
@mdbooth
Contributor

@mdbooth mdbooth commented Dec 16, 2025

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added provider image metadata support for improved cluster API operator manifest handling and image resolution.
  • Infrastructure

    • New RBAC permissions for cluster API operator to access pull-secret credentials.
    • Added storage volume and configuration for provider image caching in cluster API operator deployment.


@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 16, 2025
@coderabbitai

coderabbitai bot commented Dec 16, 2025

📝 Walkthrough


The changes add provider image metadata support by threading provider image data through the operator's reconciliation pipeline. Core additions include a new providerimages module for extracting provider manifests from container images, refactoring manifest generation from unstructured to typed client.Object, and extending RBAC for pull-secret access.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Provider Image Threading: cmd/cluster-capi-operator/main.go | Reads provider images from disk via PROVIDER_IMAGE_DIR, passes them through setupPlatformReconcilers and setupReconcilers, and injects into CapiInstallerController |
| Provider Image Module: pkg/providerimages/providerimages.go, pkg/providerimages/providerimages_test.go, pkg/providerimages/pullsecret.go | New module for extracting provider manifests from container images; includes image fetching abstraction, Docker config keychain parsing, tar layer extraction, and comprehensive test coverage |
| CAPI Installer Reconciliation: pkg/controllers/capiinstaller/capi_installer_controller.go, pkg/controllers/capiinstaller/capi_installer_controller_test.go | Adds provider image field, reader-based manifest extraction, and new reconcileProviderImages and applyProviderImage methods; updates extraction to use io.Reader abstraction |
| Manifest Generation Refactoring: manifests-gen/customizations.go, manifests-gen/generate.go, manifests-gen/main.go, manifests-gen/util.go, manifests-gen/kustomization.yaml | Migrates from unstructured to typed client.Object; introduces kustomize-based resource generation; adds validation for provider type, version, and platform; removes legacy provider-specific customization dispatch |
| Provider Customizations Removed: manifests-gen/providercustomizations.go, manifests-gen/providers.go | Entire provider-specific customization and manifest-writing pipeline removed; responsibility moved to typed handlers and external manifest generation |
| Dependency Updates: go.mod, e2e/go.mod, hack/tools/go.mod, manifests-gen/go.mod | Added docker-cli, go-containerregistry, openshift/api; updated golang.org/x/tools, golang.org/x/oauth2; manifests-gen adds controller-runtime and sigs.k8s.io dependencies with replace directive for cluster-capi-operator |
| RBAC & Deployment: manifests/0000_30_cluster-api_03_rbac_roles.yaml, manifests/0000_30_cluster-api_04_rbac_bindings.yaml, manifests/0000_30_cluster-api_11_deployment.yaml | New Role and RoleBinding for pull-secret access in openshift-config; deployment adds PROVIDER_IMAGE_DIR env var and provider-images emptyDir volume |
| Minor Fixes: pkg/controllers/infracluster/azure.go, pkg/conversion/capi2mapi/aws.go | Removed linting directives (nolint:gosec) with no logic changes |
| Utility Changes: pkg/util/readconfig.go | Removed YAML provider support; ReadImagesFile now parses JSON instead of YAML |

Sequence Diagram(s)

sequenceDiagram
    participant Operator as Cluster CAPI Operator
    participant K8s as Kubernetes API
    participant Registry as Container Registry
    participant Disk as Local Disk Cache
    participant Reconciler as CAPI Installer<br/>Reconciler

    Operator->>K8s: Read pull-secret from openshift-config
    K8s-->>Operator: Pull secret credentials
    Operator->>Registry: Fetch provider image<br/>(with keychain auth)
    Registry-->>Operator: Image layers (tar.gz)
    Operator->>Operator: Extract metadata.yaml &<br/>manifests.yaml from layers
    Operator->>Disk: Write manifests to<br/>providerImageDir/<sanitized-ref>/
    Operator->>Operator: Compute SHA256<br/>ContentID
    Operator->>Reconciler: Inject ProviderImages[]<br/>with metadata & path
    Reconciler->>Disk: Read provider manifests<br/>from cache
    Reconciler->>K8s: Apply manifests to cluster
    K8s-->>Reconciler: Resources created/updated

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 Hops with glee!
Provider images now dance,
From registries fetched, tar layers unwrapped,
Manifests typed and cached on disk—
Pull secrets whisper credentials,
And reconcilers apply with grace! 🌟

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 35.56% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main objective: rewriting manifests-gen to support upgrade safety by embedding CAPI installer manifests in provider images. |

@openshift-ci
Contributor

openshift-ci bot commented Dec 16, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Contributor

openshift-ci bot commented Dec 16, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign racheljpg for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mdbooth mdbooth changed the title Rewrite manifests-gen to support upgrade safety OCPCLOUD-3327: Rewrite manifests-gen to support upgrade safety Dec 16, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 16, 2025
@openshift-ci-robot

openshift-ci-robot commented Dec 16, 2025

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

  • Remove provider customisation for PowerVS
  • manifests-gen: Rewrite to support Update Safety
  • capiinstaller: Compatibility with new manifests-gen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@mdbooth
Contributor Author

mdbooth commented Dec 16, 2025

/test e2e-aws-ovn-techpreview

@mdbooth
Contributor Author

mdbooth commented Dec 16, 2025

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

@mdbooth
Contributor Author

mdbooth commented Dec 17, 2025

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

@mdbooth
Contributor Author

mdbooth commented Dec 17, 2025

/test e2e-aws-ovn-techpreview

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 18, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 18, 2025
@mdbooth mdbooth force-pushed the manifests-gen branch 3 times, most recently from f3ba06c to a8a93e3 Compare December 18, 2025 16:54
@mdbooth
Contributor Author

mdbooth commented Dec 19, 2025

/test e2e-aws-ovn-techpreview
/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584

@mdbooth
Contributor Author

mdbooth commented Dec 19, 2025

/test e2e-aws-ovn-techpreview

@mdbooth
Contributor Author

mdbooth commented Dec 19, 2025

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

@mdbooth
Contributor Author

mdbooth commented Dec 19, 2025

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

@mdbooth
Contributor Author

mdbooth commented Dec 19, 2025

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

@mdbooth
Contributor Author

mdbooth commented Dec 21, 2025

The e2e-aws-ovn-techpreview pass shows the modifications to the capiinstaller controller are backwards compatible with current transport configmaps.

openshift/cluster-api-provider-aws#584 and openshift/cluster-api#259 update CAPA and core CAPI to publish manifests only in the provider images. They do not publish transport configmaps.

The multi-pr test pass with these 2 PRs shows that pulling manifests from images is working.
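CodeRabbit's walkthrough earlier in this thread lists tar layer extraction and a SHA256 content ID among the steps for reading manifests from a provider image. The Go program below is an added example, not code from this PR: it reads metadata.yaml and manifests.yaml out of one gzip-compressed layer while refusing non-regular entries and oversized files. The directory name `capi-operator-manifests`, the 1 MiB cap, the content ID scheme and all function names are assumptions made for the illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"path"
)

// Assumed for this example, not taken from the PR: image directory and size cap.
const (
	manifestDir = "capi-operator-manifests" // hypothetical path in the image
	maxFileSize = 1 << 20                   // 1 MiB, guards against decompression bombs
)

var wanted = map[string]bool{"metadata.yaml": true, "manifests.yaml": true}

// extractProviderFiles reads one gzip-compressed tar layer and returns only the
// two expected files, keyed by fixed names rather than archive-supplied paths.
func extractProviderFiles(layer io.Reader) (map[string][]byte, error) {
	gz, err := gzip.NewReader(layer)
	if err != nil {
		return nil, fmt.Errorf("open layer: %w", err)
	}
	defer gz.Close()
	out, tr := map[string][]byte{}, tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return out, nil
		} else if err != nil {
			return nil, fmt.Errorf("read layer: %w", err)
		}
		// Normalise the name so "./" prefixes match and ".." segments are resolved.
		dir, base := path.Split(path.Clean("/" + hdr.Name))
		if dir != "/"+manifestDir+"/" || !wanted[base] {
			continue
		}
		// A symlink, hardlink or device carrying an expected name is rejected.
		if hdr.Typeflag != tar.TypeReg {
			return nil, fmt.Errorf("%s: not a regular file", hdr.Name)
		}
		data, err := io.ReadAll(io.LimitReader(tr, maxFileSize+1))
		if err == nil && len(data) > maxFileSize {
			err = fmt.Errorf("over %d bytes", maxFileSize)
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", hdr.Name, err)
		}
		out[base] = data
	}
}

// contentID hashes both files in a fixed order with length prefixes (assumed scheme).
func contentID(files map[string][]byte) string {
	h := sha256.New()
	for _, name := range []string{"metadata.yaml", "manifests.yaml"} {
		fmt.Fprintf(h, "%s %d\n", name, len(files[name]))
		h.Write(files[name])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// entry and buildLayer assemble in-memory layers; errors are ignored for brevity.
type entry struct {
	name, body, link string
	typ              byte
}

func buildLayer(entries ...entry) io.Reader {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e.name, Typeflag: e.typ, Linkname: e.link, Mode: 0o644, Size: int64(len(e.body))})
		tw.Write([]byte(e.body))
	}
	tw.Close()
	gz.Close()
	return &buf
}

// Constructed sample layers: a well-formed one, and one that swaps in a symlink.
var sample = []entry{
	{name: "etc/hostname", body: "unrelated\n", typ: tar.TypeReg},
	{name: manifestDir + "/metadata.yaml", body: "name: example\n", typ: tar.TypeReg},
	{name: "./" + manifestDir + "/manifests.yaml", body: "kind: Deployment\n", typ: tar.TypeReg},
	{name: manifestDir + "/nested/../../tmp/manifests.yaml", body: "wrong directory\n", typ: tar.TypeReg},
}
var hostile = []entry{{name: manifestDir + "/manifests.yaml", link: "/etc/shadow", typ: tar.TypeSymlink}}

func main() {
	files, err := extractProviderFiles(buildLayer(sample...))
	fmt.Println(len(files), contentID(files), err)
	fmt.Println(extractProviderFiles(buildLayer(hostile...)))
}
```

Because the returned map is keyed by the two fixed names, nothing an archive supplies is ever used as a filesystem path when the caller writes the files to its cache directory.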

@mdbooth mdbooth marked this pull request as ready for review January 5, 2026 13:09
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 5, 2026
@openshift-ci openshift-ci bot requested review from nrb and theobarberbany January 5, 2026 13:09
@openshift-ci-robot

openshift-ci-robot commented Jan 5, 2026

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

  • New Features

  • Read and cache provider manifests directly from provider container images; process and surface provider metadata.

  • Infrastructure

  • Revamped manifest generation to compile kustomize outputs and write manifests and provider metadata files.

  • Manifest config input now expects JSON for image lists.

  • Added RBAC role/binding and a container env + volume for provider image access.

  • Tests

  • Added comprehensive tests for provider-image extraction.

  • Chores

  • Bumped various Go module dependencies.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
manifests-gen/go.mod (1)

19-25: Consolidate require blocks for Go convention.

The code uses two separate require blocks (lines 7–17 and 19–25). While technically valid in Go 1.17+, it's unconventional. Most Go projects consolidate all direct dependencies into a single require block for clarity and maintainability.

🔎 Proposed consolidation
 require (
 	github.com/cert-manager/cert-manager v1.18.2
 	k8s.io/api v0.34.1
 	k8s.io/apiextensions-apiserver v0.34.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1
 	// Update kustomize when updating k8s
 	sigs.k8s.io/kustomize/api v0.20.1
 	sigs.k8s.io/kustomize/kyaml v0.20.1
 	sigs.k8s.io/yaml v1.6.0
+	github.com/google/go-containerregistry v0.20.7
+	github.com/openshift/api v0.0.0-20251214014457-bfa868a22401
+	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
+	sigs.k8s.io/controller-runtime v0.22.4
 )
-
-require (
-	github.com/google/go-containerregistry v0.20.7
-	github.com/openshift/api v0.0.0-20251214014457-bfa868a22401
-	github.com/openshift/cluster-capi-operator v0.0.0-00010101000000-000000000000
-	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
-	sigs.k8s.io/controller-runtime v0.22.4
-)
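Review bot: The removed block drops "github.com/openshift/cluster-capi-operator v0.0.0-00010101000000-000000000000" and the consolidated require block does not re-add it, so the module would end up with no requirement on it at all. A replace directive only redirects a module that is already required; it does not add one to the module graph, so if manifests-gen imports packages from cluster-capi-operator the build breaks until go mod tidy restores the line. Keep that entry in require alongside the replace, and put the four moved entries in sorted position rather than appending them after sigs.k8s.io/yaml.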

Note: github.com/openshift/cluster-capi-operator should remain in the replace block (not in require) since it's satisfied by the relative replace directive.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 493d1f3 and e1df433.

⛔ Files ignored due to path filters (274)
  • vendor/github.com/docker/cli/cli/config/configfile/file_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/configfile/file_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/file_store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/native_store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/memorystore/store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/types/authconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/distribution/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/distribution/registry/client/auth/challenge/addr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/distribution/registry/client/auth/challenge/authchallenge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/client/client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/client/command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/helper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/and/and_closer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/compression/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/estargz/estargz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/gzip/zip.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/redact/redact.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/retry/retry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/retry/wait/kubernetes_apimachinery_wait.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/verify/verify.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/zstd/zstd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/anon.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/auth.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/authn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/basic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/bearer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/multikeychain.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/compression/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/logs/logs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/check.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/digest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/ref.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/repository.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/tag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/layer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/match/match.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/rebase.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/compressed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/uncompressed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/with.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/platform.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/progress.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/catalog.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/check.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/delete.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/descriptor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/fetcher.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (3)
  • e2e/go.mod
  • hack/tools/go.mod
  • manifests-gen/go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • hack/tools/go.mod
🔇 Additional comments (5)
manifests-gen/go.mod (2)

20-20: Verify container image registry dependencies are acceptable.

The dependencies on google/go-containerregistry v0.20.7 (the latest available version) introduce transitive dependencies: docker/cli, docker/distribution, docker/docker-credential-helpers, containerd/stargz-snapshotter/estargz, opencontainers/image-spec, and container-related utilities. No known security advisories exist for v0.20.7.

Confirm that:

  • The binary size impact is acceptable for your use case.
  • Security scanning is in place for these dependencies.
  • These dependencies align with the provider image feature scope.

83-83: No action needed—the relative replace directive is correct for this Go workspace setup.

This repository uses Go 1.18+ workspaces (go.work), which properly handle relative paths in replace directives across multiple modules. The manifests-gen module references its parent module (github.com/openshift/cluster-capi-operator) via the relative path, which is standard practice and fully compatible with CI/CD pipelines since the entire repository structure is preserved during cloning.

e2e/go.mod (3)

5-10: Verify cleanup strategy for TODO replaces before merge.

The comment indicates these replace directives are temporary and should be removed when external PRs (cluster-api-actuator-pkg and cluster-api-provider-azure) are merged. Ensure there's a tracking mechanism for removal—either link to tracking issues or confirm the external PRs are already merged.


1-35: Changes align well with PR objectives.

The dependency updates support the new provider image metadata extraction feature:

  • Updated openshift/api and openshift/client-go enable image metadata reading
  • klauspost/compress (indirect) supports container image I/O
  • Standard toolchain updates (oauth2, tools) are appropriate

The e2e module correctly reflects the transitive dependencies introduced by provider image handling and manifest generation changes.


19-19: Dependency versions verified as secure.

All updated dependencies have been checked against known security advisories. No CVEs were found for:

  • openshift/api v0.0.0-20251214014457-bfa868a22401
  • klauspost/compress v1.18.1
  • openshift/client-go v0.0.0-20251205093018-96a6cbc1420c
  • golang.org/x/oauth2 v0.33.0 (safe from CVE-2025-22868, which was fixed in v0.27.0)
  • golang.org/x/tools v0.39.0

@mdbooth mdbooth force-pushed the manifests-gen branch 2 times, most recently from fdbc9bf to 080ea0b Compare January 5, 2026 14:43
@openshift-ci-robot
openshift-ci-robot commented Jan 5, 2026

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

  • New Features

  • Read and cache provider manifests directly from provider container images and surface provider metadata.

  • Infrastructure

  • New manifest generator: compiles kustomize outputs, writes manifests and provider metadata, and adds a kustomize component to retain secrets.

  • Manifest input now expects JSON for image lists.

  • Operator deployment: env var and volume added to enable provider-image consumption; new RBAC Role & RoleBinding for pull-secret access.

  • Tests

  • Added comprehensive tests for provider-image extraction.

  • Chores

  • Bumped multiple Go module dependencies.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Fix all issues with AI Agents 🤖
In @pkg/controllers/capiinstaller/capi_installer_controller.go:
- Around line 181-183: When reconcileProviderImages returns an error, set the
ClusterOperator degraded condition before returning the error; call the
controller's setDegradedCondition (same pattern used earlier) with a clear
reason like "ReconcileProviderImagesFailed" and include the error message, then
return the fmt.Errorf wrapping that error from reconcileProviderImages so the
degraded status is recorded consistently with the other failure paths.
- Around line 228-250: The defer that calls reader.Close() is inside the loop
and delays closing all readers until the outer function returns, causing a
resource leak; fix by moving the per-image processing into a helper (e.g., a new
function processProviderImage or reconcileProviderImage) that takes the
providerImage and ctx, calls providerManifestReader, defers reader.Close()
inside that helper, then calls extractManifests and r.applyProviderComponents
before returning; alternatively explicitly call reader.Close() immediately after
extractManifests/applyProviderComponents within the loop (ensuring any close
errors are handled/joined) so each reader is closed at the end of its iteration
rather than at function exit.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
manifests-gen/customizations.go (1)

163-165: Typo in panic message.

The panic message contains a typo: "cert:CustomResourceDefinition" should likely be just "cert: " to match the pattern in lines 138-139 and 152-153.

🔎 Proposed fix
-				panic("can't find secret from cert:CustomResourceDefinition " + certNN)
+				panic("can't find secret from cert: " + certNN)
🧹 Nitpick comments (5)
pkg/providerimages/providerimages_test.go (1)

196-216: Verify type comparison for OCPPlatform.

Line 204 compares manifest.OCPPlatform (type configv1.PlatformType) to the string "aws". This works because configv1.PlatformType is an alias for string, but consider using the constant configv1.AWSPlatformType for type safety and clarity.

🔎 Suggested improvement
-				g.Expect(manifest.OCPPlatform).To(Equal("aws"))
+				g.Expect(manifest.OCPPlatform).To(Equal(configv1.AWSPlatformType))
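
Review bot: the replacement line is not value-equivalent to the one it removes: configv1.AWSPlatformType is the string "AWS", while the assertion being replaced expects "aws", so applying it as written changes what the test requires of manifest.OCPPlatform. Gomega's Equal is also type-strict (it uses reflect.DeepEqual), so a configv1.PlatformType value and the untyped literal "aws" do not compare equal even when the text matches. Confirm which case the provider metadata actually carries, then compare against a typed value, for example Equal(configv1.PlatformType("aws")) if lowercase is intended.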

This would require adding configv1 "github.com/openshift/api/config/v1" to imports.

manifests/0000_30_cluster-api_11_deployment.yaml (1)

95-96: Consider adding a sizeLimit to the emptyDir volume.

While emptyDir is appropriate for ephemeral provider image caching, consider adding a sizeLimit to prevent unbounded disk usage:

- name: provider-images
  emptyDir:
    sizeLimit: "1Gi"

This ensures the cache doesn't consume excessive node storage if provider images are larger than expected.

manifests-gen/util.go (2)

5-11: Consider adding nil checks to getKind and getGroup.

While these helper functions are simple accessors, adding nil checks would prevent potential panics if called with nil objects:

🔎 Proposed enhancement
 func getKind(obj client.Object) string {
+	if obj == nil {
+		return ""
+	}
 	return obj.GetObjectKind().GroupVersionKind().Kind
 }
 
 func getGroup(obj client.Object) string {
+	if obj == nil {
+		return ""
+	}
 	return obj.GetObjectKind().GroupVersionKind().Group
 }
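
Review bot: the added `if obj == nil` guards in getKind and getGroup only catch a nil interface value; a nil typed pointer stored in a client.Object (for example a nil *corev1.Secret) is non-nil as an interface and can still panic on obj.GetObjectKind(). Returning "" also turns a programming error into a silent empty kind or group that downstream comparisons treat as a non-match, so in a generator it is safer to keep failing loudly, or to return an error the caller must handle.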

21-25: Enhance panic message with error context.

The mustConvert function panics without providing context about which conversion failed. Consider wrapping the error:

🔎 Proposed enhancement
 func mustConvert[T client.Object](from client.Object, to T) {
 	if err := convert(from, to); err != nil {
-		panic(err)
+		panic(fmt.Errorf("failed to convert %T to %T: %w", from, to, err))
 	}
 }
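
Review bot: in the new panic line, %T reports only the Go types, so when two inputs share a Go type (any pair of unstructured objects, say) the message does not identify which manifest failed. from is a client.Object, so adding its GroupVersionKind and namespace/name to the message makes a failed generator run traceable to a specific resource.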

This would require adding "fmt" to the imports.

manifests-gen/customizations.go (1)

219-228: Typo in function name: replaceCertMangerServiceSecret.

The function name has a typo: "Manger" should be "Manager" for consistency with replaceCertManagerAnnotations.

🔎 Proposed fix
-func replaceCertMangerServiceSecret(obj client.Object, serviceSecretNames map[string]string) {
+func replaceCertManagerServiceSecret(obj client.Object, serviceSecretNames map[string]string) {

Also update the call site at line 69:

-			replaceCertMangerServiceSecret(obj, serviceSecretNames)
+			replaceCertManagerServiceSecret(obj, serviceSecretNames)
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between e1df433 and 080ea0b.

⛔ Files ignored due to path filters (260)
  • vendor/github.com/cloudflare/circl/internal/sha3/rc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/internal/sha3/sha3.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/internal/sha3/sha3_s390x.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/internal/sha3/shake.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/internal/sha3/xor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/internal/sha3/xor_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/internal/sha3/xor_unaligned.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp25519/fp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp25519/fp_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp25519/fp_amd64.h is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp25519/fp_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp25519/fp_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp25519/fp_noasm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp448/fp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp448/fp_amd64.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp448/fp_amd64.h is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp448/fp_amd64.s is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp448/fp_generic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp448/fp_noasm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/fp448/fuzzer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/integer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/mlsbset/mlsbset.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/mlsbset/power.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/primes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/math/wnaf.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/ed25519.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/modular.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/mult.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/point.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/pubkey.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/pubkey112.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/signapi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed25519/tables.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed448/ed448.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/ed448/signapi.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cloudflare/circl/sign/sign.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/stargz-snapshotter/estargz/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/stargz-snapshotter/estargz/build.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/stargz-snapshotter/estargz/errorutil/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/stargz-snapshotter/estargz/estargz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/stargz-snapshotter/estargz/gzip.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/stargz-snapshotter/estargz/testutil.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/containerd/stargz-snapshotter/estargz/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/.gitattributes is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/.golangci.yml is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/CODE-OF-CONDUCT.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/GOVERNANCE.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/MAINTAINERS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/Makefile is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/SECURITY.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/distribution-logo.svg is excluded by !**/*.svg, !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/normalize.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/reference.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/regexp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/distribution/reference/sort.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/AUTHORS is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/NOTICE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/configfile/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/configfile/file_unix.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/configfile/file_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_darwin.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_linux.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_unsupported.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/default_store_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/file_store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/credentials/native_store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/memorystore/store.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/cli/cli/config/types/authconfig.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/distribution/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/distribution/registry/client/auth/challenge/addr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/distribution/registry/client/auth/challenge/authchallenge.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/client/client.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/client/command.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/helper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/docker/docker-credential-helpers/credentials/version.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/and/and_closer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/compression/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/estargz/estargz.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/gzip/zip.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/redact/redact.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/retry/retry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/retry/wait/kubernetes_apimachinery_wait.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/verify/verify.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/internal/zstd/zstd.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/anon.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/auth.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/authn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/basic.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/bearer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/multikeychain.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/compression/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/logs/logs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/check.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/digest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/ref.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/repository.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/tag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/layer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/match/match.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/rebase.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (24)
  • cmd/cluster-capi-operator/main.go
  • e2e/go.mod
  • go.mod
  • hack/tools/go.mod
  • manifests-gen/customizations.go
  • manifests-gen/generate.go
  • manifests-gen/go.mod
  • manifests-gen/kustomization.yaml
  • manifests-gen/main.go
  • manifests-gen/providercustomizations.go
  • manifests-gen/providers.go
  • manifests-gen/util.go
  • manifests/0000_30_cluster-api_03_rbac_roles.yaml
  • manifests/0000_30_cluster-api_04_rbac_bindings.yaml
  • manifests/0000_30_cluster-api_11_deployment.yaml
  • pkg/controllers/capiinstaller/capi_installer_controller.go
  • pkg/controllers/capiinstaller/capi_installer_controller_test.go
  • pkg/controllers/infracluster/azure.go
  • pkg/conversion/capi2mapi/aws.go
  • pkg/conversion/mapi2capi/aws_fuzz_test.go
  • pkg/providerimages/providerimages.go
  • pkg/providerimages/providerimages_test.go
  • pkg/providerimages/pullsecret.go
  • pkg/util/readconfig.go
💤 Files with no reviewable changes (4)
  • manifests-gen/providers.go
  • pkg/util/readconfig.go
  • pkg/conversion/capi2mapi/aws.go
  • manifests-gen/providercustomizations.go
🚧 Files skipped from review as they are similar to previous changes (4)
  • pkg/controllers/capiinstaller/capi_installer_controller_test.go
  • pkg/providerimages/providerimages.go
  • pkg/conversion/mapi2capi/aws_fuzz_test.go
  • e2e/go.mod
🧰 Additional context used
🧬 Code graph analysis (4)
manifests-gen/generate.go (1)
pkg/providerimages/providerimages.go (1)
  • ProviderMetadata (66-72)
pkg/controllers/capiinstaller/capi_installer_controller.go (1)
pkg/providerimages/providerimages.go (1)
  • ProviderImageManifests (56-63)
cmd/cluster-capi-operator/main.go (1)
pkg/providerimages/providerimages.go (2)
  • ReadProviderImages (117-131)
  • ProviderImageManifests (56-63)
pkg/providerimages/providerimages_test.go (1)
pkg/providerimages/providerimages.go (1)
  • ProviderImageManifests (56-63)
🪛 Checkov (3.2.334)
manifests/0000_30_cluster-api_11_deployment.yaml

[medium] 2-96: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 2-96: Minimize the admission of root containers

(CKV_K8S_23)

🔇 Additional comments (29)
manifests/0000_30_cluster-api_03_rbac_roles.yaml (1)

36-55: LGTM! Least-privilege RBAC for pull-secret access.

The new Role correctly grants minimal permissions (only get on the specific pull-secret in openshift-config) needed for the operator to access registry credentials when pulling provider images. The use of resourceNames restriction follows security best practices.

manifests/0000_30_cluster-api_04_rbac_bindings.yaml (1)

38-56: LGTM! RoleBinding correctly configured for cross-namespace access.

The RoleBinding is properly configured to grant the cluster-capi-operator ServiceAccount (from openshift-cluster-api namespace) access to the pull-secret Role in the openshift-config namespace. The role reference and subject are both correctly specified.

pkg/providerimages/pullsecret.go (2)

29-40: LGTM!

The parseDockerConfig function correctly handles the empty input case by returning the default keychain, and properly wraps parsing errors with context.


47-75: LGTM!

The Resolve method correctly:

  1. Maps DefaultRegistry to DefaultAuthKey for docker.io compatibility
  2. Handles empty auth configs by returning Anonymous
  3. Properly constructs the authenticator with all relevant credential fields

The ServerAddress clearing on line 62 is safe since GetAuthConfig returns a value copy.

pkg/providerimages/providerimages_test.go (6)

39-60: LGTM!

The fakeImageFetcher implementation is well-structured:

  • Properly checks context cancellation before proceeding
  • Supports configurable errors and images for test scenarios
  • Returns a descriptive error for unknown references

62-93: LGTM!

The createTarLayer helper correctly constructs in-memory tar layers for testing, with proper error handling and closure of the tar writer.


95-123: LGTM!

The test image creation helpers are clean and follow go-containerregistry patterns correctly. Using empty.Image as a base with mutate.AppendLayers is the idiomatic approach.


125-162: LGTM!

Good approach deriving test path constants from production constants to keep tests in sync. The createMetadataYAML helper now correctly uses providerImageRef on line 160, addressing the previously noted issue.


164-174: LGTM!

The table-driven test structure is well-designed with appropriate fields for different test scenarios. The //nolint:gocognit,funlen directive is reasonable for comprehensive test functions that cover many edge cases.


533-598: LGTM!

The test runner is well-implemented:

  • Uses t.TempDir() for proper test isolation
  • Correctly handles optional context setup with proper defer placement
  • Validates both error conditions and output directory structure
  • Verifies manifest files exist and correspond to input container images
manifests/0000_30_cluster-api_11_deployment.yaml (2)

38-39: LGTM! Environment variable aligns with volume mount path.

The PROVIDER_IMAGE_DIR environment variable correctly points to the mounted provider-images volume path, enabling the operator to locate cached provider manifests.


58-59: LGTM! Volume mount correctly configured for provider image caching.

The writable mount at /var/lib/provider-images is appropriate for caching provider manifests extracted from images.

pkg/controllers/infracluster/azure.go (1)

280-280: LGTM! The nolint directive removal is appropriate.

The //nolint:gosec directive was removed from the port conversion. The inline comment on line 279 correctly explains that port numbers are always less than 65536, making the int64 to int32 conversion safe. If gosec flags this during CI, the directive can be re-added, but the conversion itself is correct.

manifests-gen/util.go (1)

13-19: LGTM! GVK synchronization after conversion is correct.

The convert function properly copies the GroupVersionKind from the source to the target after conversion. This ensures type information is preserved through the conversion process, which is essential for runtime object handling.

manifests-gen/go.mod (3)

29-59: LGTM! Indirect dependency additions support container image operations.

The new indirect dependencies (docker/cli, docker/distribution, containerd/stargz-snapshotter, etc.) are required for provider image extraction and manifest handling. These align with the PR's goal of embedding CAPI installer manifests in provider images.


83-83: LGTM! Replace directive is appropriate for local development.

The replace directive pointing to the parent directory is standard practice for a submodule that needs to reference the main module during development and builds.


20-25: All dependency versions are valid and properly resolved.

The versions listed in lines 20-25 all exist and are confirmed by entries in go.sum. The placeholder version v0.0.0-00010101000000-000000000000 for cluster-capi-operator is intentional and correct, as it uses a replace directive pointing to the parent directory (replace github.com/openshift/cluster-capi-operator => ..). All dependencies are actively used in the codebase and have recent, stable versions.

hack/tools/go.mod (1)

204-204: golang.org/x/tools v0.39.0 is available and compatible.

The indirect dependency version exists and is compatible with the current toolchain (Go 1.24.10 exceeds the minimum requirement of Go 1.23 for this version).

go.mod (1)

12-12: Dependency versions are valid and free from known security vulnerabilities.

github.com/docker/cli v29.0.3+incompatible and github.com/google/go-containerregistry v0.20.7 have no published CVEs affecting these specific versions. No action required.

cmd/cluster-capi-operator/main.go (5)

20-22: LGTM!

The new imports for maps and slices (Go 1.21+/1.23+) are appropriate for the collection operations used below.


74-79: LGTM!

New constants for provider image directory configuration follow the existing pattern in this file.


218-229: LGTM!

The provider image reading logic follows established patterns in this file. Using context.Background() is appropriate during startup before the manager's signal handler context is available.


275-309: LGTM!

The function signature updates and switch cases consistently propagate providerImages to all platform reconcilers.


348-360: LGTM!

The CapiInstallerController initialization correctly includes the new ProviderImages field.

manifests-gen/customizations.go (5)

30-32: Hardcoded registry may cause issues in different environments.

The expectedRegistry is hardcoded to registry.ci.openshift.org, which appears to be a CI-specific registry. This could break manifest generation in other environments or when images are mirrored.

Is this intentional for CI/build-time validation only? If this tool runs in other contexts, consider making this configurable or documenting the assumption.


34-99: LGTM!

The refactored processObjects function is well-structured with clear group/kind-based dispatch. Error handling for deployment customization properly propagates errors instead of panicking.


173-205: LGTM!

The deployment customization properly validates image references and returns errors instead of panicking, which is appropriate for recoverable validation failures.


242-308: No action required. The capiNamespace variable is properly defined as a package-level constant in manifests-gen/generate.go and is correctly accessible within the generateInfraClusterProtectionPolicy function.


310-334: The scheme variable is properly defined and initialized in manifests-gen/main.go (line 48) as a package-level variable. It is initialized with all required types, including ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding, via admissionregistration.AddToScheme(scheme) (line 54 in main.go). The setTypeMetadataFromScheme function in customizations.go correctly uses this scheme.

Likely an incorrect or invalid review comment.

Comment on lines +181 to +183
if err := r.reconcileProviderImages(ctx, log); err != nil {
return ctrl.Result{}, fmt.Errorf("error reconciling CAPI provider images: %w", err)
}

⚠️ Potential issue | 🟡 Minor

Missing degraded condition when reconcileProviderImages fails.

When reconcileProviderImages returns an error, the code immediately returns without setting the ClusterOperator degraded condition. This is inconsistent with the error handling pattern used earlier in the reconcile function (lines 143-147, 159-164, 171-176), where setDegradedCondition is called before returning errors.

🔎 Suggested fix
 	if err := r.reconcileProviderImages(ctx, log); err != nil {
+		if err := r.setDegradedCondition(ctx, log); err != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to set conditions for CAPI Installer controller: %w", err)
+		}
+
 		return ctrl.Result{}, fmt.Errorf("error reconciling CAPI provider images: %w", err)
 	}
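Review bot: In the added inner block, when setDegradedCondition itself fails the function returns only "failed to set conditions for CAPI Installer controller" and the original reconcileProviderImages error is dropped, so the root cause never reaches the caller or the log. Log the outer err before calling setDegradedCondition, or return both errors together (for example with errors.Join). The inner `err :=` also shadows the outer err; a distinct name such as condErr makes it obvious which error the final return wraps.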
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if err := r.reconcileProviderImages(ctx, log); err != nil {
return ctrl.Result{}, fmt.Errorf("error reconciling CAPI provider images: %w", err)
}
if err := r.reconcileProviderImages(ctx, log); err != nil {
if err := r.setDegradedCondition(ctx, log); err != nil {
return ctrl.Result{}, fmt.Errorf("failed to set conditions for CAPI Installer controller: %w", err)
}
return ctrl.Result{}, fmt.Errorf("error reconciling CAPI provider images: %w", err)
}
🤖 Prompt for AI Agents
In @pkg/controllers/capiinstaller/capi_installer_controller.go around lines
181-183, When reconcileProviderImages returns an error, set the ClusterOperator
degraded condition before returning the error; call the controller's
setDegradedCondition (same pattern used earlier) with a clear reason like
"ReconcileProviderImagesFailed" and include the error message, then return the
fmt.Errorf wrapping that error from reconcileProviderImages so the degraded
status is recorded consistently with the other failure paths.

@openshift-ci-robot

openshift-ci-robot commented Jan 5, 2026

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

In response to this:

Rewrite manifests-gen to support embedding CAPI installer manifests in the provider image instead of in a transport configmap.

Update the CAPI installer controller to support the new embedded manifests in addition to the existing transport configmaps. This allows us to have a smooth transition period while we update all providers.

Summary by CodeRabbit

  • New Features

  • Read and cache provider manifests directly from provider container images; surface provider metadata.

  • Infrastructure

  • New manifest generator: compiles kustomize outputs, writes manifests.yaml and metadata.yaml, adds kustomize component to retain secrets.

  • Manifest input now expects JSON for image lists.

  • Operator deployment: env var and volume added to enable provider-image consumption; new RBAC Role & RoleBinding for pull-secret access.

  • Tests

  • Added comprehensive tests for provider-image extraction.

  • Chores

  • Bumped multiple Go module dependencies.

✏️ Tip: You can customize this high-level summary in your review settings.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 080ea0b and 896f00c.

⛔ Files ignored due to path filters (276)
📒 Files selected for processing (4)
  • e2e/go.mod
  • go.mod
  • hack/tools/go.mod
  • manifests-gen/go.mod
🔇 Additional comments (6)
hack/tools/go.mod (1)

204-204: Aligned tooling dependency update.

The minor version bump to golang.org/x/tools v0.39.0 is consistent across the repository modules and poses no functional risk to development tooling.

e2e/go.mod (1)

80-80: E2E module dependencies properly aligned with manifests-gen changes.

The addition of klauspost/compress (line 80) and updates to golang.org/x/oauth2 and golang.org/x/tools reflect transitive dependencies introduced by new container image handling in manifests-gen. The OpenShift API/client-go updates align with API changes needed for provider image support.

Please verify that klauspost/compress v1.18.1 is compatible with existing container image operations in the e2e test suite and that no conflicts arise from the new transitive dependency chain introduced by google/go-containerregistry.

Also applies to: 115-115, 121-121

manifests-gen/go.mod (2)

20-25: Container image extraction dependencies appropriately added.

The new direct dependencies reflect the core functional change: manifests-gen now extracts CAPI manifests from provider container images. The choices are sound:

  • google/go-containerregistry is the standard library for OCI image operations.
  • controller-runtime and openshift/api enable Kubernetes object handling.
  • k8s.io/utils provides helper utilities.

The local replace directive (line 83) for cluster-capi-operator is the expected pattern for multi-module workspace organization.

Please verify that:

  1. google/go-containerregistry v0.20.7 and associated Docker/OCI libraries are actively maintained and free of known CVEs.
  2. The +incompatible suffix on Docker packages reflects legacy versioning (expected) rather than obsolete versions.

29-33: Correct line number references in dependency locations.

The Docker client libraries, image handling tools, and logging dependencies are present in manifests-gen/go.mod (at lines 5–9, not 29–33), and the bump to klauspost/compress v1.18.1 (line 23) and golang.org/x/oauth2 v0.33.0 (line 41) align with ecosystem updates. go mod verify confirms all modules are valid with no version conflicts detected across the container registry dependency chain.

go.mod (2)

106-106: Indirect OCI/container ecosystem dependency changes are aligned with image extraction use case.

The updates to indirect dependencies (containerd/stargz-snapshotter, docker/distribution, opencontainers/*, vbatts/tar-split, golang.org/x/oauth2, gopkg.in/yaml.v2) are consistent with supporting provider image metadata reading and tar extraction. These are transitively pulled by go-containerregistry and related container tooling.

Also applies to: 111-112, 220-221, 272-272, 302-302, 315-315


12-12: No concerns—docker/cli is intentionally and appropriately used for Docker configuration parsing.

The direct dependency on docker/cli v29.0.3+incompatible is not a transitive dependency accident. The code in pkg/providerimages/pullsecret.go directly imports Docker CLI config modules (github.com/docker/cli/cli/config*) to parse Docker credentials from the host's Docker configuration. Combined with go-containerregistry v0.20.7 for registry operations, this is the correct approach for reading pull secrets from Docker config files.

Both versions are current and secure:

  • google/go-containerregistry v0.20.7 is the latest v0.20 release (Nov 2025)
  • docker/cli v29.0.3 is well beyond the CVE-2021-41092 fix threshold (v20.10.9+incompatible)

The +incompatible suffix is standard for pre-module Go modules and poses no concerns.

github.com/google/uuid v1.6.0
github.com/gophercloud/gophercloud/v2 v2.9.0
github.com/klauspost/compress v1.18.0
github.com/klauspost/compress v1.18.1

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cat -n go.mod | head -40

Repository: openshift/cluster-capi-operator

Length of output: 1943


🏁 Script executed:

grep -n "cluster-api\|sigs.k8s.io" go.mod | head -20

Repository: openshift/cluster-capi-operator

Length of output: 1358


🌐 Web query:

golang.org/x/sync v0.18.0 golang.org/x/tools v0.39.0 Kubernetes v0.34.1 cluster-api v1.11.3 compatibility

💡 Result:

Do you mean Kubernetes v1.34.1 (not v0.34.1)? If so — short answer:

  • Cluster API v1.11.3 declares support for Kubernetes management clusters v1.30.x → v1.34.x (workload clusters v1.28.x → v1.34.x). [1][2]
  • The Cluster API v1.11.x release notes show golang.org/x/sync was bumped to v0.18.0 in the v1.11 line; golang.org/x/tools was bumped in the v1.11 series (noting some release candidates used v0.38.x). Check the project go.mod for the exact pinned versions for v1.11.3. [2][3]

If you want I can:

  • fetch the exact go.mod from the cluster-api v1.11.3 tag and confirm whether golang.org/x/tools v0.39.0 is pinned; or
  • verify compatibility of golang.org/x/sync v0.18.0 and golang.org/x/tools v0.39.0 with a specific Go toolchain version you care about.

Sources:
[1] Cluster API version support docs.
[2] cluster-api v1.11.3 release notes (dependencies & Kubernetes support).
[3] Cluster API versions reference (support matrix).


🌐 Web query:

cluster-api v1.11.3 go.mod golang.org/x/tools version

💡 Result:

In v1.11.3, golang.org/x/tools is set to v0.38.0. [1]

Sources:
[1] kubernetes-sigs/cluster-api release notes (v1.11.3) — dependency list showing golang.org/x/tools: v0.37.0 → v0.38.0.


Align golang.org/x/tools with cluster-api v1.11.3 dependency.

The current go.mod pins golang.org/x/tools v0.39.0, but cluster-api v1.11.3 uses v0.38.0. Consider aligning to v0.38.0 for consistency with upstream dependencies. golang.org/x/sync v0.18.0 is confirmed compatible with cluster-api v1.11.3 and Kubernetes v0.34.1.

Also applies to: lines 32-33

@openshift-ci-robot

openshift-ci-robot commented Jan 5, 2026

@mdbooth: This pull request references OCPCLOUD-3327 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
manifests-gen/customizations.go (2)

101-171: Consider returning errors instead of panic.

The function uses panic() at lines 138, 152, and 164 when unable to find secrets from certificates. This can crash the entire manifests-gen tool.

Additionally, line 164 has a typo in the panic message: "cert:CustomResourceDefinition " should be "cert: ".

🔎 Suggested refactor to return errors

Update the function signature to return an error:

-func findWebhookServiceSecretName(objs []client.Object) map[string]string {
+func findWebhookServiceSecretName(objs []client.Object) (map[string]string, error) {
 	serviceSecretNames := map[string]string{}
 	certSecretNames := map[string]string{}
 
 	secretFromCertNN := func(certNN string) (string, bool) {
 		// ... existing code ...
 	}

Then replace panic calls with error returns:

 			if certNN, ok := crd.Annotations["cert-manager.io/inject-ca-from"]; ok {
 				secretName, ok := secretFromCertNN(certNN)
 				if !ok {
-					panic("can't find secret from cert: " + certNN)
+					return nil, fmt.Errorf("can't find secret from cert: %s", certNN)
 				}
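
Review bot: With the signature changed to return `(map[string]string, error)`, every return in findWebhookServiceSecretName needs two values, but the hunks shown convert only the panic under the `cert-manager.io/inject-ca-from` check on the CRD. The function's final success return must also gain a `nil` error, and the new `fmt.Errorf` message would be easier to act on if it named the object carrying the annotation (for example the CRD's name) alongside `certNN`.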

Apply similar changes to lines 152 and 164, and update the caller in processObjects to handle the error.


219-228: Fix typo in function name.

The function name replaceCertMangerServiceSecret has a typo: "Manger" should be "Manager" to match replaceCertManagerAnnotations on line 207.

🔎 Proposed fix
-func replaceCertMangerServiceSecret(obj client.Object, serviceSecretNames map[string]string) {
+func replaceCertManagerServiceSecret(obj client.Object, serviceSecretNames map[string]string) {

Also update the call site at line 69:

-			replaceCertMangerServiceSecret(obj, serviceSecretNames)
+			replaceCertManagerServiceSecret(obj, serviceSecretNames)

♻️ Duplicate comments (1)
pkg/controllers/capiinstaller/capi_installer_controller.go (1)

181-183: Missing degraded condition when reconcileProviderImages fails.

When reconcileProviderImages returns an error, the code returns immediately without setting the ClusterOperator degraded condition. This is inconsistent with the error handling pattern used earlier in the reconcile function (lines 143-147, 159-164, 171-176), where setDegradedCondition is called before returning errors.

🔎 Suggested fix
 	if err := r.reconcileProviderImages(ctx, log); err != nil {
+		if err := r.setDegradedCondition(ctx, log); err != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to set conditions for CAPI Installer controller: %w", err)
+		}
+
 		return ctrl.Result{}, fmt.Errorf("error reconciling CAPI provider images: %w", err)
 	}
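
Review bot: In the added block, `if err := r.setDegradedCondition(ctx, log); err != nil` shadows the outer `err`, so when setting the condition fails the returned error reports only that failure and the original reconcileProviderImages error is dropped. Give the inner error its own name and return both (for example with `errors.Join`), so the root cause is still visible when the status update also fails.
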

🧹 Nitpick comments (4)
manifests-gen/generate.go (2)

95-128: Redundant O_APPEND flag with O_TRUNC.

The O_APPEND flag on line 98 is redundant when used with O_TRUNC. O_TRUNC truncates the file to zero length, and since you're writing sequentially from the beginning, O_APPEND has no practical effect. The same applies to line 133.

🔎 Suggested fix
-	manifestsFile, err := os.OpenFile(manifestsPathname, os.O_CREATE|os.O_TRUNC|os.O_WRONLY|os.O_APPEND, 0600)
+	manifestsFile, err := os.OpenFile(manifestsPathname, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)

83-89: Variable shadows imported package name.

The variable unstructured on line 83 shadows the imported unstructured package from line 13. While this works, it can cause confusion.

🔎 Suggested fix
-		var unstructured unstructured.Unstructured
-		err = json.Unmarshal(data, &unstructured)
+		var obj unstructured.Unstructured
+		err = json.Unmarshal(data, &obj)
 		if err != nil {
 			return nil, fmt.Errorf("error unmarshalling resource to unstructured: %w", err)
 		}

-		resources = append(resources, &unstructured)
+		resources = append(resources, &obj)

pkg/providerimages/providerimages.go (1)

139-189: Unconventional errgroup usage pattern.

The code uses errgroup but ignores the returned error from goroutines (line 156 returns nil), collecting errors via a channel instead. While functional, this defeats the purpose of errgroup's error propagation. Consider either:

  1. Using errgroup properly with error returns and stopping on first error, or
  2. Using a simple sync.WaitGroup since you're collecting errors manually anyway.

The current approach works but may confuse readers expecting standard errgroup semantics.

manifests-gen/customizations.go (1)

310-334: Consider error returns, but panics are acceptable for generation tools.

The stripStatus and setTypeMetadataFromScheme helper functions use panic() for error handling. While this is generally discouraged, it's more acceptable in code-generation tools like manifests-gen that fail fast on invalid input.

However, for consistency and better error messages, consider returning errors instead.

🔎 Optional refactor to return errors
-func stripStatus(obj client.Object) client.Object {
+func stripStatus(obj client.Object) (client.Object, error) {
 	unstructuredObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
 	if err != nil {
-		panic(err)
+		return nil, fmt.Errorf("failed to convert to unstructured: %w", err)
 	}
 	delete(unstructuredObj, "status")
-	return &unstructured.Unstructured{Object: unstructuredObj}
+	return &unstructured.Unstructured{Object: unstructuredObj}, nil
 }
 
-func setTypeMetadataFromScheme(obj client.Object, version string) {
+func setTypeMetadataFromScheme(obj client.Object, version string) error {
 	gvks, _, err := scheme.ObjectKinds(obj)
 	if err != nil {
-		panic(err)
+		return fmt.Errorf("failed to get object kinds: %w", err)
 	}
 
 	for _, gvk := range gvks {
 		if gvk.Version == version {
 			obj.GetObjectKind().SetGroupVersionKind(gvk)
-			return
+			return nil
 		}
 	}
-	panic("no " + version + " GVK found")
+	return fmt.Errorf("no %s GVK found for object type %T", version, obj)
 }

Then update callers to handle errors.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 896f00c and 3da26fb.

⛔ Files ignored due to path filters (277)
  • vendor/github.com/google/go-containerregistry/pkg/authn/keychain.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/authn/multikeychain.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/compression/compression.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/logs/logs.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/check.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/digest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/ref.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/registry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/repository.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/name/tag.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/empty/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/hash.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/layer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/manifest.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/match/match.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/mutate/rebase.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/compressed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/image.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/index.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/uncompressed.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/partial/with.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/platform.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/progress.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/catalog.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/check.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/delete.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/descriptor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/go-containerregistry/pkg/v1/remote/fetcher.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (23)
  • cmd/cluster-capi-operator/main.go
  • e2e/go.mod
  • go.mod
  • hack/tools/go.mod
  • manifests-gen/customizations.go
  • manifests-gen/generate.go
  • manifests-gen/go.mod
  • manifests-gen/kustomization.yaml
  • manifests-gen/main.go
  • manifests-gen/providercustomizations.go
  • manifests-gen/providers.go
  • manifests-gen/util.go
  • manifests/0000_30_cluster-api_03_rbac_roles.yaml
  • manifests/0000_30_cluster-api_04_rbac_bindings.yaml
  • manifests/0000_30_cluster-api_11_deployment.yaml
  • pkg/controllers/capiinstaller/capi_installer_controller.go
  • pkg/controllers/capiinstaller/capi_installer_controller_test.go
  • pkg/controllers/infracluster/azure.go
  • pkg/conversion/capi2mapi/aws.go
  • pkg/providerimages/providerimages.go
  • pkg/providerimages/providerimages_test.go
  • pkg/providerimages/pullsecret.go
  • pkg/util/readconfig.go
💤 Files with no reviewable changes (4)
  • pkg/conversion/capi2mapi/aws.go
  • pkg/util/readconfig.go
  • manifests-gen/providercustomizations.go
  • manifests-gen/providers.go
🚧 Files skipped from review as they are similar to previous changes (6)
  • pkg/controllers/infracluster/azure.go
  • e2e/go.mod
  • manifests/0000_30_cluster-api_04_rbac_bindings.yaml
  • manifests-gen/main.go
  • hack/tools/go.mod
  • pkg/providerimages/providerimages_test.go
🧰 Additional context used
🧬 Code graph analysis (3)
manifests-gen/generate.go (1)
pkg/providerimages/providerimages.go (1)
  • ProviderMetadata (66-72)
cmd/cluster-capi-operator/main.go (1)
pkg/providerimages/providerimages.go (2)
  • ReadProviderImages (117-131)
  • ProviderImageManifests (56-63)
pkg/controllers/capiinstaller/capi_installer_controller.go (1)
pkg/providerimages/providerimages.go (1)
  • ProviderImageManifests (56-63)
🪛 Checkov (3.2.334)
manifests/0000_30_cluster-api_11_deployment.yaml

[medium] 2-96: Containers should not run with allowPrivilegeEscalation (CKV_K8S_20)

[medium] 2-96: Minimize the admission of root containers (CKV_K8S_23)

🔇 Additional comments (24)
manifests-gen/kustomization.yaml (1)

1-17: LGTM! Well-structured kustomize component.

The Component manifest correctly patches Secret resources to retain them locally during kustomization without emitting them. The config.kubernetes.io/local-config: "true" annotation is the standard approach for this pattern.

manifests-gen/go.mod (2)

20-25: LGTM! Dependencies align with provider image metadata support.

The added dependencies correctly support the new provider image operations:

  • go-containerregistry for image/manifest extraction
  • openshift/api and controller-runtime for typed Kubernetes objects
  • The placeholder version for cluster-capi-operator is expected given the replace directive

83-83: Replace directive correctly configured.

The replace directive pointing to .. (parent directory) is the standard approach for referencing the main module from this manifests-gen submodule.

pkg/controllers/capiinstaller/capi_installer_controller_test.go (1)

96-102: Properly addresses previous nil reader concern.

The test now correctly handles the error case by checking configMapReader's error return and exiting early before calling extractManifests. This prevents passing a nil reader and aligns with the reader-based extraction flow introduced in the provider image changes.

manifests/0000_30_cluster-api_11_deployment.yaml (1)

38-39: LGTM! Provider image volume configuration is correct.

The added environment variable, volume mount, and emptyDir volume properly support the provider image metadata functionality. The path /var/lib/provider-images aligns with the provider image directory handling introduced elsewhere in the PR.

Note: The static analysis warnings about privilege escalation and root containers apply to the entire deployment manifest and are not introduced by these changes.

Also applies to: 58-59, 95-96

go.mod (2)

12-12: The github.com/docker/cli v29.0.3+incompatible dependency is actively used in the codebase for Docker config file parsing in pkg/providerimages/pullsecret.go. The +incompatible suffix is the standard Go notation for docker/cli, which doesn't follow semantic versioning conventions—not a versioning error. Version 29.0.3 is a recent stable Docker release and is compatible with the provider image operations being added.


32-33: Correct the golang.org/x/tools version reference.

The original statement is incorrect: cluster-api v1.11.3 uses golang.org/x/tools v0.34.0, not v0.38.0. The bump to v0.39.0 represents an intentional and safe update—changes between these versions are primarily gopls performance improvements and new/enhanced analyzers (unusedfunc, hostport), which do not introduce breaking changes for this project's usage of golang.org/x/tools/go/packages.

Likely an incorrect or invalid review comment.

manifests-gen/util.go (1)

1-25: LGTM!

Clean utility functions for working with client.Object. The generic convert function properly preserves GVK after scheme conversion, which is important for maintaining type information. The mustConvert wrapper is appropriate for internal tooling where conversion failures should be fatal.

pkg/providerimages/pullsecret.go (1)

29-75: LGTM!

Well-structured Docker config keychain implementation. The Resolve method correctly handles the DefaultRegistry to DefaultAuthKey mapping for Docker Hub, and properly falls back to anonymous authentication when no credentials are configured. Error messages provide good context for debugging.

manifests-gen/generate.go (1)

130-158: LGTM!

The metadata writing function has proper error handling with the errors.Join pattern in the deferred close. The same O_APPEND cleanup noted above applies to line 133.

pkg/controllers/capiinstaller/capi_installer_controller.go (4)

188-235: Well-structured provider image reconciliation.

The filtering by platform and priority-based sorting (core → infrastructure → other) ensures deterministic and correct ordering of provider installation. Using slices.SortStableFunc preserves relative order within the same priority level, and the secondary sort by name provides additional determinism.


237-262: LGTM!

The extraction of provider image processing into its own function applyProviderImage properly addresses the resource leak concern from previous reviews. The defer now executes at the end of each function call, ensuring files are closed promptly.


517-541: LGTM!

The refactoring to return io.ReadCloser properly addresses the resource leak concerns from previous reviews. Using io.NopCloser for the string reader and reader.IOReadCloser() for the zstd decoder ensures consistent close semantics.


358-363: Good defensive check.

Skipping empty manifests after YAML splitting prevents spurious parsing errors from trailing document separators or whitespace-only sections.

cmd/cluster-capi-operator/main.go (2)

218-229: Provider image loading during startup.

The operator reads provider image metadata synchronously during startup. If this fails (e.g., pull secret unavailable, image fetch fails), the operator will exit. This is a reasonable design choice for an operator that depends on provider images to function, but be aware this could delay startup in environments with slow registry access.


275-320: LGTM!

Clean threading of providerImages through the reconciler setup chain. The parameter is consistently passed to all platform-specific reconciler paths and ultimately to CapiInstallerController.

pkg/providerimages/providerimages.go (3)

246-306: LGTM!

The layer extraction logic correctly iterates layers in reverse order (top-to-bottom) to respect OCI layer semantics where higher layers override lower layers. The early exit optimization and proper error distinction between missing directory vs. missing individual files is well implemented.


360-388: LGTM!

Efficient implementation using io.MultiWriter to simultaneously write to disk and compute the SHA256 hash in a single pass. The strings.Replacer.WriteString provides streaming replacement without materializing the entire modified content in memory.


308-347: LGTM!

Good implementation of tar file extraction. Using path.Clean (not filepath) is correct since tar paths always use forward slashes regardless of OS. The set-based lookup and early exit optimization are efficient.

manifests/0000_30_cluster-api_03_rbac_roles.yaml (1)

36-55: LGTM!

The new Role follows the principle of least privilege: it grants only get access to the specific pull-secret Secret in the openshift-config namespace. The annotations are consistent with the existing RBAC resources in this file. The corresponding RoleBinding exists in manifests/0000_30_cluster-api_04_rbac_bindings.yaml and properly binds the Role to the cluster-capi-operator ServiceAccount in the openshift-cluster-api namespace.

manifests-gen/customizations.go (4)

4-18: LGTM: Import additions support the refactoring.

The new imports correctly support the migration to typed client.Object handling and the addition of image registry validation. The go-containerregistry package is appropriate for parsing and validating container image references.

Also applies to: 30-31


34-99: Helper functions are properly defined and available.

All three helpers—getGroup(), getKind(), and mustConvert()—are defined in manifests-gen/util.go and accessible to the processObjects function. The refactor to typed client.Object with group/kind dispatch is well-structured and all dependencies are in place.


173-205: No action needed on image registry validation.

The customizeDeployment function's strict validation of the image registry is appropriate. A search of the manifests confirms all images already reference registry.ci.openshift.org, so the validation will not fail during the transition period.


242-308: No changes needed. Both scheme (manifests-gen/main.go) and capiNamespace (manifests-gen/generate.go) are properly defined as package-level variables in the manifests-gen package and are accessible to customizations.go. The code is correct and will compile without issues.

Likely an incorrect or invalid review comment.
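The layer-ordering, tar-path and hash-while-writing points made in the review of pkg/providerimages/providerimages.go above, as an added standard-library example that is not the project's code. The function names, the `provider/manifests.yaml` path, the `PLACEHOLDER` token and the `registry.example` reference are assumptions made for illustration; layers are constructed in-memory tar archives, and OCI whiteout entries are not handled.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"path"
	"strings"
)

// extractFromLayers reads tar layers top-down (index 0 is the base), so the first
// hit for a wanted name is the upper layer's copy. Only wanted names are read.
func extractFromLayers(layers [][]byte, wanted []string) (map[string][]byte, error) {
	remaining := map[string]struct{}{}
	for _, w := range wanted {
		remaining[path.Clean("/"+w)] = struct{}{}
	}
	found := map[string][]byte{}
	for i := len(layers) - 1; i >= 0 && len(remaining) > 0; i-- {
		tr := tar.NewReader(bytes.NewReader(layers[i]))
		for len(remaining) > 0 { // stop reading once every file is found
			hdr, err := tr.Next()
			if err == io.EOF {
				break
			} else if err != nil {
				return nil, fmt.Errorf("layer %d: %w", i, err)
			}
			// Tar names use "/" on every OS; rooting before Clean folds "./x" and "../x" to "/x".
			name := path.Clean("/" + hdr.Name)
			if _, ok := remaining[name]; !ok || hdr.Typeflag != tar.TypeReg {
				continue
			}
			if found[name], err = io.ReadAll(tr); err != nil {
				return nil, fmt.Errorf("layer %d: read %s: %w", i, name, err)
			}
			delete(remaining, name)
		}
	}
	if len(remaining) > 0 {
		return nil, fmt.Errorf("%d wanted file(s) not found in any layer", len(remaining))
	}
	return found, nil
}

// writeWithDigest streams content through r to dst and hashes the written bytes in one pass.
func writeWithDigest(dst io.Writer, content string, r *strings.Replacer) (string, error) {
	h := sha256.New()
	_, err := r.WriteString(io.MultiWriter(dst, h), content)
	return hex.EncodeToString(h.Sum(nil)), err
}

// makeLayer builds a constructed single-file tar layer for the demo.
func makeLayer(name, body string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	if err == nil {
		_, err = tw.Write([]byte(body))
	}
	if err != nil || tw.Close() != nil {
		panic("building constructed layer failed")
	}
	return buf.Bytes()
}

func main() {
	base := makeLayer("provider/manifests.yaml", "image: old\n")
	top := makeLayer("./provider/manifests.yaml", "image: PLACEHOLDER\n")
	files, err := extractFromLayers([][]byte{base, top}, []string{"/provider/manifests.yaml"})
	if err != nil {
		panic(err)
	}
	var out bytes.Buffer
	sum, err := writeWithDigest(&out, string(files["/provider/manifests.yaml"]), strings.NewReplacer("PLACEHOLDER", "registry.example/provider:constructed"))
	fmt.Printf("%s%s %v\n", out.String(), sum, err)
}
```

The digest covers the bytes after replacement, so it identifies the file as written to disk rather than the file as stored in the image.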

@mdbooth
Contributor Author

mdbooth commented Jan 5, 2026

/override okd-scos-images

This never passes and nobody knows what it does. We should stop running it.

@openshift-ci
Contributor

openshift-ci bot commented Jan 5, 2026

@mdbooth: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • okd-scos-images

Only the following failed contexts/checkruns were expected:

  • CodeRabbit
  • ci/prow/build
  • ci/prow/e2e-aws-capi-techpreview
  • ci/prow/e2e-aws-ovn
  • ci/prow/e2e-aws-ovn-serial-1of2
  • ci/prow/e2e-aws-ovn-serial-2of2
  • ci/prow/e2e-aws-ovn-techpreview
  • ci/prow/e2e-aws-ovn-techpreview-upgrade
  • ci/prow/e2e-azure-capi-techpreview
  • ci/prow/e2e-azure-ovn-techpreview
  • ci/prow/e2e-azure-ovn-techpreview-upgrade
  • ci/prow/e2e-gcp-capi-techpreview
  • ci/prow/e2e-gcp-ovn-techpreview
  • ci/prow/e2e-metal3-capi-techpreview
  • ci/prow/e2e-openstack-capi-techpreview
  • ci/prow/e2e-openstack-ovn-techpreview
  • ci/prow/e2e-vsphere-capi-techpreview
  • ci/prow/images
  • ci/prow/lint
  • ci/prow/okd-scos-images
  • ci/prow/regression-clusterinfra-aws-ipi-techpreview-capi
  • ci/prow/unit
  • ci/prow/vendor
  • ci/prow/verify-deps
  • pull-ci-openshift-cluster-capi-operator-main-build
  • pull-ci-openshift-cluster-capi-operator-main-e2e-aws-capi-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn
  • pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-serial-1of2
  • pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-serial-2of2
  • pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-aws-ovn-techpreview-upgrade
  • pull-ci-openshift-cluster-capi-operator-main-e2e-azure-capi-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-azure-ovn-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-azure-ovn-techpreview-upgrade
  • pull-ci-openshift-cluster-capi-operator-main-e2e-gcp-capi-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-gcp-ovn-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-metal3-capi-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-openstack-capi-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-openstack-ovn-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-e2e-vsphere-capi-techpreview
  • pull-ci-openshift-cluster-capi-operator-main-images
  • pull-ci-openshift-cluster-capi-operator-main-lint
  • pull-ci-openshift-cluster-capi-operator-main-okd-scos-images
  • pull-ci-openshift-cluster-capi-operator-main-regression-clusterinfra-aws-ipi-techpreview-capi
  • pull-ci-openshift-cluster-capi-operator-main-unit
  • pull-ci-openshift-cluster-capi-operator-main-vendor
  • pull-ci-openshift-cluster-capi-operator-main-verify-deps
  • tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.


@mdbooth
Contributor Author

mdbooth commented Jan 5, 2026

/override ci/prow/okd-scos-images

@openshift-ci
Contributor

openshift-ci bot commented Jan 5, 2026

@mdbooth: Overrode contexts on behalf of mdbooth: ci/prow/okd-scos-images


@mdbooth
Contributor Author

mdbooth commented Jan 5, 2026

The existing tests will demonstrate that the PR continues to work with existing transport configmaps.

The following test will demonstrate that the PR works with updated providers which use image-based manifests.

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

@mdbooth
Contributor Author

mdbooth commented Jan 5, 2026

/testwith openshift/cluster-capi-operator/main/e2e-aws-ovn-techpreview openshift/cluster-api-provider-aws#584 openshift/cluster-api#259

@mdbooth
Contributor Author

mdbooth commented Jan 5, 2026

/pipeline required

@openshift-ci-robot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-capi-techpreview
/test e2e-aws-ovn
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-aws-ovn-techpreview
/test e2e-aws-ovn-techpreview-upgrade
/test e2e-azure-capi-techpreview
/test e2e-azure-ovn-techpreview
/test e2e-azure-ovn-techpreview-upgrade
/test e2e-gcp-capi-techpreview
/test e2e-gcp-ovn-techpreview
/test e2e-metal3-capi-techpreview
/test e2e-openstack-capi-techpreview
/test e2e-openstack-ovn-techpreview
/test e2e-vsphere-capi-techpreview
/test regression-clusterinfra-aws-ipi-techpreview-capi

@mdbooth
Contributor Author

mdbooth commented Jan 5, 2026

/retest-required

@mdbooth
Contributor Author

mdbooth commented Jan 6, 2026

/retest-required

@mdbooth
Contributor Author

mdbooth commented Jan 6, 2026

/test e2e-azure-ovn-techpreview
/test e2e-metal3-capi-techpreview

@openshift-ci
Contributor

openshift-ci bot commented Jan 6, 2026

@mdbooth: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-metal3-capi-techpreview | 3da26fb | link | false | /test e2e-metal3-capi-techpreview |



Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
