Closed
9 changes: 2 additions & 7 deletions cmd/authentication-operator/main.go
Expand Up @@ -4,17 +4,16 @@ import (
"context"
"os"

"github.com/openshift/cluster-authentication-operator/pkg/cmd/kmshealthwriter"
"github.com/openshift/cluster-authentication-operator/pkg/cmd/mom"
"github.com/openshift/cluster-authentication-operator/pkg/cmd/operator"
"github.com/openshift/cluster-authentication-operator/pkg/cmd/render"
"github.com/spf13/cobra"
"k8s.io/cli-runtime/pkg/genericiooptions"
"k8s.io/client-go/rest"
"k8s.io/component-base/cli"

kmshealth "github.com/openshift/library-go/pkg/operator/encryption/kms/health"
kmspreflight "github.com/openshift/library-go/pkg/operator/encryption/kms/preflight"
"github.com/openshift/library-go/pkg/operator/v1helpers"
)

func main() {
Expand Down Expand Up @@ -42,11 +41,7 @@ func NewAuthenticationOperatorCommand() *cobra.Command {
cmd.AddCommand(mom.NewInputResourcesCommand(ioStreams))
cmd.AddCommand(mom.NewOutputResourcesCommand(ioStreams))
cmd.AddCommand(render.NewRender())
cmd.AddCommand(kmshealth.NewCommand(context.Background(), func(config *rest.Config) (v1helpers.OperatorClient, error) {
// TODO: replace with a real operator client once the health reporter's condition writer
// is implemented in library-go.
return nil, nil
}))
cmd.AddCommand(kmshealth.NewCommand(context.Background(), kmshealthwriter.NewEncryptionStatusWriter))
cmd.AddCommand(kmspreflight.NewCommand(context.Background()))

return cmd
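Review bot: kmshealthwriter.NewEncryptionStatusWriter, passed to kmshealth.NewCommand here, takes (restConfig, fieldManager), while the callback it replaces had the signature func(config *rest.Config) (v1helpers.OperatorClient, error), so this call only compiles against a library-go that has the new writer constructor type. In this PR that library-go is resolved through a local replace in go.mod, which means the call site cannot build in CI as submitted. Land the library-go change first, then bump the require line in the same change that switches this call.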
6 changes: 4 additions & 2 deletions go.mod
Expand Up @@ -11,9 +11,9 @@ require (
github.com/onsi/ginkgo/v2 v2.27.2
github.com/onsi/gomega v1.38.2
github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5
github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3
github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc
github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af
github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167
github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6
github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d
github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412
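Review bot: the github.com/openshift/library-go require line stays at v0.0.0-20260618132022-b0f5231f2ed6 while openshift/api and openshift/client-go are bumped around it, and the replace added at the end of this file overrides it, so the version recorded here is not the code that gets built. Once the library-go change is merged, bump this line to that commit's pseudo-version and drop the replace, so that the require entry alone determines what is compiled.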
Expand Down Expand Up @@ -133,3 +133,5 @@ require (
)

replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1

replace github.com/openshift/library-go => /home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer


🩺 Stability & Availability | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Verify no local filesystem replaces are committed in module workspace files.
fd -HI 'go\.(mod|work)$' -t f | while read -r f; do
  echo "== $f =="
  rg -n '^\s*replace\s+.+=>\s+(/|\.{1,2}/|[A-Za-z]:\\)' "$f" || true
done
# Expected for merge-ready state: no matches for local filesystem paths.

Repository: openshift/cluster-authentication-operator

Length of output: 340


Remove the machine-local replace directive before merge.

Line 137 pins github.com/openshift/library-go to an absolute workstation path (/home/ibihim/...), which breaks builds on other machines and CI systems lacking that exact path. This violates supply chain security requirements for reproducible dependency resolution.

Suggested fix
-replace github.com/openshift/library-go => /home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer

If local development requires this replace, move it to go.work instead.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
replace github.com/openshift/library-go => /home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 137, Remove the replace directive for
github.com/openshift/library-go from go.mod that currently points to the
absolute local path
/home/ibihim/go/src/github.com/openshift/library-go-worktrees/CNTRLPLANE-3234-health-reporter-writer,
as this breaks reproducibility on other machines and CI systems. If this replace
is needed for local development, move it to go.work instead to keep it
machine-specific without affecting the committed module definition.

Source: Path instructions

10 changes: 4 additions & 6 deletions go.sum
Expand Up @@ -146,14 +146,12 @@ github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5 h1:FJmsOMCeFpAakgnVhHUoITcHLLW9/DrJJSAY1CZaLCA=
github.com/openshift-eng/openshift-tests-extension v0.0.0-20260408205138-ec501c2bf4a5/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3 h1:ywnB6YgTcJlxYpnZ5xMWcvJoiC8eeCJrrolr06KlzeQ=
github.com/openshift/api v0.0.0-20260615110019-261e3a0546f3/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc h1:EOhLyqTo5g0sM3MVrKO7Zh2CoVyqNt7Q7zGE15S79Fg=
github.com/openshift/api v0.0.0-20260618083218-a3c8dea7f8bc/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:UiYYMi/CCV+kwWrXuXfuUSOY2yNXOpWpNVgHc6aLQlE=
github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a h1:EKx2XhOKehd1C5ptY7IrLl4WV35E8kP0pRPnG5BUZXk=
github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a/go.mod h1:V933kvY/cb/Un7UCEOhXHUySNX327u7Epe8g9KNqg2Q=
github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6 h1:Dqs4Fod1A+jnnosihh85xdU9yQVh+R/NcVQLH8sVWr0=
github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A=
github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167 h1:TfqgEkvjjdzmVW3wkXWjh65rF+cjahnrBMbRdraT4Wo=
github.com/openshift/client-go v0.0.0-20260618131434-17fd91ed6167/go.mod h1:SYV1Wn6Pd27K9olD4WbUtjn4RWU83b9UjG1rbaQsTRE=
github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d h1:Rzx23P63JFNNz5D23ubhC0FCN5rK8CeJhKcq5QKcdyU=
github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d/go.mod h1:iVi9Bopa5cLhjG5ie9DoZVVqkH8BGb1FQVTtecOLn4I=
github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412 h1:oDB0GmUXLp8y85fWz+LGRE0hM5JqbXTfNPi5GjEqiX0=
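Review bot: both github.com/openshift/library-go v0.0.0-20260618132022-b0f5231f2ed6 entries (the h1: line and the /go.mod h1: line) are dropped in this hunk with nothing added in their place, although go.mod still requires that version. Go keeps no go.sum checksum for a module replaced by a filesystem directory, so with this file the library-go source is not verified against any recorded hash. After removing the local replace, run go mod tidy and go mod vendor so the library-go hashes return and vendor/ matches them.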
32 changes: 32 additions & 0 deletions pkg/cmd/kmshealthwriter/writer.go
@@ -0,0 +1,32 @@
package kmshealthwriter

import (
"context"

applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
operatorclient "github.com/openshift/client-go/operator/clientset/versioned"
"github.com/openshift/library-go/pkg/operator/encryption/kms/health"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/rest"
)

// NewEncryptionStatusWriter satisfies health.NewEncryptionStatusWriterFunc.
// Only the operator itself knows where to apply the KMSEncryptionStatus.
func NewEncryptionStatusWriter(restConfig *rest.Config, fieldManager string) (health.EncryptionStatusWriter, error) {
client, err := operatorclient.NewForConfig(restConfig)
if err != nil {
return nil, err
}

return func(ctx context.Context, status *applyoperatorv1.KMSEncryptionStatusApplyConfiguration) error {

This mechanism sounds like a good idea to me

_, err := client.OperatorV1().Authentications().ApplyStatus(
ctx,
applyoperatorv1.Authentication("cluster").
WithStatus(applyoperatorv1.AuthenticationStatus().WithOAuthAPIServer(
applyoperatorv1.OAuthAPIServerStatus().WithEncryptionStatus(status),
)),
metav1.ApplyOptions{FieldManager: fieldManager, Force: true},
)
return err
}, nil
}
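Review bot: metav1.ApplyOptions{FieldManager: fieldManager, Force: true} in the ApplyStatus call forces ownership, so any other field manager that has set fields in the OAuthAPIServer encryption status of the "cluster" Authentication loses them without a conflict error. Add a comment saying why Force is needed and which writer is expected to be the sole owner of these fields, or drop Force so that conflicts surface. The closure also passes status straight into WithEncryptionStatus with no nil check; return an error for a nil status rather than applying an empty configuration, and add a unit test for the writer against a fake clientset.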
4 changes: 2 additions & 2 deletions vendor/github.com/openshift/api/features.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions vendor/github.com/openshift/api/features/features.go


80 changes: 80 additions & 0 deletions vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go
