
[WIP] Replace kube-rbac-proxy sidecar with controller-runtime FilterProvider#502

Open
alebedev87 wants to merge 1 commit into
openshift:mainfrom
alebedev87:metrics-cmd

Conversation

@alebedev87

Contributor

No description provided.

…ider`

WIP — temporary commit to save progress.

Co-Authored-By: Claude
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label (indicates that a PR should not merge because it is a work in progress) Jun 17, 2026
@openshift-ci openshift-ci Bot requested review from jcmoraisjr and rikatz June 17, 2026 11:38
@coderabbitai

coderabbitai Bot commented Jun 17, 2026

📝 Walkthrough

The PR removes the kube-rbac-proxy sidecar and replaces it with controller-runtime's native secure metrics serving. The operator's Config struct gains SecureMetrics and MetricsTLSCertDir fields with new defaults (:8443, /var/run/secrets/serving-cert). In operator.go, metrics options are conditionally built with TLS configuration and a WithAuthenticationAndAuthorization filter provider. The tokenreviews and subjectaccessreviews RBAC permissions previously held by the auth-proxy ClusterRole are moved into the main operator ClusterRole; the separate auth-proxy ClusterRole and ClusterRoleBinding files are deleted. All Kubernetes deployment manifests and the OLM bundle CSV are updated to reflect the sidecar removal and the new :8443 secure metrics endpoint.


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Ote Binary Stdout Contract | ❌ Error | The PR introduces test/e2e/operator_test.go and test/e2e_sharedvpc/shared_vpc_test.go with TestMain() functions that write to stdout via fmt.Printf(), violating OTE Binary Stdout Contract requireme... | Remove or redirect TestMain() stdout writes in test files. These are e2e tests (not the main operator binary), but fmt.Printf in TestMain can break OTE test listing. Redirect error messages to stderr instead. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | No description was provided by the author, making it impossible to assess whether the description relates to the changeset. | Add a pull request description explaining the motivation, implementation approach, and impact of replacing kube-rbac-proxy with controller-runtime FilterProvider. |
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: replacing kube-rbac-proxy sidecar with controller-runtime FilterProvider for secure metrics. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test names in this PR use stable, static strings with no dynamic content like pod names, timestamps, UUIDs, node names, or generated suffixes. |
| Test Structure And Quality | ✅ Passed | No Ginkgo test files are modified in this PR; the changes focus on configuration and operator code for secure metrics serving. The custom check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. The changes only include Kubernetes manifests, Go source code, and dependency updates; no test files were modified. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. The changes are limited to Kubernetes manifests, configuration files, and Go source modifications for metrics security. The SNO compatibility check is... |
| Topology-Aware Scheduling Compatibility | ✅ Passed | The PR does not introduce scheduling constraints that assume HA topology. The operator uses a single replica deployment with Recreate strategy, no pod affinity rules, no topology spread constraints... |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR contains no new Ginkgo e2e tests. Changes are limited to manifests, operator code, and dependencies. |
| No-Weak-Crypto | ✅ Passed | PR uses only secure cryptographic algorithms (SHA256 for integrity checks, FNV for non-security naming) and standard Go TLS. No weak crypto (MD5, SHA1, DES, RC4), custom implementations, or non-con... |
| Container-Privileges | ✅ Passed | No privileged containers, hostPID/hostNetwork/hostIPC, SYS_ADMIN caps, root users without justification, or allowPrivilegeEscalation found; all containers set to unprivileged with dropped capabilit... |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data (passwords, tokens, API keys, PII, session IDs, internal hostnames, or customer data) is exposed through logging. The PR adds MetricsTLSCertDir and SecureMetrics configuration fie... |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/Azure/azure-sdk-for-go@v60.1.0+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Azure/go-autorest/autorest@v0.11.27: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Azure/go-autorest/autorest/adal@v0.9.20: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/aws/aws-sdk-go-v2@v1.41.7: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/aws/aws-sdk-go-v2/config@v1.32.17: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/aws/aws-sdk-go-v2/credentials@v1.19.16: is explicitly required in go.mod, but not marked as explicit in vendor/module

... [truncated 17324 characters] ...

red in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/kustomize/cmd/config@v0.14.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/kustomize/kyaml@v0.17.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/structured-merge-diff/v4@v4.6.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/yaml@v1.4.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"


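What the sidecar removal means at request time, as an added example that is not code from this PR or from controller-runtime: once kube-rbac-proxy is gone, the operator process itself answers each scrape by sending a TokenReview for the caller's bearer token and then a SubjectAccessReview for verb `get` on the `/metrics` non-resource URL, which is exactly why those two permissions move into the operator's ClusterRole. The real implementation is `filters.WithAuthenticationAndAuthorization` in `sigs.k8s.io/controller-runtime/pkg/metrics/filters`, which delegates to the k8s.io/apiserver authenticator and authorizer. The stdlib-only model below keeps that shape (a provider that returns a middleware) and the fail-closed ordering of the checks; the `Reviewer` interface, `fakeReviewer`, the token strings and the service-account names are constructed for the example and stand in for the API calls.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Reviewer models the two API calls the filter makes: TokenReview, then SubjectAccessReview.
type Reviewer interface {
	ReviewToken(ctx context.Context, token string) (user string, authenticated bool, err error)
	Allowed(ctx context.Context, user, verb, path string) (bool, error)
}

// WithAuthenticationAndAuthorization has the filter-provider shape: it returns a middleware.
func WithAuthenticationAndAuthorization(rv Reviewer) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if code := authorize(r, rv); code != http.StatusOK {
				http.Error(w, http.StatusText(code), code)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// authorize returns 200 when the request may proceed, else the rejection status.
// It fails closed: a review call that errors yields 500, never a pass.
func authorize(r *http.Request, rv Reviewer) int {
	parts := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || strings.TrimSpace(parts[1]) == "" {
		return http.StatusUnauthorized // no bearer credentials at all
	}
	user, authenticated, err := rv.ReviewToken(r.Context(), strings.TrimSpace(parts[1]))
	if err != nil {
		return http.StatusInternalServerError
	}
	if !authenticated {
		return http.StatusUnauthorized // TokenReview rejected the token
	}
	// Non-resource requests are authorized on the lower-cased HTTP method and the
	// path, so a scraper needs verb "get" on nonResourceURL "/metrics".
	allowed, err := rv.Allowed(r.Context(), user, strings.ToLower(r.Method), r.URL.Path)
	if err != nil {
		return http.StatusInternalServerError
	}
	if !allowed {
		return http.StatusForbidden // authenticated, but no RBAC grant
	}
	return http.StatusOK
}

// fakeReviewer is a constructed in-memory stand-in; a real cluster asks the API server,
// which is why the operator's ClusterRole now needs tokenreviews and subjectaccessreviews.
type fakeReviewer struct {
	tokens map[string]string // token -> user (constructed)
	allow  map[string]bool   // "user verb path" -> granted (constructed)
	failOn string            // token whose review errors, as when the API server is down
}

func (f *fakeReviewer) ReviewToken(_ context.Context, token string) (string, bool, error) {
	if token == f.failOn {
		return "", false, fmt.Errorf("apiserver unreachable")
	}
	user, ok := f.tokens[token]
	return user, ok, nil
}

func (f *fakeReviewer) Allowed(_ context.Context, user, verb, path string) (bool, error) {
	return f.allow[user+" "+verb+" "+path], nil
}

// NewFakeReviewer returns the constructed sample identities and RBAC grants.
func NewFakeReviewer() *fakeReviewer {
	prom := "system:serviceaccount:openshift-monitoring:prometheus-k8s"
	return &fakeReviewer{
		tokens: map[string]string{"tok-prometheus": prom, "tok-default": "system:serviceaccount:default:default"},
		allow:  map[string]bool{prom + " get /metrics": true}, // the only grant in this sample
		failOn: "tok-apiserver-down",
	}
}

// Scrape does one in-process GET /metrics with the given Authorization header value
// ("" for none) and returns the status the filtered endpoint produced.
func Scrape(rv Reviewer, authz string) int {
	h := WithAuthenticationAndAuthorization(rv)(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "controller_runtime_reconcile_total 42") // the protected endpoint
	}))
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	f := NewFakeReviewer()
	for _, a := range []string{"", "Basic Zm9v", "Bearer tok-bogus", "Bearer tok-default", "Bearer tok-prometheus", "Bearer tok-apiserver-down"} {
		fmt.Printf("%-28q -> %d\n", a, Scrape(f, a))
	}
}
```

Two checks in the real deployment follow from this ordering. The scraping service account (prometheus-k8s in openshift-monitoring) still needs a ClusterRole granting `get` on `nonResourceURLs: ["/metrics"]`, just as it did in front of kube-rbac-proxy; without it every scrape is a 403 even with a valid token. And the operator's own service account needs the tokenreviews and subjectaccessreviews rules this PR moves out of the deleted auth-proxy ClusterRole; without them every scrape fails with a 500 rather than the filter quietly letting traffic through.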

@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rikatz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/default/manager_insecure_tls_auth_proxy_patch.yaml`:
- Around line 1-3: The patch omits the `--metrics-tls-cert-dir` flag, causing
the operator to default to `/var/run/secrets/serving-cert` even though no cert
volume is mounted in this development/testing configuration. Add an explicit
`--metrics-tls-cert-dir` argument to the manager container args in the patch and
set it to an empty string or a temporary directory path so that self-signed
metrics certificates are generated in a writable location instead of the missing
mounted volume.

In `@go.mod`:
- Line 115: The go.opentelemetry.io/otel/sdk dependency is pinned to v1.33.0
which contains security vulnerabilities that are only fixed in v1.43.0 or later.
Update the go.opentelemetry.io/otel/sdk version from v1.33.0 to v1.43.0 in the
go.mod file. After updating, also refresh any dependent OTLP modules that
reference go.opentelemetry.io/otel/sdk to maintain version coherence across all
module dependencies.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c21c0e2e-83b7-4804-8a26-62c854f58c6d

📥 Commits

Reviewing files that changed from the base of the PR and between 08ec426 and d164ba4.

⛔ Files ignored due to path filters (287)
  • go.sum is excluded by !**/*.sum
  • vendor/cel.dev/expr/.bazelversion is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/.gitattributes is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/GOVERNANCE.md is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/MAINTAINERS.md is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/MODULE.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/WORKSPACE is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/cloudbuild.yaml is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/regen_go_proto.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/antlrdoc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn_config.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn_config_set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn_deserialization_options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn_deserializer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn_simulator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/atn_type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/char_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/common_token_factory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/common_token_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/comparators.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/configuration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/dfa.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/dfa_serializer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/dfa_state.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/diagnostic_error_listener.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/error_listener.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/error_strategy.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/file_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/input_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/int_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/interval_set.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/jcollect.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/lexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/lexer_action.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/lexer_action_executor.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/lexer_atn_simulator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/ll1_analyzer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/nostatistics.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/parser.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/parser_atn_simulator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/parser_rule_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/prediction_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/prediction_context_cache.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/prediction_mode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/recognizer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/rule_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/semantic_context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/statistics.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/stats_data.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/token.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/token_source.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/token_stream.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/tokenstream_rewriter.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/trace_listener.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/transition.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/tree.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/trees.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/antlr4-go/antlr/v4/utils.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/.gitignore is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/backoff.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/context.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/exponential.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/retry.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/ticker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/timer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/cenkalti/backoff/v4/tries.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/LICENSE is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/cel.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/folding.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/inlining.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/io.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/library.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/macro.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/optimizer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/program.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/cel/validator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/checker.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/cost.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/decls/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/decls/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/env.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/format.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/mapping.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/options.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/printer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/scopes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/checker/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/ast.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/conversion.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/expr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/factory.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/ast/navigable.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/containers/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/containers/container.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/cost.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/debug/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/debug/debug.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/decls/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/decls/decls.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/error.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/errors.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/functions/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/functions/functions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/location.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/operators/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/operators/operators.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/overloads/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/overloads/overloads.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/runes/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/runes/buffer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/source.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/standard.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/any_value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/bool.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/bytes.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/compare.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/doc.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/double.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/duration.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/err.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/int.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/iterator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/json_value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/list.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/map.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/null.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/object.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/optional.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/overflow.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/checked.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/enum.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/equal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/file.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/pb.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/type.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/ref/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/ref/provider.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/ref/reference.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/string.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/timestamp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/comparer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/container.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/field_tester.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/indexer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/iterator.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/lister.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/mapper.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/matcher.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/math.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/receiver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/sizer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/traits.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/traits/zeroer.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/types.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/uint.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/unknown.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/common/types/util.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/README.md is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/bindings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/comprehensions.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/encoders.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/formatting.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/guards.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/lists.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/math.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/native.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/protos.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/sets.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/ext/strings.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/interpreter/BUILD.bazel is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/interpreter/activation.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/interpreter/attribute_patterns.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/google/cel-go/interpreter/attributes.go is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (13)
  • bundle/manifests/external-dns-operator.clusterserviceversion.yaml
  • config/default/kustomization.yaml
  • config/default/manager_auth_proxy_patch.yaml
  • config/default/manager_insecure_tls_auth_proxy_patch.yaml
  • config/manager/manager.yaml
  • config/rbac/auth_proxy_role.yaml
  • config/rbac/auth_proxy_role_binding.yaml
  • config/rbac/kustomization.yaml
  • config/rbac/role.yaml
  • go.mod
  • main.go
  • pkg/operator/config/config.go
  • pkg/operator/operator.go
💤 Files with no reviewable changes (3)
  • config/rbac/kustomization.yaml
  • config/rbac/auth_proxy_role.yaml
  • config/rbac/auth_proxy_role_binding.yaml

Comment on lines +1 to +3
# This patch configures metrics with secure serving but without
# external TLS certificates (controller-runtime will generate self-signed certs).
# Use for development/testing environments only.


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Expect to see a non-empty DefaultMetricsTLSCertDir and operator wiring that assigns it to metrics CertDir.
rg -n -C3 'DefaultMetricsTLSCertDir|MetricsTLSCertDir|metrics-tls-cert-dir|SecureMetrics|CertDir' --glob '*.go' --glob '*.yaml' --glob '*.yml'

python - <<'PY'
from pathlib import Path

patch = Path("config/default/manager_insecure_tls_auth_proxy_patch.yaml").read_text()
print("insecure patch has metrics-tls-cert-dir arg:", "--metrics-tls-cert-dir" in patch)
print("insecure patch mounts serving-cert path:", "/var/run/secrets/serving-cert" in patch)
PY

Repository: openshift/external-dns-operator

Length of output: 32244


Override the TLS cert dir for the self-signed metrics patch.

This patch omits --metrics-tls-cert-dir, so the operator defaults to /var/run/secrets/serving-cert even though no cert volume is mounted. For self-signed metrics in development/testing, explicitly pass an empty cert dir to use the temporary directory.

Proposed fix
         - --metrics-bind-address=:8443
         - --secure-metrics
+        - --metrics-tls-cert-dir=
         - --operator-namespace=$(OPERATOR_NAMESPACE)
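Review bot: the empty `--metrics-tls-cert-dir=` value only achieves the intended self-signed fallback if the operator passes the empty string straight through to the metrics server's CertDir; if the flag wiring treats "" as "unset" and substitutes DefaultMetricsTLSCertDir (/var/run/secrets/serving-cert per the walkthrough), this patch changes nothing and the manager still points at an unmounted path. Please confirm from the `rg` output that the assignment is unconditional, and consider a log line at startup stating which cert source is in use so a self-signed endpoint is never mistaken for the serving-cert one.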
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@config/default/manager_insecure_tls_auth_proxy_patch.yaml` around lines 1 -
3, The patch omits the `--metrics-tls-cert-dir` flag, causing the operator to
default to `/var/run/secrets/serving-cert` even though no cert volume is mounted
in this development/testing configuration. Add an explicit
`--metrics-tls-cert-dir` argument to the manager container args in the patch and
set it to an empty string or a temporary directory path so that self-signed
metrics certificates are generated in a writable location instead of the missing
mounted volume.
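A fail-fast startup check for the gap described in this comment, written as an added example rather than the operator's own code: the constant and function names are hypothetical, and the empty-dir branch assumes controller-runtime's documented behaviour of generating a self-signed certificate when no key pair is present.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Hypothetical constant mirroring the PR's DefaultMetricsTLSCertDir; not the operator's code.
const defaultMetricsTLSCertDir = "/var/run/secrets/serving-cert"

// metricsCertMode describes where the secure metrics endpoint gets its serving certificate.
type metricsCertMode int

const (
	certModeUnknown    metricsCertMode = iota
	certModeInsecure                   // --secure-metrics not set: plain HTTP
	certModeMounted                    // tls.crt and tls.key read from the configured directory
	certModeSelfSigned                 // empty cert dir: controller-runtime generates a self-signed cert
)

// resolveMetricsCert validates the metrics TLS configuration before the manager starts.
// Refusing to start is preferable to silently serving a self-signed certificate
// because the serving-cert volume was never mounted at the default path.
func resolveMetricsCert(secure bool, certDir string) (metricsCertMode, error) {
	if !secure {
		return certModeInsecure, nil
	}
	if certDir == "" {
		// Explicit "--metrics-tls-cert-dir=": accepted only as a dev/test choice.
		return certModeSelfSigned, nil
	}
	for _, name := range []string{"tls.crt", "tls.key"} {
		p := filepath.Join(certDir, name)
		if _, err := os.Stat(p); err != nil {
			return certModeUnknown, fmt.Errorf("secure metrics enabled but %s is unreadable (is the serving-cert volume mounted?): %w", p, err)
		}
	}
	return certModeMounted, nil
}

func main() {
	mode, err := resolveMetricsCert(true, defaultMetricsTLSCertDir)
	fmt.Println(mode, err)
}
```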

Comment thread go.mod
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
go.opentelemetry.io/otel/metric v1.33.0 // indirect
go.opentelemetry.io/otel/sdk v1.33.0 // indirect


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

curl -sS https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"ecosystem":"Go","name":"go.opentelemetry.io/otel/sdk"},
    "version":"1.33.0"
  }' | jq '{id: .id, aliases: .aliases, summary: .summary, affected: .affected}'

Repository: openshift/external-dns-operator

Length of output: 150


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Query OSV for ALL vulnerabilities in this package (not pinned to version)
curl -sS https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{
    "package": {"ecosystem":"Go","name":"go.opentelemetry.io/otel/sdk"}
  }' | jq '.vulns[] | {id, aliases, summary, affected: (.affected[0] | {versions, ranges})}'

Repository: openshift/external-dns-operator

Length of output: 1413


🌐 Web query:

GO-2026-4394 vulnerability go.opentelemetry.io/otel/sdk

💡 Result:

GO-2026-4394 is a security vulnerability in the go.opentelemetry.io/otel/sdk package, identified by CVE-2026-24051 and GHSA-9h8m-3fm2-qjrq [1][2]. Vulnerability Details: The vulnerability is an Untrusted Search Path issue (CWE-426) affecting the resource detection code within the SDK [3][4]. Specifically, the SDK would execute system commands using a bare name, which allowed the PATH environment variable to be manipulated to point to a malicious binary [3][4]. By placing a malicious executable earlier in the search path, an attacker with local access could achieve arbitrary code execution in the context of the application [3][4]. Affected Versions and Fixes: The vulnerability was introduced in version 1.21.0 and addressed in version 1.40.0, which updated the SDK to use absolute paths for the affected commands [1][5][4]. Note on Related Vulnerabilities: A follow-up vulnerability, CVE-2026-39883 (GHSA-hfvc-g4fc-pqhx), was identified because the fix for GO-2026-4394 only addressed the issue for macOS/Darwin systems while leaving other BSD and Solaris platforms vulnerable [6][7]. That subsequent issue was fixed in version 1.43.0 [6]. Users are advised to upgrade to the latest available version of the SDK to ensure both issues are mitigated [6][8].

Upgrade go.opentelemetry.io/otel/sdk to v1.43.0 or later before merge.

Line 115 pins go.opentelemetry.io/otel/sdk v1.33.0, which is vulnerable to GO-2026-4394 (CVE-2026-24051 / GHSA-9h8m-3fm2-qjrq). This PATH hijacking vulnerability enables arbitrary code execution in versions 1.21.0 through 1.39.0. While v1.40.0 fixes this issue, a follow-up vulnerability (CVE-2026-39883) was discovered in the same code path, fixed only in v1.43.0. Upgrade to v1.43.0 and refresh dependent OTLP modules to keep versions coherent.

🧰 Tools
🪛 OSV Scanner (2.3.8)

[HIGH] 115-115: go.opentelemetry.io/otel/sdk 1.33.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk

(GO-2026-4394)


[HIGH] 115-115: go.opentelemetry.io/otel/sdk 1.33.0: OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking

(GHSA-9h8m-3fm2-qjrq)


[HIGH] 115-115: go.opentelemetry.io/otel/sdk 1.33.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 115, The go.opentelemetry.io/otel/sdk dependency is pinned to
v1.33.0 which contains security vulnerabilities that are only fixed in v1.43.0
or later. Update the go.opentelemetry.io/otel/sdk version from v1.33.0 to
v1.43.0 in the go.mod file. After updating, also refresh any dependent OTLP
modules that reference go.opentelemetry.io/otel/sdk to maintain version
coherence across all module dependencies.

Sources: Coding guidelines, Linters/SAST tools

@openshift-ci

openshift-ci Bot commented Jun 17, 2026

Contributor

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
