
ROSAENG-58014 : Vulnerability mitigation for certman operator#496

Open: rpodishe wants to merge 1 commit into openshift:master from rpodishe:ROSAENG-58014-certman-vul-mitigation

Conversation


@rpodishe rpodishe commented Jun 19, 2026


June 2026 vulnerability mitigation for certman-operator (ROSAENG-58014). Updated Go module dependencies and boilerplate base image to resolve 41 of 44 reported CVEs.

Changes

  • Updated golang.org/x/crypto v0.49.0 to v0.52.0 (12 CVEs fixed - 7 Critical, 2 High, 3 Medium)
  • Updated golang.org/x/net v0.52.0 to v0.55.0 (7 CVEs fixed - 1 Critical, 1 High, 5 Medium)
  • Updated golang.org/x/sys v0.42.0 to v0.45.0 (1 CVE fixed - Low)
  • Boilerplate updated to image-v8.4.0 (Go 1.25.9 to Go 1.26.3, fixes 19 stdlib CVEs)
  • UBI9 minimal base image updated from 9.8-1780378819 to 9.8-1781496742 (1 openssl-libs CVE fixed)
  • E2E Dockerfile updated to golang-builder rhel_9_1.26

Remaining (3 CVEs)

GO-2026-5037, GO-2026-5038, GO-2026-5039 require Go 1.26.4 which was released upstream on June 2nd but is not yet available in go-toolset RPM. Will be addressed in a follow-up boilerplate update.

Verification

  • govulncheck scan confirms 41 of 44 CVEs resolved
  • All unit tests passing
  • Image built and deployed on ROSA classic staging cluster
  • All 14 e2e tests passed (0 failed, 0 skipped)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD build configuration to use a newer base image tag for improved compatibility and stability.
    • Upgraded the e2e container build environment to a newer Go builder version.
    • Refreshed ownership and review settings by updating the listed aliases and removing outdated reviewer/approver entries.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 19, 2026

openshift-ci Bot commented Jun 19, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rpodishe
Once this PR has been reviewed and has the lgtm label, please assign rafael-azevedo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented Jun 19, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f9cb5cdc-ee29-4881-9095-023f99d87588

📥 Commits

Reviewing files that changed from the base of the PR and between 81bca6a and 254c907.

⛔ Files ignored due to path filters (9)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/_lib/subscriber-propose-update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-e2e/update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/docs/pre-commit.md is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/update is excluded by !boilerplate/**
  • build/Dockerfile is excluded by !build/**
  • build/Dockerfile.olm-registry is excluded by !build/**
📒 Files selected for processing (4)
  • .ci-operator.yaml
  • .tekton/OWNERS
  • OWNERS_ALIASES
  • test/e2e/Dockerfile
💤 Files with no reviewable changes (2)
  • .tekton/OWNERS
  • OWNERS_ALIASES
✅ Files skipped from review due to trivial changes (2)
  • .ci-operator.yaml
  • test/e2e/Dockerfile

Walkthrough

The CI operator build root image tag and the e2e Dockerfile builder image tag were updated. OWNERS_ALIASES entries were removed from the srep-functional-team-hulk and srep-functional-team-security alias lists.

Changes

Maintenance Updates

  • Image bumps (.ci-operator.yaml, test/e2e/Dockerfile): build_root_image tag updated to image-v8.4.1, and the e2e builder FROM image updated to rhel_9_1.26.
  • OWNERS alias updates (OWNERS_ALIASES): devppratik, dem4gus, and casey-williams-rh were removed from the listed team aliases.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

  • No-Sensitive-Data-In-Logs (❌ Error): analyze_failure.py prints raw build-log lines and error snippets unredacted, which can expose secrets/PII if present in CI logs. Resolution: redact or omit raw log excerpts; mask tokens/PII/internal hostnames and keep only sanitized summaries or pattern counts.
  • Test Structure And Quality (⚠️ Warning): The install e2e test mutates the cluster inside Eventually and uses an Expect there, so retries can fail immediately instead of polling. Resolution: create resources once before Eventually, then poll only for CSV/pod readiness using false-on-error returns (no Expect inside the callback) and avoid sleeps in the wait loop.
✅ Passed checks (13 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title clearly matches the PR's main goal of mitigating certman-operator vulnerabilities.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (✅ Passed): PR changes only config/OWNERS/Dockerfile files; no Ginkgo titles were added or edited, and the existing e2e titles are static strings.
  • Microshift Test Compatibility (✅ Passed): PR only changes image/owner metadata and the e2e Dockerfile; no new Ginkgo e2e tests or MicroShift-unsafe OpenShift APIs were added.
  • Single Node Openshift (Sno) Test Compatibility (✅ Passed): PR only updates boilerplate/config files; no new Ginkgo e2e tests were added, and existing e2e tests are API-level with no multi-node assumptions.
  • Topology-Aware Scheduling Compatibility (✅ Passed): Touched files are CI image/dependency and owners metadata only; no anti-affinity, topology spread, nodeSelector, PDB, or control-plane scheduling logic was introduced.
  • Ote Binary Stdout Contract (✅ Passed): The e2e binary built by test/e2e/Dockerfile has no init/TestMain/suite-level stdout writes; its fmt.Print* calls are only inside It blocks.
  • Ipv6 And Disconnected Network Test Compatibility (✅ Passed): No new or modified Ginkgo e2e test files were added; the PR only changes config, OWNERS, deps, and Dockerfiles.
  • No-Weak-Crypto (✅ Passed): No weak primitives or custom crypto in the touched files; the only token-like compare is DNS TXT propagation, not a secret auth check.
  • Container-Privileges (✅ Passed): Changed files are boilerplate/OWNERS/Dockerfile updates only; no privileged:true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation:true found.
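
The No-Sensitive-Data-In-Logs finding above asks that the failure analyzer emit sanitized summaries and pattern counts instead of raw build-log excerpts. The following Go program is an added example of that mitigation; it is not code from the certman-operator repository nor from the analyze_failure.py script the check refers to. The redaction patterns, the private hostname suffixes, the log field names and the four build-log lines are all constructed assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleBuildLog is a constructed CI log excerpt (not taken from any real
// build). Line 2 carries an internal hostname and a token, line 3 a bearer
// token and an e-mail address.
var sampleBuildLog = []string{
	`time=10:58:01 level=info msg="pulling image" registry=quay.io/app-sre/certman-operator`,
	`time=10:58:02 level=error msg="auth failed" host=build-07.ci.internal token=ghp_abc123DEF456`,
	`time=10:58:02 level=error msg="retrying" authorization="Bearer eyJhbGciOi.payload.sig" user=dev@example.com`,
	`time=10:58:05 level=info msg="tests passed" count=14`,
}

// redactors are illustrative patterns for values that must never reach a CI
// summary; the private suffixes .internal/.corp/.local are assumptions.
var redactors = []struct {
	name string
	re   *regexp.Regexp
	repl string
}{
	// "Bearer <token>" in Authorization-style fields.
	{"bearer", regexp.MustCompile(`(?i)(bearer\s+)[A-Za-z0-9._\-]+`), "${1}[REDACTED]"},
	// token=..., password=..., secret=..., api_key=... key/value pairs.
	{"kv-secret", regexp.MustCompile(`(?i)\b(token|password|secret|api[_-]?key)=([^\s"']+)`), "${1}=[REDACTED]"},
	// E-mail addresses (PII). Runs before the hostname rule so the domain
	// part is consumed here.
	{"email", regexp.MustCompile(`[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}`), "[EMAIL]"},
	// Hostnames under assumed internal DNS suffixes.
	{"hostname", regexp.MustCompile(`\b[a-z0-9\-]+(\.[a-z0-9\-]+)*\.(internal|corp|local)\b`), "[HOST]"},
}

// Redact masks secrets and PII in one log line and reports how many times
// each pattern matched, so callers can count without keeping the raw text.
func Redact(line string) (string, map[string]int) {
	hits := map[string]int{}
	for _, r := range redactors {
		if n := len(r.re.FindAllStringIndex(line, -1)); n > 0 {
			hits[r.name] += n
			line = r.re.ReplaceAllString(line, r.repl)
		}
	}
	return line, hits
}

// SanitizedSummary is what a failure analyzer should produce instead of raw
// excerpts: redacted lines plus per-pattern counts and the number of
// error-level lines. Nothing it returns contains the original secrets.
func SanitizedSummary(lines []string) (sanitized []string, counts map[string]int) {
	counts = map[string]int{}
	for _, l := range lines {
		clean, hits := Redact(l)
		sanitized = append(sanitized, clean)
		for k, v := range hits {
			counts[k] += v
		}
		if strings.Contains(clean, "level=error") {
			counts["error-lines"]++
		}
	}
	return sanitized, counts
}

func main() {
	sanitized, counts := SanitizedSummary(sampleBuildLog)
	for _, l := range sanitized {
		fmt.Println(l)
	}
	fmt.Printf("summary: %v\n", counts)
}
```

The ordering of the rules matters: the e-mail rule runs before the hostname rule so that a domain inside an address is masked as part of the address rather than being left behind by a suffix list that does not cover it. In a real analyzer the pattern list would be driven by the secret formats the CI system actually issues, and the counts, not the sanitized lines, are what should be posted back to a public PR.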

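The Test Structure And Quality warning above describes a wait loop that creates resources inside Eventually and asserts on errors inside the callback, so a transient NotFound aborts the wait instead of being polled through. The Go program below is an added example of the recommended shape (create once, then poll with false-on-error returns); it is not the project's e2e code. The fakeCluster, its phase sequence and the helper names are constructed assumptions; the (done, err) callback contract is modelled on the Kubernetes apimachinery wait helpers, where a non-nil error stops polling, which is the same effect a failed Expect inside the callback has.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var errNotFound = errors.New("clusterserviceversion not found")

// fakeCluster stands in for the cluster the install e2e test drives. It is
// constructed for this example: once the Subscription exists, the CSV is
// absent for two reads, then Installing, then Succeeded.
type fakeCluster struct {
	subscriptionsCreated int
	csvReads             int
}

func (c *fakeCluster) createSubscription() { c.subscriptionsCreated++ }

func (c *fakeCluster) csvPhase() (string, error) {
	if c.subscriptionsCreated == 0 {
		return "", errNotFound
	}
	c.csvReads++
	switch {
	case c.csvReads <= 2:
		return "", errNotFound // OLM has not created the CSV yet
	case c.csvReads == 3:
		return "Installing", nil
	default:
		return "Succeeded", nil
	}
}

// condition follows the (done, err) contract of the apimachinery wait
// helpers: a non-nil error stops polling at once, like a failed Expect
// inside an Eventually callback.
type condition func() (bool, error)

// eventually polls cond every interval until it reports done, returns an
// error, or timeout elapses. It returns the number of attempts made.
func eventually(cond condition, timeout, interval time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	attempts := 0
	for {
		attempts++
		done, err := cond()
		if err != nil {
			return attempts, fmt.Errorf("attempt %d aborted: %w", attempts, err)
		}
		if done {
			return attempts, nil
		}
		if time.Now().After(deadline) {
			return attempts, fmt.Errorf("timed out after %d attempts", attempts)
		}
		time.Sleep(interval)
	}
}

// assertingCheck is the anti-pattern: any error is treated as fatal, so the
// first read before the CSV exists kills the wait on attempt one.
func assertingCheck(c *fakeCluster) condition {
	return func() (bool, error) {
		phase, err := c.csvPhase()
		if err != nil {
			return false, err
		}
		return phase == "Succeeded", nil
	}
}

// pollingCheck maps the transient NotFound to "not ready yet" and only
// surfaces errors that waiting cannot resolve.
func pollingCheck(c *fakeCluster) condition {
	return func() (bool, error) {
		phase, err := c.csvPhase()
		if errors.Is(err, errNotFound) {
			return false, nil
		}
		if err != nil {
			return false, err
		}
		return phase == "Succeeded", nil
	}
}

// installAndWait creates the Subscription exactly once, outside the polling
// loop, then waits for the CSV with the supplied readiness check.
func installAndWait(c *fakeCluster, check func(*fakeCluster) condition) (int, error) {
	c.createSubscription()
	return eventually(check(c), 2*time.Second, 5*time.Millisecond)
}

func main() {
	bad := &fakeCluster{}
	n, err := installAndWait(bad, assertingCheck)
	fmt.Printf("asserting check: attempts=%d err=%v\n", n, err)

	good := &fakeCluster{}
	n, err = installAndWait(good, pollingCheck)
	fmt.Printf("polling check: attempts=%d err=%v subscriptions=%d\n", n, err, good.subscriptionsCreated)
}
```

With the asserting callback the wait ends on the first attempt with a NotFound error even though the install would have succeeded two polls later; with the polling callback it succeeds on the fourth attempt, and the Subscription was created once rather than on every retry. The same split applies to pod readiness: a missing or Pending pod is a false return, not an assertion.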
@rpodishe rpodishe force-pushed the ROSAENG-58014-certman-vul-mitigation branch from 2eec5c4 to 81bca6a on June 19, 2026 10:58
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 19, 2026

codecov Bot commented Jun 19, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.14%. Comparing base (09ed286) to head (254c907).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files


@@           Coverage Diff           @@
##           master     #496   +/-   ##
=======================================
  Coverage   57.14%   57.14%           
=======================================
  Files          29       29           
  Lines        2170     2170           
=======================================
  Hits         1240     1240           
  Misses        812      812           
  Partials      118      118           

@rpodishe rpodishe force-pushed the ROSAENG-58014-certman-vul-mitigation branch from 81bca6a to 254c907 on June 24, 2026 09:12

openshift-ci Bot commented Jun 24, 2026


@rpodishe: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
