Added labels support for ci-secret-bootstrap

[hector-vido]

Since we are using ci-secret-bootstrap to manage ArgoCD cluster secrets we need a way specify labels inside the secret stored on vault to avoid manual work.

ArgoCD identify cluster secrets based on the label argocd.argoproj.io/secret-type: cluster added to the secrets that maps a ServiceAccount and a token from other clusters inside openshift-gitops.

This PR add this possibility.

Labels support for ci-secret-bootstrap

This PR enables ci-secret-bootstrap to apply Kubernetes labels to Secrets it syncs from Vault so operators can manage label-dependent workflows (notably ArgoCD cluster-secret discovery) automatically.

What changed (practical impact)

• ci-secret-bootstrap (cmd/ci-secret-bootstrap)

  • Recognizes a new Vault metadata key (pkg/api/vault.SecretSyncTargetLabelsKey = "secretsync/target-labels") that contains comma-separated "key: value" label pairs.
  • Parses, trims and validates label keys and values against Kubernetes label rules; invalid entries are skipped and logged.
  • Merges validated labels with the existing ci-secret-bootstrap requester label and writes them to Secret.ObjectMeta.Labels when creating or updating Secrets.
  • Treats the secretsync/target-labels Vault key as reserved metadata so it is not stored in Secret.Data.
  • When deciding whether to update an existing Secret, compares desired vs existing ObjectMeta.Labels in addition to Secret.Data and performs in-place updates when labels differ, honoring the existing requester-label guard.

• vault-subpath-proxy (cmd/vault-subpath-proxy)

  • KV update request validation now treats the new secretsync/target-labels key as metadata (like secretsync/target-clusters) so it bypasses normal secret-key regex validation and is accepted as a metadata field.

Why this matters for CI operators

• Operators can store desired Kubernetes labels in Vault and have ci-secret-bootstrap apply them during sync. This eliminates manual post-sync labeling for workflows that depend on labels (for example adding argocd.argoproj.io/secret-type: cluster so ArgoCD discovers cluster secrets automatically).

Technical notes

• New exported constant: pkg/api/vault.SecretSyncTargetLabelsKey = "secretsync/target-labels".
• No public function signatures changed; go.mod dependency versions were updated as part of the commit.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds Vault-driven secret labels: a new exported Vault key, proxy validation skip for that key, parsing/validation and application of labels in ci-secret-bootstrap (including reserved-key handling), and update-on-label-drift for managed Secrets. go.mod dependency versions are also updated.

Changes

Secret sync target labels support

Layer / File(s)	Summary
Define secret sync target labels key pkg/api/vault/vault.go	New exported constant SecretSyncTargetLabelsKey defines the Vault key secretsync/target-labels for label data.
Skip labels key in Vault request validation cmd/vault-subpath-proxy/kv_update_transport.go	Validation loop now treats SecretSyncTargetLabelsKey as a reserved sync key, bypassing regex checks alongside the cluster target key.
Parse and apply sync labels from Vault cmd/ci-secret-bootstrap/main.go	fetchUserSecrets imports label validators, parses comma-separated validated key: value pairs from Vault, excludes the reserved sync key from Secret Data, and sets ObjectMeta.Labels on new and existing Secrets.
Detect and apply label changes cmd/ci-secret-bootstrap/main.go	updateSecrets computes deep-equality of desired vs existing Secret labels and includes label drift in the in-place update condition for Secrets managed by ci-secret-bootstrap.
Tooling and deps go.mod	Updates multiple direct and indirect module versions and a replace directive; Go toolchain version unchanged.
Tests: use cmp.Diff pkg/lease/client_test.go	Replace diff.ObjectDiff with cmp.Diff in mismatch output and remove the old import.

---

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Go Error Handling	⚠️ Warning	In cmd/ci-secret-bootstrap/main.go, label parsing code accesses label[1] without bounds checking. strings.Split without colons returns <2 elements, causing panic.	Add len(label) >= 2 check before accessing label[1]; otherwise skip/warn the malformed label.
Test Coverage For New Features	⚠️ Warning	Label parsing and validation in fetchUserSecrets lack test coverage. No test cases verify label syncing functionality.	Add test cases for label parsing, validation, trimming, rejection of invalid labels, and label-based secret updates.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main feature added: labels support for ci-secret-bootstrap, which aligns with the core changes in the pull request.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR does not use Ginkgo testing framework. All test files use standard Go testing package with table-driven tests. Test names are static and descriptive. Check is not applicable.
Test Structure And Quality	✅ Passed	PR does not add/modify Ginkgo tests. Repository uses standard Go testing (testing.T), not Ginkgo. Custom check is inapplicable.
Microshift Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. It modifies existing code and unit test assertions. The custom check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests. Changes are to internal tooling, constants, dependencies, and unit tests only. SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR does not add deployment manifests, operators, or controllers. Changes are to CLI tools that manipulate Kubernetes secrets' labels and dependencies. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	No stdout violations detected. Changes are pure logic modifications for label handling. Logging continues to use logrus (stderr). No os.Stdout, io.Stdout, or fmt.Print* calls added.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes are production code and unit test assertions. The check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hector-vido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [hector-vido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/ci-secret-bootstrap/main.go`:
- Around line 674-680: User-provided labels parsed from
secretKeys[vaultapi.SecretSyncTargetLabelsKey] can overwrite the seeded
controller label api.DPTPRequesterLabel in the labels map; update the parsing
logic (the block that builds labels from vaultValue in
cmd/ci-secret-bootstrap/main.go) to reject or ignore any entry whose key equals
api.DPTPRequesterLabel so the initially-seeded labels map entry is never
replaced (ensure the same behavior is enforced before updateSecrets is called).
- Around line 675-680: The current Vault label parsing loop can panic on
malformed entries; update the block that handles
secretKeys[vaultapi.SecretSyncTargetLabelsKey] (variables vaultValue and labels)
to robustly parse each label: use strings.SplitN(entry, ":", 2),
strings.TrimSpace on both key and value, validate that you got exactly 2
non-empty parts, and either skip invalid entries or return a contextual error
(with which entry failed) instead of letting label[1] panic; ensure the final
parsed key/value are stored into labels only after trimming and validation.

In `@cmd/vault-subpath-proxy/kv_update_transport.go`:
- Around line 125-126: The branch only updated the regex but you must treat
SecretSyncTargetLabelsKey as a reserved key throughout this transport: update
validateKeysDontConflict to ignore vault.SecretSyncTargetLabelsKey when checking
for claimed keys, change syncSecret so it does not include
vault.SecretSyncTargetLabelsKey in Secret.Data or write it as normal secret
data, and update any cache builder routines that enumerate keys (e.g., functions
building the local cache or mapping keys to clusters) to skip
vault.SecretSyncTargetLabelsKey so it is never persisted or compared in conflict
checks; keep the same logic/guard used for vault.SecretSyncTargetClusterKey for
consistency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1b2b4634-8cfc-4261-99af-ce14c9e57856

📥 Commits

Reviewing files that changed from the base of the PR and between e3ac258 and f93da75.

📒 Files selected for processing (3)

• cmd/ci-secret-bootstrap/main.go
• cmd/vault-subpath-proxy/kv_update_transport.go
• pkg/api/vault/vault.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Treat SecretSyncTargetLabelsKey as reserved everywhere in this transport.

This branch only fixes the regex check. validateKeysDontConflict and syncSecret still treat the new key as normal secret data, so a Vault write can both raise false "key ... is already claimed" conflicts and persist secretsync/target-labels into Secret.Data. Please extend the same reserved-key handling there as well, and keep the cache builders aligned too.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/vault-subpath-proxy/kv_update_transport.go` around lines 125 - 126, The
branch only updated the regex but you must treat SecretSyncTargetLabelsKey as a
reserved key throughout this transport: update validateKeysDontConflict to
ignore vault.SecretSyncTargetLabelsKey when checking for claimed keys, change
syncSecret so it does not include vault.SecretSyncTargetLabelsKey in Secret.Data
or write it as normal secret data, and update any cache builder routines that
enumerate keys (e.g., functions building the local cache or mapping keys to
clusters) to skip vault.SecretSyncTargetLabelsKey so it is never persisted or
compared in conflict checks; keep the same logic/guard used for
vault.SecretSyncTargetClusterKey for consistency.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 5: The go.mod replace directive downgrades github.com/docker/distribution
to v2.7.1, reintroducing known vulnerabilities; remove or update that replace
entry so the project uses v2.8.3 or newer (i.e., delete or change the line
"replace github.com/docker/distribution => github.com/docker/distribution
v2.7.1+incompatible" to omit the replace or point to v2.8.3+incompatible), then
run go mod tidy to ensure module graph is refreshed and the secure version is
used.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 92bacdb6-52c2-4727-b315-c5086234b321

📥 Commits

Reviewing files that changed from the base of the PR and between f93da75 and ff9898d.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (4)

• cmd/ci-secret-bootstrap/main.go
• cmd/vault-subpath-proxy/kv_update_transport.go
• go.mod
• pkg/api/vault/vault.go

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/api/vault/vault.go
• cmd/vault-subpath-proxy/kv_update_transport.go
• cmd/ci-secret-bootstrap/main.go

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for security advisories on docker/distribution v2.7.1

gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "github.com/docker/distribution") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: openshift/ci-tools

Length of output: 801

---

Remove the docker/distribution downgrade to v2.7.1 — it reintroduces known security vulnerabilities.

The replace directive downgrades from v2.8.3 to v2.7.1, reintroducing at least two documented vulnerabilities:

• HIGH: Distribution catalog API endpoint can lead to OOM via malicious user input (published 2023-05-11, patched in 2.8.2-beta.1)
• LOW: OCI Manifest Type Confusion Issue (published 2022-02-08, patched in 2.8.0)

Keep the required version v2.8.3 or remove the replace directive entirely.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 5-5: github.com/docker/distribution 2.7.1+incompatible: Type confusion in github.com/docker/distribution

(GO-2022-0379)

---

[HIGH] 5-5: github.com/docker/distribution 2.7.1+incompatible: distribution catalog API endpoint can lead to OOM via malicious user input

(GHSA-hqxw-f8mx-cpmw)

---

[HIGH] 5-5: github.com/docker/distribution 2.7.1+incompatible: OCI Manifest Type Confusion Issue

(GHSA-qq97-vm5h-rrhg)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 5, The go.mod replace directive downgrades
github.com/docker/distribution to v2.7.1, reintroducing known vulnerabilities;
remove or update that replace entry so the project uses v2.8.3 or newer (i.e.,
delete or change the line "replace github.com/docker/distribution =>
github.com/docker/distribution v2.7.1+incompatible" to omit the replace or point
to v2.8.3+incompatible), then run go mod tidy to ensure module graph is
refreshed and the secure version is used.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 157: Update the pinned indirect dependency k8s.io/kubernetes in go.mod to
a patched 1.29.x release (at least v1.29.7) to eliminate CVE-2024-10220 and
CVE-2024-5321; open go.mod, replace the existing k8s.io/kubernetes v1.29.2 entry
with v1.29.7 (or later) and run go get k8s.io/kubernetes@v1.29.7 followed by go
mod tidy to update the lock file, or if the package is unnecessary remove the
k8s.io/kubernetes line and run go mod tidy to prune it from the module graph.
- Line 59: The go.mod currently pins k8s.io/apimachinery to v0.35.5 while other
Kubernetes modules (k8s.io/api, k8s.io/apiserver, k8s.io/client-go) remain at
v0.32.8 causing API/type/protobuf skew; update the Kubernetes module versions so
their minor versions match (e.g., set k8s.io/apimachinery to v0.32.x to match
k8s.io/api, k8s.io/apiserver, k8s.io/client-go or bump all peers to the same
v0.35.x), then run go get / go mod tidy to resolve transitive deps and ensure
builds pass — target the same minor for k8s.io/apimachinery, k8s.io/api,
k8s.io/apiserver, and k8s.io/client-go.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c20093fc-2c29-482d-a2d6-827116a19025

📥 Commits

Reviewing files that changed from the base of the PR and between ff9898d and 05c4a78.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (4)

• cmd/ci-secret-bootstrap/main.go
• cmd/vault-subpath-proxy/kv_update_transport.go
• go.mod
• pkg/api/vault/vault.go

🚧 Files skipped from review as they are similar to previous changes (3)

• cmd/vault-subpath-proxy/kv_update_transport.go
• pkg/api/vault/vault.go
• cmd/ci-secret-bootstrap/main.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Query OSV for known vulnerabilities on k8s.io/kubernetes v1.29.2
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": {"name": "k8s.io/kubernetes", "ecosystem": "Go"},
  "version": "1.29.2"
}' | jq .

Repository: openshift/ci-tools

Length of output: 50374

---

Pin k8s.io/kubernetes to a patched version to resolve HIGH severity vulnerabilities.

Version 1.29.2 contains at least two HIGH severity vulnerabilities: CVE-2024-10220 (kubelet arbitrary command execution) and CVE-2024-5321 (incorrect Windows container log permissions). Upgrade to 1.29.7 or later in the 1.29.x series to address these issues, or remove if unnecessary for the module graph.

🧰 Tools

🪛 OSV Scanner (2.3.8)

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes

(GO-2024-2746)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

(GO-2024-2994)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes

(GO-2024-3286)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Node Denial of Service via kubelet Checkpoint API in k8s.io/kubernetes

(GO-2025-3465)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes

(GO-2025-3521)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API in k8s.io/kubernetes

(GO-2025-3522)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes

(GO-2025-3547)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes

(GO-2025-3915)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Half-blind Server Side Request Forgery in kube-controller-manager through in-tree Portworx StorageClass in k8s.io/kubernetes

(GO-2025-4240)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes kubelet arbitrary command execution

(GHSA-27wf-5967-98gx)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes GitRepo Volume Inadvertent Local Repository Access

(GHSA-3wgm-2gw2-vh5m)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes Nodes can delete themselves by adding an OwnerReference

(GHSA-4x4m-3c2p-qppc)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes sets incorrect permissions on Windows containers logs

(GHSA-82m2-cv7p-4m75)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Node Denial of Service via kubelet Checkpoint API

(GHSA-jgfp-53c3-624w)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

(GHSA-pxhw-596r-rwq5)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass

(GHSA-r6j8-c6r2-37rr)

---

[HIGH] 157-157: k8s.io/kubernetes 1.29.2: Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API

(GHSA-vv39-3w5q-974q)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 157, Update the pinned indirect dependency k8s.io/kubernetes
in go.mod to a patched 1.29.x release (at least v1.29.7) to eliminate
CVE-2024-10220 and CVE-2024-5321; open go.mod, replace the existing
k8s.io/kubernetes v1.29.2 entry with v1.29.7 (or later) and run go get
k8s.io/kubernetes@v1.29.7 followed by go mod tidy to update the lock file, or if
the package is unnecessary remove the k8s.io/kubernetes line and run go mod tidy
to prune it from the module graph.

[coderabbitai]

♻️ Duplicate comments (2)

go.mod (2)

5-5: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Remove the docker/distribution downgrade to v2.7.1 — it reintroduces known security vulnerabilities.

This issue was previously flagged and remains unresolved. The replace directive downgrades from v2.8.3 to v2.7.1, reintroducing HIGH severity vulnerabilities including OOM via malicious catalog API input and OCI manifest type confusion.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 5, The go.mod contains a replace directive "replace
github.com/docker/distribution => github.com/docker/distribution
v2.7.1+incompatible" which downgrades to a vulnerable version; remove or update
that replace so the module uses a secure version (e.g., v2.8.3 or later) instead
of v2.7.1+incompatible: edit the go.mod to delete or change the replace line
referencing github.com/docker/distribution and run go mod tidy to ensure
dependencies are resolved to the non-vulnerable release.

---

157-157: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Pin k8s.io/kubernetes to a patched version to resolve HIGH severity vulnerabilities.

This issue was previously flagged and remains unresolved. Version 1.29.2 contains multiple HIGH severity vulnerabilities including CVE-2024-10220 (kubelet arbitrary command execution) and CVE-2024-5321 (incorrect Windows container log permissions). Upgrade to v1.29.7 or later in the 1.29.x series.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 157, Update the k8s.io/kubernetes module pin in go.mod
(currently "k8s.io/kubernetes v1.29.2") to a patched 1.29.x release (e.g.,
v1.29.7 or later) to address the reported HIGH severity CVEs, then run the Go
tooling to apply and verify the change (e.g., `go get
k8s.io/kubernetes@v1.29.7`, followed by `go mod tidy` and `go test`/build) so
go.sum is updated and the project still compiles/tests pass.

🧹 Nitpick comments (1)

go.mod (1)

191-191: ⚡ Quick win

Consider investigating the reason for pinning k8s.io/metrics to v0.32.0.

k8s.io/metrics is at v0.32.0 while core modules (k8s.io/api, k8s.io/apimachinery, k8s.io/apiserver, k8s.io/client-go) are at v0.35.5. The codebase uses it only in pkg/metrics/ (3 files) and there are no observed build or type compatibility issues. This version is likely pinned to satisfy a transitive dependency requirement (e.g., from sigs.k8s.io/prow). Verify whether aligning versions is safe or if the lower version is intentional for compatibility.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 191, The go.mod pins k8s.io/metrics to v0.32.0 while core k8s
modules are v0.35.5; inspect whether this downgrade is required by a transitive
dependency and if it's safe to align to v0.35.5. In the repo, check usage in
pkg/metrics/* and run go list -m all / go mod graph to find which module
requires v0.32.0 (e.g., sigs.k8s.io/prow), attempt to update by running go get
k8s.io/metrics@v0.35.5 and go mod tidy, then build and run tests to confirm no
type/API breakage; if a transitive consumer prevents the bump, document that
dependency and keep the pin.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@go.mod`:
- Line 5: The go.mod contains a replace directive "replace
github.com/docker/distribution => github.com/docker/distribution
v2.7.1+incompatible" which downgrades to a vulnerable version; remove or update
that replace so the module uses a secure version (e.g., v2.8.3 or later) instead
of v2.7.1+incompatible: edit the go.mod to delete or change the replace line
referencing github.com/docker/distribution and run go mod tidy to ensure
dependencies are resolved to the non-vulnerable release.
- Line 157: Update the k8s.io/kubernetes module pin in go.mod (currently
"k8s.io/kubernetes v1.29.2") to a patched 1.29.x release (e.g., v1.29.7 or
later) to address the reported HIGH severity CVEs, then run the Go tooling to
apply and verify the change (e.g., `go get k8s.io/kubernetes@v1.29.7`, followed
by `go mod tidy` and `go test`/build) so go.sum is updated and the project still
compiles/tests pass.

---

Nitpick comments:
In `@go.mod`:
- Line 191: The go.mod pins k8s.io/metrics to v0.32.0 while core k8s modules are
v0.35.5; inspect whether this downgrade is required by a transitive dependency
and if it's safe to align to v0.35.5. In the repo, check usage in pkg/metrics/*
and run go list -m all / go mod graph to find which module requires v0.32.0
(e.g., sigs.k8s.io/prow), attempt to update by running go get
k8s.io/metrics@v0.35.5 and go mod tidy, then build and run tests to confirm no
type/API breakage; if a transitive consumer prevents the bump, document that
dependency and keep the pin.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 76b6c04c-57c4-48f8-a89c-827a3173069b

📥 Commits

Reviewing files that changed from the base of the PR and between bea027f and 4bba3a9.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum, !go.sum

📒 Files selected for processing (5)

• cmd/ci-secret-bootstrap/main.go
• cmd/vault-subpath-proxy/kv_update_transport.go
• go.mod
• pkg/api/vault/vault.go
• pkg/lease/client_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/api/vault/vault.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/vault-subpath-proxy/kv_update_transport.go
• cmd/ci-secret-bootstrap/main.go

[hector-vido]

/test lint unit

[hector-vido]

/retest

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e

[openshift-ci]

@hector-vido: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.