CNTRLPLANE-3380: Merge https://github.com/kubernetes-sigs/apiserver-network-proxy:master (588e629) into main by bryan-cox · Pull Request #109 · openshift/apiserver-network-proxy

bryan-cox · 2026-05-18T13:12:50Z

Summary by CodeRabbit

New Features
- Added --graceful-shutdown-timeout CLI flag to configure graceful shutdown behavior for the proxy.
Dependencies
- Updated Go toolchain to 1.25.0/1.26.2.
- Updated golangci-lint to 2.9.0.
- Upgraded multiple core dependencies including gRPC, Kubernetes modules, and OpenTelemetry libraries.

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Introduce a `sync.Pool` to reuse read buffers in the `ServeHTTP` handler for the http-connect mode. Previously, a new 32KB buffer was allocated for every hijacked connection, causing high GC pressure in high-throughput scenarios. By pooling and reusing these buffers, we significantly reduce the number of memory allocations, which improves CPU usage and lowers request latency by decreasing the impact of garbage collection. Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8 to 9. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v8...v9) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

if leaseController is enabled and graceful shutdown is enabled as well, without this lease controller will terminate while the servers would continue to shutdown gracefully. Potentially causing a situtaion where the leases will be deleted while the existing connections are still served upto shutdown point. Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Replace 'intialized' with 'initialized' in log message

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4...v6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 5 to 7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v5...v7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

…t/github_actions/actions/upload-artifact-6 chore(deps): bump actions/upload-artifact from 4 to 6

…for-http-connect http-connect: reduce memory allocations

…t/github_actions/golangci/golangci-lint-action-9 chore(deps): bump golangci/golangci-lint-action from 8 to 9

…t/github_actions/actions/checkout-6 chore(deps): bump actions/checkout from 5 to 6

…t/github_actions/actions/download-artifact-7 chore(deps): bump actions/download-artifact from 5 to 7

…rmination-for-server Graceful termination for server

…ajor fix: add missing ProtoMajor in response

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

This commit adds a fallback in the case where all the agents in system are draining. Rather than drop the request with error, we fallback to the existing behavior i.e continue to the send the request to the agent even if its draining. As for the agent side issue, if the agent has sent the DRAIN signal to the server, ideally it should stop doing the syncOnce with the server. This mistakes the server the agent is back ready. Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v7...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v6...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

…erver-agent-draining implement server agent draining

…t/github_actions/actions/upload-artifact-7 chore(deps): bump actions/upload-artifact from 6 to 7

…t/github_actions/actions/download-artifact-8 chore(deps): bump actions/download-artifact from 7 to 8

prompt: Please upgrade the go.mod in this directory to match https://github.com/kubernetes/kubernetes/blob/release-1.33/go.mod Added agent.md to help correct ML based upgrades.

Adding full sha to git commands.

Updated konnectivity-client dependencies

coderabbitai · 2026-05-18T13:13:10Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Walkthrough

This PR introduces graceful shutdown timeout support for the proxy server, updates Go to 1.25.0 with dependency refreshes, hardens GitHub Actions workflows through commit SHA pinning, upgrades Kubernetes test versions, and updates the konnectivity-client module independently.

Changes

Graceful Shutdown, Build Infrastructure, and CI/CD Updates

Layer / File(s)	Summary
Graceful shutdown timeout option contract `cmd/server/app/options/options.go`	New `GracefulShutdownTimeout` field added to `ProxyRunOptions` with `--graceful-shutdown-timeout` CLI flag, validation enforcing non-negative values, default zero initialization, and logging integration.
Graceful shutdown option tests `cmd/server/app/options/options_test.go`	Tests assert default value of zero, validate rejection of negative durations with formatted error messages, and support duration values in reflection-based test field setting.
Graceful shutdown server implementation `cmd/server/app/server.go`	`StopFunc` type refactored to context-aware error-returning signature. Shutdown logic conditionally performs immediate (timeout=0) or graceful (timeout>0) shutdown using `WaitGroup` and goroutines for component coordination. Frontend stop functions (UDS and mTLS gRPC/HTTP) updated to new contract. Lease controller lifecycle managed via outer-scoped variable.
Go toolchain and build configuration updates `Makefile`, `.github/workflows/golangci-lint.yaml`, `go.mod`	Go version bumped to 1.25.0 (main) and 1.26.2 (Makefile), golangci-lint to 2.9.0. Makefile `test` target refactored to compute filtered test package list from `go list -test` and run coverage on computed list.
GitHub Actions and CI/CD security hardening `.github/workflows/e2e.yaml`, `.github/dependabot.yml`, `cloudbuild.yaml`	Actions pinned to commit SHAs for checkout, setup-go, artifact operations, and golangci-lint-action. E2E Kubernetes versions updated to v1.33.7/v1.34.3/v1.35.1. Dependabot excludes `konnectivity-client/**` from updates and changes interval to daily. Cloud Build image updated to digest-pinned reference.
Konnectivity-client module and documentation `konnectivity-client/go.mod`, `konnectivity-client/agent.md`	Konnectivity-client Go updated to 1.24.0 with refreshed dependencies (Prometheus, goleak, grpc, protobuf, klog, otel). New `agent.md` documents library usage, Kubernetes version alignment, and mutation restrictions.
Minor formatting fix `cmd/test-client/main.go`	Test client options logging uses integer format (`%d`) instead of quoted format (`%q`) for `TestRequests`.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Repository uses Go testing, not Ginkgo. All test names are static and descriptive with no dynamic content. Check not applicable to this codebase.
Test Structure And Quality	✅ Passed	This PR contains no Ginkgo test code. The modified test file uses standard Go testing package, not Ginkgo, making the custom check not applicable.
Microshift Test Compatibility	✅ Passed	This PR does not add Ginkgo e2e tests. Repository uses standard Go testing and sigs.k8s.io/e2e-framework, not Ginkgo. Check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The custom check for SNO e2e test compatibility is not applicable—only unit tests and configuration changes are present.
Topology-Aware Scheduling Compatibility	✅ Passed	No deployment manifests, operator code, or controllers with scheduling constraints were added or modified. Changes are limited to build, dependencies, and shutdown functionality.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations found. All process-level code uses klog (writes to stderr by default). No fmt.Print calls to stdout detected. Format specifier fix in test-client is safe.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. Changes consist of configuration updates, build system changes, module version bumps, and unit tests. The check is not applicable.
Title check	✅ Passed	The title accurately describes the main change—merging upstream commits from kubernetes-sigs/apiserver-network-proxy into the main branch, which aligns with all the file changes shown (dependency updates, workflow improvements, new feature addition).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/server/app/server.go`:
- Around line 191-210: The frontendStop functions currently only perform
graceful shutdown (e.g., grpc.Server.GracefulStop() and http.Server.Shutdown())
which can block indefinitely; update every frontend shutdown implementation
referenced by frontendStop (apply to both UDS and mTLS frontend branches) to
enforce a hard stop after the graceful timeout: run the graceful shutdown on a
context with the configured timeout, and if it doesn't complete, escalate to the
forced stop path (call grpc.Server.Stop() for gRPC frontends and
http.Server.Close() or close the listener for HTTP frontends) so shutdown always
completes even when GracefulShutdownTimeout==0 or the graceful path stalls;
ensure these forced-stop calls are invoked alongside existing teardown for
p.agentServer, p.adminServer, p.healthServer and leaseController logic.

In `@konnectivity-client/agent.md`:
- Around line 1-6: The guidance text is overly broad and self-contradictory;
replace the final sentence "Please do not make changes in
apiserver-network-proxy and anywhere else in apiserver-network-proxy." with a
scoped restriction such as "Do not make changes to the
apiserver-network-proxy/konnectivity-client subtree without prior approval." and
tighten lines 1–4 to state that dependencies must remain compatible with the
oldest supported Kubernetes release (include the kubernetes.io/releases link)
and that the primary consumer is the kubernetes-apiserver; ensure the wording
clearly bounds the maintenance scope to the konnectivity-client subtree and
removes the blanket ban on the whole repo.

In `@konnectivity-client/go.mod`:
- Line 11: Update the grpc module in go.mod from google.golang.org/grpc v1.68.1
to v1.79.3 (or later) to remediate the authorization bypass; edit the module
line referencing google.golang.org/grpc to the new version and then run `go mod
tidy` / `go get` to refresh module locks and update go.sum so the dependency
graph and checksums are consistent with v1.79.3+.

In `@Makefile`:
- Around line 87-90: The TEST_LIST derivation is filtering out most packages by
relying on bracketed output from "go list -test"; update TEST_LIST to mirror the
fast-test approach: use "go list ./..." (instead of "go list -test ./... | egrep
' \\[.*\\]' | cut -d' ' -f1") and then apply the same e2e exclusion (grep -v -e
"/e2e$$" -e "/e2e/.*") so TEST_LIST includes all non-e2e packages; keep the
existing echo and go test invocation that uses $(TEST_LIST).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 329a6efa-dd60-4f77-b4ea-d3389c75bfd0

📥 Commits

Reviewing files that changed from the base of the PR and between 5c263ca and 1836689.

⛔ Files ignored due to path filters (269)

go.sum is excluded by !**/*.sum
konnectivity-client/go.sum is excluded by !**/*.sum
vendor/github.com/go-logr/logr/.golangci.yaml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/connection.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/spdy/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/spdy/PATENTS is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/spdy/dictionary.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/spdy/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/spdy/read.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/spdy/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/moby/spdystream/spdy/write.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/assertion_compare.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/assertion_format.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/assertion_forward.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/assertion_order.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/assertions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/http_assertions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/yaml/yaml_custom.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/yaml/yaml_default.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/stretchr/testify/assert/yaml/yaml_fail.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/filter.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/internal/xxhash/xxhash.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/iterator.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/key.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/rawhelpers.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/set.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/codes/codes.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/internal/gen.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/internal/rawhelpers.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.26.0/README.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.26.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.26.0/metric.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/README.md is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/error_type.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/exception.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/semconv/v1.39.0/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/config.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/hex.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/internal/telemetry/attr.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/internal/telemetry/id.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/internal/telemetry/span.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/internal/telemetry/status.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/internal/telemetry/traces.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/internal/telemetry/value.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/noop.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/span.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/escape.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/iter.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/parse.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/html/render.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config_go124.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config_go125.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config_go126.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/config_pre_go124.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/gotrack.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/hpack/tables.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/timer.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_priority_rfc9218.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/http2/writesched_roundrobin.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpcommon/request.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/internal/socks/socks.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/trace/events.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/net/websocket/hybi.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/deviceauth.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/oauth2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/pkce.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/token.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/oauth2/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/plan9/pwd_go15_plan9.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/plan9/pwd_plan9.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/affinity_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/fdset.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ifreq_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkall.sh is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/mkerrors.sh is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_netbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_386.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsyscall_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_386.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_386.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_mips.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/aliases.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/dll_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/security_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/term/term_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/core.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/genproto/googleapis/rpc/status/status.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/MAINTAINERS.md is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/README.md is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/attributes/attributes.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/balancer.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/base/balancer.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/pickfirst/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer/subconn.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/balancer_wrapper.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/clientconn.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/credentials/insecure/insecure.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/credentials/tls.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/dialoptions.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/encoding/encoding.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/encoding/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/encoding/proto/proto.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/experimental/stats/metricregistry.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/experimental/stats/metrics.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/interceptor.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/balancer/weight/weight.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/buffer/unbounded.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/channelz/trace.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/credentials/credentials.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/envconfig/envconfig.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/envconfig/xds.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/experimental.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/grpcsync/callback_serializer.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/grpcsync/event.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/idle/idle.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/internal.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/resolver/dns/dns_resolver.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/stats/metrics_recorder_list.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/stats/stats.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/status/status.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/client_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/controlbuf.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/defaults.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/flowcontrol.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/handler_server.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/http2_client.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/http2_server.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/http_util.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/server_stream.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/internal/transport/transport.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/mem/buffer_pool.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/mem/buffer_slice.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/mem/buffers.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/picker_wrapper.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/preloader.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/resolver/map.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/resolver/resolver.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/resolver_wrapper.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/rpc_util.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/server.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/stats/handlers.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/stats/stats.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/grpc/version.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/encoding/protowire/wire.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/editiondefaults/editions_defaults.binpb is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc_init.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/editions.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/filedesc/presence.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/genid/api_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
vendor/google.golang.org/protobuf/internal/impl/codec_message_opaque.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (31)

.github/dependabot.yml
.github/workflows/e2e.yaml
.github/workflows/golangci-lint.yaml
Makefile
cloudbuild.yaml
cmd/server/app/options/options.go
cmd/server/app/options/options_test.go
cmd/server/app/server.go
cmd/test-client/main.go
go.mod
konnectivity-client/agent.md
konnectivity-client/go.mod
pkg/agent/clientset.go
pkg/agent/metrics/metrics.go
pkg/server/backend_manager.go
pkg/server/backend_manager_test.go
pkg/server/metrics/metrics.go
pkg/server/server.go
pkg/server/tunnel.go
pkg/testing/leases.go
pkg/testing/metrics/metrics.go
pkg/util/certificates.go
pkg/util/flags.go
pkg/util/handlers.go
pkg/util/leases.go
pkg/util/leases_test.go
pkg/util/net.go
pkg/util/net_test.go
pkg/util/url.go
pkg/util/util.go
pkg/util/util_test.go

coderabbitai · 2026-05-18T13:22:07Z

+	// If graceful shutdown timeout is 0, use the old behavior (immediate shutdown)
+	if o.GracefulShutdownTimeout == 0 {
+		if frontendStop != nil {
+			if err := frontendStop(context.Background()); err != nil {
+				klog.ErrorS(err, "failed to stop frontend server")
+			}
+		}
+		if p.agentServer != nil {
+			p.agentServer.Stop()
+		}
+		if p.adminServer != nil {
+			p.adminServer.Close()
+		}
+		if p.healthServer != nil {
+			p.healthServer.Close()
+		}
+		if leaseController != nil {
+			leaseController.Stop()
+		}
+		return nil


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In Go, does grpc.Server.GracefulStop()honor a context or timeout, and whennet/http.Server.Shutdown(ctx)returns becausectxexpired, must the caller invokeClose() to force termination?

💡 Result:

In Go, grpc.Server.GracefulStop does not accept a context or timeout [1][2]. It blocks indefinitely until all pending RPCs have completed [1][3]. Because it does not honor a timeout, it is a standard and recommended practice to implement a "safety net" by running GracefulStop in a goroutine and using a select statement with a timer or context to trigger a forceful s.Stop if the graceful shutdown takes too long [3][4][5][6]. Regarding net/http.Server.Shutdown(ctx), when the provided context expires, the method returns immediately with the context's error (e.g., context.DeadlineExceeded) [7]. It does not automatically force-close active connections when the context expires [7]. Consequently, if you want to ensure the server terminates after the timeout, you must explicitly handle the cleanup, typically by calling Close to force the termination of any remaining connections [7][8].

Citations:

1: https://pkg.go.dev/google.golang.org/grpc/examples/features/gracefulstop

2: https://grpc.io/docs/guides/server-graceful-stop/

3: https://github.com/grpc/grpc-go/blob/49e224f832c21df2cd3fe833189c8a50244f0eee/examples/features/gracefulstop/server/main.go

4: https://gist.github.com/skwair/c67d328e1040f638a07bf841be94fd11

5: Health Server Graceful Shutdown grpc/grpc-go#8776

6: https://stackoverflow.com/questions/58480775/how-to-close-all-grpc-server-streams-using-gracefulstop

7: https://dev.to/gabrielanhaia/gos-nethttp-servershutdown-the-three-stage-drain-you-probably-skip-1dgl

8: proposal: net/http: context based graceful server shutdown golang/go#52805

Add forced-stop paths to all frontend shutdown implementations.

frontendStop is graceful-only in every implementation. With the default GracefulShutdownTimeout=0, the zero-timeout branch calls it with context.Background(), allowing active frontend connections to block shutdown indefinitely. In the timed path, the timeout never escalates the frontend to a hard stop, despite the caller's assumption. grpc.Server.GracefulStop() blocks indefinitely without context awareness, and net/http.Server.Shutdown() doesn't force-close connections after timeout expiry—both require explicit escalation paths.

Implementation pattern

For gRPC (UDS and mTLS):

- stop = func(_ context.Context) error { - grpcServer.GracefulStop() - return nil - } + stop = func(shutdownCtx context.Context) error { + done := make(chan struct{}) + go func() { + grpcServer.GracefulStop() + close(done) + }() + select { + case <-done: + return nil + case <-shutdownCtx.Done(): + grpcServer.Stop() + <-done + return shutdownCtx.Err() + } + }

For HTTP (UDS and mTLS):

- stop = func(shutdownCtx context.Context) error { - return server.Shutdown(shutdownCtx) - } + stop = func(shutdownCtx context.Context) error { + if err := server.Shutdown(shutdownCtx); err != nil { + if shutdownCtx.Err() != nil { + _ = server.Close() + } + return err + } + return nil + }

Apply to both UDS and mTLS frontend branches (lines 282-295, 369-383, 467-483).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/server/app/server.go` around lines 191 - 210, The frontendStop functions currently only perform graceful shutdown (e.g., grpc.Server.GracefulStop() and http.Server.Shutdown()) which can block indefinitely; update every frontend shutdown implementation referenced by frontendStop (apply to both UDS and mTLS frontend branches) to enforce a hard stop after the graceful timeout: run the graceful shutdown on a context with the configured timeout, and if it doesn't complete, escalate to the forced stop path (call grpc.Server.Stop() for gRPC frontends and http.Server.Close() or close the listener for HTTP frontends) so shutdown always completes even when GracefulShutdownTimeout==0 or the graceful path stalls; ensure these forced-stop calls are invoked alongside existing teardown for p.agentServer, p.adminServer, p.healthServer and leaseController logic.

coderabbitai · 2026-05-18T13:22:07Z

+This is the client library meant to be imported by users apiserver-network-proxy.
+The primary user of this library is the kubernetes-apiserver from https://github.com/kubernetes/kubernetes. 
+The dependencies for this library should be kept in line with the old supported version of Kubernetes.
+The oldest supported version of kubernetes can be found at https://kubernetes.io/releases/
+
+Please do not make changes in apiserver-network-proxy/konnectivity-client and anywhere else in apiserver-network-proxy.


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

The maintenance guidance is overbroad and contradictory.

Line 6 says not to change konnectivity-client and anywhere else in apiserver-network-proxy, which effectively forbids all repo changes. Please narrow this to the intended scope (likely this subtree only) and tighten wording in Lines 1-4.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@konnectivity-client/agent.md` around lines 1 - 6, The guidance text is overly broad and self-contradictory; replace the final sentence "Please do not make changes in apiserver-network-proxy and anywhere else in apiserver-network-proxy." with a scoped restriction such as "Do not make changes to the apiserver-network-proxy/konnectivity-client subtree without prior approval." and tighten lines 1–4 to state that dependencies must remain compatible with the oldest supported Kubernetes release (include the kubernetes.io/releases link) and that the primary consumer is the kubernetes-apiserver; ensure the wording clearly bounds the maintenance scope to the konnectivity-client subtree and removes the blanket ban on the whole repo.

coderabbitai · 2026-05-18T13:22:08Z

GHSA-p77j-4mvh-x3m3

+	github.com/prometheus/client_golang v1.22.0
+	go.uber.org/goleak v1.3.0
+	golang.org/x/net v0.38.0 // indirect
+	google.golang.org/grpc v1.68.1


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the first patched version of google.golang.org/grpc for GO-2026-4762 (GHSA-p77j-4mvh-x3m3)?

💡 Result:

The first patched version of google.golang.org/grpc for the vulnerability GO-2026-4762 (also tracked as GHSA-p77j-4mvh-x3m3 and CVE-2026-33186) is v1.79.3 [1][2][3]. Users are advised to upgrade to this version or newer to address the authorization bypass issue caused by missing leading slashes in the:path pseudo-header [2][4].

Citations:

1: https://pkg.go.dev/vuln/GO-2026-4762

2: https://test.osv.dev/vulnerability/GHSA-p77j-4mvh-x3m3

3: https://test.osv.dev/vulnerability/GO-2026-4762

4: https://cve.circl.lu/vuln/ghsa-p77j-4mvh-x3m3

Upgrade gRPC to v1.79.3 or later immediately.

Line 11 references google.golang.org/grpc v1.68.1, which is vulnerable to a critical authorization bypass (GO-2026-4762 / GHSA-p77j-4mvh-x3m3) caused by missing leading slashes in the:path pseudo-header. Bump to v1.79.3 or newer and refresh module locks.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@konnectivity-client/go.mod` at line 11, Update the grpc module in go.mod from google.golang.org/grpc v1.68.1 to v1.79.3 (or later) to remediate the authorization bypass; edit the module line referencing google.golang.org/grpc to the new version and then run `go mod tidy` / `go get` to refresh module locks and update go.sum so the dependency graph and checksums are consistent with v1.79.3+.

coderabbitai · 2026-05-18T13:22:08Z

+	$(eval TEST_LIST := $(shell go list -test ./... | egrep " \[.*\]" | cut -d' ' -f1 | grep -v -e "/e2e$$" -e "/e2e/.*"))
+	echo "Running tests on $(TEST_LIST)"
+	$(info GOTOOLCHAIN is $(GOTOOLCHAIN))
+	go test -v -mod=vendor -race -covermode=atomic -coverprofile=konnectivity.out $(TEST_LIST) && go tool cover -html=konnectivity.out -o=konnectivity.html


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the default output format of go list -test ./...? Does it include bracketed entries like pkg [pkg.test]without using-deps?

💡 Result:

The default output format of the go list command is the package import path, which is equivalent to using the format flag -f '{{.ImportPath}}' [1][2][3]. When you use the -test flag with go list, the command reports not only the named packages but also their associated test binaries [1]. The output will include these test binaries, which are identified by the import path of the package followed by a.test suffix (e.g., math/rand.test) [1]. Regarding your question about bracketed entries like pkg [pkg.test]: Yes, go list -test will include these entries even without the -deps flag [1]. When building a test, the Go toolchain may need to recompile certain dependencies specifically for that test binary [1]. In these cases, the reported import path of the recompiled package is followed by a space and the name of the test binary in brackets, such as math/rand [math/rand.test] [1]. This behavior is intended to convey exactly how test binaries are constructed [1].

Citations:

1: https://go.dev/cmd/go/internal/list%40go1.25.1

2: https://stackoverflow.com/questions/69783479/what-does-go-list-do-in-gos-toolset

3: https://dave.cheney.net/2014/09/14/go-list-your-swiss-army-knife

🏁 Script executed:

# First, let's examine the Makefile at the specified lines fd -type f -name "Makefile" | head -5

Repository: openshift/apiserver-network-proxy

Length of output: 248

🏁 Script executed:

# Once we have the Makefile path, let's read the relevant section cat -n Makefile | sed -n '80,100p'

Repository: openshift/apiserver-network-proxy

Length of output: 1289

🏁 Script executed:

# Let's also check if there are any comments or related code that might explain the intent cat -n Makefile | sed -n '75,105p'

Repository: openshift/apiserver-network-proxy

Length of output: 1928

TEST_LIST derivation is filtering out most packages, reducing CI test coverage.

Line 87 uses go list -test ./... with an egrep " \[.*\]" filter that matches only packages with bracket notation (e.g., pkg [pkg.test]). However, go list -test produces bracketed output only for packages that require recompilation specifically for testing—most packages output without brackets and are excluded by this filter. This leaves $(TEST_LIST) with only a small subset of packages, causing Line 90 to skip coverage for the majority of the codebase.

The fast-test target (line 81) uses the simpler and correct approach: go list ./... with just e2e filtering. Apply the same pattern here.

Proposed fix

- $(eval TEST_LIST := $(shell go list -test ./... | egrep " \[.*\]" | cut -d' ' -f1 | grep -v -e "/e2e$$" -e "/e2e/.*")) + $(eval TEST_LIST := $(shell go list ./... | grep -v -e "/e2e$$" -e "/e2e/.*"))

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

$(eval TEST_LIST := $(shell go list -test ./... | egrep " \[.*\]" | cut -d' ' -f1 | grep -v -e "/e2e$$" -e "/e2e/.*"))

echo "Running tests on $(TEST_LIST)"

$(info GOTOOLCHAIN is $(GOTOOLCHAIN))

go test -v -mod=vendor -race -covermode=atomic -coverprofile=konnectivity.out $(TEST_LIST) && go tool cover -html=konnectivity.out -o=konnectivity.html

$(eval TEST_LIST := $(shell go list ./... | grep -v -e "/e2e$$" -e "/e2e/.*"))

echo "Running tests on $(TEST_LIST)"

$(info GOTOOLCHAIN is $(GOTOOLCHAIN))

go test -v -mod=vendor -race -covermode=atomic -coverprofile=konnectivity.out $(TEST_LIST) && go tool cover -html=konnectivity.out -o=konnectivity.html

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Makefile` around lines 87 - 90, The TEST_LIST derivation is filtering out most packages by relying on bracketed output from "go list -test"; update TEST_LIST to mirror the fast-test approach: use "go list ./..." (instead of "go list -test ./... | egrep ' \\[.*\\]' | cut -d' ' -f1") and then apply the same e2e exclusion (grep -v -e "/e2e$$" -e "/e2e/.*") so TEST_LIST includes all non-e2e packages; keep the existing echo and go test invocation that uses $(TEST_LIST).

…e team

… rebase

bryan-cox · 2026-05-18T18:38:27Z

/test e2e-hypershift

openshift-ci · 2026-05-19T13:02:29Z

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

bryan-cox · 2026-05-19T13:03:34Z

/retest

bryan-cox · 2026-05-19T13:06:15Z

/test commitchecker

openshift-ci · 2026-05-19T13:06:35Z

@bryan-cox: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test e2e-hypershift

/test images

/test okd-scos-images

/test unit

/test verify

/test verify-commits

/test verify-deps

The following commands are available to trigger optional jobs:

/test okd-scos-e2e-aws-ovn

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-apiserver-network-proxy-main-e2e-hypershift

pull-ci-openshift-apiserver-network-proxy-main-images

pull-ci-openshift-apiserver-network-proxy-main-okd-scos-images

pull-ci-openshift-apiserver-network-proxy-main-unit

pull-ci-openshift-apiserver-network-proxy-main-verify

pull-ci-openshift-apiserver-network-proxy-main-verify-commits

pull-ci-openshift-apiserver-network-proxy-main-verify-deps

Details

In response to this:

/test commitchecker

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci-robot · 2026-05-19T13:34:55Z

@bryan-cox: This pull request references CNTRLPLANE-3380 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

New Features

Added --graceful-shutdown-timeout CLI flag to configure graceful shutdown behavior for the proxy.

Dependencies

Updated Go toolchain to 1.25.0/1.26.2.

Updated golangci-lint to 2.9.0.

Upgraded multiple core dependencies including gRPC, Kubernetes modules, and OpenTelemetry libraries.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

jparrill

Dropped some comments. Thanks!

jparrill · 2026-05-19T19:56:03Z

+	}
+}
+
+func TestDestHostBackendManager_Backend_DrainingFallback(t *testing.T) {


This test expects DestHostBackendManager.Backend() to filter out draining backends, but pkg/server/desthost_backend_manager.go wasn't modified in this PR. Line 85 still does dibm.backends[destHost][dibm.random.Intn(len(bes))] with no IsDraining() check.

Upstream master does have this logic (iterates backends, skips draining ones, falls back if all are draining). Looks like it got dropped during the rebase. Without this change, this test will be flaky or fail outright.

jparrill · 2026-05-19T19:56:03Z

+	go func() {
+		defer wg.Done()
+		klog.V(1).Infoln("Gracefully stopping agent server...")
+		p.agentServer.GracefulStop()


The immediate shutdown path (line 198) checks if p.agentServer != nil before calling Stop(), but the graceful path here doesn't. It's unlikely to be nil at this point, but the inconsistency is suspicious — if you guard it in one place, guard it in both.

jparrill · 2026-05-19T19:56:03Z

+		if p.healthServer != nil {
+			p.healthServer.Close()
+		}
+		// frontend server's force-stop is handled by its StopFunc


This comment says "frontend server's force-stop is handled by its StopFunc", but the gRPC frontend's StopFunc is grpcServer.GracefulStop() which blocks indefinitely and doesn't accept a context. If the frontend's graceful stop hangs, there's no way to force it. Admin/health get Close(), the agent server gets Stop() — but the gRPC frontend has no equivalent. Consider calling grpcServer.Stop() here as well in the timeout path.

jparrill · 2026-05-19T19:56:03Z

+	// Test 2: Non-draining backends are returned
+	b, err := p.Backend(context.Background())
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)


If err != nil, b is likely nil and the next line (b.IsDraining()) panics. Use t.Fatalf instead of t.Errorf so the test stops on error rather than crashing with a nil pointer dereference. Same pattern repeats at several other assertions in these tests.

jparrill · 2026-05-19T19:56:03Z

@@ -999,6 +1000,8 @@ func (s *ProxyServer) serveRecvBackend(backend *Backend, agentID string, recvCh

 		case client.PacketType_DRAIN:
 			klog.V(2).InfoS("agent is draining", "agentID", agentID)
+			backend.SetDraining()
+			klog.V(2).InfoS("marked backend as draining, will not route new requests to this agent", "agentID", agentID)


Two log lines at the same verbosity level for the same event. The first one (line above) was already there, this one is new. I'd consolidate into one after SetDraining().

jparrill · 2026-05-19T19:56:03Z

+// bufferPool is a pool of byte slices used for reading data from hijacked connections.
+// This reduces memory allocations and GC pressure by reusing buffers across connections.
+var bufferPool = sync.Pool{
+	New: func() interface{} {


nit: with go 1.25.0 in go.mod, any is the idiomatic form. interface{} works the same but it's the legacy style.

jparrill · 2026-05-19T19:56:03Z

 		)
 		go runpprof.Do(context.Background(), labels, func(context.Context) { grpcServer.Serve(lis) })
-		stop = grpcServer.GracefulStop
+		stop = func(_ context.Context) error {


nit: the StopFunc contract is func(context.Context) error, which implies the context controls the deadline. But here it's ignored because GracefulStop() doesn't accept a context. Not a bug (the timeout fallback in Run() compensates for the agent server), but a brief inline comment explaining why the context is ignored would help readers.

jparrill · 2026-05-19T19:56:03Z

    steps:
    - name: Check out code
-      uses: actions/checkout@v5
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2


Why are there GH Workflow changes in this PR? Is this intended?

jparrill · 2026-05-19T19:56:03Z

+    - "konnectivity-client/**"
  schedule:
-    interval: weekly
+    interval: daily


Why change the schedule from weekly to daily?

jparrill · 2026-05-20T08:55:11Z

Alright after talking in slack we agree that this PR contains:

Bump from Upstream
Changes in GH Workflows necessary to work properly.

Having that, let's move on.

jparrill · 2026-05-20T08:55:16Z

/lgtm

openshift-ci · 2026-05-20T08:55:38Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, jparrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [bryan-cox,jparrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ipochi and others added 30 commits October 27, 2025 21:52

implements graceful termination for server

dedeefa

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

fix golangci-lint failures

2dfa6b7

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

addressing review

cc87190

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

fix: add missing ProtoMajor in response

a01ffaa

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Replace 'intialized' with 'initialized' in log message

ef59fbe

Merge pull request kubernetes-sigs#804 from cjd/intialized-typo

201488d

Replace 'intialized' with 'initialized' in log message

Merge pull request kubernetes-sigs#806 from kubernetes-sigs/dependabo…

204fce7

…t/github_actions/actions/upload-artifact-6 chore(deps): bump actions/upload-artifact from 4 to 6

Merge pull request kubernetes-sigs#796 from kinvolk/imran/bufferpool-…

e02cc7c

…for-http-connect http-connect: reduce memory allocations

Merge pull request kubernetes-sigs#800 from kubernetes-sigs/dependabo…

3f8c064

…t/github_actions/golangci/golangci-lint-action-9 chore(deps): bump golangci/golangci-lint-action from 8 to 9

Merge pull request kubernetes-sigs#802 from kubernetes-sigs/dependabo…

c397bfd

…t/github_actions/actions/checkout-6 chore(deps): bump actions/checkout from 5 to 6

Merge pull request kubernetes-sigs#807 from kubernetes-sigs/dependabo…

3a7339c

…t/github_actions/actions/download-artifact-7 chore(deps): bump actions/download-artifact from 5 to 7

Merge pull request kubernetes-sigs#794 from kinvolk/imran/graceful-te…

5b2cec5

…rmination-for-server Graceful termination for server

Merge pull request kubernetes-sigs#803 from kinvolk/imran/add-proto-m…

d6ea7d8

…ajor fix: add missing ProtoMajor in response

implement server agent draining

129aa90

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

addressing feedback

5e6bfcc

Signed-off-by: Imran Pochi <imranpochi@microsoft.com>

Merge pull request kubernetes-sigs#795 from kinvolk/imran/implement-s…

b924bd5

…erver-agent-draining implement server agent draining

Merge pull request kubernetes-sigs#813 from kubernetes-sigs/dependabo…

4be190a

…t/github_actions/actions/upload-artifact-7 chore(deps): bump actions/upload-artifact from 6 to 7

Merge pull request kubernetes-sigs#812 from kubernetes-sigs/dependabo…

1eec42c

…t/github_actions/actions/download-artifact-8 chore(deps): bump actions/download-artifact from 7 to 8

iUpdated konnectivity-client dependencies

a1ae248

prompt: Please upgrade the go.mod in this directory to match https://github.com/kubernetes/kubernetes/blob/release-1.33/go.mod Added agent.md to help correct ML based upgrades.

Fixed presubmit actions to be full sha.

f03b31f

Adding full sha to git commands.

Merge pull request kubernetes-sigs#824 from cheftako/upgrade

6f13e50

Updated konnectivity-client dependencies

merge upstream/master into main

aaa2b93

openshift-ci Bot requested review from Nirshal and jparrill May 18, 2026 13:13

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 18, 2026

bryan-cox force-pushed the rebase-bot-main branch from ca86bde to 1836689 Compare May 18, 2026 13:15

coderabbitai Bot reviewed May 18, 2026

View reviewed changes

bryan-cox added 4 commits May 18, 2026 09:50

UPSTREAM: <carry>: Add OpenShift files

8d22e73

UPSTREAM: <carry>: load balance traffic across redundant backends

64c83b7

UPSTREAM: <carry>: CNTRLPLANE-3380: Update OWNERS with HyperShift cor…

af75592

…e team

UPSTREAM: <drop>: Updating and vendoring go modules after an upstream…

261f7e3

… rebase

bryan-cox force-pushed the rebase-bot-main branch 2 times, most recently from 009a1c2 to 0012e91 Compare May 18, 2026 14:44

UPSTREAM: <drop>: Pin go directive to 1.25 for CI builder compatibility

f900d38

bryan-cox force-pushed the rebase-bot-main branch from 9f3c64f to f900d38 Compare May 19, 2026 10:05

bryan-cox changed the title ~~Merge https://github.com/kubernetes-sigs/apiserver-network-proxy:master (588e629) into main~~ CNTRLPLANE-3380: Merge https://github.com/kubernetes-sigs/apiserver-network-proxy:master (588e629) into main May 19, 2026

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 19, 2026

jparrill reviewed May 19, 2026

View reviewed changes

openshift-ci Bot assigned jparrill May 20, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 20, 2026

openshift-merge-bot Bot merged commit c2014a5 into openshift:main May 20, 2026
9 checks passed

Conversation

bryan-cox commented May 18, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented May 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning)

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 18, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 18, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 18, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot May 18, 2026

Choose a reason for hiding this comment

Uh oh!

bryan-cox commented May 18, 2026

Uh oh!

openshift-ci Bot commented May 19, 2026

Uh oh!

bryan-cox commented May 19, 2026

Uh oh!

bryan-cox commented May 19, 2026

Uh oh!

openshift-ci Bot commented May 19, 2026

Uh oh!

openshift-ci-robot commented May 19, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

jparrill left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jparrill commented May 20, 2026

Uh oh!

jparrill commented May 20, 2026

Uh oh!

openshift-ci Bot commented May 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

bryan-cox commented May 18, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 18, 2026 •

edited

Loading

openshift-ci-robot commented May 19, 2026 •

edited by openshift-ci Bot

Loading