CCO-787: use apiserver tls config by jstuever · Pull Request #965 · openshift/cloud-credential-operator

jstuever · 2026-01-27T20:59:02Z

This change ensures the pod-identity-webhook is configured to use the same tls-min-version and tls-cipher-suites as the apiserver. It does so by adding parameters to the pod-identity-webhook command when these values are non-empty. This improves the pod-identity-webhook security posture by matching that of the apiserver, which can be modified by the user.

openshift-ci-robot · 2026-01-27T20:59:07Z

@jstuever: This pull request references CCO-787 which is a valid jira issue.

Details

In response to this:

This change ensures the pod-identity-webhook is configured to use the same tls-min-version and tls-cipher-suites as the apiserver. It does so by adding parameters to the pod-identity-webhook command when these values are non-empty. This improves the pod-identity-webhook security posture by matching that of the apiserver, which can be modified by the user.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

jstuever · 2026-01-27T21:04:12Z

This PR depends on the necessary flags existing on the pod-identity-webhooks as well as the kube-rbac-proxy removal

CCO-784: update to pick up tls-min-version and tls-cipher-suites aws-pod-identity-webhook#207
CCO-785: add flag to configure TLS cipher suites azure-workload-identity#44
CCO-786: update to pick up tls-cipher-suites and tls-min-version gcp-workload-identity-federation-webhook#16
CCO-788: Remove kube-rbac-proxy container from metrics #976

jstuever · 2026-01-27T21:05:41Z

/test e2e-aws-manual-oidc e2e-azure-manual-oidc e2e-gcp-manual-oidc

jstuever · 2026-01-27T21:06:38Z

/hold

codecov · 2026-01-27T22:39:23Z

Codecov Report

❌ Patch coverage is 3.94737% with 73 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.01%. Comparing base (798098a) to head (d6bda97).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/cmd/operator/cmd.go	0.00%	42 Missing ⚠️
...rator/podidentity/podidentitywebhook_controller.go	7.69%	12 Missing ⚠️
pkg/operator/podidentity/gcppodidentitywebhook.go	0.00%	7 Missing ⚠️
pkg/operator/podidentity/awspodidentitywebhook.go	14.28%	4 Missing and 2 partials ⚠️
...kg/operator/podidentity/azurepodidentitywebhook.go	14.28%	4 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #965      +/-   ##
==========================================
- Coverage   46.26%   46.01%   -0.26%     
==========================================
  Files          98       98              
  Lines       12264    12332      +68     
==========================================
  Hits         5674     5674              
- Misses       5939     6003      +64     
- Partials      651      655       +4

Files with missing lines	Coverage Δ
pkg/operator/podidentity/awspodidentitywebhook.go	`60.00% <14.28%> (-18.95%)`	⬇️
...kg/operator/podidentity/azurepodidentitywebhook.go	`76.00% <14.28%> (-24.00%)`	⬇️
pkg/operator/podidentity/gcppodidentitywebhook.go	`0.00% <0.00%> (ø)`
...rator/podidentity/podidentitywebhook_controller.go	`25.52% <7.69%> (-1.71%)`	⬇️
pkg/cmd/operator/cmd.go	`0.00% <0.00%> (ø)`

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

2uasimojo

This looks sane, BUT it seems like it's reinventing logic supplied by upstream libs. Is there a reason you're not using those?

jstuever · 2026-02-04T19:20:26Z

I need to add TLSAdherence and possibly TLSCurvePreferences.

jstuever · 2026-03-05T23:32:18Z

This PR is draft until the dependent PRs merge

openshift-merge-robot · 2026-03-09T17:57:22Z

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai · 2026-03-23T23:11:48Z

Walkthrough

Updated module dependencies; expanded RBAC to include apiservers; operator startup reads API server TLS adherence/profile, wires TLS options into metrics server and a SecurityProfileWatcher, and passes TLS profile into pod-identity webhook deployment substitutions to append TLS flags.

Changes

Cohort / File(s)	Summary
Dependency Updates `go.mod`	Bumped OpenShift and Kubernetes modules; upgraded `sigs.k8s.io/controller-runtime` to v0.23.3; added `github.com/openshift/controller-runtime-common`; removed indirect `github.com/gogo/protobuf`; updated several indirect k8s/openshift deps.
RBAC Configuration `manifests/01-cluster-role.yaml`	Added `apiservers` to the `config.openshift.io` resources list in an existing `ClusterRole` rule (`get,list,watch`).
Operator TLS Integration `pkg/cmd/operator/cmd.go`	Registers `configv1` in a scheme, reads API server TLS adherence and initial TLS profile via a controller-runtime client, constructs TLS options for the metrics server, moves context cancellation outward, and registers a SecurityProfileWatcher that cancels on TLS/policy changes.
Pod Identity Webhooks — AWS / Azure / GCP `pkg/operator/podidentity/awspodidentitywebhook.go`, `pkg/operator/podidentity/azurepodidentitywebhook.go`, `pkg/operator/podidentity/gcppodidentitywebhook.go`	`ApplyDeploymentSubstitutionsInPlace` signature now accepts `tlsProfileSpec configv1.TLSProfileSpec`; functions append `--tls-min-version` and `--tls-cipher-suites` (converted OpenSSL→IANA and comma-joined) to the first container command when profile fields are present.
Pod Identity Controller `pkg/operator/podidentity/podidentitywebhook_controller.go`	Updated `PodIdentityManifestSource` interface and `staticResourceReconciler` to carry and pass `tlsProfileSpec`; initialization now fetches TLS adherence/profile and sets `r.tlsProfileSpec` when cluster TLS profile should be honored.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

jstuever · 2026-03-24T16:45:17Z

/hold cancel

openshift-ci · 2026-03-24T16:45:37Z

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/security

Details

In response to this:

/override ci/prow/security
Unrelated, and addressed by another bug.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jstuever · 2026-03-24T16:49:17Z

/hold
This should not merge until azure pod-identity-webhook has merged.

CCO-785: add flag to configure TLS cipher suites azure-workload-identity#44

2uasimojo

nit: Looks like some of your module updates ended up in the code commit. Intentional?

pkg/operator/podidentity/awspodidentitywebhook.go

jstuever · 2026-03-24T17:36:15Z

Squashed

2uasimojo · 2026-03-24T17:47:44Z

/lgtm

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/operator/podidentity/podidentitywebhook_controller.go (1)
209-225: Pass the resolved TLS profile into this controller instead of re-reading it here.

Line 209 creates a second startup client, and Lines 214-225 repeat the same TLS adherence/profile discovery that pkg/cmd/operator/cmd.go already performs on a cancelable startup context. Keeping two startup paths in sync makes this easier to drift and adds another uncancelable API dependency via the context.TODO() from Line 162. Prefer threading the effective configv1.TLSProfileSpec into Add/staticResourceReconciler.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/podidentity/podidentitywebhook_controller.go` around lines 209 -
225, The controller currently re-reads the API server TLS adherence/profile
(creating a second startup client and using context.TODO())—change the
Add/staticResourceReconciler and/or the constructor that creates
podidentitywebhook_controller so the resolved configv1.TLSProfileSpec (computed
in pkg/cmd/operator/cmd.go) is passed in and assigned to r.tlsProfileSpec;
remove the client.New(...) and
utiltls.FetchAPIServerTLSAdherencePolicy/FetchAPIServerTLSProfile calls and the
libgocrypto.ShouldHonorClusterTLSProfile branch from
podidentitywebhook_controller.go so the controller uses the injected TLS profile
and avoids the duplicate uncancelable startup API calls.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cmd/operator/cmd.go`:
- Around line 335-348: The manager is started with runCtx instead of the shared
ctx and the file observer uses log.Fatal, causing lifecycle mismatch; change
code to start managers with the provided ctx (replace runCtx usage when calling
mgr.Start and any manager-related goroutines to use ctx) and update
terminateWhenProxyChanges() so the file observer logs with log.Infof/log.Info
instead of log.Fatal; also remove the now-unused signals import (and any
signals.SetupSignalHandler() assignment like runCtx) so the shared ctx is the
single cancellation source.

---

Nitpick comments:
In `@pkg/operator/podidentity/podidentitywebhook_controller.go`:
- Around line 209-225: The controller currently re-reads the API server TLS
adherence/profile (creating a second startup client and using
context.TODO())—change the Add/staticResourceReconciler and/or the constructor
that creates podidentitywebhook_controller so the resolved
configv1.TLSProfileSpec (computed in pkg/cmd/operator/cmd.go) is passed in and
assigned to r.tlsProfileSpec; remove the client.New(...) and
utiltls.FetchAPIServerTLSAdherencePolicy/FetchAPIServerTLSProfile calls and the
libgocrypto.ShouldHonorClusterTLSProfile branch from
podidentitywebhook_controller.go so the controller uses the injected TLS profile
and avoids the duplicate uncancelable startup API calls.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 41115be9-7012-4195-94ea-c4844e3f1a93

📥 Commits

Reviewing files that changed from the base of the PR and between b9b0f7c and 98179d3.

⛔ Files ignored due to path filters (293)

go.sum is excluded by !**/*.sum
vendor/github.com/gogo/protobuf/AUTHORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/AGENTS.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/build/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/cloudnetwork/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/cloudnetwork/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/network/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/networkoperator/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/networkoperator/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/oauth/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/project/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/quota/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/route/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/samples/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/samples/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/security/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/template/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/user/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudresourcetag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiservernamedservingcert.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverservingcerts.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/audit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/auditcustomrule.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsingressspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsresourcetag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsserviceendpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureresourcetag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformloadbalancer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/basicauthidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/build.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/builddefaults.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildoverrides.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudcontrollermanagerstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerips.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clustercondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusternetworkentry.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperator.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatuscondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversion.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentoverride.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapfilereference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapnamereference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/console.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consoleauthentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customfeaturegates.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/deprecatedwebhooktokenauthenticator.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dns.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnszone.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/equinixmetalplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalipconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalippolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/extramapping.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateattributes.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatedetails.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateselection.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcelabel.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpresourcetag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/githubidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gitlabidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/googleidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/htpasswdidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsource.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/hubsourcestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ibmcloudserviceendpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/identityproviderconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/image.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagecontentpolicyspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorset.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagedigestmirrorsetspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagelabel.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyfulciocawithrekorrootoftrust.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypkirootoftrust.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicypublickeyrootoftrust.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicyspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagepolicystatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagesigstoreverificationpolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorset.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/imagetagmirrorsetspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructure.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/infrastructurestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingress.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ingressstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/keystoneidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kmsconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/kubevirtplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapattributemapping.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ldapidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/loadbalancer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/maxagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/mtumigrationvalues.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/network.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnostics.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticssourceplacement.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkdiagnosticstargetplacement.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkmigration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nodestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixfailuredomain.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformloadbalancer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismelementendpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixprismendpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixresourceidentifier.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauth.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthremoteconnectioninfo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oauthtemplates.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/objectreference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientreference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcclientstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openidclaims.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openididentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformloadbalancer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operandversion.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhub.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/operatorhubstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformloadbalancer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/pkicertificatesubject.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/platformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyfulciosubject.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyidentity.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchexactrepository.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policymatchremapidentity.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/policyrootoftrust.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/powervsserviceendpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/prefixedclaimmapping.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/profilecustomizations.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/project.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/projectspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/promqlclustercondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxyspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/proxystatus.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (7)

go.mod
manifests/01-cluster-role.yaml
pkg/cmd/operator/cmd.go
pkg/operator/podidentity/awspodidentitywebhook.go
pkg/operator/podidentity/azurepodidentitywebhook.go
pkg/operator/podidentity/gcppodidentitywebhook.go
pkg/operator/podidentity/podidentitywebhook_controller.go

✅ Files skipped from review due to trivial changes (2)

manifests/01-cluster-role.yaml
pkg/operator/podidentity/gcppodidentitywebhook.go

🚧 Files skipped from review as they are similar to previous changes (3)

pkg/operator/podidentity/awspodidentitywebhook.go
pkg/operator/podidentity/azurepodidentitywebhook.go
go.mod

pkg/cmd/operator/cmd.go

jstuever · 2026-03-24T20:43:23Z

/test e2e-hypershift

jstuever · 2026-04-01T21:36:18Z

/test e2e-aws-manual-oidc e2e-azure-manual-oidc e2e-gcp-manual-oidc

This change ensures the metrics server and pod-identity-webhooks are configured to use the same tls-min-version and tls-cipher-suites as the apiserver. It does so by adding tlsconfig to the metrics port and parameters to the pod-identity-webhook commands when these values are non-empty. This improves the pod-identity-webhook security posture by matching that of the apiserver, which can be modified by the user.

jstuever · 2026-04-01T21:43:06Z

/test e2e-aws-manual-oidc e2e-azure-manual-oidc e2e-gcp-manual-oidc

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/cmd/operator/cmd.go (1)

341-347: ⚠️ Potential issue | 🟠 Major

Still unresolved: the TLS watcher cancel path doesn't stop the managers cleanly.

cancel() now fires on TLS/adherence changes, but run() still starts both managers on signals.SetupSignalHandler() later in the file. In a normal leader-elected run, that can release the lease without stopping the old managers, and the proxy observer then turns the expected shutdown path into log.Fatal.

Suggested fix

-				runCtx := signals.SetupSignalHandler()
 				errs := make(chan error)
 				wg := sync.WaitGroup{}
 				for _, m := range []manager.Manager{mgr, rootMgr} {
 					wg.Add(1)
 					go func(m manager.Manager, ctx context.Context) {
 						defer wg.Done()
 						errs <- m.Start(ctx)

-					}(m, runCtx)
+					}(m, ctx)
 				}

 	go func() {
 		log.WithField("file", path).Info("running file observer")
 		obs.Run(done)
-		log.Fatal("file observer stopped")
+		log.WithField("file", path).Info("file observer stopped")
 	}()

This also makes the signals import removable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/cmd/operator/cmd.go` around lines 341 - 347, The TLS watcher currently
calls cancel() from the OnProfileChange/OnAdherencePolicyChange handlers but
run() still uses signals.SetupSignalHandler() to start managers, so cancelling
the TLS context doesn't stop the managers cleanly; modify run() (the function
that starts the operator managers) to accept and use the TLS-aware context
(propagate the ctx from where cancel() is invoked instead of calling
signals.SetupSignalHandler()), ensure manager.Start(ctx) is run with that
context so they shut down when cancel() is called, and remove the now-unused
signals import; update any calls to run() to pass the provided ctx so the TLS
watcher cancellation cleanly stops the managers.

🧹 Nitpick comments (1)

pkg/operator/podidentity/podidentitywebhook_controller.go (1)
214-225: Extract the APIServer TLS resolution into a shared helper.

This block now duplicates the same FetchAPIServerTLS* + ShouldHonorClusterTLSProfile flow in pkg/cmd/operator/cmd.go, Lines 263-286. Keeping operator startup and webhook deployment TLS behavior aligned is security-sensitive, so a small shared helper would reduce drift the next time this logic changes.

As per coding guidelines, Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/podidentity/podidentitywebhook_controller.go` around lines 214 -
225, The TLS resolution logic duplicating FetchAPIServerTLSAdherencePolicy,
FetchAPIServerTLSProfile and libgocrypto.ShouldHonorClusterTLSProfile should be
extracted into a single shared helper (e.g., ResolveAPIServerTLSProfile(ctx,
k8sClient) returning the resolved profile or nil plus error); update
podidentitywebhook_controller.go to call that helper and assign r.tlsProfileSpec
from its result instead of re-running the three calls, and update
pkg/cmd/operator/cmd.go to use the same helper so both startup and webhook
deployment share identical TLS-resolution behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/cmd/operator/cmd.go`:
- Around line 341-347: The TLS watcher currently calls cancel() from the
OnProfileChange/OnAdherencePolicyChange handlers but run() still uses
signals.SetupSignalHandler() to start managers, so cancelling the TLS context
doesn't stop the managers cleanly; modify run() (the function that starts the
operator managers) to accept and use the TLS-aware context (propagate the ctx
from where cancel() is invoked instead of calling signals.SetupSignalHandler()),
ensure manager.Start(ctx) is run with that context so they shut down when
cancel() is called, and remove the now-unused signals import; update any calls
to run() to pass the provided ctx so the TLS watcher cancellation cleanly stops
the managers.

---

Nitpick comments:
In `@pkg/operator/podidentity/podidentitywebhook_controller.go`:
- Around line 214-225: The TLS resolution logic duplicating
FetchAPIServerTLSAdherencePolicy, FetchAPIServerTLSProfile and
libgocrypto.ShouldHonorClusterTLSProfile should be extracted into a single
shared helper (e.g., ResolveAPIServerTLSProfile(ctx, k8sClient) returning the
resolved profile or nil plus error); update podidentitywebhook_controller.go to
call that helper and assign r.tlsProfileSpec from its result instead of
re-running the three calls, and update pkg/cmd/operator/cmd.go to use the same
helper so both startup and webhook deployment share identical TLS-resolution
behavior.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5931b138-5353-4cc1-8229-20887ebc4881

📥 Commits

Reviewing files that changed from the base of the PR and between 98179d3 and d6bda97.

⛔ Files ignored due to path filters (180)

go.sum is excluded by !**/*.sum
vendor/github.com/gogo/protobuf/AUTHORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/.golangci.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/AGENTS.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apiextensions/v1alpha1/types_compatibilityrequirement.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apiextensions/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/build/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/build/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/cloudnetwork/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/cloudnetwork/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/types_ingress.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_insights.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/types_pki.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/image/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/image/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/network/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/network/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/networkoperator/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/networkoperator/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/oauth/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/oauth/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_70_dns_00_dnses.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/types_clusterapi.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/operator/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/project/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/project/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/quota/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/quota/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/route/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/route/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/samples/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/samples/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/security/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/security/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/template/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/template/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/user/v1/generated.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/api/user/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/acceptrisk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/alibabacloudresourcetag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserver.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverencryption.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiservernamedservingcert.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverservingcerts.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/audit.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/auditcustomrule.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/authenticationstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsdnsspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsingressspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awskmsconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsresourcetag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsserviceendpoint.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureresourcetag.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformloadbalancer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/basicauthidentityprovider.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/build.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/builddefaults.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildoverrides.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/buildspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudcontrollermanagerstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/cloudloadbalancerips.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clustercondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicyspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterimagepolicystatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusternetworkentry.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperator.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusteroperatorstatuscondition.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversion.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversioncapabilitiesstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clusterversionstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentoverride.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/componentroutestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/conditionalupdaterisk.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapfilereference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/configmapnamereference.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/console.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consoleauthentication.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolespec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/consolestatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customfeaturegates.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/deprecatedwebhooktokenauthenticator.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dns.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnsspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/dnszone.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/equinixmetalplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalipconfig.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalippolicy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformspec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalplatformstatus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/extramapping.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregate.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateattributes.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregatedetails.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/featuregateselection.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (7)

go.mod
manifests/01-cluster-role.yaml
pkg/cmd/operator/cmd.go
pkg/operator/podidentity/awspodidentitywebhook.go
pkg/operator/podidentity/azurepodidentitywebhook.go
pkg/operator/podidentity/gcppodidentitywebhook.go
pkg/operator/podidentity/podidentitywebhook_controller.go

✅ Files skipped from review due to trivial changes (1)

manifests/01-cluster-role.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

pkg/operator/podidentity/awspodidentitywebhook.go
pkg/operator/podidentity/gcppodidentitywebhook.go

pkg/operator/podidentity/azurepodidentitywebhook.go

jstuever · 2026-04-03T16:28:48Z

/override ci/prow/security
Not it.

jstuever · 2026-04-03T16:29:17Z

/hold cancel

openshift-ci · 2026-04-03T16:29:18Z

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/security

Details

In response to this:

/override ci/prow/security
Not it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci · 2026-04-03T16:29:19Z

@jstuever: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

newtonheath · 2026-04-03T20:29:19Z

/lgtm

openshift-ci · 2026-04-03T20:29:38Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, jstuever, newtonheath

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [2uasimojo,jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 27, 2026

openshift-ci bot requested review from 2uasimojo and suhanime January 27, 2026 20:59

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 27, 2026

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2026

jstuever changed the title ~~CCO-787: feat: pod-identity-webhook pod to assume apiserver tls config~~ CCO-787: pod-identity-webhook pod to assume apiserver tls config Jan 28, 2026

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 31, 2026

2uasimojo reviewed Feb 2, 2026

View reviewed changes

jstuever changed the title ~~CCO-787: pod-identity-webhook pod to assume apiserver tls config~~ WIP: CCO-787: pod-identity-webhook pod to assume apiserver tls config Feb 4, 2026

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 4, 2026

jstuever force-pushed the CCO-787 branch from eab4769 to 73d3b14 Compare February 27, 2026 21:26

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 27, 2026

jstuever force-pushed the CCO-787 branch from 73d3b14 to 8842b4d Compare March 5, 2026 23:27

jstuever changed the title ~~WIP: CCO-787: pod-identity-webhook pod to assume apiserver tls config~~ WIP: CCO-787: use apiserver tls config Mar 5, 2026

jstuever marked this pull request as draft March 5, 2026 23:29

jstuever force-pushed the CCO-787 branch from 8842b4d to 4ae01a3 Compare March 6, 2026 21:17

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 9, 2026

jstuever mentioned this pull request Mar 18, 2026

CCO-819: Add TLSAdherence tracking openshift/controller-runtime-common#13

Merged

jstuever force-pushed the CCO-787 branch from 4ae01a3 to b9b0f7c Compare March 23, 2026 23:11

openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 23, 2026

jstuever changed the title ~~WIP: CCO-787: use apiserver tls config~~ CCO-787: use apiserver tls config Mar 23, 2026

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 24, 2026

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 24, 2026

2uasimojo reviewed Mar 24, 2026

View reviewed changes

pkg/operator/podidentity/awspodidentitywebhook.go Show resolved Hide resolved

jstuever force-pushed the CCO-787 branch from b9b0f7c to 98179d3 Compare March 24, 2026 17:35

coderabbitai bot reviewed Mar 24, 2026

View reviewed changes

pkg/cmd/operator/cmd.go Show resolved Hide resolved

openshift-ci bot assigned 2uasimojo Mar 24, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2026

openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 1, 2026

jstuever force-pushed the CCO-787 branch from 98179d3 to d6bda97 Compare April 1, 2026 21:40

openshift-ci bot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 1, 2026

coderabbitai bot reviewed Apr 1, 2026

View reviewed changes

pkg/operator/podidentity/azurepodidentitywebhook.go Show resolved Hide resolved

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 3, 2026

openshift-ci bot assigned newtonheath Apr 3, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 3, 2026

Conversation

jstuever commented Jan 27, 2026

Uh oh!

openshift-ci-robot commented Jan 27, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jstuever commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jstuever commented Jan 27, 2026

Uh oh!

jstuever commented Jan 27, 2026

Uh oh!

codecov bot commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

2uasimojo left a comment

Choose a reason for hiding this comment

Uh oh!

jstuever commented Feb 4, 2026

Uh oh!

jstuever commented Mar 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-merge-robot commented Mar 9, 2026

Uh oh!

coderabbitai bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

jstuever commented Mar 24, 2026

Uh oh!

openshift-ci bot commented Mar 24, 2026

Uh oh!

jstuever commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

2uasimojo left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jstuever commented Mar 24, 2026

Uh oh!

2uasimojo commented Mar 24, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jstuever commented Mar 24, 2026

Uh oh!

jstuever commented Apr 1, 2026

Uh oh!

jstuever commented Apr 1, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jstuever commented Apr 3, 2026

Uh oh!

jstuever commented Apr 3, 2026

Uh oh!

openshift-ci bot commented Apr 3, 2026

Uh oh!

openshift-ci bot commented Apr 3, 2026

Uh oh!

newtonheath commented Apr 3, 2026

Uh oh!

openshift-ci bot commented Apr 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

openshift-ci-robot commented Jan 27, 2026 •

edited by openshift-ci bot

Loading

jstuever commented Jan 27, 2026 •

edited

Loading

codecov bot commented Jan 27, 2026 •

edited

Loading

jstuever commented Mar 5, 2026 •

edited

Loading

coderabbitai bot commented Mar 23, 2026 •

edited

Loading

jstuever commented Mar 24, 2026 •

edited

Loading