
CORENET-7108: Implement TLS profile compliance#720

Open
tpantelis wants to merge 4 commits into
openshift:masterfrom
tpantelis:tls_profile_compliance

Conversation

@tpantelis

@tpantelis tpantelis commented Jun 18, 2026


See individual commits for details.

Overview:

  • Use the centralized OCP TLS profile for the operator webhook and metrics servers
  • Use the centralized OCP TLS profile for the daemonset kube-rbac-proxy via templating
  • Removed the kube-rbac-proxy side car for the operator in lieu of using controller-runtime's native support for TLS and authorization. This eliminates having to deal with the hard-coded --tls args in the embedded bash script and restarting the container when the TLS profile is updated.

Summary by CodeRabbit

Summary

  • New Features

    • Enabled TLS profile support for node firewall traffic, including dynamic TLS min-version and cipher suite selection (with safe fallback when unset).
  • Security & Maintenance

    • Metrics are now served over HTTPS on :9300 using a required metrics certificate directory; removed the prior metrics proxy startup wrapper.
    • Updated RBAC for TLS profile/API server reads and auth review capabilities.
    • Migrated webhooks to typed handlers and expanded TLS-focused test coverage.
    • Upgraded dependencies and operator build tooling.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 18, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 18, 2026


@tpantelis: This pull request references CORENET-7108 which is a valid jira issue.

Details

In response to this:

See individual commits for details.

Overview:

  • Use the centralized OCP TLS profile for the operator webhook and metrics servers
  • Use the centralized OCP TLS profile for the daemonset kube-rbac-proxy via templating
  • Use the centralized OCP TLS profile for the operator kube-rbac-proxy. The embedded bash script was replaced with Go wrapper to facilitate setting the kube-rbac-proxy --tls args and restarting the container when the TLS profile is updated.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

The PR adds OpenShift TLS profile support across startup, controller reconciliation, webhook TLS, metrics serving, and generated manifests, while updating related RBAC, CRDs, dependencies, and build settings.

Changes

TLS profile rollout

Layer / File(s) Summary
TLS profile library
pkg/tls/profile.go, pkg/tls/profile_test.go, pkg/tls/tls_suite_test.go
Defines TLS profile lookup and watch wiring, with tests covering profile conversion, adherence handling, and watcher-triggered reconciliation.
Reconciler TLS template data
controllers/ingressnodefirewallconfig_controller.go, controllers/ingressnodefirewallconfig_controller_test.go, controllers/suite_test.go
The reconciler accepts a TLS profile supplier, always sets TLS template values, and controller tests verify default and configured command output.
Startup wiring and RBAC
main.go, config/rbac/role.yaml
main.go registers the OpenShift scheme, fetches TLS profile data, wires TLS options into servers, starts profile watching, and updates RBAC for review and API server access.
Manager and manifest updates
config/manager/manager.yaml, bindata/manifests/daemon/daemonset.yaml, bundle/manifests/ingress-node-firewall.clusterserviceversion.yaml, manifests/stable/ingress-node-firewall.clusterserviceversion.yaml, config/manifests/bases/ingress-node-firewall.clusterserviceversion.yaml, manifests/stable/image-references, bundle/manifests/ingressnodefirewall.openshift.io_*.yaml, manifests/stable/ingressnodefirewall.openshift.io_*.yaml
The manager deployment, CSVs, CRDs, and image references are updated for HTTPS metrics, TLS profile capability, and matching RBAC.
Webhook and dependency updates
pkg/webhook/webhook.go, go.mod, Makefile, .gitignore
The webhook uses typed validation handlers, and the module, build, and ignore files update dependency versions, operator-sdk version, and editor ignore entries.

🎯 4 (Complex) | ⏱️ ~60 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 2 warnings)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❌ Error controllers/ingressnodefirewallnodestate_controller_test.go uses fmt.Sprintf in Ginkgo titles with a node name, so the test names are not static. Replace those titles with fixed descriptive strings; keep the node name only in setup/assertions inside the test body.
Container-Privileges ❌ Error Touched manifests still set hostNetwork: true, hostPID: true, and runAsNonRoot: false, which match the container-privileges flags. Remove or justify the host namespace sharing and non-root settings; ensure container securityContext is restrictive and no privilege escalation is requested.
Docstring Coverage ⚠️ Warning Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality ⚠️ Warning FAIL: one It in controllers/ingressnodefirewallconfig_controller_test.go mixes templating, TLS fallback, and nodeSelector updates; several Expect(err).NotTo(HaveOccurred()) calls lack context. Split that It into focused specs, keep cluster mutations in dedicated cases, and add failure-context messages to the unadorned error assertions.
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately summarizes the main change: TLS profile compliance updates for the operator.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Microshift Test Compatibility ✅ Passed PASS: No new/changed e2e Ginkgo tests were added; the touched specs are unit/integration tests, and the e2e tree shows no MicroShift-incompatible APIs.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Added Ginkgo specs are unit/envtest tests only; they don’t assume multiple nodes, HA, or rescheduling, so no SNO issue found.
Topology-Aware Scheduling Compatibility ✅ Passed PASS: The PR only updates TLS/profile wiring and RBAC; no new anti-affinity, topology spread, control-plane nodeSelectors, PDBs, or replica/topology logic were added.
Ote Binary Stdout Contract ✅ Passed No stdout writes in main/init/BeforeSuite/AfterSuite; the only os.Stdout usage is a test helper called from It blocks, which is allowed.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Added Ginkgo specs are unit/controller tests using fake clients/managers; no IPv4 literals, localhost assumptions, or external network calls found.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret-comparison code appeared in the touched files; TLS ciphers are AES-based only.
No-Sensitive-Data-In-Logs ✅ Passed New logs only emit TLS profile status/cipher names and generic error contexts; no secrets, tokens, PII, hostnames, or customer data are logged.

@openshift-ci openshift-ci Bot requested review from abhat and tssurya June 18, 2026 14:55
@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tpantelis
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tpantelis

Author

@coderabbitai Why was your review skipped? You indicated "An error occurred during the review process. Please try again later." in comment #720 (comment). What was the error?

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh api repos/openshift/ingress-node-firewall/issues/comments/4743214043 --jq '{body: .body, created_at: .created_at, user: .user.login}'

Length of output: 33591



@tpantelis: The error that caused the review to be skipped was an internal infrastructure issue — specifically a "Ping-pong health check failed" error when attempting to run the review tooling. This is a transient server-side failure unrelated to the PR content. The walkthrough/summary were successfully generated, but the detailed file-by-file review comments were not produced as a result.

I can re-run the full review now if you'd like.

✅ Action performed

Full review finished.

@tpantelis

Author

I can re-run the full review now if you'd like.

@coderabbitai Please re-run the full review

@coderabbitai

coderabbitai Bot commented Jun 18, 2026


@tpantelis: Kicking off the full review now!

✅ Action performed

Full review finished.

@tpantelis tpantelis force-pushed the tls_profile_compliance branch from be333f0 to 270d007 Compare June 18, 2026 15:44
@tpantelis

Author

/cc @jcaamano

@openshift-ci openshift-ci Bot requested a review from jcaamano June 18, 2026 15:46
@tpantelis tpantelis force-pushed the tls_profile_compliance branch from 270d007 to 5b8b432 Compare June 18, 2026 18:49

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🧹 Nitpick comments (1)
config/manager/manager.yaml (1)

66-69: 💤 Low value

Consider adding readOnlyRootFilesystem: true to the manager container's securityContext.

Trivy flagged that the manager container lacks readOnlyRootFilesystem: true. If the manager doesn't require writing to the root filesystem, adding this would improve the security posture.

securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/manager/manager.yaml` around lines 66 - 69, The manager container in
the Kubernetes deployment specification lacks a hardened securityContext
setting. Add or update the securityContext field within the manager container
definition to include readOnlyRootFilesystem set to true, which will prevent the
container from writing to the root filesystem and improve the security posture.
You may also consider adding allowPrivilegeEscalation set to false in the same
securityContext for additional hardening.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controllers/ingressnodefirewallconfig_controller_test.go`:
- Around line 43-47: The test has a race condition where tlsProfileSpec is nil
when JustBeforeEach creates the config CR at line 46, triggering async
reconciliation that reads GetTLSProfileSpec() with uninitialized values. Move
the tlsProfileSpec initialization to occur before the k8sClient.Create call in
JustBeforeEach so that reconciliation sees the correct profile spec.
Additionally, replace the synchronous assertions on the DaemonSet (around lines
135-137) with eventual/eventually assertions that wait for content convergence
rather than just object existence, and update awaitDaemonset() to verify content
convergence with the expected TLS configuration, not just that the object
exists.

In `@controllers/ingressnodefirewallconfig_controller.go`:
- Line 168: The GetTLSProfileSpec function field on the
IngressNodeFirewallConfigReconciler struct may be nil when the reconciler is
instantiated outside the main constructor, which would cause a panic when called
on line 168. Add a nil check before calling r.GetTLSProfileSpec() to guard
against this, and handle the nil case by either returning an appropriate error
from the reconciliation function or skipping the TLS profile initialization
logic gracefully.

In `@controllers/suite_test.go`:
- Line 59: The AfterEach hook (lines 49-58) cleans up the config and daemonset
but does not reset the tlsProfileSpec atomic.Value variable, causing test
cross-contamination when tests run in different orders. Add a reset of the
tlsProfileSpec variable in the AfterEach hook to clear any TLS profile stored
from previous tests. This will ensure that the first test always sees the
default state (no TLS profile) regardless of test execution order, since the
reconciler callback (lines 116-122) reads from this shared package-level
variable.

In `@go.mod`:
- Line 110: Address the three critical CVEs by upgrading the affected indirect
dependencies in go.mod: upgrade google.golang.org/grpc to v1.79.3 or later,
upgrade go.opentelemetry.io/otel to v1.41.0 or later, and upgrade
go.opentelemetry.io/otel/sdk to v1.43.0 or later. After updating the version
constraints for these three packages, run go mod tidy to resolve the dependency
tree and ensure all transitive dependencies are properly updated.

In `@pkg/tls/profile_test.go`:
- Around line 322-324: In the anonymous function passed to the go statement
within the test helper, the error returned from the Reconcile method call is
being explicitly ignored using the blank identifier pattern. Modify the code to
capture the error return value from r.Reconcile(ctx, req) instead of discarding
it, and add appropriate error handling such as logging or assertion to ensure
that reconciliation failures are detected rather than silently masked during
test execution.

---

Nitpick comments:
In `@config/manager/manager.yaml`:
- Around line 66-69: The manager container in the Kubernetes deployment
specification lacks a hardened securityContext setting. Add or update the
securityContext field within the manager container definition to include
readOnlyRootFilesystem set to true, which will prevent the container from
writing to the root filesystem and improve the security posture. You may also
consider adding allowPrivilegeEscalation set to false in the same
securityContext for additional hardening.
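The PR overview (controller-runtime's native TLS driven by the centralized profile, with a safe fallback when none is set) and the review notes above on the nil GetTLSProfileSpec supplier and the shared atomic profile value describe one mechanism. The following is an added example, not code from this PR or from the ingress-node-firewall repository: it assumes a constructed TLSProfileSpec stand-in in place of the openshift/api type, assumes TLS 1.2 plus Go's default suites as the fallback, and shows how a profile swap reaches new handshakes through tls.Config.GetConfigForClient without a restart.

```go
package main

import (
	"crypto/tls"
	"sync/atomic"
)

// TLSProfileSpec is a constructed stand-in for the shape of the OpenShift
// TLSProfileSpec (IANA cipher names plus a "VersionTLSxx" minimum).
type TLSProfileSpec struct {
	Ciphers       []string
	MinTLSVersion string
}

// Assumed fallback when no profile is available: TLS 1.2 minimum and Go's
// own default cipher preference (a nil CipherSuites slice).
const fallbackMinVersion uint16 = tls.VersionTLS12

var minVersionByName = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// TLSSettings is what a profile resolves to at the crypto/tls level.
type TLSSettings struct {
	MinVersion   uint16
	CipherSuites []uint16 // TLS 1.2-and-earlier suites only; nil means Go defaults
	Unknown      []string // profile values that were ignored; log these by name
}

// secureSuitesByName indexes the suites Go considers secure; anything in
// tls.InsecureCipherSuites() (RC4, 3DES, ...) is deliberately absent.
func secureSuitesByName() map[string]*tls.CipherSuite {
	m := make(map[string]*tls.CipherSuite)
	for _, cs := range tls.CipherSuites() {
		m[cs.Name] = cs
	}
	return m
}

// isTLS13Only reports whether Go negotiates the suite itself: TLS 1.3 suites
// cannot be set through tls.Config.CipherSuites, so they are not listed.
func isTLS13Only(cs *tls.CipherSuite) bool {
	for _, v := range cs.SupportedVersions {
		if v != tls.VersionTLS13 {
			return false
		}
	}
	return true
}

// SettingsFromProfile converts a profile into crypto/tls settings. A nil
// profile (supplier not wired, watcher not started yet) yields the fallback
// instead of a panic; unknown versions and suites are skipped and reported.
func SettingsFromProfile(spec *TLSProfileSpec) TLSSettings {
	s := TLSSettings{MinVersion: fallbackMinVersion}
	if spec == nil {
		return s
	}
	if v, ok := minVersionByName[spec.MinTLSVersion]; ok {
		s.MinVersion = v
	} else if spec.MinTLSVersion != "" {
		s.Unknown = append(s.Unknown, "MinTLSVersion="+spec.MinTLSVersion)
	}
	byName := secureSuitesByName()
	for _, name := range spec.Ciphers {
		cs, ok := byName[name]
		switch {
		case !ok:
			s.Unknown = append(s.Unknown, name)
		case isTLS13Only(cs):
			// accepted, but Go handles TLS 1.3 suite selection on its own
		default:
			s.CipherSuites = append(s.CipherSuites, cs.ID)
		}
	}
	return s
}

// ProfileHolder keeps the current profile behind an atomic pointer so the
// profile watcher can replace it (Set) while the servers keep running;
// Current resolves whatever is stored right now, possibly nothing.
type ProfileHolder struct {
	spec atomic.Pointer[TLSProfileSpec]
}

func (h *ProfileHolder) Set(spec *TLSProfileSpec) { h.spec.Store(spec) }
func (h *ProfileHolder) Current() TLSSettings    { return SettingsFromProfile(h.spec.Load()) }

// GetConfigForClient is meant to be installed as tls.Config.GetConfigForClient
// on the webhook and metrics listeners: each new handshake uses the profile
// current at that moment, so a profile update needs no container restart.
func (h *ProfileHolder) GetConfigForClient(_ *tls.ClientHelloInfo) (*tls.Config, error) {
	s := h.Current()
	return &tls.Config{MinVersion: s.MinVersion, CipherSuites: s.CipherSuites}, nil
}
```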

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 74f5b2a1-4b24-4f14-9053-8c1e0659dcd8

📥 Commits

Reviewing files that changed from the base of the PR and between 64f1873 and 5b8b432.

⛔ Files ignored due to path filters (287)
  • vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/discard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/properties.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wire.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration/duration.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/cel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/folding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/inlining.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/io.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/library.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/macro.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/optimizer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/program.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/prompt.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/templates/authoring.tmpl is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/validator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/checker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/cost.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/decls/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/decls/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/mapping.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/printer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/scopes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/ast.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/conversion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/expr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/factory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/navigable.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/containers/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/containers/container.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/cost.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/debug/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/debug/debug.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/decls/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/decls/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/env/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/env/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/functions/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/functions/functions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/location.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/operators/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/operators/operators.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/overloads/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/overloads/overloads.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/runes/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/runes/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/source.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/standard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/any_value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/bool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/compare.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/double.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/err.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/int.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/iterator.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • .gitignore
  • bindata/manifests/daemon/daemonset.yaml
  • config/manager/manager.yaml
  • config/rbac/role.yaml
  • controllers/ingressnodefirewallconfig_controller.go
  • controllers/ingressnodefirewallconfig_controller_test.go
  • controllers/suite_test.go
  • go.mod
  • main.go
  • pkg/tls/profile.go
  • pkg/tls/profile_test.go
  • pkg/tls/tls_suite_test.go
  • pkg/webhook/webhook.go

- Upgrade K8s dependencies from v0.32.3 to v0.35.1/v0.35.2
- Upgrade controller-runtime from v0.20.4 to v0.23.3
- Add openshift/api, library-go, and controller-runtime-common for future TLS compliance work
- Update webhook validator to use controller-runtime v0.23 generics API

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Configure the daemonset's kube-rbac-proxy sidecar to use the cluster's
TLS security profile for compliance with OpenShift TLS standards.

Changes:
- Add TLSProfileSpec field to IngressNodeFirewallConfigReconciler
- Template TLS min version and cipher suites in daemonset.yaml
- Pass TLS configuration from cluster APIServer to daemonset rendering
- Maintain backward compatibility with default cipher suites when no
  TLS profile is available

The TLS configuration is applied during daemonset manifest rendering,
ensuring each node's firewall metrics endpoint honors the cluster's
TLS security policy.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
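The profile-to-TLS-config mapping and the unset-profile fallback described in the commit message above, as an added example in Go. This is not the project's code: ProfileSpec, ProfileTLSOpts and BuildTLSConfig are hypothetical names that mirror the shape of openshift/api's TLSProfileSpec and controller-runtime's TLSOpts, and cipher names are assumed to already be in IANA form.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ProfileSpec mirrors the shape of OpenShift's configv1.TLSProfileSpec (a
// minimum version plus an ordered cipher list) but is declared here so the
// example needs nothing outside the standard library. Hypothetical type.
type ProfileSpec struct {
	MinTLSVersion string   // e.g. "VersionTLS12", as spelled in the OpenShift API
	Ciphers       []string // IANA names such as "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
}

// TLSOpt has the shape controller-runtime's webhook and metrics servers take
// in their TLSOpts field ([]func(*tls.Config)).
type TLSOpt func(*tls.Config)

// fallbackMinVersion is what an unset profile falls back to: TLS 1.2 with Go's
// default cipher selection, which already excludes the suites Go calls insecure.
const fallbackMinVersion = tls.VersionTLS12

var versionByName = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// cipherIDByName is derived from crypto/tls's own table of secure suites, so
// only suites Go can negotiate are mappable. Suites Go lists under
// tls.InsecureCipherSuites are intentionally absent.
var cipherIDByName = func() map[string]uint16 {
	m := make(map[string]uint16, len(tls.CipherSuites()))
	for _, cs := range tls.CipherSuites() {
		m[cs.Name] = cs.ID
	}
	return m
}()

// ProfileTLSOpts converts a profile into TLS options. A nil profile yields the
// fallback. An unknown version or cipher name is an error rather than being
// dropped silently, so a typo in the profile cannot widen what the server accepts.
func ProfileTLSOpts(spec *ProfileSpec) ([]TLSOpt, error) {
	if spec == nil {
		return []TLSOpt{func(c *tls.Config) { c.MinVersion = fallbackMinVersion }}, nil
	}
	minVer, ok := versionByName[spec.MinTLSVersion]
	if !ok {
		return nil, fmt.Errorf("unknown minimum TLS version %q", spec.MinTLSVersion)
	}
	suites := make([]uint16, 0, len(spec.Ciphers))
	for _, name := range spec.Ciphers {
		id, ok := cipherIDByName[name]
		if !ok {
			return nil, fmt.Errorf("cipher %q is not a secure suite supported by crypto/tls", name)
		}
		suites = append(suites, id) // profile order is preserved: it is the preference order
	}
	opts := []TLSOpt{func(c *tls.Config) { c.MinVersion = minVer }}
	if len(suites) > 0 {
		// Go negotiates TLS 1.3 suites on its own; CipherSuites only constrains
		// TLS 1.0-1.2 handshakes, so setting it is harmless for a TLS 1.3 profile.
		opts = append(opts, func(c *tls.Config) { c.CipherSuites = suites })
	}
	return opts, nil
}

// BuildTLSConfig applies the options in order to a fresh config, which is how
// controller-runtime applies TLSOpts before serving. Useful for asserting the
// exact mapping in tests instead of only the suite count.
func BuildTLSConfig(opts []TLSOpt) *tls.Config {
	cfg := &tls.Config{}
	for _, o := range opts {
		o(cfg)
	}
	return cfg
}

func main() {
	// Constructed sample profile for the demo (Intermediate-like, one suite).
	opts, err := ProfileTLSOpts(&ProfileSpec{
		MinTLSVersion: "VersionTLS12",
		Ciphers:       []string{"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
	})
	if err != nil {
		panic(err)
	}
	cfg := BuildTLSConfig(opts)
	fmt.Printf("min=%#x suites=%#x\n", cfg.MinVersion, cfg.CipherSuites)
}
```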
@tpantelis tpantelis force-pushed the tls_profile_compliance branch from 5b8b432 to 38e44f4 Compare June 18, 2026 20:28

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
config/manager/manager.yaml (1)

38-69: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden the manager container security context.

The changed container does not set readOnlyRootFilesystem, allowPrivilegeEscalation: false, or drop capabilities; Trivy also flags the missing read-only root filesystem.

As per coding guidelines: Kubernetes/OpenShift manifests should set runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, and drop ALL capabilities.

Suggested hardening
         image: controller:latest
         name: manager
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
         ports:
           - containerPort: 9300
             name: https
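Review bot: runAsNonRoot: true in this hunk is enforced by the kubelet at container start, which refuses to run the container when the image's USER is root or a non-numeric name it cannot resolve; pair it with a numeric USER in the manager image or add runAsUser next to it so the hardened manifest does not fail on deploy. readOnlyRootFilesystem: true does not change the mode of mounted volumes, so the metrics certificate directory the HTTPS server on containerPort 9300 reads from is unaffected.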
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/manager/manager.yaml` around lines 38 - 69, The manager container
specification in the Kubernetes manifest is missing critical security hardening
configurations. Add a securityContext field to the manager container (the
container with image: controller:latest and name: manager) that includes the
following security settings at the same indentation level as ports,
livenessProbe, and readinessProbe: set runAsNonRoot to true,
readOnlyRootFilesystem to true, allowPrivilegeEscalation to false, and include a
capabilities section with a drop array containing ALL to remove all Linux
capabilities.

Sources: Coding guidelines, Linters/SAST tools

🧹 Nitpick comments (1)
pkg/tls/profile_test.go (1)

124-126: ⚡ Quick win

Assert the mapped cipher IDs, not just the count.

HaveLen(2) would still pass if the implementation mapped the two known cipher names to the wrong Go cipher IDs. This test is more valuable if it verifies the exact TLS profile mapping.

Suggested assertion
 			tlsConfig := applyTLSOpts(profile.TLSOpts)
 			Expect(tlsConfig.MinVersion).To(Equal(uint16(tls.VersionTLS11)))
-			Expect(tlsConfig.CipherSuites).To(HaveLen(2))
+			Expect(tlsConfig.CipherSuites).To(Equal([]uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			}))
 		})
 	})
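Review bot: Equal on a []uint16 is order-sensitive, so the suggested assertion also pins the order in which applyTLSOpts emits the suites. That is the stronger check, since cipher order is the server's preference order and should follow the profile, but if applyTLSOpts sorts or de-duplicates the list the test will fail for a reason unrelated to the name-to-ID mapping; in that case use ConsistOf(...) here and cover ordering in a separate spec.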
🤖 Prompt for AI Agents

In `@pkg/tls/profile_test.go` around lines 124 - 126, The current assertion in the
test only verifies the length of CipherSuites is 2, but does not validate that
the correct cipher IDs are actually mapped. Replace the HaveLen(2) assertion
with explicit checks that verify the CipherSuites slice contains the exact
expected cipher ID values that should result from the TLS profile mapping. This
ensures the applyTLSOpts function is mapping the cipher names to the correct Go
tls cipher constants, not just producing the right count.
🤖 Prompt for all review comments with AI agents

Inline comments:
In `@config/manager/manager.yaml`:
- Line 35: The manager container in config/manager/manager.yaml exposes metrics
on port 9300 without authentication or a kube-rbac-proxy sidecar for protection.
Add a kube-rbac-proxy sidecar container (as used in the bundle manifests) that
handles TLS enforcement and certificate management with a wait script for cert
readiness, or alternatively configure authentication directly in the manager's
metrics server. Additionally, add security hardening to the manager container's
securityContext by setting readOnlyRootFilesystem to true and
allowPrivilegeEscalation to false to meet Kubernetes security guidelines.

In `@pkg/tls/profile_test.go`:
- Around line 185-202: The test setup for the manager and fake client uses
k8sscheme.Scheme, which lacks OpenShift types, but the code attempts to use
configv1.APIServer (an OpenShift-specific type) which will cause registration
errors. Replace k8sscheme.Scheme with t.clientScheme in both the ctrl.NewManager
call and the fake.NewClientBuilder WithScheme call. Additionally, ensure
t.clientScheme is properly initialized to include both Kubernetes core types and
OpenShift types by calling k8sscheme.AddToScheme() before installing the
OpenShift configv1 types into the scheme.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 43979373-9537-46be-a5c4-f948d4383794

📥 Commits

Reviewing files that changed from the base of the PR and between 5b8b432 and 38e44f4.

⛔ Files ignored due to path filters (287)
  • vendor/github.com/fxamacker/cbor/v2/stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fxamacker/cbor/v2/structfields.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/fxamacker/cbor/v2/tag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/logr/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/logr/funcr/funcr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/logr/funcr/slogsink.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/stdr/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/stdr/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/go-logr/stdr/stdr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/clone.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/custom_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/discard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/duration_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/encode_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/equal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/extensions_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/lib_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/message_set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_reflect_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/pointer_unsafe_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/properties_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/skip_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_marshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_merge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/table_unmarshal_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/text_parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/timestamp_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/proto/wrappers_gogo.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/gogo/protobuf/sortkeys/sortkeys.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/defaults.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/deprecated.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/discard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/extensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/properties.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/proto.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_decode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/text_encode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wire.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/proto/wrappers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/any/any.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/duration/duration.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/cel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/folding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/inlining.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/io.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/library.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/macro.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/optimizer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/program.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/prompt.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/templates/authoring.tmpl is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/validator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/checker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/cost.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/decls/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/decls/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/mapping.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/printer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/scopes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/ast.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/conversion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/expr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/factory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/navigable.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/containers/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/containers/container.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/cost.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/debug/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/debug/debug.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/decls/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/decls/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/env/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/env/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/functions/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/functions/functions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/location.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/operators/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/operators/operators.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/overloads/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/overloads/overloads.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/runes/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/runes/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/source.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/standard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/any_value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/bool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/compare.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/double.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/err.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/int.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/iterator.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • .gitignore
  • bindata/manifests/daemon/daemonset.yaml
  • config/manager/manager.yaml
  • config/rbac/role.yaml
  • controllers/ingressnodefirewallconfig_controller.go
  • controllers/ingressnodefirewallconfig_controller_test.go
  • controllers/suite_test.go
  • go.mod
  • main.go
  • pkg/tls/profile.go
  • pkg/tls/profile_test.go
  • pkg/tls/tls_suite_test.go
  • pkg/webhook/webhook.go
✅ Files skipped from review due to trivial changes (1)
  • .gitignore
🚧 Files skipped from review as they are similar to previous changes (9)
  • bindata/manifests/daemon/daemonset.yaml
  • pkg/tls/tls_suite_test.go
  • controllers/suite_test.go
  • config/rbac/role.yaml
  • controllers/ingressnodefirewallconfig_controller_test.go
  • controllers/ingressnodefirewallconfig_controller.go
  • pkg/tls/profile.go
  • pkg/webhook/webhook.go
  • main.go

Comment thread config/manager/manager.yaml
Comment thread pkg/tls/profile_test.go
@tpantelis tpantelis force-pushed the tls_profile_compliance branch from 38e44f4 to 3f2bc56 Compare June 18, 2026 22:15

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
manifests/stable/ingress-node-firewall.clusterserviceversion.yaml (1)

90-94: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Advertise TLS profile support in the stable CSV metadata.

Line 94 still declares features.operators.openshift.io/tls-profiles: "false" while this PR implements centralized OpenShift TLS profile handling. Keep the stable manifest consistent with the bundle and runtime behavior.

Proposed fix
-    features.operators.openshift.io/tls-profiles: "false"
+    features.operators.openshift.io/tls-profiles: "true"
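Review bot: this annotation flip has to land in both CSV copies at once, since bundle/manifests/ingress-node-firewall.clusterserviceversion.yaml carries the same `features.operators.openshift.io/tls-profiles: "false"` line; if either copy is generated from the other by the Makefile (which is in this PR's changed-file list), edit the source copy so the next regeneration does not revert the value.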
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/stable/ingress-node-firewall.clusterserviceversion.yaml` around
lines 90 - 94, The stable CSV manifest declares the tls-profiles feature as
unsupported with features.operators.openshift.io/tls-profiles set to "false",
but this PR implements centralized OpenShift TLS profile handling. Change the
value of features.operators.openshift.io/tls-profiles from "false" to "true" in
the ingress-node-firewall.clusterserviceversion.yaml file to accurately
advertise TLS profile support capability and keep the stable manifest consistent
with the bundle and runtime behavior.
bundle/manifests/ingress-node-firewall.clusterserviceversion.yaml (1)

90-94: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Advertise TLS profile support in the CSV metadata.

Line 94 still declares features.operators.openshift.io/tls-profiles: "false" even though this PR wires the OpenShift TLS profile into the manager and DaemonSet paths. That makes the bundle metadata contradict the implemented compliance capability.

Proposed fix
-    features.operators.openshift.io/tls-profiles: "false"
+    features.operators.openshift.io/tls-profiles: "true"
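Review bot: setting tls-profiles to "true" is a compliance claim for every endpoint the operator serves, so it should go in together with a test that pins the behaviour: pkg/tls/profile_test.go is already in this PR's file list and is the natural place to assert that the served MinVersion and cipher suites follow the APIServer profile, including the fallback when the profile is unset, so the annotation cannot drift from runtime behaviour.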
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bundle/manifests/ingress-node-firewall.clusterserviceversion.yaml` around
lines 90 - 94, In the ingress-node-firewall.clusterserviceversion.yaml file,
locate the `features.operators.openshift.io/tls-profiles` property within the
metadata annotations section around line 94 and change its value from "false" to
"true" to accurately reflect that the manager and DaemonSet paths now include
OpenShift TLS profile support, ensuring the CSV metadata is consistent with the
actual implementation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5e340b10-4547-46a7-a050-62faccd56847

📥 Commits

Reviewing files that changed from the base of the PR and between 38e44f4 and 3f2bc56.

📒 Files selected for processing (17)
  • .gitignore
  • Makefile
  • bundle/manifests/ingress-node-firewall.clusterserviceversion.yaml
  • bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml
  • bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewallnodestates.yaml
  • bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewalls.yaml
  • config/manager/manager.yaml
  • config/rbac/role.yaml
  • main.go
  • manifests/stable/image-references
  • manifests/stable/ingress-node-firewall.clusterserviceversion.yaml
  • manifests/stable/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml
  • manifests/stable/ingressnodefirewall.openshift.io_ingressnodefirewallnodestates.yaml
  • manifests/stable/ingressnodefirewall.openshift.io_ingressnodefirewalls.yaml
  • pkg/tls/profile.go
  • pkg/tls/profile_test.go
  • pkg/tls/tls_suite_test.go
💤 Files with no reviewable changes (1)
  • manifests/stable/image-references
✅ Files skipped from review due to trivial changes (6)
  • manifests/stable/ingressnodefirewall.openshift.io_ingressnodefirewallnodestates.yaml
  • manifests/stable/ingressnodefirewall.openshift.io_ingressnodefirewalls.yaml
  • bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewalls.yaml
  • bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewallnodestates.yaml
  • manifests/stable/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml
  • bundle/manifests/ingressnodefirewall.openshift.io_ingressnodefirewallconfigs.yaml
🚧 Files skipped from review as they are similar to previous changes (6)
  • .gitignore
  • pkg/tls/tls_suite_test.go
  • config/manager/manager.yaml
  • config/rbac/role.yaml
  • pkg/tls/profile.go
  • main.go

@tpantelis tpantelis force-pushed the tls_profile_compliance branch 2 times, most recently from ef814c4 to 90648a0 Compare June 24, 2026 21:34
@tpantelis

Author

/retest

@tpantelis tpantelis force-pushed the tls_profile_compliance branch 2 times, most recently from 6ed99d2 to e267ae5 Compare June 25, 2026 05:01
Configure the operator's webhook and metrics servers to use the cluster's
TLS security profile for compliance with OpenShift TLS standards.

Changes:
- Fetch TLS profile from cluster APIServer configuration on startup
- Apply TLS configuration to webhook server (port 9443)
- Apply TLS configuration to metrics server
  (when --metrics-secure enabled)
- Add getTLSProfileSpec() to fetch and validate cluster TLS profile
- Honor TLS adherence policy from cluster APIServer
- Pass TLS profile to IngressNodeFirewallConfigReconciler for daemonset
  rendering

The operator now dynamically configures its webhook and metrics endpoints
with the cluster's TLS profile, ensuring consistent security policy
enforcement across the operator and its daemonset workloads.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
The kube-rbac-proxy sidecar hard-codes the --tls flags, which
is not TLS profile compliant. Also, restarting the container
on TLS profile change is problematic.

A simpler approach is to remove the kube-rbac-proxy sidecar
container from the operator deployment and use controller-runtime's
native support for TLS. The kube-rbac-proxy also provides RBAC
authorization but controller-runtime also provides this via
the `filters.WithAuthenticationAndAuthorization` FilterProvider.
This simplifies the deployment while maintaining TLS encryption and
enabling dynamic TLS profile updates.

Changes to main.go:
- Enable secure metrics by default (--metrics-secure=true)
- Change default metrics bind address from :39201 to :9300
- Add metrics-cert-dir flag for configurable certificate path
- Configure metrics server with RBAC authorization via FilterProvider
- Metrics server now serves TLS directly with dynamic profile support

Changes to config/manager/manager.yaml:
- Remove kube-rbac-proxy sidecar container entirely
- Update manager container args: --metrics-bind-address=:9300
- Add --metrics-cert-dir arg for certificate directory configuration
- Add metrics port exposure (9300/https) to manager container
- Move certificate volume mount from sidecar to manager container
- Retain service-ca secret volume for automatic certificate management

Changes to config/rbac/role.yaml:
- Add authentication.k8s.io/tokenreviews permission (for client auth)
- Add authorization.k8s.io/subjectaccessreviews permission (for RBAC checks)
- Required for FilterProvider.WithAuthenticationAndAuthorization

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
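The two commit messages above describe fetching the cluster's TLS profile and applying it to controller-runtime's webhook and metrics servers. The block below is an added example of the profile-to-tls.Config step, not code from this PR or from the ingress-node-firewall project. `TLSProfileSpec` is a hypothetical stand-in for the OpenShift `TLSSecurityProfile`; cipher names are assumed to already be in IANA form (the form kube-rbac-proxy's `--tls-cipher-suites` takes), only the Intermediate, Modern and Custom types are handled (Old is not), and the embedded Intermediate list omits the profile's two DHE suites because crypto/tls does not implement them. It falls back to Intermediate when the profile is unset and refuses unknown or insecure suite names rather than silently dropping them.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// TLSProfileSpec is a hypothetical stand-in for the OpenShift APIServer TLSSecurityProfile:
// a named profile, or Custom with an explicit IANA-named cipher list and a minimum version.
type TLSProfileSpec struct {
	Type          string   // "Intermediate", "Modern" or "Custom"; "" means unset
	Ciphers       []string // Custom only
	MinTLSVersion string   // Custom only: "VersionTLS12" or "VersionTLS13"
}

// intermediateCiphers is the Intermediate profile as documented for the OpenShift APIServer,
// minus its two DHE suites, which crypto/tls does not implement.
var intermediateCiphers = []string{
	"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

var minVersions = map[string]uint16{"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}

// suiteID resolves an IANA suite name to its crypto/tls ID. Names crypto/tls classifies as
// insecure are refused outright, so a Custom profile cannot re-enable them by accident.
func suiteID(name string) (uint16, error) {
	for _, s := range tls.CipherSuites() {
		if s.Name == name {
			return s.ID, nil
		}
	}
	for _, s := range tls.InsecureCipherSuites() {
		if s.Name == name {
			return 0, fmt.Errorf("cipher suite %s is classified insecure by crypto/tls", name)
		}
	}
	return 0, fmt.Errorf("unknown cipher suite %q", name)
}

// TLSOptionFromProfile resolves a profile into a func(*tls.Config), the element type of
// controller-runtime's webhook.Options.TLSOpts and metricsserver.Options.TLSOpts. An unset
// profile falls back to Intermediate; anything unresolvable is an error, never a weaker config.
func TLSOptionFromProfile(spec *TLSProfileSpec) (func(*tls.Config), error) {
	minVersion, names := uint16(tls.VersionTLS12), intermediateCiphers
	switch {
	case spec == nil || spec.Type == "" || spec.Type == "Intermediate":
	case spec.Type == "Modern":
		minVersion, names = tls.VersionTLS13, nil // TLS 1.3 suites are fixed by crypto/tls
	case spec.Type == "Custom" && minVersions[spec.MinTLSVersion] != 0:
		minVersion, names = minVersions[spec.MinTLSVersion], spec.Ciphers
	default:
		return nil, fmt.Errorf("unsupported profile type %q / minTLSVersion %q", spec.Type, spec.MinTLSVersion)
	}
	var ids []uint16
	for _, n := range names {
		id, err := suiteID(n)
		if err != nil {
			return nil, err
		}
		ids = append(ids, id) // TLS 1.3 IDs in this list are ignored by crypto/tls, which is harmless
	}
	if minVersion == tls.VersionTLS12 && len(ids) == 0 {
		return nil, fmt.Errorf("profile allows TLS 1.2 but lists no cipher suites")
	}
	return func(c *tls.Config) { c.MinVersion, c.CipherSuites = minVersion, ids }, nil
}

// ConfigFor applies the resolved option to a fresh tls.Config for inspection.
func ConfigFor(spec *TLSProfileSpec) (*tls.Config, error) {
	opt, err := TLSOptionFromProfile(spec)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{}
	opt(cfg)
	return cfg, nil
}

func main() {
	// Constructed inputs: unset (falls back to Intermediate), Modern, and a Custom profile
	// that tries to enable an RC4 suite, which must be refused.
	for _, spec := range []*TLSProfileSpec{
		nil, {Type: "Modern"},
		{Type: "Custom", MinTLSVersion: "VersionTLS12", Ciphers: []string{"TLS_RSA_WITH_RC4_128_SHA"}},
	} {
		cfg, err := ConfigFor(spec)
		if err != nil {
			fmt.Printf("%+v -> rejected: %v\n", spec, err)
			continue
		}
		var names []string
		for _, id := range cfg.CipherSuites {
			names = append(names, tls.CipherSuiteName(id))
		}
		fmt.Printf("%+v -> MinVersion=%#x suites=%v\n", spec, cfg.MinVersion, names)
	}
}
```

The returned func is what would be appended to `webhook.Options.TLSOpts` and `metricsserver.Options.TLSOpts`; pairing the metrics server with `filters.WithAuthenticationAndAuthorization`, as the commit describes, covers the authorization half that kube-rbac-proxy used to provide. Because Go ignores TLS 1.3 entries in `CipherSuites`, a Modern profile reduces to `MinVersion = tls.VersionTLS13`, and a Custom profile whose cipher list resolves to nothing usable at TLS 1.2 is rejected instead of being served with Go's defaults.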
@tpantelis tpantelis force-pushed the tls_profile_compliance branch from e267ae5 to 23fa5db Compare June 25, 2026 11:29
@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Contributor

@tpantelis: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
