Master submodule update 06 09

[jrvaldes]

Summary by CodeRabbit

• Chores
  • Updated Kubernetes kubelet build revision to include latest patches.
  • Updated container networking plugins and infrastructure component submodules.
  • Bumped Go module dependencies for API, networking, and utility packages.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates pinned versions across the Windows Machine Config Operator dependency tree. The changes encompass the kubelet build-time Git revision, OpenShift platform libraries, go-openapi tooling modules, Kubernetes OpenAPI machinery, and three key infrastructure submodules: cloud-provider-aws, containernetworking-plugins, and ovn-kubernetes. Each dependency shift moves to a more recent commit or release, bringing transitive updates to build outputs and runtime behavior across Windows and Linux orchestration paths.

Suggested reviewers

• mansikulkarni96

🚥 Pre-merge checks | ✅ 17 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Go Best Practices & Build Tags	⚠️ Warning	cmd/operator/main.go violates build tag requirement: Linux-only code must have //go:build !windows, but currently has none.	Add //go:build !windows as the first line in cmd/operator/main.go to enforce Linux-only compilation for the operator.
Topology-Aware Scheduling Compatibility	⚠️ Warning	PR modifies config/manager/manager.yaml deployment with nodeSelector targeting control-plane nodes and single replica, incompatible with SNO/HyperShift topologies.	Add topology checks to reconcile replicas based on infrastructure.Status.ControlPlaneTopology; replace control-plane nodeSelector with topology-aware scheduling or affinity rules.
Title check	❓ Inconclusive	The title 'Master submodule update 06 09' is vague and generic, using date-based notation that lacks descriptive specificity about which components or purpose.	Consider a more descriptive title like 'Update kubelet, cloud-provider-aws, ovn-kubernetes, and dependencies' to clearly communicate the scope of submodule and dependency updates.

✅ Passed checks (17 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security: Secrets, Ssh & Csr	✅ Passed	Submodule/dependency updates only—no application code changes. SSH sessions properly closed; secrets never logged; CSR validation checks node identity and certificate requirements.
Kubernetes Controller Patterns	✅ Passed	PR makes no changes to application controller code—only updates Makefile, submodule pointers, go.mod, and vendored dependencies. Check is not applicable.
Windows Service Management	✅ Passed	PR contains only submodule and dependency updates (Makefile, go.mod, vendor packages); no Windows service management code was modified, so the check is not applicable.
Platform-Specific Requirements	✅ Passed	PR is a pure dependency/submodule maintenance update with no platform-specific code, documentation, or functionality changes. No new platform-specific constraints or limitations are introduced.
Stable And Deterministic Test Names	✅ Passed	No test files (*.go test code) were modified in this PR. The changes are limited to submodule updates, Makefile, and go.mod dependency updates. Check is not applicable.
Test Structure And Quality	✅ Passed	No Ginkgo test files were modified in this PR. Changes are limited to Makefile, submodules, go.mod/go.sum, and vendored dependencies, making the test structure review check not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR—only infrastructure/dependency updates (Makefile, submodules, go.mod). The MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains no new Ginkgo e2e tests. The change is a submodule/dependency update with no Ginkgo test additions, so the SNO compatibility check is not applicable.
Ote Binary Stdout Contract	✅ Passed	OTE binary (wmco-tests-ext) in PR contains no stdout violations: no fmt.Print/Println/Printf calls, no klog writes, and proper use of OTE framework for JSON communication.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR; it only updates submodules, Makefile, and go.mod dependencies. The check does not apply.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) detected. Uses golang.org/x/crypto/openpgp with AES-128 encryption, no custom crypto implementations.
Container-Privileges	✅ Passed	PR only modifies Makefile, go.mod, and submodule references—no K8s manifests or container configs changed. No privileged settings introduced.
No-Sensitive-Data-In-Logs	✅ Passed	No logging statements expose passwords, tokens, API keys, PII, session IDs, or sensitive data. All logging uses structured logging with safe metadata only (names, namespaces, errors).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jrvaldes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jrvaldes]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 67-68: Verify compatibility of the indirect go-openapi bumps by
running the project's OpenAPI/schema checks: ensure the upgrade of
github.com/go-openapi/jsonpointer and github.com/go-openapi/jsonreference
doesn't change generated JSON names by exercising the swagger toolchain that
pulls in swag/jsonname (check swag v0.26.x behavior); run the standard
verification target (e.g., make verify) and inspect any diffs in generated
OpenAPI specs or schema name mappings (pay special attention to swag/jsonname
behavior and k8s.io/kube-openapi vendored usage), and if regressions appear, pin
or update swag/jsonname usage or adjust generation code to restore previous json
name behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ec8775e0-49ad-4ace-adc5-13b727f99805

📥 Commits

Reviewing files that changed from the base of the PR and between 3eea65e and 32616f8.

⛔ Files ignored due to path filters (57)

• go.sum is excluded by !**/*.sum, !go.sum
• vendor/github.com/go-openapi/jsonpointer/.cliff.toml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/ifaces.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/options.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonreference/.gitignore is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/jsonreference/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/swag/jsonname/ifaces.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated.*.go, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated.*.go, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated.*.go, !**/zz_generated*
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated.*.go, !**/zz_generated*
• vendor/github.com/openshift/api/machineconfiguration/v1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/types_osimagestream.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated.*.go, !**/zz_generated*
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated.*.go, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1/types_etcd.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*
• vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated.*.go, !**/zz_generated*
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (6)

• Makefile
• cloud-provider-aws
• containernetworking-plugins
• go.mod
• kubelet
• ovn-kubernetes

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for direct usage of go-openapi packages in the codebase
echo "=== Checking for direct go-openapi usage ==="
rg -n --type=go "github.com/go-openapi/(jsonpointer|jsonreference|swag)" --no-heading

# Check the go-openapi/swag changelog for v0.26.x breaking changes
echo -e "\n=== Checking go-openapi/swag release notes ==="
gh api repos/go-openapi/swag/releases --jq '.[] | select(.tag_name | startswith("v0.26")) | {tag_name, published_at, body}'

Repository: openshift/windows-machine-config-operator

Length of output: 43504

---

Check swag/jsonname behavior change compatibility for the indirect go-openapi bumps.

The jsonpointer/jsonreference updates are indirect, and current usage shows up only via vendored k8s.io/kube-openapi. The swag/jsonname jump is the main risk: swag v0.26.0 introduces a new json name provider, and v0.26.1 adds a loading sandbox with security implications. Run the usual verification (e.g., make verify) to catch any OpenAPI/schema naming regressions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 67 - 68, Verify compatibility of the indirect go-openapi
bumps by running the project's OpenAPI/schema checks: ensure the upgrade of
github.com/go-openapi/jsonpointer and github.com/go-openapi/jsonreference
doesn't change generated JSON names by exercising the swagger toolchain that
pulls in swag/jsonname (check swag v0.26.x behavior); run the standard
verification target (e.g., make verify) and inspect any diffs in generated
OpenAPI specs or schema name mappings (pay special attention to swag/jsonname
behavior and k8s.io/kube-openapi vendored usage), and if regressions appear, pin
or update swag/jsonname usage or adjust generation code to restore previous json
name behavior.

Source: Coding guidelines

[jrvaldes]

/retest-required

[jrvaldes]

/retest-required

[openshift-ci]

@jrvaldes: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/vsphere-disconnected-e2e-operator	32616f8	link	true	/test vsphere-disconnected-e2e-operator
ci/prow/vsphere-proxy-e2e-operator	32616f8	link	true	/test vsphere-proxy-e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jrvaldes]

/retest-required