HIVE-3097: Go+K8s bump + Installer revendor #2901

Open
suhanime wants to merge 8 commits into openshift:master from suhanime:HIVE-3097

@suhanime suhanime commented Apr 30, 2026

Summary by CodeRabbit

  • Chores

    • Upgraded Go toolchain to 1.25 and updated build/base container images and pipeline builders to matching 1.25 / OpenShift 4.21 variants.
    • Removed legacy vendored gogo/protobuf runtime and helper code.
  • New Features

    • Added API knobs for TLS adherence, OIDC upstream‑parity validation, image signature verification, conditional‑update preflight/accept‑risks, dedicated‑host allocation, new network no‑overlay options, and MachineAPI migration/status fields.
    • Added Console "GuidedTour" capability.
  • Documentation

    • Updated API schema, validation, deepcopy and Swagger docs to reflect the above changes.

@suhanime suhanime changed the title Hive 3097: Go+K8s bump + Installer revendor HIVE-3097: Go+K8s bump + Installer revendor Apr 30, 2026

coderabbitai Bot commented Apr 30, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d9a02bc2-5ba6-4ce1-9785-cbcbe9deea99

📥 Commits

Reviewing files that changed from the base of the PR and between 291cc39 and ae18a9b.

⛔ Files ignored due to path filters (2)
  • apis/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (14)
  • apis/go.mod
  • apis/vendor/modules.txt
  • cmd/manager/main.go
  • cmd/operator/main.go
  • contrib/cmd/waitforjob/main.go
  • contrib/pkg/adm/managedns/enable.go
  • go.mod
  • pkg/installmanager/installmanager.go
  • pkg/operator/hive/hive_controller.go
  • test/e2e/common/apiservice.go
  • test/e2e/common/deployment.go
  • test/e2e/common/service.go
  • test/e2e/destroycluster/destroy_test.go
  • test/e2e/postinstall/syncsets/syncsets_suite_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • apis/go.mod

📝 Walkthrough

Bumps Go toolchain and builder/base images to Go 1.25 across CI/Docker; removes the vendored gogo/protobuf runtime; updates many OpenShift API types/validations and generated deepcopy/swagger/CRD manifests; refreshes multiple vendored libraries and small vendor fixes.

Changes

Build & Toolchain

| Layer / File(s) | Summary |
| --- | --- |
| Go toolchain & deps: apis/go.mod | Go directive/toolchain bumped to 1.25 (go1.25.9); core and indirect dependencies upgraded; k8s.io/kube-openapi added; github.com/gogo/protobuf removed from go.mod. |
| Docker build args: Dockerfile | Default build ARGs EL8_BUILD_IMAGE/EL9_BUILD_IMAGE updated from rhel--golang-1.24-openshift-4.20 → rhel--golang-1.25-openshift-4.21. |
| Make defaults: Makefile | Makefile defaults updated: EL8_BUILD_IMAGE, EL9_BUILD_IMAGE moved to Go 1.25 builder images; BASE_IMAGE bumped to OCP 4.21 base. |
| CI params / PipelineRun defaults: .tekton/.../*.yaml | Multiple Tekton PipelineRun manifests update spec.params.build-args to use newer openshift-golang-builder tags (v1.24.13-* → v1.25.9-*). |

Vendored runtime removal & API model changes

| Layer / File(s) | Summary |
| --- | --- |
| Vendored runtime removal (core impl): apis/vendor/github.com/gogo/protobuf/proto/... | Large set of gogo/protobuf source files removed (encode/decode, marshal/unmarshal, table-driven code, extensions, equal/clone/merge, text-format, wrappers, properties, lib, etc.), deleting many exported and internal symbols. |
| Vendored helpers removed: apis/vendor/github.com/gogo/protobuf/sortkeys/* | sortkeys helpers removed. |
| API type declarations / schema edits: apis/vendor/.../config/v1/types_*.go, .../machine/..., .../operator/v1/types_*.go, etc. | Many OpenShift API types updated: new fields/types (e.g., APIServerSpec.tlsAdherence/TLSAdherencePolicy, Token/ OIDC CEL rules types, ImageSigstoreVerificationPolicy and root-of-trust types, ClusterVersion conditional-update fields, OKD FeatureSet, Machine/AWS provider dedicated-host and SynchronizedAPI additions, OVN NoOverlay/BGP types, GuidedTour capability), feature-gate and XValidation annotation edits, and several tombstones/renames. |
| Deepcopy / Swagger / CRD artifacts: apis/vendor/.../zz_generated.deepcopy.go, .../zz_generated.swagger_doc_generated.go, .../zz_generated.featuregated-crd-manifests.yaml | Generated deepcopy methods, swagger doc methods, and feature-gated CRD manifest entries updated/added/removed to match the API model changes and tombstones. |
| Kubernetes vendor additions: apis/vendor/k8s.io/api/... | Added OpenAPI model-name methods and doc generation directives for authorization/core group files. |
| Other vendored library tweaks: apis/vendor/golang.org/x/net/http2/..., apis/vendor/golang.org/x/text/..., apis/vendor/golang.org/x/text/unicode/norm/... | http2 write scheduler buffers PRIORITY_UPDATE for unopened streams; Transformer.isFinal() centralized; some build-tag file removals; unicode norm packed-header decoding and masks adjusted. |

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Poem

🐰 I hopped from one-two-four up to one-two-five,
Builder tags refreshed, vendored code said goodbye,
New types and guards sprouted in API rows,
Generated code follows where the schema wind blows,
A carrot for reviewers — happy hopping, hi! 🥕

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 30, 2026

openshift-ci-robot commented Apr 30, 2026

@suhanime: This pull request references HIVE-3097 which is a valid jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from 2uasimojo and dlom April 30, 2026 17:45

openshift-ci Bot commented Apr 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: suhanime

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 30, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apis/vendor/github.com/openshift/api/config/v1/types_authentication.go`:
- Line 8: The ExternalOIDCWithUpstreamParity feature gate is declared for
oidcProviders validation but not wired to enable the corresponding enum path and
status fields; update the feature-gate plumbing so enabling
ExternalOIDCWithUpstreamParity unlocks AuthenticationTypeOIDC and populates
AuthenticationStatus.OIDCClients. Concretely, extend the
FeatureGateAwareXValidation annotations that reference spec.oidcProviders (and
the similar annotations at the other locations noted) to also allow the enum
value AuthenticationTypeOIDC and the status field OIDCClients when
ExternalOIDCWithUpstreamParity is enabled, and ensure the server-side
schema/validation that governs the Authentication type enum (AuthenticationType)
and the AuthenticationStatus struct checks feature gate
ExternalOIDCWithUpstreamParity before rejecting or omitting OIDCClients; target
the validation blocks referencing oidcProviders, AuthenticationTypeOIDC, and
AuthenticationStatus.OIDCClients so the new gate consistently enables the enum
path and status field.
- Around line 628-630: Update the Kubebuilder validation comment markers that
currently use the wrong assignment operator; change the two markers containing
"kubebuilder:validation:MinLength:=1" and
"kubebuilder:validation:MaxLength:=256" to use "=" instead of ":=" so they read
"kubebuilder:validation:MinLength=1" and "kubebuilder:validation:MaxLength=256"
(these comments are adjacent to the optional field marker in
types_authentication.go).

In `@apis/vendor/github.com/openshift/api/config/v1/types_cluster_version.go`:
- Around line 899-903: The doc comment for the "conditions" field currently says
the list "must not contain more than one entry" but the kubebuilder validation
tags (XValidation exists_one, +kubebuilder:validation:MaxItems=8,
+kubebuilder:validation:MinItems=1) allow 1–8 entries; update the comment on the
conditions field in types_cluster_version.go to reflect the actual schema (e.g.,
state that conditions must contain between 1 and 8 entries and must include a
condition of type 'Applies'), keeping the existing validation tags intact.

In `@apis/vendor/github.com/openshift/api/config/v1/types_feature.go`:
- Around line 56-61: Add the OKD value to the hive API validation and mapping:
update the FeatureSet enum validation (the +kubebuilder:validation:Enum tag on
the FeatureSet type) to include "OKD", and add an "OKD" entry to the FeatureSets
map (the FeatureSets variable) mapping to the same set of enabled feature gates
intended for OKD so lookups like fg.FeatureSet == "OKD" return the populated
feature-gates slice; modify hiveconfig_types.go where FeatureSet and FeatureSets
are declared and ensure the OKD entry mirrors the correct enabled gates used by
other fixed sets.

In `@apis/vendor/github.com/openshift/api/config/v1/types_ingress.go`:
- Line 46: Replace the CEL XValidation rule on the domain field so it allows
initial population but enforces immutability thereafter; specifically update the
kubebuilder validation tag (the line with
"+kubebuilder:validation:XValidation:rule="self == oldSelf"") to use the pattern
"!has(oldSelf) || self == oldSelf" so CREATE (when oldSelf is absent) is
permitted and UPDATE requires equality to oldSelf.

In
`@apis/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go`:
- Line 2933: The docstring for the "profileCustomizations" swagger entry
contains a stray apostrophe in "enabled by' default"; open
zz_generated.swagger_doc_generated.go and update the string value for
"profileCustomizations" to read "enabled by default" (remove the extra
apostrophe), then regenerate or re-run the swagger/code generation that produced
zz_generated.swagger_doc_generated.go so the change persists in generated
artifacts.

In
`@apis/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go`:
- Line 56: The unconditional DNS1123 subdomain validation was applied to
CPMSMachineNamePrefix by removing the FeatureGateAwareXValidation marker; either
restore the FeatureGateAwareXValidation annotation for CPMSMachineNamePrefix
with the correct feature gate name to make the rule conditional, or, if the
field should now always be validated, update the API/comments to reflect that
the field is no longer feature-gated and ensure any feature-gate checks or
gating logic for CPMSMachineNamePrefix elsewhere in the codebase are
removed/adjusted to avoid inconsistent behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a7c082f4-03b7-4b34-a340-cdc01e30b550

📥 Commits

Reviewing files that changed from the base of the PR and between bd520da and 87fc8ac.

⛔ Files ignored due to path filters (18)
  • apis/go.sum is excluded by !**/*.sum
  • apis/vendor/k8s.io/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/core/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/core/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/rbac/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/rbac/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (282)
  • .tekton/hive-mce-210-pull-request.yaml
  • .tekton/hive-mce-210-push.yaml
  • .tekton/hive-mce-211-pull-request.yaml
  • .tekton/hive-mce-211-push.yaml
  • .tekton/hive-mce-217-pull-request.yaml
  • .tekton/hive-mce-217-push.yaml
  • .tekton/hive-mce-26-pull-request.yaml
  • .tekton/hive-mce-26-push.yaml
  • .tekton/hive-mce-27-pull-request.yaml
  • .tekton/hive-mce-27-push.yaml
  • .tekton/hive-mce-28-pull-request.yaml
  • .tekton/hive-mce-28-push.yaml
  • .tekton/hive-mce-29-pull-request.yaml
  • .tekton/hive-mce-29-push.yaml
  • .tekton/hive-mce-50-pull-request.yaml
  • .tekton/hive-mce-50-push.yaml
  • .tekton/hive-mce-51-pull-request.yaml
  • .tekton/hive-mce-51-push.yaml
  • .tekton/hive-pull-request.yaml
  • .tekton/hive-push.yaml
  • Dockerfile
  • Makefile
  • apis/go.mod
  • apis/vendor/github.com/gogo/protobuf/AUTHORS
  • apis/vendor/github.com/gogo/protobuf/CONTRIBUTORS
  • apis/vendor/github.com/gogo/protobuf/LICENSE
  • apis/vendor/github.com/gogo/protobuf/proto/Makefile
  • apis/vendor/github.com/gogo/protobuf/proto/clone.go
  • apis/vendor/github.com/gogo/protobuf/proto/custom_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/decode.go
  • apis/vendor/github.com/gogo/protobuf/proto/deprecated.go
  • apis/vendor/github.com/gogo/protobuf/proto/discard.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/equal.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/message_set.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/skip_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_marshal.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_merge.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/text.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_parser.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go
  • apis/vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go
  • apis/vendor/github.com/openshift/api/config/v1/types_apiserver.go
  • apis/vendor/github.com/openshift/api/config/v1/types_authentication.go
  • apis/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
  • apis/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
  • apis/vendor/github.com/openshift/api/config/v1/types_feature.go
  • apis/vendor/github.com/openshift/api/config/v1/types_image_policy.go
  • apis/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
  • apis/vendor/github.com/openshift/api/config/v1/types_ingress.go
  • apis/vendor/github.com/openshift/api/config/v1/types_insights.go
  • apis/vendor/github.com/openshift/api/config/v1/types_network.go
  • apis/vendor/github.com/openshift/api/config/v1/types_scheduling.go
  • apis/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
  • apis/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
  • apis/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
  • apis/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
  • apis/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
  • apis/vendor/github.com/openshift/api/operator/v1/types_console.go
  • apis/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
  • apis/vendor/github.com/openshift/api/operator/v1/types_network.go
  • apis/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
  • apis/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
  • apis/vendor/k8s.io/api/authorization/v1/doc.go
  • apis/vendor/k8s.io/api/authorization/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/api/core/v1/doc.go
  • apis/vendor/k8s.io/api/core/v1/generated.proto
  • apis/vendor/k8s.io/api/core/v1/toleration.go
  • apis/vendor/k8s.io/api/core/v1/types.go
  • apis/vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go
  • apis/vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go
  • apis/vendor/k8s.io/api/core/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/api/rbac/v1/doc.go
  • apis/vendor/k8s.io/api/rbac/v1/generated.proto
  • apis/vendor/k8s.io/api/rbac/v1/types.go
  • apis/vendor/k8s.io/api/rbac/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/constraints/constraints.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/decimal_int.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/dns.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/errors.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/identifier.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/kube.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/labels/selector.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/doc.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/scheme.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/sets/set.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/validation/validation.go
  • apis/vendor/k8s.io/kube-openapi/LICENSE
  • apis/vendor/k8s.io/kube-openapi/pkg/util/trie.go
  • apis/vendor/k8s.io/kube-openapi/pkg/util/util.go
  • apis/vendor/modules.txt
  • go.mod
  • hack/ubi-build-deps.sh
  • pkg/azureclient/mock/client_generated.go
  • test/ote/go.mod
  • vendor/github.com/AlecAivazis/survey/v2/README.md
  • vendor/github.com/AlecAivazis/survey/v2/confirm.go
  • vendor/github.com/AlecAivazis/survey/v2/core/template.go
  • vendor/github.com/AlecAivazis/survey/v2/core/write.go
  • vendor/github.com/AlecAivazis/survey/v2/input.go
  • vendor/github.com/AlecAivazis/survey/v2/multiselect.go
  • vendor/github.com/AlecAivazis/survey/v2/password.go
  • vendor/github.com/AlecAivazis/survey/v2/renderer.go
  • vendor/github.com/AlecAivazis/survey/v2/select.go
  • vendor/github.com/AlecAivazis/survey/v2/survey.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/display_posix.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/error.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/output.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_bsd.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_linux.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_posix.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_ppc64le.go
  • vendor/github.com/AlecAivazis/survey/v2/transform.go
  • vendor/github.com/AlecAivazis/survey/v2/validate.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/CHANGELOG.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/LICENSE.txt
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/README.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/assets.json
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/autorest.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/build.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/ci.yml
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/client_factory.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/constants.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/federatedidentitycredentials_client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models_serde.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/operations_client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/options.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/responses.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/systemassignedidentities_client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/time_rfc3339.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/userassignedidentities_client.go
  • vendor/github.com/Azure/go-autorest/autorest/date/go_mod_tidy_hack.go
  • vendor/github.com/Azure/go-autorest/logger/go_mod_tidy_hack.go
  • vendor/github.com/Azure/go-autorest/logger/logger.go
  • vendor/github.com/Azure/go-autorest/tracing/go_mod_tidy_hack.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go
  • vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go
  • vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/dpop.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/file.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/provider.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/token.go
  • vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/LICENSE.txt
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_client.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_AssociateAlias.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CopyDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCachePolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCloudFrontOriginAccessIdentity.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateContinuousDeploymentPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistributionWithTags.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFieldLevelEncryptionConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFieldLevelEncryptionProfile.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFunction.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateInvalidation.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateKeyGroup.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateKeyValueStore.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateMonitoringSubscription.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateOriginAccessControl.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateOriginRequestPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreatePublicKey.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateRealtimeLogConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateResponseHeadersPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateStreamingDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateStreamingDistributionWithTags.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteCachePolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteCloudFrontOriginAccessIdentity.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteContinuousDeploymentPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFieldLevelEncryptionConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFieldLevelEncryptionProfile.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteFunction.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteKeyGroup.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteKeyValueStore.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteMonitoringSubscription.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteOriginAccessControl.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteOriginRequestPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeletePublicKey.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteRealtimeLogConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteResponseHeadersPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DeleteStreamingDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DescribeFunction.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_DescribeKeyValueStore.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCachePolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCachePolicyConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCloudFrontOriginAccessIdentity.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetCloudFrontOriginAccessIdentityConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetContinuousDeploymentPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetContinuousDeploymentPolicyConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetDistributionConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryption.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionProfile.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFieldLevelEncryptionProfileConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetFunction.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetInvalidation.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetKeyGroup.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetKeyGroupConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetMonitoringSubscription.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginAccessControl.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginAccessControlConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginRequestPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetOriginRequestPolicyConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetPublicKey.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetPublicKeyConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetRealtimeLogConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetResponseHeadersPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetResponseHeadersPolicyConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetStreamingDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_GetStreamingDistributionConfig.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListCachePolicies.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListCloudFrontOriginAccessIdentities.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListConflictingAliases.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_ListContinuousDeploymentPolicies.go
💤 Files with no reviewable changes (39)
  • apis/vendor/github.com/gogo/protobuf/CONTRIBUTORS
  • apis/vendor/github.com/gogo/protobuf/AUTHORS
  • apis/vendor/github.com/gogo/protobuf/LICENSE
  • apis/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/github.com/gogo/protobuf/proto/custom_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/deprecated.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go
  • apis/vendor/github.com/gogo/protobuf/proto/equal.go
  • apis/vendor/github.com/gogo/protobuf/proto/Makefile
  • apis/vendor/github.com/gogo/protobuf/proto/skip_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/clone.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration.go
  • apis/vendor/github.com/gogo/protobuf/proto/discard.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_merge.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/text.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_parser.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers.go
  • apis/vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go
  • apis/vendor/github.com/gogo/protobuf/proto/decode.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/message_set.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode.go

Comment on lines +899 to +903
// conditions must not contain more than one entry.
// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
// +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'"
// +kubebuilder:validation:MaxItems=8
// +kubebuilder:validation:MinItems=1
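
Review bot: The XValidation message on the third line of this hunk reads "must contain a condition of type 'Applies'", but exists_one is true only when exactly one element matches, so a list carrying two Applies conditions is rejected with a message that suggests none was found. Wording it as "must contain exactly one condition of type 'Applies'" would match the rule. The first comment line also needs to agree with MaxItems=8.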

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align conditions cardinality docs with the actual validation.

At Line 899, the comment says the list must not contain more than one entry, but validation at Line 902 allows up to 8 entries (while requiring exactly one Applies). Please make the docs consistent with the schema.

Suggested doc fix
-   // conditions must not contain more than one entry.
+   // conditions must not contain more than 8 entries.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// conditions must not contain more than one entry.
// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
// +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'"
// +kubebuilder:validation:MaxItems=8
// +kubebuilder:validation:MinItems=1
// conditions must not contain more than 8 entries.
// +openshift:enable:FeatureGate=ClusterUpdateAcceptRisks
// +kubebuilder:validation:XValidation:rule="self.exists_one(x, x.type == 'Applies')",message="must contain a condition of type 'Applies'"
// +kubebuilder:validation:MaxItems=8
// +kubebuilder:validation:MinItems=1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/github.com/openshift/api/config/v1/types_cluster_version.go`
around lines 899 - 903, The doc comment for the "conditions" field currently
says the list "must not contain more than one entry" but the kubebuilder
validation tags (XValidation exists_one, +kubebuilder:validation:MaxItems=8,
+kubebuilder:validation:MinItems=1) allow 1–8 entries; update the comment on the
conditions field in types_cluster_version.go to reflect the actual schema (e.g.,
state that conditions must contain between 1 and 8 entries and must include a
condition of type 'Applies'), keeping the existing validation tags intact.

Comment on lines +56 to +61
// OKD turns on features for OKD. Turning this feature set ON is supported for OKD clusters, but NOT for OpenShift clusters.
// Once enabled, this feature set cannot be changed back to Default, but can be changed to other feature sets and it allows upgrades.
OKD FeatureSet = "OKD"

// AllFixedFeatureSets are the featuresets that have known featuregates. Custom doesn't for instance. LatencySensitive is dead
AllFixedFeatureSets = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade}
AllFixedFeatureSets = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade, OKD}

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -nC 2 --type=go '\bOKD\b|\bAllFixedFeatureSets\b|\bFeatureSets\s*\['

Repository: openshift/hive

Length of output: 10491


🏁 Script executed:

#!/bin/bash
# Find the definition of FeatureSets in hive package
rg -nC 5 'FeatureSets\s*[=:]\s*' --type=go pkg/operator/hive/ || true
echo "---"
# Also check the hive api types for FeatureSet definitions
fd -e '.go' -x grep -l 'FeatureSets' {} \; | grep -i hive | head -10

Repository: openshift/hive

Length of output: 198


🏁 Script executed:

#!/bin/bash
# Check the actual FeatureSets map definition in hive types
rg -B 5 -A 30 'FeatureSets\s*=' ./apis/hive/v1/hiveconfig_types.go

Repository: openshift/hive

Length of output: 1357


🏁 Script executed:

#!/bin/bash
# Check context around the configmap.go usage to see impact of nil/missing map entry
cat -n ./pkg/operator/hive/configmap.go | sed -n '275,295p'

Repository: openshift/hive

Length of output: 803


🏁 Script executed:

#!/bin/bash
# Search for other switch/map uses of FeatureSet that might need OKD
rg -n 'switch.*FeatureSet|FeatureSet.*switch|case.*FeatureSet|case.*DefaultFeatureSet' --type=go

Repository: openshift/hive

Length of output: 1857


🏁 Script executed:

#!/bin/bash
# More specific search for hive FeatureSet handling
rg -n 'hivev1\.(DefaultFeatureSet|CustomFeatureSet|OKD|FeatureSet)' --type=go pkg/ apis/ | head -20

Repository: openshift/hive

Length of output: 243


🏁 Script executed:

#!/bin/bash
# Verify the FeatureSet type definition in hive types to ensure OKD is not defined there either
rg -B 2 -A 8 'type FeatureSet' ./apis/hive/v1/hiveconfig_types.go

Repository: openshift/hive

Length of output: 641


🏁 Script executed:

#!/bin/bash
# Check the kubebuilder validation constraint to confirm OKD is not in hive's enum
cat -n ./apis/hive/v1/hiveconfig_types.go | sed -n '195,215p'

Repository: openshift/hive

Length of output: 1166


🏁 Script executed:

#!/bin/bash
# Search more directly for the FeatureSet type definition with kubebuilder constraint
rg -B 3 'type FeatureSet string' ./apis/hive/v1/hiveconfig_types.go

Repository: openshift/hive

Length of output: 192


Update hive's FeatureSets map and validation enum to include OKD.

The new OKD feature set is added to AllFixedFeatureSets here, but the hive package's FeatureSet enum and FeatureSets map are missing the OKD entry. This causes a silent failure in pkg/operator/hive/configmap.go:283: when fg.FeatureSet == "OKD", the map lookup returns nil and val stays empty instead of being populated with the intended feature gates.

Add OKD to:

  • ./apis/hive/v1/hiveconfig_types.go: Update the +kubebuilder:validation:Enum constraint on FeatureSet to include OKD
  • ./apis/hive/v1/hiveconfig_types.go: Add an OKD entry to the FeatureSets map with the appropriate enabled feature gates
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/github.com/openshift/api/config/v1/types_feature.go` around lines
56 - 61, Add the OKD value to the hive API validation and mapping: update the
FeatureSet enum validation (the +kubebuilder:validation:Enum tag on the
FeatureSet type) to include "OKD", and add an "OKD" entry to the FeatureSets map
(the FeatureSets variable) mapping to the same set of enabled feature gates
intended for OKD so lookups like fg.FeatureSet == "OKD" return the populated
feature-gates slice; modify hiveconfig_types.go where FeatureSet and FeatureSets
are declared and ensure the OKD entry mirrors the correct enabled gates used by
other fixed sets.
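
The silent miss described in the comment above, as an added Go example that is not part of the PR or the hive code base. The constant values other than "OKD", the gate names, `gateList` and the `consumerGates` map are constructed stand-ins, and `missingEntries` is a hypothetical coverage check that a unit test could run whenever the vendored list of fixed feature sets grows.

```go
package main

import (
	"fmt"
	"strings"
)

// FeatureSet mirrors the string-typed feature set name shown in the hunk.
type FeatureSet string

// Only the OKD value is taken from the page; the others are assumed stand-ins.
const (
	Default              FeatureSet = ""
	TechPreviewNoUpgrade FeatureSet = "TechPreviewNoUpgrade"
	DevPreviewNoUpgrade  FeatureSet = "DevPreviewNoUpgrade"
	OKD                  FeatureSet = "OKD"
)

// allFixed stands in for the vendored AllFixedFeatureSets after the bump.
var allFixed = []FeatureSet{Default, TechPreviewNoUpgrade, DevPreviewNoUpgrade, OKD}

// gateList and consumerGates are hypothetical: a downstream map keyed by
// feature set that was written before OKD existed. Gate names are constructed.
type gateList struct{ Enabled []string }

var consumerGates = map[FeatureSet]*gateList{
	Default:              {Enabled: []string{"ExampleGateA"}},
	TechPreviewNoUpgrade: {Enabled: []string{"ExampleGateA", "ExampleGateB"}},
	DevPreviewNoUpgrade:  {Enabled: []string{"ExampleGateA", "ExampleGateB", "ExampleGateC"}},
}

// renderSilently reproduces the failure mode: a missing key yields a nil
// pointer, the nil check skips it, and the caller gets an empty string with
// no indication that the feature set was unknown.
func renderSilently(m map[FeatureSet]*gateList, set FeatureSet) string {
	val := ""
	if g := m[set]; g != nil {
		val = strings.Join(g.Enabled, ",")
	}
	return val
}

// renderChecked uses the comma-ok form so an unknown feature set is an error
// instead of an empty gate list.
func renderChecked(m map[FeatureSet]*gateList, set FeatureSet) (string, error) {
	g, ok := m[set]
	if !ok || g == nil {
		return "", fmt.Errorf("feature set %q has no entry in the consumer map", set)
	}
	return strings.Join(g.Enabled, ","), nil
}

// missingEntries reports every fixed feature set the consumer map does not
// cover. Run from a unit test, it fails the build as soon as a revendor adds
// a feature set that the downstream map has not caught up with.
func missingEntries(all []FeatureSet, m map[FeatureSet]*gateList) []FeatureSet {
	var missing []FeatureSet
	for _, set := range all {
		if g, ok := m[set]; !ok || g == nil {
			missing = append(missing, set)
		}
	}
	return missing
}

func main() {
	fmt.Printf("silent lookup for OKD: %q\n", renderSilently(consumerGates, OKD))
	if _, err := renderChecked(consumerGates, OKD); err != nil {
		fmt.Println("checked lookup:", err)
	}
	fmt.Println("sets without an entry:", missingEntries(allFixed, consumerGates))
}
```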

// default ingresscontroller domain will follow this pattern: "*.<domain>".
//
// Once set, changing domain is not currently supported.
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="domain is immutable once set"
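
Review bot: The rule on the last line, self == oldSelf, behaves differently depending on whether the stored object carries domain at all, and the doc comment above it does not say which case is intended. Because it references oldSelf it is a transition rule: it is skipped on create and on updates where no old value is found, but an empty string that is present in the stored object is an old value, so an update from "" to a real domain is rejected while an update from absent to a real domain is allowed. If the empty-to-set transition is meant to be permitted, the rule should say so explicitly, for example oldSelf == '' || self == oldSelf, and the comment should state it.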

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n apis/vendor/github.com/openshift/api/config/v1/types_ingress.go | head -100

Repository: openshift/hive

Length of output: 5813


🏁 Script executed:

rg -i "domain" apis/vendor/github.com/openshift/api/config/v1/ -A 2 -B 2 --type go

Repository: openshift/hive

Length of output: 50371


🏁 Script executed:

rg -A 5 "type IngressSpec" apis/vendor/github.com/openshift/api/config/v1/types_ingress.go

Repository: openshift/hive

Length of output: 364


🏁 Script executed:

sed -n '37,58p' apis/vendor/github.com/openshift/api/config/v1/types_ingress.go

Repository: openshift/hive

Length of output: 1111


🏁 Script executed:

find . -type f -name "*.go" -exec grep -l "Domain.*string\|IngressSpec" {} \; | head -20

Repository: openshift/hive

Length of output: 14699


🌐 Web query:

Kubernetes CEL XValidation rule oldSelf optional field transition semantics

💡 Result:

In Kubernetes CRD XValidation rules using CEL, the oldSelf variable represents the previous state of the object during updates (available since Kubernetes 1.25 via transition rules). By default, on CREATE operations, oldSelf is absent (null/undefined), so rules referencing oldSelf.field fail unless prefixed with !has(oldSelf.field) || to handle creation gracefully. This idiom checks if the field existed before (using the global has function) or applies the transition condition. The optionalOldSelf: true field (introduced in Kubernetes 1.29 with CRDValidationRatcheting feature, now stable) changes oldSelf to a CEL optional type. This enables direct access via optional-aware methods like oldSelf.hasValue, oldSelf.value, or oldSelf.optMap without has. Example without optionalOldSelf (standard approach): x-kubernetes-validations: - rule: '!has(oldSelf.replicas) || has(self.replicas)' message: 'replicas cannot be unset once set' This prevents unsetting an optional field after it's been set. With optionalOldSelf: true (cleaner syntax): x-kubernetes-validations: - rule: 'oldSelf.hasValue == self.hasValue' message: '.spec.replicas cannot be unset once set' optionalOldSelf: true Here, oldSelf is optional, so oldSelf.hasValue returns false on CREATE (no prior value), allowing the rule to pass if self matches the presence expectation. self is not optional by default; a proposed optionalSelf: true (open issue as of 2025) would make it symmetric. Rules using optional types require Kubernetes 1.29+ (CEL Optional Values feature). This semantics enables precise transition validation (immutability, monotonic increases, state machines) while supporting CREATE/UPDATE uniformly.


🏁 Script executed:

rg "spec.domain\|\.Domain\s*=" apis/ --type go -B 2 -A 2 | head -100

Repository: openshift/hive

Length of output: 40


🏁 Script executed:

rg "Ingress\{" apis/ --type go | head -20

Repository: openshift/hive

Length of output: 551


🌐 Web query:

Kubernetes CEL validation rule !has(oldSelf) pattern syntax examples

💡 Result:

The Kubernetes CEL validation rule pattern !has(oldSelf) (or more precisely !has(oldSelf.field)) is used in Custom Resource Definition (CRD) validation rules under x-kubernetes-validations to handle CREATE operations gracefully while enforcing constraints on UPDATE operations. oldSelf represents the previous state of the resource (absent on CREATE). The has macro checks field existence. !has(oldSelf.field) returns true on CREATE (when the field didn't exist before) or if the old field was absent, allowing the rule to pass during creation while validating transitions on updates. Common pattern syntax: - !has(oldSelf.field) || self.field >= oldSelf.field (prevent decreasing a value) - !has(oldSelf.field) || self.field == oldSelf.field (immutable field) - !has(oldSelf) || self.field == oldSelf.field (whole object or top-level checks) Examples from authoritative sources: 1. Storage size cannot decrease: - rule: "!has(oldSelf.storageGB) || self.storageGB >= oldSelf.storageGB" message: "Storage size cannot be decreased" 2. Engine cannot change after creation: - rule: "!has(oldSelf.engine) || self.engine == oldSelf.engine" message: "Database engine cannot be changed after creation" 3. Immutable field: - rule: "!has(oldSelf) || self.immutableField == oldSelf.immutableField" message: "immutableField cannot be changed after creation" 4. Prevent unsetting replicas: - rule: "!has(oldSelf.replicas) || has(self.replicas)" message: "replicas can't be unset" 5. State transition (multi-line): - rule: | !has(oldSelf.state) || oldSelf.state != 'draft' || self.state in ['draft', 'pending'] message: "From draft state, can only transition to pending" This pattern is standard in Kubernetes CRD CEL validation (available since ~1.23+). Official docs confirm self/oldSelf variables and has usage but show general examples; practical patterns appear in tutorials and GitHub issues matching official behavior.


🌐 Web query:

OpenShift Ingress config domain field required at creation time initialization

💡 Result:

No, the domain field in the OpenShift Ingress configuration (config.openshift.io/v1, cluster Ingress resource) is not strictly required at creation time. Official documentation states it as a string field without "required" designation, and multiple sources explicitly note: "If empty, the default value is ingress.config.openshift.io/cluster.spec.domain". This indicates the API accepts creation without it, likely defaulting during cluster installation from install-config.yaml. However, it must be set before Ingress Controllers or Routes rely on it, and cannot be changed after initial use. For IngressController resources (operator.openshift.io/v1), the spec.domain is also optional, explicitly defaulting to the cluster Ingress domain if empty.


Fix the CEL validation rule to allow initial domain population while maintaining immutability afterward.

The current rule self == oldSelf will reject attempts to populate an initially empty domain field because it treats any change as invalid. However, OpenShift documentation confirms the domain field can be empty at creation and is populated during cluster initialization. The rule should allow the field to transition from empty to a value, then become immutable. Use the proper CEL pattern: !has(oldSelf) || self == oldSelf to skip validation on CREATE (when oldSelf is undefined) while enforcing immutability on UPDATE. This aligns with the comment's intent ("Once set, changing domain is not currently supported") by allowing the initial SET while preventing subsequent changes.

Suggested adjustment
- // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="domain is immutable once set"
+ // +kubebuilder:validation:XValidation:rule="!has(oldSelf) || self == oldSelf",message="domain is immutable once set"
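
Review bot: The replacement rule on the + line calls has(oldSelf), but the CEL has() macro takes a field selection such as has(oldSelf.domain), not a bare variable, so this expression is rejected when the rule is compiled. Rules that reference oldSelf are already skipped on create, so no guard is needed for that case; if the goal is to allow a stored empty string to be replaced, compare against the value instead, for example oldSelf == '' || self == oldSelf.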
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="domain is immutable once set"
// +kubebuilder:validation:XValidation:rule="!has(oldSelf) || self == oldSelf",message="domain is immutable once set"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/github.com/openshift/api/config/v1/types_ingress.go` at line 46,
Replace the CEL XValidation rule on the domain field so it allows initial
population but enforces immutability thereafter; specifically update the
kubebuilder validation tag (the line with
"+kubebuilder:validation:XValidation:rule="self == oldSelf"") to use the pattern
"!has(oldSelf) || self == oldSelf" so CREATE (when oldSelf is absent) is
permitted and UPDATE requires equality to oldSelf.

"policy": "DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. policy is a reference to a ConfigMap containing scheduler policy which has user specified predicates and priorities. If this ConfigMap is not available scheduler will default to use DefaultAlgorithmProvider. The namespace for this configmap is openshift-config.",
"profile": "profile sets which scheduling profile should be set in order to configure scheduling decisions for new pods.\n\nValid values are \"LowNodeUtilization\", \"HighNodeUtilization\", \"NoScoring\" Defaults to \"LowNodeUtilization\"",
"profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles.",
"profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. Deprecated: no longer needed, since DRA is GA starting with 4.21, and is enabled by' default in the cluster, this field will be removed in 4.24.",

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix typo in scheduler deprecation doc string.

Line 2933 contains enabled by' default; this should be enabled by default to keep generated API docs clean and unambiguous.

✏️ Proposed fix
-	"profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. Deprecated: no longer needed, since DRA is GA starting with 4.21, and is enabled by' default in the cluster, this field will be removed in 4.24.",
+	"profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. Deprecated: no longer needed, since DRA is GA starting with 4.21, and is enabled by default in the cluster, this field will be removed in 4.24.",
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. Deprecated: no longer needed, since DRA is GA starting with 4.21, and is enabled by' default in the cluster, this field will be removed in 4.24.",
"profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. Deprecated: no longer needed, since DRA is GA starting with 4.21, and is enabled by default in the cluster, this field will be removed in 4.24.",
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@apis/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go`
at line 2933, The docstring for the "profileCustomizations" swagger entry
contains a stray apostrophe in "enabled by' default"; open
zz_generated.swagger_doc_generated.go and update the string value for
"profileCustomizations" to read "enabled by default" (remove the extra
apostrophe), then regenerate or re-run the swagger/code generation that produced
zz_generated.swagger_doc_generated.go so the change persists in generated
artifacts.

Subsequent bump of openshift/api in apis/ to
v0.0.0-20260318185450-1f2fa3f09f4e to reflect the version in repo level
go.mod
@suhanime
Contributor Author

/hold

Need to bump the image on CI for the tests to succeed

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 30, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

♻️ Duplicate comments (1)
apis/vendor/github.com/openshift/api/config/v1/types_cluster_version.go (1)

895-903: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Keep the conditions docs aligned with the schema.

The comment still says this list “must not contain more than one entry”, but the validation allows 1–8 unique conditions as long as one is Applies.

Suggested doc fix
-	// conditions must not contain more than one entry.
+	// conditions must contain between 1 and 8 entries and include a condition of type Applies.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/github.com/openshift/api/config/v1/types_cluster_version.go`
around lines 895 - 903, Update the doc comment for the conditions field to match
the validation rules: remove the incorrect phrase "must not contain more than
one entry" and state that conditions must contain between 1 and 8 unique entries
and must include a condition of type 'Applies' (reflecting the
+kubebuilder:validation:MinItems=1, +kubebuilder:validation:MaxItems=8 and the
XValidation rule). Edit the comment above the conditions definition in
types_cluster_version.go to mention uniqueness of types and the required
'Applies' condition so docs align with the schema.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apis/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go`:
- Around line 118-125: Restore the commented-out HostPlacement field in
AWSMachineProviderConfig (re-add the HostPlacement *HostPlacement
`json:"hostPlacement,omitempty"` field and keep its
+openshift:enable:FeatureGate=AWSDedicatedHosts and +optional markers) and mark
it as deprecated in the comment so the v1beta1 schema continues to accept the
old JSON name; then update the v1beta1 <-> internal conversion logic for
AWSMachineProviderConfig (the ConvertTo/ConvertFrom implementations or the
generated conversion functions for AWSMachineProviderConfig) to map
HostPlacement <-> Placement.Host (read HostPlacement into Placement.Host during
ConvertFrom and write Placement.Host back to HostPlacement during ConvertTo) so
existing manifests round-trip intact.

In `@apis/vendor/github.com/openshift/api/operator/v1/types_network.go`:
- Around line 401-403: Add FeatureGateAwareXValidation rules to explicitly
forbid bgpManagedConfig unless we are in NoOverlay managed mode: update the
validation annotations around the existing rules that reference transport,
noOverlayConfig and noOverlayConfig.routing to include a rule that errors when
has(self.bgpManagedConfig) is true while either self.?transport.orValue('') !=
'NoOverlay' or self.?noOverlayConfig.routing.orValue('') != 'Managed'; ensure
the message matches the field docs (e.g., "bgpManagedConfig is forbidden unless
transport is NoOverlay and noOverlayConfig.routing is Managed") so
bgpManagedConfig is rejected outside the managed no-overlay case.
- Around line 476-489: The field-level immutability validation on Transport
(Transport TransportOption `json:"transport,omitempty"`) currently enforces
"self == oldSelf" unconditionally, preventing an omission→"Geneve" update;
change the validation to allow the documented exception by replacing the strict
equality rule with a conditional that permits the transition when oldSelf is
empty and new self == "Geneve" (i.e., allow self == oldSelf OR (oldSelf == ""
AND self == "Geneve")), or remove this field-level FeatureGateAwareXValidation
tag and rely on the struct-level validation that already implements the allowed
unset→"Geneve" transition. Ensure the message and FeatureGate=NoOverlayMode
metadata remain consistent.

In `@apis/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go`:
- Around line 41-48: The current priorityUpdateBuf struct holds only a single
global slot (streamID + priority), which causes lost PRIORITY_UPDATEs when
multiple unopened streams get updates; change the buffering to track the most
recent PriorityParam per stream by replacing priorityUpdateBuf with a
map[uint32]PriorityParam (e.g., priorityUpdateBuf map[streamID]PriorityParam)
and update all code that reads/writes it: store incoming PRIORITY_UPDATEs keyed
by their stream ID, look up and consume the entry when OpenStream() (or the
method that applies buffered priority on stream creation) is called, and delete
the map entry after applying; ensure any code that previously checked
streamID==0 is adapted to check map presence.

---

Duplicate comments:
In `@apis/vendor/github.com/openshift/api/config/v1/types_cluster_version.go`:
- Around line 895-903: Update the doc comment for the conditions field to match
the validation rules: remove the incorrect phrase "must not contain more than
one entry" and state that conditions must contain between 1 and 8 unique entries
and must include a condition of type 'Applies' (reflecting the
+kubebuilder:validation:MinItems=1, +kubebuilder:validation:MaxItems=8 and the
XValidation rule). Edit the comment above the conditions definition in
types_cluster_version.go to mention uniqueness of types and the required
'Applies' condition so docs align with the schema.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8f1d6f06-72de-4b67-a824-c36458f1d4e6

📥 Commits

Reviewing files that changed from the base of the PR and between 87fc8ac and 579efbf.

⛔ Files ignored due to path filters (18)
  • apis/go.sum is excluded by !**/*.sum
  • apis/vendor/k8s.io/api/authorization/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/authorization/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/core/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/core/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/rbac/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/api/rbac/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go is excluded by !**/*.pb.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (238)
  • .tekton/hive-mce-210-pull-request.yaml
  • .tekton/hive-mce-210-push.yaml
  • .tekton/hive-mce-211-pull-request.yaml
  • .tekton/hive-mce-211-push.yaml
  • .tekton/hive-mce-217-pull-request.yaml
  • .tekton/hive-mce-217-push.yaml
  • .tekton/hive-mce-26-pull-request.yaml
  • .tekton/hive-mce-26-push.yaml
  • .tekton/hive-mce-27-pull-request.yaml
  • .tekton/hive-mce-27-push.yaml
  • .tekton/hive-mce-28-pull-request.yaml
  • .tekton/hive-mce-28-push.yaml
  • .tekton/hive-mce-29-pull-request.yaml
  • .tekton/hive-mce-29-push.yaml
  • .tekton/hive-mce-50-pull-request.yaml
  • .tekton/hive-mce-50-push.yaml
  • .tekton/hive-mce-51-pull-request.yaml
  • .tekton/hive-mce-51-push.yaml
  • .tekton/hive-pull-request.yaml
  • .tekton/hive-push.yaml
  • Dockerfile
  • Makefile
  • apis/go.mod
  • apis/vendor/github.com/gogo/protobuf/AUTHORS
  • apis/vendor/github.com/gogo/protobuf/CONTRIBUTORS
  • apis/vendor/github.com/gogo/protobuf/LICENSE
  • apis/vendor/github.com/gogo/protobuf/proto/Makefile
  • apis/vendor/github.com/gogo/protobuf/proto/clone.go
  • apis/vendor/github.com/gogo/protobuf/proto/custom_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/decode.go
  • apis/vendor/github.com/gogo/protobuf/proto/deprecated.go
  • apis/vendor/github.com/gogo/protobuf/proto/discard.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/equal.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/message_set.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/skip_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_marshal.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_merge.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/text.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_parser.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go
  • apis/vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go
  • apis/vendor/github.com/openshift/api/config/v1/types_apiserver.go
  • apis/vendor/github.com/openshift/api/config/v1/types_authentication.go
  • apis/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
  • apis/vendor/github.com/openshift/api/config/v1/types_cluster_version.go
  • apis/vendor/github.com/openshift/api/config/v1/types_feature.go
  • apis/vendor/github.com/openshift/api/config/v1/types_image_policy.go
  • apis/vendor/github.com/openshift/api/config/v1/types_infrastructure.go
  • apis/vendor/github.com/openshift/api/config/v1/types_ingress.go
  • apis/vendor/github.com/openshift/api/config/v1/types_insights.go
  • apis/vendor/github.com/openshift/api/config/v1/types_network.go
  • apis/vendor/github.com/openshift/api/config/v1/types_scheduling.go
  • apis/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
  • apis/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go
  • apis/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go
  • apis/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
  • apis/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
  • apis/vendor/github.com/openshift/api/operator/v1/types_console.go
  • apis/vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go
  • apis/vendor/github.com/openshift/api/operator/v1/types_network.go
  • apis/vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go
  • apis/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go
  • apis/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go
  • apis/vendor/golang.org/x/text/secure/bidirule/bidirule.go
  • apis/vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go
  • apis/vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go
  • apis/vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go
  • apis/vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go
  • apis/vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go
  • apis/vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go
  • apis/vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go
  • apis/vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go
  • apis/vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go
  • apis/vendor/golang.org/x/text/unicode/norm/forminfo.go
  • apis/vendor/golang.org/x/text/unicode/norm/tables10.0.0.go
  • apis/vendor/golang.org/x/text/unicode/norm/tables11.0.0.go
  • apis/vendor/golang.org/x/text/unicode/norm/tables12.0.0.go
  • apis/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go
  • apis/vendor/golang.org/x/text/unicode/norm/tables15.0.0.go
  • apis/vendor/golang.org/x/text/unicode/norm/tables17.0.0.go
  • apis/vendor/golang.org/x/text/unicode/norm/tables9.0.0.go
  • apis/vendor/k8s.io/api/authorization/v1/doc.go
  • apis/vendor/k8s.io/api/authorization/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/api/core/v1/doc.go
  • apis/vendor/k8s.io/api/core/v1/generated.proto
  • apis/vendor/k8s.io/api/core/v1/toleration.go
  • apis/vendor/k8s.io/api/core/v1/types.go
  • apis/vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go
  • apis/vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go
  • apis/vendor/k8s.io/api/core/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/api/rbac/v1/doc.go
  • apis/vendor/k8s.io/api/rbac/v1/generated.proto
  • apis/vendor/k8s.io/api/rbac/v1/types.go
  • apis/vendor/k8s.io/api/rbac/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/resource/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/constraints/constraints.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/decimal_int.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/dns.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/errors.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/identifier.go
  • apis/vendor/k8s.io/apimachinery/pkg/api/validate/content/kube.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
  • apis/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/labels/selector.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/doc.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/scheme.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go
  • apis/vendor/k8s.io/apimachinery/pkg/runtime/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/intstr/zz_generated.model_name.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/sets/set.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/validation/field/error_matcher.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go
  • apis/vendor/k8s.io/apimachinery/pkg/util/validation/validation.go
  • apis/vendor/k8s.io/kube-openapi/LICENSE
  • apis/vendor/k8s.io/kube-openapi/pkg/util/trie.go
  • apis/vendor/k8s.io/kube-openapi/pkg/util/util.go
  • apis/vendor/modules.txt
  • go.mod
  • hack/ubi-build-deps.sh
  • pkg/azureclient/mock/client_generated.go
  • test/ote/go.mod
  • vendor/github.com/AlecAivazis/survey/v2/README.md
  • vendor/github.com/AlecAivazis/survey/v2/confirm.go
  • vendor/github.com/AlecAivazis/survey/v2/core/template.go
  • vendor/github.com/AlecAivazis/survey/v2/core/write.go
  • vendor/github.com/AlecAivazis/survey/v2/input.go
  • vendor/github.com/AlecAivazis/survey/v2/multiselect.go
  • vendor/github.com/AlecAivazis/survey/v2/password.go
  • vendor/github.com/AlecAivazis/survey/v2/renderer.go
  • vendor/github.com/AlecAivazis/survey/v2/select.go
  • vendor/github.com/AlecAivazis/survey/v2/survey.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/display_posix.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/error.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/output.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_bsd.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_linux.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_posix.go
  • vendor/github.com/AlecAivazis/survey/v2/terminal/runereader_ppc64le.go
  • vendor/github.com/AlecAivazis/survey/v2/transform.go
  • vendor/github.com/AlecAivazis/survey/v2/validate.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/CHANGELOG.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/LICENSE.txt
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/README.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/assets.json
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/autorest.md
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/build.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/ci.yml
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/client_factory.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/constants.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/federatedidentitycredentials_client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models_serde.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/operations_client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/options.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/responses.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/systemassignedidentities_client.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/time_rfc3339.go
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/userassignedidentities_client.go
  • vendor/github.com/Azure/go-autorest/autorest/date/go_mod_tidy_hack.go
  • vendor/github.com/Azure/go-autorest/logger/go_mod_tidy_hack.go
  • vendor/github.com/Azure/go-autorest/logger/logger.go
  • vendor/github.com/Azure/go-autorest/tracing/go_mod_tidy_hack.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/client.go
  • vendor/github.com/aws/aws-sdk-go-v2/aws/transport/http/timeout_read_closer.go
  • vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/config/resolve_credentials.go
  • vendor/github.com/aws/aws-sdk-go-v2/config/shared_config.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/dpop.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/file.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/provider.go
  • vendor/github.com/aws/aws-sdk-go-v2/credentials/logincreds/token.go
  • vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/ini/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/ini/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/internal/v4a/go_module_metadata.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/CHANGELOG.md
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/LICENSE.txt
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_client.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_AssociateAlias.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CopyDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCachePolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateCloudFrontOriginAccessIdentity.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateContinuousDeploymentPolicy.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistribution.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateDistributionWithTags.go
  • vendor/github.com/aws/aws-sdk-go-v2/service/cloudfront/api_op_CreateFieldLevelEncryptionConfig.go
💤 Files with no reviewable changes (41)
  • apis/vendor/github.com/gogo/protobuf/CONTRIBUTORS
  • apis/vendor/github.com/gogo/protobuf/proto/custom_gogo.go
  • apis/vendor/github.com/openshift/api/machine/v1/zz_generated.featuregated-crd-manifests.yaml
  • apis/vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/Makefile
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_reflect.go
  • apis/vendor/github.com/gogo/protobuf/proto/equal.go
  • apis/vendor/github.com/gogo/protobuf/proto/skip_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/deprecated.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration.go
  • apis/vendor/github.com/gogo/protobuf/proto/message_set.go
  • apis/vendor/github.com/gogo/protobuf/proto/clone.go
  • apis/vendor/github.com/gogo/protobuf/proto/discard.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties.go
  • apis/vendor/github.com/gogo/protobuf/proto/text.go
  • apis/vendor/github.com/gogo/protobuf/LICENSE
  • apis/vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib.go
  • apis/vendor/github.com/gogo/protobuf/proto/encode.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers.go
  • apis/vendor/github.com/gogo/protobuf/proto/extensions_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/properties_gogo.go
  • apis/vendor/github.com/gogo/protobuf/AUTHORS
  • apis/vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go
  • apis/vendor/github.com/gogo/protobuf/proto/duration_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_merge.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal.go
  • apis/vendor/github.com/gogo/protobuf/proto/lib_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/text_parser.go
  • apis/vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go
  • apis/vendor/github.com/gogo/protobuf/proto/decode.go
  • apis/vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go
✅ Files skipped from review due to trivial changes (20)
  • apis/vendor/k8s.io/api/core/v1/doc.go
  • .tekton/hive-push.yaml
  • apis/vendor/github.com/openshift/api/config/v1/types_insights.go
  • .tekton/hive-mce-217-push.yaml
  • apis/vendor/k8s.io/api/authorization/v1/doc.go
  • .tekton/hive-mce-211-pull-request.yaml
  • apis/vendor/github.com/openshift/api/config/v1/types_scheduling.go
  • apis/vendor/golang.org/x/text/secure/bidirule/bidirule.go
  • .tekton/hive-mce-27-push.yaml
  • .tekton/hive-pull-request.yaml
  • apis/vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go
  • .tekton/hive-mce-26-push.yaml
  • Dockerfile
  • apis/vendor/k8s.io/api/authorization/v1/zz_generated.model_name.go
  • apis/vendor/github.com/openshift/api/config/v1/types_authentication.go
  • .tekton/hive-mce-29-pull-request.yaml
  • .tekton/hive-mce-51-push.yaml
  • .tekton/hive-mce-28-pull-request.yaml
  • .tekton/hive-mce-210-pull-request.yaml
  • .tekton/hive-mce-50-pull-request.yaml
🚧 Files skipped from review as they are similar to previous changes (18)
  • .tekton/hive-mce-28-push.yaml
  • .tekton/hive-mce-50-push.yaml
  • .tekton/hive-mce-26-pull-request.yaml
  • .tekton/hive-mce-51-pull-request.yaml
  • .tekton/hive-mce-211-push.yaml
  • apis/vendor/github.com/openshift/api/config/v1/types_image_policy.go
  • apis/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go
  • apis/vendor/github.com/openshift/api/config/v1/types_ingress.go
  • .tekton/hive-mce-29-push.yaml
  • .tekton/hive-mce-217-pull-request.yaml
  • apis/vendor/github.com/openshift/api/machine/v1/types_controlplanemachineset.go
  • .tekton/hive-mce-210-push.yaml
  • apis/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml
  • .tekton/hive-mce-27-pull-request.yaml
  • apis/vendor/github.com/openshift/api/config/v1/types_network.go
  • apis/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml
  • Makefile
  • apis/vendor/github.com/openshift/api/machine/v1beta1/types_machine.go

Comment on lines +118 to +125
// Tombstone: This field was moved into the Placement struct to belong w/ the Tenancy field due to involvement with the setting.
// hostPlacement configures placement on AWS Dedicated Hosts. This allows admins to assign instances to specific host
// for a variety of needs including for regulatory compliance, to leverage existing per-socket or per-core software licenses (BYOL),
// and to gain visibility and control over instance placement on a physical server.
// When omitted, the instance is not constrained to a dedicated host.
// +openshift:enable:FeatureGate=AWSDedicatedHosts
// +optional
HostPlacement *HostPlacement `json:"hostPlacement,omitempty"`
//HostPlacement *HostPlacement `json:"hostPlacement,omitempty"`

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Preserve hostPlacement compatibility in v1beta1.

Commenting this field out removes it from the served schema entirely. Existing AWSMachineProviderConfig manifests/objects that still use hostPlacement will stop round-tripping in the same compatibility-level-2 API and can be silently pruned on write. Please keep the old JSON field as a deprecated/read-compatible alias, or add an explicit versioned conversion path before removing it in favor of placement.host.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go`
around lines 118 - 125, Restore the commented-out HostPlacement field in
AWSMachineProviderConfig (re-add the HostPlacement *HostPlacement
`json:"hostPlacement,omitempty"` field and keep its
+openshift:enable:FeatureGate=AWSDedicatedHosts and +optional markers) and mark
it as deprecated in the comment so the v1beta1 schema continues to accept the
old JSON name; then update the v1beta1 <-> internal conversion logic for
AWSMachineProviderConfig (the ConvertTo/ConvertFrom implementations or the
generated conversion functions for AWSMachineProviderConfig) to map
HostPlacement <-> Placement.Host (read HostPlacement into Placement.Host during
ConvertFrom and write Placement.Host back to HostPlacement during ConvertTo) so
existing manifests round-trip intact.

Comment on lines +401 to +403
// +openshift:validation:FeatureGateAwareXValidation:featureGate=NoOverlayMode,rule="self.?transport.orValue('') == 'NoOverlay' ? self.?routeAdvertisements.orValue('') == 'Enabled' : true",message="routeAdvertisements must be Enabled when transport is NoOverlay"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=NoOverlayMode,rule="self.?transport.orValue('') == 'NoOverlay' ? has(self.noOverlayConfig) : !has(self.noOverlayConfig)",message="noOverlayConfig must be set if transport is NoOverlay, and is forbidden otherwise"
// +openshift:validation:FeatureGateAwareXValidation:featureGate=NoOverlayMode,rule="self.?noOverlayConfig.routing.orValue('') == 'Managed' ? has(self.bgpManagedConfig) : true",message="bgpManagedConfig is required when noOverlayConfig.routing is Managed"

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Reject bgpManagedConfig outside managed no-overlay mode.

The new rule only makes bgpManagedConfig required when noOverlayConfig.routing == "Managed", but it never forbids the inverse. As written, the API still accepts bgpManagedConfig when transport="Geneve" or routing="Unmanaged", which contradicts the field docs and leaves an unsupported config shape valid.

Also applies to: 499-506

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/github.com/openshift/api/operator/v1/types_network.go` around
lines 401 - 403, Add FeatureGateAwareXValidation rules to explicitly forbid
bgpManagedConfig unless we are in NoOverlay managed mode: update the validation
annotations around the existing rules that reference transport, noOverlayConfig
and noOverlayConfig.routing to include a rule that errors when
has(self.bgpManagedConfig) is true while either self.?transport.orValue('') !=
'NoOverlay' or self.?noOverlayConfig.routing.orValue('') != 'Managed'; ensure
the message matches the field docs (e.g., "bgpManagedConfig is forbidden unless
transport is NoOverlay and noOverlayConfig.routing is Managed") so
bgpManagedConfig is rejected outside the managed no-overlay case.

Comment on lines +476 to +489
// transport sets the transport mode for pods on the default network.
// Allowed values are "NoOverlay" and "Geneve".
// "NoOverlay" avoids tunnel encapsulation, routing pod traffic directly between nodes.
// "Geneve" encapsulates pod traffic using Geneve tunnels between nodes.
// When omitted, this means the user has no opinion and the platform chooses
// a reasonable default which is subject to change over time.
// The current default is "Geneve".
// "NoOverlay" can only be set at installation time and cannot be changed afterwards.
// "Geneve" may be set explicitly at any time to lock in the current default.
// +openshift:enable:FeatureGate=NoOverlayMode
// +kubebuilder:validation:Enum=NoOverlay;Geneve
// +openshift:validation:FeatureGateAwareXValidation:featureGate=NoOverlayMode,rule="self == oldSelf",message="transport is immutable once set"
// +optional
Transport TransportOption `json:"transport,omitempty"`

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Allow the documented unset → Geneve transition.

Line 487 makes transport fully immutable, so an update from an omitted value to "Geneve" still fails even though the comment here and the struct-level rule at Line 404 explicitly allow that day-2 path. That blocks the documented “lock in the current default” flow on existing clusters. Either relax this field-level transition rule or move the exception entirely into the struct-level validation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/github.com/openshift/api/operator/v1/types_network.go` around
lines 476 - 489, The field-level immutability validation on Transport (Transport
TransportOption `json:"transport,omitempty"`) currently enforces "self ==
oldSelf" unconditionally, preventing an omission→"Geneve" update; change the
validation to allow the documented exception by replacing the strict equality
rule with a conditional that permits the transition when oldSelf is empty and
new self == "Geneve" (i.e., allow self == oldSelf OR (oldSelf == "" AND self ==
"Geneve")), or remove this field-level FeatureGateAwareXValidation tag and rely
on the struct-level validation that already implements the allowed
unset→"Geneve" transition. Ensure the message and FeatureGate=NoOverlayMode
metadata remain consistent.

Comment on lines +41 to +48
// priorityUpdateBuf is used to buffer the most recent PRIORITY_UPDATE we
// receive per https://www.rfc-editor.org/rfc/rfc9218.html#name-the-priority_update-frame.
priorityUpdateBuf struct {
// streamID being 0 means that the buffer is empty. This is a safe
// assumption as PRIORITY_UPDATE for stream 0 is a PROTOCOL_ERROR.
streamID uint32
priority PriorityParam
}

@coderabbitai coderabbitai Bot Apr 30, 2026

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In RFC 9218 for HTTP/2, can multiple unopened request streams receive PRIORITY_UPDATE frames before they are opened, and should an implementation retain the most recent priority update per stream rather than in a single global buffer?

💡 Result:

Yes, in RFC 9218 for HTTP/2, multiple unopened (idle) request streams can receive PRIORITY_UPDATE frames before they are opened. Clients MAY send PRIORITY_UPDATE frames before the referenced stream is open, and servers are permitted to receive and process them for idle streams (with concurrency limits). Servers SHOULD buffer the most recently received PRIORITY_UPDATE frame per such stream and apply it once the stream opens, rather than using a single global buffer. This applies the latest priority signal, overriding prior ones including the Priority header, while bounding resource use by storing only the most recent per stream.

Citations:


🏁 Script executed:

cat -n apis/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go | head -120

Repository: openshift/hive

Length of output: 4356


🏁 Script executed:

cat -n apis/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go | sed -n '107,115p'

Repository: openshift/hive

Length of output: 454


Buffer unopened PRIORITY_UPDATEs per stream, not in a single global slot.

This drops updates when two unopened streams receive PRIORITY_UPDATE before OpenStream(): the later update overwrites the earlier one, so the first stream opens with the wrong priority. RFC 9218 requires servers to buffer the most recent PRIORITY_UPDATE per stream, not in a single global buffer.

Suggested fix
 type priorityWriteSchedulerRFC9218 struct {
 	// control contains control frames (SETTINGS, PING, etc.).
 	control writeQueue
@@
-	// priorityUpdateBuf is used to buffer the most recent PRIORITY_UPDATE we
-	// receive per https://www.rfc-editor.org/rfc/rfc9218.html#name-the-priority_update-frame.
-	priorityUpdateBuf struct {
-		// streamID being 0 means that the buffer is empty. This is a safe
-		// assumption as PRIORITY_UPDATE for stream 0 is a PROTOCOL_ERROR.
-		streamID uint32
-		priority PriorityParam
-	}
+	// priorityUpdateBuf stores the most recent PRIORITY_UPDATE for each
+	// stream that has not been opened yet.
+	priorityUpdateBuf map[uint32]PriorityParam
 }
@@
 func newPriorityWriteSchedulerRFC9218() WriteScheduler {
 	ws := &priorityWriteSchedulerRFC9218{
-		streams: make(map[uint32]streamMetadata),
+		streams:           make(map[uint32]streamMetadata),
+		priorityUpdateBuf: make(map[uint32]PriorityParam),
 	}
 	return ws
 }
@@
-	if streamID == ws.priorityUpdateBuf.streamID {
-		ws.priorityUpdateBuf.streamID = 0
-		opt.priority = ws.priorityUpdateBuf.priority
+	if priority, ok := ws.priorityUpdateBuf[streamID]; ok {
+		delete(ws.priorityUpdateBuf, streamID)
+		opt.priority = priority
 	}
@@
 	if q == nil {
-		ws.priorityUpdateBuf.streamID = streamID
-		ws.priorityUpdateBuf.priority = priority
+		ws.priorityUpdateBuf[streamID] = priority
 		return
 	}
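Review bot: the map write in the `if q == nil` branch has no upper bound, so a peer that sends PRIORITY_UPDATE frames for many stream IDs that never open can grow `priorityUpdateBuf` without limit, whereas the struct being removed was constant-size. Cap the number of buffered entries (for example at the concurrent-stream limit), decide whether to drop or evict once the cap is reached, and delete entries for streams that are refused or closed without ever reaching `OpenStream()`.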

Also applies to: 62-65, 111-112

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apis/vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go` around
lines 41 - 48, The current priorityUpdateBuf struct holds only a single global
slot (streamID + priority), which causes lost PRIORITY_UPDATEs when multiple
unopened streams get updates; change the buffering to track the most recent
PriorityParam per stream by replacing priorityUpdateBuf with a
map[uint32]PriorityParam (e.g., priorityUpdateBuf map[streamID]PriorityParam)
and update all code that reads/writes it: store incoming PRIORITY_UPDATEs keyed
by their stream ID, look up and consume the entry when OpenStream() (or the
method that applies buffered priority on stream creation) is called, and delete
the map entry after applying; ensure any code that previously checked
streamID==0 is adapted to check map presence.

Contributor Author

We do not make changes to the files that are vendored in (as that can be very hard to maintain), instead, if needed, we bump the dependency. With that in mind, are any of these suggestions important enough to need a fix/bump?

@suhanime, that's a fair and practical policy — modifying vendored files creates maintenance burden. Let me assess the actual impact here.

Short answer: No, this is not important enough to require a version bump at this time.

Here's the reasoning:

  1. Low practical impact for Hive: The RFC 9218 priority write scheduler is a new, non-default feature. HTTP/2 server priority signal support (RFC 9218) is brand-new as of Go 1.27, and the old round-robin behavior is still available if preferred. Unless the RFC 9218 scheduler is explicitly configured, this code path won't be exercised at all.

  2. Best-effort optimization, not a correctness issue: The single-slot buffer only matters when two different unopened streams both receive PRIORITY_UPDATE frames before OpenStream() is called for either of them — a narrow race. Even if a priority update is "lost," the stream simply gets its default priority; no data is corrupted and no requests fail.

  3. Upstream is still evolving: The RFC 9218 write scheduler was just introduced to x/net/http2 as part of an effort to move away from the buggy, deprecated RFC 7540 priority scheduler. The upstream proposal (#75500) is still in its final comment period, meaning the implementation is expected to continue evolving. A version bump for this specific issue alone would likely be premature.

  4. Hive's workload: Hive manages OpenShift cluster lifecycle via Kubernetes API calls — not a high-throughput media/streaming server where fine-grained HTTP/2 priority tuning makes a meaningful difference.

I'll withdraw this as a blocking concern. It could be a good candidate for a future follow-up if Hive ever adopts the RFC 9218 scheduler explicitly.
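
The single-slot versus per-stream buffering discussed in this thread, as an added model that is not part of the PR or of `x/net/http2`. `singleSlot`, `perStream`, `replay` and the `maxPending` cap are hypothetical names and assumptions, and a priority is reduced to its urgency value.

```go
package main

import "fmt"

const defaultUrgency uint8 = 3 // RFC 9218 default urgency
const maxPending = 2           // assumed cap on buffered entries (not on the page)

// singleSlot models the one-entry buffer: a later update overwrites an earlier one.
type singleSlot struct {
	id uint32
	u  uint8
}
func (b *singleSlot) update(id uint32, u uint8) { b.id, b.u = id, u }
func (b *singleSlot) open(id uint32) uint8 {
	if id != b.id {
		return defaultUrgency // no buffered update for this stream
	}
	b.id = 0
	return b.u
}

// perStream models the map-keyed buffer, with the assumed cap added.
type perStream map[uint32]uint8
func (b perStream) update(id uint32, u uint8) {
	if _, ok := b[id]; ok || len(b) < maxPending {
		b[id] = u // at the cap, updates for new stream IDs are dropped
	}
}
func (b perStream) open(id uint32) uint8 {
	u, ok := b[id]
	if !ok {
		return defaultUrgency
	}
	delete(b, id)
	return u
}

// replay buffers updates for streams 1 and 3, then opens both (constructed sequence).
func replay(update func(uint32, uint8), open func(uint32) uint8) (uint8, uint8) {
	update(1, 0)
	update(3, 7)
	return open(1), open(3)
}

func main() {
	s, m := &singleSlot{}, perStream{}
	fmt.Println(replay(s.update, s.open)) // stream 1 falls back to the default
	fmt.Println(replay(m.update, m.open)) // both updates survive
}
```

With the single slot, stream 1 opens at the default urgency because the update for stream 3 replaced its entry; the capped map keeps both while bounding how many unopened stream IDs a peer can park.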


Member

we should beef up our coderabbit rules to ignore apis/vendor.

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

@suhanime
Contributor Author

suhanime commented May 4, 2026

/retest

@red-hat-konflux
Contributor

Caution

There are some errors in your PipelineRun template.

PipelineRun Error
hive-mce-210-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-211-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-217-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-26-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-27-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-28-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-29-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-50-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-mce-51-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request
hive-on-pull-request CEL expression evaluation error: expression "event == \"pull_request\" && !body.pull_request.draft && target_branch == \"master\" && !files.all.all(x, x.matches('^docs/|\\\\.md$|^(?:.*/)?(?:\\\\.gitignore|OWNERS|PROJECT|LICENSE)$'))" failed to evaluate: no such key: pull_request

Installer has now bumped govmomi to 0.53, however machine-api-operator
needs 0.52.0 or lower to work since 0.53.0 has a breaking change.

This commit includes the related vendor changes, as well as the errant
config and hack directory changes that were picked up by running a make
update

@codecov

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.38%. Comparing base (52fd62d) to head (ae18a9b).
⚠️ Report is 2 commits behind head on master.

@@            Coverage Diff             @@
##           master    #2901      +/-   ##
==========================================
- Coverage   50.42%   50.38%   -0.05%     
==========================================
  Files         281      281              
  Lines       34345    34375      +30     
==========================================
  Hits        17320    17320              
- Misses      15673    15703      +30     
  Partials     1352     1352              
| Files with missing lines | Coverage Δ |
|---|---|
| cmd/manager/main.go | 0.00% <ø> (ø) |
| cmd/operator/main.go | 0.00% <ø> (ø) |
| contrib/cmd/waitforjob/main.go | 0.00% <ø> (ø) |
| contrib/pkg/adm/managedns/enable.go | 0.00% <ø> (ø) |
| pkg/azureclient/mock/client_generated.go | 91.19% <ø> (ø) |
| pkg/installmanager/installmanager.go | 35.71% <ø> (ø) |
| pkg/operator/hive/hive_controller.go | 0.00% <ø> (ø) |

github.com/aws/aws-sdk-go-v2/service/s3 -> v1.97
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream -> v1.7.8
go.opentelemetry.io/otel/sdk -> v1.43.0

@suhanime
Contributor Author

suhanime commented May 6, 2026

/retest

@2uasimojo
Member

May need to fix this one too.

…alls

Add AllowWatchBookmarks=true to all watch operations that use
clientwatch.UntilWithSync to prevent "bookmark expired" timeouts.

Changes include:
- managedns/enable: Convert HiveConfig and Deployment watches to dynamic client
- waitforjob: Add bookmark support for job watch
- installmanager: Switch to NewFilteredListWatchFromClient for ClusterProvision watch
- e2e/common: Add bookmark support for APIService, Deployment, and Service watches
- e2e/destroycluster: Add bookmark support for deprovision job and pod watches,
  convert ClusterDeployment watch to dynamic client
- e2e/syncsets: Add bookmark support for ClusterSync and SyncSet watches

This fixes CI failures where all e2e tests timed out waiting for watches to
complete their initial sync. The managedns enable command was particularly
critical as it blocks all e2e test setup.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Update generic-admission-server to master branch (5df3cca1e3cd) which
has support for K8s v0.35.x. The previous version was incompatible with
k8s.io/apiserver v0.35.4 and caused hiveadmission pods to crash with:
"unable to get openapi models: cannot find model definition for
io.k8s.api.admission.v1.AdmissionReview"

This was blocking all e2e tests during setup when running
`hiveutil adm manage-dns enable`.

Changes:
- generic-admission-server: v1.14.1-0.20250715...66c5d0a9c5e6 -> v1.14.1-0.20260305...5df3cca1e3cd
- k8s.io/kube-openapi: updated to match

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

@openshift-ci
Contributor

openshift-ci Bot commented May 7, 2026

@suhanime: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-gcp | ae18a9b | link | true | /test e2e-gcp |
| ci/prow/e2e | ae18a9b | link | true | /test e2e |
| ci/prow/e2e-openstack | ae18a9b | link | true | /test e2e-openstack |
| ci/prow/e2e-pool | ae18a9b | link | true | /test e2e-pool |
| ci/prow/e2e-azure | ae18a9b | link | true | /test e2e-azure |
| ci/prow/e2e-vsphere | ae18a9b | link | true | /test e2e-vsphere |

Labels

- approved: Indicates a PR has been approved by an approver from all required OWNERS files.
- do-not-merge/hold: Indicates that a PR should not merge because someone has issued a /hold command.
- jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
