Skip to content

OCPBUGS-94014: Rebase v3.6.13 on main (5.0/4.23)#392

Open
dusk125 wants to merge 29 commits into
openshift:mainfrom
dusk125:rebase-5.0-v3.6.13
Open

OCPBUGS-94014: Rebase v3.6.13 on main (5.0/4.23)#392
dusk125 wants to merge 29 commits into
openshift:mainfrom
dusk125:rebase-5.0-v3.6.13

Conversation

@dusk125

@dusk125 dusk125 commented Jul 6, 2026

Copy link
Copy Markdown

Summary by CodeRabbit

  • New Features

    • Added support for CRL verification in TLS connections, including gRPC-only startup paths.
    • Added a new v2 deprecation option, write-only-skip-check, and documented it in help text.
  • Bug Fixes

    • Auth tokens now accept a Bearer prefix when read from gRPC metadata.
    • Maintenance status requests now require explicit auth information.
    • Cluster member updates now preserve learner status while updating peer URLs.
    • CLI commands now validate data directory and file paths before running.

silentred and others added 29 commits May 8, 2026 21:06
Signed-off-by: shenmu.wy <shenmu.wy@antfin.com>
Signed-off-by: shenmu.wy <shenmu.wy@antfin.com>
…mberupdate-learner

[release-3.6] bugfix: MemberUpdate implicitly and unexpectedly promotes a learner
… of panic when given non-existent paths

Signed-off-by: shenmu.wy <shenmu.wy@antfin.com>
…nvalid-datadir

[release-3.6] etcdutl: validate data file path instead of panic
- replace user.Current().Name == "root" with os.Getuid() == 0.
- drop os/user import and user.Current() error path.
- backport of etcd-io#21788
- address: etcd-io#21787

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
…elease-3.6

[release-3.6] client/pkg/fileutil: use os.Getuid() to skip TestIsDirWriteable as root
Signed-off-by: kunal.behbudzade <kunal.behbudzade@btsgrp.com>
Signed-off-by: Ian Chechin <ian00chechin@gmail.com>
[release-3.6] server: allow non-admin maintenance status
Co-authored-by: Benjamin Wang <benjamin.wang@broadcom.com>
Signed-off-by: Sahil Patel <smppatel999@gmail.com>
Signed-off-by: Ivan Valdes <iv@a.ki>
…check-for-3.6

[release-3.6] Add `write-only-skip-check` option for `--v2-deprecation` to bypass the v2 content check
Signed-off-by: AR21SM <mahajanashishar21sm@gmail.com>
Signed-off-by: AR21SM <mahajanashishar21sm@gmail.com>
…lease-3.6

[release-3.6] Bump golang.org/x/crypto to v0.52.0
Bumps distroless/static-debian12 from `20bc6c0` to `9c346e4`.

---
updated-dependencies:
- dependency-name: distroless/static-debian12
  dependency-version: 9c346e4be81b5ca7ff31a0d89eaeade58b0f95cfd3baed1f36083ddb47ca3160
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…se-3.6/distroless/static-debian12-9c346e4be81b5ca7ff31a0d89eaeade58b0f95cfd3baed1f36083ddb47ca3160

build(deps): bump distroless/static-debian12 from `20bc6c0` to `9c346e4`
Signed-off-by: AR21SM <mahajanashishar21sm@gmail.com>
[release-3.6] Bump OpenTelemetry dependencies to v1.43.0
Signed-off-by: Sahil Patel <smppatel999@gmail.com>
…ry-pick-21910-to-release-3.6

[release-3.6] server/auth: accept bearer-prefixed auth tokens
Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
[release-3.6] Reject the client request if the client certificate has been revoked
Signed-off-by: Ivan Valdes <iv@a.ki>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 6, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@dusk125: This pull request references Jira Issue OCPBUGS-94014, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sandeepknd

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jul 6, 2026
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dusk125

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2026
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Walkthrough

This PR bumps Go toolchain and module dependency versions across all go.mod files and the Dockerfile base image, adds TLS CRL verification support for gRPC-only mode, restricts UpdateRaftAttributes to only update PeerURLs, strips "Bearer " prefixes from auth tokens, introduces a V2Depr1WriteOnlySkipCheck deprecation stage, and adds input validation helpers to etcdutl commands.

Changes

Version and dependency bumps

Layer / File(s) Summary
Toolchain, image, and version bumps
.go-version, Dockerfile, api/version/version.go, */go.mod, tools/*/go.mod
Go toolchain updated to 1.25.11, distroless base image digest updated, Version bumped to 3.6.13, and golang.org/x/*/OpenTelemetry indirect dependencies upgraded across all modules.

CRL verification for gRPC-only mode

Layer / File(s) Summary
CRL method and wiring
client/pkg/transport/listener_tls.go, server/embed/serve.go, server/embed/etcd.go, tests/e2e/ctl_v3_kv_test.go
Adds TLSInfo.ConfigureCRLVerification wired into gRPC-only secure serving, fixes a log message, and adds an e2e test for revoked CRL under gRPC-only.

UpdateRaftAttributes scoped to PeerURLs

Layer / File(s) Summary
PeerURLs-only update and tests
server/etcdserver/api/membership/cluster.go, cluster_test.go, tests/integration/clientv3/cluster_test.go
UpdateRaftAttributes now updates only PeerURLs with existence checks; adds learner-member test coverage and an integration test with a getMemberByID helper.

Auth token normalization and Status RPC gate

Layer / File(s) Summary
Bearer stripping and auth gate
server/auth/store.go, store_test.go, server/etcdserver/api/v3rpc/maintenance.go, tests/common/maintenance_auth_test.go
AuthInfoFromCtx strips a "Bearer " prefix; authMaintenanceServer.Status now requires auth info instead of a permission check.

V2 deprecation skip-check option

Layer / File(s) Summary
New enum value and handling
server/config/v2_deprecation.go, server/etcdmain/config.go, help.go, server/storage/util.go
Adds V2Depr1WriteOnlySkipCheck constant, wires flag parsing/normalization, help text, and bypasses v2 content validation for the new stage.

etcdutl input validation

Layer / File(s) Summary
Validation helpers and command wiring
etcdutl/etcdutl/common.go, defrag_command.go, hashkv_command.go, migrate_command.go, snapshot_command.go, client/pkg/fileutil/fileutil_test.go
Adds validateDataDir/validateFilePath helpers applied early in defrag, hashkv, migrate, and snapshot commands; also simplifies a fileutil test's root-user check.

Estimated code review effort: 3 (Moderate) | ~30 minutes

Possibly related PRs

  • openshift/etcd#375: Shares the same api/version/version.go Version constant update and toolchain/dependency bump pattern.

Suggested labels: lgtm

Suggested reviewers: deads2k, tjungblu, sandeepknd

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: rebasing v3.6.13 onto main for the 5.0/4.23 line.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Touched tests use static names only; no Ginkgo titles or dynamic test-name data were added.
Test Structure And Quality ✅ Passed No Ginkgo tests were added/modified; the changed tests are standard Go tests with explicit cleanup and timeouts where needed.
Microshift Test Compatibility ✅ Passed PASS: The new e2e test is plain testing.T and only exercises TLS/CRL client behavior—no unsupported OpenShift APIs/features or MicroShift assumptions.
Single Node Openshift (Sno) Test Compatibility ✅ Passed New e2e test uses WithClusterSize(1) and TLS/CRL-only behavior; no multi-node, HA, scheduling, or failover assumptions were added.
Topology-Aware Scheduling Compatibility ✅ Passed The patch only bumps versions and adjusts auth/CRL/revision logic; no deployment/controller scheduling code, node selectors, affinity, spread constraints, or PDBs were added.
Ote Binary Stdout Contract ✅ Passed No touched main/init/TestMain/suite-setup code gained stdout writes; changes are CLI helpers, auth logic, and tests only.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: The added e2e test is a plain Go test, not Ginkgo, and it uses framework-generated localhost cluster URLs with no public hosts or hardcoded IPv4.
No-Weak-Crypto ✅ Passed The patch adds TLS CRL checks, Bearer-prefix trimming, and file-path validation; no MD5/SHA1/DES/RC4/3DES/Blowfish, custom crypto, or secret comparisons were introduced.
Container-Privileges ✅ Passed No changed manifest adds privileged settings; the Dockerfile only updates the distroless digest and has no USER/privileged flags.
No-Sensitive-Data-In-Logs ✅ Passed No new sensitive data is logged; auth tokens are redacted, and added warnings/logs don’t include secrets or PII.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
server/etcdserver/api/membership/cluster.go (1)

622-637: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Minor: non-idiomatic var-block + misleading log message.

Two small nits:

  • var (m *Member; ok bool) followed by m, ok = c.members[id] is more verbosely written than idiomatic Go's if m, ok := c.members[id]; !ok {.
  • The log message "Skipped updating non-existent member in v2store" is misleading — the early return also skips the v3 backend update (c.be.MustSaveMemberToBackend), not just v2store.
✏️ Suggested tweak
-	var (
-		m  *Member
-		ok bool
-	)
-
-	if m, ok = c.members[id]; !ok {
-		c.lg.Info("Skipped updating non-existent member in v2store",
+	m, ok := c.members[id]
+	if !ok {
+		c.lg.Info("Skipped updating non-existent member",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/etcdserver/api/membership/cluster.go` around lines 622 - 637, The
member lookup in cluster.go is written with a separate var block and assignment,
which is less idiomatic Go; simplify the non-existent-member check in the
membership update path to use the usual short variable declaration in the
conditional around c.members[id]. Also update the log text in that same branch
in the cluster membership update flow to accurately describe that the early
return skips both the v2store and the v3 backend save, so the message matches
the behavior in the code path around c.be.MustSaveMemberToBackend.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@client/pkg/transport/listener_tls.go`:
- Around line 169-190: Add a focused unit test for ConfigureCRLVerification in
listener_tls.go that exercises the key branches: no-op when TLSInfo.CRLFile is
empty, existing cfg.VerifyConnection being called first and short-circuiting on
error, nil return when tls.ConnectionState has no PeerCertificates, and
delegation to checkCRL for a connection with a certificate. Use TLSInfo and
ConfigureCRLVerification to locate the code, and assert both revoked and
non-revoked outcomes via a tls.ConnectionState setup.

---

Nitpick comments:
In `@server/etcdserver/api/membership/cluster.go`:
- Around line 622-637: The member lookup in cluster.go is written with a
separate var block and assignment, which is less idiomatic Go; simplify the
non-existent-member check in the membership update path to use the usual short
variable declaration in the conditional around c.members[id]. Also update the
log text in that same branch in the cluster membership update flow to accurately
describe that the early return skips both the v2store and the v3 backend save,
so the message matches the behavior in the code path around
c.be.MustSaveMemberToBackend.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9e1f67e5-fa6e-428c-9765-b3cf88d54599

📥 Commits

Reviewing files that changed from the base of the PR and between bf6c009 and afedd47.

⛔ Files ignored due to path filters (12)
  • api/go.sum is excluded by !**/*.sum
  • client/pkg/go.sum is excluded by !**/*.sum
  • client/v3/go.sum is excluded by !**/*.sum
  • etcdctl/go.sum is excluded by !**/*.sum
  • etcdutl/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
  • pkg/go.sum is excluded by !**/*.sum
  • server/go.sum is excluded by !**/*.sum
  • tests/go.sum is excluded by !**/*.sum
  • tools/mod/go.sum is excluded by !**/*.sum
  • tools/rw-heatmaps/go.sum is excluded by !**/*.sum
  • tools/testgrid-analysis/go.sum is excluded by !**/*.sum
📒 Files selected for processing (36)
  • .go-version
  • Dockerfile
  • api/go.mod
  • api/version/version.go
  • client/pkg/fileutil/fileutil_test.go
  • client/pkg/go.mod
  • client/pkg/transport/listener_tls.go
  • client/v3/go.mod
  • etcdctl/go.mod
  • etcdutl/etcdutl/common.go
  • etcdutl/etcdutl/defrag_command.go
  • etcdutl/etcdutl/hashkv_command.go
  • etcdutl/etcdutl/migrate_command.go
  • etcdutl/etcdutl/snapshot_command.go
  • etcdutl/go.mod
  • go.mod
  • pkg/go.mod
  • server/auth/store.go
  • server/auth/store_test.go
  • server/config/v2_deprecation.go
  • server/embed/etcd.go
  • server/embed/serve.go
  • server/etcdmain/config.go
  • server/etcdmain/help.go
  • server/etcdserver/api/membership/cluster.go
  • server/etcdserver/api/membership/cluster_test.go
  • server/etcdserver/api/v3rpc/maintenance.go
  • server/go.mod
  • server/storage/util.go
  • tests/common/maintenance_auth_test.go
  • tests/e2e/ctl_v3_kv_test.go
  • tests/go.mod
  • tests/integration/clientv3/cluster_test.go
  • tools/mod/go.mod
  • tools/rw-heatmaps/go.mod
  • tools/testgrid-analysis/go.mod

Comment on lines +169 to +190
// ConfigureCRLVerification appends a VerifyConnection hook to cfg that
// rejects any peer certificate whose serial number appears in the CRL file
// configured on info. It is a no-op when CRLFile is empty. Any existing
// VerifyConnection hook is called first and its error short-circuits.
func (info TLSInfo) ConfigureCRLVerification(cfg *tls.Config) {
if len(info.CRLFile) == 0 {
return
}
crlFile := info.CRLFile
prev := cfg.VerifyConnection
cfg.VerifyConnection = func(cs tls.ConnectionState) error {
if prev != nil {
if err := prev(cs); err != nil {
return err
}
}
if len(cs.PeerCertificates) == 0 {
return nil
}
return checkCRL(crlFile, cs.PeerCertificates)
}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add a unit test for ConfigureCRLVerification.

The method's logic (no-op when CRLFile empty, prior hook short-circuiting, allowing 0-cert connections, delegating to checkCRL) is a good candidate for a focused unit test (e.g., constructing a tls.ConnectionState with a revoked/non-revoked cert and asserting the returned error). Only an e2e test was added for this new security-relevant path.

As per coding guidelines, "All changes are expected to come with a unit test."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@client/pkg/transport/listener_tls.go` around lines 169 - 190, Add a focused
unit test for ConfigureCRLVerification in listener_tls.go that exercises the key
branches: no-op when TLSInfo.CRLFile is empty, existing cfg.VerifyConnection
being called first and short-circuiting on error, nil return when
tls.ConnectionState has no PeerCertificates, and delegation to checkCRL for a
connection with a certificate. Use TLSInfo and ConfigureCRLVerification to
locate the code, and assert both revoked and non-revoked outcomes via a
tls.ConnectionState setup.

Source: Coding guidelines

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

@dusk125: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn afedd47 link true /test e2e-aws-ovn
ci/prow/e2e-aws-ovn-upgrade afedd47 link true /test e2e-aws-ovn-upgrade
ci/prow/upstream-e2e afedd47 link false /test upstream-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants