CNTRLPLANE-2947: Enable configurable PKI for signing CA and serving certificates#327

Merged
openshift-merge-bot[bot] merged 3 commits into openshift:main from sanchezl:pki-config on Apr 6, 2026

Conversation

sanchezl (Contributor) commented Mar 11, 2026

Overview

Wires configurable PKI support into the service-ca-operator, enabling the signing CA and per-service serving certificates to use key algorithms configured via the PKI cluster resource when the ConfigurablePKI feature gate is enabled. When the gate is off, behavior is unchanged.

Depends on library-go#2127.

Changes

Operator (pkg/operator/)

  • operator.go: Added configurablePKIEnabled bool and pkiProvider fields. Constructor checks the feature gate once at startup and conditionally wires the PKI informer and lister-based provider.
  • sync_common.go: initializeSigningSecret branches on configurablePKIEnabled — resolves signer key config via pki.ResolveCertificateConfig and calls crypto.NewSigningCertificate, or falls back to crypto.MakeSelfSignedCAConfig.
  • rotate.go: Same branching in rotateSigningCA. Widened *rsa.PrivateKey → crypto.Signer throughout (maybeRotateSigningSecret, rotateSigningCA, createIntermediateCACert) for algorithm agnosticism.
  • starter.go: Passes resolved featureGates to NewServiceCAOperator.

Controller (pkg/controller/servingcert/)

  • serving_cert_issuer.go (new): Extracted servingCertIssuer struct holding ca, intermediateCACert, dnsSuffix, certificateLifetime, configurablePKIEnabled, and pkiProvider. Provides makeServingCert and toRequiredSecret methods shared by both controllers, plus an exported MakeServingCert standalone function for operator rotation tests.
  • secret_creating_controller.go: Embeds servingCertIssuer. Constructor accepts configInformers and featureGates; conditionally wires PKI informer/provider.
  • secret_updating_controller.go: Same embedding and constructor pattern.
  • starter.go: Initializes FeatureGateAccess, waits for initial observation, passes featureGates snapshot to both controller constructors.

Design notes

  • Feature gate checked once at construction: FeatureGateAccess default handler calls os.Exit(0) on change, so the process restarts and picks up new gate values. No need for runtime re-checking.
  • PKI certificate names: service-ca.service-serving-signer (signing CA), service-ca.service-serving (all per-service serving certs).
  • nil provider preserves legacy behavior — when the gate is off, configurablePKIEnabled is false and the legacy crypto.MakeSelfSignedCAConfig / ca.MakeServerCert paths are used. Zero impact on existing clusters.
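The design above (a gate-controlled key algorithm for the signing CA and serving certs, with issuance written against crypto.Signer instead of *rsa.PrivateKey) as an added Go example; this is not code from this PR, service-ca-operator or library-go. KeyConfig, the resolve step and the x509 helpers are stand-ins built on the standard library only, not the pki.ResolveCertificateConfig / crypto.NewSigningCertificate APIs the PR wires in, and the service name, namespace and "svc" suffix are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyConfig is a constructed stand-in for a PKI resource's key settings (hypothetical, not the OpenShift API type).
type KeyConfig struct {
	Algorithm string         // "RSA" or "ECDSA"
	RSABits   int            // key size when Algorithm == "RSA"
	Curve     elliptic.Curve // curve when Algorithm == "ECDSA"
}

// newSigner generates a key for the config; callers only ever see crypto.Signer, so they stay algorithm-agnostic.
func newSigner(cfg KeyConfig) (crypto.Signer, error) {
	switch cfg.Algorithm {
	case "RSA":
		if cfg.RSABits < 2048 {
			return nil, fmt.Errorf("rsa key size %d below minimum 2048", cfg.RSABits)
		}
		return rsa.GenerateKey(rand.Reader, cfg.RSABits)
	case "ECDSA":
		if cfg.Curve == nil {
			return nil, fmt.Errorf("ecdsa curve not set")
		}
		return ecdsa.GenerateKey(cfg.Curve, rand.Reader)
	}
	return nil, fmt.Errorf("unsupported key algorithm %q", cfg.Algorithm)
}

// sign issues tmpl for pub under parent; x509 derives the signature algorithm from the signer's key type.
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newSelfSignedCA builds the self-signed signing CA from any crypto.Signer, with no *rsa.PrivateKey assertion.
func newSelfSignedCA(cn string, key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, key.Public(), key)
}

// makeServingCert issues a server-auth leaf for <service>.<namespace>.<dnsSuffix>; leaf and CA keys may differ in algorithm.
func makeServingCert(ca *x509.Certificate, caKey, leafKey crypto.Signer, service, namespace, dnsSuffix string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{service + "." + namespace + "." + dnsSuffix, service + "." + namespace},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(12 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, leafKey.Public(), caKey)
}

// issueChain applies the gate branch, issues CA and leaf, verifies the leaf as a TLS client would, and reports the algorithms used.
func issueChain(gateEnabled bool, configured *KeyConfig) (caAlg, leafAlg x509.SignatureAlgorithm, err error) {
	cfg := KeyConfig{Algorithm: "RSA", RSABits: 2048} // legacy path: gate off, or nothing configured
	if gateEnabled && configured != nil {
		cfg = *configured
	}
	var keys [2]crypto.Signer // [0] signing CA key, [1] serving cert key (never shared)
	for i := range keys {
		if keys[i], err = newSigner(cfg); err != nil {
			return 0, 0, err
		}
	}
	ca, err := newSelfSignedCA("service-ca.service-serving-signer", keys[0])
	if err != nil {
		return 0, 0, err
	}
	leaf, err := makeServingCert(ca, keys[0], keys[1], "api", "demo", "svc")
	if err != nil {
		return 0, 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "api.demo.svc"})
	return ca.SignatureAlgorithm, leaf.SignatureAlgorithm, err
}
```

Calling issueChain(false, ecdsaConfig) still yields SHA256WithRSA for both certificates, which is the "gate off means the configured PKI is ignored" property worth asserting in a rollout test.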

openshift-ci Bot (Contributor) commented Mar 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci Bot added the do-not-merge/work-in-progress label (indicates that a PR should not merge because it is a work in progress) on Mar 11, 2026
coderabbitai Bot commented Mar 11, 2026

Note: Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Implements configurable PKI support via feature gates by introducing a servingCertIssuer component, refactoring certificate handling in controllers, integrating PKI providers, updating RBAC permissions for featuregates and pkis resources, and generalizing key handling from RSA-specific to the crypto.Signer interface.

Changes (cohort / file(s): summary)

  • Dependency & Build (go.mod): Updates OpenShift API, client-go, and library-go dependencies to newer pseudo-versions.
  • Serving Certificate Issuer (pkg/controller/servingcert/controller/serving_cert_issuer.go): New module introducing a servingCertIssuer component that encapsulates CA state and conditionally resolves serving certificates via configurable PKI when the feature gate is enabled; provides MakeServingCert and toRequiredSecret helpers.
  • Serving Cert Controllers (pkg/controller/servingcert/controller/secret_creating_controller.go, secret_updating_controller.go, secret_creating_controller_test.go): Refactors controllers to embed servingCertIssuer, removes the standalone MakeServingCert and toRequiredSecret public functions, integrates feature gate and PKI informer factory dependencies, delegates certificate generation to issuer methods.
  • Serving Cert Startup (pkg/controller/servingcert/starter/starter.go): Adds feature gate accessor initialization and startup blocking, passes configInformers and featureGates to controller constructors, updates informer wiring to use ctx.Done().
  • Service CA Operator Core (pkg/operator/operator.go, rotate.go, sync_common.go, pkg/operator/starter.go): Converts rotation functions to methods on serviceCAOperator, adds feature gate and PKI support with conditional provider initialization, generalizes key handling from RSA-specific to the crypto.Signer interface, updates signing CA initialization to resolve PKI configs when enabled.
  • Service CA Operator Tests (rotate_test.go, sync_common_test.go): Updates test calls to invoke rotation/initialization logic via serviceCAOperator method receivers instead of package-level functions, replaces RSA-specific type assertions with crypto.Signer interface assertions, adds an operator version environment variable propagation test.
  • RBAC & Deployment Manifests (bindata/assets/clusterrole.yaml, bindata/assets/deployment.yaml): Grants RBAC permissions for featuregates and pkis resources under the config.openshift.io API group; adds the OPERATOR_IMAGE_VERSION environment variable to the service-ca-controller container spec.
  • Test Infrastructure (pkg/controller/cabundleinjector/admissionwebhook_test.go): Updates the test to use the kubeInformers shared informer factory and precomputes the HasSynced function for cache synchronization.

Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~60 minutes

Pre-merge checks: ✅ 4 passed | ❌ 1 failed

Failed checks (1 warning):
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 43.75%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed):
  • Description Check (✅ Passed): Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The PR title clearly describes the main change: enabling configurable PKI for signing CA and serving certificates, which aligns with the substantial refactoring across multiple controller and operator files.
  • Stable And Deterministic Test Names (✅ Passed): All test names in the PR are stable and deterministic, with only static, descriptive strings containing no dynamic content.
  • Test Structure And Quality (✅ Passed): Test files demonstrate single responsibility, proper setup/cleanup, appropriate timeout handling, descriptive assertion messages, and consistency with codebase patterns.


coderabbitai Bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 89: Update the OpenTelemetry SDK dependency from
go.opentelemetry.io/otel/sdk v1.36.0 to v1.40.0 (or later) in the module
declaration so the vulnerable version is replaced; then run go mod tidy (and
optionally go mod vendor) to update the go.sum and lock the new version. Locate
the dependency string "go.opentelemetry.io/otel/sdk v1.36.0" in go.mod and
change the version to "v1.40.0" or newer, and verify builds/tests pass to
confirm the update succeeded.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8f0f072b-039b-4cc9-89f5-4eebef921fae

📥 Commits

Reviewing files that changed from the base of the PR and between 503e4f5 and ee223c4.

⛔ Files ignored due to path filters (299)
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_cli_download.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_link.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_sample.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/types_helm_chart_repository.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/docker10/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/dockerpre012/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/imageregistry/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/imageregistry/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/kubecontrolplane/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/legacyconfig/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/legacyconfig/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/machine/v1/types_alibabaprovider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1/types_nutanixprovider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1/types_powervsprovider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/machine/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
go.opentelemetry.io/otel/sdk v1.35.0 // indirect
go.opentelemetry.io/otel/trace v1.35.0 // indirect
go.opentelemetry.io/otel/metric v1.36.0 // indirect
go.opentelemetry.io/otel/sdk v1.36.0 // indirect
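Review bot: this hunk only moves go.opentelemetry.io/otel/sdk from v1.35.0 to v1.36.0, which the OSV finding in this thread still flags (affected range is < 1.40.0), and the lines are `// indirect` requirements. MVS honours an explicit higher require, so either edit the sdk line to v1.40.0 and re-run `go mod tidy && go mod vendor`, or bump whichever direct dependency pulls the SDK in; the otel core modules (otel, otel/metric, otel/trace, otel/sdk) are tagged together, so expect all four lines here to move as a set.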


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for available patched versions and vulnerability details

echo "=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "go.opentelemetry.io/otel/sdk") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo -e "\n=== Checking available versions ==="
go list -m -versions go.opentelemetry.io/otel/sdk 2>/dev/null || echo "Module info not available in current context"

Repository: openshift/service-ca-operator

Length of output: 355


🌐 Web query:

GO-2026-4394 OpenTelemetry SDK vulnerability

💡 Result:

GO-2026-4394 is a local arbitrary code execution vulnerability in the OpenTelemetry Go SDK caused by PATH hijacking (CWE-426) on macOS/Darwin. The SDK’s resource detection code (sdk/resource/host_id.go) executes the ioreg command via a search path; if an attacker can influence the process PATH, they may get a malicious ioreg executed in the application’s context. It’s tracked as CVE-2026-24051 / GHSA-9h8m-3fm2-qjrq. (github.com)

  • Affected: go.opentelemetry.io/otel/sdk (and .../sdk/resource) >= 1.21.0 and < 1.40.0 (GitHub advisory lists <= 1.39.0). (osv.dev)
  • Fixed: 1.40.0 (patch commit d45961b... released in v1.40.0). (github.com)

What to do: upgrade OpenTelemetry Go SDK to v1.40.0+; if you can’t immediately, reduce exposure by ensuring the running environment’s PATH cannot be modified by untrusted users/processes (the issue is fundamentally a local environment/path control problem). (github.com)


🌐 Web query:

GHSA-9h8m-3fm2-qjrq security advisory

💡 Result:

GHSA-9h8m-3fm2-qjrq (aka CVE-2026-24051, Go vuln GO-2026-4394) is a PATH hijacking issue in the OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk) on macOS/Darwin: resource detection runs the ioreg command via the system PATH, so a local attacker who can influence PATH can potentially achieve arbitrary code execution in the application’s context. [1][2]

  • Affected versions: >= 1.21.0, < 1.40.0 [1][3]
  • Fixed version: 1.40.0 (patch commit d45961b…) [1][2]
  • Severity (GitHub CNA): CVSS 3.1 7.0 (High) [1][2]

What to do: upgrade go.opentelemetry.io/otel/sdk to v1.40.0 or later. [1][3]

Sources
[1] GitHub Advisory Database (GHSA-9h8m-3fm2-qjrq) (github.com)
[2] NVD entry for CVE-2026-24051 (nvd.nist.gov)
[3] Go vulnerability report GO-2026-4394 (pkg.go.dev) (pkg.go.dev)


🌐 Web query:

go.opentelemetry.io/otel/sdk v1.36.0 security vulnerability

💡 Result:

Yes—go.opentelemetry.io/otel/sdk v1.36.0 falls in the affected range for GO-2026-4394 / CVE-2026-24051 / GHSA-9h8m-3fm2-qjrq (introduced 1.21.0, fixed 1.40.0). This is a local arbitrary code execution risk on macOS/Darwin due to PATH hijacking when the SDK’s resource host-id detection runs ioreg via an untrusted search path. The fix is to use the full path to ioreg (/usr/sbin/ioreg). [1][2][3]

What to do: upgrade to go.opentelemetry.io/otel/sdk v1.40.0 or later. [1][2]



Upgrade OpenTelemetry SDK to v1.40.0 or later to address HIGH severity security vulnerability.

go.opentelemetry.io/otel/sdk v1.36.0 is vulnerable to GO-2026-4394 / GHSA-9h8m-3fm2-qjrq (CVE-2026-24051), a PATH hijacking vulnerability that enables local arbitrary code execution on macOS/Darwin. The SDK's resource detection code runs the ioreg command via the system PATH instead of its absolute path, allowing code execution if PATH can be influenced. Upgrade to v1.40.0 or later to resolve this.

🧰 Tools
🪛 OSV Scanner (2.3.3)

[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 89-89: go.opentelemetry.io/otel/sdk 1.36.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 89, Update the OpenTelemetry SDK dependency from
go.opentelemetry.io/otel/sdk v1.36.0 to v1.40.0 (or later) in the module
declaration so the vulnerable version is replaced; then run go mod tidy (and
optionally go mod vendor) to update the go.sum and lock the new version. Locate
the dependency string "go.opentelemetry.io/otel/sdk v1.36.0" in go.mod and
change the version to "v1.40.0" or newer, and verify builds/tests pass to
confirm the update succeeded.
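The finding above is a search-path problem rather than a bug in any one binary: a command name is handed to the PATH walker, and whoever controls an early PATH entry decides what runs. The following Go program is an added example, not code from the OpenTelemetry SDK or from this repository. It stages the hijack (a fake executable in a temporary directory prepended to PATH), resolves the same name through `exec.LookPath` and through an allowlist resolver that ignores PATH, and returns both answers. The `trustedDirs` allowlist and the `sh` stand-in for `ioreg` are assumptions of the example; the upstream fix simply hard-codes `/usr/sbin/ioreg`, which is the simpler choice when only one binary is ever needed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// trustedDirs is the allowlist the hardened resolver consults. It is an
// assumption for this example; the advisory's fix hard-codes /usr/sbin/ioreg
// instead of searching at all.
var trustedDirs = []string{"/usr/sbin", "/sbin", "/usr/bin", "/bin"}

// resolveViaPATH is the vulnerable pattern: exec.LookPath walks $PATH in
// order and returns the first executable with that name.
func resolveViaPATH(name string) (string, error) {
	return exec.LookPath(name)
}

// resolveTrusted ignores PATH entirely. It accepts only a bare command name
// and only a regular, executable file inside one of the absolute dirs.
func resolveTrusted(name string, dirs []string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("bare command name expected, got %q", name)
	}
	for _, d := range dirs {
		if !filepath.IsAbs(d) {
			continue // a relative allowlist entry would reintroduce cwd dependence
		}
		candidate := filepath.Join(d, name)
		info, err := os.Stat(candidate)
		if err != nil || !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
			continue
		}
		return candidate, nil
	}
	return "", fmt.Errorf("%q not found in trusted directories", name)
}

// lookupResult records what each resolver returned for the same name.
type lookupResult struct {
	FakeDir         string // attacker-controlled directory prepended to PATH
	ViaPATH         string // what exec.LookPath picked
	PATHHijacked    bool   // ViaPATH points into FakeDir
	ViaTrusted      string // what the allowlist resolver picked ("" on error)
	TrustedHijacked bool   // ViaTrusted points into FakeDir (should never happen)
	TrustedErr      error
}

// demoHijack stages the attack: it writes a fake executable called name into
// a temporary directory, prepends that directory to PATH, resolves name both
// ways, then restores PATH and removes the directory.
func demoHijack(name string) (lookupResult, error) {
	dir, err := os.MkdirTemp("", "pathhijack")
	if err != nil {
		return lookupResult{}, err
	}
	defer os.RemoveAll(dir)

	fake := filepath.Join(dir, name)
	if err := os.WriteFile(fake, []byte("#!/bin/sh\necho hijacked\n"), 0o755); err != nil {
		return lookupResult{}, err
	}

	oldPath := os.Getenv("PATH")
	if err := os.Setenv("PATH", dir+string(os.PathListSeparator)+oldPath); err != nil {
		return lookupResult{}, err
	}
	defer os.Setenv("PATH", oldPath)

	res := lookupResult{FakeDir: dir}
	res.ViaPATH, err = resolveViaPATH(name)
	if err != nil {
		return res, err
	}
	res.PATHHijacked = filepath.Dir(res.ViaPATH) == dir
	res.ViaTrusted, res.TrustedErr = resolveTrusted(name, trustedDirs)
	res.TrustedHijacked = res.ViaTrusted != "" && filepath.Dir(res.ViaTrusted) == dir
	return res, nil
}

func main() {
	// "sh" exists on any Unix; the advisory's binary is ioreg on macOS.
	res, err := demoHijack("sh")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("via PATH:      %s (hijacked: %t)\n", res.ViaPATH, res.PATHHijacked)
	fmt.Printf("via allowlist: %s (hijacked: %t, err: %v)\n", res.ViaTrusted, res.TrustedHijacked, res.TrustedErr)
}
```

The allowlist resolver is deliberately stricter than the shell: it rejects anything containing a path separator, so a caller cannot smuggle in `../` or an absolute path, and it skips relative allowlist entries so the current working directory never becomes part of the search. For a process that only ever needs one tool, the hard-coded absolute path used by the upstream fix is simpler and equally safe.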

@sanchezl sanchezl changed the title WIP: PROOF: library-go CNTRLPLANE-2947: Enable configurable PKI for signing CA and serving certificates Mar 12, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 12, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 12, 2026


@sanchezl: This pull request references CNTRLPLANE-2947 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Overview

Wires configurable PKI support into the service-ca-operator, enabling the signing CA and per-service serving certificates to use key algorithms and sizes configured via the PKI cluster resource.

Depends on library-go#2127.

Changes

  • Operator loop: Resolves signer key config from the PKI profile when ConfigurablePKI feature gate is enabled; uses crypto.NewSigningCertificate for initial CA creation and rotation
  • Controller loop: Resolves serving key config independently; uses CA.NewServerCertificate for per-service cert generation
  • Trust bridging (rotate.go): Widened *rsa.PrivateKey to crypto.Signer throughout for ECDSA compatibility
  • Feature-gated: nil KeyConfig preserves legacy RSA-2048 behavior — zero impact when gate is off

Certificate names

  • service-ca.service-serving-signer — signing CA
  • service-ca.service-serving — all per-service serving certs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented Mar 12, 2026


@sanchezl: This pull request references CNTRLPLANE-2947 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Overview

Wires configurable PKI support into the service-ca-operator, enabling the signing CA and per-service serving certificates to use key algorithms and sizes configured via the PKI cluster resource.

Depends on library-go#2127.

Changes

  • Operator loop: Resolves signer key config from the PKI profile when ConfigurablePKI feature gate is enabled; uses crypto.NewSigningCertificate for initial CA creation and rotation
  • Controller loop: Resolves serving key config independently; uses CA.NewServerCertificate for per-service cert generation
  • Trust bridging (rotate.go): Widened *rsa.PrivateKey to crypto.Signer throughout for ECDSA compatibility
  • Feature-gated: nil KeyConfig preserves legacy RSA-2048 behavior — zero impact when gate is off

Certificate names

  • service-ca.service-serving-signer — signing CA
  • service-ca.service-serving — all per-service serving certs

Summary by CodeRabbit

  • New Features

  • Added optional support for configurable PKI: when enabled, the operator can use supplied PKI key material for serving certificates and signing CA operations.

  • Chores

  • Updated Go toolchain to 1.25.0.

  • Upgraded numerous module dependencies for improved security, compatibility, and stability.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
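The PR description quoted above widens the signing key from `*rsa.PrivateKey` to `crypto.Signer` so that the CA and the per-service serving certificates can use whatever algorithm the PKI profile resolves to. The following Go program is an added example, not code from service-ca-operator or library-go: it shows why that widening is sufficient, by building a self-signed signing CA, issuing a serving certificate for a service DNS name, and verifying the chain with nothing downstream of key generation knowing the algorithm. The `keyConfig` type, its `Algorithm`/`Size` fields, the 2048-bit RSA floor and the supported curve set are assumptions of the example; the real key configuration type lives in library-go and is not reproduced here. The CA common name reuses the signer name listed above.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyConfig stands in for the key settings the PR resolves from the PKI
// resource; it is an assumption of this example, not library-go's type.
type keyConfig struct {
	Algorithm string // "RSA" or "ECDSA"
	Size      int    // RSA modulus bits, or ECDSA curve size (256 or 384)
}

// newSigner turns a keyConfig into a crypto.Signer. Everything below only sees
// the interface, so CA creation, leaf issuance and verification do not care
// which algorithm was picked: that is what widening *rsa.PrivateKey buys.
func newSigner(cfg keyConfig) (crypto.Signer, error) {
	switch cfg.Algorithm {
	case "RSA":
		if cfg.Size < 2048 {
			return nil, fmt.Errorf("RSA modulus %d too small, minimum is 2048", cfg.Size)
		}
		return rsa.GenerateKey(rand.Reader, cfg.Size)
	case "ECDSA":
		switch cfg.Size {
		case 256:
			return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		case 384:
			return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
		}
		return nil, fmt.Errorf("unsupported ECDSA curve size %d", cfg.Size)
	}
	return nil, fmt.Errorf("unsupported key algorithm %q", cfg.Algorithm)
}

// newSigningCA self-signs a CA certificate for the signer's key.
func newSigningCA(signer crypto.Signer, cn string) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newServingCert issues a server certificate for dnsName under ca. The leaf
// key (leafPub) may use a different algorithm from the CA key (caSigner);
// DigitalSignature alone is enough for ECDHE suites with either key type.
func newServingCert(ca *x509.Certificate, caSigner crypto.Signer, leafPub crypto.PublicKey, dnsName string) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, leafPub, caSigner)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServing checks that leaf chains to ca for dnsName, as a TLS client
// holding the service CA bundle would.
func verifyServing(ca, leaf *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// issue runs the full flow for one CA/leaf key configuration pair and returns
// both certificates after verifying the chain.
func issue(caCfg, leafCfg keyConfig, dnsName string) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := newSigner(caCfg)
	if err != nil {
		return nil, nil, err
	}
	ca, err := newSigningCA(caKey, "service-ca.service-serving-signer")
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := newSigner(leafCfg)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := newServingCert(ca, caKey, leafKey.Public(), dnsName)
	if err != nil {
		return nil, nil, err
	}
	return ca, leaf, verifyServing(ca, leaf, dnsName)
}
```

`issue(keyConfig{"RSA", 2048}, keyConfig{"RSA", 2048}, "my-svc.my-ns.svc")` reproduces the legacy behaviour the description says is preserved when the gate is off, while `issue(keyConfig{"ECDSA", 384}, keyConfig{"RSA", 2048}, ...)` exercises the mixed case a rotation can pass through: `x509.CreateCertificate` picks the signature algorithm from the signer it is given, so an ECDSA CA signing an RSA leaf needs no special handling, which is the property that makes the interface change safe for `rotateSigningCA` and `createIntermediateCACert`.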

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (2)
go.mod (1)

3-3: Consider keeping go at the real minimum and using toolchain for 1.25.

Since Go 1.21, the go line is the module’s enforced minimum version, while toolchain is the knob for preferring a newer compiler when working in the repo. If this PR doesn’t actually require Go 1.25-only features, raising go here will unnecessarily force every consumer/CI image onto 1.25. (tip.golang.org)

Suggested change
-go 1.25.0
+go 1.24.0
+toolchain go1.25.0
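Review bot: `toolchain go1.25.0` in this suggestion is a go.mod directive, not a comment, so take the diff literally rather than the "// toolchain:" comment wording in the prompt that follows; and before lowering to `go 1.24.0`, confirm that no required module (library-go in particular, given the replace noted elsewhere in this review) already declares `go 1.25`, because the `go` line must be at least as high as every dependency's and `go mod tidy` will raise it straight back.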
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, The go.mod currently sets "go 1.25.0" which raises the
enforced minimum; change it back to the real minimum required (e.g., "go 1.20"
or the actual lowest supported version) and instead add a // toolchain directive
to prefer Go 1.25 for development/CI. Update the go.mod by lowering the "go"
version to the true minimum and adding a toolchain comment like "// toolchain:
go1.25" (or equivalent) so consumers are not forced to use 1.25 while your repo
prefers that compiler.
pkg/controller/servingcert/starter/starter.go (1)

125-126: Redundant configInformers.Start() call.

configInformers.Start(stopChan) is called on line 58 and again on line 126. The second call is redundant since informers are already started.

 	kubeInformers.Start(stopChan)
-	configInformers.Start(stopChan)
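Review bot: a SharedInformerFactory's Start only launches the informers that were requested before that call, so before dropping this second `configInformers.Start(stopChan)` check that the PKIs informer in the gated branch (obtained via `.Config().V1alpha1().PKIs().Informer()` or its `Lister()`) is requested before the Start on line 58; if it is requested afterwards, this second call is what actually runs it, and removing it leaves the lister permanently empty rather than merely redundant.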
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/starter/starter.go` around lines 125 - 126, The
configInformers.Start(stopChan) call is duplicated (already invoked earlier)
causing a redundant second start; remove the second invocation on the line
alongside kubeInformers.Start(stopChan) so only kubeInformers.Start(stopChan)
and the prior configInformers.Start(stopChan) remain, ensuring stopChan is still
passed to all informer Start calls and no additional Start is invoked for
configInformers.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 130: The go.mod contains a permanent replace directive replacing
github.com/openshift/library-go with your personal fork (the line starting
"replace github.com/openshift/library-go => github.com/sanchezl/library-go
..."); remove this personal replace before merging and either point the replace
to an org-owned fork or upstream the needed changes and switch back to the
official module path, or convert the change to a temporary, clearly-commented
local-only workaround (e.g., remove the replace or replace with the org fork
name) so CI/release builds resolve the upstream github.com/openshift/library-go
module instead of a personal namespace.

In `@pkg/controller/servingcert/starter/starter.go`:
- Around line 70-88: CurrentFeatureGates()'s error return is being ignored after
InitialFeatureGatesObserved(); change the select branch to capture the error
from featureGateAccessor.CurrentFeatureGates() (e.g. fg, err :=
featureGateAccessor.CurrentFeatureGates()), check for err != nil and return a
wrapped fmt.Errorf including the err, before using fg.Enabled(...); keep using
InitialFeatureGatesObserved() and the existing PKI resolution logic
(pki.NewListerPKIProfileProvider, pki.ResolveCertificateConfig, cfg.Key)
unchanged otherwise.
- Around line 74-84: The PKIs informer lister is being used before its cache is
guaranteed to be synced; before calling pki.ResolveCertificateConfig and using
PKIs().Lister() (in the block that constructs pkiProvider and calls
pki.ResolveCertificateConfig), call cache.WaitForCacheSync for the PKIs informer
(after configInformers.Start() and alongside the existing wait for
featureGateAccessor.InitialFeatureGatesObserved()) and ensure it returns true;
if it fails, return an error so you don't access an unsynced lister.

In `@pkg/operator/starter.go`:
- Around line 164-179: The PKIs informer must be started and its cache synced
before using its lister; before calling pki.NewListerPKIProfileProvider /
pki.ResolveCertificateConfig (the block that sets signerKeyConfig), call the
informer start/sync helper to WaitForCacheSync for the PKIs informer (e.g. use
configInformers.Start(stopChan) if not already started and then wait on the PKIs
informer’s HasSynced via
configInformers.Config().V1alpha1().PKIs().Informer().HasSynced); if the sync
fails return an error so ResolveCertificateConfig isn’t called against an
unsynced lister.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ac5134cf-15b2-4320-965b-dc0d7c17bd7e

📥 Commits

Reviewing files that changed from the base of the PR and between ee223c4 and 9f58671.

⛔ Files ignored due to path filters (290)
  • go.sum is excluded by !**/*.sum
  • … (remaining 289 vendor/** files, excluded by !**/vendor/**, !vendor/**, !**/*.pb.go)
  • vendor/github.com/klauspost/compress/huff0/decompress.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/huff0/decompress_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/huff0/decompress_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/huff0/decompress_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/huff0/huff0.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/le/le.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/le/unsafe_disabled.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/le/unsafe_enabled.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/snapref/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/snapref/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/snapref/decode_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/snapref/encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/snapref/encode_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/internal/snapref/snappy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/s2sx.mod is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/s2sx.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/bitreader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/bitwriter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/blockdec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/blockenc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/blocktype_string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/bytebuf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/bytereader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/decodeheader.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/decoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/decoder_options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/dict.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/enc_base.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/enc_best.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/enc_better.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/enc_dfast.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/enc_fast.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/encoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/encoder_options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/framedec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/frameenc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/fse_decoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/fse_encoder.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/fse_predefined.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/history.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_arm64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_asm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_safe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/matchlen_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/matchlen_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/seqdec.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/seqdec_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/seqdec_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/seqenc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/snappy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/zip.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/klauspost/compress/zstd/zstd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/modern-go/reflect2/safe_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/gomega_dsl.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/internal/async_assertion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/be_comparable_to_matcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/onsi/gomega/matchers/match_yaml_matcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/.golangci.go-validated.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/AGENTS.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/OWNERS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/apiserver/v1/types_apirequestcount.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apiserver/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apps/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apps/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/apps/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/authorization/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/authorization/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/authorization/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/build/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/cloudnetwork/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_console.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_feature.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_operatorhub.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_scheduling.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_backup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_cli_download.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_link.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_sample.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/types_helm_chart_repository.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/docker10/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/dockerpre012/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/imageregistry/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/imageregistry/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/imageregistry/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/install.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (10)
  • go.mod
  • pkg/controller/servingcert/controller/secret_creating_controller.go
  • pkg/controller/servingcert/controller/secret_updating_controller.go
  • pkg/controller/servingcert/starter/starter.go
  • pkg/operator/operator.go
  • pkg/operator/rotate.go
  • pkg/operator/rotate_test.go
  • pkg/operator/starter.go
  • pkg/operator/sync_common.go
  • pkg/operator/sync_common_test.go

Comment thread go.mod Outdated
Comment on lines +70 to +88
select {
case <-featureGateAccessor.InitialFeatureGatesObserved():
fg, _ := featureGateAccessor.CurrentFeatureGates()
if fg.Enabled(features.FeatureGateConfigurablePKI) {
pkiProvider := pki.NewListerPKIProfileProvider(
configInformers.Config().V1alpha1().PKIs().Lister(),
"cluster",
)
cfg, err := pki.ResolveCertificateConfig(pkiProvider, pki.CertificateTypeServing, "service-ca.service-serving")
if err != nil {
return fmt.Errorf("failed to resolve PKI serving config: %w", err)
}
if cfg != nil {
servingKeyConfig = &cfg.Key
}
}
case <-time.After(1 * time.Minute):
return fmt.Errorf("timed out waiting for FeatureGate detection")
}

@coderabbitai coderabbitai Bot Mar 12, 2026


⚠️ Potential issue | 🟡 Minor

Error from CurrentFeatureGates() is discarded.

Line 72 ignores the error returned by CurrentFeatureGates(). While this may be intentional after InitialFeatureGatesObserved() signals, silently ignoring errors could mask issues.

 	select {
 	case <-featureGateAccessor.InitialFeatureGatesObserved():
-		fg, _ := featureGateAccessor.CurrentFeatureGates()
+		fg, err := featureGateAccessor.CurrentFeatureGates()
+		if err != nil {
+			return fmt.Errorf("failed to get current feature gates: %w", err)
+		}
 		if fg.Enabled(features.FeatureGateConfigurablePKI) {
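Review bot: the `err` this hunk introduces with `fg, err := featureGateAccessor.CurrentFeatureGates()` is shadowed a few lines later by `cfg, err := pki.ResolveCertificateConfig(...)` inside the `if fg.Enabled(...)` block (visible in the full suggestion below); it compiles, but the shadow analyzer flags it, so either declare `cfg` separately and assign with `=`, or keep the blank identifier, since once `<-featureGateAccessor.InitialFeatureGatesObserved()` has fired the error path cannot be taken. A point that matters more than the error value: the enclosing `select` has only the observed channel and `time.After(1 * time.Minute)` as cases, so a shutdown during that minute is not honoured; if a context is in scope in this function (the later suggestion on this file uses `ctx.Done()`), add it as a third case and return on cancellation.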
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
select {
case <-featureGateAccessor.InitialFeatureGatesObserved():
fg, _ := featureGateAccessor.CurrentFeatureGates()
if fg.Enabled(features.FeatureGateConfigurablePKI) {
pkiProvider := pki.NewListerPKIProfileProvider(
configInformers.Config().V1alpha1().PKIs().Lister(),
"cluster",
)
cfg, err := pki.ResolveCertificateConfig(pkiProvider, pki.CertificateTypeServing, "service-ca.service-serving")
if err != nil {
return fmt.Errorf("failed to resolve PKI serving config: %w", err)
}
if cfg != nil {
servingKeyConfig = &cfg.Key
}
}
case <-time.After(1 * time.Minute):
return fmt.Errorf("timed out waiting for FeatureGate detection")
}
select {
case <-featureGateAccessor.InitialFeatureGatesObserved():
fg, err := featureGateAccessor.CurrentFeatureGates()
if err != nil {
return fmt.Errorf("failed to get current feature gates: %w", err)
}
if fg.Enabled(features.FeatureGateConfigurablePKI) {
pkiProvider := pki.NewListerPKIProfileProvider(
configInformers.Config().V1alpha1().PKIs().Lister(),
"cluster",
)
cfg, err := pki.ResolveCertificateConfig(pkiProvider, pki.CertificateTypeServing, "service-ca.service-serving")
if err != nil {
return fmt.Errorf("failed to resolve PKI serving config: %w", err)
}
if cfg != nil {
servingKeyConfig = &cfg.Key
}
}
case <-time.After(1 * time.Minute):
return fmt.Errorf("timed out waiting for FeatureGate detection")
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/starter/starter.go` around lines 70 - 88,
CurrentFeatureGates()'s error return is being ignored after
InitialFeatureGatesObserved(); change the select branch to capture the error
from featureGateAccessor.CurrentFeatureGates() (e.g. fg, err :=
featureGateAccessor.CurrentFeatureGates()), check for err != nil and return a
wrapped fmt.Errorf including the err, before using fg.Enabled(...); keep using
InitialFeatureGatesObserved() and the existing PKI resolution logic
(pki.NewListerPKIProfileProvider, pki.ResolveCertificateConfig, cfg.Key)
unchanged otherwise.

Contributor Author


The only way to get an error when calling featureGateAccessor.CurrentFeatureGates() is when featureGateAccessor.AreInitialFeatureGatesObserved() returns false. Since we wait for the featureGateAccessor.InitialFeatureGatesObserved() channel to be closed, there is no way for the error to occur.

@sanchezl, that's a valid point. Since InitialFeatureGatesObserved() channel closure guarantees AreInitialFeatureGatesObserved() returns true before CurrentFeatureGates() is ever called, the error path is indeed unreachable. The blank identifier is correct here.



Comment on lines +74 to +84
pkiProvider := pki.NewListerPKIProfileProvider(
configInformers.Config().V1alpha1().PKIs().Lister(),
"cluster",
)
cfg, err := pki.ResolveCertificateConfig(pkiProvider, pki.CertificateTypeServing, "service-ca.service-serving")
if err != nil {
return fmt.Errorf("failed to resolve PKI serving config: %w", err)
}
if cfg != nil {
servingKeyConfig = &cfg.Key
}


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does OpenShift library-go NewListerPKIProfileProvider require cache sync before use?

💡 Result:

NewListerPKIProfileProvider itself shouldn’t need an extra “sync” call, but it is only safe/meaningful to use once the informer(s) backing the lister have synced—otherwise the lister can return empty/stale results simply because its local cache hasn’t been populated yet.

In practice that means: start the informer factory and wait for cache.WaitForCacheSync(...) (or the informer’s HasSynced) before calling into the provider. Kubernetes client-go explicitly provides WaitForCacheSync for “waits for caches to populate.” [1]

Note: I couldn’t find NewListerPKIProfileProvider by name in the upstream openshift/library-go API docs as of the currently published module on pkg.go.dev (published Mar 11, 2026), so if you’re looking at a vendored/forked copy, the above guidance still applies whenever it reads via a lister-backed informer cache.

Sources
[1] k8s.io/client-go/tools/cache — WaitForCacheSync docs (pkg.go.dev) (pkg.go.dev)



🏁 Script executed:

find . -name "starter.go" -path "*/servingcert/starter/*" | head -5

Repository: openshift/service-ca-operator

Length of output: 120


🏁 Script executed:

cat -n ./pkg/controller/servingcert/starter/starter.go | head -120

Repository: openshift/service-ca-operator

Length of output: 5007


🏁 Script executed:

cat -n ./pkg/controller/servingcert/starter/starter.go | tail -40

Repository: openshift/service-ca-operator

Length of output: 1570


🏁 Script executed:

grep -n "WaitForCacheSync" ./pkg/controller/servingcert/starter/starter.go

Repository: openshift/service-ca-operator

Length of output: 55


PKI informer cache must be synced before accessing the lister.

The PKIs().Lister() is accessed at line 74 without waiting for the informer cache to sync. Although configInformers.Start() is called at line 58, the subsequent select waits only for featureGateAccessor.InitialFeatureGatesObserved() (which syncs the FeatureGates informer), not the PKI informer. This can result in empty or stale PKI data if the cache hasn't been populated yet.

Add cache.WaitForCacheSync() before accessing the PKI lister:

Suggested fix
+	if !cache.WaitForCacheSync(ctx.Done(), configInformers.Config().V1alpha1().PKIs().Informer().HasSynced) {
+		return fmt.Errorf("timed out waiting for PKI informer cache to sync")
+	}
 	pkiProvider := pki.NewListerPKIProfileProvider(
 		configInformers.Config().V1alpha1().PKIs().Lister(),
 		"cluster",
 	)
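Review bot: `cache` is not imported in the visible code (the grep above found no WaitForCacheSync in this file), so the suggestion needs `k8s.io/client-go/tools/cache` added before it compiles. The larger caveat is that `cache.WaitForCacheSync(ctx.Done(), ...)` has no timeout of its own: if the PKI CRD is not installed (it is a feature-gated v1alpha1 API) the informer never reports synced and startup blocks until ctx is cancelled, unlike the bounded one-minute `select` used for the feature-gate wait. Keeping the wait inside the `fg.Enabled(...)` branch, as shown, confines this to clusters where the gate and therefore the CRD are expected, but a bounded wait that returns a clear error would be safer. Note also that the snippet resolves `servingKeyConfig` once at startup; a later change to the PKI `cluster` resource will not reach the serving key configuration until the process restarts.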
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/starter/starter.go` around lines 74 - 84, The PKIs
informer lister is being used before its cache is guaranteed to be synced;
before calling pki.ResolveCertificateConfig and using PKIs().Lister() (in the
block that constructs pkiProvider and calls pki.ResolveCertificateConfig), call
cache.WaitForCacheSync for the PKIs informer (after configInformers.Start() and
alongside the existing wait for
featureGateAccessor.InitialFeatureGatesObserved()) and ensure it returns true;
if it fails, return an error so you don't access an unsynced lister.

Comment thread pkg/operator/starter.go Outdated
@sanchezl

Contributor Author

/hold for openshift/library-go#2127

@sanchezl sanchezl marked this pull request as ready for review March 12, 2026 15:05
@openshift-ci openshift-ci Bot added the do-not-merge/hold label and removed the do-not-merge/work-in-progress label Mar 12, 2026
@openshift-ci openshift-ci Bot requested review from bertinatto and p0lyn0mial March 12, 2026 15:24
@openshift-ci-robot

openshift-ci-robot commented Mar 12, 2026

Contributor

@sanchezl: This pull request references CNTRLPLANE-2947 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Overview

Wires configurable PKI support into the service-ca-operator, enabling the signing CA and per-service serving certificates to use key algorithms and sizes configured via the PKI cluster resource.

Depends on library-go#2127.

Changes

  • Operator loop: Resolves signer key config from the PKI profile when ConfigurablePKI feature gate is enabled; uses crypto.NewSigningCertificate for initial CA creation and rotation
  • Controller loop: Resolves serving key config independently; uses CA.NewServerCertificate for per-service cert generation
  • Trust bridging (rotate.go): Widened *rsa.PrivateKey to crypto.Signer throughout for ECDSA compatibility
  • Feature-gated: nil KeyConfig preserves legacy RSA-2048 behavior — zero impact when gate is off

Certificate names

  • service-ca.service-serving-signer — signing CA
  • service-ca.service-serving — all per-service serving certs

Summary by CodeRabbit

  • New Features

  • Optional configurable PKI support: operator can use supplied PKI key material (gated by a feature) for service serving certs and signing CA operations; feature-gate readiness is checked at startup.

  • Tests

  • Added unit tests covering PKI resolution and feature-gate behavior.

  • Chores

  • Bumped Go toolchain to 1.25.0 and updated many module dependencies for security and compatibility.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
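The key-agnostic signing path the description above lays out, as an added Go example that is not the service-ca-operator's or library-go's code: KeyConfig, newSignerKey, issue, newSigningCA, newServingCert and verifyServing are hypothetical names, the RSA-2048 default for a nil config and the widening to crypto.Signer follow the description, and any hostnames passed in are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyConfig is a hypothetical stand-in for the key settings resolved from the PKI resource.
type KeyConfig struct {
	Algorithm string // "RSA" or "ECDSA"
	Bits      int    // RSA modulus size; for ECDSA only 256 (P-256) is handled here
}

// newSignerKey: a nil config keeps the legacy RSA-2048 default, otherwise the configured algorithm.
func newSignerKey(cfg *KeyConfig) (crypto.Signer, error) {
	if cfg == nil {
		return rsa.GenerateKey(rand.Reader, 2048)
	}
	switch cfg.Algorithm {
	case "RSA":
		if cfg.Bits < 2048 {
			return nil, fmt.Errorf("RSA key size %d is below the 2048-bit floor", cfg.Bits)
		}
		return rsa.GenerateKey(rand.Reader, cfg.Bits)
	case "ECDSA":
		if cfg.Bits != 256 {
			return nil, fmt.Errorf("unsupported ECDSA curve size %d", cfg.Bits)
		}
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	return nil, fmt.Errorf("unsupported key algorithm %q", cfg.Algorithm)
}

// issue signs tmpl with signer (self-signed when parent == tmpl); CreateCertificate derives the signature algorithm from the signer's key type, so callers stay algorithm-agnostic.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newSigningCA builds the self-signed signing CA with a key type taken from cfg.
func newSigningCA(name string, cfg *KeyConfig) (*x509.Certificate, crypto.Signer, error) {
	key, err := newSignerKey(cfg)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, key.Public(), key)
	return cert, key, err
}

// newServingCert issues a per-service serving cert; its key type is resolved independently of the CA's, so an ECDSA CA can sign an RSA leaf and vice versa.
func newServingCert(dnsName string, caCert *x509.Certificate, caKey crypto.Signer, cfg *KeyConfig) (*x509.Certificate, crypto.Signer, error) {
	key, err := newSignerKey(cfg)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := issue(tmpl, caCert, key.Public(), caKey)
	return cert, key, err
}

// verifyServing checks that leaf chains to caCert and is valid for dnsName.
func verifyServing(leaf, caCert *x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: pool})
	return err
}
```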

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
pkg/controller/servingcert/starter/starter.go (1)

64-71: ⚠️ Potential issue | 🟡 Minor

Error from CurrentFeatureGates() should be handled.

While the error after InitialFeatureGatesObserved() may be unlikely, silently ignoring it could mask issues. The logging statement uses the feature gates, so the error should be checked.

🛡️ Proposed fix
 	select {
 	case <-featureGateAccessor.InitialFeatureGatesObserved():
-		featureGates, _ := featureGateAccessor.CurrentFeatureGates()
+		featureGates, err := featureGateAccessor.CurrentFeatureGates()
+		if err != nil {
+			return fmt.Errorf("failed to get current feature gates: %w", err)
+		}
 		klog.Infof("FeatureGates initialized: knownFeatureGates=%v", featureGates.KnownFeatures())
 	case <-time.After(1 * time.Minute):
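Review bot: `featureGates` is declared with `:=` inside the `case` arm, so it is scoped to that arm and is gone once the `select` ends; the PR description says the serving-cert controller constructor takes the resolved featureGates, so if this function passes them on it needs the variable declared before the `select` (with the type `CurrentFeatureGates()` returns) and assigned with `=` inside the arm, otherwise only the log line ever sees the value. The `%w` wrap and the early return are right.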
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/starter/starter.go` around lines 64 - 71, Handle
the error returned by featureGateAccessor.CurrentFeatureGates() instead of
ignoring it: inside the select branch that waits on
featureGateAccessor.InitialFeatureGatesObserved(), call CurrentFeatureGates(),
check its error, and if non-nil log it with klog.Errorf (including the error)
and return that error (or wrap it with context) instead of proceeding to use
featureGates; otherwise continue to log featureGates.KnownFeatures() as before.
Ensure you reference featureGateAccessor.InitialFeatureGatesObserved(),
featureGateAccessor.CurrentFeatureGates(), and the existing
klog.Infof/klog.Errorf calls when making the change.

📥 Commits

Reviewing files that changed from the base of the PR and between 9f58671 and 9f2e032.

📒 Files selected for processing (11)
  • pkg/controller/servingcert/controller/pki.go
  • pkg/controller/servingcert/controller/pki_test.go
  • pkg/controller/servingcert/controller/secret_creating_controller.go
  • pkg/controller/servingcert/controller/secret_updating_controller.go
  • pkg/controller/servingcert/starter/starter.go
  • pkg/operator/operator.go
  • pkg/operator/rotate.go
  • pkg/operator/rotate_test.go
  • pkg/operator/starter.go
  • pkg/operator/sync_common.go
  • pkg/operator/sync_common_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/operator/operator.go

@openshift-ci-robot

openshift-ci-robot commented Mar 12, 2026

Contributor

@sanchezl: This pull request references CNTRLPLANE-2947 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Overview

Wires configurable PKI support into the service-ca-operator, enabling the signing CA and per-service serving certificates to use key algorithms and sizes configured via the PKI cluster resource.

Depends on library-go#2127.

Changes

  • Operator loop: Resolves signer key config from the PKI profile when ConfigurablePKI feature gate is enabled; uses crypto.NewSigningCertificate for initial CA creation and rotation
  • Controller loop: Resolves serving key config independently; uses CA.NewServerCertificate for per-service cert generation
  • Trust bridging (rotate.go): Widened *rsa.PrivateKey to crypto.Signer throughout for ECDSA compatibility
  • Feature-gated: nil KeyConfig preserves legacy RSA-2048 behavior — zero impact when gate is off

Certificate names

  • service-ca.service-serving-signer — signing CA
  • service-ca.service-serving — all per-service serving certs

Summary by CodeRabbit

  • New Features

  • Optional configurable PKI support: operator can use supplied PKI key material (gated by a feature) for service serving certificates and signing CA operations; feature-gate readiness is checked at startup.

  • Tests

  • Added unit tests covering PKI resolution and feature-gate behavior.

  • Chores

  • Bumped Go toolchain to 1.25.0 and upgraded many module dependencies and build images for compatibility.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
pkg/controller/servingcert/starter/starter.go (1)

64-67: ⚠️ Potential issue | 🟡 Minor

Handle CurrentFeatureGates() error before proceeding.

Line 66 discards the error return from CurrentFeatureGates(). Please fail fast if it returns an error instead of continuing with potentially invalid gate state.

Suggested fix
 select {
 case <-featureGateAccessor.InitialFeatureGatesObserved():
-	featureGates, _ := featureGateAccessor.CurrentFeatureGates()
+	featureGates, err := featureGateAccessor.CurrentFeatureGates()
+	if err != nil {
+		return fmt.Errorf("failed to get current feature gates: %w", err)
+	}
 	klog.Infof("FeatureGates initialized: knownFeatureGates=%v", featureGates.KnownFeatures())
 case <-time.After(1 * time.Minute):
 	klog.Errorf("timed out waiting for FeatureGate detection")
 	return fmt.Errorf("timed out waiting for FeatureGate detection")
 }
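Review bot: the two error arms of this `select` are now inconsistent: the timeout arm logs with klog.Errorf and then returns an error carrying the same text, while the new CurrentFeatureGates() arm only returns. The caller sees and logs the returned error either way, so drop the klog.Errorf in the timeout arm (or log in both arms), and note that the AI prompt below asks for klog.Errorf plus return, which this diff does not do; pick one convention and keep the prompt in step with it.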
#!/bin/bash
# Verify the ignored error pattern exists in the current file.
rg -nP --type=go 'featureGates,\s*_\s*:=\s*featureGateAccessor\.CurrentFeatureGates\(\)' pkg/controller/servingcert/starter/starter.go -C2
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/starter/starter.go` around lines 64 - 67, The code
currently discards the error from featureGateAccessor.CurrentFeatureGates()
inside the select branch; update the select branch that calls
featureGateAccessor.CurrentFeatureGates() to check the returned error and fail
fast (e.g., return the error or klog.Fatalf/klog.Errorf + return) instead of
continuing with a possibly invalid featureGates value—modify the block around
featureGateAccessor.InitialFeatureGatesObserved() to capture (featureGates,
err), handle err != nil (using the existing function/method context where this
select runs), and only log “FeatureGates initialized” and use
featureGates.KnownFeatures() when err == nil.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controller/servingcert/controller/secret_creating_controller.go`:
- Around line 164-167: When resolveServingKeyConfig(sc.featureGateAccessor,
sc.pkiLister) returns an error, don’t return immediately; instead call the
controller’s updateServiceFailure(...) helper to record the key-config
resolution failure on the Service (so it is annotated and counted toward
maxRetries), then return the original error. Update the error branch around
resolveServingKeyConfig to invoke updateServiceFailure with the Service object
in scope and the error (using the same failure reason/message scheme as other
failure paths) before returning.

In `@pkg/controller/servingcert/controller/secret_updating_controller.go`:
- Around line 104-111: The code currently calls
resolveServingKeyConfig(sc.featureGateAccessor, sc.pkiLister) at the top of the
sync which causes PKI resolution errors to fail every sync; instead, remove that
eager call and defer calling resolveServingKeyConfig until you know the secret
requires regeneration (the branch that checks expiry/needsRegeneration). Move
the resolveServingKeyConfig invocation into the regeneration code path (where
you build/generate a new secret/certificate), handle and return errors only from
that regeneration step, and ensure non-regenerating paths do not call
resolveServingKeyConfig or surface its errors (so healthy secrets continue
syncing even if PKI resolution is transiently failing).


📥 Commits

Reviewing files that changed from the base of the PR and between 9f2e032 and 8dbdb34.

⛔ Files ignored due to path filters (286)
  • vendor/github.com/openshift/api/build/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/build/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/cloudnetwork/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/cloudnetwork/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_operator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_console.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_feature.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_infrastructure.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_network.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_node.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_operatorhub.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_scheduling.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_backup.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_crio_credential_provider_config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/types_insights.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/config/v1alpha2/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_cli_download.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_link.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_plugin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/types_console_sample.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/console/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/console/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/install.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/register.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/types_pacemakercluster.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/etcd/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/features/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/types_helm_chart_repository.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/helm/v1beta1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/docker10/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/dockerpre012/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/api/image/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
  • vendor/github.com/openshift/api/image/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
📒 Files selected for processing (14)
  • .ci-operator.yaml
  • Dockerfile.rhel7
  • go.mod
  • pkg/controller/servingcert/controller/pki.go
  • pkg/controller/servingcert/controller/pki_test.go
  • pkg/controller/servingcert/controller/secret_creating_controller.go
  • pkg/controller/servingcert/controller/secret_updating_controller.go
  • pkg/controller/servingcert/starter/starter.go
  • pkg/operator/operator.go
  • pkg/operator/rotate.go
  • pkg/operator/rotate_test.go
  • pkg/operator/starter.go
  • pkg/operator/sync_common.go
  • pkg/operator/sync_common_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/operator/sync_common_test.go

Comment on lines +164 to +167
keyConfig, err := resolveServingKeyConfig(sc.featureGateAccessor, sc.pkiLister)
if err != nil {
return err
}


⚠️ Potential issue | 🟠 Major

Record key-config resolution failures via service failure annotations.

Returning directly here bypasses updateServiceFailure, so this new failure mode is not counted against maxRetries and does not annotate the Service with actionable error state.

💡 Suggested fix
 	keyConfig, err := resolveServingKeyConfig(sc.featureGateAccessor, sc.pkiLister)
 	if err != nil {
-		return err
+		return sc.updateServiceFailure(ctx, serviceCopy, fmt.Errorf("unable to resolve serving key config: %w", err))
 	}
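Review bot: the suggested replacement line references `ctx`, `serviceCopy` and `fmt.Errorf`, none of which appear in the four visible lines, so confirm both identifiers are in scope at this point and that `fmt` is imported in secret_creating_controller.go. Also worth weighing: once this failure is charged against maxRetries, a transient lister error (for example a PKI informer cache that has not synced yet) consumes a Service's retry budget the same way a permanent misconfiguration does; separating retryable lookup errors from permanent ones before calling `updateServiceFailure` would keep a short-lived hiccup from leaving a Service without a serving certificate.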
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/controller/secret_creating_controller.go` around
lines 164 - 167, When resolveServingKeyConfig(sc.featureGateAccessor,
sc.pkiLister) returns an error, don’t return immediately; instead call the
controller’s updateServiceFailure(...) helper to record the key-config
resolution failure on the Service (so it is annotated and counted toward
maxRetries), then return the original error. Update the error branch around
resolveServingKeyConfig to invoke updateServiceFailure with the Service object
in scope and the error (using the same failure reason/message scheme as other
failure paths) before returning.

Comment thread pkg/controller/servingcert/controller/secret_updating_controller.go Outdated
@openshift-ci-robot

Contributor

@sanchezl: An error was encountered searching for bug CNTRLPLANE-2947 on the Jira server at https://issues.redhat.com. No known errors were detected; please see the full error message for details.

Full error message. request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.


In response to this:

Overview

Wires configurable PKI support into the service-ca-operator, enabling the signing CA and per-service serving certificates to use key algorithms and sizes configured via the PKI cluster resource.

Depends on library-go#2127.

Changes

  • Operator loop: Resolves signer key config from the PKI profile when ConfigurablePKI feature gate is enabled; uses crypto.NewSigningCertificate for initial CA creation and rotation
  • Controller loop: Resolves serving key config independently; uses CA.NewServerCertificate for per-service cert generation
  • Trust bridging (rotate.go): Widened *rsa.PrivateKey to crypto.Signer throughout for ECDSA compatibility
  • Feature-gated: nil KeyConfig preserves legacy RSA-2048 behavior — zero impact when gate is off

Certificate names

  • service-ca.service-serving-signer — signing CA
  • service-ca.service-serving — all per-service serving certs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
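The key-config branching that the quoted Changes describe, as an added Go example written for this page rather than code from the PR or from library-go: a nil KeyConfig keeps the legacy RSA-2048 key, an ECDSA or RSA profile selects the algorithm, the CA key is handled purely as a crypto.Signer so an ECDSA signer and an RSA signer go through the same issuance path, and a describe helper extracts the key algorithm, size or curve and signature algorithm that one checks on the resulting certificates after a rollout. KeyConfig, generateKey, template, newCert, KeyInfo and describe are hypothetical names chosen here, not library-go's API, and the P-384 signer / P-256 serving profile in main is a constructed input.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyConfig is a hypothetical stand-in for the key config library-go resolves from the PKI profile.
type KeyConfig struct {
	Algorithm string         // "RSA" or "ECDSA"
	RSABits   int            // modulus size when Algorithm == "RSA"
	Curve     elliptic.Curve // curve when Algorithm == "ECDSA"
}

// generateKey applies the gate rule from the quoted description: a nil config keeps legacy RSA-2048.
func generateKey(cfg *KeyConfig) (crypto.Signer, error) {
	switch {
	case cfg == nil:
		return rsa.GenerateKey(rand.Reader, 2048)
	case cfg.Algorithm == "RSA" && cfg.RSABits >= 2048:
		return rsa.GenerateKey(rand.Reader, cfg.RSABits)
	case cfg.Algorithm == "ECDSA" && cfg.Curve != nil:
		return ecdsa.GenerateKey(cfg.Curve, rand.Reader)
	}
	return nil, fmt.Errorf("unsupported key config %+v", *cfg)
}

// template returns the shape of the two certificate roles the PR names: the signing CA or a serving cert.
func template(isCA bool, name string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.DNSNames, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil, nil
	}
	return t
}

// newCert generates a key per cfg and issues tmpl; a nil parent means self-signed. The signer is only ever a crypto.Signer, so an ECDSA CA needs no RSA-specific code (the *rsa.PrivateKey widening in rotate.go).
func newCert(cfg *KeyConfig, tmpl, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
	key, err := generateKey(cfg)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// KeyInfo is what to check after a rollout (openssl's Public-Key, ASN1 OID and Signature Algorithm lines).
type KeyInfo struct {
	Algorithm, Curve, Signature string // "RSA"/"ECDSA" (or the Go type name if neither); curve name, "" for RSA; e.g. "ECDSA-SHA384"
	Bits                        int    // RSA modulus bits or curve bit size
}

func describe(cert *x509.Certificate) KeyInfo {
	info := KeyInfo{Algorithm: fmt.Sprintf("%T", cert.PublicKey), Signature: cert.SignatureAlgorithm.String()}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		info.Algorithm, info.Bits = "RSA", pub.N.BitLen()
	case *ecdsa.PublicKey:
		info.Algorithm, info.Curve, info.Bits = "ECDSA", pub.Curve.Params().Name, pub.Curve.Params().BitSize
	}
	return info
}

func main() {
	// Constructed profile matching the defaults reported later in this thread: P-384 signer, P-256 serving.
	ca, caKey, err := newCert(&KeyConfig{Algorithm: "ECDSA", Curve: elliptic.P384()}, template(true, "service-ca.service-serving-signer"), nil, nil)
	if err != nil {
		panic(err)
	}
	leaf, _, err := newCert(&KeyConfig{Algorithm: "ECDSA", Curve: elliptic.P256()}, template(false, "svc.ns.svc"), ca, caKey)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{ca, leaf} {
		fmt.Printf("%-36s %+v\n", c.Subject.CommonName, describe(c))
	}
}
```

Run it as a program to print both certificates' key facts, or drive newCert from a test to check a profile end to end. Note the distinction when reading such output for a serving cert: its Signature reports the signer's algorithm (ECDSA-SHA384 for a P-384 CA) while its Curve reports its own key (P-256).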

@openshift-ci-robot openshift-ci-robot removed the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 16, 2026

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (3)
pkg/controller/servingcert/controller/secret_updating_controller.go (1)

104-111: ⚠️ Potential issue | 🟠 Major

Defer key-config resolution to regeneration-only paths.

Resolving at Line 108 makes healthy secrets fail sync on transient PKI lookup errors, even when no cert rewrite is needed. Resolve only in branches that actually call toRequiredSecret.

Suggested direction
- keyConfig, err := resolveServingKeyConfig(sc.featureGateAccessor, sc.pkiLister)
- if err != nil {
- 	return err
- }
-
 if sc.requiresRegeneration(service, sharedSecret, sc.minTimeLeftForCert) {
+	keyConfig, err := resolveServingKeyConfig(sc.featureGateAccessor, sc.pkiLister)
+	if err != nil {
+		return err
+	}
 	if err := toRequiredSecret(sc.dnsSuffix, sc.ca, sc.intermediateCACert, service, secretCopy, sc.certificateLifetime, keyConfig); err != nil {
 		return err
 	}
 	_, err := sc.secretClient.Secrets(secretCopy.Namespace).Update(ctx, secretCopy, metav1.UpdateOptions{})
 	return err
 }
- update, err := sc.ensureSecretData(service, secretCopy, keyConfig)
+ update, err := sc.ensureSecretData(service, secretCopy)
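Review bot: the suggested block does not compile as written: moving `keyConfig, err := resolveServingKeyConfig(...)` inside the `if` body declares `err` in that scope, so the later `_, err := sc.secretClient.Secrets(secretCopy.Namespace).Update(...)` in the same block has no new variable on its left-hand side. Change that line to `_, err = sc.secretClient.Secrets(secretCopy.Namespace).Update(ctx, secretCopy, metav1.UpdateOptions{})`. Separately, the removed `sc.ensureSecretData(service, secretCopy, keyConfig)` shows that helper currently takes the key config; dropping the argument is only safe if ensureSecretData never reaches toRequiredSecret itself, which the hunk does not show.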

Also applies to: 125-125

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/controller/secret_updating_controller.go` around
lines 104 - 111, The code eagerly calls resolveServingKeyConfig and assigns
keyConfig before determining whether regeneration is needed, causing transient
PKI lookup failures to break healthy secret syncs; move the call to
resolveServingKeyConfig so it is only invoked in the branches that actually call
toRequiredSecret (i.e., defer resolution into the regeneration/code-paths that
build required secrets), remove the early resolution and any use of keyConfig
outside those branches, and ensure both occurrences (the current early call and
the duplicate at the later location) are consolidated so resolution happens only
when toRequiredSecret will be executed.
pkg/controller/servingcert/controller/secret_creating_controller.go (1)

164-167: ⚠️ Potential issue | 🟠 Major

Route PKI key-config resolution failures through updateServiceFailure.

At Line 166, returning directly skips service failure annotations/retry accounting, so this new failure mode is not tracked like other generation failures.

Suggested fix
 keyConfig, err := resolveServingKeyConfig(sc.featureGateAccessor, sc.pkiLister)
 if err != nil {
-	return err
+	return sc.updateServiceFailure(ctx, serviceCopy, fmt.Errorf("unable to resolve serving key config: %w", err))
 }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/controller/secret_creating_controller.go` around
lines 164 - 167, The direct return of err from resolveServingKeyConfig bypasses
service failure handling; replace the bare "return err" with a call to the
controller's failure annotator (updateServiceFailure) so the service's failure
annotation and retry accounting are updated. Specifically, where
resolveServingKeyConfig(sc.featureGateAccessor, sc.pkiLister) currently returns
an error, invoke sc.updateServiceFailure(...) (using the same service
identifier/context used elsewhere in this file), pass a concise failure message
indicating key-config resolution and the err, and follow the established return
behavior used by other failure paths in this controller (mirror the pattern
around other calls to updateServiceFailure in this file to determine whether to
return the error or nil after annotating).
go.mod (1)

130-130: ⚠️ Potential issue | 🟠 Major

Remove the personal-fork replace before merge.

Line 130 routes all github.com/openshift/library-go resolution through a personal fork, which is a release/supply-chain risk if this lands in main. Keep this only as a short-lived development override and switch back to upstream/org-owned source before merge.

Suggested minimal change
-replace github.com/openshift/library-go => github.com/sanchezl/library-go v0.0.0-20260316031911-77a86494b72b
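Review bot: deleting the replace line alone leaves the fork's entries in go.sum and vendor/modules.txt (both are among this PR's changed files), so follow it with `go mod tidy` and `go mod vendor`, and bump the `require` entry for github.com/openshift/library-go to an upstream version that already contains library-go#2127, which this PR states it depends on; otherwise the build resolves to an upstream library-go that may not yet carry the `pkg/pki` package and `pkg/crypto` changes vendored here.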

Use this read-only check before merge (expected: second command returns no matches):

#!/bin/bash
set -euo pipefail

# 1) Show any replace directive for openshift/library-go in go.mod.
#    rg exits 1 when nothing matches, which set -e would turn into an abort
#    before step 2 runs, so tolerate "no replace at all" here.
rg -nP '^\s*replace\s+github\.com/openshift/library-go\s*=>' go.mod || true

# 2) Ensure no such replace points outside the openshift org
#    (expected: no matches).
rg -nP '^\s*replace\s+github\.com/openshift/library-go\s*=>\s+github\.com/(?!openshift/)' go.mod || true
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 130, The go.mod contains a development-only replace directive
"replace github.com/openshift/library-go => github.com/sanchezl/library-go ..."
that must be removed before merging; delete that replace line in go.mod (or
revert it to the original upstream module) so imports resolve to
github.com/openshift/library-go, then run the provided two-step grep/rg checks
to verify no remaining replace entries point outside the openshift org; keep
this change local to the feature branch only if you still need the fork during
testing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 99c3e15d-1ac4-4606-9a55-1539b39a825d

📥 Commits

Reviewing files that changed from the base of the PR and between 8dbdb34 and 8a05e65.

⛔ Files ignored due to path filters (47)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/AGENTS.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmapping.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/certificateconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/custompkipolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/defaultcertificateconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/ecdsakeyconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/keyconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatemanagement.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkiprofile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkispec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/rsakeyconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/key_config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (12)
  • go.mod
  • pkg/controller/servingcert/controller/pki.go
  • pkg/controller/servingcert/controller/pki_test.go
  • pkg/controller/servingcert/controller/secret_creating_controller.go
  • pkg/controller/servingcert/controller/secret_updating_controller.go
  • pkg/controller/servingcert/starter/starter.go
  • pkg/operator/operator.go
  • pkg/operator/rotate.go
  • pkg/operator/rotate_test.go
  • pkg/operator/starter.go
  • pkg/operator/sync_common.go
  • pkg/operator/sync_common_test.go
🚧 Files skipped from review as they are similar to previous changes (5)
  • pkg/operator/operator.go
  • pkg/controller/servingcert/starter/starter.go
  • pkg/operator/rotate_test.go
  • pkg/operator/sync_common_test.go
  • pkg/controller/servingcert/controller/pki.go

@sanchezl

Contributor Author

/retest

@sanchezl sanchezl force-pushed the pki-config branch 2 times, most recently from 0e8591b to a214746 on March 19, 2026 15:41
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 30, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 30, 2026
@sanchezl sanchezl force-pushed the pki-config branch 2 times, most recently from baa5826 to 718d1da on March 31, 2026 15:54
@openshift-ci

openshift-ci Bot commented Mar 31, 2026

Contributor

@sanchezl: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@sanchezl

sanchezl commented Apr 1, 2026

Contributor Author

/payload-job-with-prs periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview #327

@openshift-ci

openshift-ci Bot commented Apr 1, 2026

Contributor

@sanchezl: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4adf4dc0-2df2-11f1-8241-50cd0463c517-0

@openshift-ci

openshift-ci Bot commented Apr 1, 2026

Contributor

@sanchezl: This PR was included in a payload test run from #327
trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4adf4dc0-2df2-11f1-8241-50cd0463c517-0

sanchezl added 2 commits April 2, 2026 10:20
The ValidatingWebhookConfigurations informer was being accessed after
SharedInformerFactory.Start(), so the factory never started it, causing
WaitForCacheSync to block indefinitely and the test to time out.
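The ordering bug this commit describes, modelled as an added example (my own code, not client-go or the operator's): a minimal factory that follows SharedInformerFactory's rule that Start() launches only the informers requested before it, and a WaitForCacheSync that takes a context so the hang shows up as a timeout instead of the indefinite block the commit message reports. Informer names are placeholders. The same rule explains the duplicate configInformers.Start() flagged later in review: a second Start() is harmless, and only redundant if no informer was requested between the two calls.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// informer stands in for one shared informer: its cache syncs only once it is run.
type informer struct {
	name   string
	synced chan struct{}
	once   sync.Once
}

func (i *informer) run() {
	i.once.Do(func() {
		go func() {
			time.Sleep(10 * time.Millisecond) // simulated initial LIST
			close(i.synced)
		}()
	})
}

// factory models SharedInformerFactory: Start launches the informers requested so
// far and remembers them, so a later request needs another Start call.
type factory struct {
	mu        sync.Mutex
	informers map[string]*informer
	started   map[string]bool
}

func newFactory() *factory {
	return &factory{informers: map[string]*informer{}, started: map[string]bool{}}
}

// Informer registers (on first use) and returns the informer for a resource.
func (f *factory) Informer(name string) *informer {
	f.mu.Lock()
	defer f.mu.Unlock()
	if inf, ok := f.informers[name]; ok {
		return inf
	}
	inf := &informer{name: name, synced: make(chan struct{})}
	f.informers[name] = inf
	return inf
}

// Start is idempotent: already-started informers are skipped, new ones are run.
func (f *factory) Start() {
	f.mu.Lock()
	defer f.mu.Unlock()
	for name, inf := range f.informers {
		if !f.started[name] {
			inf.run()
			f.started[name] = true
		}
	}
}

// WaitForCacheSync reports, per registered informer, whether its cache synced
// before ctx expired (client-go's version has no deadline and blocks forever).
func (f *factory) WaitForCacheSync(ctx context.Context) map[string]bool {
	f.mu.Lock()
	infs := make([]*informer, 0, len(f.informers))
	for _, inf := range f.informers {
		infs = append(infs, inf)
	}
	f.mu.Unlock()
	res := map[string]bool{}
	for _, inf := range infs {
		select {
		case <-inf.synced: // already synced: record without consulting ctx
			res[inf.name] = true
			continue
		default:
		}
		select {
		case <-inf.synced:
			res[inf.name] = true
		case <-ctx.Done():
			res[inf.name] = false
		}
	}
	return res
}

// Scenario reproduces the bug: the webhook informer is requested after Start().
// With startAgain=true a second Start() picks it up, which is the fix.
func Scenario(startAgain bool) map[string]bool {
	f := newFactory()
	f.Informer("secrets")
	f.Start()
	f.Informer("validatingwebhookconfigurations") // requested too late
	if startAgain {
		f.Start()
	}
	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()
	return f.WaitForCacheSync(ctx)
}

func main() {
	fmt.Println("without second Start:", Scenario(false))
	fmt.Println("with second Start:   ", Scenario(true))
}
```

In the real factory the late informer never syncs and WaitForCacheSync never returns, which is exactly why the test timed out; the fix is to request every informer before Start(), or to call Start() again afterwards.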
@sanchezl

sanchezl commented Apr 2, 2026

Contributor Author

/payload-job periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview

@openshift-ci

openshift-ci Bot commented Apr 2, 2026

Contributor

@sanchezl: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/716fb4e0-2e9f-11f1-9f05-183014ecb950-0

@sanchezl

sanchezl commented Apr 3, 2026

Contributor Author

/verified by "e2e-aws-ovn-techpreview"

Verification Summary

The Apr 2 periodic-ci-openshift-release-main-ci-4.22-e2e-aws-ovn-techpreview payload job succeeded (4,227 tests, 1 unrelated failure). Both the TechPreview and non-TechPreview (ci/prow/e2e-aws) jobs were analyzed using captured artifacts from gather-extra.

TechPreview (ConfigurablePKI Enabled): ECDSA certs generated

  • Signing CA uses ECDSA P-384 — decoded from the captured signing-cabundle ConfigMap: Public-Key: (384 bit), ASN1 OID: secp384r1, Signature Algorithm: ecdsa-with-SHA384. This is the only ECDSA CA on the cluster; all other CAs (kube-apiserver-lb-signer, localhost-signer, etc.) remain RSA 2048.
  • ConfigurablePKI feature gate confirmed Enabled in FeatureGatesInitialized events for both operator and controller.
  • Default PKI profile code path exercised — controller log: serving_cert_issuer.go:48] PKI resource not found, using default PKI profile (no explicit PKI resource was created; DefaultPKIProfile() returns ECDSA P-384 for signers, ECDSA P-256 for serving certs).
  • PKI informer active: "Caches populated" type="*v1alpha1.PKI" in both operator and controller logs.
  • ClusterOperator healthy: Available=True, Degraded=False, controller pod 0 restarts.
  • Key e2e tests passed:
    • [sig-network][Feature:Router] The HAProxy router should support reencrypt to services backed by a serving certificate automatically — canonical proof that service-ca-issued certs work end-to-end.
    • [sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA] OLMv1 operator with webhooks should have a working validating webhook — TechPreview-gated test using service-ca as webhook cert provider.
    • All 104 TLS/cert/auth tests passed, including all tls artifacts must be registered and all registered tls artifacts must have no metadata violation regressions.

Non-TechPreview (ConfigurablePKI Disabled): RSA certs preserved

  • ConfigurablePKI confirmed Disabled — in the ci/prow/e2e-aws job, the feature gate is in the Disabled list.
  • No PKI informer started, no PKI CRD registered — the new code paths are completely dormant (0 matches for v1alpha1.PKI or PKI resource not found in logs).
  • Signing CA uses RSA 2048 — decoded from captured signing-cabundle ConfigMap: Public-Key: (2048 bit), Signature Algorithm: sha256WithRSAEncryption. All CAs uniformly RSA 2048.
  • ClusterOperator healthy: Available=True, Degraded=False, controller pod 0 restarts.

Side-by-Side

  Property              | e2e-aws (non-TP) | e2e-aws-ovn-techpreview
  ConfigurablePKI       | Disabled         | Enabled
  Signing CA algorithm  | RSA 2048         | ECDSA P-384
  PKI informer          | Not started      | Active
  Operator healthy      | Yes              | Yes
  Job result            | SUCCESS          | SUCCESS
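The decoding step in the summary above, done by hand with the captured signing-cabundle ConfigMap, can be automated. The following is an added example (my own code, not the PR's or the service-ca-operator's): it parses every certificate in a PEM bundle, reports key algorithm, key size, curve and signature algorithm, and asserts the expected signer profile, so the same check can run against either job's artifacts or a live cluster's ConfigMap. The two bundles it inspects are constructed inline with throwaway self-signed CAs (an ECDSA P-384 one for the gate-enabled case, an RSA 2048 one for the gate-disabled case); the CommonNames are placeholders, not the operator's real signer name.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

// KeyProfile summarises the public key and signature algorithm of one certificate.
type KeyProfile struct {
	Subject   string
	Algorithm string // "RSA" or "ECDSA"
	Bits      int    // RSA modulus length or ECDSA curve size, in bits
	Curve     string // ECDSA curve name such as "P-384"; empty for RSA
	SigAlg    string // Go's name for the signature algorithm, e.g. "ECDSA-SHA384"
}

// InspectBundle parses every CERTIFICATE block in a PEM bundle (for example the
// ca-bundle.crt entry of a signing CA ConfigMap) and reports each key profile.
func InspectBundle(bundlePEM []byte) ([]KeyProfile, error) {
	var profiles []KeyProfile
	rest := bundlePEM
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		p := KeyProfile{Subject: cert.Subject.CommonName, SigAlg: cert.SignatureAlgorithm.String()}
		switch pub := cert.PublicKey.(type) {
		case *rsa.PublicKey:
			p.Algorithm, p.Bits = "RSA", pub.N.BitLen()
		case *ecdsa.PublicKey:
			p.Algorithm, p.Bits, p.Curve = "ECDSA", pub.Curve.Params().BitSize, pub.Curve.Params().Name
		default:
			p.Algorithm = fmt.Sprintf("%T", pub) // other key types are reported, not classified
		}
		profiles = append(profiles, p)
	}
	if len(profiles) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found in bundle")
	}
	return profiles, nil
}

// ExpectSignerProfile fails if any certificate in the bundle deviates from the expected profile.
func ExpectSignerProfile(profiles []KeyProfile, algorithm string, bits int) error {
	for _, p := range profiles {
		if p.Algorithm != algorithm || p.Bits != bits {
			return fmt.Errorf("%q: got %s %d, want %s %d", p.Subject, p.Algorithm, p.Bits, algorithm, bits)
		}
	}
	return nil
}

// selfSignedCA builds a throwaway self-signed CA for the given key (constructed test data only).
func selfSignedCA(cn string, key crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundles constructs one bundle per CI job: an ECDSA P-384 signer (gate enabled)
// and an RSA 2048 signer (gate disabled). The CommonNames are placeholders.
func SampleBundles() (techPreview, gateOff []byte, err error) {
	ecKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if techPreview, err = selfSignedCA("example-signer-ecdsa", ecKey); err != nil {
		return nil, nil, err
	}
	gateOff, err = selfSignedCA("example-signer-rsa", rsaKey)
	return techPreview, gateOff, err
}

func main() {
	tp, off, err := SampleBundles()
	if err != nil {
		panic(err)
	}
	for _, b := range [][]byte{tp, off} {
		profiles, _ := InspectBundle(b)
		fmt.Printf("%+v  ecdsaP384=%v\n", profiles[0], ExpectSignerProfile(profiles, "ECDSA", 384) == nil)
	}
}
```

To run it against real artifacts, feed InspectBundle the ca-bundle.crt bytes of the captured ConfigMap; ExpectSignerProfile(profiles, "ECDSA", 384) is the TechPreview expectation from the table above and ExpectSignerProfile(profiles, "RSA", 2048) the gate-off one. Because the check walks every certificate in the bundle, it also catches a mixed bundle left behind by a rotation that did not complete.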

@openshift-ci-robot

Contributor

@sanchezl: This PR has been marked as verified by "e2e-aws-ovn-techpreview".

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Apr 3, 2026
@sanchezl

sanchezl commented Apr 3, 2026

Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 3, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
pkg/controller/servingcert/starter/starter.go (1)

111-112: Duplicate configInformers.Start() call.

configInformers.Start(ctx.Done()) is already called at line 61. While Start() is idempotent on SharedInformerFactory, calling it twice is unnecessary and may cause confusion.

♻️ Suggested fix: remove duplicate call
 	kubeInformers.Start(ctx.Done())
-	configInformers.Start(ctx.Done())

 	go servingCertController.Run(ctx, 5)
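Review bot: Removing this second configInformers.Start() is only safe if every informer taken from configInformers, including the PKI informer that is wired only when ConfigurablePKI is enabled, has been requested before the Start() at line 61. SharedInformerFactory.Start() launches just the informers requested so far, which is exactly the failure this PR's own commit fixes ("informer was being accessed after SharedInformerFactory.Start(), so the factory never started it, causing WaitForCacheSync to block indefinitely"). Before taking the suggestion, confirm the controller constructor that requests the PKI informer runs ahead of line 61; otherwise keep this call and add a one-line comment stating why it is needed.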
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/starter/starter.go` around lines 111 - 112, The
file contains a duplicate call to configInformers.Start(ctx.Done()) (called
earlier and again at lines shown); remove the second invocation so only
kubeInformers.Start(ctx.Done()) and the single configInformers.Start(ctx.Done())
remain; update the starter.go block that calls kubeInformers.Start and
configInformers.Start to call each SharedInformerFactory.Start exactly once.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eba556a7-0c18-4516-8815-afad61657ba8

📥 Commits

Reviewing files that changed from the base of the PR and between 8dbdb34 and ca5ae82.

⛔ Files ignored due to path filters (111)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/AGENTS.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features/features.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tokenclaimmapping.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/usernameclaimmapping.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/additionalalertmanagerconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/authorizationconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/basicauth.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/certificateconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/custompkipolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/defaultcertificateconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/dropequalactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/ecdsakeyconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/hashmodactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/keepequalactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/keyconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/label.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/labelmapactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/lowercaseactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metadataconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metadataconfigcustom.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/oauth2.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/oauth2endpointparam.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/openshiftstatemetricsconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatemanagement.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatesubject.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkiprofile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkispec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusremotewriteheader.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/queueconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/relabelactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/relabelconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/remotewriteauthorization.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/remotewritespec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/replaceactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/rsakeyconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/secretkeyselector.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/sigv4.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/tlsconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/uppercaseactionconfig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/imagepolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/imagepolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/pki.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/client-go/route/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/cert_config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/keygen.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/options.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/profile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/resolve.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/pki/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (15)
  • bindata/assets/clusterrole.yaml
  • bindata/assets/deployment.yaml
  • go.mod
  • pkg/controller/cabundleinjector/admissionwebhook_test.go
  • pkg/controller/servingcert/controller/secret_creating_controller.go
  • pkg/controller/servingcert/controller/secret_creating_controller_test.go
  • pkg/controller/servingcert/controller/secret_updating_controller.go
  • pkg/controller/servingcert/controller/serving_cert_issuer.go
  • pkg/controller/servingcert/starter/starter.go
  • pkg/operator/operator.go
  • pkg/operator/rotate.go
  • pkg/operator/rotate_test.go
  • pkg/operator/starter.go
  • pkg/operator/sync_common.go
  • pkg/operator/sync_common_test.go
✅ Files skipped from review due to trivial changes (1)
  • go.mod
🚧 Files skipped from review as they are similar to previous changes (6)
  • pkg/operator/rotate_test.go
  • pkg/operator/operator.go
  • pkg/operator/sync_common_test.go
  • pkg/operator/sync_common.go
  • pkg/operator/rotate.go
  • pkg/operator/starter.go

Comment on lines +99 to +103
servingCertIssuer: servingCertIssuer{
ca: ca,
intermediateCACert: nil,
dnsSuffix: "cluster.local",
},


⚠️ Potential issue | 🟡 Minor

Missing certificateLifetime initialization in test setup.

The embedded servingCertIssuer does not set certificateLifetime, leaving it at the zero value. When makeServingCert calls ca.MakeServerCert(subjects, s.certificateLifetime, ...), a zero duration may produce certificates with unexpected validity periods or cause test failures.

🔧 Proposed fix
 	controller := &serviceServingCertController{
 		servingCertIssuer: servingCertIssuer{
 			ca:                 ca,
 			intermediateCACert: nil,
 			dnsSuffix:          "cluster.local",
+			certificateLifetime: 2 * 365 * 24 * time.Hour,
 		},
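Review bot: The added certificateLifetime line needs the test file to import "time", and nothing in the hunk shows that import, so confirm it is present before committing. 2 * 365 * 24 * time.Hour is also a magic number; prefer the lifetime the controller is constructed with in production (or a named test constant) so the test issues certificates with the same validity the controller does, and consider asserting on the generated certificate's NotAfter so a zero lifetime cannot pass silently again.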
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/controller/secret_creating_controller_test.go`
around lines 99 - 103, The test initializes servingCertIssuer without setting
certificateLifetime, so makeServingCert ends up passing a zero duration to
ca.MakeServerCert; update the test setup where servingCertIssuer is constructed
(servingCertIssuer{...}) to set certificateLifetime to a non-zero duration (e.g.
a sensible time.Duration like 1*time.Hour or the test-suite constant) so that
makeServingCert calls ca.MakeServerCert with a valid lifetime; ensure the field
name certificateLifetime in the servingCertIssuer struct is included in that
literal initialization.

Comment on lines +164 to 166
if err := sc.toRequiredSecret(serviceCopy, secret); err != nil {
return err
}


⚠️ Potential issue | 🟠 Major

PKI resolution errors bypass failure tracking.

When sc.toRequiredSecret fails due to PKI resolution errors (from the embedded makeServingCert), the error returns directly without calling updateServiceFailure. This means:

  1. Failures aren't counted toward maxRetries
  2. The service isn't annotated with error information
  3. On persistent PKI misconfiguration, services will retry indefinitely without actionable error state

Other error paths in generateCert (lines 171, 176, 181, 187) consistently use updateServiceFailure.

🔧 Proposed fix
-	if err := sc.toRequiredSecret(serviceCopy, secret); err != nil {
-		return err
-	}
+	if err := sc.toRequiredSecret(serviceCopy, secret); err != nil {
+		return sc.updateServiceFailure(ctx, serviceCopy, err)
+	}
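Review bot: The replacement passes ctx to sc.updateServiceFailure(ctx, serviceCopy, err) while the agent prompt for this same finding writes sc.updateServiceFailure(serviceCopy, err); the two suggestions disagree on the signature, so match whichever form the other generateCert error paths (lines 171, 176, 181, 187) actually use. Routing the error through updateServiceFailure is the right change: a PKI resolution failure that never clears would otherwise be retried without bound and with no annotation on the Service telling an operator why, and the maxRetries cap would never apply. A unit test with a pkiProvider that returns an error would pin that behaviour.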
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/controller/servingcert/controller/secret_creating_controller.go` around
lines 164 - 166, The call to sc.toRequiredSecret(serviceCopy, secret) can return
PKI resolution errors from makeServingCert and currently returns raw errors,
bypassing updateServiceFailure; change the error handling to mirror the other
branches in generateCert by invoking sc.updateServiceFailure(serviceCopy, err)
(and any relevant message/annotations used elsewhere) before returning the error
so the failure is counted, annotated on the Service, and subject to maxRetries
logic (targeting sc.toRequiredSecret and makeServingCert as the error sources to
locate the fix).

@kaleemsiddiqu

Contributor

/verified by @kaleemsiddiqu
Tested manually, service-ca-* namespaces certs getting renewed correctly.

@openshift-ci-robot

Contributor

@kaleemsiddiqu: This PR has been marked as verified by @kaleemsiddiqu.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kaleemsiddiqu

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 6, 2026
@openshift-ci

openshift-ci Bot commented Apr 6, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaleemsiddiqu, sanchezl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 8aea4fc into openshift:main Apr 6, 2026
12 checks passed

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

3 participants