NO-JIRA: chore(deps): weekly dependabot consolidation

[hypershift-jira-solve-ci]

Summary

Weekly consolidation of dependabot dependency updates.

Consolidated PRs

• build(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 #8335: chore(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0
• build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 #8188: chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0

Commits

1. chore(deps): update root module dependencies
2. chore(deps): update vendored dependencies

---

Assisted-by: Claude (via Claude Code)

---

Note: This PR was auto-generated by the dependabot-triage periodic CI job. See the full report for token usage, cost breakdown, and detailed output.

Summary by CodeRabbit

Release Notes

• Chores
  • Updated monitoring and observability framework to latest stable versions for improved platform compatibility and performance.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@hypershift-jira-solve-ci[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

Weekly consolidation of dependabot dependency updates.

Consolidated PRs

• build(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 #8335: chore(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0
• build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 #8188: chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0

Commits

1. chore(deps): update root module dependencies
2. chore(deps): update vendored dependencies

---

Assisted-by: Claude (via Claude Code)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request updates Go module dependencies in go.mod. The OpenTelemetry packages (go.opentelemetry.io/otel, go.opentelemetry.io/otel/metric, go.opentelemetry.io/otel/sdk, and go.opentelemetry.io/otel/trace) are upgraded from version v1.40.0 to v1.43.0. Additionally, golang.org/x/sys is upgraded from v0.41.0 to v0.42.0. All updated dependencies are marked as indirect requirements. No public API declarations are altered by these changes.

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: a weekly consolidation of dependabot dependency updates affecting OpenTelemetry packages.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This pull request modifies only dependency files and vendored dependencies with no test file modifications. Since no test files were changed, the Ginkgo test naming check passes automatically.
Test Structure And Quality	✅ Passed	PR contains only dependency version updates in go.mod with no modifications to test files or Ginkgo test code, making this check not applicable.
Microshift Test Compatibility	✅ Passed	PR contains only dependency version updates in go.mod; no new Ginkgo e2e tests are being added, making the MicroShift compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only modifies go.mod to upgrade OpenTelemetry and golang.org/x/sys dependencies. No new Ginkgo e2e tests are added, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only dependency version updates in go.mod files and does not modify deployment manifests, operator code, or controllers. The topology-aware scheduling check is explicitly scoped to changes introducing scheduling constraints in these components, making it not applicable.
Ote Binary Stdout Contract	✅ Passed	PR contains only go.mod dependency updates with zero modifications to Go source code, preventing any stdout contract violations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only modifies dependency versions in go.mod, go.sum, and vendored dependencies. No new Ginkgo e2e tests are being added to the hypershift codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 277-282: go.mod lists otlp trace exporter modules at v1.37.0 which
conflicts with core OpenTelemetry packages updated to v1.43.0; update the
versions for go.opentelemetry.io/otel/exporters/otlp/otlptrace and
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc to v1.43.0 in
go.mod so they match the core packages (ensure go.sum is updated by running `go
mod tidy` after changing the versions).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e5938083-3234-49e0-ada2-e86142860bb9

📥 Commits

Reviewing files that changed from the base of the PR and between 7aa6235 and b8d21a9.

⛔ Files ignored due to path filters (72)

• go.sum is excluded by !**/*.sum
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !vendor/**, !**/vendor/**, !**/*_string.go
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/errorhandler/errorhandler.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/handler.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/state.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/syncfloat64.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/metric/syncint64.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/requirements.txt is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/config.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_readfile.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/MIGRATION.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/MIGRATION.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/README.md is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/attribute_group.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/doc.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/error_type.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/exception.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/otelconv/metric.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/schema.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !vendor/**, !**/vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/aliases.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !vendor/**, !**/vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify OpenTelemetry version compatibility and security advisories

echo "=== Checking latest versions available ==="
curl -s https://proxy.golang.org/go.opentelemetry.io/otel/@v/list | tail -5
curl -s https://proxy.golang.org/go.opentelemetry.io/otel/sdk/@v/list | tail -5
curl -s https://proxy.golang.org/go.opentelemetry.io/otel/exporters/otlp/otlptrace/@v/list | tail -5

echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "go.opentelemetry.io/otel") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

echo -e "\n=== Checking module info for v1.43.0 ==="
curl -s https://proxy.golang.org/go.opentelemetry.io/otel/@v/v1.43.0.info

echo -e "\n=== Checking exporter compatibility ==="
# Check if exporter v1.37.0 supports otel v1.43.0
curl -s https://proxy.golang.org/go.opentelemetry.io/otel/exporters/otlp/otlptrace/@v/v1.37.0.mod | grep "go.opentelemetry.io/otel"

Repository: openshift/hypershift

Length of output: 1340

---

🌐 Web query:

OpenTelemetry Go v1.43.0 release notes and breaking changes

💡 Result:

OpenTelemetry Go v1.43.0 was released on 2026-04-03. Official release notes are available at https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0 and in CHANGELOG.md https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md. Key additions: - Added IsRandom and WithRandom on TraceFlags, IsRandom on SpanContext in go.opentelemetry.io/otel/trace for W3C Trace Context support (#8012). - Added service detection with WithService in go.opentelemetry.io/otel/sdk/resource (#7642). - Added DefaultWithContext and EnvironmentWithContext in resource detection (#8051). - Support for attribute.EMPTY in various OTLP exporters (trace, metric, log; gRPC and HTTP) and metricdatatest (#8038). - Per-series start time tracking for cumulative metrics in sdk/metric (env var OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true) (#8060). - WithCardinalityLimitSelector for metric reader (#7855). - Performance improvements in attribute slice handling (#8039), span metric recording (#8067), and metric data diffs (#8073). Deprecations: - Deprecate attribute.INVALID; use EMPTY instead (#8038). Breaking changes: - TraceIdRatioBased sampler now returns spec-compliant description (behavioral change for spec compliance) (#8027). Fixes: - Race condition in sdk/metric lastvalue aggregation (#8056). - HTTP response body limited to 4 MiB in OTLP HTTP exporters (trace, metric, log) to prevent excessive memory use; large responses are non-retryable (#8108). - WithHostID detector fix for BSD (#8113). - Missing request.GetBody in otlploghttp for HTTP2 GOAWAY (#8096). Full changelog: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0

Citations:

• 1: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
• 2: https://github.com/open-telemetry/opentelemetry-go/releases
• 3: https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md
• 4: https://newreleases.io/project/github/open-telemetry/opentelemetry-go/release/v1.43.0
• 5: open-telemetry/opentelemetry-go@v1.42.0...v1.43.0

---

🌐 Web query:

OpenTelemetry Go exporter compatibility with SDK v1.43.0

💡 Result:

The OpenTelemetry Go SDK v1.43.0 (released 2026-04-03) is fully compatible with the official exporters included in the monorepo, such as OTLP (gRPC and HTTP for traces/metrics/logs), Prometheus (metrics), stdout, and Zipkin (traces). These exporters were updated and released together as part of v1.43.0, with changes like support for empty attributes (attribute.EMPTY), response body limits in OTLP HTTP exporters, and observability metrics guarded by Enabled checks. Exporters are separate Go modules (e.g., go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0), but the SDK depends on matching versions of otel/trace, otel/metric, otel/sdk/metric (all v1.43.0). Projects using SDK v1.43.0 commonly pair it with exporter v1.43.0, as shown in go.mod updates from Dependabot across multiple repositories. No compatibility issues or breaking changes affecting exporters are noted in the v1.43.0 release notes or changelog. Official docs confirm all listed exporters work with the current SDK.

Citations:

• 1: open-telemetry/opentelemetry-go@v1.40.0...v1.43.0
• 2: https://github.com/open-telemetry/opentelemetry-go
• 3: https://github.com/open-telemetry/opentelemetry-go/releases
• 4: https://newreleases.io/project/github/open-telemetry/opentelemetry-go/release/v1.43.0
• 5: https://opentelemetry.io/docs/languages/go/exporters/
• 6: https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md
• 7: https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v1.43.0/sdk/go.mod
• 8: open-edge-platform/infra-core@8fa0af6
• 9: https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
• 10: https://pkg.go.dev/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.41.0
• 11: https://libraries.io/go/go.opentelemetry.io%2Fotel%2Fexporters%2Fotlp%2Fotlptrace%2Fotlptracehttp
• 12: Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.40.0 to 1.43.0 openconfig/featureprofiles#5325

---

Update OTLP trace exporters to v1.43.0 to resolve version mismatch with core packages.

The OpenTelemetry core packages are upgraded to v1.43.0, which patches a HIGH severity security vulnerability (CVE affecting versions 1.36.0–1.40.0 with baggage header DoS amplification; fixed in v1.41.0+). However, the OTLP trace exporters remain at v1.37.0, which explicitly depends on otel v1.37.0, otel/sdk v1.37.0, otel/trace v1.37.0, and otel/metric v1.37.0. This version mismatch creates a dependency conflict and should be resolved by updating the exporters to v1.43.0.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 277 - 282, go.mod lists otlp trace exporter modules at
v1.37.0 which conflicts with core OpenTelemetry packages updated to v1.43.0;
update the versions for go.opentelemetry.io/otel/exporters/otlp/otlptrace and
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc to v1.43.0 in
go.mod so they match the core packages (ensure go.sum is updated by running `go
mod tidy` after changing the versions).

[hypershift-jira-solve-ci]

The version mismatch between otel core (v1.43.0) and the OTLP trace exporters (v1.37.0) is benign — Go's Minimum Version Selection resolves the shared dependency (go.opentelemetry.io/otel) to v1.43.0 at build time, which satisfies the exporters' requirement of ≥v1.37.0. There is no actual dependency conflict.

Regarding the security advisory (baggage header DoS, CVE affecting v1.36.0–v1.40.0): this is already addressed since the core go.opentelemetry.io/otel package is at v1.43.0. The exporters themselves are not independently affected by that CVE.

That said, updating the exporters to v1.43.0 for version consistency is reasonable and could be done in a follow-up PR. This PR is a dependabot consolidation that bundles the updates dependabot flagged — the exporters weren't included in that set.

---

AI-assisted response via Claude Code

[coderabbitai]

Skipped: comment is from another GitHub bot.

[hypershift-jira-solve-ci]

The security concern here is already mitigated — the CVE (baggage header DoS amplification, affecting v1.36.0–v1.40.0) is in the core go.opentelemetry.io/otel package, which this PR updates to v1.43.0.

The OTLP trace exporter's require go.opentelemetry.io/otel v1.37.0 is a minimum version requirement, not a pin. Go's Minimum Version Selection (MVS) resolves the core packages to v1.43.0 in the final build since the root module requires that version. The exporter compiles against the patched v1.43.0 core — there is no actual dependency conflict or security gap.

That said, aligning the exporter versions to v1.43.0 is a reasonable cleanup. However, since these are indirect dependencies (not directly imported by HyperShift) and the version is MVS-selected based on the transitive dependency graph, bumping them in this automated consolidation PR would expand its scope. This can be addressed in a follow-up dependency update.

---

AI-assisted response via Claude Code

[coderabbitai]

Skipped: comment is from another GitHub bot.

[hypershift-jira-solve-ci]

The version mismatch flagged here is benign. Go's Minimum Version Selection (MVS) resolves the shared go.opentelemetry.io/otel dependency to v1.43.0 regardless of what the OTLP exporter modules declare as their minimum. The security concern (baggage header DoS amplification, CVE affecting v1.36.0–v1.40.0) is addressed by this PR's update of the core otel package to v1.43.0. No action needed.

---

AI-assisted response via Claude Code

[coderabbitai]

Skipped: comment is from another GitHub bot.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.71%. Comparing base (6e734a9) to head (b8d21a9).
⚠️ Report is 16 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8395   +/-   ##
=======================================
  Coverage   36.71%   36.71%           
=======================================
  Files         768      768           
  Lines       93396    93396           
=======================================
  Hits        34286    34286           
  Misses      56426    56426           
  Partials     2684     2684           

Flag	Coverage Δ
cmd-support	30.45% <ø> (ø)
cpo-hostedcontrolplane	37.19% <ø> (ø)
cpo-other	37.73% <ø> (ø)
hypershift-operator	47.84% <ø> (ø)
other	27.77% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bryan-cox]

/area ci-tooling

[bryan-cox]

/approve
/verified by e2e

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, hypershift-jira-solve-ci[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryan-cox]

/lgtm cancel

[csrwng]

/lgtm

[openshift-merge-bot]

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

[bryan-cox]

/verified by e2e

[openshift-ci-robot]

@bryan-cox: This PR has been marked as verified by e2e.

Details

In response to this:

/verified by e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-05-01T17:56:37Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-05-02T10:31:45Z
• View Job
• View Job History

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 03e1f02 and 2 for PR HEAD b8d21a9 in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 302e42b and 1 for PR HEAD b8d21a9 in total

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2050297199308312576 | Cost: $5.034114350000002 | Failed step: hypershift-azure-run-e2e

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[hypershift-jira-solve-ci]

e2e-aks — pull-ci-openshift-hypershift-main-e2e-aks / 2050297199308312576

Result: ❌ failure
Failed test: TestNodePool/HostedCluster0/Main/TestNTOMachineConfigAppliedInPlace

Error

util.go:571: Failed to wait for 2 nodes to become ready for NodePool
e2e-clusters-xs4qm/node-pool-bhz46-test-ntomachineconfig-inplace in 45m0s:
context deadline exceeded

eventually.go:384: observed invalid *v1.Node state after 45m0s
eventually.go:401:  - observed *v1.Node collection invalid: expected 2 nodes, got 1

Summary

The TestNTOMachineConfigAppliedInPlace test creates a NodePool with 2 replicas using UpgradeTypeInPlace, then waits up to 45 minutes for both nodes to become Ready. Only 1 of 2 Azure VMs successfully registered its kubelet with the hosted cluster API server. The 2nd VM (node-pool-bhz46-test-ntomachineconfig-inplace-8snl2) was fully provisioned at the Azure infrastructure level (VM running, CAPI Machine marked Provisioned) but its kubelet never completed registration — no Kubernetes Node object appeared with a matching ProviderID. All other 295 tests passed; the 4 reported failures are this single test cascading upward through the test hierarchy. This is an infrastructure flake unrelated to the dependabot dependency update in PR #8395.

Root Cause

Category: Infrastructure flake — Azure VM bootstrap / kubelet registration failure

The Azure CAPI provider successfully created both VMs and both CAPI Machine objects reached Provisioned phase. However, machine node-pool-bhz46-test-ntomachineconfig-inplace-8snl2 never had a corresponding Kubernetes Node register with the hosted cluster's API server. The kubelet on the 2nd VM failed to start or failed to reach the hosted cluster API server within the 45-minute timeout window.

This is a known class of transient Azure infrastructure flake where a VM is running at the IaaS level but the guest OS bootstrap (cloud-init → ignition → kubelet start → API server registration) fails silently. Possible sub-causes include:

• Azure VM extension (custom script / cloud-init) timeout or failure
• Network connectivity issue between the VM and the hosted cluster API server endpoint
• Ignition config fetch failure from the MCS (Machine Config Server)
• Kubelet certificate bootstrap failure

No code regression is indicated — 295/296 unique tests passed, and the failure is isolated to a single VM out of dozens provisioned across the test suite.

Recommendations

1. Retrigger the job — This is a transient infrastructure flake with no relation to the dependabot PR changes. A re-run is expected to pass.
2. No code changes needed — The dependency updates in PR NO-JIRA: chore(deps): weekly dependabot consolidation #8395 do not affect Azure VM provisioning or kubelet registration paths.
3. If flake persists across retriggers — Investigate Azure VM serial console logs and cloud-init output for the failing machine to determine why kubelet bootstrap fails intermittently on AKS-hosted HyperShift clusters.

Evidence

#	Evidence	Source
1	Test expects 2 Ready nodes but only 1 appeared within 45m timeout	build-log.txt lines 2013–2016
2	Test creates NodePool with Replicas: 2, UpgradeType: InPlace	test/e2e/nodepool_nto_machineconfig_test.go — BuildNodePoolManifest()
3	Wait timeout is hardcoded at 45 minutes in WaitForNReadyNodesWithOptions()	test/e2e/util/util.go:571
4	CAPI Machine 8snl2 reached Provisioned phase but no Node registered with matching ProviderID	NodePool status and Machine YAML in step artifacts
5	The working machine (8kkr2) successfully registered as a Node; the failing machine (8snl2) did not	Comparison of both Machine objects
6	295 other tests passed — only this single test failed (4 reported failures are cascade)	build-log.txt test summary: 339 run, 40 skipped, 4 failed
7	Existing CI failure analysis artifact confirms: "infrastructure flake, not a code regression"	claude-failure-analysis-text.txt in job artifacts
8	Pre phase (AKS provision, HyperShift install) succeeded in 12m41s — cluster infra was healthy	junit_operator.xml step timings
9	No symptom labels or interval files found for this job	GCS artifact listing returned empty

---

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 3df2163 and 0 for PR HEAD b8d21a9 in total

[openshift-ci]

@hypershift-jira-solve-ci[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.