OCPBUGS-17007: vendor: Update openshift/library-go to get new default TLS configuration

[wking]

Pulling in openshift/library-go@4a03f7ce49 (openshift/library-go#2051). Generated with:

$ go get github.com/openshift/library-go@master
$ go mod tidy
$ go mod vendor
$ git add -A go.* vendor

using:

$ go version
go version go1.24.0 linux/amd64

[openshift-ci-robot]

@wking: This pull request references Jira Issue OCPBUGS-17007, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jiajliu

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Pulling in openshift/library-go@4a03f7ce49 (openshift/library-go#2051). Generated with:

$ go get github.com/openshift/library-go@master
$ go mod tidy
$ go mod vendor
$ git add -A go.* vendor

using:

$ go version
go version go1.24.0 linux/amd64

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Updates the Go module file to replace the github.com/openshift/library-go dependency with a newer pseudo-version.

Changes

Cohort / File(s)	Summary
Go module dependency update go.mod	Replaces github.com/openshift/library-go version v0.0.0-20251027092748-1a3af44c9cd0 with v0.0.0-20251120164824-14a789e09884.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Check for any API changes in the new library-go version that affect imports or usage.
• Verify go mod tidy/build succeeds and CI passes.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between da6072d and 35f61d9.

⛔ Files ignored due to path filters (3)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/crypto/crypto.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• go.mod

🔇 Additional comments (1)

go.mod (1)

15-15: Dependency update properly executed via standard Go tooling.

The pseudo-version update is well-formed, the timestamp progression is sensible (Oct 27 → Nov 20), and the update was generated using standard Go tooling as documented. The PR description clearly references the upstream commit and the TLS configuration improvement being pulled in.

Verify that:

• CI passes with this library-go update (including any TLS configuration changes)
• No breaking changes were introduced by the upstream library commit (OCPBUGS-17349: crypto: remove deprecated TLS ciphers library-go#2051)
• The new TLS defaults align with security and compatibility requirements for the operator

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wking]

Rebased around #1269 with da6072d -> 35f61d9.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hongkailiu, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [hongkailiu,wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dis016]

Test Scenario: Verify CVO endpoint cluster-version-operator.openshift-cluster-version.svc_9099 is working well with new TLS configuration.

Validating with existing TestCase 41391-cvo serves metrics over only https not http

dinesh@Dineshs-MacBook-Pro openshift-tests-private % ./bin/extended-platform-tests run all --dry-run |grep -E "41391" |./bin/extended-platform-tests run --timeout "90m" -f -

  I1211 15:19:19.829147 83309 test.go:180] Found authentication type used: 
  I1211 15:19:19.829603 83309 test_context.go:567] The --provider flag is not set. Continuing as if --provider=skeleton had been used.
  I1211 15:19:24.057913 83309 api.go:57] EnvIsKubernetesCluster = no, start monitoring ClusterOperators and ClusterVersions
started: (0/1/1) "[sig-updates] OTA cvo should NonHyperShiftHOST-Author:dis-Medium-41391-cvo serves metrics over only https not http"

  I1211 15:19:28.637155 83395 openshift-tests.go:203] Is kubernetes cluster: no, is external OIDC cluster: no
  I1211 15:19:28.637471 83395 test_context.go:567] The --provider flag is not set. Continuing as if --provider=skeleton had been used.
  [1765446564] openshift extended e2e - 1/1 specs I1211 15:19:35.189043 83395 client.go:293] configPath is now "/var/folders/gw/q6gbymqn2xn3t21cr090k05h0000gn/T/configfile3471580742"
  I1211 15:19:35.189077 83395 client.go:368] The user is now "e2e-test-openshift-cluster-version-rl2kh-user"
  I1211 15:19:35.189088 83395 client.go:370] Creating project "e2e-test-openshift-cluster-version-rl2kh"
  I1211 15:19:36.573141 83395 client.go:378] Waiting on permissions in project "e2e-test-openshift-cluster-version-rl2kh" ...
  I1211 15:19:37.621964 83395 client.go:407] DeploymentConfig capability is enabled, adding 'deployer' SA to the list of default SAs
  I1211 15:19:37.890280 83395 client.go:422] Waiting for ServiceAccount "default" to be provisioned...
  I1211 15:19:38.504484 83395 client.go:422] Waiting for ServiceAccount "builder" to be provisioned...
  I1211 15:19:39.114928 83395 client.go:422] Waiting for ServiceAccount "deployer" to be provisioned...
  I1211 15:19:39.791844 83395 client.go:432] Waiting for RoleBinding "system:image-pullers" to be provisioned...
  I1211 15:19:40.666981 83395 client.go:432] Waiting for RoleBinding "system:image-builders" to be provisioned...
  I1211 15:19:41.156542 83395 client.go:432] Waiting for RoleBinding "system:deployers" to be provisioned...
  I1211 15:19:41.903904 83395 client.go:465] Project "e2e-test-openshift-cluster-version-rl2kh" has been fully provisioned.
  STEP: Check cvo delopyment config file... 12/11/25 15:19:41.904
  I1211 15:19:41.904143 83395 utils.go:64] Dumping deployments cluster-version-operator from namespace openshift-cluster-version
  I1211 15:19:42.716692 83395 utils.go:70] apiVersion: apps/v1
  kind: Deployment
  metadata:
    annotations:
      deployment.kubernetes.io/revision: "2"
      exclude.release.openshift.io/internal-openshift-hosted: "true"
      include.release.openshift.io/self-managed-high-availability: "true"
      kubernetes.io/description: The cluster-version operator manages OpenShift updates
        and reconciles core resources and cluster operators.
    creationTimestamp: "2025-12-11T06:29:26Z"
    generation: 2
    name: cluster-version-operator
    namespace: openshift-cluster-version
    ownerReferences:
    - apiVersion: config.openshift.io/v1
      controller: true
      kind: ClusterVersion
      name: version
      uid: 0497aeb4-9e93-4928-bf04-43ce68df104c
    resourceVersion: "9384"
    uid: 007da6b8-1ada-4214-ac24-e0ae9c010f5e
  spec:
    progressDeadlineSeconds: 600
    replicas: 1
    revisionHistoryLimit: 10
    selector:
      matchLabels:
        k8s-app: cluster-version-operator
    strategy:
      type: Recreate
    template:
      metadata:
        annotations:
          openshift.io/required-scc: hostaccess
          target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
        labels:
          k8s-app: cluster-version-operator
        name: cluster-version-operator
      spec:
        automountServiceAccountToken: false
        containers:
        - args:
          - start
          - --release-image=registry.build08.ci.openshift.org/ci-ln-y41fqtb/release@sha256:30a59a5c10cbd51a302a6cf40fa268b34f7dc75bf197753d6cdad43bd35518b2
          - --enable-auto-update=false
          - --listen=0.0.0.0:9099
          - --serving-cert-file=/etc/tls/serving-cert/tls.crt
          - --serving-key-file=/etc/tls/serving-cert/tls.key
          - --v=2
          - --always-enable-capabilities=Ingress
          env:
          - name: OPERATOR_IMAGE_VERSION
            value: 0.0.1-snapshot
          - name: KUBERNETES_SERVICE_PORT
            value: "6443"
          - name: KUBERNETES_SERVICE_HOST
            value: api-int.ci-ln-y41fqtb-72292.gcp-2.ci.openshift.org
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          - name: CLUSTER_PROFILE
            value: self-managed-high-availability
          image: registry.build08.ci.openshift.org/ci-ln-y41fqtb/release@sha256:30a59a5c10cbd51a302a6cf40fa268b34f7dc75bf197753d6cdad43bd35518b2
          imagePullPolicy: IfNotPresent
          name: cluster-version-operator
          ports:
          - containerPort: 9099
            hostPort: 9099
            name: metrics
            protocol: TCP
          resources:
            requests:
              cpu: 20m
              memory: 50Mi
          securityContext:
            readOnlyRootFilesystem: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
          - mountPath: /etc/ssl/certs
            name: etc-ssl-certs
            readOnly: true
          - mountPath: /etc/cvo/updatepayloads
            name: etc-cvo-updatepayloads
            readOnly: true
          - mountPath: /etc/tls/serving-cert
            name: serving-cert
            readOnly: true
          - mountPath: /etc/tls/service-ca
            name: service-ca
            readOnly: true
          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
            name: kube-api-access
            readOnly: true
        dnsPolicy: Default
        hostNetwork: true
        nodeSelector:
          node-role.kubernetes.io/master: ""
        priorityClassName: system-cluster-critical
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        terminationGracePeriodSeconds: 130
        tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node.kubernetes.io/network-unavailable
          operator: Exists
        - effect: NoSchedule
          key: node.kubernetes.io/not-ready
          operator: Exists
        - effect: NoExecute
          key: node.kubernetes.io/unreachable
          operator: Exists
          tolerationSeconds: 120
        - effect: NoExecute
          key: node.kubernetes.io/not-ready
          operator: Exists
          tolerationSeconds: 120
        volumes:
        - hostPath:
            path: /etc/ssl/certs
            type: ""
          name: etc-ssl-certs
        - hostPath:
            path: /etc/cvo/updatepayloads
            type: ""
          name: etc-cvo-updatepayloads
        - name: serving-cert
          secret:
            defaultMode: 420
            secretName: cluster-version-operator-serving-cert
        - configMap:
            defaultMode: 420
            name: openshift-service-ca.crt
          name: service-ca
        - name: kube-api-access
          projected:
            defaultMode: 420
            sources:
            - serviceAccountToken:
                expirationSeconds: 3600
                path: token
            - configMap:
                items:
                - key: ca.crt
                  path: ca.crt
                name: kube-root-ca.crt
            - downwardAPI:
                items:
                - fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
                  path: namespace
  status:
    availableReplicas: 1
    conditions:
    - lastTransitionTime: "2025-12-11T06:36:41Z"
      lastUpdateTime: "2025-12-11T06:36:41Z"
      message: Deployment has minimum availability.
      reason: MinimumReplicasAvailable
      status: "True"
      type: Available
    - lastTransitionTime: "2025-12-11T06:29:26Z"
      lastUpdateTime: "2025-12-11T06:36:41Z"
      message: ReplicaSet "cluster-version-operator-64d4fb7d9c" has successfully progressed.
      reason: NewReplicaSetAvailable
      status: "True"
      type: Progressing
    observedGeneration: 2
    readyReplicas: 1
    replicas: 1
    updatedReplicas: 1
  STEP: Check cluster-version-operator binary help 12/11/25 15:19:42.717
  I1211 15:19:43.982853 83395 cvo.go:463] Get cvo pods: [cluster-version-operator-64d4fb7d9c-n9vtk]
  I1211 15:19:46.816684 83395 cvo.go:467] CVO help returned: Starts Cluster Version Operator

  Usage:
    cluster-version-operator start [flags]

  Flags:
        --always-enable-capabilities strings   List of the cluster capabilities which will always be implicitly enabled.
        --enable-auto-update                   Enables the autoupdate controller.
    -h, --help                                 help for start
        --hypershift                           This options indicates whether the CVO is running inside a hosted control plane.
        --kubeconfig string                    Kubeconfig file to access a remote cluster (testing only)
        --listen string                        Address to listen on for metrics (default "0.0.0.0:9099")
        --metrics-ca-bundle-file string        The service CA bundle file containing one or more X.509 certificate files for validating certificates generated from the service CA for the respective remote PromQL query service. (default "/etc/tls/service-ca/service-ca.crt")
        --metrics-namespace string             The name of the namespace where the the remote PromQL query service resides. Must be specified when --use-dns-for-services is disabled. (default "openshift-monitoring")
        --metrics-service string               The name of the remote PromQL query service. Must be specified when --use-dns-for-services is disabled. (default "thanos-querier")
        --metrics-token-file string            The bearer token file used to access the remote PromQL query service. (default "/var/run/secrets/kubernetes.io/serviceaccount/token")
        --metrics-url string                   The URL used to access the remote PromQL query service. (default "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091")
        --node-name string                     kubernetes node name CVO is scheduled on. (default "ci-ln-y41fqtb-72292-ggpth-master-0")
        --release-image string                 The Openshift release image url.
        --serving-cert-file string             The X.509 certificate file for serving metrics over HTTPS.  You must set both --serving-cert-file and --serving-key-file unless you set --listen empty.
        --serving-key-file string              The X.509 key file for serving metrics over HTTPS.  You must set both --serving-cert-file and --serving-key-file unless you set --listen empty.
        --update-service string                The preferred update service.  If set, this option overrides any upstream value configured in ClusterVersion spec.
        --use-dns-for-services                 Configures the CVO to use DNS for resolution of services in the cluster.

  Global Flags:
        --add_dir_header                   If true, adds the file directory to the header of the log messages
        --alsologtostderr                  log to standard error as well as files (no effect when -logtostderr=true) (default true)
        --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
        --log_dir string                   If non-empty, write log files in this directory (no effect when -logtostderr=true)
        --log_file string                  If non-empty, use this log file (no effect when -logtostderr=true)
        --log_file_max_size uint           Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
        --logtostderr                      log to standard error instead of files (default true)
        --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
        --skip_headers                     If true, avoid header prefixes in the log messages
        --skip_log_headers                 If true, avoid headers when opening log files (no effect when -logtostderr=true)
        --stderrthreshold severity         logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
    -v, --v Level                          number for the log level verbosity
        --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
  STEP: Verify cvo metrics is only exported via https 12/11/25 15:19:46.817
  I1211 15:19:47.518567 83395 cvo.go:482] Get cvo's spec.endpoints: [map[bearerTokenFile:/var/run/secrets/kubernetes.io/serviceaccount/token interval:30s port:metrics scheme:https tlsConfig:map[caFile:/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt serverName:cluster-version-operator.openshift-cluster-version.svc]]]
  I1211 15:19:48.346084 83395 cvo.go:489] Get cvo's spec.endpoints scheme: https
  STEP: Get cvo endpoint URI 12/11/25 15:19:48.346
  I1211 15:19:49.109803 83395 cvo.go:500] Regex mached result: [cluster-version-operator   10.0.0.3:9099 10.0.0.3:9099]
  I1211 15:19:49.109918 83395 cvo.go:503] Get cvo endpoint URI: 10.0.0.3:9099
  STEP: Check metric server is providing service https, but not http 12/11/25 15:19:49.11
  I1211 15:19:49.110248 83395 prometheus_monitoring.go:208] Getting a token assgined to prometheus-k8s from openshift-monitoring namespace...
  I1211 15:19:52.525954 83395 client.go:1086] Error running oc --kubeconfig=/Users/dinesh/Downloads/kubeconfig exec -n openshift-monitoring prometheus-k8s-0 -- /bin/bash -c curl -s -H "Authorization: Bearer <redacted>" http://10.0.0.3:9099/metrics:
  StdOut>
  Client sent an HTTP request to an HTTPS server.
  command terminated with exit code 56
  StdErr>
  Client sent an HTTP request to an HTTPS server.
  command terminated with exit code 56

  STEP: Check metric server is providing service via https correctly. 12/11/25 15:19:52.526
  I1211 15:19:55.475406 83395 client.go:681] Deleted {user.openshift.io/v1, Resource=users  e2e-test-openshift-cluster-version-rl2kh-user}, err: <nil>
  I1211 15:19:55.748439 83395 client.go:681] Deleted {oauth.openshift.io/v1, Resource=oauthclients  e2e-client-e2e-test-openshift-cluster-version-rl2kh}, err: <nil>
  I1211 15:19:56.025249 83395 client.go:681] Deleted {oauth.openshift.io/v1, Resource=oauthaccesstokens  sha256~mGQ1h7UmpSRBxzDBS7gNdIKBzU374Cm-4vq3HeXl9Aw}, err: <nil>
  • SUCCESS! 25.001023892s 
passed: (32.3s) 2025-12-11T09:49:56 "[sig-updates] OTA cvo should NonHyperShiftHOST-Author:dis-Medium-41391-cvo serves metrics over only https not http"

1 pass, 0 skip (32.3s)
dinesh@Dineshs-MacBook-Pro openshift-tests-private % 

[dis016]

Test Scenario: Verify signature Algorithm in certs.

 
dinesh@Dineshs-MacBook-Pro openshift-tests-private % oc get endpoints cluster-version-operator -n openshift-cluster-version                            
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
NAME                       ENDPOINTS           AGE
cluster-version-operator   10.0.101.168:9099   3h27m
dinesh@Dineshs-MacBook-Pro openshift-tests-private % oc get clusterversion                                                                             
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0-2025-12-11-105352-test-ci-ln-hnd3p8k-latest   True        False         174m    Cluster version is 4.21.0-0-2025-12-11-105352-test-ci-ln-hnd3p8k-latest
dinesh@Dineshs-MacBook-Pro openshift-tests-private % oc get pod -n openshift-cluster-version                                                           
NAME                                        READY   STATUS    RESTARTS   AGE
cluster-version-operator-7f8ddc4675-tm9qv   1/1     Running   0          3h25m
dinesh@Dineshs-MacBook-Pro openshift-tests-private % oc exec cluster-version-operator-7f8ddc4675-tm9qv  -n openshift-cluster-version -it --  /bin/bash 
bash-5.1$ echo | openssl s_client -servername  10.0.101.168 -connect 10.0.101.168:9099 2>/dev/null | openssl x509 -inform pem -noout -text | grep "Signature Algorithm" | uniq
        **Signature Algorithm: sha256WithRSAEncryption**
    **Signature Algorithm: sha256WithRSAEncryption**
 
bash-5.1$ 

bash-5.1$ curl -s -k -I -v -H  "Authorization: Bearer $token" https://10.0.101.168:9099/metrics
*   Trying 10.0.101.168:9099...
* Connected to 10.0.101.168 (10.0.101.168) port 9099 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=cluster-version-operator.openshift-cluster-version.svc
*  start date: Dec 11 11:13:25 2025 GMT
*  expire date: Dec 11 11:13:26 2027 GMT
*  issuer: CN=openshift-service-serving-signer@1765451599
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> HEAD /metrics HTTP/1.1
> Host: 10.0.101.168:9099
> User-Agent: curl/7.76.1
> Accept: */*
> Authorization: Bearer XXXXX
> 
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=underscores
Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=underscores
< Date: Thu, 11 Dec 2025 14:33:13 GMT
Date: Thu, 11 Dec 2025 14:33:13 GMT

< 
* Connection #0 to host 10.0.101.168 left intact
bash-5.1$ exit
exit
dinesh@Dineshs-MacBook-Pro openshift-tests-private %

[dis016]

/verified by @dis016

[openshift-ci-robot]

@dis016: This PR has been marked as verified by @dis016.

Details

In response to this:

/verified by @dis016

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

/jira refresh

The requirements for Jira bugs have changed (Jira issues linked to PRs on main branch need to target different OCP), recalculating validity.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-17007, which is invalid:

• expected the weakness to target either version "4.22." or "openshift-4.22.", but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

The requirements for Jira bugs have changed (Jira issues linked to PRs on main branch need to target different OCP), recalculating validity.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[wking]

/jira refresh

[openshift-ci-robot]

@wking: This pull request references Jira Issue OCPBUGS-17007, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD d4cb3b0 and 2 for PR HEAD 35f61d9 in total

[openshift-ci]

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@wking: Jira Issue Verification Checks: Jira Issue OCPBUGS-17007
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-17007 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Pulling in openshift/library-go@4a03f7ce49 (openshift/library-go#2051). Generated with:

$ go get github.com/openshift/library-go@master
$ go mod tidy
$ go mod vendor
$ git add -A go.* vendor

using:

$ go version
go version go1.24.0 linux/amd64

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.22.0-0.nightly-2025-12-18-234253