Copy Markdown
Contributor Author

jzding commented Apr 3, 2026

/retest-required

@github-actions github-actions bot force-pushed the upstream-sync-2026-04-02 branch from 9527173 to ef75480 Compare April 3, 2026 03:17
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 3, 2026
@jzding jzding force-pushed the upstream-sync-2026-04-02 branch from ef75480 to c004468 Compare April 7, 2026 14:30
@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 7, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Apr 7, 2026
edited by openshift-ci bot
Loading

@jzding: This pull request references CNF-19617 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21768 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21832 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-22018 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Upstream PRs included

  • #206 CNF-21768: Add TLS adherence support (CNF-21768)
  • #203 update OWNERS
  • #202 Upgrade to Go 1.25 and update dependencies
  • #201 Expose system-level and base board hardware details in NodePtpDevice Status (CNF-21832)
  • #200 Update Dockerfile builder image
  • #198 Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
  • #197 CNF-19617: Add test coverage for clockClass verification when locking PTP source (CNF-19617,OCPBUGS-59883,OCPBUGS-66407)
  • #194 Set tls-profiles feature annotation to true in CSV
  • #192 Add must-gather collection to CI pipeline
  • #185 PTP CI: Add BC clock class recovery test for upstream link outage (CNF-22018)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Apr 7, 2026
edited by openshift-ci bot
Loading

@jzding: This pull request references CNF-19617 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21768 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21832 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-22018 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Upstream PRs included

  • #206 CNF-21768: Add TLS adherence support (CNF-21768)
  • #203 update OWNERS
  • #202 Upgrade to Go 1.25 and update dependencies
  • #201 Expose system-level and base board hardware details in NodePtpDevice Status (CNF-21832)
  • #200 Update Dockerfile builder image
  • #198 Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
  • #197 CNF-19617: Add test coverage for clockClass verification when locking PTP source (CNF-19617,OCPBUGS-59883,OCPBUGS-66407)
  • #194 Set tls-profiles feature annotation to true in CSV
  • #192 Add must-gather collection to CI pipeline
  • #185 PTP CI: Add BC clock class recovery test for upstream link outage (CNF-22018)

Skipped PRs

  • #195 Configure AWS timeout to 2 hours for long jobs — manually skipped (SKIP_PRS)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

1 similar comment
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Apr 7, 2026
edited by openshift-ci bot
Loading

@jzding: This pull request references CNF-19617 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21768 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-21832 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references CNF-22018 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Upstream PRs included

  • #206 CNF-21768: Add TLS adherence support (CNF-21768)
  • #203 update OWNERS
  • #202 Upgrade to Go 1.25 and update dependencies
  • #201 Expose system-level and base board hardware details in NodePtpDevice Status (CNF-21832)
  • #200 Update Dockerfile builder image
  • #198 Update Dockerfile.krp to use Go version 1.25.7 for the builder stage
  • #197 CNF-19617: Add test coverage for clockClass verification when locking PTP source (CNF-19617,OCPBUGS-59883,OCPBUGS-66407)
  • #194 Set tls-profiles feature annotation to true in CSV
  • #192 Add must-gather collection to CI pipeline
  • #185 PTP CI: Add BC clock class recovery test for upstream link outage (CNF-22018)

Skipped PRs

  • #195 Configure AWS timeout to 2 hours for long jobs — manually skipped (SKIP_PRS)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jzding jzding changed the title CNF-19617, CNF-21768, CNF-21832, CNF-22018: Sync from upstream (02-Apr-2026) CNF-19617, CNF-21768, CNF-21832, CNF-22018: Sync from upstream (07-Apr-2026) Apr 7, 2026
coderabbitai[bot]
coderabbitai bot reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
ptp-tools/Dockerfile.ptpop (1)

4-4: ⚠️ Potential issue | 🔴 Critical

COPY .. . remains a build-break risk.

This still looks like a parent-path copy and can fail with “outside build context” depending on how the build context is passed.

To verify whether this is currently safe in repo workflows, inspect where this Dockerfile is built and what context path is used:

#!/bin/bash
set -euo pipefail

# Find all references to this Dockerfile and ptpop image build invocations
rg -n -C3 'Dockerfile\.ptpop|ptpop' 

# Confirm the Dockerfile instruction in question
rg -n -C2 '^\s*COPY\s+\.\.\s+\.' ptp-tools/Dockerfile.ptpop

Expected result: if build commands use context . (repo root) or .. (from ptp-tools), COPY .. . is typically invalid and should be replaced with a context-relative path.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@ptp-tools/Dockerfile.ptpop` at line 4, The Dockerfile.ptpop contains a risky
instruction "COPY .. ." that can fail when the build context doesn't include the
parent directory; replace that instruction with a context-relative COPY (e.g.,
COPY <relative-source-dir> .) that references files inside the declared build
context, or alternatively change the build invocation that targets
Dockerfile.ptpop to set the correct build context (so the parent path is
actually inside the context). Update the Dockerfile.ptpop COPY line to point to
the specific directory or files needed instead of "..", and ensure any
CI/workflow step that builds the ptpop image uses the matching context so the
COPY path is valid.
🧹 Nitpick comments (3)
go.mod (1)

108-110: Update the replace-rationale comment to current versions.

The note still references controller-runtime v0.22.5 and k8s 0.34.x, but this file now uses v0.23.3 and 0.35.x.

Suggested diff 
-// the v6 required by controller-runtime v0.22.5 and other k8s 0.34.x deps. Pin to newer
+// the v6 required by controller-runtime v0.23.3 and other k8s 0.35.x deps. Pin to newer
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 108 - 110, Update the replace-rationale comment in
go.mod to reflect current versions: change the referenced controller-runtime
version from v0.22.5 to v0.23.3 and Kubernetes from 0.34.x to 0.35.x, keeping
the rest of the explanation about pinning to commits that use
structured-merge-diff/v6 and the note about removals once openshift/client-go
and openshift/api publish compatible tagged releases; edit the comment block
that currently mentions "controller-runtime v0.22.5 and other k8s 0.34.x deps"
so it instead reads "controller-runtime v0.23.3 and other k8s 0.35.x deps" (no
code changes needed).
ptp-tools/Dockerfile.ptpop (1)

2-2: Harden apt install to reduce unnecessary packages.

Consider adding --no-install-recommends to keep the builder layer smaller and reduce package surface area.

Suggested diff 
-RUN apt-get update && apt-get install -y binutils-gold && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends binutils-gold && rm -rf /var/lib/apt/lists/*
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@ptp-tools/Dockerfile.ptpop` at line 2, The apt-get install line in the
Dockerfile RUN instruction should be hardened by adding --no-install-recommends
to apt-get install so it doesn't pull recommended (unnecessary) packages; modify
the RUN that currently invokes apt-get update && apt-get install -y
binutils-gold && rm -rf /var/lib/apt/lists/* to include --no-install-recommends
in the apt-get install invocation to keep the builder layer smaller and reduce
package surface area.
ptp-tools/Dockerfile.debug (1)

1-2: Clarify root-user intent for the debug image.

This image defaults to root. If root is required for tcpdump, document/enforce that usage scope; otherwise set a non-root USER to reduce blast radius.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@ptp-tools/Dockerfile.debug` around lines 1 - 2, The Dockerfile.debug
currently runs as root to install tcpdump; decide whether root is intentional or
not: if tcpdump must run as root, document this intent in the image (e.g., add a
LABEL or comment indicating root is required for packet capture) and explicitly
keep/clarify running as root; otherwise create a non-root user in
Dockerfile.debug (e.g., add a dedicated user, adjust ownership for any needed
files, and set USER to that non-root account) so the debug image does not
default to root — references: Dockerfile.debug, tcpdump, and the USER directive.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@must-gather/collection-scripts/gather`:
- Around line 25-26: The --debug-image case branch currently does unguarded
"shift 2" and can loop forever or accept a following flag as the value; update
the '--debug-image)' case in the gather script to first verify there is a next
argument and that "$2" is not another option (e.g., non-empty and does not start
with '-'); if the check passes set DEBUG_IMAGE="$2" and shift 2, otherwise print
a clear error message and exit with a non-zero status so the parser cannot spin
or accept a flag as the image.

---

Duplicate comments:
In `@ptp-tools/Dockerfile.ptpop`:
- Line 4: The Dockerfile.ptpop contains a risky instruction "COPY .. ." that can
fail when the build context doesn't include the parent directory; replace that
instruction with a context-relative COPY (e.g., COPY <relative-source-dir> .)
that references files inside the declared build context, or alternatively change
the build invocation that targets Dockerfile.ptpop to set the correct build
context (so the parent path is actually inside the context). Update the
Dockerfile.ptpop COPY line to point to the specific directory or files needed
instead of "..", and ensure any CI/workflow step that builds the ptpop image
uses the matching context so the COPY path is valid.

---

Nitpick comments:
In `@go.mod`:
- Around line 108-110: Update the replace-rationale comment in go.mod to reflect
current versions: change the referenced controller-runtime version from v0.22.5
to v0.23.3 and Kubernetes from 0.34.x to 0.35.x, keeping the rest of the
explanation about pinning to commits that use structured-merge-diff/v6 and the
note about removals once openshift/client-go and openshift/api publish
compatible tagged releases; edit the comment block that currently mentions
"controller-runtime v0.22.5 and other k8s 0.34.x deps" so it instead reads
"controller-runtime v0.23.3 and other k8s 0.35.x deps" (no code changes needed).

In `@ptp-tools/Dockerfile.debug`:
- Around line 1-2: The Dockerfile.debug currently runs as root to install
tcpdump; decide whether root is intentional or not: if tcpdump must run as root,
document this intent in the image (e.g., add a LABEL or comment indicating root
is required for packet capture) and explicitly keep/clarify running as root;
otherwise create a non-root user in Dockerfile.debug (e.g., add a dedicated
user, adjust ownership for any needed files, and set USER to that non-root
account) so the debug image does not default to root — references:
Dockerfile.debug, tcpdump, and the USER directive.

In `@ptp-tools/Dockerfile.ptpop`:
- Line 2: The apt-get install line in the Dockerfile RUN instruction should be
hardened by adding --no-install-recommends to apt-get install so it doesn't pull
recommended (unnecessary) packages; modify the RUN that currently invokes
apt-get update && apt-get install -y binutils-gold && rm -rf
/var/lib/apt/lists/* to include --no-install-recommends in the apt-get install
invocation to keep the builder layer smaller and reduce package surface area.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8fc2d9f6-11de-46c8-8543-0036b7e8604b

📥 Commits

Reviewing files that changed from the base of the PR and between ef75480 and c004468.

⛔ Files ignored due to path filters (253)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/gogo/protobuf/AUTHORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/text.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_insights.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_backup.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/types_insights.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admission/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/admissionregistration/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apidiscovery/v2beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apiserverinternal/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/apps/v1beta2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authentication/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/authorization/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/autoscaling/v2beta2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/batch/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1alpha1/zz_generated.prerelease-lifecycle.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/certificates/v1beta1/zz_generated.prerelease-lifecycle.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1alpha2/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/coordination/v1beta1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/toleration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/core/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/types_swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1/zz_generated.model_name.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/generated.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/k8s.io/api/discovery/v1beta1/types.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (32)
  • Dockerfile
  • OWNERS
  • api/v1/nodeptpdevice_types.go
  • api/v1/ptpconfig_webhook.go
  • api/v1/ptpoperatorconfig_webhook.go
  • api/v1/zz_generated.deepcopy.go
  • bindata/linuxptp/ptp-daemon.yaml
  • bundle/manifests/ptp-operator.clusterserviceversion.yaml
  • bundle/manifests/ptp.openshift.io_nodeptpdevices.yaml
  • config/crd/bases/ptp.openshift.io_nodeptpdevices.yaml
  • config/manifests/bases/ptp-operator.clusterserviceversion.yaml
  • config/prometheus/monitor.yaml
  • controllers/ptpoperatorconfig_controller.go
  • controllers/tls_profile_test.go
  • controllers/tls_watcher_test.go
  • go.mod
  • main.go
  • manifests/stable/ptp-operator.clusterserviceversion.yaml
  • manifests/stable/ptp.openshift.io_nodeptpdevices.yaml
  • must-gather/collection-scripts/gather
  • ptp-tools/Dockerfile.cep
  • ptp-tools/Dockerfile.debug
  • ptp-tools/Dockerfile.krp
  • ptp-tools/Dockerfile.lptpd
  • ptp-tools/Dockerfile.ptpop
  • ptp-tools/Makefile
  • scripts/k8s-start.sh
  • scripts/run-on-vm.sh
  • scripts/run-tests.sh
  • test/conformance/serial/ptp.go
  • test/pkg/ptptesthelper/ptptesthelper.go
  • test/pkg/testconfig/testconfig.go
✅ Files skipped from review due to trivial changes (8)
  • config/prometheus/monitor.yaml
  • ptp-tools/Dockerfile.krp
  • api/v1/ptpoperatorconfig_webhook.go
  • bundle/manifests/ptp-operator.clusterserviceversion.yaml
  • config/manifests/bases/ptp-operator.clusterserviceversion.yaml
  • controllers/tls_watcher_test.go
  • bundle/manifests/ptp.openshift.io_nodeptpdevices.yaml
  • api/v1/nodeptpdevice_types.go
🚧 Files skipped from review as they are similar to previous changes (12)
  • scripts/run-on-vm.sh
  • bindata/linuxptp/ptp-daemon.yaml
  • ptp-tools/Makefile
  • manifests/stable/ptp-operator.clusterserviceversion.yaml
  • OWNERS
  • manifests/stable/ptp.openshift.io_nodeptpdevices.yaml
  • api/v1/ptpconfig_webhook.go
  • test/conformance/serial/ptp.go
  • controllers/tls_profile_test.go
  • scripts/run-tests.sh
  • api/v1/zz_generated.deepcopy.go
  • test/pkg/ptptesthelper/ptptesthelper.go

must-gather/collection-scripts/gather
Comment on lines +25 to +26
--debug-image)
DEBUG_IMAGE="$2"; shift 2 ;;
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n must-gather/collection-scripts/gather | head -60

Repository: openshift/ptp-operator

Length of output: 1903

🏁 Script executed:

#!/bin/bash
# Test shift behavior in bash

# Test 1: shift 2 when only 1 parameter available
echo "=== Test 1: shift 2 with 1 parameter ==="
set -- "arg1"
echo "Before: \$# = $#"
shift 2
SHIFT_EXITCODE=$?
echo "After: \$# = $#, shift exit code = $SHIFT_EXITCODE"

# Test 2: Simulating the loop scenario
echo ""
echo "=== Test 2: Loop scenario with --debug-image at end ==="
set -- "--debug-image"
iteration=0
while [[ $# -gt 0 && $iteration -lt 5 ]]; do
  iteration=$((iteration+1))
  echo "Iteration $iteration: \$# = $#, \$1 = $1"
  case "$1" in
    --debug-image=*)
      echo "  Matched --debug-image="
      shift ;;
    --debug-image)
      echo "  Matched --debug-image (no value)"
      shift 2
      echo "  After shift 2: \$# = $#"
      ;;
    *)
      shift ;;
  esac
done
echo "Loop exited. Final iteration count: $iteration"

# Test 3: Simulating with flag following --debug-image
echo ""
echo "=== Test 3: Loop scenario with flag following --debug-image ==="
set -- "--debug-image" "--other"
iteration=0
while [[ $# -gt 0 && $iteration -lt 5 ]]; do
  iteration=$((iteration+1))
  echo "Iteration $iteration: \$# = $#, \$1 = $1, \$2 = $2"
  case "$1" in
    --debug-image=*)
      echo "  Matched --debug-image="
      shift ;;
    --debug-image)
      echo "  Matched --debug-image, \$2 = $2"
      shift 2
      echo "  After shift 2: \$# = $#"
      ;;
    *)
      shift ;;
  esac
done
echo "Loop exited."

Repository: openshift/ptp-operator

Length of output: 940

Guard missing --debug-image values to avoid an infinite argument-parse loop

Line 26 does shift 2 without validating that a value exists. If --debug-image is the final argument, shift fails silently and $# remains unchanged, causing the loop at Line 21 to spin indefinitely. Additionally, if --debug-image is followed by another flag, that flag becomes the DEBUG_IMAGE value without error.

Proposed fix 
   case "$1" in
     --debug-image=*)
       DEBUG_IMAGE="${1#--debug-image=}"; shift ;;
     --debug-image)
+      if [[ $# -lt 2 || "$2" == --* ]]; then
+        echo "ERROR: --debug-image requires a value" >&2
+        exit 2
+      fi
       DEBUG_IMAGE="$2"; shift 2 ;;
     *)
       shift ;;
   esac
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@must-gather/collection-scripts/gather` around lines 25 - 26, The
--debug-image case branch currently does unguarded "shift 2" and can loop
forever or accept a following flag as the value; update the '--debug-image)'
case in the gather script to first verify there is a next argument and that "$2"
is not another option (e.g., non-empty and does not start with '-'); if the
check passes set DEBUG_IMAGE="$2" and shift 2, otherwise print a clear error
message and exit with a non-zero status so the parser cannot spin or accept a
flag as the image.

@github-actions github-actions bot force-pushed the upstream-sync-2026-04-02 branch from c004468 to ef75480 Compare April 7, 2026 15:19
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 7, 2026
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Apr 7, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Apr 7, 2026

@jzding: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn ef75480 link true /test e2e-aws-ovn
ci/prow/bundle-check ef75480 link true /test bundle-check
ci/prow/images ef75480 link true /test images
ci/prow/verify-deps ef75480 link true /test verify-deps
ci/prow/gofmt ef75480 link true /test gofmt
ci/prow/govet ef75480 link true /test govet
ci/prow/operator-e2e ef75480 link true /test operator-e2e
ci/prow/security ef75480 link false /test security
ci/prow/ci-index ef75480 link true /test ci-index

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jzding jzding closed this Apr 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@aneeshkp aneeshkp Awaiting requested review from aneeshkp

@josephdrichard josephdrichard Awaiting requested review from josephdrichard

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@jzding @openshift-ci-robot @sshnaidm @edcdavid @josephdrichard @yaronh12 @nocturnalastro @gtannous-spec @aabughosh