bump library-go funcs

[gangwgr]

Summary by CodeRabbit

• New Features
  • Expanded end-to-end encryption test coverage with additional KMS migration and on/off scenarios, including transitions between KMS providers.
  • Added KMS-to-KMS migration and KMS on/off test flows using shared token creation and encryption-state assertions.
• Bug Fixes
  • Improved encryption-related test assertions to more reliably validate encrypted vs unencrypted token data during KMS provider changes.
• Chores
  • Updated build module resolution to redirect library-go to the intended source/version for builds that use this go.mod.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

The PR adds a go.mod replace directive for library-go and updates KMS e2e tests to use library encryption helpers plus new KMS-to-KMS migration and on/off helpers.

Changes

Library-go replacement and KMS helper migration

Layer / File(s)	Summary
Module replacement go.mod	Adds a replace directive remapping github.com/openshift/library-go to github.com/gangwgr/library-go at a pinned pseudo-version.
KMS helper migration test/e2e-encryption-kms/encryption_kms.go	Replaces operatorencryption imports with library helpers, updates the on/off and provider-migration scenarios to use the new token and assertion helpers, and adds testKMSToKMSMigration and testKMSToKMSOnOff using librarykms.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 4

❌ Failed checks (3 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	testKMSToKMSMigration and testKMSToKMSOnOff are only defined; no Ginkgo spec invokes them, so the added scenarios never run.	Register the new scenarios with g.It (or remove the dead helpers) so the KMS-to-KMS coverage actually executes.
Microshift Test Compatibility	⚠️ Warning	The changed KMS e2e paths use oauth.openshift.io tokens and lack any MicroShift skip/guard; MicroShift serves neither OAuth API.	Add a [Skipped:MicroShift] or apigroup/runtime guard, or move this coverage behind a non-MicroShift CI job.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	The new KMS e2e paths call AssertTokens, which uses an etcd helper hardcoded to 127.0.0.1 for port-forwarding, so they assume IPv4 localhost.	Make the etcd port-forward client IPv6-aware (accept ::1/localhost or use dual-stack-safe addressing), then verify in the IPv6 disconnected CI job.
Title check	❓ Inconclusive	The title is related, but it is too vague to clearly describe the main change.	Use a more specific title such as "Update e2e KMS tests to use library-go encryption helpers".

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The only Ginkgo titles in the changed test file are static string literals; no dynamic values, timestamps, or generated identifiers appear.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo test has multi-node assumptions; the added KMS helpers only exercise encryption/token APIs and don’t inspect node topology or scheduling.
Topology-Aware Scheduling Compatibility	✅ Passed	PASS: workload scheduling uses node counts plus EnsureAtMostOnePodPerNode, with maxUnavailable derived from control-plane size; the operator manifest is excluded from hosted clusters.
Ote Binary Stdout Contract	✅ Passed	PASS: The PR only adds Ginkgo test cases/helpers; no stdout writes appear in main/TestMain/init or suite setup, and the test binary already routes klog to stderr.
No-Weak-Crypto	✅ Passed	Touched files only add KMS test wiring and a go.mod replace; no weak crypto primitives, custom crypto, or secret/token comparisons found.
Container-Privileges	✅ Passed	PR only changes go.mod and a Go test file; no container/K8s manifests or privileged securityContext fields are introduced.
No-Sensitive-Data-In-Logs	✅ Passed	The touched code adds test wiring only; no logging/printing calls or sensitive-value outputs are present.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[gangwgr]

/test e2e-aws-operator-encryption-kms

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign flavianmissi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test/e2e-encryption-kms/encryption_kms.go (1)

15-23: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Register the new KMS scenarios in the Ginkgo suite.

testKMSToKMSMigration and testKMSToKMSOnOff are never referenced here, so the new coverage never runs. golangci-lint is already flagging Line 92 and Line 116 as unused.

Possible fix

 g.It("TestKMSEncryptionProvidersMigration [OCPFeatureGate:KMSEncryption][Serial][Timeout:120m]", func(ctx context.Context) {
 	testKMSEncryptionProvidersMigration(ctx, g.GinkgoTB())
 })
+
+g.It("TestKMSToKMSMigration [OCPFeatureGate:KMSEncryption][Serial][Timeout:120m]", func(ctx context.Context) {
+	testKMSToKMSMigration(ctx, g.GinkgoTB())
+})
+
+g.It("TestKMSToKMSOnOff [OCPFeatureGate:KMSEncryption][Serial][Timeout:120m]", func(ctx context.Context) {
+	testKMSToKMSOnOff(ctx, g.GinkgoTB())
+})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` around lines 15 - 23, The new KMS
test helpers are not being invoked from the Ginkgo suite, so their coverage is
missing and they remain unused. Update the suite registration in the Describe
block to include both testKMSToKMSMigration and testKMSToKMSOnOff alongside the
existing KMS scenarios, using their existing Ginkgo.It wrappers so they execute
under the same KMSEncryption suite context and stop golangci-lint from reporting
them as unused.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 146: The go.mod replace is too broad because it rewires every
github.com/openshift/library-go import to the fork. Remove the repo-wide replace
and scope the change to the specific KMS helper dependency instead, or
vendor/upstream the needed patch so only the affected symbols are redirected.
Use the existing go.mod replace entry as the place to adjust the dependency
mapping.

In `@test/e2e-encryption-kms/encryption_kms.go`:
- Around line 47-49: The token creation callbacks are ignoring the test’s
cancellation and timeout by calling context.TODO(), which can let resource setup
outlive the test. Update all four CreateResourceFunc closures in
encryption_kms.go to pass through the surrounding ctx instead of using
context.TODO(), and keep the existing library.CreateAndStoreTokenOfLife call
structure unchanged.

---

Outside diff comments:
In `@test/e2e-encryption-kms/encryption_kms.go`:
- Around line 15-23: The new KMS test helpers are not being invoked from the
Ginkgo suite, so their coverage is missing and they remain unused. Update the
suite registration in the Describe block to include both testKMSToKMSMigration
and testKMSToKMSOnOff alongside the existing KMS scenarios, using their existing
Ginkgo.It wrappers so they execute under the same KMSEncryption suite context
and stop golangci-lint from reporting them as unused.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 61c2a0c4-4d7b-45aa-be8e-39f5409ad596

📥 Commits

Reviewing files that changed from the base of the PR and between 60f4dee and 8909e07.

⛔ Files ignored due to path filters (7)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/test/library/encryption/assertion_auth.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/assertion_oas.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers_auth.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers_oas.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• test/e2e-encryption-kms/encryption_kms.go

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Repo-wide library-go imports:"
rg -n --type=go '"github.com/openshift/library-go' .

echo
echo "go.mod replace directives:"
sed -n '140,150p' go.mod

echo
echo "Dependency override metadata (if present):"
fd 'deps\.diff$|go\.sum$' . -x sh -c 'echo "== $1 =="; sed -n "1,120p" "$1"' sh {}

Repository: openshift/cluster-authentication-operator

Length of output: 50397

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "go.mod replace block:"
sed -n '130,155p' go.mod

echo
echo "Any fork references in repo metadata:"
rg -n --hidden --glob '!vendor/**' 'gangwgr|replace github.com/openshift/library-go' go.mod vendor/modules.txt deps.diff . || true

echo
echo "library-go entries in vendor/modules.txt (if present):"
if [ -f vendor/modules.txt ]; then
  rg -n 'github.com/openshift/library-go|github.com/gangwgr/library-go' vendor/modules.txt
fi

Repository: openshift/cluster-authentication-operator

Length of output: 7318

---

Avoid the repo-wide library-go replace
This rewires every github.com/openshift/library-go import in the module, not just the KMS helpers. If this is carrying a local patch, keep it as an explicit vendored patch or upstream the helper instead of pinning the whole repo to the fork.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 146, The go.mod replace is too broad because it rewires every
github.com/openshift/library-go import to the fork. Remove the repo-wide replace
and scope the change to the specific KMS helper dependency instead, or
vendor/upstream the needed patch so only the affected symbols are redirected.
Use the existing go.mod replace entry as the place to adjust the dependency
mapping.

Sources: Coding guidelines, Path instructions

[coderabbitai]

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== file outline ==\n'
ast-grep outline test/e2e-encryption-kms/encryption_kms.go --view expanded || true

printf '\n== relevant lines ==\n'
nl -ba test/e2e-encryption-kms/encryption_kms.go | sed -n '1,220p'

printf '\n== search for CreateAndStoreTokenOfLife ==\n'
rg -n "CreateAndStoreTokenOfLife|CreateResourceFunc|context.TODO\(\)" test/e2e-encryption-kms test -g '*.go'

printf '\n== inspect function definition ==\n'
rg -n "func .*CreateAndStoreTokenOfLife|CreateAndStoreTokenOfLife\\(" -g '*.go'

Repository: openshift/cluster-authentication-operator

Length of output: 665

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== encryption_kms.go lines 30-150 ==\n'
sed -n '30,150p' test/e2e-encryption-kms/encryption_kms.go | cat -n

printf '\n== CreateAndStoreTokenOfLife definition and usages ==\n'
rg -n "func .*CreateAndStoreTokenOfLife|CreateAndStoreTokenOfLife\\(" -g '*.go' .

printf '\n== related helper signatures near library package ==\n'
rg -n "type .*ClientSet|CreateAndStoreTokenOfLife|GetClients\\(" test pkg -g '*.go'

Repository: openshift/cluster-authentication-operator

Length of output: 9902

---

Pass the test context through the token-creation callbacks.
context.TODO() drops the outer ctx’s timeout/cancellation, so these paths can outlive the test. Use ctx in all four CreateResourceFunc closures.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` around lines 47 - 49, The token
creation callbacks are ignoring the test’s cancellation and timeout by calling
context.TODO(), which can let resource setup outlive the test. Update all four
CreateResourceFunc closures in encryption_kms.go to pass through the surrounding
ctx instead of using context.TODO(), and keep the existing
library.CreateAndStoreTokenOfLife call structure unchanged.

Sources: Coding guidelines, Path instructions

[ardaguclu]

Suggested change

	ResourceFunc: func(_ testing.TB, _ string) runtime.Object { return library.TokenOfLife() },
	ResourceFunc: library.TokenOfLife()```

[ardaguclu]

Suggested change

	ResourceFunc: func(_ testing.TB, _ string) runtime.Object { return library.TokenOfLife() },
	ResourceFunc: library.TokenOfLife(),

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-encryption-kms/encryption_kms.go`:
- Around line 91-137: The new KMS-to-KMS helper scenarios in
testKMSToKMSMigration and testKMSToKMSOnOff are currently dead code because
nothing calls them from the test entrypoint. Update the existing encryption test
registration/dispatch path to invoke these helpers alongside the other scenarios
so the new coverage actually runs, keeping the wiring consistent with the
surrounding test functions in this package.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cd708cd8-5d0c-4386-852b-9ed454d78573

📥 Commits

Reviewing files that changed from the base of the PR and between 8909e07 and fe4549a.

⛔ Files ignored due to path filters (7)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/test/library/encryption/assertion_auth.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/assertion_oas.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers_auth.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers_oas.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• test/e2e-encryption-kms/encryption_kms.go

✅ Files skipped from review due to trivial changes (1)

• go.mod

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Wire these new scenarios into the test entrypoint.

Line 92 and Line 116 add helper functions that nothing invokes, so the new KMS-to-KMS migration/on-off paths never execute. Please register them alongside the existing encryption scenarios; otherwise this PR adds dead test code instead of coverage.

🧰 Tools

🪛 golangci-lint (2.12.2)

[error] 92-92: func testKMSToKMSMigration is unused

(unused)

---

[error] 116-116: func testKMSToKMSOnOff is unused

(unused)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` around lines 91 - 137, The new
KMS-to-KMS helper scenarios in testKMSToKMSMigration and testKMSToKMSOnOff are
currently dead code because nothing calls them from the test entrypoint. Update
the existing encryption test registration/dispatch path to invoke these helpers
alongside the other scenarios so the new coverage actually runs, keeping the
wiring consistent with the surrounding test functions in this package.

Source: Linters/SAST tools

[openshift-ci]

@gangwgr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic	fe4549a	link	true	/test e2e-agnostic

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.