Skip to content

CORS-4423: GCP: Use WithCredentialsJSON when Possible#10624

Open
patrickdillon wants to merge 3 commits into
openshift:mainfrom
patrickdillon:gcp-creds-json
Open

CORS-4423: GCP: Use WithCredentialsJSON when Possible#10624
patrickdillon wants to merge 3 commits into
openshift:mainfrom
patrickdillon:gcp-creds-json

Conversation

@patrickdillon

@patrickdillon patrickdillon commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Prior to this commit, using a GCP Service Account with a Key failed in scenarios where an alternate UNIVERSE_DOMAIN is needed. The GCP SDK codepath for WithCredentialsJSON will correctly determine the Universe Domain, so we should call that whenever our credentials contain the private key.

Summary by CodeRabbit

  • Refactor
    • Improved GCP authentication for Cloud Monitoring and Key Management by selecting the most appropriate credential method, including support for JSON-based credentials when available.
    • Added more robust credential-option error handling during client setup.
    • Ensures requests use the correct universe domain when configured.
  • Chores
    • Updated Google Cloud and related Go dependencies to newer versions for upstream improvements and fixes.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 15, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

@patrickdillon: This pull request references CORS-4509 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Prior to this commit, using a GCP Service Account with a Key failed in scenarios where an alternate UNIVERSE_DOMAIN is needed. The GCP SDK codepath for WithCredentialsJSON will correctly determine the Universe Domain, so we should call that whenever our credentials contain the private key.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

GCP client authentication now uses a shared helper that can select JSON-backed credentials, fallback credentials, and universe-domain options. Dependency versions are also updated in go.mod.

Changes

GCP credential options and dependency updates

Layer / File(s) Summary
Shared credential helper
pkg/asset/installconfig/gcp/services.go
Parses raw credential JSON, selects client options, and returns universe-domain errors from the shared helper.
Client wiring to shared options
pkg/asset/installconfig/gcp/client.go, pkg/quota/gcp/gcp.go
KMS client creation and quota metrics client setup now call the shared credential helper and propagate its errors.
Module version updates
go.mod
Updates direct and indirect Google Cloud, golang.org/x, OpenTelemetry, gRPC, and related dependency versions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No test files or Ginkgo titles were changed; the PR only updates GCP credential/client code and go.mod.
Test Structure And Quality ✅ Passed No Ginkgo tests were changed; the PR only updates production GCP credential code and vendor deps.
Microshift Test Compatibility ✅ Passed The PR only changes GCP client/auth code and go.mod; no new Ginkgo e2e tests or MicroShift-unsafe OpenShift APIs were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No test files were modified; changes are limited to GCP credential code and dependency bumps, so SNO e2e compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Touched code only changes GCP credential/client options; no manifests, controllers, or scheduling constraints were introduced.
Ote Binary Stdout Contract ✅ Passed Touched files are library-only and contain no main/init/TestMain/suite setup or stdout logging calls.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only GCP auth/service/quota code and dependency updates changed; no new Ginkgo e2e tests or network assertions were added.
No-Weak-Crypto ✅ Passed Touched GCP files only adjust credential option plumbing; no MD5/SHA1/DES/RC4/ECB/custom crypto or secret/token comparisons appear.
Container-Privileges ✅ Passed Only Go code and go.mod changed; no container/K8s manifests or privilege settings (privileged, hostPID, allowPrivilegeEscalation, etc.) were introduced.
No-Sensitive-Data-In-Logs ✅ Passed No new logging was added; touched files only wrap errors and build GCP client options, with no log calls or secret-bearing messages.
Title check ✅ Passed The title matches the main change: GCP credential handling now prefers a JSON-based credentials path when possible.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
pkg/asset/installconfig/gcp/services.go (1)

62-71: ⚡ Quick win

Add nil guards for exported function.

CredentialOption is exported, so external callers could pass a nil *Session or a session with nil Credentials, causing a panic at ssn.Credentials.JSON. Internal callers all validate via GetSession() first, but defensive checks here prevent misuse.

Also, per coding guidelines, this new exported function in pkg/ needs unit test coverage.

Proposed nil guard
 func CredentialOption(ssn *Session) option.ClientOption {
+	if ssn == nil || ssn.Credentials == nil {
+		return nil
+	}
 	if len(ssn.Credentials.JSON) > 0 {
 		return option.WithCredentialsJSON(ssn.Credentials.JSON)
 	}
 	return option.WithCredentials(ssn.Credentials)
 }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/asset/installconfig/gcp/services.go` around lines 62 - 71, The exported
function CredentialOption lacks defensive nil checks, so external callers
passing a nil *Session or a session with nil Credentials would cause a panic
when accessing ssn.Credentials.JSON. Add nil guard checks at the start of the
CredentialOption function to validate that both ssn and ssn.Credentials are not
nil, returning an appropriate zero value or error when either is nil.
Additionally, add unit test coverage in
pkg/asset/installconfig/gcp/services_test.go to verify the function handles
these nil input cases gracefully, as required for exported functions in pkg/.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/asset/installconfig/gcp/services.go`:
- Around line 62-71: The exported function CredentialOption lacks defensive nil
checks, so external callers passing a nil *Session or a session with nil
Credentials would cause a panic when accessing ssn.Credentials.JSON. Add nil
guard checks at the start of the CredentialOption function to validate that both
ssn and ssn.Credentials are not nil, returning an appropriate zero value or
error when either is nil. Additionally, add unit test coverage in
pkg/asset/installconfig/gcp/services_test.go to verify the function handles
these nil input cases gracefully, as required for exported functions in pkg/.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7f9625b2-456f-41f3-8dc6-9a89d35bb56c

📥 Commits

Reviewing files that changed from the base of the PR and between e114840 and 47b89bd.

📒 Files selected for processing (3)
  • pkg/asset/installconfig/gcp/client.go
  • pkg/asset/installconfig/gcp/services.go
  • pkg/quota/gcp/gcp.go

@barbacbd barbacbd left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 15, 2026
Comment thread pkg/asset/installconfig/gcp/services.go Outdated

@tthvo tthvo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@openshift-ci openshift-ci Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Jun 16, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 16, 2026
@openshift-ci

openshift-ci Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tthvo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/hold cancel

Updated to use the non-deprecated function. Still need to test again in gcd, but let's kick off the ci regression tests.

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 16, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 6-7: The go.mod file pins google.golang.org/api to version
v0.285.0, which does not exist and violates supply chain security guidelines.
Update the google.golang.org/api dependency to the latest stable version
v0.284.0 (released June 9, 2026) which is compatible with the KMS and Monitoring
library versions already specified (v1.26.0 and v1.24.3 respectively) and
supports the required functionality for universe domain configuration and
authentication.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 46d976ad-452b-42ba-83c9-4d4c613eef28

📥 Commits

Reviewing files that changed from the base of the PR and between 47b89bd and 472487b.

⛔ Files ignored due to path filters (296)
  • go.sum is excluded by !**/*.sum
  • vendor/cloud.google.com/go/.release-please-manifest-individual.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/.release-please-manifest-submodules.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/.release-please-manifest.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/httptransport/httptransport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/httptransport/transport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/jwt/jwt.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/go.work is excluded by !**/*.work, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/go.work.sum is excluded by !**/*.sum, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/.repo-metadata.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/autokey_admin_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/autokey_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/auxiliary.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/ekm_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/hsm_management_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/key_management_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_admin_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/autokey_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/ekm_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/hsm_management.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/hsm_management_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/resources.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/apiv1/kmspb/service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/kms/internal/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/longrunning/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/longrunning/autogen/.repo-metadata.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/longrunning/autogen/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/longrunning/autogen/longrunningpb/operations_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/longrunning/autogen/operations_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/release-please-config-individual.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/release-please-config-yoshi-submodules.json is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/udpa/annotations/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/udpa/annotations/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/udpa/annotations/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/udpa/annotations/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/udpa/annotations/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/udpa/type/v1/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/annotations/v3/migrate.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/annotations/v3/security.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/annotations/v3/sensitive.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/annotations/v3/status.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/annotations/v3/versioning.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/authority.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/cidr.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/collection_entry.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/context_params.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/extension.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/resource.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/resource_locator.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/core/v3/resource_name.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/data/orca/v3/orca_load_report.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/service/orca/v3/orca_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/domain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/http_inputs.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/ip.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/matcher.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/regex.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/matcher/v3/string.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/v3/range.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/cncf/xds/go/xds/type/v3/typed_struct.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/certs.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/certs.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/clusters.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/clusters.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump_shared.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/config_dump_shared.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/init_dump.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/init_dump.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/listeners.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/listeners.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/memory.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/memory.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/metrics.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/metrics.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/mutex_stats.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/mutex_stats.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/server_info.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/server_info.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/server_info_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/tap.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/admin/v3/tap.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/annotations/deprecation.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/annotations/resource.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/annotations/resource.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3/accesslog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3/accesslog.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3/bootstrap.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3/bootstrap.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3/bootstrap_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/circuit_breaker.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/circuit_breaker.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/cluster.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/cluster.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/cluster_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/filter.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/filter.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/outlier_detection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3/outlier_detection.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/common/matcher/v3/matcher.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/common/matcher/v3/matcher.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3/mutation_rules.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3/mutation_rules.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/address.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/address.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/backoff.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/backoff.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/base.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/base.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/cel.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/cel_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/config_source.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/config_source.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/event_service_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/event_service_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/extension.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/extension.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_method_list.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_method_list.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/health_check.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/health_check.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_uri.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_uri.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/protocol.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/protocol.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/protocol_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/proxy_protocol.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/proxy_protocol.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/resolver.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/resolver.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_cmsg_headers.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_cmsg_headers.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_option.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_option.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/substitution_format_string.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/substitution_format_string.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/udp_socket_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/udp_socket_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint_components.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint_components.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/load_report.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/load_report.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/api_listener.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/api_listener.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener_components.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener_components.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/quic_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/quic_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/quic_config_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/udp_listener_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/udp_listener_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/metrics_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/metrics_service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/metrics_service_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/stats.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/stats.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/overload/v3/overload.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/overload/v3/overload.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3/rbac.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3/rbac.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3/rbac_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_components.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_components.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_components_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/scoped_route.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/scoped_route.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/tap/v3/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/tap/v3/common.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/datadog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/datadog.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/dynamic_ot.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/dynamic_ot.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/http_tracer.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/http_tracer.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/lightstep.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/lightstep.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/opentelemetry.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/opentelemetry.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/skywalking.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/skywalking.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/trace.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/xray.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/xray.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/zipkin.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/zipkin.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3/accesslog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3/accesslog.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/aggregate/v3/cluster.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/aggregate/v3/cluster.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/fault/v3/fault.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/fault/v3/fault.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3/fault.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3/fault.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3/rbac.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3/rbac.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3/router.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3/router.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3/router_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/common/v3/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/common/v3/common.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/least_request/v3/least_request.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/least_request/v3/least_request.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3/stream.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3/stream.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3/cert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
📒 Files selected for processing (4)
  • go.mod
  • pkg/asset/installconfig/gcp/client.go
  • pkg/asset/installconfig/gcp/services.go
  • pkg/quota/gcp/gcp.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • pkg/asset/installconfig/gcp/client.go
  • pkg/asset/installconfig/gcp/services.go
  • pkg/quota/gcp/gcp.go

Comment thread go.mod
@tthvo

tthvo commented Jun 16, 2026

Copy link
Copy Markdown
Member

/test gcp-custom-endpoints-proxy-wif

@tthvo tthvo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 17, 2026
@patrickdillon

Copy link
Copy Markdown
Contributor Author

/hold

https://pkg.go.dev/golang.org/x/oauth2/google#CredentialsFromJSONWithTypeAndParams
Actually seems like the best option

@openshift-ci openshift-ci Bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 23, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 24, 2026
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/asset/installconfig/gcp/services.go`:
- Around line 72-78: The JSON-backed auth branch in services.go is too
permissive because it trusts the caller-supplied type field and can pass
non-service-account configs into option.WithAuthCredentialsJSON. Update the
credential handling in the JSON check to only use option.WithAuthCredentialsJSON
when the parsed type is service_account and the JSON includes a non-empty
private_key; for all other cases, fall back to option.WithCredentials in the
same code path.
- Around line 83-96: CredentialOptions currently swallows GetUniverseDomain()
errors, which can hide non-default universe settings and fall back to
googleapis.com. Update CredentialOptions in both gcp/services.go and
gcp/client.go to return ([]option.ClientOption, error) instead of silently
ignoring lookup failures, and thread that error through getOptions and the
client/service creation callers so they fail fast with the universe-domain
error. Use the existing CredentialOptions and getOptions symbols to keep the
changes consistent across the two call paths.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread pkg/asset/installconfig/gcp/services.go
Comment thread pkg/asset/installconfig/gcp/services.go Outdated
@patrickdillon

Copy link
Copy Markdown
Contributor Author

/test verify-vendor

Prior to this commit, authenticating in
alternate universe domains would fail, because default googleapis.com
would be used instead of the alternate universe domain.

This commit uses the latest packages to include the WithAuthCredentialsJSON
function to be compatible with non-default universe domains.
vendors the latest version of the gcp go sdk api package to include
updated authentication packages.
go mod tidy && go mod vendor
Comment on lines +86 to +92
ud, err := ssn.Credentials.GetUniverseDomain()
if err != nil {
return nil, fmt.Errorf("failed to get universe domain: %w", err)
}
if ud != "googleapis.com" {
opts = append(opts, option.WithUniverseDomain(ud))
}

@tthvo tthvo Jun 24, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, our goal is to pick up the universe domain in the SA credential file. If we're able to call ssn.Credentials.GetUniverseDomain() and set WithUniverseDomain explicitly, then we can simply continue to use WithCredentials, right?

options := []option.ClientOption{
    option.WithCredentials(ssn.Credentials),
}
ud, err := ssn.Credentials.GetUniverseDomain()
if err != nil {
    return nil, fmt.Errorf("failed to get universe domain: %w", err)
}
if ud != "googleapis.com" {
    options = append(options, option.WithUniverseDomain(ud))
}

@tthvo tthvo Jun 24, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ran a quick check with the code above and a mock JSON:

{
  "type": "service_account",
  "project_id": "redacted-id",
  "private_key_id": "redacted-private-key-id",
  "private_key": "redacted-key",
  "client_email": "redacted-email",
  "client_id": "redacted",
  "auth_uri": "redacted-auth-url",
  "token_uri": "redacted-token-url",
  "auth_provider_x509_cert_url": "redacted-url",
  "client_x509_cert_url": "redacted-url",
  "universe_domain": "cloud.berlin-build0.goog" <-- setting to GCD domain
}
$ GOOGLE_APPLICATION_CREDENTIALS=$PWD/tmp.json ./openshift-install create manifests
INFO Credentials loaded from environment variable "GOOGLE_APPLICATION_CREDENTIALS", file "./tmp.json" 
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: failed to find project permissions: failed to get Iam permissions:
Post "https://cloudresourcemanager.cloud.berlin-build0.goog/v3/projects/openshift-dev-installer:testIamPermissions?alt=json&prettyPrint=false": private key should be a PEM or plain PKCS1 or PKCS8; parse error: asn1: structure error: tags don't match (16 vs {class:1 tag:18 length:101 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pkcs1PrivateKey @2 

Or via env var:

$ GOOGLE_CLOUD_UNIVERSE_DOMAIN=s3nsapis.fr ./openshift-install create manifests
INFO Credentials loaded from gcloud CLI defaults  
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: failed to find project permissions: failed to get Iam permissions:
Post "https://cloudresourcemanager.s3nsapis.fr/v3/projects/openshift-dev-installer:testIamPermissions?alt=json&prettyPrint=false": the configured universe domain ("s3nsapis.fr") does not match the universe domain found in the credentials ("googleapis.com"). If you haven't configured the universe domain explicitly, "googleapis.com" is the default 

It looks like the GCP SDK is making the request using the correct universe domain 🤔

PrivateKey string `json:"private_key"`
}
if json.Unmarshal(ssn.Credentials.JSON, &f) == nil && f.Type == option.ServiceAccount && f.PrivateKey != "" {
opts = append(opts, option.WithAuthCredentialsJSON(f.Type, ssn.Credentials.JSON))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is another deprecated func in v0.36.0 with the same risk according to docs:

func (f *contentLoader) Load(ctx context.Context) (*googleoauth.Credentials, error) {
return googleoauth.CredentialsFromJSON(ctx, []byte(f.content), compute.CloudPlatformScope)
}

Also , there are quite a few types here. Should we:

  • Parse the type from JSON
  • Validate that it is a known type
  • Optionally validate other fields (e.g. private_key)? It seems like user's responsibility to check it instead of the installer?

Reference: https://github.com/argoproj/argo-cd/pull/27883/changes

@openshift-ci

openshift-ci Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@patrickdillon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/gcp-private be15709 link false /test gcp-private
ci/prow/e2e-gcp-xpn-dedicated-dns-project be15709 link false /test e2e-gcp-xpn-dedicated-dns-project
ci/prow/e2e-gcp-xpn-custom-dns be15709 link false /test e2e-gcp-xpn-custom-dns
ci/prow/e2e-gcp-ovn be15709 link true /test e2e-gcp-ovn
ci/prow/e2e-gcp-ovn-xpn be15709 link false /test e2e-gcp-ovn-xpn
ci/prow/e2e-gcp-default-config be15709 link false /test e2e-gcp-default-config
ci/prow/gcp-custom-endpoints-proxy-wif be15709 link false /test gcp-custom-endpoints-proxy-wif
ci/prow/e2e-gcp-custom-endpoints be15709 link false /test e2e-gcp-custom-endpoints
ci/prow/golint be15709 link true /test golint
ci/prow/e2e-gcp-ovn-byo-vpc be15709 link false /test e2e-gcp-ovn-byo-vpc
ci/prow/e2e-gcp-custom-dns be15709 link false /test e2e-gcp-custom-dns
ci/prow/e2e-gcp-secureboot be15709 link false /test e2e-gcp-secureboot

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@patrickdillon patrickdillon changed the title CORS-4509: GCP: Use WithCredentialsJSON when Possible CORS-4423: GCP: Use WithCredentialsJSON when Possible Jun 25, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@patrickdillon: This pull request references CORS-4423 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Prior to this commit, using a GCP Service Account with a Key failed in scenarios where an alternate UNIVERSE_DOMAIN is needed. The GCP SDK codepath for WithCredentialsJSON will correctly determine the Universe Domain, so we should call that whenever our credentials contain the private key.

Summary by CodeRabbit

  • Refactor
  • Improved GCP authentication for Cloud Monitoring and Key Management by selecting the most appropriate credential method, including support for JSON-based credentials when available.
  • Added more robust credential-option error handling during client setup.
  • Ensures requests use the correct universe domain when configured.
  • Chores
  • Updated Google Cloud and related Go dependencies to newer versions for upstream improvements and fixes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@patrickdillon

Copy link
Copy Markdown
Contributor Author

/jira-refresh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants