CNTRLPLANE-2241: Update library-go to get KMS encryption

[ardaguclu]

This PR is to update library-go to get openshift/library-go#2086

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

Walkthrough

The go.mod file was updated: the required module github.com/openshift/api bumped to a newer pseudo-version, the single-line replace was expanded into a block, preserving the github.com/onsi/ginkgo/v2 mapping and adding a new github.com/openshift/library-go => fork replacement.

Changes

Cohort / File(s)	Summary
Module requirements go.mod	Updated require for github.com/openshift/api from v0.0.0-20260126183958-606bd613f9f7 to v0.0.0-20260212193555-c06ab675261f.
Replace directive (module replacements) go.mod	Converted single-line replace to a block. Kept github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 and added github.com/openshift/library-go => github.com/ardaguclu/library-go v0.0.0-20260217073437-5a7a2b2a33d9.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@go.mod`:
- Around line 134-137: The go.mod replace directive temporarily points
github.com/openshift/library-go to a personal fork
(github.com/ardaguclu/library-go); remove that replace entry (or change it to
the official module/version) so the project depends on the upstream
github.com/openshift/library-go instead of the personal fork, ensuring the
replace block no longer references github.com/ardaguclu/library-go.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check the repository context and understand the go.mod file
pwd
git ls-files go.mod | head -20

Repository: openshift/cluster-authentication-operator

Length of output: 110

---

🏁 Script executed:

# Check the full go.mod file to understand the context
head -150 go.mod | tail -50

Repository: openshift/cluster-authentication-operator

Length of output: 2590

---

🏁 Script executed:

# Look for any PR metadata or documentation files
git ls-files | grep -E "(DESCRIPTION|PR|NOTES|TODO|README)" | head -20

Repository: openshift/cluster-authentication-operator

Length of output: 955

---

🏁 Script executed:

# Search for any comments or TODOs mentioning library-go or kms
rg -i "library-go|kms" --type md --type txt -A 2 -B 2

Repository: openshift/cluster-authentication-operator

Length of output: 15965

---

🏁 Script executed:

# Check git log for this specific change
git log --all --oneline --grep="library-go" -i | head -10
git log --all --oneline --grep="kms" -i | head -10

Repository: openshift/cluster-authentication-operator

Length of output: 1138

---

🏁 Script executed:

# Check if there are any CI/CD configuration files that might indicate test-only status
git ls-files | grep -E "(\.github|\.gitlab|\.circleci|Makefile|\.mk)" | head -20

Repository: openshift/cluster-authentication-operator

Length of output: 1099

---

🏁 Script executed:

# Check current branch and which branches contain this commit
git rev-parse --abbrev-ref HEAD
git branch -a --contains 8fa97618

# Check the most recent commit on main/master
git log main --oneline -1 2>/dev/null || git log master --oneline -1

# Check if the replace directive change is in the current default branch
git show main:go.mod 2>/dev/null | grep -A 5 "^replace" || git show master:go.mod 2>/dev/null | grep -A 5 "^replace"

Repository: openshift/cluster-authentication-operator

Length of output: 289

---

🏁 Script executed:

# Check the status of the working directory to see if go.mod has uncommitted changes
git status go.mod

# Show the current go.mod replace directive
git show HEAD:go.mod | grep -A 5 "^replace"

Repository: openshift/cluster-authentication-operator

Length of output: 368

---

🏁 Script executed:

# Look for any PR or issue context that might indicate this is temporary
# Check for any TODO, FIXME, or comments about reverting this change
rg -i "TODO|FIXME|revert|temporary|temp" go.mod -B 3 -A 3
git log --all --grep="revert\|temporary\|temp" -i --oneline | grep -i library-go

Repository: openshift/cluster-authentication-operator

Length of output: 67

---

Remove personal fork replacement before merging to production.

The replace directive points github.com/openshift/library-go to a personal fork (github.com/ardaguclu/library-go). While the commit message confirms this is for testing KMS functionality, this must be reverted before merging to the master branch, as personal forks introduce security risks (potential supply chain vulnerabilities) and maintainability issues (forks may diverge from the official library). Ensure the original github.com/openshift/library-go is restored in the final version.

🤖 Prompt for AI Agents

In `@go.mod` around lines 134 - 137, The go.mod replace directive temporarily
points github.com/openshift/library-go to a personal fork
(github.com/ardaguclu/library-go); remove that replace entry (or change it to
the official module/version) so the project depends on the upstream
github.com/openshift/library-go instead of the personal fork, ensuring the
replace block no longer references github.com/ardaguclu/library-go.

[p0lyn0mial]

/test e2e-gcp-operator-encryption

[ardaguclu]

/retest

[ardaguclu]

/retest

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ardaguclu: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR is to update library-go to get openshift/library-go#2086

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[p0lyn0mial]

/lgtm

/hold

let's wait for the encryption (optional) CI jobs.

[p0lyn0mial]

/assign @liouk

for approval

[ardaguclu]

/retest-required

[openshift-ci]

@ardaguclu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-2of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-perf-serial-ote-2of2
ci/prow/e2e-aws-operator-encryption-perf-serial-ote-1of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-perf-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-1of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-rotation-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-rotation-serial-ote-2of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-rotation-serial-ote-2of2
ci/prow/e2e-aws-operator-encryption-serial-ote-1of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-serial-ote-1of2
ci/prow/e2e-aws-operator-encryption-serial-ote-2of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-serial-ote-2of2
ci/prow/e2e-aws-operator-serial-ote	63fa7c0	link	false	/test e2e-aws-operator-serial-ote
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-1of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-kms-serial-ote-1of2
ci/prow/e2e-aws-operator-parallel-ote	63fa7c0	link	false	/test e2e-aws-operator-parallel-ote
ci/prow/e2e-aws-operator-encryption-kms-serial-ote-2of2	63fa7c0	link	false	/test e2e-aws-operator-encryption-kms-serial-ote-2of2

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ardaguclu]

This can be considered a safe change because imported changes can only be used by enabling KMSEncryption feature gate AND KMS encryption mode on apiserver.config.openshift.io. Besides, this is important functionality we want to deliver soon to immediately start working on TechPreview v2.
/label acknowledge-critical-fixes-only

[ardaguclu]

/verified by e2e-gcp-operator-encryption-kms ci

[openshift-ci-robot]

@ardaguclu: This PR has been marked as verified by e2e-gcp-operator-encryption-kms ci.

Details

In response to this:

/verified by e2e-gcp-operator-encryption-kms ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

/hold cancel

[liouk]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, liouk, p0lyn0mial

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [liouk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment