fix: restore USE_OLM_TLS vendor patches dropped by vuln-0512#29
Merged
chengjingtao merged 1 commit, May 13, 2026
Conversation
PR #28 (fix: vuln 0512) ran `go mod tidy` + `go mod vendor` and regenerated the vendor tree from upstream, which silently reverted PR #25 (fix: using olm cert) — its manual patches lived directly in vendor/knative.dev/pkg/webhook/{webhook.go,resourcesemantics/conversion/reconciler.go}.

Without those patches, an OLM-installed operator-webhook fails to start:

- webhook server: "server key missing" + "tls: no certificates configured" (default code reads server-key.pem / server-cert.pem; OLM populates tls.key / tls.crt)
- WebhookCertificates reconciler: "Secret operator-webhook-service-cert is invalid: data[tls.crt]/data[tls.key] Required value" (tries to write server-*.pem / ca-cert.pem into a kubernetes.io/tls secret, apiserver rejects the type)
- ConversionWebhook reconciler: 'secret operator-webhook-service-cert is missing "ca-cert.pem" key'

This commit re-applies PR #25's diff verbatim on top of c861803 so the next hotfix build carries both the OLM TLS support and the 0512 dependency bumps.

Follow-up: move these patches into a knative-pkg fork referenced via `replace` so future `go mod vendor` runs don't drop them again.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
lentil1016 approved these changes on May 13, 2026
Summary

Re-applies PR #25 (fix: using olm cert) on top of PR #28 (fix: vuln 0512, commit c861803). PR #28 ran `go mod tidy` + `go mod vendor` and the vendor regeneration silently reverted PR #25's manual patches to:

- vendor/knative.dev/pkg/webhook/webhook.go
- vendor/knative.dev/pkg/webhook/resourcesemantics/conversion/reconciler.go

Why

Tested on an ACP cluster with the knative-operator.v3.20.9-hotfix.129.4.gd71ba5e5-fix-vuln-0512 CSV (webhook: v1.10.1-c861803b). operator-webhook Pod is 0/1 Running, log loops:

OLM is populating `operator-webhook-service-cert` (type `kubernetes.io/tls`) with `tls.crt` / `tls.key` / `olmCAKey`, and the deployment sets `USE_OLM_TLS=true` + `WEBHOOK_SECRET_NAME=operator-webhook-service-cert`. But the binary in c861803 has no `USE_OLM_TLS` code path — the vendor patches that introduced it were gone.

I verified the regression by fetching vendor/knative.dev/pkg/webhook/webhook.go at c861803 via `gh api`: no `USE_OLM_TLS`, no `tls.key` / `tls.crt` branch. The diff in this PR is byte-for-byte the same as PR #25's diff.

Follow-up (not in this PR)

Manual vendor patches will keep getting dropped by future `go mod vendor` runs (e.g. the next vuln-fix sweep). Recommend moving the OLM TLS support into a fork of knative.dev/pkg (e.g. AlaudaDevops/knative.dev.pkg or katanomi/knative-pkg) and pinning via `replace` in go.mod, so the patches survive vendor regeneration.

Test plan

- operator-webhook Pod is 1/1 Running, no `server key missing` / `tls: no certificates configured` in logs
- ConversionWebhook reconciles cleanly (no `operator-webhook-service-cert is missing "ca-cert.pem" key` errors)

🤖 Generated with Claude Code
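As an added illustration (not code from this PR, knative or OLM): the secret-key switch the restored patches provide, and the kubernetes.io/tls rule behind the WebhookCertificates reconciler error, run against a constructed OLM-style secret. Function names and the direct read of the USE_OLM_TLS variable are assumptions for this example.

```go
package main

import "fmt"
import "os"

// secretKeys names the entries the webhook expects in its TLS secret.
type secretKeys struct{ Cert, Key, CA string }

// keysFor picks knative's default keys or, when USE_OLM_TLS=true, the keys
// OLM writes into a kubernetes.io/tls secret. Assumed logic, not knative's code.
func keysFor(useOLMTLS bool) secretKeys {
	if useOLMTLS {
		return secretKeys{Cert: "tls.crt", Key: "tls.key", CA: "olmCAKey"}
	}
	return secretKeys{Cert: "server-cert.pem", Key: "server-key.pem", CA: "ca-cert.pem"}
}

// missingKeys lists expected keys absent from the secret; empty means the server can start.
func missingKeys(data map[string][]byte, k secretKeys) []string {
	var missing []string
	for _, name := range []string{k.Cert, k.Key, k.CA} {
		if len(data[name]) == 0 {
			missing = append(missing, name)
		}
	}
	return missing
}

// tlsSecretWriteError models the apiserver rule behind "data[tls.crt]/data[tls.key]
// Required value": a kubernetes.io/tls secret must keep both keys, so a write
// carrying only server-*.pem / ca-cert.pem entries is rejected.
func tlsSecretWriteError(secretType string, data map[string][]byte) error {
	if secretType != "kubernetes.io/tls" {
		return nil
	}
	for _, req := range []string{"tls.crt", "tls.key"} {
		if _, ok := data[req]; !ok {
			return fmt.Errorf("data[%s]: Required value", req)
		}
	}
	return nil
}

func main() {
	// Constructed sample of what OLM populates; values are placeholders, not real PEM.
	olm := map[string][]byte{"tls.crt": []byte("CERT"), "tls.key": []byte("KEY"), "olmCAKey": []byte("CA")}
	keys := keysFor(os.Getenv("USE_OLM_TLS") == "true") // the deployment switch from the PR
	fmt.Println("missing (env switch):", missingKeys(olm, keys), "missing (defaults):", missingKeys(olm, keysFor(false)))
	fmt.Println("reconciler write:", tlsSecretWriteError("kubernetes.io/tls", map[string][]byte{"server-cert.pem": []byte("CERT")}))
}
```

With the default key set the sample secret reports all three keys missing, which is the "server key missing" startup failure; with the OLM key set nothing is missing.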