NO-JIRA: Bump openshift/api and openshift/client-go

[ardaguclu]

This PR bumps openshift/api and openshift/client-go to master branch to get KMS related changes.

Summary by CodeRabbit

• Chores
  • Updated OpenShift dependencies to newer versions for improved compatibility and performance.

[openshift-ci-robot]

@ardaguclu: This pull request explicitly references no jira issue.

Details

In response to this:

This PR bumps openshift/api and openshift/client-go to master branch to get KMS related changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[tjungblu]

/lgtm
/approve

[coderabbitai]

Walkthrough

Two OpenShift Go module dependencies in go.mod are bumped to newer commit-based pseudo-versions: github.com/openshift/api and github.com/openshift/client-go. No other dependencies or toolchain declarations are changed.

Changes

OpenShift Dependency Bump

Layer / File(s)	Summary
Bump openshift/api and openshift/client-go versions go.mod	github.com/openshift/api and github.com/openshift/client-go are updated to newer pseudo-version strings; github.com/openshift/build-machinery-go remains unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Container-Privileges	❌ Error	PR adds Kubernetes manifests with privileged settings (privileged: true, hostNetwork: true, runAsUser: 0) without explicit justification comments in 4 pod templates.	Add comments documenting why privileged access, hostNetwork, and root user are required for installer-pod.yaml, pruner-pod.yaml, and startup-monitor-pod.yaml system components.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping two OpenShift dependencies to incorporate KMS-related features from their master branches.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Repository uses standard Go testing, not Ginkgo. No Ginkgo imports found (no github.com/onsi/ginkgo). Tests use func TestXxx(t *testing.T) pattern, not Ginkgo's Describe/It/Context. Check not appli...
Test Structure And Quality	✅ Passed	The custom check requires reviewing Ginkgo test code, but this PR contains no Ginkgo tests. The test files use standard Go testing.T pattern, not Ginkgo's Describe/It blocks.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests (It(), Describe(), Context(), When()) are added in this PR. The PR adds standard Go unit/integration tests using testing.T and bumps OpenShift API dependencies. The check is not...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The PR updates go.mod dependencies and adds standard Go unit tests (using testing.T), not Ginkgo tests. The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR only bumps dependency versions in go.mod (openshift/api and openshift/client-go). No deployment manifests, operator code, or controllers are added or modified. The topology-aware scheduling...
Ote Binary Stdout Contract	✅ Passed	PR only updates go.mod dependency versions (2 lines changed) for openshift/api and openshift/client-go. No code changes are made, so no new stdout violations can be introduced in main(), init(), Te...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Test file added uses fake Kubernetes clients with example domains, contains no IPv4 hardcoding, IP parsing, or external connectivity requirements.
No-Weak-Crypto	✅ Passed	PR only bumps go.mod dependencies (openshift/api and client-go) for KMS changes. No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) are newly introduced by this PR; existin...
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates go.mod dependencies; no logging code or sensitive data exposure in logs introduced.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

@ardaguclu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/unit	a5c48f6	link	true	/test unit

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 21: The go.mod file pins github.com/openshift/api and
github.com/openshift/client-go to master-branch pseudo-versions
(v0.0.0-20260618181827-d22a47a846dc and similar), which are unvetted pre-release
commits that violate supply chain stability requirements. Replace these
master-branch pseudo-versions with actual stable release versions (e.g., vX.Y.Z
tags) that include the required KMS changes. If stable releases with the
necessary functionality are unavailable, document in a comment why these
specific pre-release commits are necessary and what validation has been
performed against them.
- Line 21: The dependency bump for openshift/api to a master-branch
pseudo-version (v0.0.0-20260618181827-d22a47a846dc) in go.mod lacks required
justification and supply chain security documentation. Either revert the
openshift/api dependency to the latest released stable version if the unreleased
commit is not essential, or if the master-branch version is necessary, document
the justification by adding a detailed commit message or PR description that
includes links to upstream CNTRLPLANE tracking issues or PRs corresponding to
this specific commit, a summary of the API changes that necessitate this
unreleased version, and references to the encryption-related tests (such as
those in test/e2e-encryption/encryption_test.go) that validate compatibility
between the openshift/api and openshift/client-go versions being used.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f723bc11-160f-4d21-8bf1-957ee2a2ed1d

📥 Commits

Reviewing files that changed from the base of the PR and between b0f5231 and a5c48f6.

⛔ Files ignored due to path filters (66)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/.ci-operator.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/Dockerfile.ocp is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/features.md is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_authentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_etcd.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_ingresscontroller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_kmsencryption.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_kubeapiserver.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/types_openshiftapiserver.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.deepcopy.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/route/v1/generated.proto is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/api/route/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !**/vendor/**, !vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/security/v1/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/kubestatemetricsresourcelabels.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/etcdspec.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmsencryptionstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kmspluginhealthreport.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/kubeapiserverstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/oauthapiserverstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/openshiftapiserverstatus.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/utils.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Using master-branch pseudo-versions violates supply chain stability expectations.

Lines 21 and 23 pin github.com/openshift/api and github.com/openshift/client-go to recent master-branch pseudo-versions (both from 2026-06-18). These are unvetted pre-release commits, not stable releases. Per the coding guidelines, production dependencies must not use pre-release or yanked versions. Master branch is inherently unstable and lacks the stability guarantees of tagged releases.

Consider identifying a stable release version that includes the required KMS changes, or document why stable releases are unavailable and what testing/validation has been performed against these specific commits.

Also applies to: 23-23

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 21, The go.mod file pins github.com/openshift/api and
github.com/openshift/client-go to master-branch pseudo-versions
(v0.0.0-20260618181827-d22a47a846dc and similar), which are unvetted pre-release
commits that violate supply chain stability requirements. Replace these
master-branch pseudo-versions with actual stable release versions (e.g., vX.Y.Z
tags) that include the required KMS changes. If stable releases with the
necessary functionality are unavailable, document in a comment why these
specific pre-release commits are necessary and what validation has been
performed against them.

Source: Coding guidelines

---

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find and read the go.mod file
fd -name go.mod -type f

Repository: openshift/library-go

Length of output: 295

---

🏁 Script executed:

# Also check the git history for recent changes to go.mod
git log --oneline -20 -- go.mod 2>/dev/null || echo "No git history available"

Repository: openshift/library-go

Length of output: 116

---

🏁 Script executed:

# Look for PR context or commit messages that mention KMS
git log --all --oneline --grep="KMS" 2>/dev/null | head -20 || echo "No matching commits"

Repository: openshift/library-go

Length of output: 1499

---

🏁 Script executed:

# Read the go.mod file to see the actual version pinning
cat go.mod

Repository: openshift/library-go

Length of output: 6826

---

🏁 Script executed:

# Get the commit details for the bump
git show a5c48f6f --stat

Repository: openshift/library-go

Length of output: 50377

---

🏁 Script executed:

# Get more details about the specific PR mentioned in the commit
git log a5c48f6f -1 --format=fuller

Repository: openshift/library-go

Length of output: 332

---

🏁 Script executed:

# Look for any PR references or upstream links in the recent git history
git log --all --format="%B" --grep="KMS\|openshift/api\|openshift/client-go" -i | head -100

Repository: openshift/library-go

Length of output: 3821

---

🏁 Script executed:

# Check if there are test files related to KMS in this repository
find . -type f -name "*kms*test*" -o -name "*test*kms*" | head -20

Repository: openshift/library-go

Length of output: 135

---

🏁 Script executed:

# Look for any evidence of testing these upgraded versions
rg -l "kms|KMS" test/ --type go | head -20

Repository: openshift/library-go

Length of output: 309

---

🏁 Script executed:

# Check the go.sum file for version information and verify if hashes match expected format
grep "github.com/openshift/api\|github.com/openshift/client-go" go.sum

Repository: openshift/library-go

Length of output: 522

---

🏁 Script executed:

# Check for CVE information for these specific commits
# First, let's look for any CHANGELOG or release notes references
git log --all --oneline --grep="changelog\|release\|CHANGELOG" -i | head -20

Repository: openshift/library-go

Length of output: 1339

---

🏁 Script executed:

# Search for licensing information in go.mod comments or documentation
head -50 go.mod | grep -A2 -B2 "license\|License\|LICENSE"

Repository: openshift/library-go

Length of output: 46

---

🏁 Script executed:

# Verify if there are actual test cases validating KMS functionality with these dependencies
grep -r "openshift/api\|openshift/client-go" test/library/encryption/ | head -20

Repository: openshift/library-go

Length of output: 706

---

🏁 Script executed:

# Check if there's any documentation about the specific commits being used
git show a5c48f6f:go.mod | grep -A2 -B2 "openshift"

Repository: openshift/library-go

Length of output: 469

---

🏁 Script executed:

# Check the commit dates to verify they're genuinely from the same time
git log -1 --format="%H %ai" a5c48f6f

Repository: openshift/library-go

Length of output: 131

---

🏁 Script executed:

# Look for any upstream repository references or KMS issue tracker information
git log a5c48f6f^..a5c48f6f --format="%B" | grep -i "fixes\|closes\|resolves\|#[0-9]\|openshift/"

Repository: openshift/library-go

Length of output: 264

---

🏁 Script executed:

# Check if there's a CHANGELOG or similar documenting the KMS changes
find . -type f \( -name "CHANGELOG*" -o -name "CHANGES*" -o -name "RELEASE*" \) | head -10

Repository: openshift/library-go

Length of output: 549

---

🏁 Script executed:

# Verify: are these versions pinned exactly or are they floating references?
cat go.mod | grep -A5 "require ("

Repository: openshift/library-go

Length of output: 621

---

🏁 Script executed:

# Let me verify the actual hashes are valid and check for any go.sum inconsistencies
wc -l go.sum && grep -c "github.com/openshift/api\|github.com/openshift/client-go" go.sum

Repository: openshift/library-go

Length of output: 77

---

🏁 Script executed:

# Check if there's any PR description or context we can access
git log --oneline -30 | grep -i "kms\|api\|client"

Repository: openshift/library-go

Length of output: 116

---

🏁 Script executed:

# Verify the pseudo-versions follow Go module conventions (v0.0.0-YYYYMMDDHHMMSS-COMMITHASH)
echo "openshift/api pseudo-version: v0.0.0-20260618181827-d22a47a846dc"
echo "openshift/client-go pseudo-version: v0.0.0-20260618131434-17fd91ed6167"
echo "Format check: YYYYMMDD matches commit dates"

Repository: openshift/library-go

Length of output: 244

---

🏁 Script executed:

# Let me check if there are actual integration/e2e tests that would validate KMS functionality
grep -r "kms\|KMS" test/e2e-encryption/encryption_test.go | head -20

Repository: openshift/library-go

Length of output: 1468

---

🏁 Script executed:

# Check what scenarios are being tested with these dependencies
grep -r "scenario\|Scenario" test/library/encryption/scenarios.go | head -15

Repository: openshift/library-go

Length of output: 1654

---

🏁 Script executed:

# Verify licensing is documented anywhere in the dependencies
grep -i "license\|COPYING" go.mod

Repository: openshift/library-go

Length of output: 46

---

🏁 Script executed:

# Check if there are specific test cases that validate the new API/client-go versions work together
grep -r "TestKMS\|TestEncryptionType" test/e2e-encryption/encryption_test.go | head -10

Repository: openshift/library-go

Length of output: 46

---

🏁 Script executed:

# Look for any references to upstream issues/PRs that might explain the KMS changes
git log --all --format="%B" | grep -i "CNTRLPLANE\|openshift/api\|openshift/client-go" | head -30

Repository: openshift/library-go

Length of output: 2092

---

🏁 Script executed:

# Verify that the two dependencies are truly compatible versions (not from different release cycles)
git log --oneline --all | grep -E "Bump|api|client-go" | head -15

Repository: openshift/library-go

Length of output: 957

---

Provide justification and evidence for bumping to master-branch commits.

The pseudo-versions (v0.0.0-20260618181827-d22a47a846dc and v0.0.0-20260618131434-17fd91ed6167) indicate unreleased commits from upstream master branches. While the codebase contains extensive KMS-related functionality and integration tests (test/e2e-encryption/encryption_test.go includes KMS verification), the commit message "Bump openshift/api and openshift/client-go" provides no:

• Link to upstream PRs or CNTRLPLANE tracking issues documenting these specific commits
• Changelog summary of breaking or significant changes
• Justification for why released versions cannot be used

Per supply chain security guidelines, non-release versions require explicit justification. Please provide:

1. Links to upstream issues/PRs corresponding to the commits (likely CNTRLPLANE-* tickets based on your KMS work history)
2. Summary of API changes in these commits requiring coordinated updates
3. Reference to which tests validate compatibility between these two versions

Related commits in history

27cc62d1 Bump openshift/api and openshift/client-go
76149153 Update openshift/api and openshift/client-go for KMS
c3797459 Update openshift/api and openshift/client-go for KMS

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 21, The dependency bump for openshift/api to a master-branch
pseudo-version (v0.0.0-20260618181827-d22a47a846dc) in go.mod lacks required
justification and supply chain security documentation. Either revert the
openshift/api dependency to the latest released stable version if the unreleased
commit is not essential, or if the master-branch version is necessary, document
the justification by adding a detailed commit message or PR description that
includes links to upstream CNTRLPLANE tracking issues or PRs corresponding to
this specific commit, a summary of the API changes that necessitate this
unreleased version, and references to the encryption-related tests (such as
those in test/e2e-encryption/encryption_test.go) that validate compatibility
between the openshift/api and openshift/client-go versions being used.

[bertinatto]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, bertinatto, tjungblu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bertinatto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ardaguclu]

/hold
there is a breaking change related to TLS

[jubittajohn]

Superseded by #2320

[ardaguclu]

/close

[openshift-ci]

@ardaguclu: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.