
CNTRPLANE-3226: kms: bump library-go to get KMS plugin security context#916

Open
bertinatto wants to merge 1 commit into
openshift:masterfrom
bertinatto:kms-plugins-lifecycle-restrict-sidecar

Conversation

@bertinatto

@bertinatto bertinatto commented Jun 11, 2026

Member

Summary by CodeRabbit

  • Chores
    • Updated a core dependency to a newer pinned version to keep the project aligned with upstream fixes and improvements.
    • Maintained the existing redirect for the testing framework dependency so test behavior remains unchanged.

@bertinatto

Member Author

/test e2e-aws-operator-encryption-kms

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 11, 2026
@coderabbitai

coderabbitai Bot commented Jun 11, 2026


Walkthrough

Bump the require version of github.com/openshift/library-go in go.mod to a newer pseudo-version; no other module requirements or replace directives were changed.

Changes

Dependency version update

Layer / File(s): go.mod (Bump library-go require version)
Summary: Updated the require entry for github.com/openshift/library-go to a newer pseudo-version (single-line change).

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: bumping library-go to obtain a KMS plugin security context fix, which aligns with the go.mod dependency version update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Repo scan found no Ginkgo/Go test titles using dynamic pod/namespace/node/IP/UUID/timestamps; PR content appears limited to dependency bump (go.mod/go.sum).
Test Structure And Quality ✅ Passed PR #916 changes only go.mod/go.sum (and vendored deps), with no Ginkgo test code added/modified, so the test-structure quality check is not applicable.
Microshift Test Compatibility ✅ Passed PR updates only go.mod (library-go pseudo-version bump; keeps ginkgo replace). No new Ginkgo e2e tests were added, so MicroShift API compatibility check is not triggered.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR #916 only changes go.mod/go.sum and vendored deps; no new Ginkgo e2e tests were added, so SNO compatibility assumptions are not introduced.
Topology-Aware Scheduling Compatibility ✅ Passed PR only changes go.mod dependency version; no deployment manifests, operator code, or controller modifications. The check requires changes to these files to apply.
Ote Binary Stdout Contract ✅ Passed cmd/cluster-authentication-operator-tests-ext/main.go sets klog.LogToStderr(true) and no fmt.Print/os.Stdout/log.Print/klog.Print stdout writes found in main/init/TestMain in test/e2e packages.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR #916 only changes go.mod/go.sum (dependency bump) and vendored library-go files; no new Ginkgo e2e tests (It/Describe/Context) were added to flag IPv4/external connectivity assumptions.
No-Weak-Crypto ✅ Passed Non-vendor scan found 0 uses of MD5/SHA1/DES/3DES/RC4/Blowfish/ECB and 0 subtle.ConstantTimeCompare/bytes.Equal(secret/token) patterns; go.mod change is dependency-only.
Container-Privileges ✅ Passed PR changes only go.mod/go.sum and vendor library-go KMS sidecar code; in the changed files, AllowPrivilegeEscalation is set to false and no privileged/hostPID/hostNetwork/hostIPC or SYS_ADMIN appears.
No-Sensitive-Data-In-Logs ✅ Passed PR #916 changes only go.mod via dependency replace directives; no code/logging statements were added or modified, so no sensitive data can be exposed in logs.



Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 137: Remove the personal-fork replace directive pointing library-go (the
line with "replace github.com/openshift/library-go =>
github.com/bertinatto/library-go ..."), restore the dependency to the official
module, and instead open a PR against github.com/openshift/library-go with your
required patches so the project can consume an upstream released version; after
that, update go.mod to reference the appropriate upstream released version (no
local replace), run automated CVE/OSV scanning (e.g., osv.dev) against the
chosen upstream version, and ensure any build/artifact provenance, attestation,
or signing requirements are satisfied before merging.
- Line 135: Update the repository documentation to justify the go.mod
replacement of github.com/onsi/ginkgo/v2 with
github.com/openshift/onsi-ginkgo/v2 (the replace line in go.mod); state what
functional/behavioral changes or bugfixes in the OpenShift fork are required
(cite specific commits, features, or incompatibilities vs upstream ginkgo that
our code depends on), and indicate whether this override is temporary or
permanent plus the plan and timeline to upstream the changes and revert the
replace (or reasons for keeping it permanently). Reference the exact replace
directive and both module names (github.com/onsi/ginkgo/v2 and
github.com/openshift/onsi-ginkgo/v2) so reviewers can locate the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 34e8750e-90ab-47d8-8481-982557740f0c

📥 Commits

Reviewing files that changed from the base of the PR and between 4c8a2c0 and 2fd71ce.

⛔ Files ignored due to path filters (9)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/encryptiondata/secret.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/helpers.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/kms/vault.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
sigs.k8s.io/yaml v1.6.0 // indirect
)

replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for CVEs affecting the ginkgo fork version

# Query GitHub security advisories for ginkgo
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/onsi/ginkgo/v2") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

# Also check the OpenShift fork
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/openshift/onsi-ginkgo/v2") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/cluster-authentication-operator

Length of output: 421


🏁 Script executed:

#!/bin/bash
set -euo pipefail

ver="v2.6.1-0.20251001123353-fd5b1fb35db1"
for pkg in "github.com/onsi/ginkgo/v2" "github.com/openshift/onsi-ginkgo/v2"; do
  curl -s https://api.osv.dev/v1/query \
    -H 'content-type: application/json' \
    -d "{\"package\":{\"name\":\"$pkg\"},\"version\":\"$ver\"}"
  echo
done

Repository: openshift/cluster-authentication-operator

Length of output: 91


Justify the OpenShift Ginkgo fork in go.mod

For go.mod’s replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1, OSV reports no vulnerabilities for that pinned pseudo-version for both github.com/onsi/ginkgo/v2 and github.com/openshift/onsi-ginkgo/v2.

Please still document:

  • Why the OpenShift onsi-ginkgo fork is required (what changes differ from upstream)
  • Whether the override is temporary or permanent, and the upstreaming/reversion plan if temporary
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 135, Update the repository documentation to justify the
go.mod replacement of github.com/onsi/ginkgo/v2 with
github.com/openshift/onsi-ginkgo/v2 (the replace line in go.mod); state what
functional/behavioral changes or bugfixes in the OpenShift fork are required
(cite specific commits, features, or incompatibilities vs upstream ginkgo that
our code depends on), and indicate whether this override is temporary or
permanent plus the plan and timeline to upstream the changes and revert the
replace (or reasons for keeping it permanently). Reference the exact replace
directive and both module names (github.com/onsi/ginkgo/v2 and
github.com/openshift/onsi-ginkgo/v2) so reviewers can locate the change.

Source: Coding guidelines

@bertinatto bertinatto force-pushed the kms-plugins-lifecycle-restrict-sidecar branch from 2fd71ce to df3d7b1 Compare June 12, 2026 20:21
@bertinatto bertinatto changed the title WIP: Fake bump to test KMS sidecar restrictions CNTRPLANE-3226: kms: bump library-go to get KMS plugin security context Jun 12, 2026
@openshift-ci-robot

Contributor

@bertinatto: No Jira issue with key CNTRPLANE-3226 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary by CodeRabbit

  • Chores
  • Updated project dependencies to pinned versions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bertinatto bertinatto marked this pull request as ready for review June 12, 2026 20:22
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 12, 2026
@openshift-ci-robot

Contributor

@bertinatto: No Jira issue with key CNTRPLANE-3226 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Summary by CodeRabbit

  • Chores
  • Updated a core dependency to a newer pinned version to keep the project aligned with upstream fixes and improvements.
  • Maintained the existing redirect for the testing framework dependency so test behavior remains unchanged.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from gangwgr and p0lyn0mial June 12, 2026 20:27

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
go.mod (1)

135-135: ⚡ Quick win

Document the OpenShift Ginkgo fork override (pre-existing, still applies).

The replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1 directive persists from earlier review feedback. If this override is still in use, please add a comment in go.mod or the project documentation explaining:

  • Why the OpenShift fork is required (specific bug fixes, backports, or features not in upstream ginkgo).
  • Whether the override is permanent or temporary, and if temporary, the plan/timeline to upstream changes and revert to upstream ginkgo.

This supports supply-chain transparency and future maintainability.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 135, Add a short explanatory comment next to the existing
replace directive "replace github.com/onsi/ginkgo/v2 =>
github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1" (or in
project docs) that states why the OpenShift fork is required (specific
bug/PR/backport or feature) and whether this override is permanent or temporary;
if temporary, include the plan/timeline and the criteria for reverting to
upstream ginkgo so future maintainers can understand and remove the override
when appropriate.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 17: Add a one-line rationale and migration plan for the pseudo-version
pin of github.com/openshift/library-go in the PR: insert a brief comment (e.g.,
// pinned to pseudo-version for testing KMS sidecar restrictions; will move to
upstream tag before main/prod) near the go.mod entry for
github.com/openshift/library-go and add a TODO in the repo docs or PR
description that commits the plan to update to a tagged upstream release; also
double-check there is no unintended replace directive for
github.com/openshift/library-go (no replace github.com/bertinatto/library-go)
and mention that check in the PR description.

---

Nitpick comments:
In `@go.mod`:
- Line 135: Add a short explanatory comment next to the existing replace
directive "replace github.com/onsi/ginkgo/v2 =>
github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1" (or in
project docs) that states why the OpenShift fork is required (specific
bug/PR/backport or feature) and whether this override is permanent or temporary;
if temporary, include the plan/timeline and the criteria for reverting to
upstream ginkgo so future maintainers can understand and remove the override
when appropriate.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e6e0c5eb-8b60-4f5e-8a53-5bde3777da69

📥 Commits

Reviewing files that changed from the base of the PR and between 2fd71ce and df3d7b1.

⛔ Files ignored due to path filters (5)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/reference_data_resolver.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go is excluded by !**/vendor/**, !vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/vault.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (1)
  • go.mod

Comment thread go.mod
github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af
github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
github.com/openshift/library-go v0.0.0-20260612140105-3fa3bb604fd6
github.com/openshift/library-go v0.0.0-20260612181855-acbfa3c5590f
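Review bot: the two adjacent github.com/openshift/library-go lines are the old and new pins of one require entry, so the hunk only proves the pseudo-version moved from 20260612140105-3fa3bb604fd6 to 20260612181855-acbfa3c5590f; the security-context change the title promises lives in vendor/github.com/openshift/library-go/pkg/operator/encryption/kms/pluginlifecycle/sidecar.go, which the review configuration excludes (`!**/vendor/**`), so the securityContext set there (the Container-Privileges check reports AllowPrivilegeEscalation set to false) needs a human look, and go.sum plus vendor/modules.txt should carry the same commit. A one-line comment on the require entry naming the library-go change being pulled in would make the bump self-explaining.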


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check CVEs for the bumped library-go pseudo-version
PSEUDO_VER="v0.0.0-20260612181855-acbfa3c5590f"

echo "=== Checking OSV advisories for github.com/openshift/library-go $PSEUDO_VER ==="
curl -s https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d "{\"package\":{\"name\":\"github.com/openshift/library-go\"},\"version\":\"$PSEUDO_VER\"}"

echo
echo "=== Verifying no replace directive for bertinatto/library-go ==="
rg -n "replace\s+github\.com/openshift/library-go\s+=>\s+github\.com/bertinatto/library-go" go.mod || echo "✓ No bertinatto fork replace found"

echo
echo "=== Current library-go require line ==="
rg -n "github\.com/openshift/library-go\s+" go.mod | grep -v "^[[:space:]]*#" | head -1

Repository: openshift/cluster-authentication-operator

Length of output: 403


Require rationale for github.com/openshift/library-go pseudo-version bump (go.mod:17)

  • go.mod pins github.com/openshift/library-go to v0.0.0-20260612181855-acbfa3c5590f; add PR-specific justification (e.g., “testing KMS sidecar restrictions”) and document a plan to move to a tagged upstream release before this reaches production/main.
  • osv.dev reports no advisories for this exact pseudo-version, and go.mod contains no replace github.com/openshift/library-go => github.com/bertinatto/library-go.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 17, Add a one-line rationale and migration plan for the
pseudo-version pin of github.com/openshift/library-go in the PR: insert a brief
comment (e.g., // pinned to pseudo-version for testing KMS sidecar restrictions;
will move to upstream tag before main/prod) near the go.mod entry for
github.com/openshift/library-go and add a TODO in the repo docs or PR
description that commits the plan to update to a tagged upstream release; also
double-check there is no unintended replace directive for
github.com/openshift/library-go (no replace github.com/bertinatto/library-go)
and mention that check in the PR description.

Source: Coding guidelines
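The two review threads above both reduce to one supply-chain check on go.mod: which require entries are pinned to pseudo-versions (commit pins rather than tagged releases), which replace directives redirect an import path to a fork or a local directory, and what to send to the OSV query API for each pin. The Go program below is an added example, not code from this PR, from CodeRabbit, or from the cluster-authentication-operator project. It parses a small go.mod constructed from the directives quoted in this PR (the module path and the `go 1.24` line are assumed), classifies what it finds, and builds the OSV request body offline instead of sending it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one supply-chain observation about a go.mod directive.
type Finding struct {
	Kind    string // "pseudo-version", "fork-replace", "local-replace" or "version-override"
	Module  string // module path on the left-hand side of the directive
	Target  string // replacement path (replace directives only)
	Version string // pinned version, if any
}

// pseudoVersion matches Go pseudo-versions, i.e. commit pins such as
// v0.0.0-20260612181855-acbfa3c5590f or v2.6.1-0.20251001123353-fd5b1fb35db1:
// a base version, a 14-digit UTC timestamp and a 12-hex-digit commit prefix.
var pseudoVersion = regexp.MustCompile(`^v\d+\.\d+\.\d+.*[-.]\d{14}-[0-9a-f]{12}$`)

// AuditGoMod walks go.mod line by line (enough for require/replace lines and
// blocks; it is not a full modfile parser) and returns every pseudo-version
// pin and every replace directive, classified by what the replacement points at.
func AuditGoMod(src string) []Finding {
	var findings []Finding
	block := "" // "require" or "replace" while inside a parenthesised block
	for _, raw := range strings.Split(src, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if block == "" && len(fields) == 2 && fields[1] == "(" {
			block = fields[0]
			continue
		}
		if fields[0] == ")" {
			block = ""
			continue
		}
		directive := block
		if directive == "" {
			directive, fields = fields[0], fields[1:]
		}
		switch directive {
		case "require":
			if len(fields) == 2 && pseudoVersion.MatchString(fields[1]) {
				findings = append(findings, Finding{Kind: "pseudo-version", Module: fields[0], Version: fields[1]})
			}
		case "replace":
			if f, ok := classifyReplace(fields); ok {
				findings = append(findings, f)
			}
		}
	}
	return findings
}

// classifyReplace handles "old [v] => new v" and "old [v] => ../localdir".
func classifyReplace(fields []string) (Finding, bool) {
	arrow := -1
	for i, f := range fields {
		if f == "=>" {
			arrow = i
		}
	}
	if arrow < 1 || arrow+1 >= len(fields) {
		return Finding{}, false
	}
	f := Finding{Module: fields[0], Target: fields[arrow+1]}
	if arrow+2 < len(fields) {
		f.Version = fields[arrow+2]
	}
	switch {
	case f.Version == "" || strings.HasPrefix(f.Target, ".") || strings.HasPrefix(f.Target, "/"):
		f.Kind = "local-replace" // filesystem path: should never reach a release build
	case f.Target != f.Module:
		f.Kind = "fork-replace" // a different module path now serves this import path
	default:
		f.Kind = "version-override"
	}
	return f, true
}

// OSVQueryBody builds the JSON body for POST https://api.osv.dev/v1/query, the
// request the review scripts above send with curl; nothing is sent here.
func OSVQueryBody(module, version string) (string, error) {
	b, err := json.Marshal(map[string]any{
		"package": map[string]string{"name": module, "ecosystem": "Go"},
		"version": version,
	})
	return string(b), err
}

// sampleGoMod is constructed for this example from directives quoted in the PR;
// the module path and the "go 1.24" line are assumed, not taken from the repo.
const sampleGoMod = `module github.com/openshift/cluster-authentication-operator

go 1.24

require (
	github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af
	github.com/openshift/library-go v0.0.0-20260612181855-acbfa3c5590f
	sigs.k8s.io/yaml v1.6.0 // indirect
)

replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251001123353-fd5b1fb35db1
`

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		mod := f.Module
		if f.Target != "" {
			mod = f.Target // the fork, not the import path, is what OSV must be asked about
		}
		fmt.Printf("%-16s %s %s\n", f.Kind, mod, f.Version)
		if f.Version != "" {
			body, _ := OSVQueryBody(mod, f.Version)
			fmt.Printf("  osv query: %s\n", body)
		}
	}
}
```

Run it with `go run .`; on the constructed input it reports two pseudo-version pins and the Ginkgo fork replace, each with the OSV body to POST. A replace whose right-hand side is a relative path comes out as `local-replace`, which is the case a release pipeline should fail on outright; a `fork-replace` is the case that, as the reviews above ask, needs a written rationale next to the directive.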

@openshift-ci

openshift-ci Bot commented Jun 13, 2026

Contributor

@bertinatto: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
