Skip to content

NO-ISSUE: Synchronize From Upstream Repositories#1338

Open
openshift-bot wants to merge 5 commits into
openshift:mainfrom
openshift-bot:synchronize-upstream
Open

NO-ISSUE: Synchronize From Upstream Repositories#1338
openshift-bot wants to merge 5 commits into
openshift:mainfrom
openshift-bot:synchronize-upstream

Conversation

@openshift-bot

@openshift-bot openshift-bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

The staging/ and vendor/ directories have been synchronized from the upstream repositories, pulling in the following commits:

Date Commit Author Message
2026-07-14 06:41:26 operator-framework/operator-lifecycle-manager@396954f dependabot[bot] 🌱 Bump golang.org/x/sync from 0.21.0 to 0.22.0 (#3870)
2026-07-14 06:46:57 operator-framework/operator-lifecycle-manager@fdd5594 dependabot[bot] 🌱 Bump github.com/prometheus/common from 0.69.0 to 0.70.0 (#3869)
2026-07-14 10:46:25 operator-framework/operator-lifecycle-manager@a4f060a dependabot[bot] 🌱 Bump golang.org/x/net from 0.56.0 to 0.57.0 (#3868)
2026-07-15 10:15:40 operator-framework/operator-lifecycle-manager@174dccd Jordan Keister deploy/chart: add static NetworkPolicies for CatalogSource gRPC ingress and bundle unpack egress (#3863)
2026-07-15 21:14:14 operator-framework/operator-lifecycle-manager@b0123be Chiman Jain Migrate deprecated gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#3865)

This pull request is expected to merge without any human intervention. If tests are failing here, changes must land upstream to fix any issues so that future downstreaming efforts succeed.

/assign @openshift/openshift-team-operator-runtime

@openshift-bot openshift-bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. labels Jul 15, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 15, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@openshift-bot: This pull request explicitly references no jira issue.

Details

In response to this:

The staging/ and vendor/ directories have been synchronized from the upstream repositories, pulling in the following commits:

Date Commit Author Message
2026-07-14 06:41:26 operator-framework/operator-lifecycle-manager@396954f dependabot[bot] 🌱 Bump golang.org/x/sync from 0.21.0 to 0.22.0 (#3870)
2026-07-14 06:46:57 operator-framework/operator-lifecycle-manager@fdd5594 dependabot[bot] 🌱 Bump github.com/prometheus/common from 0.69.0 to 0.70.0 (#3869)
2026-07-14 10:46:25 operator-framework/operator-lifecycle-manager@a4f060a dependabot[bot] 🌱 Bump golang.org/x/net from 0.56.0 to 0.57.0 (#3868)

This pull request is expected to merge without any human intervention. If tests are failing here, changes must land upstream to fix any issues so that future downstreaming efforts succeed.

/assign @openshift/openshift-team-operator-runtime

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Walkthrough

Updated Prometheus and golang.org/x dependency versions, reclassified YAML dependencies, switched the CPB YAML import, and added OLM catalog ingress and bundle-unpack egress policies to static and templated manifests. Test formatting was also updated without behavior changes.

Changes

OLM dependency and network policy updates

Layer / File(s) Summary
Dependency declarations and YAML import
go.mod, staging/operator-lifecycle-manager/go.mod, staging/operator-lifecycle-manager/util/cpb/main.go
Updated Prometheus and golang.org/x versions, moved gopkg.in/yaml.v3 to indirect use, added go.yaml.in/yaml/v3, and updated the CPB import.
Network policy resources
manifests/..., microshift-manifests/..., staging/operator-lifecycle-manager/deploy/chart/templates/...
Added catalog gRPC ingress on port 50051 and unrestricted bundle-unpack egress policies.
Operator test formatting
staging/operator-lifecycle-manager/pkg/controller/operators/catalog/operator_test.go
Reformatted imports, test cases, fake operator setup, and whitespace without changing behavior.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Suggested reviewers: joelanford, tmshort, chimanjain, perdasilva, rashmigottipati

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No changed Ginkgo titles were found, and all t.Run names in the modified test file are static literals without dynamic data.
Test Structure And Quality ✅ Passed PASS: The only test-file changes are formatting/import reordering in a non-Ginkgo testing.T suite; no Describe/It/Eventually blocks or behavioral changes were introduced.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the test-file changes are formatting/import-only, so no MicroShift-incompatible test coverage was introduced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the touched test file only has formatting/import updates in standard Go tests.
Topology-Aware Scheduling Compatibility ✅ Passed No topology-sensitive scheduling constraints were introduced; the changes are NetworkPolicies, dependency bumps, and YAML import migration only.
Ote Binary Stdout Contract ✅ Passed PASS: The only change in the process-level binary file is a YAML import swap; no new stdout writes were added in main/init/TestMain/BeforeSuite setup.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the only test file changes are formatting-only, and no new IPv4 or external-connectivity assumptions appear in the diff.
No-Weak-Crypto ✅ Passed Touched files only update deps, YAML import, tests, and NetworkPolicies; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret comparisons found.
Container-Privileges ✅ Passed The changed YAML files are NetworkPolicies only; none add privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed Changed hunks only update imports/formatting/manifests; no new logging or secret-bearing fields were added, and changed lines contain no sensitive keywords.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the upstream synchronization and matches the main change in the pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci
openshift-ci Bot requested review from joelanford and tmshort July 15, 2026 00:08
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: openshift-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
@openshift-ci

openshift-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: openshift-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@perdasilva

Copy link
Copy Markdown
Contributor

/retest

dependabot Bot and others added 5 commits July 16, 2026 00:05
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.21.0 to 0.22.0.
- [Commits](golang/sync@v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-version: 0.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: 396954f2ceb5cc5e68ee364fb161525c05390b9e
Bumps [github.com/prometheus/common](https://github.com/prometheus/common) from 0.69.0 to 0.70.0.
- [Release notes](https://github.com/prometheus/common/releases)
- [Changelog](https://github.com/prometheus/common/blob/main/CHANGELOG.md)
- [Commits](prometheus/common@v0.69.0...v0.70.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/common
  dependency-version: 0.70.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: fdd559459e09fce51148f8662f452018b55ea513
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.56.0 to 0.57.0.
- [Commits](golang/net@v0.56.0...v0.57.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.57.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: a4f060a9b8a125234a14099bb0f834219b5598eb
…ss and bundle unpack egress (#3863)

* deploy/chart: add static NetworkPolicies for CatalogSource gRPC ingress and bundle unpack egress

The Helm chart's default-deny-all-traffic policy blocked two critical
traffic paths that are not covered by the existing static NetworkPolicies:

1. CatalogSource registry pods need to accept inbound gRPC connections on
   port 50051 from within the cluster. The catalog-operator reconciler
   already creates per-CatalogSource NetworkPolicies for this, but there
   is a bootstrapping gap between when default-deny-all-traffic is applied
   and when the controller first reconciles each CatalogSource.

2. Bundle-unpack Job pods need egress to reach the Kubernetes API server
   and container registries. The API server port is not statically
   specifiable because it varies across Kubernetes implementations, so a
   wildcard egress rule is used.

Adds two new NetworkPolicies to the chart:
- catalog-source-grpc-server: selects all pods carrying the
  olm.catalogSource label and allows ingress on the gRPC port.
- bundle-unpack-egress: selects all pods carrying both the
  olm.managed=true and operatorframework.io/bundle-unpack-ref labels and
  allows unrestricted egress.

Fixes: operator-framework/operator-lifecycle-manager#3676

Signed-off-by: grokspawn <jordan@nimblewidget.com>

* deploy/chart: use catalog_namespace for CatalogSource and bundle-unpack NPs

CatalogSource registry pods and bundle-unpack Jobs run in the namespace
determined by .Values.catalog_namespace, not .Values.namespace. When a
user overrides catalog_namespace to differ from namespace, the
NetworkPolicies must be created in catalog_namespace to actually apply
to those pods.

Fixes review feedback on #3863.

Signed-off-by: grokspawn <jordan@nimblewidget.com>

---------

Signed-off-by: grokspawn <jordan@nimblewidget.com>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: 174dccd0bd85f25fa9671839bbb21dc3a23cffc6
* chore: migrate deprecated gopkg.in/yaml.v3 to go.yaml.in/yaml/v3

Signed-off-by: Chiman Jain <chimanjain15@gmail.com>

* chore: run go mod tidy

Signed-off-by: Chiman Jain <chimanjain15@gmail.com>

---------

Signed-off-by: Chiman Jain <chimanjain15@gmail.com>
Upstream-repository: operator-lifecycle-manager
Upstream-commit: b0123beceac05a5d08b6d5734b1b7772a4fda921
@openshift-bot
openshift-bot force-pushed the synchronize-upstream branch from 636c4d3 to 0711859 Compare July 16, 2026 00:08
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 16, 2026
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

New changes are detected. LGTM label has been removed.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-console-olm 0711859 link true /test e2e-gcp-console-olm
ci/prow/e2e-gcp-olm 0711859 link true /test e2e-gcp-olm
ci/prow/okd-scos-images 0711859 link true /test okd-scos-images
ci/prow/e2e-gcp-ovn 0711859 link true /test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-bot openshift-bot added the lgtm Indicates that a PR is ready to be merged. label Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants