From 86d976bcf1071b383e1366cd84d18aeb914ed099 Mon Sep 17 00:00:00 2001
From: ci-robot
Date: Tue, 12 May 2026 04:38:05 +0000
Subject: [PATCH 1/8] update last_rebase.sh
---
 scripts/auto-rebase/last_rebase.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh
index dc4f6c8b4b..a6e1dfc45c 100755
--- a/scripts/auto-rebase/last_rebase.sh
+++ b/scripts/auto-rebase/last_rebase.sh
@@ -1,2 +1,2 @@
 #!/bin/bash -x
-./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-05-05-231020" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-05-06-233705"
+./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release-5:5.0.0-0.nightly-2026-05-11-124243" "registry.ci.openshift.org/ocp-arm64/release-5-arm64:5.0.0-0.nightly-arm64-2026-05-12-005002"
From 7a718e33d4b84ed216850178af448d1fde9479e8 Mon Sep 17 00:00:00 2001
From: ci-robot
Date: Tue, 12 May 2026 04:38:07 +0000
Subject: [PATCH 2/8] update changelog
---
 scripts/auto-rebase/changelog.txt | 227 ++++++++++++++++++++++++------
 scripts/auto-rebase/commits.txt | 34 ++---
 2 files changed, 204 insertions(+), 57 deletions(-)
diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt
index 8d92762d0e..34e2fe10db 100644
--- a/scripts/auto-rebase/changelog.txt
+++ b/scripts/auto-rebase/changelog.txt
@@ -1,57 +1,204 @@ -- api embedded-component a49973eaef537f281362e1ffa3abeacf7ed85c62 to 28b45b8020c71ad7c056b3ad1d569eff94d6b878 - - e9c797fc 2026-05-01T11:53:18-04:00 Clarify cluster operator Progressing condition - - 3dd2dc4b 2026-04-29T11:06:20+02:00 MON-4561: API: Add softirqs node-exporter collector to ClusterMonitoring CRD +- api embedded-component 28b45b8020c71ad7c056b3ad1d569eff94d6b878 to 49ae21b8502fc80a351dc17ca4f0a16056797ab4 + - e0eecb43 2026-05-07T17:59:09+03:00 Rename KMSConfig Struct to KMSPluginConfig + - 223afd76 2026-05-07T13:27:50+05:30 chore: remove deprecated k8s.io/api packages removed in v0.36.0 + - d03b52fb 2026-05-06T15:30:59-04:00 Promote MutatingAdmissionPolicy to Default + - 28e53981 2026-05-05T16:20:40+02:00 Add OLMLifecycleAndCompatibility feature gate + - ebfb8f08 2026-04-28T12:16:15+05:30 Revert "OCPBUGS-83492: Allow :ref suffix in additionalLayerStores path for stargz-store to support lazy image pulling" + - 51fe56c7 2026-04-08T20:43:45+02:00 Promote EVPN Feature Gate -- cluster-ingress-operator embedded-component 98ff1a6fedd18fbf2ed6fec9796104d7b4bc952c to df64b34df475cd58b0342dd617c29a9180ea9e5e - - a846988 2026-04-10T00:51:18-04:00 waitForDeploymentEnvVar: Remove client parameter - - 9d2f210 2026-04-10T00:51:18-04:00 TestUnsupportedConfigOverride: Ignore featuregate - - 579b4de 2026-04-10T00:26:09-04:00 Add waitForDeploymentFunc test helper func - - 49371cb 2026-03-30T16:43:15-04:00 waitForDeploymentEnvVar: Fix godoc +- cluster-ingress-operator embedded-component df64b34df475cd58b0342dd617c29a9180ea9e5e to b2e02207a61e7fa07c6a64969345413853bf28da + - b99436e 2026-05-04T13:37:37-04:00 Allow host network connections to the ingress canary + - 083925f 2026-04-01T12:25:25-07:00 Tighten PEM bundle tests + - 8cdace8 2026-03-26T16:19:58-07:00 Fix malformed PEM bundle when tls.crt lacks trailing newline -- cluster-network-operator embedded-component 23f002049008db9e852694ff2baaa68cd5b84525 to b1101d16e850319c488a47cb5c756402075900b8 - - 
7795779 2026-05-04T19:10:11+05:30 frr-k8s: enable BGP daemon to listen on standard port 179 - - a09d0c1 2026-05-04T19:10:11+05:30 ovn-k: grant routeadvertisements CRUD to control-plane SA in managed routing mode +- cluster-kube-apiserver-operator embedded-component 9b45cbafcea23be9c63e01947506495d030666d0 to ee66dc7fb78d4166621b65a37791c6e1285a90ac + - 93680a0 2026-05-07T10:15:34+05:30 Migrate KMS encryption tests to OTE + - c89b281 2026-05-07T10:15:30+05:30 Update library-go to include KMS mock plugin deployer and testing.TB interface + - ca5e71a 2026-04-28T11:50:35-04:00 vendor: bump library-go + - beb322c 2026-04-28T11:48:53-04:00 Use SkipInClusterAuthenticationLookup in check-endpoints -- kubernetes embedded-component 2447118a5cf501f71c2da4b2f4ff14f3492aec10 to 5f099ccd1e8345f615d10381290909a8ca581b66 - - 739e2eb2c 2026-04-30T16:11:47+01:00 UPSTREAM: : bump openshift/api dependency - - 568c860e4 2026-04-30T16:11:36+01:00 UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression - - 4bfac2def 2026-04-30T16:11:21+01:00 UPSTREAM: : Export email validation functions - -- machine-config-operator embedded-component 7eef4fdc72274bbf6845b1ea15d8af4723e42962 to 9d3ee9d972ed9373db03a498ca6ab831093d2420 - - 9c7c37f6 2026-04-29T23:26:51+08:00 AGENT-1443: Include platform VIPs in IRI cert SANs to match installer - - 95c47d22 2026-04-27T19:17:17+08:00 AGENT-1443: Add e2e test for IRI cert regeneration on MCS CA rotation - - da3b4783 2026-04-27T17:55:05+08:00 AGENT-1443: Add SAN validation to IRI cert rotation and wire mcfgClient - - 8be62adb 2026-04-27T17:55:05+08:00 AGENT-1443: Add feature gate, idempotency, and localhost SANs to IRI cert rotation - - 1c84abf9 2026-04-27T17:55:05+08:00 AGENT-1443: Add IRI certificate regeneration to MCS cert rotation controller - - 6c48b964 2026-04-24T12:19:32-04:00 crio: enable default_runtime metric - - 138f7a5e 2026-04-24T12:19:32-04:00 prom rules: add alert for nodes using runc - - 
3d1f08bc 2026-04-22T13:20:08+05:30 Migrate MCO daemon test suite from openshift-tests-private - -- operator-framework-olm embedded-component 4201d40dfc99de60e8791d02b89bc7aebeaae930 to 2fcbb3e4a8a1445c2b557d3485ac3f63ba5127a1 +- cluster-network-operator embedded-component b1101d16e850319c488a47cb5c756402075900b8 to 6f47993888c3e88153028f22023ad5b36f710b9b + - bf486f8 2026-05-07T23:47:16Z Revert "OCPBUGS-83800: add remaining CNO NetworkPolicies" (#2959) + - a5d3f19 2026-05-06T21:04:21-04:00 NVIDIA-616: Bump Multus CNI API version to 1.1.0 + - 2a1363f 2026-05-06T21:04:16-04:00 NVIDIA-596: Enable DPU healthcheck + - f21e69a 2026-05-01T11:08:14-04:00 Add missing CNCC NetworkPolicies + - cbb9f4f 2026-05-01T11:08:11-04:00 Add proper CVO annotations to CNO default-deny NP + - f4734c5 2026-04-16T19:08:18-04:00 OCPBUGS-78731: Move enable-multicast from config maps to CLI flags + - 35ff348 2026-04-16T19:08:13-04:00 NVIDIA-554: DPU-host mode: use ConfigMap for OVN feature enablement instead of per-node script gating + - 411921c 2026-04-15T15:19:23-04:00 Remove dead OVN_MULTI_NETWORK_ENABLE template variable +- csi-external-snapshotter embedded-component d1bc3ffaa9759c13a06c2ec61c541342e71bd109 to 3219da7dcbb14fa762704746d21fb38131beb1f4 + - 72eb399 2026-04-21T11:21:53+02:00 UPSTREAM: 1392: Fix VolumeSnapshotContent deletion -- service-ca-operator embedded-component 2aa88ace39a1abe7647bc5b03e6a599985b31605 to e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b - - 73dd9f6 2026-04-27T14:48:36+05:30 test: network policy tests +- etcd embedded-component d8d67b8ce849f816d6d23c904098336632e2348f to c543fe15324510d13e896c31232ecd5d100d9de5 + - 67297a50 2026-05-07T11:39:17-04:00 DOWNSTREAM: : update images + - ec166e22 2026-05-01T11:50:30-07:00 version: bump up to 3.6.11 + - 633de82d 2026-04-29T10:12:10+01:00 Fix the 'read via PrevKv' and 'Put with lease' in TXN bypass rbac check issue + - fbbd0a16 2026-04-29T10:07:23+01:00 Add an integration test to reproduce the issue of PutWithLease in a TXN 
bypass RBAC check + - 3fe57463 2026-04-29T10:05:53+01:00 Add an integration test case to reproduce the read via PrevKv bypass rbac check issue + - c387fa54 2026-04-28T21:46:03+01:00 Get all Put related auth check into a separate function 'checkPutAuth' + - 20e6f233 2026-04-28T21:45:58+01:00 move function CheckTxnAuth from package txn to apply + - 3c521c33 2026-04-26T21:16:39+01:00 Bump golang.org/x/image to v0.39.0 to resolve GO-2026-4962 + - e989219f 2026-04-26T20:31:03+01:00 Fix the issue of not being able to adding new member when one existing member is down + - 9daef7ff 2026-04-26T20:26:51+01:00 Add an e2e test to reproduce the adding member failure when one member is down + - 00e1bcaf 2026-04-13T16:27:28-04:00 DOWNSTREAM: : Increase snapshot test new member wait timeout + - d39bc8b2 2026-04-09T14:40:52-04:00 DOWNSTREAM: : update images + - 29e8bb53 2026-04-09T13:19:39-04:00 UPSTREAM: : manually resolve conflicts + - e25d4802 2026-04-08T14:59:10-04:00 *: bump go to 1.25.9 + - eff7875e 2026-04-05T20:24:51+05:30 tests: Change max retries when removing a member from a cluster + - db8d13a5 2026-04-01T11:29:49-07:00 version: bump up to 3.6.10 + - c99cf0c3 2026-03-31T08:50:34-04:00 etcdserver: allow non-admin to fetch member list and alarms + - f2173cd4 2026-03-27T16:12:46Z Bump golang.org/x/image to v0.38.0 to resolve GO-2026-4815 + - e0f7af4d 2026-03-27T15:39:55Z Fix etcdctl endpoint command with option --cluster when auth is enabled + - 85651fa5 2026-03-20T11:04:03-07:00 version: bump up to 3.6.9 + - 15263501 2026-03-19T17:36:13-04:00 tests/integration: fix flaky testcase + - f8998013 2026-03-19T13:26:23-07:00 dependency: Bump google.golang.org/grpc from v1.75.0 to 1.79.3 + - 68551b32 2026-03-18T13:33:17-04:00 tests: update test for auth + - 7f73a57b 2026-03-18T12:25:41-04:00 server/etcdserver: guard unauthenticated endpoints with auth checks + - 3080527d 2026-03-18T12:09:02-04:00 server/etcdserver: enforce auth checks for nested txn ops + - fff31761 
2026-03-08T12:54:43Z [release-3.6] devcontainer: remove devcontainer config + - cf9553d4 2026-03-06T15:20:21-08:00 Bump Go to 1.25.8 + - 02bec62b 2026-03-06T20:10:13Z build(deps): bump distroless/static-debian12 from `3f2b64e` to `20bc6c0` + - d131ca7a 2026-03-06T10:00:50+01:00 Revert "Reuse events between sync loops" + - 00bd77f6 2026-03-06T12:06:23+05:30 Bump golang.org/x/net@ v0.51.0 fixes GO-2026-4559 + - 200dbea8 2026-03-03T10:17:41+01:00 Don't reuse same ReadIndex + - 928b3c6b 2026-03-02T18:17:37Z devcontainer: bump Go image to 1.25 for release-3.6 + - 745da53a 2026-03-02T02:48:26+08:00 etcdctl: add license header + - 1d60990e 2026-03-02T02:47:54+08:00 etcdctl: add unit test for Argify + - 10068016 2026-03-02T02:47:02+08:00 etcdctl: fix slice bounds trimming single-quoted args + - 1f234c99 2026-03-01T08:21:54+08:00 [release-3.6] bump Go to 1.25.7 + - 51d12afd 2026-02-27T13:28:22-08:00 Add defer-recover block to prevent panic when cc is nil + - a395a60f 2026-02-27T12:42:34-08:00 Bump golangci lint to v2 + - a6e27ce8 2026-02-26T17:03:29Z Print the endpoint the grpc client connected to in unary interceptor + - fe194ee5 2026-02-26T15:56:32Z Fix unit test failure + - 179dcf87 2026-02-26T14:11:30Z Fix race berween read index and leader change causing a stale read + - d456631c 2026-02-24T01:01:42Z server/etcdmain: fix deadlock issue for grpcproxy + - e4522d80 2026-02-23T00:07:28+08:00 dependency: bump go.opentelemetry.io/otel/sdk from v1.34.0 to v1.40.0 + - f8692e28 2026-02-18T19:00:20Z server/etcdserver/api/v3rpc: run metrics interceptors before handlers + - 4e814e20 2026-02-13T10:39:11-08:00 version: bump up to 3.6.8 + - 2d3c79c3 2026-02-05T22:56:07-06:00 [release-3.6] Bump go version to 1.24.13 + - bf783366 2026-02-03T09:55:46Z Remove the use of grpc-go's Metadata field + - ef879964 2026-01-30T10:13:09Z Bump go version to 1.24.11 + - e8308218 2026-01-19T15:38:40Z Keep the --snapshot-count flag + - a8892448 2026-01-19T11:32:28Z Remove flag --max-snapshots in 3.8 
rather than 3.7 + - 81c32a40 2025-12-18T16:45:22-08:00 tools: explicitly require golang.org/x/tools/cmd/goimports + - f767aa25 2025-12-18T14:53:28-08:00 dependency: Bump golang.org/x/crypto from 0.42.0 to 0.45.0 + - e838ef11 2025-12-18T03:39:29+08:00 version: bump up to 3.6.7 + - 61af088e 2025-12-15T22:51:44-06:00 dependency: Bump golang.org/x/net from 0.38.0 to 0.45.0 + - 97141e1f 2025-12-06T21:27:55+08:00 Bump go to 1.24.11 + - 554dc70e 2025-11-17T17:51:06Z Print token fingerprint instead of the original tokens in log messages + - d2809cf0 2025-11-12T00:12:43-05:00 version: bump up to 3.6.6 + - 145d927d 2025-11-07T15:41:12Z v3rpc: add and use getServerMetrics() with global metricsServerCached + - 2c0db321 2025-11-06T21:41:05-08:00 Bump from go1.24.9 to go1.24.10 + - 523100b1 2025-11-06T19:19:48Z Fix the '--force-new-cluster' can't clean up learners issue + - 7d3fc029 2025-11-06T19:19:48Z Add an e2e test cases to reproduce the '--force-new-cluster' can't remove learner issue + - db6be4c1 2025-10-31T01:21:20Z tests: use WaitLeader() in memberPromoteWithAuth() + - 76ee0bc9 2025-10-31T01:21:20Z etcdserver: follow convention to extract auth token in cluster_util.go + - 5377bb9d 2025-10-31T01:21:20Z etcdserver: fix cannot promote with auth from follower + - e88e142c 2025-10-31T01:21:20Z test: add promote with auth e2e tests + - 1e023019 2025-10-15T11:31:08+08:00 Bump go to 1.24.9 + - 4973fd42 2025-10-12T17:05:56+01:00 Fix endpoint status not retuning the correct storage quota + - ee85ed30 2025-10-01T15:39:50Z server/embed: Log EOF on DEBUG in TLS handshake + - 3bb44700 2025-09-23T17:47:02Z Reject watch request with -1 revision and make rangeEvents safe against negative revision -- router image-amd64 896390778ebe15f57f87e6ca78f11c96e64c2652 to dfaf1cb3116cd7e0a5ab2e23f4d371f3777f7853 - - c223ef7 2026-05-04T11:25:19-03:00 fix handling of host conflict +- kubernetes embedded-component 5f099ccd1e8345f615d10381290909a8ca581b66 to f9b62a69d4a05e10b2b7cf8d40afa37f9dcd0938 + - 
a035288c5 2026-04-15T09:35:48-07:00 UPSTREAM: 138401: Improve WatchList test robustness -- kubernetes image-amd64 2447118a5cf501f71c2da4b2f4ff14f3492aec10 to 5f099ccd1e8345f615d10381290909a8ca581b66 - - 739e2eb2c 2026-04-30T16:11:47+01:00 UPSTREAM: : bump openshift/api dependency - - 568c860e4 2026-04-30T16:11:36+01:00 UPSTREAM: : authentication: enforce claims.email_verified usage when claims.email is used in username expression - - 4bfac2def 2026-04-30T16:11:21+01:00 UPSTREAM: : Export email validation functions +- machine-config-operator embedded-component 9d3ee9d972ed9373db03a498ca6ab831093d2420 to 3320406c26099d7395ce79417e5c7fd929aa895d + - c48e9be4 2026-05-06T11:37:52-04:00 daemon: skip bootupd when shim is safe + - 5e350d32 2026-05-06T10:24:44-04:00 Fix e2e-ocl-1of2 flake where MOSB is deleted by stale controller event + - ba342bf9 2026-05-06T10:24:26-04:00 Fix e2e-ocl-2of2 timeout flake for TestStaleAnnotationClearedOnLayerOnlyChange + - e0a0806e 2026-05-06T21:40:34+08:00 AGENT-1514: Add ML-KEM verification test for IRI registry + - a5bc08d4 2026-05-05T10:18:48+02:00 OCPBUGS-84661: Fix wrong early exit during kubelet MCs regeneration + - 31427064 2026-05-04T14:16:26-04:00 controller: add terminationMessagePolicy to build pod containers + - d54b9b4b 2026-05-04T11:27:52-04:00 daemon: use --delete-if-present for karg removal + - 867a618f 2026-04-29T12:37:55+02:00 OCPBUGS-83830: Apply password only if changes exist -- service-ca-operator image-amd64 2aa88ace39a1abe7647bc5b03e6a599985b31605 to e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b - - 73dd9f6 2026-04-27T14:48:36+05:30 test: network policy tests +- operator-framework-olm embedded-component 2fcbb3e4a8a1445c2b557d3485ac3f63ba5127a1 to 12c665225e64d6c3b9d8f294299fc874ef080e4d + - 2b05ab25 2026-05-08T10:11:54+02:00 feat: use resource-based RBAC for lifecycle-server auth + - 6c8ec2f7 2026-05-07T00:05:48Z don't derive explicit release version from substitutesFor/buildMetadata in CSV (#1966) + - 266ce866 
2026-05-07T00:05:07Z Bump github.com/mattn/go-sqlite3 from 1.14.42 to 1.14.44 (#1969) + - 528ad7a1 2026-05-07T00:04:51Z Bump github.com/onsi/ginkgo/v2 from 2.28.1 to 2.28.3 (#1968) + - 4eb5d1f7 2026-05-07T00:04:36Z Bump github.com/onsi/gomega from 1.39.1 to 1.40.0 (#1967) + - ec10cb22 2026-05-07T00:04:05Z :seedling: Bump google.golang.org/grpc from 1.80.0 to 1.81.0 (#3822) + - 67d2172d 2026-05-07T00:03:48Z :seedling: Bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 (#3825) + - fe602386 2026-05-07T00:03:32Z :seedling: Bump github.com/operator-framework/operator-registry (#3823) + - 5a9d6c44 2026-05-06T09:42:25+02:00 Fix lifecycle-server readiness probe to allow empty index -- oc image-arm64 16d140aeefdc2b07f549945801c9cefab703ca68 to 6ac066994b962cb01886dab515d821720324ed52 +- oc image-amd64 16d140aeefdc2b07f549945801c9cefab703ca68 to 6ac066994b962cb01886dab515d821720324ed52 - d1931c31 2026-04-22T17:32:51+01:00 OCPBUGS-62799: Add required-scc annotation to node-joiner pod to prevent third-party SCC interference -- csi-external-snapshotter image-arm64 d1bc3ffaa9759c13a06c2ec61c541342e71bd109 to 3219da7dcbb14fa762704746d21fb38131beb1f4 +- csi-external-snapshotter image-amd64 d1bc3ffaa9759c13a06c2ec61c541342e71bd109 to 3219da7dcbb14fa762704746d21fb38131beb1f4 - 72eb399 2026-04-21T11:21:53+02:00 UPSTREAM: 1392: Fix VolumeSnapshotContent deletion -- router image-arm64 dfaf1cb3116cd7e0a5ab2e23f4d371f3777f7853 to 65271d2c19cb35fb5e802ee72fc4de502c5e16b6 +- router image-amd64 dfaf1cb3116cd7e0a5ab2e23f4d371f3777f7853 to b75bab261392d5eacb115db408f121618a23e41d - dc7e786 2026-04-23T15:52:51-03:00 move from option forwarded to manual header update - 313daa6 2026-04-23T11:09:02-03:00 fix forwarded header for IPv6 on IPv4 stack - 0500b49 2026-04-14T17:06:57-03:00 create self-signed crt if failing to read default + - 6c4ca66 2025-09-22T15:38:07-04:00 Reapply "OCPBUGS-55506: Prevent startup failures due to name resolution" + +- ovn-kubernetes image-amd64 
952886fd8af2ca3ecf1717a2cb69311a32f25c06 to 22e9487ee7060a85cfe20886b73e11fce3249e36 + - 34cfe4e5 2026-04-30T10:09:06Z sync test annotations with upstream changes + - 0abdfe64 2026-04-30T10:06:55Z sync openshift/go.mod with upstream dependencies + - 3e586049 2026-04-29T11:24:31+02:00 Address set: add existing IPs check on setAddresses. + - ad46e42d 2026-04-28T08:54:17Z test: fix layer2 UDN controller test flake in kubevirt live-migration + - b66b0927 2026-04-28T10:05:39+02:00 fix UDN unit test to use new node controller constructor + - a0e535ac 2026-04-27T17:12:58Z EVPN: add allowas-in origin for BGP neighbors + - 4b7ffe0f 2026-04-27T16:49:36Z Bump the go_modules group across 3 directories with 2 updates + - 53822e35 2026-04-27T12:12:24-04:00 Fake NM: make it per network activity + - 5b9cf808 2026-04-27T12:12:24-04:00 cluster manager: integrate status manager with d-udn + - 726bdd19 2026-04-27T12:12:24-04:00 e2e egress fw: fixes for Dynamic UDN + - 267f18d2 2026-04-27T12:12:24-04:00 networkmanager: skip dynamic UDN for bare NADs + - 9c6e65bc 2026-04-27T12:12:24-04:00 cluster manager: fixes race with NAD deletion + - 9f7ece70 2026-04-27T12:12:24-04:00 Update e2e for Dynamic Subnet Allocation + - c1e81f8e 2026-04-27T12:12:24-04:00 Adds dynamic allocation for cluster manager + - 6760a289 2026-04-24T14:03:49-07:00 cleanup stale L2 primary UDN tunnel ID annotations on restart + - e1d509a8 2026-04-24T17:54:42+02:00 UT: get rid of the fake address set factory + - 7d049570 2026-04-24T17:54:38+02:00 Replace selectedNamespace = nil with more obvious struct. 
+ - 960efda8 2026-04-24T17:18:18+02:00 Move hostNamespace handling to the addressset_manager.go + - f90bfac4 2026-04-24T11:07:08-04:00 Bump frr to 10.6.0 to pick up more coredump fixes + - caac89aa 2026-04-24T11:07:08-04:00 Bump metallb frr to 10.5.3 + - d58942dd 2026-04-24T16:03:30+02:00 UT: stop setting HostNetworkNamespace across unrelated UTs + - 5b649e92 2026-04-24T16:03:30+02:00 addresssetManager: fix resetting address sets on restart. + - cc84bac9 2026-04-24T16:03:30+02:00 AddresssetManager: add legacy netpol mode. + - e4b71f53 2026-04-21T14:51:08-04:00 e2e: preload netshoot image for no_overlay suite + - 1b2426bf 2026-04-21T14:51:08-04:00 e2e: preload netshoot image for kubevirt tests instead of iperf + - fe163a70 2026-03-12T11:48:25+01:00 Fix invalid characters in e2e artifact directory paths + +- kubernetes image-amd64 5f099ccd1e8345f615d10381290909a8ca581b66 to f9b62a69d4a05e10b2b7cf8d40afa37f9dcd0938 + - a035288c5 2026-04-15T09:35:48-07:00 UPSTREAM: 138401: Improve WatchList test robustness + +- router image-arm64 65271d2c19cb35fb5e802ee72fc4de502c5e16b6 to b75bab261392d5eacb115db408f121618a23e41d + - 6c4ca66 2025-09-22T15:38:07-04:00 Reapply "OCPBUGS-55506: Prevent startup failures due to name resolution" + +- ovn-kubernetes image-arm64 952886fd8af2ca3ecf1717a2cb69311a32f25c06 to 22e9487ee7060a85cfe20886b73e11fce3249e36 + - 34cfe4e5 2026-04-30T10:09:06Z sync test annotations with upstream changes + - 0abdfe64 2026-04-30T10:06:55Z sync openshift/go.mod with upstream dependencies + - 3e586049 2026-04-29T11:24:31+02:00 Address set: add existing IPs check on setAddresses. 
+ - ad46e42d 2026-04-28T08:54:17Z test: fix layer2 UDN controller test flake in kubevirt live-migration + - b66b0927 2026-04-28T10:05:39+02:00 fix UDN unit test to use new node controller constructor + - a0e535ac 2026-04-27T17:12:58Z EVPN: add allowas-in origin for BGP neighbors + - 4b7ffe0f 2026-04-27T16:49:36Z Bump the go_modules group across 3 directories with 2 updates + - 53822e35 2026-04-27T12:12:24-04:00 Fake NM: make it per network activity + - 5b9cf808 2026-04-27T12:12:24-04:00 cluster manager: integrate status manager with d-udn + - 726bdd19 2026-04-27T12:12:24-04:00 e2e egress fw: fixes for Dynamic UDN + - 267f18d2 2026-04-27T12:12:24-04:00 networkmanager: skip dynamic UDN for bare NADs + - 9c6e65bc 2026-04-27T12:12:24-04:00 cluster manager: fixes race with NAD deletion + - 9f7ece70 2026-04-27T12:12:24-04:00 Update e2e for Dynamic Subnet Allocation + - c1e81f8e 2026-04-27T12:12:24-04:00 Adds dynamic allocation for cluster manager + - 6760a289 2026-04-24T14:03:49-07:00 cleanup stale L2 primary UDN tunnel ID annotations on restart + - e1d509a8 2026-04-24T17:54:42+02:00 UT: get rid of the fake address set factory + - 7d049570 2026-04-24T17:54:38+02:00 Replace selectedNamespace = nil with more obvious struct. + - 960efda8 2026-04-24T17:18:18+02:00 Move hostNamespace handling to the addressset_manager.go + - f90bfac4 2026-04-24T11:07:08-04:00 Bump frr to 10.6.0 to pick up more coredump fixes + - caac89aa 2026-04-24T11:07:08-04:00 Bump metallb frr to 10.5.3 + - d58942dd 2026-04-24T16:03:30+02:00 UT: stop setting HostNetworkNamespace across unrelated UTs + - 5b649e92 2026-04-24T16:03:30+02:00 addresssetManager: fix resetting address sets on restart. + - cc84bac9 2026-04-24T16:03:30+02:00 AddresssetManager: add legacy netpol mode. 
+ - e4b71f53 2026-04-21T14:51:08-04:00 e2e: preload netshoot image for no_overlay suite + - 1b2426bf 2026-04-21T14:51:08-04:00 e2e: preload netshoot image for kubevirt tests instead of iperf + - fe163a70 2026-03-12T11:48:25+01:00 Fix invalid characters in e2e artifact directory paths + +- kubernetes image-arm64 5f099ccd1e8345f615d10381290909a8ca581b66 to f9b62a69d4a05e10b2b7cf8d40afa37f9dcd0938 + - a035288c5 2026-04-15T09:35:48-07:00 UPSTREAM: 138401: Improve WatchList test robustness diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index 772ec98ebd..130237185e 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt 
@@ -1,35 +1,35 @@
-https://github.com/openshift/api embedded-component 28b45b8020c71ad7c056b3ad1d569eff94d6b878
+https://github.com/openshift/api embedded-component 49ae21b8502fc80a351dc17ca4f0a16056797ab4
 https://github.com/openshift/cluster-csi-snapshot-controller-operator embedded-component 108f37f0e378accc322cbeb68136ec500ec35b94
 https://github.com/openshift/cluster-dns-operator embedded-component 3d2141182243cde1ec6417bd005c76d29aa88a01
-https://github.com/openshift/cluster-ingress-operator embedded-component df64b34df475cd58b0342dd617c29a9180ea9e5e
-https://github.com/openshift/cluster-kube-apiserver-operator embedded-component 9b45cbafcea23be9c63e01947506495d030666d0
+https://github.com/openshift/cluster-ingress-operator embedded-component b2e02207a61e7fa07c6a64969345413853bf28da
+https://github.com/openshift/cluster-kube-apiserver-operator embedded-component ee66dc7fb78d4166621b65a37791c6e1285a90ac
 https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component ca150c42a7982509b8bba34080308cff00c09310
 https://github.com/openshift/cluster-kube-scheduler-operator embedded-component a0495853f80d38e19d07b98a225e1aa0e7972ac9
-https://github.com/openshift/cluster-network-operator embedded-component b1101d16e850319c488a47cb5c756402075900b8
+https://github.com/openshift/cluster-network-operator embedded-component 6f47993888c3e88153028f22023ad5b36f710b9b
 https://github.com/openshift/cluster-openshift-controller-manager-operator embedded-component c941a99dd2b9200c0de23606c4372d33d656a756
 https://github.com/openshift/cluster-policy-controller embedded-component bb429f5b2a7d77791110b06d8ec5c017183e3ab9
-https://github.com/openshift/csi-external-snapshotter embedded-component d1bc3ffaa9759c13a06c2ec61c541342e71bd109
-https://github.com/openshift/etcd embedded-component d8d67b8ce849f816d6d23c904098336632e2348f
-https://github.com/openshift/kubernetes embedded-component 5f099ccd1e8345f615d10381290909a8ca581b66
+https://github.com/openshift/csi-external-snapshotter embedded-component 3219da7dcbb14fa762704746d21fb38131beb1f4
+https://github.com/openshift/etcd embedded-component c543fe15324510d13e896c31232ecd5d100d9de5
+https://github.com/openshift/kubernetes embedded-component f9b62a69d4a05e10b2b7cf8d40afa37f9dcd0938
 https://github.com/openshift/kubernetes-kube-storage-version-migrator embedded-component 72835e43c7754356645e41031f3a99926b4d42e6
-https://github.com/openshift/machine-config-operator embedded-component 9d3ee9d972ed9373db03a498ca6ab831093d2420
+https://github.com/openshift/machine-config-operator embedded-component 3320406c26099d7395ce79417e5c7fd929aa895d
 https://github.com/openshift/openshift-controller-manager embedded-component 731d7429a788e0d70e3556e40f82c1ba9d55abe7
-https://github.com/openshift/operator-framework-olm embedded-component 2fcbb3e4a8a1445c2b557d3485ac3f63ba5127a1
+https://github.com/openshift/operator-framework-olm embedded-component 12c665225e64d6c3b9d8f294299fc874ef080e4d
 https://github.com/openshift/route-controller-manager embedded-component 624742d93f3a7885cf7f70985f1e23ff60da580d
 https://github.com/openshift/service-ca-operator embedded-component e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b
-https://github.com/openshift/oc image-amd64 16d140aeefdc2b07f549945801c9cefab703ca68
+https://github.com/openshift/oc image-amd64 6ac066994b962cb01886dab515d821720324ed52
 https://github.com/openshift/coredns image-amd64 0dded2d232dab43c107b1dab9d0d9fdfd8259622
-https://github.com/openshift/csi-external-snapshotter image-amd64 d1bc3ffaa9759c13a06c2ec61c541342e71bd109
-https://github.com/openshift/router image-amd64 dfaf1cb3116cd7e0a5ab2e23f4d371f3777f7853
+https://github.com/openshift/csi-external-snapshotter image-amd64 3219da7dcbb14fa762704746d21fb38131beb1f4
+https://github.com/openshift/router image-amd64 b75bab261392d5eacb115db408f121618a23e41d
 https://github.com/openshift/kube-rbac-proxy image-amd64 d12e274605248f6c59373240a7eae7a7a357dcb3
-https://github.com/openshift/ovn-kubernetes image-amd64 952886fd8af2ca3ecf1717a2cb69311a32f25c06
-https://github.com/openshift/kubernetes image-amd64 5f099ccd1e8345f615d10381290909a8ca581b66
+https://github.com/openshift/ovn-kubernetes image-amd64 22e9487ee7060a85cfe20886b73e11fce3249e36
+https://github.com/openshift/kubernetes image-amd64 f9b62a69d4a05e10b2b7cf8d40afa37f9dcd0938
 https://github.com/openshift/service-ca-operator image-amd64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b
 https://github.com/openshift/oc image-arm64 6ac066994b962cb01886dab515d821720324ed52
 https://github.com/openshift/coredns image-arm64 0dded2d232dab43c107b1dab9d0d9fdfd8259622
 https://github.com/openshift/csi-external-snapshotter image-arm64 3219da7dcbb14fa762704746d21fb38131beb1f4
-https://github.com/openshift/router image-arm64 65271d2c19cb35fb5e802ee72fc4de502c5e16b6
+https://github.com/openshift/router image-arm64 b75bab261392d5eacb115db408f121618a23e41d
 https://github.com/openshift/kube-rbac-proxy image-arm64 d12e274605248f6c59373240a7eae7a7a357dcb3
-https://github.com/openshift/ovn-kubernetes image-arm64 952886fd8af2ca3ecf1717a2cb69311a32f25c06
-https://github.com/openshift/kubernetes image-arm64 5f099ccd1e8345f615d10381290909a8ca581b66
+https://github.com/openshift/ovn-kubernetes image-arm64 22e9487ee7060a85cfe20886b73e11fce3249e36
+https://github.com/openshift/kubernetes image-arm64 f9b62a69d4a05e10b2b7cf8d40afa37f9dcd0938
 https://github.com/openshift/service-ca-operator image-arm64 e7ccfa308e69ce4ad1f2afcd1d7c8ff25144374b
From 89d66c337a22877afe98bfdda51e96544443f159 Mon Sep 17 00:00:00 2001
From: ci-robot
Date: Tue, 12 May 2026 04:40:04 +0000
Subject: [PATCH 3/8] update microshift/deps
---
 .../kubernetes/test/e2e/apimachinery/watchlist.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/deps/github.com/openshift/kubernetes/test/e2e/apimachinery/watchlist.go b/deps/github.com/openshift/kubernetes/test/e2e/apimachinery/watchlist.go index baf85229ac..3948590f60 100644 --- a/deps/github.com/openshift/kubernetes/test/e2e/apimachinery/watchlist.go +++ b/deps/github.com/openshift/kubernetes/test/e2e/apimachinery/watchlist.go @@ -103,11 +103,13 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate( f.Namespace.Name, time.Duration(0), nil, - nil, + func(options *metav1.ListOptions) { + options.LabelSelector = "watchlist=true" + }, ) _ = addWellKnownSecrets(ctx, f) - expectedSecrets, err := metadataClient.Resource(v1.SchemeGroupVersion.WithResource("secrets")).Namespace(f.Namespace.Name).List(ctx, metav1.ListOptions{}) + expectedSecrets, err := metadataClient.Resource(v1.SchemeGroupVersion.WithResource("secrets")).Namespace(f.Namespace.Name).List(ctx, metav1.ListOptions{LabelSelector: "watchlist=true"}) framework.ExpectNoError(err) ginkgo.By("Starting the secret meta informer") @@ -131,7 +133,7 @@ var _ = SIGDescribe("API Streaming (aka. WatchList)", framework.WithFeatureGate( _, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Update(ctx, secret, metav1.UpdateOptions{}) framework.ExpectNoError(err) - expectedSecrets, err = metadataClient.Resource(v1.SchemeGroupVersion.WithResource("secrets")).Namespace(f.Namespace.Name).List(ctx, metav1.ListOptions{}) + expectedSecrets, err = metadataClient.Resource(v1.SchemeGroupVersion.WithResource("secrets")).Namespace(f.Namespace.Name).List(ctx, metav1.ListOptions{LabelSelector: "watchlist=true"}) framework.ExpectNoError(err) verifyStoreFor(ctx, verifyPartialObjectMetadataStore(toPointerSlice(expectedSecrets.Items), secretMetaInformer.Informer().GetStore())) }) From ce319a12b560b8e4116cc77a4e3eecfe63691d23 Mon Sep 17 00:00:00 2001 
From: ci-robot
Date: Tue, 12 May 2026 04:40:29 +0000
Subject: [PATCH 4/8] update etcd/go.mod
---
 etcd/go.mod | 26 +++++++++++++-------------
 etcd/go.sum | 44 ++++++++++++++++++++++----------------------
 2 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/etcd/go.mod b/etcd/go.mod
index 79da3f080f..6758473eed 100644
--- a/etcd/go.mod
+++ b/etcd/go.mod
@@ -87,12 +87,12 @@ require (
 go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 go.yaml.in/yaml/v2 v2.4.4 // indirect
 go.yaml.in/yaml/v3 v3.0.4 // indirect
- golang.org/x/net v0.51.0 // indirect
+ golang.org/x/net v0.52.0 // indirect
 golang.org/x/oauth2 v0.36.0 // indirect
 golang.org/x/sync v0.20.0 // indirect
 golang.org/x/sys v0.42.0 // indirect
- golang.org/x/term v0.40.0 // indirect
- golang.org/x/text v0.34.0 // indirect
+ golang.org/x/term v0.41.0 // indirect
+ golang.org/x/text v0.36.0 // indirect
 golang.org/x/time v0.15.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
@@ -133,13 +133,13 @@ require (
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
 github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 // indirect
 go.etcd.io/bbolt v1.4.3 // indirect
- go.etcd.io/etcd/api/v3 v3.6.8
- go.etcd.io/etcd/client/pkg/v3 v3.6.8 // indirect
- go.etcd.io/etcd/client/v3 v3.6.8 // indirect
- go.etcd.io/etcd/pkg/v3 v3.6.5 // indirect
+ go.etcd.io/etcd/api/v3 v3.6.11
+ go.etcd.io/etcd/client/pkg/v3 v3.6.11 // indirect
+ go.etcd.io/etcd/client/v3 v3.6.11 // indirect
+ go.etcd.io/etcd/pkg/v3 v3.6.11 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.1 // indirect
- golang.org/x/crypto v0.48.0 // indirect
+ golang.org/x/crypto v0.49.0 // indirect
 google.golang.org/grpc v1.79.3 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
@@ -148,11 +148,11 @@ require ( replace ( github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 // from kubernetes - go.etcd.io/etcd/api/v3 => github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 // from etcd - go.etcd.io/etcd/client/pkg/v3 => github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260312150232-d8d67b8ce849 // from etcd - go.etcd.io/etcd/client/v3 => github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 // from etcd - go.etcd.io/etcd/pkg/v3 => github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 // from etcd - go.etcd.io/etcd/server/v3 => github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 // from etcd + go.etcd.io/etcd/api/v3 => github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 // from etcd + go.etcd.io/etcd/client/pkg/v3 => github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260508194201-c543fe153245 // from etcd + go.etcd.io/etcd/client/v3 => github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 // from etcd + go.etcd.io/etcd/pkg/v3 => github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 // from etcd + go.etcd.io/etcd/server/v3 => github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 // from etcd ) replace ( diff --git a/etcd/go.sum b/etcd/go.sum index c08def41d7..6304e89e35 100644 --- a/etcd/go.sum +++ b/etcd/go.sum 
@@ -156,16 +156,16 @@ github.com/openshift/api v0.0.0-20260424174501-4f63a40a2970 h1:xyz8VL2VnskV4YTDa github.com/openshift/api v0.0.0-20260424174501-4f63a40a2970/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo= github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:UiYYMi/CCV+kwWrXuXfuUSOY2yNXOpWpNVgHc6aLQlE= github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE= -github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 h1:em2blvFukNrVPlEZuMA1rHioi0eFjSk5qvV/Yp02HxQ= -github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ= -github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260312150232-d8d67b8ce849 h1:IHmQZQqmppUSP3doRyoYTndWzAkv3yZZKmkZVCkYAEQ= -github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260312150232-d8d67b8ce849/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk= -github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 h1:ACAywB7ALdktn2jASAPydpnJEJwPPcXQ61Fbj18lhiQ= -github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo= -github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 h1:TtbQ9q5f7h8HjtVTeSXpIJnB8ByCH/plpoOc2VV2SQo= -github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849/go.mod h1:uqrXrzmMIJDEy5j00bCqhVLzR5jEJIwDp5wTlLwPGOU= -github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 h1:JSJaR8X2bzx3LVc674I2nrvTUC4g7rVHaf6gqo08zr8= -github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849/go.mod h1:PLuhyVXz8WWRhzXDsl3A3zv/+aK9e4A9lpQkqawIaH0= +github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 h1:8YsERr2Pg/hIfxcdwdXzZg8yZGNc+CtxpRmaYFVHKhA= +github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245/go.mod 
h1:HYfTh0jyh+uFgp6gMbxJteIDYY97yMuYz85Rnw6Gy9o= +github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260508194201-c543fe153245 h1:Rpg4gRsQ3KgxS6P7kIyjwwrvxGfoVzEkYpf0MTzxWB8= +github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260508194201-c543fe153245/go.mod h1:DysuMe/inqRyC/1tjRR6hReH/VV9Lufs27YKSKBWWJg= +github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 h1:++zoFBX5EUFEj75nsJNh6I/FkvRWKjm95cSwFV0FhYY= +github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245/go.mod h1:vOTDMCo+fGPEClJqcFEFSqZ+8e7WKV7AyqJjX//HR2w= +github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 h1:KLbp27TVKtrrCxWpoyMb86M7Pw9xiD91YciRej1XXCM= +github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245/go.mod h1:L/M2AmhhJ1+3WFRMiJv4Ra0z2hJGYVcsU6q+58NDFfc= +github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 h1:s+OzXjBwHuoUIucTcyhwLpwFj/WhYfT3mIbZOw/CFMs= +github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245/go.mod h1:WGWPgjHk4fWKoC1ftSMuPvUbdOBqeqvc/pDBPQgN1aw= github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6 h1:xjqy0OolrFdJ+ofI/aD0+2k9+MSk5anP5dXifFt539Q= github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6/go.mod h1:D797O/ssKTNglbrGchjIguFq+DbyRYdeds5w4/VTrKM= github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 h1:02E4Ttpu+7yCQLQxtY42JfcfHU7TBGnje6uB2ytBSdU= 
@@ -263,20 +263,20 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= -golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= +golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= +golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8= -golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w= +golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= +golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= -golang.org/x/net v0.51.0/go.mod 
h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -298,21 +298,21 @@ golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= -golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= -golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= +golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= +golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k= -golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0= 
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= +golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From c03b6fe53fd1be9f5506ba41fda6e30016b9a3c5 Mon Sep 17 00:00:00 2001 
From: ci-robot Date: Tue, 12 May 2026 04:40:36 +0000 Subject: [PATCH 5/8] update etcd/vendor --- .../openshift/microshift/pkg/config/c2cc.go | 25 ++- .../openshift/microshift/pkg/config/config.go | 3 + .../openshift/microshift/pkg/config/dns.go | 85 +++++++--- .../go.etcd.io/etcd/api/v3/version/version.go | 2 +- .../client/v3/internal/resolver/resolver.go | 12 +- .../etcd/client/v3/retry_interceptor.go | 4 + .../go.etcd.io/etcd/server/v3/auth/jwt.go | 12 +- .../etcd/server/v3/auth/simple_token.go | 3 +- .../go.etcd.io/etcd/server/v3/auth/store.go | 19 ++- .../go.etcd.io/etcd/server/v3/embed/config.go | 12 +- .../etcd/server/v3/embed/config_logging.go | 10 +- .../server/v3/etcdserver/api/etcdhttp/peer.go | 11 +- .../server/v3/etcdserver/api/v3rpc/auth.go | 16 ++ .../server/v3/etcdserver/api/v3rpc/grpc.go | 39 +++-- .../server/v3/etcdserver/api/v3rpc/key.go | 7 +- .../v3/etcdserver/api/v3rpc/maintenance.go | 18 +++ .../server/v3/etcdserver/api/v3rpc/member.go | 10 +- .../server/v3/etcdserver/api/v3rpc/watch.go | 16 ++ .../server/v3/etcdserver/apply/apply_auth.go | 105 ++++++++++-- .../etcd/server/v3/etcdserver/cluster_util.go | 16 ++ .../etcd/server/v3/etcdserver/server.go | 18 ++- .../etcd/server/v3/etcdserver/txn/txn.go | 56 ------- .../etcd/server/v3/etcdserver/util.go | 28 +++- .../etcd/server/v3/etcdserver/v3_server.go | 151 ++++++++++++++++-- .../server/v3/storage/mvcc/watchable_store.go | 61 +++---- .../go.etcd.io/etcd/server/v3/storage/util.go | 3 + etcd/vendor/golang.org/x/net/http2/http2.go | 16 +- etcd/vendor/golang.org/x/net/http2/server.go | 2 + .../golang.org/x/net/http2/transport.go | 8 - .../golang.org/x/net/http2/writesched.go | 6 + .../net/http2/writesched_priority_rfc7540.go | 5 + .../x/net/http2/writesched_random.go | 2 + etcd/vendor/modules.txt | 44 ++--- 33 files changed, 585 insertions(+), 240 deletions(-) 
diff --git a/etcd/vendor/github.com/openshift/microshift/pkg/config/c2cc.go b/etcd/vendor/github.com/openshift/microshift/pkg/config/c2cc.go index cf758251e6..ff77458eb0 100644 --- a/etcd/vendor/github.com/openshift/microshift/pkg/config/c2cc.go +++ b/etcd/vendor/github.com/openshift/microshift/pkg/config/c2cc.go @@ -17,7 +17,8 @@ type C2CC struct { RemoteClusters []RemoteCluster `json:"remoteClusters,omitempty"` // Populated during validation with parsed network objects. - Resolved []ResolvedRemoteCluster `json:"-"` + Resolved []ResolvedRemoteCluster `json:"-"` + ResolvedAllCIDRs []*net.IPNet `json:"-"` } type RemoteCluster struct { @@ -40,6 +41,13 @@ type ResolvedRemoteCluster struct { Domain string } +func (rc *ResolvedRemoteCluster) AllCIDRs() []*net.IPNet { + all := make([]*net.IPNet, 0, len(rc.ClusterNetwork)+len(rc.ServiceNetwork)) + all = append(all, rc.ClusterNetwork...) + all = append(all, rc.ServiceNetwork...) + return all +} + type labeledCIDR struct { net *net.IPNet str string @@ -49,6 +57,14 @@ func (c *C2CC) IsEnabled() bool { return len(c.RemoteClusters) > 0 } +func (c *C2CC) AllRemoteCIDRStrings() []string { + strs := make([]string, len(c.ResolvedAllCIDRs)) + for i, cidr := range c.ResolvedAllCIDRs { + strs[i] = cidr.String() + } + return strs +} + func (rc *RemoteCluster) isEmpty() bool { return rc.NextHop == "" && len(rc.ClusterNetwork) == 0 && len(rc.ServiceNetwork) == 0 && rc.Domain == "" } @@ -202,6 +218,13 @@ func (c *C2CC) validate(cfg *Config) error { } c.Resolved = resolved + + var allCIDRs []*net.IPNet + for i := range resolved { + allCIDRs = append(allCIDRs, resolved[i].AllCIDRs()...) + } + c.ResolvedAllCIDRs = allCIDRs + return nil } diff --git a/etcd/vendor/github.com/openshift/microshift/pkg/config/config.go b/etcd/vendor/github.com/openshift/microshift/pkg/config/config.go index cffb723f2c..192ee26d73 100644 --- a/etcd/vendor/github.com/openshift/microshift/pkg/config/config.go 
+++ b/etcd/vendor/github.com/openshift/microshift/pkg/config/config.go @@ -212,6 +212,9 @@ func (c *Config) incorporateUserSettings(u *Config) { if u.DNS.BaseDomain != "" { c.DNS.BaseDomain = u.DNS.BaseDomain } + if u.DNS.ConfigFile != "" { + c.DNS.ConfigFile = u.DNS.ConfigFile + } if u.Network.CNIPlugin != "" { c.Network.CNIPlugin = u.Network.CNIPlugin diff --git a/etcd/vendor/github.com/openshift/microshift/pkg/config/dns.go b/etcd/vendor/github.com/openshift/microshift/pkg/config/dns.go index d8948449c9..b567cbbc08 100644 --- a/etcd/vendor/github.com/openshift/microshift/pkg/config/dns.go +++ b/etcd/vendor/github.com/openshift/microshift/pkg/config/dns.go @@ -27,6 +27,15 @@ type DNS struct { // +kubebuilder:example=microshift.example.com BaseDomain string `json:"baseDomain"` + // configFile is the path to a custom CoreDNS Corefile on the host filesystem. + // When set, MicroShift uses this file as the Corefile in the dns-default ConfigMap, + // fully replacing the default template-rendered configuration. + // Changes to this file are detected at runtime and applied without restarting MicroShift. + // Mutually exclusive with dns.hosts: setting both causes a startup error. + // +optional + // +kubebuilder:example="/etc/microshift/dns/Corefile" + ConfigFile string `json:"configFile,omitempty"` + // Hosts contains configuration for the hosts file. Hosts HostsConfig `json:"hosts,omitempty"` } 
@@ -59,36 +68,31 @@ func dnsDefaults() DNS { } func (t *DNS) validate() error { - switch t.Hosts.Status { - case HostsStatusEnabled: - if t.Hosts.File == "" { - break - } + if t.ConfigFile != "" && t.Hosts.Status == HostsStatusEnabled { + return fmt.Errorf("dns.configFile and dns.hosts are mutually exclusive") + } - cleanPath := filepath.Clean(t.Hosts.File) + if err := t.validateConfigFile(); err != nil { + return err + } - fi, err := os.Stat(cleanPath) - // Enforce ConfigMap requirement: the file must not exceed 1MiB, as it will be mounted into a ConfigMap. - if err == nil && fi.Size() > 1048576 { - return fmt.Errorf("hosts file %s exceeds 1MiB ConfigMap (and internal buffer) size limit (got %d bytes)", t.Hosts.File, fi.Size()) - } - if !filepath.IsAbs(cleanPath) { - return fmt.Errorf("hosts file path must be absolute: got %s", t.Hosts.File) - } + return t.validateHosts() +} - _, err = os.Stat(cleanPath) - if os.IsNotExist(err) { - return fmt.Errorf("hosts file %s does not exist", t.Hosts.File) - } else if err != nil { - return fmt.Errorf("error checking hosts file %s: %v", t.Hosts.File, err) - } +func (t *DNS) validateConfigFile() error { + if t.ConfigFile == "" { + return nil + } + return validateFilePath(t.ConfigFile, "dns config file") +} - file, err := os.Open(t.Hosts.File) - if err != nil { - return fmt.Errorf("hosts file %s is not readable: %v", t.Hosts.File, err) +func (t *DNS) validateHosts() error { + switch t.Hosts.Status { + case HostsStatusEnabled: + if t.Hosts.File == "" { + break } - return file.Close() - + return validateFilePath(t.Hosts.File, "hosts file") case HostsStatusDisabled: return nil default: 
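Review bot: An enabled hosts file that is empty was accepted by the removed code in `validate` but is now rejected, because `validateHosts` shares `validateFilePath` with the Corefile check and that helper (next hunk) returns "is empty" for zero-length files. If an empty hosts file is still meant to be a valid configuration, existing hosts will fail at startup after this update. Keep the emptiness check out of the shared helper, for example `validateFilePath(path, label string, allowEmpty bool)` with `allowEmpty` set only from `validateHosts`. Otherwise call the new restriction out in the `Hosts.File` field documentation.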
@@ -96,3 +100,34 @@ func (t *DNS) validate() error { } return nil } + +func validateFilePath(path, label string) error { + cleanPath := filepath.Clean(path) + if !filepath.IsAbs(cleanPath) { + return fmt.Errorf("%s path must be absolute: got %s", label, path) + } + + fi, err := os.Stat(cleanPath) + if os.IsNotExist(err) { + return fmt.Errorf("%s %s does not exist", label, path) + } else if err != nil { + return fmt.Errorf("error checking %s %s: %v", label, path, err) + } + if !fi.Mode().IsRegular() { + return fmt.Errorf("%s %s must be a regular file", label, path) + } + + if fi.Size() == 0 { + return fmt.Errorf("%s %s is empty", label, path) + } + + if fi.Size() > 1048576 { + return fmt.Errorf("%s %s exceeds 1MiB size limit (got %d bytes)", label, path, fi.Size()) + } + + file, err := os.Open(cleanPath) + if err != nil { + return fmt.Errorf("%s %s is not readable: %v", label, path, err) + } + return file.Close() +} diff --git a/etcd/vendor/go.etcd.io/etcd/api/v3/version/version.go b/etcd/vendor/go.etcd.io/etcd/api/v3/version/version.go index 9e7bc64c17..5d748b563c 100644 --- a/etcd/vendor/go.etcd.io/etcd/api/v3/version/version.go +++ b/etcd/vendor/go.etcd.io/etcd/api/v3/version/version.go @@ -26,7 +26,7 @@ import ( var ( // MinClusterVersion is the min cluster version this etcd binary is compatible with. MinClusterVersion = "3.0.0" - Version = "3.6.5" + Version = "3.6.11" APIVersion = "unknown" // Git SHA Value will be set during build diff --git a/etcd/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go b/etcd/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go index 403b745cb7..c7f9fb1aee 100644 --- a/etcd/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go +++ b/etcd/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go 
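Review bot: The type and size checks in `validateFilePath` describe the path only at the moment of validation: `os.Stat` and `os.Open` are separate lookups, and `os.Stat` follows symlinks, so a link to a regular file passes `fi.Mode().IsRegular()`. The `configFile` field comment in this file says the Corefile is re-read at runtime, so whatever loads it later (not visible in this diff) has to enforce the 1MiB limit again on the bytes it actually reads. I would state that on the helper: `// validateFilePath checks path once at config load; code that reads the file later must re-check its type and size.` If symlinks are not meant to be accepted for a file that ends up in a ConfigMap, use `os.Lstat` here instead.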
@@ -60,7 +60,7 @@ func (r *EtcdManualResolver) SetEndpoints(endpoints []string) { } func (r EtcdManualResolver) updateState() { - if r.CC != nil { + if getCC(r) != nil { eps := make([]resolver.Endpoint, len(r.endpoints)) for i, ep := range r.endpoints { addr, serverName := endpoint.Interpret(ep) @@ -75,3 +75,13 @@ func (r EtcdManualResolver) updateState() { r.UpdateState(state) } } + +func getCC(r EtcdManualResolver) (cc resolver.ClientConn) { + defer func() { + if rec := recover(); rec != nil { + cc = nil + } + }() + + return r.CC() +} diff --git a/etcd/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go b/etcd/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go index 7703e673b0..9b4bd0219b 100644 --- a/etcd/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go +++ b/etcd/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go @@ -28,6 +28,7 @@ import ( "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/metadata" + "google.golang.org/grpc/peer" "google.golang.org/grpc/status" "go.etcd.io/etcd/api/v3/v3rpc/rpctypes" @@ -42,6 +43,8 @@ func (c *Client) unaryClientInterceptor(optFuncs ...retryOption) grpc.UnaryClien return func(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error { ctx = withVersion(ctx) grpcOpts, retryOpts := filterCallOptions(opts) + var p peer.Peer + grpcOpts = append(grpcOpts, grpc.Peer(&p)) callOpts := reuseOrNewWithCallOptions(intOpts, retryOpts) // short circuit for simplicity, and avoiding allocations. if callOpts.max == 0 { @@ -65,6 +68,7 @@ func (c *Client) unaryClientInterceptor(optFuncs ...retryOption) grpc.UnaryClien c.GetLogger().Warn( "retrying of unary invoker failed", zap.String("target", cc.Target()), + zap.String("peer", p.String()), zap.String("method", method), zap.Uint("attempt", attempt), zap.Error(lastErr), 
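Review bot: `getCC` in the second resolver.go hunk recovers from every panic raised inside `r.CC()` and reports it as "no connection", with no comment naming the panic it is meant to absorb, so an unrelated failure would be hidden the same way. If the intent is to tolerate the manual resolver's `CC()` panicking before the resolver has been built (the reason is not stated in the hunk), say so: `// CC() panics until the resolver is built; treat that as "no ClientConn yet".` The helper also takes `EtcdManualResolver` by value, like `updateState` itself; a pointer parameter would avoid copying the struct on every call.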
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/auth/jwt.go b/etcd/vendor/go.etcd.io/etcd/server/v3/auth/jwt.go index e6aad1857d..90e3a963cb 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/auth/jwt.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/auth/jwt.go @@ -115,12 +115,12 @@ func (t *tokenJWT) assign(ctx context.Context, username string, revision uint64) return "", err } - t.lg.Debug( - "created/assigned a new JWT token", - zap.String("user-name", username), - zap.Uint64("revision", revision), - zap.String("token", token), - ) + if ce := t.lg.Check(zap.DebugLevel, "created/assigned a new JWT token"); ce != nil { + tokenFingerprint := redactToken(token) + ce.Write(zap.String("user-name", username), + zap.Uint64("revision", revision), + zap.String("token-fingerprint", tokenFingerprint)) + } return token, err } diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/auth/simple_token.go b/etcd/vendor/go.etcd.io/etcd/server/v3/auth/simple_token.go index f8272b185d..04312c8421 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/auth/simple_token.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/auth/simple_token.go @@ -131,10 +131,11 @@ func (t *tokenSimple) assignSimpleTokenToUser(username, token string) { _, ok := t.simpleTokens[token] if ok { + tokenFingerprint := redactToken(token) t.lg.Panic( "failed to assign already-used simple token to a user", zap.String("user-name", username), - zap.String("token", token), + zap.String("token-fingerprint", tokenFingerprint), ) } diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/auth/store.go b/etcd/vendor/go.etcd.io/etcd/server/v3/auth/store.go index cfacfb001c..b31fee3eff 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/auth/store.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/auth/store.go @@ -17,7 +17,9 @@ package auth import ( "bytes" "context" + "crypto/sha256" "encoding/base64" + "encoding/hex" "errors" "sort" "strings" 
@@ -349,11 +351,10 @@ func (as *authStore) Authenticate(ctx context.Context, username, password string return nil, err } - as.lg.Debug( - "authenticated a user", - zap.String("user-name", username), - zap.String("token", token), - ) + if ce := as.lg.Check(zap.DebugLevel, "authenticated a user"); ce != nil { + tokenFingerprint := redactToken(token) + ce.Write(zap.String("user-name", username), zap.String("token-fingerprint", tokenFingerprint)) + } return &pb.AuthenticateResponse{Token: token}, nil } @@ -1074,7 +1075,8 @@ func (as *authStore) AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error) { token := ts[0] authInfo, uok := as.authInfoFromToken(ctx, token) if !uok { - as.lg.Warn("invalid auth token", zap.String("token", token)) + tokenFingerprint := redactToken(token) + as.lg.Warn("invalid auth token", zap.String("token-fingerprint", tokenFingerprint)) return nil, ErrInvalidAuthToken } @@ -1228,3 +1230,8 @@ func (as *authStore) setupMetricsReporter() { } reportCurrentAuthRevMu.Unlock() } + +func redactToken(token string) string { + sum := sha256.Sum256([]byte(token)) + return hex.EncodeToString(sum[:])[:12] +} diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config.go b/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config.go index a344edc3d0..fcb282d325 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config.go @@ -195,9 +195,7 @@ type Config struct { //revive:disable-next-line:var-naming WalDir string `json:"wal-dir"` - // SnapshotCount is the number of committed transactions that trigger a snapshot to disk. - // TODO: remove it in 3.7. - // Deprecated: Will be decommissioned in v3.7. + // SnapshotCount is the number of committed transactions that trigger a snapshot. SnapshotCount uint64 `json:"snapshot-count"` // ExperimentalSnapshotCatchUpEntries is the number of entries for a slow follower 
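Review bot: `redactToken` in the last store.go hunk has no doc comment, although it is now what stands between auth tokens and the logs in this hunk and in the jwt.go and simple_token.go hunks above. It returns the first 12 hex characters of an unsalted SHA-256. That is adequate for correlating high-entropy tokens, but it could be brute-forced offline if a later caller passed it a short or predictable value. Suggested comment: `// redactToken returns a 12-hex-char SHA-256 prefix for log correlation; use only on high-entropy tokens, never on passwords.`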
@@ -219,8 +217,8 @@ type Config struct { SnapshotCatchUpEntries uint64 `json:"snapshot-catchup-entries"` // MaxSnapFiles is the maximum number of snapshot files. - // TODO: remove it in 3.7. - // Deprecated: Will be removed in v3.7. + // TODO: remove it in 3.8. + // Deprecated: Will be removed in v3.8. MaxSnapFiles uint `json:"max-snapshots"` //revive:disable-next-line:var-naming MaxWalFiles uint `json:"max-wals"` @@ -772,10 +770,10 @@ func (cfg *Config) AddFlags(fs *flag.FlagSet) { "listen-metrics-urls", "List of URLs to listen on for the metrics and health endpoints.", ) - fs.UintVar(&cfg.MaxSnapFiles, "max-snapshots", cfg.MaxSnapFiles, "Maximum number of snapshot files to retain (0 is unlimited). Deprecated in v3.6 and will be decommissioned in v3.7.") + fs.UintVar(&cfg.MaxSnapFiles, "max-snapshots", cfg.MaxSnapFiles, "Maximum number of snapshot files to retain (0 is unlimited). Deprecated in v3.6 and will be decommissioned in v3.8.") fs.UintVar(&cfg.MaxWalFiles, "max-wals", cfg.MaxWalFiles, "Maximum number of wal files to retain (0 is unlimited).") fs.StringVar(&cfg.Name, "name", cfg.Name, "Human-readable name for this member.") - fs.Uint64Var(&cfg.SnapshotCount, "snapshot-count", cfg.SnapshotCount, "Number of committed transactions to trigger a snapshot to disk. Deprecated in v3.6 and will be decommissioned in v3.7.") + fs.Uint64Var(&cfg.SnapshotCount, "snapshot-count", cfg.SnapshotCount, "Number of committed transactions to trigger a snapshot.") fs.UintVar(&cfg.TickMs, "heartbeat-interval", cfg.TickMs, "Time (in milliseconds) of a heartbeat interval.") fs.UintVar(&cfg.ElectionMs, "election-timeout", cfg.ElectionMs, "Time (in milliseconds) for an election to timeout.") fs.BoolVar(&cfg.InitialElectionTickAdvance, "initial-election-tick-advance", cfg.InitialElectionTickAdvance, "Whether to fast-forward initial election ticks on boot for faster election.") 
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config_logging.go b/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config_logging.go index c9da6260d5..1a2e24d83e 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config_logging.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/embed/config_logging.go @@ -167,6 +167,12 @@ func (cfg *Config) setupLogging() error { logTLSHandshakeFailureFunc := func(msg string) func(conn *tls.Conn, err error) { return func(conn *tls.Conn, err error) { + // Log EOF errors on DEBUG not to spam logs too much. + logFunc := cfg.logger.Warn + if errors.Is(err, io.EOF) { + logFunc = cfg.logger.Debug + } + state := conn.ConnectionState() remoteAddr := conn.RemoteAddr().String() serverName := state.ServerName @@ -176,7 +182,7 @@ func (cfg *Config) setupLogging() error { for i := range cert.IPAddresses { ips[i] = cert.IPAddresses[i].String() } - cfg.logger.Warn( + logFunc( msg, zap.String("remote-addr", remoteAddr), zap.String("server-name", serverName), @@ -185,7 +191,7 @@ func (cfg *Config) setupLogging() error { zap.Error(err), ) } else { - cfg.logger.Warn( + logFunc( msg, zap.String("remote-addr", remoteAddr), zap.String("server-name", serverName), diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/etcdhttp/peer.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/etcdhttp/peer.go index de5948d30f..2df6c0d88d 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/etcdhttp/peer.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/etcdhttp/peer.go @@ -23,7 +23,9 @@ import ( "strings" "go.uber.org/zap" + "google.golang.org/grpc/metadata" + "go.etcd.io/etcd/api/v3/v3rpc/rpctypes" "go.etcd.io/etcd/client/pkg/v3/types" "go.etcd.io/etcd/server/v3/etcdserver" "go.etcd.io/etcd/server/v3/etcdserver/api" 
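Review bot: Demoting `io.EOF` handshake failures to DEBUG in `logTLSHandshakeFailureFunc` removes them from logs at the default level, and a connection closed before the handshake completes is also what a port probe produces, so any alert built on this warning loses that signal. The added comment should record the trade-off, e.g. `// EOF: peer closed mid-handshake (often health checks); logged at DEBUG to limit noise, so invisible at the default level.` If the signal still matters operationally, a counter would preserve it without the log volume; none is visible in these hunks. The enclosing `setupLogging` starts and ends outside the hunk.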
@@ -137,7 +139,14 @@ func (h *peerMemberPromoteHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ return } - resp, err := h.server.PromoteMember(r.Context(), id) + // reconstruct gRPC metadata from HTTP header (if present) so admin check can pass + ctx := r.Context() + if tok := r.Header.Get("Authorization"); tok != "" { + md := metadata.New(map[string]string{rpctypes.TokenFieldNameGRPC: tok}) + ctx = metadata.NewIncomingContext(ctx, md) + } + + resp, err := h.server.PromoteMember(ctx, id) if err != nil { switch { case errorspkg.Is(err, membership.ErrIDNotFound): diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/auth.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/auth.go index 6c5db76cb8..15ef5f3477 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/auth.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/auth.go @@ -185,3 +185,19 @@ func (aa *AuthAdmin) isPermitted(ctx context.Context) error { return aa.ag.AuthStore().IsAdminPermitted(authInfo) } + +func (aa *AuthAdmin) requireAuthInfo(ctx context.Context) error { + if !aa.ag.AuthStore().IsAuthEnabled() { + return nil + } + + authInfo, err := aa.ag.AuthInfoFromCtx(ctx) + if err != nil { + return err + } + + if authInfo == nil { + return auth.ErrUserEmpty + } + return nil +} diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/grpc.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/grpc.go index efa151437d..57ed6eabb8 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/grpc.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/grpc.go @@ -17,6 +17,7 @@ package v3rpc import ( "crypto/tls" "math" + "sync" grpc_prometheus "github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus" "github.com/prometheus/client_golang/prometheus" 
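Review bot: The `Authorization` header value is copied verbatim into the `rpctypes.TokenFieldNameGRPC` metadata in `peerMemberPromoteHandler.ServeHTTP`, so the admin check only succeeds if the sender puts the bare etcd token there; a conventional `Bearer <token>` value would be looked up with the scheme prefix included. The sending side is not in this hunk (cluster_util.go appears in the diffstat), so the contract should be written next to the code: `// Authorization carries the raw etcd auth token (no "Bearer " scheme), as set by the forwarding member.` ServeHTTP begins before the hunk.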
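Review bot: `requireAuthInfo` in v3rpc/auth.go has no doc comment, and its difference from `isPermitted` directly above it (any authenticated caller versus an admin) is the only reason it exists. Suggested: `// requireAuthInfo succeeds when auth is disabled or the request carries valid auth info; unlike isPermitted it does not require the admin role.` The `Alarm` wrapper added in maintenance.go uses it for the GET action and `isPermitted` for everything else, so choosing the wrong helper there changes who can read or clear alarms.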
@@ -35,6 +36,11 @@ const ( maxSendBytes = math.MaxInt32 ) +var ( + metricsServerLock sync.Mutex + metricsServerCached *grpc_prometheus.ServerMetrics +) + func Server(s *etcdserver.EtcdServer, tls *tls.Config, interceptor grpc.UnaryServerInterceptor, gopts ...grpc.ServerOption) *grpc.Server { var opts []grpc.ServerOption opts = append(opts, grpc.CustomCodec(&codec{})) @@ -42,28 +48,20 @@ func Server(s *etcdserver.EtcdServer, tls *tls.Config, interceptor grpc.UnarySer opts = append(opts, grpc.Creds(credentials.NewTransportCredential(tls))) } - var mopts []grpc_prometheus.ServerMetricsOption - if s.Cfg.Metrics == "extensive" { - mopts = append(mopts, grpc_prometheus.WithServerHandlingTimeHistogram()) - } - serverMetrics := grpc_prometheus.NewServerMetrics(mopts...) - err := prometheus.Register(serverMetrics) - if err != nil { - s.Cfg.Logger.Warn("etcdserver: failed to register grpc metrics", zap.Error(err)) - } + serverMetrics := getServerMetrics(s.Cfg.Metrics, s.Cfg.Logger) chainUnaryInterceptors := []grpc.UnaryServerInterceptor{ newLogUnaryInterceptor(s), - newUnaryInterceptor(s), serverMetrics.UnaryServerInterceptor(), + newUnaryInterceptor(s), } if interceptor != nil { chainUnaryInterceptors = append(chainUnaryInterceptors, interceptor) } chainStreamInterceptors := []grpc.StreamServerInterceptor{ - newStreamInterceptor(s), serverMetrics.StreamServerInterceptor(), + newStreamInterceptor(s), } if s.Cfg.EnableDistributedTracing { 
@@ -95,3 +93,22 @@ func Server(s *etcdserver.EtcdServer, tls *tls.Config, interceptor grpc.UnarySer return grpcServer } + +func getServerMetrics(metricType string, lg *zap.Logger) *grpc_prometheus.ServerMetrics { + metricsServerLock.Lock() + defer metricsServerLock.Unlock() + + if metricsServerCached == nil { + var mopts []grpc_prometheus.ServerMetricsOption + if metricType == "extensive" { + mopts = append(mopts, grpc_prometheus.WithServerHandlingTimeHistogram()) + } + metricsServerCached = grpc_prometheus.NewServerMetrics(mopts...) + err := prometheus.Register(metricsServerCached) + if err != nil { + lg.Warn("etcdserver: failed to register grpc metrics", zap.Error(err)) + } + } + + return metricsServerCached +} diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/key.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/key.go index 2c1de2a90d..3da35922c2 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/key.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/key.go @@ -27,6 +27,7 @@ import ( type kvServer struct { hdr header kv etcdserver.RaftKV + aa *AuthAdmin // maxTxnOps is the max operations per txn. // e.g suppose maxTxnOps = 128. // Txn.Success can have at most 128 operations, @@ -35,7 +36,7 @@ type kvServer struct { } func NewKVServer(s *etcdserver.EtcdServer) pb.KVServer { - return &kvServer{hdr: newHeader(s), kv: s, maxTxnOps: s.Cfg.MaxTxnOps} + return &kvServer{hdr: newHeader(s), kv: s, aa: &AuthAdmin{s}, maxTxnOps: s.Cfg.MaxTxnOps} } func (s *kvServer) Range(ctx context.Context, r *pb.RangeRequest) (*pb.RangeResponse, error) { 
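Review bot: `getServerMetrics` builds the `ServerMetrics` on the first call and ignores `metricType` on every later one, so a second `Server(...)` in the same process with a different `Metrics` setting silently gets the first caller's options. The instance is also cached when `prometheus.Register` returns an error, so the warning is logged once and the interceptors keep using an unregistered collector. A comment on the package variables would make this visible: `// metricsServerCached is process-wide; metricType only takes effect on the first call to getServerMetrics.`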
@@ -102,6 +103,10 @@ func (s *kvServer) Txn(ctx context.Context, r *pb.TxnRequest) (*pb.TxnResponse, } func (s *kvServer) Compact(ctx context.Context, r *pb.CompactionRequest) (*pb.CompactionResponse, error) { + if err := s.aa.isPermitted(ctx); err != nil { + return nil, togRPCError(err) + } + resp, err := s.kv.Compact(ctx, r) if err != nil { return nil, togRPCError(err) diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go index ec7de4467e..cf65dad0da 100644 --- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go +++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/maintenance.go @@ -32,6 +32,7 @@ import ( "go.etcd.io/etcd/server/v3/etcdserver/apply" "go.etcd.io/etcd/server/v3/etcdserver/errors" serverversion "go.etcd.io/etcd/server/v3/etcdserver/version" + "go.etcd.io/etcd/server/v3/storage" "go.etcd.io/etcd/server/v3/storage/backend" "go.etcd.io/etcd/server/v3/storage/mvcc" "go.etcd.io/etcd/server/v3/storage/schema" @@ -270,6 +271,9 @@ func (ms *maintenanceServer) Status(ctx context.Context, ar *pb.StatusRequest) ( DbSizeQuota: ms.cg.Config().QuotaBackendBytes, DowngradeInfo: &pb.DowngradeInfo{Enabled: false}, } + if resp.DbSizeQuota == 0 { + resp.DbSizeQuota = storage.DefaultQuotaBytes + } if storageVersion := ms.vs.GetStorageVersion(); storageVersion != nil { resp.StorageVersion = storageVersion.String() } 
@@ -345,6 +349,20 @@ func (ams *authMaintenanceServer) HashKV(ctx context.Context, r *pb.HashKVReques
 return ams.maintenanceServer.HashKV(ctx, r)
 }
+func (ams *authMaintenanceServer) Alarm(ctx context.Context, ar *pb.AlarmRequest) (*pb.AlarmResponse, error) {
+ switch ar.GetAction() {
+ case pb.AlarmRequest_GET:
+ if err := ams.requireAuthInfo(ctx); err != nil {
+ return nil, togRPCError(err)
+ }
+ default:
+ if err := ams.isPermitted(ctx); err != nil {
+ return nil, togRPCError(err)
+ }
+ }
+ return ams.maintenanceServer.Alarm(ctx, ar)
+}
+
 func (ams *authMaintenanceServer) Status(ctx context.Context, ar *pb.StatusRequest) (*pb.StatusResponse, error) {
 if err := ams.isPermitted(ctx); err != nil {
 return nil, togRPCError(err)
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/member.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/member.go
index 7fd68fe2d6..57768b3925 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/member.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/member.go
@@ -88,12 +88,12 @@ func (cs *ClusterServer) MemberUpdate(ctx context.Context, r *pb.MemberUpdateReq
 }
 func (cs *ClusterServer) MemberList(ctx context.Context, r *pb.MemberListRequest) (*pb.MemberListResponse, error) {
- if r.Linearizable {
- if err := cs.server.LinearizableReadNotify(ctx); err != nil {
- return nil, togRPCError(err)
- }
+ members, err := cs.server.MemberList(ctx, r)
+ if err != nil {
+ return nil, togRPCError(err)
 }
- membs := membersToProtoMembers(cs.cluster.Members())
+
+ membs := membersToProtoMembers(members)
 return &pb.MemberListResponse{Header: cs.header(), Members: membs}, nil
 }
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/watch.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/watch.go
index d4a5bc3514..02aa7c1bf2 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/watch.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/api/v3rpc/watch.go
@@ -269,6 +269,22 @@ func (sws *serverWatchStream) recvLoop() error {
 // support >= key queries
 creq.RangeEnd = []byte{}
 }
+ if creq.StartRevision < 0 {
+ wr := &pb.WatchResponse{
+ Header: sws.newResponseHeader(sws.watchStream.Rev()),
+ WatchId: clientv3.InvalidWatchID,
+ Canceled: true,
+ Created: true,
+ CancelReason: rpctypes.ErrCompacted.Error(),
+ }
+
+ select {
+ case sws.ctrlStream <- wr:
+ continue
+ case <-sws.closec:
+ return nil
+ }
+ }
 err := sws.isWatchPermitted(creq)
 if err != nil {
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/apply/apply_auth.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/apply/apply_auth.go
index 3922deebd0..6c01ea3967 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/apply/apply_auth.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/apply/apply_auth.go
@@ -20,7 +20,6 @@ import (
 pb "go.etcd.io/etcd/api/v3/etcdserverpb"
 "go.etcd.io/etcd/pkg/v3/traceutil"
 "go.etcd.io/etcd/server/v3/auth"
- "go.etcd.io/etcd/server/v3/etcdserver/txn"
 "go.etcd.io/etcd/server/v3/lease"
 )
@@ -63,25 +62,34 @@ func (aa *authApplierV3) Apply(r *pb.InternalRaftRequest, applyFunc applyFunc) *
 }
 func (aa *authApplierV3) Put(r *pb.PutRequest) (*pb.PutResponse, *traceutil.Trace, error) {
- if err := aa.as.IsPutPermitted(&aa.authInfo, r.Key); err != nil {
+ if err := checkPutAuth(aa.as, &aa.authInfo, aa.lessor, r); err != nil {
 return nil, nil, err
 }
- if err := aa.checkLeasePuts(lease.LeaseID(r.Lease)); err != nil {
+ return aa.applierV3.Put(r)
+}
+
+func checkPutAuth(as auth.AuthStore, ai *auth.AuthInfo, lessor lease.Lessor, r *pb.PutRequest) error {
+ if err := as.IsPutPermitted(ai, r.Key); err != nil {
+ return err
+ }
+
+ if err := checkLeasePuts(as, ai, lessor, lease.LeaseID(r.Lease)); err != nil {
 // The specified lease is already attached with a key that cannot
 // be written by this user. It means the user cannot revoke the
 // lease so attaching the lease to the newly written key should
 // be forbidden.
- return nil, nil, err
+ return err
 }
 if r.PrevKv {
- err := aa.as.IsRangePermitted(&aa.authInfo, r.Key, nil)
+ err := as.IsRangePermitted(ai, r.Key, nil)
 if err != nil {
- return nil, nil, err
+ return err
 }
 }
- return aa.applierV3.Put(r)
+
+ return nil
 }
 func (aa *authApplierV3) Range(r *pb.RangeRequest) (*pb.RangeResponse, *traceutil.Trace, error) {
@@ -106,37 +114,104 @@ func (aa *authApplierV3) DeleteRange(r *pb.DeleteRangeRequest) (*pb.DeleteRangeR
 }
 func (aa *authApplierV3) Txn(rt *pb.TxnRequest) (*pb.TxnResponse, *traceutil.Trace, error) {
- if err := txn.CheckTxnAuth(aa.as, &aa.authInfo, rt); err != nil {
+ if err := CheckTxnAuth(aa.as, &aa.authInfo, aa.lessor, rt); err != nil {
 return nil, nil, err
 }
 return aa.applierV3.Txn(rt)
 }
+func CheckTxnAuth(as auth.AuthStore, ai *auth.AuthInfo, lessor lease.Lessor, rt *pb.TxnRequest) error {
+ return checkTxnPermission(as, ai, lessor, rt)
+}
+
+func checkTxnPermission(as auth.AuthStore, ai *auth.AuthInfo, lessor lease.Lessor, rt *pb.TxnRequest) error {
+ for _, c := range rt.Compare {
+ if err := as.IsRangePermitted(ai, c.Key, c.RangeEnd); err != nil {
+ return err
+ }
+ }
+ if err := checkTxnReqsPermission(as, ai, lessor, rt.Success); err != nil {
+ return err
+ }
+ return checkTxnReqsPermission(as, ai, lessor, rt.Failure)
+}
+
+func checkTxnReqsPermission(as auth.AuthStore, ai *auth.AuthInfo, lessor lease.Lessor, reqs []*pb.RequestOp) error {
+ for _, requ := range reqs {
+ switch tv := requ.Request.(type) {
+ case *pb.RequestOp_RequestRange:
+ if tv.RequestRange == nil {
+ continue
+ }
+
+ if err := as.IsRangePermitted(ai, tv.RequestRange.Key, tv.RequestRange.RangeEnd); err != nil {
+ return err
+ }
+
+ case *pb.RequestOp_RequestPut:
+ if tv.RequestPut == nil {
+ continue
+ }
+
+ if err := checkPutAuth(as, ai, lessor, tv.RequestPut); err != nil {
+ return err
+ }
+ case *pb.RequestOp_RequestDeleteRange:
+ if tv.RequestDeleteRange == nil {
+ continue
+ }
+
+ if tv.RequestDeleteRange.PrevKv {
+ err := as.IsRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
+ if err != nil {
+ return err
+ }
+ }
+
+ err := as.IsDeleteRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
+ if err != nil {
+ return err
+ }
+ case *pb.RequestOp_RequestTxn:
+ if tv.RequestTxn == nil {
+ continue
+ }
+
+ err := checkTxnPermission(as, ai, lessor, tv.RequestTxn)
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ return nil
+}
+
 func (aa *authApplierV3) LeaseRevoke(lc *pb.LeaseRevokeRequest) (*pb.LeaseRevokeResponse, error) {
- if err := aa.checkLeasePuts(lease.LeaseID(lc.ID)); err != nil {
+ if err := checkLeasePuts(aa.as, &aa.authInfo, aa.lessor, lease.LeaseID(lc.ID)); err != nil {
 return nil, err
 }
 return aa.applierV3.LeaseRevoke(lc)
 }
-func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
- l := aa.lessor.Lookup(leaseID)
+func checkLeasePuts(as auth.AuthStore, ai *auth.AuthInfo, lessor lease.Lessor, leaseID lease.LeaseID) error {
+ l := lessor.Lookup(leaseID)
 if l != nil {
- return aa.checkLeasePutsKeys(l)
+ return checkLeasePutsKeys(as, ai, l)
 }
 return nil
 }
-func (aa *authApplierV3) checkLeasePutsKeys(l *lease.Lease) error {
+func checkLeasePutsKeys(as auth.AuthStore, ai *auth.AuthInfo, l *lease.Lease) error {
 // early return for most-common scenario of either disabled auth or admin user.
 // IsAdminPermitted also checks whether auth is enabled
- if err := aa.as.IsAdminPermitted(&aa.authInfo); err == nil {
+ if err := as.IsAdminPermitted(ai); err == nil {
 return nil
 }
 for _, key := range l.Keys() {
- if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
+ if err := as.IsPutPermitted(ai, []byte(key)); err != nil {
 return err
 }
 }
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/cluster_util.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/cluster_util.go
index 425ed971cd..d791907c43 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/cluster_util.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/cluster_util.go
@@ -27,7 +27,9 @@ import (
 "github.com/coreos/go-semver/semver"
 "go.uber.org/zap"
+ "google.golang.org/grpc/metadata"
+ "go.etcd.io/etcd/api/v3/v3rpc/rpctypes"
 "go.etcd.io/etcd/api/v3/version"
 "go.etcd.io/etcd/client/pkg/v3/types"
 "go.etcd.io/etcd/server/v3/etcdserver/api/membership"
@@ -305,6 +307,20 @@ func promoteMemberHTTP(ctx context.Context, url string, id uint64, peerRt http.R
 if err != nil {
 return nil, err
 }
+
+ // add the auth token via HTTP header if present in gRPC metadata
+ if md, ok := metadata.FromIncomingContext(ctx); ok {
+ ts, ok := md[rpctypes.TokenFieldNameGRPC]
+ if !ok {
+ ts, ok = md[rpctypes.TokenFieldNameSwagger]
+ }
+
+ if ok && len(ts) > 0 {
+ token := ts[0]
+ req.Header.Set("Authorization", token)
+ }
+ }
+
 req = req.WithContext(ctx)
 resp, err := cc.Do(req)
 if err != nil {
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go
index 0eb16b7d3c..5338815ae9 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/server.go
@@ -1428,9 +1428,10 @@ func (s *EtcdServer) mayAddMember(memb membership.Member) error {
 return errors.ErrNotEnoughStartedMembers
 }
- if !isConnectedFullySince(s.r.transport, time.Now().Add(-HealthInterval), s.MemberID(), s.cluster.VotingMembers()) {
+ // Treat the new member as unavailable when checking quorum safety.
+ if !isConnectedToQuorumAfterAddingNewMemberSince(s.r.transport, time.Now().Add(-HealthInterval), s.MemberID(), s.cluster.VotingMembers()) {
 lg.Warn(
- "rejecting member add request; local member has not been connected to all peers, reconfigure breaks active quorum",
+ "rejecting member add request; local member has not been connected to majority peers, reconfigure breaks active quorum",
 zap.String("local-member-id", s.MemberID().String()),
 zap.String("requested-member-add", fmt.Sprintf("%+v", memb)),
 zap.Error(errors.ErrUnhealthy),
@@ -1670,6 +1671,19 @@ func (s *EtcdServer) UpdateMember(ctx context.Context, memb membership.Member) (
 return s.configure(ctx, cc)
 }
+func (s *EtcdServer) MemberList(ctx context.Context, r *pb.MemberListRequest) ([]*membership.Member, error) {
+ if r.Linearizable {
+ if err := s.LinearizableReadNotify(ctx); err != nil {
+ return nil, err
+ }
+ }
+
+ if err := s.requireAuthInfo(ctx); err != nil {
+ return nil, err
+ }
+ return s.cluster.Members(), nil
+}
+
 func (s *EtcdServer) setCommittedIndex(v uint64) {
 atomic.StoreUint64(&s.committedIndex, v)
 }
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/txn/txn.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/txn/txn.go
index 51f70a06a4..59da1b8054 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/txn/txn.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/txn/txn.go
@@ -26,7 +26,6 @@ import (
 pb "go.etcd.io/etcd/api/v3/etcdserverpb"
 "go.etcd.io/etcd/api/v3/mvccpb"
 "go.etcd.io/etcd/pkg/v3/traceutil"
- "go.etcd.io/etcd/server/v3/auth"
 "go.etcd.io/etcd/server/v3/etcdserver/errors"
 "go.etcd.io/etcd/server/v3/lease"
 "go.etcd.io/etcd/server/v3/storage/mvcc"
@@ -666,58 +665,3 @@ func IsTxnReadonly(r *pb.TxnRequest) bool {
 }
 return true
 }
-
-func CheckTxnAuth(as auth.AuthStore, ai *auth.AuthInfo, rt *pb.TxnRequest) error {
- for _, c := range rt.Compare {
- if err := as.IsRangePermitted(ai, c.Key, c.RangeEnd); err != nil {
- return err
- }
- }
- if err := checkTxnReqsPermission(as, ai, rt.Success); err != nil {
- return err
- }
- return checkTxnReqsPermission(as, ai, rt.Failure)
-}
-
-func checkTxnReqsPermission(as auth.AuthStore, ai *auth.AuthInfo, reqs []*pb.RequestOp) error {
- for _, requ := range reqs {
- switch tv := requ.Request.(type) {
- case *pb.RequestOp_RequestRange:
- if tv.RequestRange == nil {
- continue
- }
-
- if err := as.IsRangePermitted(ai, tv.RequestRange.Key, tv.RequestRange.RangeEnd); err != nil {
- return err
- }
-
- case *pb.RequestOp_RequestPut:
- if tv.RequestPut == nil {
- continue
- }
-
- if err := as.IsPutPermitted(ai, tv.RequestPut.Key); err != nil {
- return err
- }
-
- case *pb.RequestOp_RequestDeleteRange:
- if tv.RequestDeleteRange == nil {
- continue
- }
-
- if tv.RequestDeleteRange.PrevKv {
- err := as.IsRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
- if err != nil {
- return err
- }
- }
-
- err := as.IsDeleteRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
- if err != nil {
- return err
- }
- }
- }
-
- return nil
-}
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/util.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/util.go
index fbba5491b0..32c129b5c7 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/util.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/util.go
@@ -23,12 +23,30 @@ import (
 "go.etcd.io/etcd/server/v3/etcdserver/api/rafthttp"
 )
-// isConnectedToQuorumSince checks whether the local member is connected to the
-// quorum of the cluster since the given time.
+// isConnectedToQuorumSince reports whether the local member has been connected
+// to a quorum of the current cluster continuously since the given time.
 func isConnectedToQuorumSince(transport rafthttp.Transporter, since time.Time, self types.ID, members []*membership.Member) bool {
 return numConnectedSince(transport, since, self, members) >= (len(members)/2)+1
 }
+// isConnectedToQuorumAfterAddingNewMemberSince reports whether the local member
+// has been connected to a quorum continuously since the given time, assuming a
+// new member is being added to the cluster.
+//
+// For a single-member cluster, it always returns true to allow membership
+// expansion.
+func isConnectedToQuorumAfterAddingNewMemberSince(transport rafthttp.Transporter, since time.Time, self types.ID, members []*membership.Member) bool {
+ if len(members) == 1 {
+ // If it's a single member cluster, we should allow adding a new member
+ return true
+ }
+ return numConnectedSince(transport, since, self, members) >= quorum(len(members)+1)
+}
+
+func quorum(num int) int {
+ return num/2 + 1
+}
+
 // isConnectedSince checks whether the local member is connected to the
 // remote member since the given time.
 func isConnectedSince(transport rafthttp.Transporter, since time.Time, remote types.ID) bool {
@@ -36,12 +54,6 @@ func isConnectedSince(transport rafthttp.Transporter, since time.Time, remote ty
 return !t.IsZero() && t.Before(since)
 }
-// isConnectedFullySince checks whether the local member is connected to all
-// members in the cluster since the given time.
-func isConnectedFullySince(transport rafthttp.Transporter, since time.Time, self types.ID, members []*membership.Member) bool {
- return numConnectedSince(transport, since, self, members) == len(members)
-}
-
 // numConnectedSince counts how many members are connected to the local member
 // since the given time.
 func numConnectedSince(transport rafthttp.Transporter, since time.Time, self types.ID, members []*membership.Member) int {
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/v3_server.go b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/v3_server.go
index c6953604aa..027163ad8a 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/v3_server.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/etcdserver/v3_server.go
@@ -15,7 +15,6 @@
 package etcdserver
 import (
- "bytes"
 "context"
 "encoding/base64"
 "encoding/binary"
@@ -175,7 +174,7 @@ func (s *EtcdServer) Txn(ctx context.Context, r *pb.TxnRequest) (*pb.TxnResponse
 var resp *pb.TxnResponse
 var err error
 chk := func(ai *auth.AuthInfo) error {
- return txn.CheckTxnAuth(s.authStore, ai, r)
+ return apply2.CheckTxnAuth(s.authStore, ai, s.lessor, r)
 }
 defer func(start time.Time) {
@@ -251,6 +250,11 @@ func (s *EtcdServer) LeaseGrant(ctx context.Context, r *pb.LeaseGrantRequest) (*
 // only use positive int64 id's
 r.ID = int64(s.reqIDGen.Next() & ((1 << 63) - 1))
 }
+
+ if err := s.requireAuthInfo(ctx); err != nil {
+ return nil, err
+ }
+
 resp, err := s.raftRequestOnce(ctx, pb.InternalRaftRequest{LeaseGrant: r})
 if err != nil {
 return nil, err
@@ -271,6 +275,10 @@ func (s *EtcdServer) waitAppliedIndex() error {
 }
 func (s *EtcdServer) LeaseRevoke(ctx context.Context, r *pb.LeaseRevokeRequest) (*pb.LeaseRevokeResponse, error) {
+ if err := s.requireAuthInfo(ctx); err != nil {
+ return nil, err
+ }
+
 resp, err := s.raftRequestOnce(ctx, pb.InternalRaftRequest{LeaseRevoke: r})
 if err != nil {
 return nil, err
@@ -294,6 +302,10 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
 return 0, err
 }
+ if err := s.checkLeaseRenew(ctx, id); err != nil {
+ return 0, err
+ }
+
 ttl, err := s.lessor.Renew(id)
 if err == nil { // already requested to primary lessor(leader)
 return ttl, nil
@@ -312,6 +324,11 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
 if lerr != nil {
 return -1, lerr
 }
+
+ if err := s.checkLeaseRenew(ctx, id); err != nil {
+ return 0, err
+ }
+
 for _, url := range leader.PeerURLs {
 lurl := url + leasehttp.LeasePrefix
 ttl, err := leasehttp.RenewHTTP(cctx, id, lurl, s.peerRt)
@@ -329,6 +346,39 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
 return -1, errors.ErrCanceled
 }
+func (s *EtcdServer) checkLeaseRenew(ctx context.Context, leaseID lease.LeaseID) error {
+ rev := s.AuthStore().Revision()
+ if !s.AuthStore().IsAuthEnabled() {
+ return nil
+ }
+
+ authInfo, err := s.AuthInfoFromCtx(ctx)
+ if err != nil {
+ return err
+ }
+ if authInfo == nil {
+ return auth.ErrUserEmpty
+ }
+
+ if s.AuthStore().IsAdminPermitted(authInfo) == nil {
+ return nil
+ }
+
+ l := s.lessor.Lookup(leaseID)
+ if l != nil {
+ for _, key := range l.Keys() {
+ if err := s.AuthStore().IsPutPermitted(authInfo, []byte(key)); err != nil {
+ return err
+ }
+ }
+ }
+
+ if rev != s.AuthStore().Revision() {
+ return auth.ErrAuthOldRevision
+ }
+ return nil
+}
+
 func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (uint64, error) {
 rev := s.AuthStore().Revision()
 if !s.AuthStore().IsAuthEnabled() {
@@ -342,6 +392,10 @@ func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.Lea
 return rev, auth.ErrUserEmpty
 }
+ if s.AuthStore().IsAdminPermitted(authInfo) == nil {
+ return rev, nil
+ }
+
 l := s.lessor.Lookup(leaseID)
 if l != nil {
 for _, key := range l.Keys() {
@@ -417,6 +471,10 @@ func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR
 }
 func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+ if err := s.requireAuthInfo(ctx); err != nil {
+ return nil, err
+ }
+
 var rev uint64
 var err error
 if r.Keys {
@@ -450,8 +508,13 @@ func (s *EtcdServer) newHeader() *pb.ResponseHeader {
 }
 // LeaseLeases is really ListLeases !???
-func (s *EtcdServer) LeaseLeases(_ context.Context, _ *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
+func (s *EtcdServer) LeaseLeases(ctx context.Context, _ *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) {
 ls := s.lessor.Leases()
+
+ if err := s.checkLeaseLeases(ctx, ls); err != nil {
+ return nil, err
+ }
+
 lss := make([]*pb.LeaseStatus, len(ls))
 for i := range ls {
 lss[i] = &pb.LeaseStatus{ID: int64(ls[i].ID)}
@@ -459,6 +522,40 @@ func (s *EtcdServer) LeaseLeases(_ context.Context, _ *pb.LeaseLeasesRequest) (*
 return &pb.LeaseLeasesResponse{Header: s.newHeader(), Leases: lss}, nil
 }
+func (s *EtcdServer) checkLeaseLeases(ctx context.Context, leases []*lease.Lease) error {
+ rev := s.AuthStore().Revision()
+
+ if !s.AuthStore().IsAuthEnabled() {
+ return nil
+ }
+
+ authInfo, err := s.AuthInfoFromCtx(ctx)
+ if err != nil {
+ return err
+ }
+
+ if authInfo == nil {
+ return auth.ErrUserEmpty
+ }
+
+ if err := s.AuthStore().IsAdminPermitted(authInfo); err == nil {
+ return nil
+ }
+
+ for _, l := range leases {
+ for _, key := range l.Keys() {
+ if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
+ return err
+ }
+ }
+ }
+
+ if rev != s.AuthStore().Revision() {
+ return auth.ErrAuthOldRevision
+ }
+ return nil
+}
+
 func (s *EtcdServer) waitLeader(ctx context.Context) (*membership.Member, error) {
 leader := s.cluster.Member(s.Leader())
 for leader == nil {
@@ -804,7 +901,6 @@ func (s *EtcdServer) Watchable() mvcc.WatchableKV { return s.KV() }
 func (s *EtcdServer) linearizableReadLoop() {
 for {
- requestID := s.reqIDGen.Next()
 leaderChangedNotifier := s.leaderChanged.Receive()
 select {
 case <-leaderChangedNotifier:
@@ -824,7 +920,7 @@ func (s *EtcdServer) linearizableReadLoop() {
 s.readNotifier = nextnr
 s.readMu.Unlock()
- confirmedIndex, err := s.requestCurrentIndex(leaderChangedNotifier, requestID)
+ confirmedIndex, err := s.requestCurrentIndex(leaderChangedNotifier)
 if isStopped(err) {
 return
 }
@@ -859,7 +955,10 @@ func isStopped(err error) bool {
 return errorspkg.Is(err, raft.ErrStopped) || errorspkg.Is(err, errors.ErrStopped)
 }
-func (s *EtcdServer) requestCurrentIndex(leaderChangedNotifier <-chan struct{}, requestID uint64) (uint64, error) {
+func (s *EtcdServer) requestCurrentIndex(leaderChangedNotifier <-chan struct{}) (uint64, error) {
+ requestIDs := map[uint64]struct{}{}
+ requestID := s.reqIDGen.Next()
+ requestIDs[requestID] = struct{}{}
 err := s.sendReadIndex(requestID)
 if err != nil {
 return 0, err
@@ -876,18 +975,22 @@ func (s *EtcdServer) requestCurrentIndex(leaderChangedNotifier <-chan struct{},
 for {
 select {
 case rs := <-s.r.readStateC:
- requestIDBytes := uint64ToBigEndianBytes(requestID)
- gotOwnResponse := bytes.Equal(rs.RequestCtx, requestIDBytes)
- if !gotOwnResponse {
+ // Check again if leader changed as when multiple channels are ready, select picks randomly.
+ select {
+ case <-leaderChangedNotifier:
+ readIndexFailed.Inc()
+ return 0, errors.ErrLeaderChanged
+ default:
+ }
+ responseID := uint64(0)
+ if len(rs.RequestCtx) == 8 {
+ responseID = binary.BigEndian.Uint64(rs.RequestCtx)
+ }
+ if _, ok := requestIDs[responseID]; !ok {
 // a previous request might time out. now we should ignore the response of it and
 // continue waiting for the response of the current requests.
- responseID := uint64(0)
- if len(rs.RequestCtx) == 8 {
- responseID = binary.BigEndian.Uint64(rs.RequestCtx)
- }
 lg.Warn(
 "ignored out-of-date read index response; local node read indexes queueing up and waiting to be in sync with leader",
- zap.Uint64("sent-request-id", requestID),
 zap.Uint64("received-request-id", responseID),
 )
 slowReadIndex.Inc()
@@ -901,6 +1004,8 @@ func (s *EtcdServer) requestCurrentIndex(leaderChangedNotifier <-chan struct{},
 case <-firstCommitInTermNotifier:
 firstCommitInTermNotifier = s.firstCommitInTerm.Receive()
 lg.Info("first commit in current term: resending ReadIndex request")
+ requestID = s.reqIDGen.Next()
+ requestIDs[requestID] = struct{}{}
 err := s.sendReadIndex(requestID)
 if err != nil {
 return 0, err
@@ -913,6 +1018,8 @@ func (s *EtcdServer) requestCurrentIndex(leaderChangedNotifier <-chan struct{},
 zap.Uint64("sent-request-id", requestID),
 zap.Duration("retry-timeout", readIndexRetryTime),
 )
+ requestID = s.reqIDGen.Next()
+ requestIDs[requestID] = struct{}{}
 err := s.sendReadIndex(requestID)
 if err != nil {
 return 0, err
@@ -1052,3 +1159,19 @@ func (s *EtcdServer) downgradeCancel(ctx context.Context) (*pb.DowngradeResponse
 resp := pb.DowngradeResponse{Version: version.Cluster(s.ClusterVersion().String())}
 return &resp, nil
 }
+
+func (s *EtcdServer) requireAuthInfo(ctx context.Context) error {
+ if !s.authStore.IsAuthEnabled() {
+ return nil
+ }
+
+ authInfo, err := s.AuthInfoFromCtx(ctx)
+ if err != nil {
+ return err
+ }
+
+ if authInfo == nil {
+ return auth.ErrUserEmpty
+ }
+ return nil
+}
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/storage/mvcc/watchable_store.go b/etcd/vendor/go.etcd.io/etcd/server/v3/storage/mvcc/watchable_store.go
index 67b2d7f2d3..1a1d99fed4 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/storage/mvcc/watchable_store.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/storage/mvcc/watchable_store.go
@@ -226,7 +226,6 @@ func (s *watchableStore) syncWatchersLoop() {
 delayTicker := time.NewTicker(watchResyncPeriod)
 defer delayTicker.Stop()
- var evs []mvccpb.Event
 for {
 s.mu.RLock()
@@ -236,7 +235,7 @@ func (s *watchableStore) syncWatchersLoop() {
 unsyncedWatchers := 0
 if lastUnsyncedWatchers > 0 {
- unsyncedWatchers, evs = s.syncWatchers(evs)
+ unsyncedWatchers = s.syncWatchers()
 }
 syncDuration := time.Since(st)
@@ -344,12 +343,12 @@ func (s *watchableStore) moveVictims() (moved int) {
 // 2. iterate over the set to get the minimum revision and remove compacted watchers
 // 3. use minimum revision to get all key-value pairs and send those events to watchers
 // 4. remove synced watchers in set from unsynced group and move to synced group
-func (s *watchableStore) syncWatchers(evs []mvccpb.Event) (int, []mvccpb.Event) {
+func (s *watchableStore) syncWatchers() int {
 s.mu.Lock()
 defer s.mu.Unlock()
 if s.unsynced.size() == 0 {
- return 0, []mvccpb.Event{}
+ return 0
 }
 s.store.revMu.RLock()
@@ -362,7 +361,7 @@ func (s *watchableStore) syncWatchers(evs []mvccpb.Event) (int, []mvccpb.Event)
 compactionRev := s.store.compactMainRev
 wg, minRev := s.unsynced.choose(maxWatchersPerSync, curRev, compactionRev)
- evs = rangeEventsWithReuse(s.store.lg, s.store.b, evs, minRev, curRev+1)
+ evs := rangeEvents(s.store.lg, s.store.b, minRev, curRev+1, wg)
 victims := make(watcherBatch)
 wb := newWatcherBatch(wg, evs)
@@ -411,43 +410,15 @@ func (s *watchableStore) syncWatchers(evs []mvccpb.Event) (int, []mvccpb.Event)
 }
 slowWatcherGauge.Set(float64(s.unsynced.size() + vsz))
- return s.unsynced.size(), evs
-}
-
-// rangeEventsWithReuse returns events in range [minRev, maxRev), while reusing already provided events.
-func rangeEventsWithReuse(lg *zap.Logger, b backend.Backend, evs []mvccpb.Event, minRev, maxRev int64) []mvccpb.Event {
- if len(evs) == 0 {
- return rangeEvents(lg, b, minRev, maxRev)
- }
- // append from left
- if evs[0].Kv.ModRevision > minRev {
- evs = append(rangeEvents(lg, b, minRev, evs[0].Kv.ModRevision), evs...)
- }
- // cut from left
- prefixIndex := 0
- for prefixIndex < len(evs) && evs[prefixIndex].Kv.ModRevision < minRev {
- prefixIndex++
- }
- evs = evs[prefixIndex:]
-
- if len(evs) == 0 {
- return rangeEvents(lg, b, minRev, maxRev)
- }
- // append from right
- if evs[len(evs)-1].Kv.ModRevision+1 < maxRev {
- evs = append(evs, rangeEvents(lg, b, evs[len(evs)-1].Kv.ModRevision+1, maxRev)...)
- }
- // cut from right
- suffixIndex := len(evs) - 1
- for suffixIndex >= 0 && evs[suffixIndex].Kv.ModRevision >= maxRev {
- suffixIndex--
- }
- evs = evs[:suffixIndex+1]
- return evs
+ return s.unsynced.size()
 }
 // rangeEvents returns events in range [minRev, maxRev).
-func rangeEvents(lg *zap.Logger, b backend.Backend, minRev, maxRev int64) []mvccpb.Event {
+func rangeEvents(lg *zap.Logger, b backend.Backend, minRev, maxRev int64, c contains) []mvccpb.Event {
+ if minRev < 0 {
+ lg.Warn("Unexpected negative revision range start", zap.Int64("minRev", minRev))
+ minRev = 0
+ }
 minBytes, maxBytes := NewRevBytes(), NewRevBytes()
 minBytes = RevToBytes(Revision{Main: minRev}, minBytes)
 maxBytes = RevToBytes(Revision{Main: maxRev}, maxBytes)
@@ -457,7 +428,7 @@ func rangeEvents(lg *zap.Logger, b backend.Backend, minRev, maxRev int64) []mvcc
 tx := b.ReadTx()
 tx.RLock()
 revs, vs := tx.UnsafeRange(schema.Key, minBytes, maxBytes, 0)
- evs := kvsToEvents(lg, revs, vs)
+ evs := kvsToEvents(lg, c, revs, vs)
 // Must unlock after kvsToEvents, because vs (come from boltdb memory) is not deep copy.
 // We can only unlock after Unmarshal, which will do deep copy.
 // Otherwise we will trigger SIGSEGV during boltdb re-mmap.
@@ -465,14 +436,22 @@ func rangeEvents(lg *zap.Logger, b backend.Backend, minRev, maxRev int64) []mvcc
 return evs
 }
+type contains interface {
+ contains(string) bool
+}
+
 // kvsToEvents gets all events for the watchers from all key-value pairs
-func kvsToEvents(lg *zap.Logger, revs, vals [][]byte) (evs []mvccpb.Event) {
+func kvsToEvents(lg *zap.Logger, c contains, revs, vals [][]byte) (evs []mvccpb.Event) {
 for i, v := range vals {
 var kv mvccpb.KeyValue
 if err := kv.Unmarshal(v); err != nil {
 lg.Panic("failed to unmarshal mvccpb.KeyValue", zap.Error(err))
 }
+ if !c.contains(string(kv.Key)) {
+ continue
+ }
+
 ty := mvccpb.PUT
 if isTombstone(revs[i]) {
 ty = mvccpb.DELETE
diff --git a/etcd/vendor/go.etcd.io/etcd/server/v3/storage/util.go b/etcd/vendor/go.etcd.io/etcd/server/v3/storage/util.go
index 0dc7f1c6d3..b6ca2ac88e 100644
--- a/etcd/vendor/go.etcd.io/etcd/server/v3/storage/util.go
+++ b/etcd/vendor/go.etcd.io/etcd/server/v3/storage/util.go
@@ -131,6 +131,9 @@ func GetEffectiveNodeIDsFromWALEntries(lg *zap.Logger, snap *raftpb.Snapshot, en
 for _, id := range snap.Metadata.ConfState.Voters {
 ids[id] = true
 }
+ for _, id := range snap.Metadata.ConfState.Learners {
+ ids[id] = true
+ }
 }
 for _, e := range ents {
 if e.Type != raftpb.EntryConfChange {
diff --git a/etcd/vendor/golang.org/x/net/http2/http2.go b/etcd/vendor/golang.org/x/net/http2/http2.go
index 6320f4eb4c..0b99d832fa 100644
--- a/etcd/vendor/golang.org/x/net/http2/http2.go
+++ b/etcd/vendor/golang.org/x/net/http2/http2.go
@@ -4,13 +4,17 @@
 // Package http2 implements the HTTP/2 protocol.
 //
-// This package is low-level and intended to be used directly by very
-// few people. Most users will use it indirectly through the automatic
-// use by the net/http package (from Go 1.6 and later).
-// For use in earlier Go versions see ConfigureServer. (Transport support
-// requires Go 1.6 or later)
+// Almost no users should need to import this package directly.
+// The net/http package supports HTTP/2 natively.
 //
-// See https://http2.github.io/ for more information on HTTP/2.
+// To enable or disable HTTP/2 support in net/http clients and servers, see
+// [http.Transport.Protocols] and [http.Server.Protocols].
+//
+// To configure HTTP/2 parameters, see
+// [http.Transport.HTTP2] and [http.Server.HTTP2].
+//
+// To create HTTP/1 or HTTP/2 connections, see
+// [http.Transport.NewClientConn].
 package http2 // import "golang.org/x/net/http2"
 import (
diff --git a/etcd/vendor/golang.org/x/net/http2/server.go b/etcd/vendor/golang.org/x/net/http2/server.go
index 7ef807f79d..65da5175c9 100644
--- a/etcd/vendor/golang.org/x/net/http2/server.go
+++ b/etcd/vendor/golang.org/x/net/http2/server.go
@@ -164,6 +164,8 @@ type Server struct {
 // NewWriteScheduler constructs a write scheduler for a connection.
 // If nil, a default scheduler is chosen.
+ //
+ // Deprecated: User-provided write schedulers are deprecated.
 NewWriteScheduler func() WriteScheduler
 // CountError, if non-nil, is called on HTTP/2 server errors.
diff --git a/etcd/vendor/golang.org/x/net/http2/transport.go b/etcd/vendor/golang.org/x/net/http2/transport.go
index 8cf64b78e2..2e9c2f6a52 100644
--- a/etcd/vendor/golang.org/x/net/http2/transport.go
+++ b/etcd/vendor/golang.org/x/net/http2/transport.go
@@ -712,10 +712,6 @@ func canRetryError(err error) bool { return true } if se, ok := err.(StreamError); ok { - if se.Code == ErrCodeProtocol && se.Cause == errFromPeer { - // See golang/go#47635, golang/go#42777 - return true - } return se.Code == ErrCodeRefusedStream } return false @@ -3233,10 +3229,6 @@ func (gz *gzipReader) Close() error { return gz.body.Close() } -type errorReader struct{ err error } - -func (r errorReader) Read(p []byte) (int, error) { return 0, r.err } - // isConnectionCloseRequest reports whether req should use its own // connection for a single request and then close the connection. func isConnectionCloseRequest(req *http.Request) bool { diff --git a/etcd/vendor/golang.org/x/net/http2/writesched.go b/etcd/vendor/golang.org/x/net/http2/writesched.go index 7de27be525..551545f313 100644 --- a/etcd/vendor/golang.org/x/net/http2/writesched.go +++ b/etcd/vendor/golang.org/x/net/http2/writesched.go @@ -8,6 +8,8 @@ import "fmt" // WriteScheduler is the interface implemented by HTTP/2 write schedulers. // Methods are never called concurrently. +// +// Deprecated: User-provided write schedulers are deprecated. type WriteScheduler interface { // OpenStream opens a new stream in the write scheduler. // It is illegal to call this with streamID=0 or with a streamID that is @@ -38,6 +40,8 @@ type WriteScheduler interface { } // OpenStreamOptions specifies extra options for WriteScheduler.OpenStream. +// +// Deprecated: User-provided write schedulers are deprecated. type OpenStreamOptions struct { // PusherID is zero if the stream was initiated by the client. Otherwise, // PusherID names the stream that pushed the newly opened stream. 
@@ -47,6 +51,8 @@ type OpenStreamOptions struct { } // FrameWriteRequest is a request to write a frame. +// +// Deprecated: User-provided write schedulers are deprecated. type FrameWriteRequest struct { // write is the interface value that does the writing, once the // WriteScheduler has selected this frame to write. The write diff --git a/etcd/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go b/etcd/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go index 7803a9261b..c3d3e9bed6 100644 --- a/etcd/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go +++ b/etcd/vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go @@ -14,6 +14,8 @@ import ( const priorityDefaultWeightRFC7540 = 15 // 16 = 15 + 1 // PriorityWriteSchedulerConfig configures a priorityWriteScheduler. +// +// Deprecated: User-provided write schedulers are deprecated. type PriorityWriteSchedulerConfig struct { // MaxClosedNodesInTree controls the maximum number of closed streams to // retain in the priority tree. Setting this to zero saves a small amount @@ -55,6 +57,9 @@ type PriorityWriteSchedulerConfig struct { // NewPriorityWriteScheduler constructs a WriteScheduler that schedules // frames by following HTTP/2 priorities as described in RFC 7540 Section 5.3. // If cfg is nil, default options are used. +// +// Deprecated: The RFC 7540 write scheduler has known bugs and performance issues, +// and RFC 7540 prioritization was deprecated in RFC 9113. func NewPriorityWriteScheduler(cfg *PriorityWriteSchedulerConfig) WriteScheduler { return newPriorityWriteSchedulerRFC7540(cfg) } diff --git a/etcd/vendor/golang.org/x/net/http2/writesched_random.go b/etcd/vendor/golang.org/x/net/http2/writesched_random.go index f2e55e05ce..d5d4e22148 100644 --- a/etcd/vendor/golang.org/x/net/http2/writesched_random.go +++ b/etcd/vendor/golang.org/x/net/http2/writesched_random.go 
@@ -10,6 +10,8 @@ import "math" // priorities. Control frames like SETTINGS and PING are written before DATA // frames, but if no control frames are queued and multiple streams have queued // HEADERS or DATA frames, Pop selects a ready stream arbitrarily. +// +// Deprecated: User-provided write schedulers are deprecated. func NewRandomWriteScheduler() WriteScheduler { return &randomWriteScheduler{sq: make(map[uint32]*writeQueue)} } diff --git a/etcd/vendor/modules.txt b/etcd/vendor/modules.txt index b66e9a1131..f365789f01 100644 --- a/etcd/vendor/modules.txt +++ b/etcd/vendor/modules.txt @@ -296,8 +296,8 @@ go.etcd.io/bbolt go.etcd.io/bbolt/errors go.etcd.io/bbolt/internal/common go.etcd.io/bbolt/internal/freelist -# go.etcd.io/etcd/api/v3 v3.6.8 => github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 -## explicit; go 1.24 +# go.etcd.io/etcd/api/v3 v3.6.11 => github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 +## explicit; go 1.25.0 go.etcd.io/etcd/api/v3/authpb go.etcd.io/etcd/api/v3/etcdserverpb go.etcd.io/etcd/api/v3/etcdserverpb/gw @@ -306,8 +306,8 @@ go.etcd.io/etcd/api/v3/mvccpb go.etcd.io/etcd/api/v3/v3rpc/rpctypes go.etcd.io/etcd/api/v3/version go.etcd.io/etcd/api/v3/versionpb -# go.etcd.io/etcd/client/pkg/v3 v3.6.8 => github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260312150232-d8d67b8ce849 -## explicit; go 1.24 +# go.etcd.io/etcd/client/pkg/v3 v3.6.11 => github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260508194201-c543fe153245 +## explicit; go 1.25.0 go.etcd.io/etcd/client/pkg/v3/fileutil go.etcd.io/etcd/client/pkg/v3/logutil go.etcd.io/etcd/client/pkg/v3/pathutil 
@@ -317,15 +317,15 @@ go.etcd.io/etcd/client/pkg/v3/tlsutil go.etcd.io/etcd/client/pkg/v3/transport go.etcd.io/etcd/client/pkg/v3/types go.etcd.io/etcd/client/pkg/v3/verify -# go.etcd.io/etcd/client/v3 v3.6.8 => github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 -## explicit; go 1.24 +# go.etcd.io/etcd/client/v3 v3.6.11 => github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 +## explicit; go 1.25.0 go.etcd.io/etcd/client/v3 go.etcd.io/etcd/client/v3/concurrency go.etcd.io/etcd/client/v3/credentials go.etcd.io/etcd/client/v3/internal/endpoint go.etcd.io/etcd/client/v3/internal/resolver -# go.etcd.io/etcd/pkg/v3 v3.6.5 => github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 -## explicit; go 1.24 +# go.etcd.io/etcd/pkg/v3 v3.6.11 => github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 +## explicit; go 1.25.0 go.etcd.io/etcd/pkg/v3/adt go.etcd.io/etcd/pkg/v3/contention go.etcd.io/etcd/pkg/v3/cpuutil @@ -343,8 +343,8 @@ go.etcd.io/etcd/pkg/v3/runtime go.etcd.io/etcd/pkg/v3/schedule go.etcd.io/etcd/pkg/v3/traceutil go.etcd.io/etcd/pkg/v3/wait -# go.etcd.io/etcd/server/v3 v3.6.5 => github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 -## explicit; go 1.24 +# go.etcd.io/etcd/server/v3 v3.6.5 => github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 +## explicit; go 1.25.0 go.etcd.io/etcd/server/v3/auth go.etcd.io/etcd/server/v3/config go.etcd.io/etcd/server/v3/embed @@ -484,11 +484,11 @@ go.yaml.in/yaml/v2 # go.yaml.in/yaml/v3 v3.0.4 ## explicit; go 1.16 go.yaml.in/yaml/v3 -# golang.org/x/crypto v0.48.0 -## explicit; go 1.24.0 +# golang.org/x/crypto v0.49.0 +## explicit; go 1.25.0 golang.org/x/crypto/bcrypt golang.org/x/crypto/blowfish -# golang.org/x/net v0.51.0 +# golang.org/x/net v0.52.0 ## explicit; go 1.25.0 golang.org/x/net/context golang.org/x/net/http/httpguts 
@@ -514,11 +514,11 @@ golang.org/x/sys/plan9 golang.org/x/sys/unix golang.org/x/sys/windows golang.org/x/sys/windows/registry -# golang.org/x/term v0.40.0 -## explicit; go 1.24.0 +# golang.org/x/term v0.41.0 +## explicit; go 1.25.0 golang.org/x/term -# golang.org/x/text v0.34.0 -## explicit; go 1.24.0 +# golang.org/x/text v0.36.0 +## explicit; go 1.25.0 golang.org/x/text/encoding golang.org/x/text/encoding/internal golang.org/x/text/encoding/internal/identifier 
@@ -1108,11 +1108,11 @@ sigs.k8s.io/yaml sigs.k8s.io/yaml/kyaml # github.com/openshift/microshift => ../ # github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20251120221002-696928a6a0d7 -# go.etcd.io/etcd/api/v3 => github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 -# go.etcd.io/etcd/client/pkg/v3 => github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260312150232-d8d67b8ce849 -# go.etcd.io/etcd/client/v3 => github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 -# go.etcd.io/etcd/pkg/v3 => github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 -# go.etcd.io/etcd/server/v3 => github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260312150232-d8d67b8ce849 +# go.etcd.io/etcd/api/v3 => github.com/openshift/etcd/api/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 +# go.etcd.io/etcd/client/pkg/v3 => github.com/openshift/etcd/client/pkg/v3 v3.0.0-20260508194201-c543fe153245 +# go.etcd.io/etcd/client/v3 => github.com/openshift/etcd/client/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 +# go.etcd.io/etcd/pkg/v3 => github.com/openshift/etcd/pkg/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 +# go.etcd.io/etcd/server/v3 => github.com/openshift/etcd/server/v3 v3.5.0-alpha.0.0.20260508194201-c543fe153245 # k8s.io/api => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/api # k8s.io/apiextensions-apiserver => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apiextensions-apiserver # k8s.io/apimachinery => ../deps/github.com/openshift/kubernetes/staging/src/k8s.io/apimachinery From 12e0a3b850112bc4f3b51cfb5f443d1cc5dc2f0f Mon Sep 17 00:00:00 2001 From: ci-robot Date: Tue, 12 May 2026 04:40:36 +0000 Subject: [PATCH 6/8] update component images --- packaging/crio.conf.d/10-microshift_amd64.conf | 2 +- packaging/crio.conf.d/10-microshift_arm64.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/packaging/crio.conf.d/10-microshift_amd64.conf b/packaging/crio.conf.d/10-microshift_amd64.conf
index c4e400d86d..61418ce9ab 100644
--- a/packaging/crio.conf.d/10-microshift_amd64.conf
+++ b/packaging/crio.conf.d/10-microshift_amd64.conf
@@ -2,6 +2,6 @@
 # for community builds on top of OKD, this setting has no effect
 [crio.image]
 global_auth_file="/etc/crio/openshift-pull-secret"
-pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:928bc512af4f6a8372f90d9e3c1aae0e5f11def3ad36e94e96be9abf0e98c718"
+pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:afcd66c0f0a7916c06e3e0e1a002865f87f4860ec9e5b0ceb4808f5caa4248dd"
 pause_image_auth_file = "/etc/crio/openshift-pull-secret"
 pause_command = "/usr/bin/pod"
diff --git a/packaging/crio.conf.d/10-microshift_arm64.conf b/packaging/crio.conf.d/10-microshift_arm64.conf
index 7c10be8155..1b8cca9a40 100644
--- a/packaging/crio.conf.d/10-microshift_arm64.conf
+++ b/packaging/crio.conf.d/10-microshift_arm64.conf
@@ -2,6 +2,6 @@
 # for community builds on top of OKD, this setting has no effect
 [crio.image]
 global_auth_file="/etc/crio/openshift-pull-secret"
-pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cc92fce3d1515a67507dde231828df292e47d8c1e10bf399d12cf395ff9d5178"
+pause_image = "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1ac9976abdc1f970ca46f8501acc9fb0138e05c563dbadf05feb54d26dec3266"
 pause_image_auth_file = "/etc/crio/openshift-pull-secret"
 pause_command = "/usr/bin/pod"
From 1dd1d95df0e89c3a019bb62b167ed780ecea8bff Mon Sep 17 00:00:00 2001
From: ci-robot Date: Tue, 12 May 2026 04:40:38 +0000 Subject: [PATCH 7/8] update manifests --- .../multus/kustomization.aarch64.yaml | 4 ++-- .../multus/kustomization.x86_64.yaml | 4 ++-- .../multus/release-multus-aarch64.json | 6 +++--- .../multus/release-multus-x86_64.json | 6 +++--- .../kustomization.aarch64.yaml | 10 +++++----- .../kustomization.x86_64.yaml | 10 +++++----- .../release-olm-aarch64.json | 8 ++++---- .../release-olm-x86_64.json | 8 ++++---- assets/release/release-aarch64.json | 18 +++++++++--------- assets/release/release-x86_64.json | 18 +++++++++--------- 10 files changed, 46 insertions(+), 46 deletions(-) diff --git a/assets/components/multus/kustomization.aarch64.yaml b/assets/components/multus/kustomization.aarch64.yaml index 0cb177a79c..4775e3db48 100644 --- a/assets/components/multus/kustomization.aarch64.yaml +++ b/assets/components/multus/kustomization.aarch64.yaml @@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:39553f8b8ee836be1f442665fc55be7642261b7766f4b2fff0b30718abc9dae2 + digest: sha256:73f11be8a6070813c96e4d8ff2d2e24e2a109605e3b841f9a9d3a3d8b55f3e4b - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:6cbb31dceaec7a3fd771c614b804176e0947bc4e5278e3af167b9b1ba744e740 + digest: sha256:149ee8fd8551c31560aa16d13735cfbba52170c9d8426c0976a948be977f20a0 diff --git a/assets/components/multus/kustomization.x86_64.yaml b/assets/components/multus/kustomization.x86_64.yaml index 6d76735ac0..6e381f8db5 100644 --- a/assets/components/multus/kustomization.x86_64.yaml +++ b/assets/components/multus/kustomization.x86_64.yaml 
@@ -2,7 +2,7 @@ images: - name: multus-cni-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:9e3d2bea43fd760020304e1b77e4d8b22c1effb0c575bb00efda8ce4c73f0ead + digest: sha256:e8415fc215551f96f07f530ef639f2d34a19a46cad9366dc6c9032e5d99fe072 - name: containernetworking-plugins-microshift newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:12943ba669bad24ae74176906654bd96b46827714f7e0bb46db338d920215ede + digest: sha256:ff48e2a9e74c7df6f9c32584f0e57042ee220b55f057250458c7f7d1b192958d diff --git a/assets/components/multus/release-multus-aarch64.json b/assets/components/multus/release-multus-aarch64.json index 270d1ba859..ef58853f2b 100644 --- a/assets/components/multus/release-multus-aarch64.json +++ b/assets/components/multus/release-multus-aarch64.json @@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-05-06-233705" + "base": "5.0.0-0.nightly-arm64-2026-05-12-005002" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:39553f8b8ee836be1f442665fc55be7642261b7766f4b2fff0b30718abc9dae2", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:6cbb31dceaec7a3fd771c614b804176e0947bc4e5278e3af167b9b1ba744e740" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:73f11be8a6070813c96e4d8ff2d2e24e2a109605e3b841f9a9d3a3d8b55f3e4b", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:149ee8fd8551c31560aa16d13735cfbba52170c9d8426c0976a948be977f20a0" } } diff --git a/assets/components/multus/release-multus-x86_64.json b/assets/components/multus/release-multus-x86_64.json index 5f972198f7..b84a985b38 100644 --- a/assets/components/multus/release-multus-x86_64.json +++ b/assets/components/multus/release-multus-x86_64.json 
@@ -1,9 +1,9 @@ { "release": { - "base": "5.0.0-0.nightly-2026-05-05-231020" + "base": "5.0.0-0.nightly-2026-05-11-124243" }, "images": { - "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9e3d2bea43fd760020304e1b77e4d8b22c1effb0c575bb00efda8ce4c73f0ead", - "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:12943ba669bad24ae74176906654bd96b46827714f7e0bb46db338d920215ede" + "multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e8415fc215551f96f07f530ef639f2d34a19a46cad9366dc6c9032e5d99fe072", + "containernetworking-plugins-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ff48e2a9e74c7df6f9c32584f0e57042ee220b55f057250458c7f7d1b192958d" } } diff --git a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml index f495f41c72..e8768285f1 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.aarch64.yaml @@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:882318cac95ca934668849dcd7d5da9a9198c968c6b561ac9bb43b28c5454ff2 + digest: sha256:21c33428b24b91c0a43f5d0cfdf36f7edd3fbb8993608ab8064f278c97db27dc - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:cf89dd206b52c7bb704d6609e90d47fe116a68bcf5c6e20525bebf9fe2d9b370 + digest: sha256:675807ed89d3bb4f0902ec755b5c274d1ab56cf5ca147234545be15385a1ea81 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:0446463c285378b96336a9bcfdc1560181ceb3c2c2c9d0e1274c4978d043a10e + digest: sha256:cec571651e2c2d3baa6563a668640de47885aa0edb29c50d0e0b9de801ed087a patches: - patch: |- 
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cf89dd206b52c7bb704d6609e90d47fe116a68bcf5c6e20525bebf9fe2d9b370 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:675807ed89d3bb4f0902ec755b5c274d1ab56cf5ca147234545be15385a1ea81 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:882318cac95ca934668849dcd7d5da9a9198c968c6b561ac9bb43b28c5454ff2 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:21c33428b24b91c0a43f5d0cfdf36f7edd3fbb8993608ab8064f278c97db27dc target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml index 18a959d93c..7dd8a0fbac 100644 --- a/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml +++ b/assets/optional/operator-lifecycle-manager/kustomization.x86_64.yaml @@ -2,13 +2,13 @@ images: - name: quay.io/operator-framework/olm newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:9af145c15f17fbc08ff3490c71e6a69fdb364914be5ae3c3cf0498d55cbc40c9 + digest: sha256:e57542abded69dd4d611b2d2b3d71cf822ec4723fd7f9fc84e7e2299006e3d34 - name: quay.io/operator-framework/configmap-operator-registry newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:bc549adfc831847203871fe9ebd1a4c9f54ab5f94843a3c4f20c9f9553984767 + digest: sha256:b0f06b001f73caed321f1aa4e47864a304e1c82088a6ca09c9dda41a923ff225 - name: quay.io/openshift/origin-kube-rbac-proxy newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev - digest: sha256:3482ea3d2b8dce334f07b89086fdb06543d1a1680b4e71f937fbd13a171c42cf + digest: sha256:f13c5c6ca411b698f12b86ae816dedf4c3955550567c99ed5f391219cda638a4 patches: - patch: |- 
@@ -16,12 +16,12 @@ patches: path: /spec/template/spec/containers/0/env/- value: name: OPERATOR_REGISTRY_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:bc549adfc831847203871fe9ebd1a4c9f54ab5f94843a3c4f20c9f9553984767 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b0f06b001f73caed321f1aa4e47864a304e1c82088a6ca09c9dda41a923ff225 - op: add path: /spec/template/spec/containers/0/env/- value: name: OLM_IMAGE - value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9af145c15f17fbc08ff3490c71e6a69fdb364914be5ae3c3cf0498d55cbc40c9 + value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e57542abded69dd4d611b2d2b3d71cf822ec4723fd7f9fc84e7e2299006e3d34 target: kind: Deployment labelSelector: app=catalog-operator diff --git a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json index 9f1a5b3ffa..7170a031c9 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-aarch64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-arm64-2026-05-06-233705" + "base": "5.0.0-0.nightly-arm64-2026-05-12-005002" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:882318cac95ca934668849dcd7d5da9a9198c968c6b561ac9bb43b28c5454ff2", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cf89dd206b52c7bb704d6609e90d47fe116a68bcf5c6e20525bebf9fe2d9b370", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0446463c285378b96336a9bcfdc1560181ceb3c2c2c9d0e1274c4978d043a10e" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:21c33428b24b91c0a43f5d0cfdf36f7edd3fbb8993608ab8064f278c97db27dc", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:675807ed89d3bb4f0902ec755b5c274d1ab56cf5ca147234545be15385a1ea81", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cec571651e2c2d3baa6563a668640de47885aa0edb29c50d0e0b9de801ed087a" } } diff --git a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json index d91fba0e84..257ac7a405 100644 --- a/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json +++ b/assets/optional/operator-lifecycle-manager/release-olm-x86_64.json 
@@ -1,10 +1,10 @@ { "release": { - "base": "5.0.0-0.nightly-2026-05-05-231020" + "base": "5.0.0-0.nightly-2026-05-11-124243" }, "images": { - "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:9af145c15f17fbc08ff3490c71e6a69fdb364914be5ae3c3cf0498d55cbc40c9", - "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:bc549adfc831847203871fe9ebd1a4c9f54ab5f94843a3c4f20c9f9553984767", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:3482ea3d2b8dce334f07b89086fdb06543d1a1680b4e71f937fbd13a171c42cf" + "operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e57542abded69dd4d611b2d2b3d71cf822ec4723fd7f9fc84e7e2299006e3d34", + "operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b0f06b001f73caed321f1aa4e47864a304e1c82088a6ca09c9dda41a923ff225", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f13c5c6ca411b698f12b86ae816dedf4c3955550567c99ed5f391219cda638a4" } } diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json index 7e694e1233..d046f2ef0e 100644 --- a/assets/release/release-aarch64.json +++ b/assets/release/release-aarch64.json 
@@ -1,16 +1,16 @@
 {
 "release": {
- "base": "5.0.0-0.nightly-arm64-2026-05-06-233705"
+ "base": "5.0.0-0.nightly-arm64-2026-05-12-005002"
 },
 "images": {
- "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:3277eaa3a85a72ce660972f7baebbe0748e7c9f011856c0a663dd46456275484",
- "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e9864b5d80dfd8f55aabae4b59c1589d5c5632085def754a3857a34b8a371f73",
- "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:7f283ab977c67b26b55efc5476855e16e24a46b453a01a2d8ff389aca4db4547",
- "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0446463c285378b96336a9bcfdc1560181ceb3c2c2c9d0e1274c4978d043a10e",
- "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f571b5d5727dd2f1ab6093338bf12d9fad21d6672a2fa3f3a5db0997ebc76d25",
- "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cc92fce3d1515a67507dde231828df292e47d8c1e10bf399d12cf395ff9d5178",
- "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b6761de6a76f9dad5eaef988546747c4836b3ead5e619d20026824a9dc2b0893",
+ "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e86d9cc51e3a9fa6d60a74334b7e67605cabf06c21d20c8eeda451163e5ac6d7",
+ "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:d15b0434daaf74307dc657f01b0e839113975673b29631cabecf60b6b5d7ad41",
+ "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a7822f60917bfce09cff143e72a6b2390306758349d6427f5b6538b360762fe2",
+ "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cec571651e2c2d3baa6563a668640de47885aa0edb29c50d0e0b9de801ed087a",
+ "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a0c062b4b9d1c63228ee2e64f2685a7bc1bffa77b868ef26a8235914b91b9300",
+ "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1ac9976abdc1f970ca46f8501acc9fb0138e05c563dbadf05feb54d26dec3266",
+ "service-ca-operator":
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:224586cfd55f819b3c5902fd9b4de5d5ac972367685401c3a900991adffc864a",
 "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:3766640b19c336b443619ecdb35f36b479c79ea71b21de97febf024a5eaf6c84",
- "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:ce0f839b8e9c87191ea14eb415d2e4da4f938f31d67e22b00ecea232528ed4c5"
+ "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:6f26fbaa1f82868643a3cbea3e2653e8d2c0989a2f6cf89e5d56287171600e0b"
 }
 }
diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json
index e43caa7540..b8dce96cfe 100644
--- a/assets/release/release-x86_64.json
+++ b/assets/release/release-x86_64.json
@@ -1,16 +1,16 @@
 {
 "release": {
- "base": "5.0.0-0.nightly-2026-05-05-231020"
+ "base": "5.0.0-0.nightly-2026-05-11-124243"
 },
 "images": {
- "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e8b207ab1f79cd199ed14b049e94c0b20575a432f345c6b26958e93f8bd0950f",
- "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:304935bdd611c30672df711b3a2ef97166a103adbf8b001cdf5e4f4522da5271",
- "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:0549986bcbce883d1025bf92e21226e3a651405f543b97e39a9cec663aa975ce",
- "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:3482ea3d2b8dce334f07b89086fdb06543d1a1680b4e71f937fbd13a171c42cf",
- "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a1665452c9943ca04b084e2f6b5016690ac820212687a3767ff1c89bdeb1a6f6",
- "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:928bc512af4f6a8372f90d9e3c1aae0e5f11def3ad36e94e96be9abf0e98c718",
- "service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5e568f1c00750c8e248388b53d4c3b12a5cdb714e350a74a5199c52ec11c8613",
+ "cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:4af05674c7b071a474fc313fb5690ff3075c4570741ad4c9299b9faaf69047d2",
+ "coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:69861b394424bf154055f1686c29f33f0921a806950ac110be7729c708377562",
+ "haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:74e83c0a70aba0011572975f16db81baacd50d2a4f475e6c01a6e16a4588a0d6",
+ "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f13c5c6ca411b698f12b86ae816dedf4c3955550567c99ed5f391219cda638a4",
+ "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1a9368809cdec543a6536cb5468f31b6b17d7fee5d19fcab10935502552bf633",
+ "pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:afcd66c0f0a7916c06e3e0e1a002865f87f4860ec9e5b0ceb4808f5caa4248dd",
+ "service-ca-operator":
"quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f655382abcff36918f10887506d45788529526a5885a915615253076e0c1b976",
 "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:58804d8baf922927b66cec9424d431a3bdb341d207024ce40cc8f0123bac03ee",
- "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:2fb9d63f94d6f17f4ddd326d2dd8f78b041b8001747117919eb87e30a6a150f4"
+ "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:035898ef78e775142f00f4de268fd24aac0e3f52dc689b2a02f172d506bcea9b"
 }
 }
From 93753068b5ce495170d29da4e773ae6cb2ce5fa1 Mon Sep 17 00:00:00 2001 From: ci-robot Date: Tue, 12 May 2026 04:40:39 +0000 Subject: [PATCH 8/8] update buildfiles --- Makefile.kube_git.var | 2 +- Makefile.version.aarch64.var | 2 +- Makefile.version.x86_64.var | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile.kube_git.var b/Makefile.kube_git.var
index ccdbe721a4..92110a3cb2 100644
--- a/Makefile.kube_git.var
+++ b/Makefile.kube_git.var
@@ -1,5 +1,5 @@
 KUBE_GIT_MAJOR=1
 KUBE_GIT_MINOR=35
 KUBE_GIT_VERSION=v1.35.3
-KUBE_GIT_COMMIT=5f099ccd1e8345f615d10381290909a8ca581b66
+KUBE_GIT_COMMIT=f9b62a69d4a05e10b2b7cf8d40afa37f9dcd0938
 KUBE_GIT_TREE_STATE=clean
diff --git a/Makefile.version.aarch64.var b/Makefile.version.aarch64.var
index 362184f426..81dbdc33d3 100644
--- a/Makefile.version.aarch64.var
+++ b/Makefile.version.aarch64.var
@@ -1 +1 @@
-OCP_VERSION := 5.0.0-0.nightly-arm64-2026-05-06-233705
+OCP_VERSION := 5.0.0-0.nightly-arm64-2026-05-12-005002
diff --git a/Makefile.version.x86_64.var b/Makefile.version.x86_64.var
index da111c0300..660ba4670c 100644
--- a/Makefile.version.x86_64.var
+++ b/Makefile.version.x86_64.var
@@ -1 +1 @@
-OCP_VERSION := 5.0.0-0.nightly-2026-05-05-231020
+OCP_VERSION := 5.0.0-0.nightly-2026-05-11-124243