
CORS-4423: GCP: Use WithCredentialsJSON when Possible #10624

Open
patrickdillon wants to merge 2 commits into openshift:main from patrickdillon:gcp-creds-json


@patrickdillon patrickdillon commented Jun 15, 2026

Contributor

Prior to this commit, using a GCP Service Account with a Key failed in scenarios where an alternate UNIVERSE_DOMAIN is needed. This updates the GCP auth to use option.WithCredentialsJSON, determine the universe domain and set it. Using option.WithCredentialsJSON is necessary because it uses a different authentication flow utilizing a self-signed JWT rather than oauth2. See more details in the commit message.

Summary by CodeRabbit

  • Refactor
    • Improved GCP authentication for Key Management and Cloud Monitoring by automatically selecting the appropriate credential method, including JSON-based service account support.
    • Ensures the correct universe domain is used when configured.
  • Bug Fixes
    • Added clearer, earlier error handling when credential options cannot be prepared, reducing confusing runtime failures.
  • Chores
    • Updated Google Cloud and related Go dependencies to newer versions.
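The self-signed JWT flow mentioned in the description, as an added example using only the Go standard library (it is not the installer's or the Google SDK's code): the token is signed locally from the key file and its audience is derived from the key's `universe_domain`, so no OAuth2 token endpoint is involved. The key file contents, the `example-universe.test` domain and all function names are constructed for illustration, and the `aud` claim form is an assumption based on Google's documented self-signed JWT layout for service accounts.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

// saKey holds the service account key file fields this example reads.
type saKey struct {
	Type           string `json:"type"`
	ClientEmail    string `json:"client_email"`
	PrivateKeyID   string `json:"private_key_id"`
	PrivateKey     string `json:"private_key"`
	UniverseDomain string `json:"universe_domain,omitempty"`
}

var b64 = base64.RawURLEncoding

// selfSignedJWT signs a token locally from credentials JSON. The audience is the
// API endpoint in the key's universe domain; no OAuth2 token endpoint is called.
func selfSignedJWT(creds []byte, service string, now time.Time) (string, error) {
	var k saKey
	if err := json.Unmarshal(creds, &k); err != nil {
		return "", fmt.Errorf("decode credentials JSON: %w", err)
	}
	if k.Type != "service_account" || k.PrivateKey == "" {
		return "", fmt.Errorf("credentials JSON has no service account private key")
	}
	if k.UniverseDomain == "" {
		k.UniverseDomain = "googleapis.com" // field absent: default universe
	}
	block, _ := pem.Decode([]byte(k.PrivateKey))
	if block == nil {
		return "", fmt.Errorf("private_key is not PEM encoded")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return "", fmt.Errorf("private_key is not a PKCS#8 RSA key")
	}
	aud := fmt.Sprintf("https://%s.%s/", service, k.UniverseDomain) // assumed aud form
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": k.PrivateKeyID})
	pl, _ := json.Marshal(map[string]any{"iss": k.ClientEmail, "sub": k.ClientEmail,
		"aud": aud, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	sum := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return signing + "." + b64.EncodeToString(sig), nil
}

// verifyJWT is the receiving side: check the RS256 signature, then read claims.
func verifyJWT(tok string, pub *rsa.PublicKey) (claims map[string]any, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, errSig := b64.DecodeString(parts[2])
	raw, errRaw := b64.DecodeString(parts[1])
	if errSig != nil || errRaw != nil {
		return nil, fmt.Errorf("malformed token encoding")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, err
	}
	err = json.Unmarshal(raw, &claims)
	return claims, err
}

// constructedKey builds a throwaway key file for the demo (constructed data).
func constructedKey(universe string) ([]byte, *rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	pemKey := string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	creds, _ := json.Marshal(saKey{"service_account", "installer@example.test", "constructed-kid", pemKey, universe})
	return creds, &key.PublicKey
}

func main() {
	creds, pub := constructedKey("example-universe.test")
	tok, signErr := selfSignedJWT(creds, "cloudkms", time.Now())
	claims, verifyErr := verifyJWT(tok, pub)
	fmt.Println(claims["aud"], signErr, verifyErr)
}
```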

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 15, 2026

openshift-ci-robot commented Jun 15, 2026

Contributor

@patrickdillon: This pull request references CORS-4509 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Prior to this commit, using a GCP Service Account with a Key failed in scenarios where an alternate UNIVERSE_DOMAIN is needed. The GCP SDK codepath for WithCredentialsJSON will correctly determine the Universe Domain, so we should call that whenever our credentials contain the private key.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented Jun 15, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

GCP credential option handling is centralized and reused by KMS and monitoring client setup. go.mod also updates multiple Google Cloud, golang.org/x, OpenTelemetry, gRPC, and related dependencies.

Changes

GCP credential handling and dependency refresh

Layer / File(s) | Summary
Shared credential options (pkg/asset/installconfig/gcp/services.go) | Builds client options from JSON-backed or fallback credentials, then appends a universe-domain option when needed.
KMS and monitoring client wiring (pkg/asset/installconfig/gcp/client.go, pkg/quota/gcp/gcp.go) | KMS and quota monitoring setup now call the shared helper and return wrapped errors when option construction fails.
Module version updates (go.mod) | Updates direct and indirect dependency versions across Google Cloud, golang.org/x, OpenTelemetry, gRPC, and related modules.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No test files or Ginkgo titles were changed; the PR only updates GCP credential/client code and go.mod.
Test Structure And Quality ✅ Passed No Ginkgo tests were changed; the PR only updates production GCP credential code and vendor deps.
Microshift Test Compatibility ✅ Passed The PR only changes GCP client/auth code and go.mod; no new Ginkgo e2e tests or MicroShift-unsafe OpenShift APIs were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No test files were modified; changes are limited to GCP credential code and dependency bumps, so SNO e2e compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Touched code only changes GCP credential/client options; no manifests, controllers, or scheduling constraints were introduced.
Ote Binary Stdout Contract ✅ Passed Touched files are library-only and contain no main/init/TestMain/suite setup or stdout logging calls.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only GCP auth/service/quota code and dependency updates changed; no new Ginkgo e2e tests or network assertions were added.
No-Weak-Crypto ✅ Passed Touched GCP files only adjust credential option plumbing; no MD5/SHA1/DES/RC4/ECB/custom crypto or secret/token comparisons appear.
Container-Privileges ✅ Passed Only Go code and go.mod changed; no container/K8s manifests or privilege settings (privileged, hostPID, allowPrivilegeEscalation, etc.) were introduced.
No-Sensitive-Data-In-Logs ✅ Passed No new logging was added; touched files only wrap errors and build GCP client options, with no log calls or secret-bearing messages.
Title check ✅ Passed The title matches the main change: GCP credential handling now prefers a JSON-based credentials path when possible.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
pkg/asset/installconfig/gcp/services.go (1)

62-71: ⚡ Quick win

Add nil guards for exported function.

CredentialOption is exported, so external callers could pass a nil *Session or a session with nil Credentials, causing a panic at ssn.Credentials.JSON. Internal callers all validate via GetSession() first, but defensive checks here prevent misuse.

Also, per coding guidelines, this new exported function in pkg/ needs unit test coverage.

Proposed nil guard
 func CredentialOption(ssn *Session) option.ClientOption {
+	if ssn == nil || ssn.Credentials == nil {
+		return nil
+	}
 	if len(ssn.Credentials.JSON) > 0 {
 		return option.WithCredentialsJSON(ssn.Credentials.JSON)
 	}
 	return option.WithCredentials(ssn.Credentials)
 }
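Review bot: The guard's `return nil` at the top of CredentialOption hands the caller a nil option.ClientOption and no error, so a nil Session or nil Credentials is only deferred to wherever that option is later used instead of being reported. Changing the signature to return (option.ClientOption, error) and returning an explicit error from the guard lets each call site fail at construction, and a unit test for the nil-session and nil-credentials cases would pin that behavior.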
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/asset/installconfig/gcp/services.go` around lines 62 - 71, The exported
function CredentialOption lacks defensive nil checks, so external callers
passing a nil *Session or a session with nil Credentials would cause a panic
when accessing ssn.Credentials.JSON. Add nil guard checks at the start of the
CredentialOption function to validate that both ssn and ssn.Credentials are not
nil, returning an appropriate zero value or error when either is nil.
Additionally, add unit test coverage in
pkg/asset/installconfig/gcp/services_test.go to verify the function handles
these nil input cases gracefully, as required for exported functions in pkg/.

Source: Coding guidelines


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7f9625b2-456f-41f3-8dc6-9a89d35bb56c

📥 Commits

Reviewing files that changed from the base of the PR and between e114840 and 47b89bd.

📒 Files selected for processing (3)
  • pkg/asset/installconfig/gcp/client.go
  • pkg/asset/installconfig/gcp/services.go
  • pkg/quota/gcp/gcp.go

@barbacbd barbacbd left a comment

Contributor


/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 15, 2026
Comment thread pkg/asset/installconfig/gcp/services.go Outdated

@tthvo tthvo left a comment

Member


/approve

@openshift-ci openshift-ci Bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Jun 16, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 16, 2026

openshift-ci Bot commented Jun 16, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tthvo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@patrickdillon

Contributor Author

/hold cancel

Updated to use the non-deprecated function. Still need to test again in gcd, but let's kick off the ci regression tests.

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 16, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 6-7: The go.mod file pins google.golang.org/api to version
v0.285.0, which does not exist and violates supply chain security guidelines.
Update the google.golang.org/api dependency to the latest stable version
v0.284.0 (released June 9, 2026) which is compatible with the KMS and Monitoring
library versions already specified (v1.26.0 and v1.24.3 respectively) and
supports the required functionality for universe domain configuration and
authentication.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 46d976ad-452b-42ba-83c9-4d4c613eef28

📥 Commits

Reviewing files that changed from the base of the PR and between 47b89bd and 472487b.

⛔ Files ignored due to path filters (296)
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/base.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/cel.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/cel.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/cel_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/config_source.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/config_source.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/event_service_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/event_service_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/extension.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/extension.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_method_list.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_method_list.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/grpc_service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/health_check.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/health_check.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_uri.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/http_uri.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/protocol.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/protocol.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/protocol_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/proxy_protocol.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/proxy_protocol.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/resolver.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/resolver.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_cmsg_headers.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_cmsg_headers.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_option.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/socket_option.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/substitution_format_string.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/substitution_format_string.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/udp_socket_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/core/v3/udp_socket_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint_components.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/endpoint_components.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/load_report.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3/load_report.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/api_listener.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/api_listener.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener_components.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener_components.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/listener_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/quic_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/quic_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/quic_config_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/udp_listener_config.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/listener/v3/udp_listener_config.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/metrics_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/metrics_service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/metrics_service_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/stats.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3/stats.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/overload/v3/overload.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/overload/v3/overload.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3/rbac.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3/rbac.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3/rbac_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_components.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_components.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_components_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/route_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/scoped_route.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/route/v3/scoped_route.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/tap/v3/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/tap/v3/common.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/datadog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/datadog.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/dynamic_ot.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/dynamic_ot.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/http_tracer.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/http_tracer.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/lightstep.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/lightstep.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/opentelemetry.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/opentelemetry.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/service.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/skywalking.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/skywalking.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/trace.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/xray.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/xray.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/zipkin.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/config/trace/v3/zipkin.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3/accesslog.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3/accesslog.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/aggregate/v3/cluster.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/aggregate/v3/cluster.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/fault/v3/fault.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/fault/v3/fault.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3/fault.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/fault/v3/fault.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3/rbac.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3/rbac.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3/router.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3/router.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3/router_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager_vtproto.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/common/v3/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/common/v3/common.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/least_request/v3/least_request.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/least_request/v3/least_request.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3/stream.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3/stream.pb.validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3/cert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
📒 Files selected for processing (4)
  • go.mod
  • pkg/asset/installconfig/gcp/client.go
  • pkg/asset/installconfig/gcp/services.go
  • pkg/quota/gcp/gcp.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • pkg/asset/installconfig/gcp/client.go
  • pkg/asset/installconfig/gcp/services.go
  • pkg/quota/gcp/gcp.go

Comment thread go.mod Outdated
@tthvo

tthvo commented Jun 16, 2026

Member

/test gcp-custom-endpoints-proxy-wif

@tthvo tthvo left a comment

Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 17, 2026
@patrickdillon

Contributor Author

/hold

https://pkg.go.dev/golang.org/x/oauth2/google#CredentialsFromJSONWithTypeAndParams
Actually seems like the best option

@openshift-ci openshift-ci Bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jun 23, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 24, 2026
@openshift-ci

openshift-ci Bot commented Jun 24, 2026

Contributor

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/asset/installconfig/gcp/services.go`:
- Around line 72-78: The JSON-backed auth branch in services.go is too
permissive because it trusts the caller-supplied type field and can pass
non-service-account configs into option.WithAuthCredentialsJSON. Update the
credential handling in the JSON check to only use option.WithAuthCredentialsJSON
when the parsed type is service_account and the JSON includes a non-empty
private_key; for all other cases, fall back to option.WithCredentials in the
same code path.
- Around line 83-96: CredentialOptions currently swallows GetUniverseDomain()
errors, which can hide non-default universe settings and fall back to
googleapis.com. Update CredentialOptions in both gcp/services.go and
gcp/client.go to return ([]option.ClientOption, error) instead of silently
ignoring lookup failures, and thread that error through getOptions and the
client/service creation callers so they fail fast with the universe-domain
error. Use the existing CredentialOptions and getOptions symbols to keep the
changes consistent across the two call paths.

Comment thread pkg/asset/installconfig/gcp/services.go Outdated
Comment thread pkg/asset/installconfig/gcp/services.go Outdated
@patrickdillon

Contributor Author

/test verify-vendor

Comment thread pkg/asset/installconfig/gcp/services.go
Comment thread pkg/asset/installconfig/gcp/services.go Outdated
PrivateKey string `json:"private_key"`
}
if json.Unmarshal(ssn.Credentials.JSON, &f) == nil && f.Type == option.ServiceAccount && f.PrivateKey != "" {
opts = append(opts, option.WithAuthCredentialsJSON(f.Type, ssn.Credentials.JSON))
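Review bot: on the `json.Unmarshal` line the parse error is compared to nil and then dropped, so malformed credential JSON takes the same silent path as a credential of another type. Capturing the error and logging or returning it before the fallback would make a wrong-branch selection diagnosable. Since the condition already requires `f.Type == option.ServiceAccount`, passing `option.ServiceAccount` rather than `f.Type` to `option.WithAuthCredentialsJSON` would also make explicit that no value read from the JSON selects the credential type.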

Member

There is another deprecated func in v0.36.0 with the same risk according to docs:

func (f *contentLoader) Load(ctx context.Context) (*googleoauth.Credentials, error) {
	return googleoauth.CredentialsFromJSON(ctx, []byte(f.content), compute.CloudPlatformScope)
}

Also, there are quite a few types here. Should we:

  • Parse the type from JSON
  • Validate that it is a known type
  • Optionally validate other fields (e.g. private_key)? It seems like the user's responsibility to check it instead of the installer?

Reference: https://github.com/argoproj/argo-cd/pull/27883/changes

Contributor Author

So I have been considering this, and added a comment in the commit message. The priority is for the installer to work in every auth manner supported by GCP. So given that, I'm not sure it is viable for us to authenticate the user creds. For standard installer users, we would not consider them externally provided credentials, but in the case where a system is built on top of the installer, such as managed services, that could potentially accept external credentials, in which case those layered applications would need to validate the credentials themselves.

@patrickdillon patrickdillon changed the title CORS-4509: GCP: Use WithCredentialsJSON when Possible CORS-4423: GCP: Use WithCredentialsJSON when Possible Jun 25, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 25, 2026

Contributor

@patrickdillon: This pull request references CORS-4423 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Prior to this commit, using a GCP Service Account with a Key failed in scenarios where an alternate UNIVERSE_DOMAIN is needed. The GCP SDK codepath for WithCredentialsJSON will correctly determine the Universe Domain, so we should call that whenever our credentials contain the private key.

Summary by CodeRabbit

  • Refactor
  • Improved GCP authentication for Cloud Monitoring and Key Management by selecting the most appropriate credential method, including support for JSON-based credentials when available.
  • Added more robust credential-option error handling during client setup.
  • Ensures requests use the correct universe domain when configured.
  • Chores
  • Updated Google Cloud and related Go dependencies to newer versions for upstream improvements and fixes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@patrickdillon

Contributor Author

/jira-refresh

@tthvo

tthvo commented Jul 1, 2026

Member

/jira refresh

@openshift-ci-robot

openshift-ci-robot commented Jul 1, 2026

Contributor

@tthvo: This pull request references CORS-4423 which is a valid jira issue.

Details

In response to this:

/jira refresh

@tthvo

tthvo commented Jul 1, 2026

Member

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

✅ Action performed

Full review finished.

@tthvo

tthvo commented Jul 1, 2026

Member

@coderabbitai Mind adjusting your PR summary based on Patrick's #10624 (comment)? The WithCredentialsJSON allows both recognizing non-default universe domain and self-signed JWTs (due to no oauth2 token endpoint in GCD).

@coderabbitai

coderabbitai Bot commented Jul 1, 2026


@tthvo Got it — I'll regenerate the summary to reflect that WithCredentialsJSON is used not just for recognizing a non-default universe domain, but also to enable self-signed JWTs, since GCD has no OAuth2 token endpoint.

Feedback to incorporate: In pkg/asset/installconfig/gcp/services.go, the CredentialOptions function's use of option.WithAuthCredentialsJSON (when a private key is present) should be described as serving two purposes: (1) correctly determining a non-default UNIVERSE_DOMAIN, and (2) enabling self-signed JWT authentication, since GCD (GCP Cloud Deploy target environment referenced in this context) has no OAuth2 token endpoint.


✏️ Learnings added
Learnt from: tthvo
URL: https://github.com/openshift/installer/pull/10624

Timestamp: 2026-07-01T20:34:15.811Z
Learning: In `pkg/asset/installconfig/gcp/services.go`, the `CredentialOptions` function uses `option.WithAuthCredentialsJSON` when credentials contain a private key (service account key), instead of `option.WithCredentials`. This is intentional for two reasons: (1) the GCP SDK's WithCredentialsJSON/WithAuthCredentialsJSON codepath correctly determines a non-default UNIVERSE_DOMAIN, and (2) it enables self-signed JWT authentication, which is required in environments like GCD (GCP-related target with no OAuth2 token endpoint). This context comes from PR `#10624` (CORS-4423) discussion between patrickdillon and tthvo.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

✅ Action performed

Summary regeneration triggered.

Updates GCP client initialization to support alternate universe
domains. option.WithCredentialsJSON is used to handle most auth
cases because it utilizes a different authentication flow using
a self-signed JWT which is sent directly to GCP/GCD, rather
than oauth2.

The oauth2 flow of option.WithCredentials is problematic for GCD
because service account keys (and other JSON creds), for some reason,
set their token uri to https://oauth2.apis-berlin-build0.goog/token,
an endpoint that doesn't exist; it is clearly documented in GCD
docs that oauth2 should still use googleapis. Nevertheless, the
option.WithCredentials will always use the token uri in the JSON
even when it is correct.

To get around this issue we use option.WithCredentialsJSON, which
does not need the oauth2 token endpoint at all. We fall back to
option.WithCredentials for authenticating via a service account
attached to a VM, in which case there is no JSON to parse.

Note that option.WithCredentialsJSON is deprecated in the GCP
package because if credentials are accepted from an external
source, there are potential vulnerabilities. See:

https://docs.cloud.google.com/docs/authentication/client-libraries#external-credentials

The installer is built to work under any circumstances as it serves
a diverse set of needs. Clients built on top of the installer may
accept external credentials, but it is up to those clients to
validate the inputs.
Until CAPG has built-in universe domain support, we can explicitly
set the universe domain as an environment variable.
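
The checks raised in the review thread (parse the type, validate it against known types, inspect private_key) together with the universe domain and token URI behaviour described in the commit message, as an added sketch that is not the installer's code. `Classify`, `Decision`, the type allowlist and the token_uri policy are assumptions for illustration, and the sample JSON is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// defaultUniverse is used when the credential JSON names no universe_domain.
const defaultUniverse = "googleapis.com"

// knownTypes is an illustrative allowlist of credential "type" values (assumption).
var knownTypes = map[string]bool{
	"service_account":              true,
	"authorized_user":              true,
	"external_account":             true,
	"impersonated_service_account": true,
}

var (
	ErrUnknownType = errors.New("unknown credential type")
	ErrTokenURI    = errors.New("token_uri not acceptable")
)

// credFile holds only the fields this check inspects.
type credFile struct {
	Type           string `json:"type"`
	PrivateKey     string `json:"private_key"`
	UniverseDomain string `json:"universe_domain"`
	TokenURI       string `json:"token_uri"`
}

// Decision is a hypothetical result type: what the caller should do next.
type Decision struct {
	Type           string
	UseJSONPath    bool   // true: pass the raw JSON to the JSON-based client option
	UniverseDomain string // universe domain to set on the client
}

// hostIn reports whether host equals domain or is a subdomain of it.
func hostIn(host, domain string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	domain = strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Classify parses credential JSON and fails closed on anything unexpected,
// returning errors instead of silently choosing a fallback.
func Classify(raw []byte) (Decision, error) {
	d := Decision{UniverseDomain: defaultUniverse}
	if len(raw) == 0 {
		return d, nil // no JSON (e.g. VM-attached service account): caller falls back
	}
	var f credFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return d, fmt.Errorf("parse credentials JSON: %w", err)
	}
	if !knownTypes[f.Type] {
		return d, fmt.Errorf("%w: %q", ErrUnknownType, f.Type)
	}
	d.Type = f.Type
	if f.UniverseDomain != "" {
		d.UniverseDomain = f.UniverseDomain
	}
	if f.TokenURI != "" {
		// Assumed policy: the token endpoint must be HTTPS and sit inside the
		// declared universe or the default one.
		u, err := url.Parse(f.TokenURI)
		if err != nil || u.Scheme != "https" {
			return d, fmt.Errorf("%w: %q", ErrTokenURI, f.TokenURI)
		}
		h := u.Hostname()
		if !hostIn(h, d.UniverseDomain) && !hostIn(h, defaultUniverse) {
			return d, fmt.Errorf("%w: host %q outside %q", ErrTokenURI, h, d.UniverseDomain)
		}
	}
	// Only a service account key with key material takes the JSON-based path.
	d.UseJSONPath = f.Type == "service_account" && f.PrivateKey != ""
	return d, nil
}

func main() {
	// Constructed samples; the key material is a placeholder, not a real key.
	samples := []string{
		`{"type":"service_account","private_key":"placeholder","universe_domain":"universe.example","token_uri":"https://oauth2.universe.example/token"}`,
		`{"type":"authorized_user","token_uri":"https://oauth2.googleapis.com/token"}`,
		`{"type":"service_account","private_key":"placeholder","token_uri":"https://tokens.other.example/token"}`,
		`{"type":"made_up_type"}`,
	}
	for _, s := range samples {
		d, err := Classify([]byte(s))
		fmt.Printf("%+v err=%v\n", d, err)
	}
}
```
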
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

@patrickdillon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-gcp-xpn-dedicated-dns-project | 40e300c | link | false | /test e2e-gcp-xpn-dedicated-dns-project |
| ci/prow/e2e-gcp-custom-endpoints | 40e300c | link | false | /test e2e-gcp-custom-endpoints |
| ci/prow/e2e-gcp-custom-dns | 40e300c | link | false | /test e2e-gcp-custom-dns |
| ci/prow/e2e-gcp-xpn-custom-dns | 40e300c | link | false | /test e2e-gcp-xpn-custom-dns |
| ci/prow/gcp-custom-endpoints-proxy-wif | 40e300c | link | false | /test gcp-custom-endpoints-proxy-wif |
| ci/prow/e2e-gcp-ovn-byo-vpc | 40e300c | link | false | /test e2e-gcp-ovn-byo-vpc |
| ci/prow/e2e-gcp-ovn-xpn | 40e300c | link | false | /test e2e-gcp-ovn-xpn |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

4 participants