OCPCLOUD-3347: tls: use centralized TLS profile (unrevert)

[damdo]

Unrevert of the revert #291, to reintroduce #286

--

Start using centralized TLS profile fetched from the APIServer configuration.
Remove kube-rbac-proxy

[openshift-ci-robot]

@damdo: This pull request references OCPCLOUD-3347 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Unrevert of the revert #291, to reintroduce #286

--

Start using centralized TLS profile fetched from the APIServer configuration.
Remove kube-rbac-proxy

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[damdo]

/hold

For HCP to sort out the RBAC permission issue

[damdo]

/cc @neisw @bryan-cox

[damdo]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [damdo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sjenning]

/hold

until the hypershift presubmit jobs are in place openshift/release#75309

[damdo]

/retest

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aks openshift/hypershift#7802

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aws openshift/hypershift#7802

[sjenning]

Seems it is still failing

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-machine-approver/292/pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws/2026910449928245248/artifacts/e2e-hypershift-aws/hypershift-aws-run-e2e-external/artifacts/TestCreateCluster/namespaces/e2e-clusters-mn452-create-cluster-bxhgg/core/pods/logs/machine-approver-75cf8896f4-6tr6c-machine-approver-previous.log

F0226 07:08:51.113286       1 main.go:161] unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" not found

[jmencak]

Seems it is still failing

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-machine-approver/292/pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws/2026910449928245248/artifacts/e2e-hypershift-aws/hypershift-aws-run-e2e-external/artifacts/TestCreateCluster/namespaces/e2e-clusters-mn452-create-cluster-bxhgg/core/pods/logs/machine-approver-75cf8896f4-6tr6c-machine-approver-previous.log

F0226 07:08:51.113286       1 main.go:161] unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" not found

In HyperShift, shouldn't we be querying the HostedCluster object instead of the APIServer one? At least the enhancement seems to suggest that for SLOs.

Edit: Saying that, using APIServer object from the hosted cluster in HyperShift works just fine for my use case and the implementation is simpler than trying to find the HostedCluster object as suggested by the the enhancement.

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Walkthrough

This PR introduces native TLS support to the machine-approver controller by replacing the external kube-rbac-proxy sidecar with built-in metrics server TLS configuration. It adds CLI flags for TLS settings, implements dynamic TLS profile resolution based on cluster APIServer configuration, updates deployment manifests accordingly, and bumps Kubernetes/OpenShift dependencies.

Changes

Cohort / File(s)	Summary
Dependency Updates go.mod	Updated OpenShift (api, client-go, library-go, added controller-runtime-common) and Kubernetes/controller-runtime versions. Added indirect dependencies for CEL, gRPC, OpenTelemetry, and apiserver/konnectivity modules.
Application Logic main.go	Added CLI flags for --metrics-bind-address, --tls-min-version, --tls-cipher-suites. Replaced environment-variable-driven metrics configuration with flag-based binding. Introduced TLS server configuration resolution via pkgtls.ResolveTLSConfig(), wired metrics server TLS settings, and added a SecurityProfileWatcher controller to react to TLS policy changes. Changed manager control flow to use a cancelable context from signal handler.
TLS Module pkg/tls/tls.go, pkg/tls/tls_test.go, pkg/tls/suite_test.go	Introduced ResolveTLSConfig() function to resolve TLS configuration from CLI overrides or cluster-driven TLS profiles. Added TLSConfigResult type and comprehensive Ginkgo test suite covering CLI overrides, cluster profile resolution, graceful fallbacks, and error handling. Test suite includes environment setup with controller-runtime envtest and configv1 APIs.
Metrics Configuration pkg/metrics/metrics.go	Renamed DefaultMetricsPort constant to DefaultMetricsBindAddress and updated default value from 127.0.0.1:9191 to 0.0.0.0:9192.
RBAC Configuration manifests/01-rbac.yaml	Added RBAC rule granting get, list, watch permissions on apiservers resource under config.openshift.io API group to system:openshift:controller:machine-approver ClusterRole.
Deployment Configuration manifests/04-deployment-capi.yaml, manifests/04-deployment.yaml	Removed kube-rbac-proxy sidecar container entirely. Updated machine-approver-controller to add --metrics-bind-address flag, expose port 9192/9194 named https, mount TLS certificates at /tmp/k8s-metrics-server/serving-certs, and removed legacy METRICS_PORT/METRICS_BIND_ADDRESS environment variables. Removed associated auth-proxy-config ConfigMap volume.
Removed Resources manifests/02-kube-rbac-proxy-config.yaml, manifests/image-references	Deleted kube-rbac-proxy ConfigMap manifest file and removed kube-rbac-proxy ImageStream tag definition from image references.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tls.go`:
- Around line 90-97: The current lookups using
utiltls.FetchAPIServerTLSAdherencePolicy and utiltls.FetchAPIServerTLSProfile
treat a NotFound as fatal and block controller startup; change these calls to
treat api server "cluster" NotFound as a non-fatal fallback by detecting the
NotFound error (apierrors.IsNotFound(err)) and continuing with
default/topology-specific TLS settings instead of returning fmt.Errorf; keep
returning errors for other error types. Update the code around
tlsAdherencePolicy and tlsProfileSpec retrieval to branch on
apierrors.IsNotFound(err) and document that defaults are used when missing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5e11ae30-6239-4703-941a-f55d90519025

📥 Commits

Reviewing files that changed from the base of the PR and between a9edd69 and 9ee0b44.

⛔ Files ignored due to path filters (291)

• go.sum is excluded by !**/*.sum
• vendor/cel.dev/expr/.bazelversion is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitattributes is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/GOVERNANCE.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/cloudbuild.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/antlrdoc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn_config.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn_config_set.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn_deserialization_options.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn_deserializer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn_simulator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn_state.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/atn_type.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/char_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/common_token_factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/common_token_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/comparators.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/configuration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/dfa.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/dfa_serializer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/dfa_state.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/diagnostic_error_listener.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/error_listener.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/error_strategy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/file_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/input_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/int_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/interval_set.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/jcollect.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/lexer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/lexer_action.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/lexer_action_executor.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/lexer_atn_simulator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/ll1_analyzer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/nostatistics.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/parser.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/parser_atn_simulator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/parser_rule_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/prediction_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/prediction_context_cache.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/prediction_mode.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/recognizer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/rule_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/semantic_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/statistics.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/stats_data.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/token.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/token_source.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/token_stream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/tokenstream_rewriter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/trace_listener.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/transition.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/tree.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/trees.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/antlr4-go/antlr/v4/utils.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/backoff.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/exponential.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/retry.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/ticker.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/timer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/cenkalti/backoff/v4/tries.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/LICENSE.txt is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/capture_metrics.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/docs.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/wrap_generated_gteq_1.8.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/felixge/httpsnoop/wrap_generated_lt_1.8.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-logr/stdr/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-logr/stdr/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-logr/stdr/stdr.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/cel.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/decls.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/env.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/folding.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/inlining.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/io.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/library.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/macro.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/optimizer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/program.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/prompt.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/templates/authoring.tmpl is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/cel/validator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/checker.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/cost.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/decls/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/decls/decls.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/env.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/format.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/mapping.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/printer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/scopes.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/checker/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/ast/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/ast/ast.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/ast/conversion.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/ast/expr.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/ast/factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/ast/navigable.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/containers/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/containers/container.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/cost.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/debug/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/debug/debug.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/decls/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/decls/decls.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/env/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/env/env.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/error.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/functions/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/functions/functions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/location.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/operators/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/operators/operators.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/overloads/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/overloads/overloads.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/runes/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/runes/buffer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/source.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/stdlib/standard.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/any_value.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/bool.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/bytes.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/compare.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/double.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/duration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/err.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/format.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/int.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/json_value.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/list.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/map.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/null.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/object.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/optional.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/overflow.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/pb/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/pb/checked.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/pb/enum.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/pb/equal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/pb/file.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/pb/pb.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/pb/type.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/ref/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/ref/provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/ref/reference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/string.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/timestamp.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/comparer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/container.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/field_tester.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/indexer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/iterator.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/lister.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/mapper.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/matcher.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/math.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/receiver.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/sizer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/traits.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/traits/zeroer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/uint.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/unknown.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/common/types/util.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/bindings.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/comprehensions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/encoders.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/extension_option_factory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/formatting.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/formatting_v2.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/guards.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/lists.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/math.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/native.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/protos.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/regex.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/sets.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/ext/strings.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/activation.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/attribute_patterns.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/attributes.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/decorators.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/dispatcher.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/evalstate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/functions/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/functions/functions.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/interpretable.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/interpreter.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/optimizations.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/planner.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/prune.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/interpreter/runtimecost.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/BUILD.bazel is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/CEL.g4 is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/CEL.interp is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/CEL.tokens is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/CELLexer.interp is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/CELLexer.tokens is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/cel_base_listener.go is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/cel_base_visitor.go is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/cel_lexer.go is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/cel_listener.go is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/cel_parser.go is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/cel_visitor.go is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/doc.go is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/gen/generate.sh is excluded by !**/gen/**, !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/helper.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/input.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/macro.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/parser.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/unescape.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/google/cel-go/parser/unparser.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/LICENSE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule/compile.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule/fuzz.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule/parse.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/context.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/convert.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/fieldmask.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/handler.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/marshal_httpbodyproto.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/marshal_json.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/marshal_jsonpb.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/marshal_proto.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/marshaler.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/marshaler_registry.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/mux.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/pattern.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/proto2_convert.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/runtime/query.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/utilities/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/utilities/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/utilities/pattern.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/utilities/readerfactory.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/utilities/string_array_flag.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/grpc-ecosystem/grpc-gateway/v2/utilities/trie.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (9)

• go.mod
• main.go
• manifests/01-rbac.yaml
• manifests/02-kube-rbac-proxy-config.yaml
• manifests/04-deployment-capi.yaml
• manifests/04-deployment.yaml
• manifests/image-references
• pkg/metrics/metrics.go
• tls.go

💤 Files with no reviewable changes (2)

• manifests/image-references
• manifests/02-kube-rbac-proxy-config.yaml

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aks openshift/hypershift#8019

[damdo]

/test e2e-aws-capi-techpreview

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aws openshift/hypershift#8019

[coderabbitai]

♻️ Duplicate comments (2)

go.mod (2)

56-56: ⚠️ Potential issue | 🔴 Critical

Upgrade vulnerable gRPC dependency (critical).

Line 56 pins google.golang.org/grpc v1.72.2, which is vulnerable to GHSA-p77j-4mvh-x3m3 (authorization bypass). Please upgrade to v1.79.3 or later.

Suggested diff

-	google.golang.org/grpc v1.72.2 // indirect
+	google.golang.org/grpc v1.79.3 // indirect

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 56, Update the pinned gRPC module version in go.mod: replace
the current module entry "google.golang.org/grpc v1.72.2" with at least
"google.golang.org/grpc v1.79.3" (or newer) to address the GHSA-p77j-4mvh-x3m3
authorization bypass; after updating the module line run your usual Go
dependency update (e.g., go get/resolve and go mod tidy) and run tests/build to
ensure no downstream breakage.

---

47-47: ⚠️ Potential issue | 🟠 Major

Upgrade vulnerable OpenTelemetry SDK dependency.

Line 47 pins go.opentelemetry.io/otel/sdk v1.36.0, which is in the vulnerable range for GO-2026-4394 / GHSA-9h8m-3fm2-qjrq. Please bump to v1.40.0 or later before release.

Suggested diff

-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.40.0 // indirect

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 47, The go.mod currently pins the vulnerable dependency
go.opentelemetry.io/otel/sdk at v1.36.0; update that version to v1.40.0 or later
(e.g., change go.opentelemetry.io/otel/sdk v1.36.0 -> v1.40.0) and then refresh
modules (run the appropriate go get/go mod tidy to ensure transitive updates) so
the project uses the non-vulnerable OpenTelemetry SDK release.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@go.mod`:
- Line 56: Update the pinned gRPC module version in go.mod: replace the current
module entry "google.golang.org/grpc v1.72.2" with at least
"google.golang.org/grpc v1.79.3" (or newer) to address the GHSA-p77j-4mvh-x3m3
authorization bypass; after updating the module line run your usual Go
dependency update (e.g., go get/resolve and go mod tidy) and run tests/build to
ensure no downstream breakage.
- Line 47: The go.mod currently pins the vulnerable dependency
go.opentelemetry.io/otel/sdk at v1.36.0; update that version to v1.40.0 or later
(e.g., change go.opentelemetry.io/otel/sdk v1.36.0 -> v1.40.0) and then refresh
modules (run the appropriate go get/go mod tidy to ensure transitive updates) so
the project uses the non-vulnerable OpenTelemetry SDK release.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f8e5b3fe-f184-429f-8d51-efc79a4c129f

📥 Commits

Reviewing files that changed from the base of the PR and between 0bb07b2 and 3cf84c8.

📒 Files selected for processing (3)

• go.mod
• main.go
• tls.go

✅ Files skipped from review due to trivial changes (1)

• tls.go

🚧 Files skipped from review as they are similar to previous changes (1)

• main.go

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aws openshift/hypershift#8019

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aks openshift/hypershift#8019

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aws openshift/hypershift#8019

[damdo]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aks openshift/hypershift#8019

[damdo]

/payload-job-with-prs e2e-hypershift-aws openshift/hypershift#8019

[openshift-ci]

@damdo: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[damdo]

/payload-job-with-prs pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws openshift/hypershift#8019

[openshift-ci]

@damdo: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[sunzhaohua2]

/payload-job-with-prs periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance openshift/hypershift#8019

[openshift-ci]

@sunzhaohua2: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-ovn-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/15948fb0-244f-11f1-83e2-50fda993a409-0

[sunzhaohua2]

/payload-job-with-prs periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-external-oidc openshift/hypershift#8019

[openshift-ci]

@sunzhaohua2: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-aws-external-oidc

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/15022440-267f-11f1-9a65-bf72365d4b33-0

[damdo]

/override ci/prow/e2e-aws-capi-techpreview

This job is failing for unrelated reasons. And because of the recent changes in openshift/cluster-capi-operator#494
We've created a card to track this (here OCPCLOUD-3419) and @mdbooth is working on that

[openshift-ci]

@damdo: Overrode contexts on behalf of damdo: ci/prow/e2e-aws-capi-techpreview

Details

In response to this:

/override ci/prow/e2e-aws-capi-techpreview

This job is failing for unrelated reasons. And because of the recent changes in openshift/cluster-capi-operator#494
We've created a card to track this (here OCPCLOUD-3419) and @mdbooth is working on that

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sunzhaohua2]

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aws openshift/hypershift#8019

[coderabbitai]

🧹 Nitpick comments (1)

pkg/tls/tls.go (1)

76-88: Consider the behavior when only cipher suites are provided without a minimum version.

When tlsMinVersion is empty but tlsCipherSuites is non-empty, cliflag.TLSVersion("") returns 0, resulting in cfg.MinVersion = 0 (Go's default, which is TLS 1.0 for servers). While this may be intentional to allow fine-grained control, operators might expect a reasonable default minimum version when specifying cipher suites.

If this is the intended behavior, consider documenting it in the flag help text. Otherwise, consider defaulting to TLS 1.2 when cipher suites are provided but no minimum version is specified.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/tls/tls.go` around lines 76 - 88, The code currently sets cfg.MinVersion
from minVersion (which can be 0 when tlsMinVersion flag is empty), causing
servers to use Go's default TLS 1.0; update the TLSConfig closure so that if
minVersion == 0 and cipherSuites is non-empty you set minVersion =
tls.VersionTLS12 before assigning cfg.MinVersion and applying cfg.CipherSuites
(refer to the TLSConfig func closure, cfg.MinVersion, minVersion and
cipherSuites); this ensures a reasonable default (TLS 1.2) when users supply
cipher suites but omit tlsMinVersion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/tls/tls.go`:
- Around line 76-88: The code currently sets cfg.MinVersion from minVersion
(which can be 0 when tlsMinVersion flag is empty), causing servers to use Go's
default TLS 1.0; update the TLSConfig closure so that if minVersion == 0 and
cipherSuites is non-empty you set minVersion = tls.VersionTLS12 before assigning
cfg.MinVersion and applying cfg.CipherSuites (refer to the TLSConfig func
closure, cfg.MinVersion, minVersion and cipherSuites); this ensures a reasonable
default (TLS 1.2) when users supply cipher suites but omit tlsMinVersion.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ed3bc660-3b1d-4672-ad43-884a0e539a08

📥 Commits

Reviewing files that changed from the base of the PR and between 3cf84c8 and 9ab6219.

📒 Files selected for processing (4)

• main.go
• pkg/tls/suite_test.go
• pkg/tls/tls.go
• pkg/tls/tls_test.go

[sunzhaohua2]

/test e2e-aws-capi-techpreview

[openshift-ci]

@damdo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-hypershift-aks	9ab6219	link	true	/test e2e-hypershift-aks
ci/prow/e2e-hypershift-aws	9ab6219	link	true	/test e2e-hypershift-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[damdo]

@sunzhaohua2 ci/prow/e2e-aws-capi-techpreview failures are unrelated and permanent due to how CCAPIO does handle adoption of CRDs. @mdbooth is working on a fix for that. For now we can override it

/override ci/prow/e2e-aws-capi-techpreview

[openshift-ci]

@damdo: Overrode contexts on behalf of damdo: ci/prow/e2e-aws-capi-techpreview

Details

In response to this:

@sunzhaohua2 ci/prow/e2e-aws-capi-techpreview failures are unrelated and permanent due to how CCAPIO does handle adoption of CRDs. @mdbooth is working on a fix for that. For now we can override it

/override ci/prow/e2e-aws-capi-techpreview

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sjenning]

This should be able to merge before the hypershift change (openshift/hypershift#8019) so that we can properly premerge test for both PRs.

The issue is that the PR is still trying to read the APIServer cluster resource directly.  It should not do this for hypershift.

Flag --apigroup has been deprecated, apigroup has been deprecated in favor of api-group-version option
W0401 13:29:20.511577       1 client_config.go:682] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0401 13:29:20.512773       1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=true
I0401 13:29:20.512824       1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=true
I0401 13:29:20.512845       1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0401 13:29:20.512863       1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
I0401 13:29:20.512881       1 envvar.go:172] "Feature gate default state" feature="InOrderInformers" enabled=true
I0401 13:29:20.512898       1 envvar.go:172] "Feature gate default state" feature="InOrderInformersBatchProcess" enabled=true
E0401 13:29:20.538274       1 tls.go:106] unable to get TLS adherence policy from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" not found
E0401 13:29:20.539801       1 tls.go:114] unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" not found

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-machine-approver/292/pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws/2039330566452547584

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-machine-approver/292/pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws/2039330566452547584/artifacts/e2e-hypershift-aws/hypershift-aws-run-e2e-external/artifacts/TestCreateCluster/namespaces/e2e-clusters-8spll-create-cluster-xzjbw/core/pods/logs/machine-approver-cb69d8f5b-w6xj6-machine-approver-previous.log