OCPBUGS-87411: Updating ose-secrets-store-csi-driver-container image to be consistent with ART for 5.0

[openshift-bot]

Updating ose-secrets-store-csi-driver-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-secrets-store-csi-driver.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
  from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

[openshift-bot]

Created by ART pipeline job run https://art-jenkins.apps.prod-stable-spoke1-dc-iad2.itup.redhat.com/job/aos-cd-builds/job/build%252Fsync-ci-images/216

[coderabbitai]

Walkthrough

Build infrastructure configuration is updated to use OpenShift 5.0 with Go 1.26. The CI operator build root image tag and the Dockerfile's builder and runtime base image tags are changed from OpenShift 4.22/Go 1.25 references to OpenShift 5.0/Go 1.26 references, keeping all build steps and workflow unchanged.

Changes

Build and runtime image version upgrade

Layer / File(s)	Summary
Build and runtime image version bump .ci-operator.yaml, Dockerfile.openshift	Build root image tag in CI configuration updated from rhel-9-release-golang-1.25-openshift-4.22 to rhel-9-release-golang-1.26-openshift-5.0; Dockerfile builder and runtime base image tags updated from OpenShift 4.22 to OpenShift 5.0 with Go 1.26.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• openshift/secrets-store-csi-driver#59: Both PRs update the OpenShift image build configuration by aligning .ci-operator.yaml and Dockerfile.openshift image tags across build infrastructure versions.

Suggested labels

jira/valid-reference, lgtm, verified

Suggested reviewers

• emmajiafan
• arkadeepsen
• mytreya-rh

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies build configuration files (.ci-operator.yaml, Dockerfile.openshift). Project uses Go testing with testify, not Ginkgo. No test files are modified. Check is not applicable.
Test Structure And Quality	✅ Passed	Check is not applicable. PR files are configuration/Dockerfile changes with no Ginkgo tests. Repository uses standard Go testing (testing.T), not Ginkgo.
Microshift Test Compatibility	✅ Passed	This PR only modifies build configuration files (.ci-operator.yaml and Dockerfile.openshift) and does not add any new Ginkgo e2e tests. The MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR updates only CI configuration files with Go 1.26/OpenShift 5.0. No Ginkgo e2e tests added, making the SNO compatibility check inapplicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies build configuration files (.ci-operator.yaml, Dockerfile.openshift), not deployment manifests, operator code, or controllers. Check requires changes to these latter types to apply.
Ote Binary Stdout Contract	✅ Passed	This PR modifies a CSI driver binary (secrets-store-csi-driver), not an OTE test binary. The OTE Stdout Contract check applies only to binaries designed for openshift-tests, which this driver is not.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only updates build configuration files to upgrade Go 1.25→1.26 and OpenShift 4.22→5.0. No new Ginkgo e2e tests added, so IPv6/disconnected network compatibility check does not apply.
No-Weak-Crypto	✅ Passed	PR changes only update build configuration files with version tags; no weak cryptography patterns or secret comparisons detected.
Container-Privileges	✅ Passed	The PR modifies only CI configuration files. No privileged mode, hostPID/Network/IPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation found in either .ci-operator.yaml or Dockerfile.openshift.
No-Sensitive-Data-In-Logs	✅ Passed	PR only updates base image version references; no new logging statements exposing sensitive data (passwords, tokens, API keys, PII) are introduced.
Title check	✅ Passed	The title references updating container image configuration for OpenShift 5.0, which aligns with the .ci-operator.yaml and Dockerfile.openshift changes that upgrade from Go 1.25/OpenShift 4.22 to Go 1.26/OpenShift 5.0.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87411, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Updating ose-secrets-store-csi-driver-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-secrets-store-csi-driver.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-87411, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Updating ose-secrets-store-csi-driver-container image to be consistent with ART for 5.0
TLDR:
Product builds by ART can be configured for different base and builder images than corresponding CI
builds. This automated PR requests a change to CI configuration to align with ART's configuration;
please take steps to merge it quickly or contact ART to coordinate changes.

The configuration in the following ART component metadata is driving this alignment request:
ose-secrets-store-csi-driver.yml.

Detail:

This repository is out of sync with the downstream product builds for this component. The CI
configuration for at least one image differs from ART's expected product configuration. This should
be addressed to ensure that the component's CI testing accurate reflects what customers will
experience.

Most of these PRs are opened as an ART-driven proposal to migrate base image or builder(s) to a
different version, usually prior to GA. The intent is to effect changes in both configurations
simultaneously without breaking either CI or ART builds, so usually ART builds are configured to
consider CI as canonical and attempt to match CI config until the PR merges to align both. ART may
also configure changes in GA releases with CI remaining canonical for a brief grace period to enable
CI to succeed and the alignment PR to merge. In either case, ART configuration will be made
canonical at some point (typically at branch-cut before GA or release dev-cut after GA), so it is
important to align CI configuration as soon as possible.

PRs are also triggered when CI configuration changes without ART coordination, for instance to
change the number of builder images or to use a different golang version. These changes should be
coordinated with ART; whether ART configuration is canonical or not, preferably it would be updated
first to enable the changes to occur simultaneously in both CI and ART at the same time. This also
gives ART a chance to validate the intended changes first. For instance, ART compiles most
components with the Golang version being used by the control plane for a given OpenShift release.
Exceptions to this convention (i.e. you believe your component must be compiled with a Golang
version independent from the control plane) must be granted by the OpenShift staff engineers and
communicated to the ART team.

Roles & Responsibilities:

• Component owners are responsible for ensuring these alignment PRs merge with passing
  tests OR that necessary metadata changes are reported to the ART team
  in #forum-ocp-art on Slack. If necessary, the changes required by this pull request can be
  introduced with a separate PR opened by the component team. Once the repository is aligned,
  this PR will be closed automatically.
• In particular, it could be that a job like verify-deps is complaining. In that case, please open
  a new PR with the dependency issues addressed (and base images bumped). ART-9595 for reference.
• Patch-manager or those with sufficient privileges within this repository may add
  any required labels to ensure the PR merges once tests are passing. In cases where ART config is
  canonical, downstream builds are already being built with these changes, and merging this PR
  only improves the fidelity of our CI. In cases where ART config is not canonical, this provides
  a grace period for the component team to align their CI with ART's configuration before it becomes
  canonical in product builds.

ART has been configured to reconcile your CI build root image (see https://docs.ci.openshift.org/docs/architecture/ci-operator/#build-root-image).
In order for your upstream .ci-operator.yaml configuration to be honored, you must set the following in your openshift/release ci-operator configuration file:

build_root:
 from_repository: true

Change behavior of future PRs:

• In case you just want to follow the base images that ART suggests, you can configure additional labels to be
  set up automatically. This means that such a PR would merge without human intervention (and awareness!) in the future.
  To do so, open a PR to set the auto_label attribute in the image configuration. Example
• You can set a commit prefix, like UPSTREAM: <carry>: . An example.

If you have any questions about this pull request, please reach out in the #forum-ocp-art Slack channel.

Summary by CodeRabbit

• Chores
• Upgraded build infrastructure and container base images to newer platform and language versions for improved compatibility and system performance.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

Dockerfile.openshift (2)

13-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a container healthcheck to satisfy baseline and improve operability.

There is no HEALTHCHECK in the final image. Please define one (or document why it is intentionally omitted).

As per coding guidelines, "HEALTHCHECK defined".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` at line 13, Add a Docker HEALTHCHECK to the final image
near the ENTRYPOINT ([ "/bin/secrets-store-csi" ]) so the container runtime can
detect liveness; implement a simple health probe that runs the shipped binary’s
lightweight status/health command (or a short probe against the process’s local
socket/HTTP endpoint) and return non‑zero on failure, with reasonable
interval/timeout/retries (for example: interval ~30s, timeout ~5s). Ensure the
HEALTHCHECK uses the same path (/bin/secrets-store-csi) and fails the container
when the probe indicates the process is unhealthy.

Source: Coding guidelines

---

8-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the final container as a non-root user.

The final stage has no USER declaration, so it runs as root by default. Add a non-root UID/GID in the runtime stage before ENTRYPOINT.

Proposed hardening

 FROM registry.ci.openshift.org/ocp/5.0:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/_output/secrets-store-csi /bin/secrets-store-csi
+USER 65532:65532

As per coding guidelines, "USER non-root; never run as root".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` around lines 8 - 13, The final image runs as root
because there is no USER set; add a non-root UID/GID user declaration in the
runtime stage before ENTRYPOINT (e.g., create or switch to a non-root user and
group and set USER <uid>:<gid>) and ensure the binary /bin/secrets-store-csi has
appropriate ownership/permissions for that user; update the Dockerfile runtime
stage around the ENTRYPOINT declaration to create/chown a non-root user and then
set USER so the container no longer runs as root.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile.openshift`:
- Line 1: The base image lines in the Dockerfile use registry.ci.openshift.org
images which violate the container baseline policy; update the two FROM
instructions (the Dockerfile's initial builder FROM and the runtime/other FROM
at the second occurrence) to use the approved UBI minimal or distroless images
hosted on catalog.redhat.com (pick the equivalent Red Hat UBI golang or
distroless image for the builder and the approved runtime image for the final
stage), or alternatively add a documented exception for this Dockerfile; ensure
image names and tags are replaced consistently across both occurrences so the
Dockerfile no longer references registry.ci.openshift.org.
- Line 3: The Dockerfile currently uses a broad COPY . . which pulls the entire
build context into the image; replace this with explicit file-by-file copies
(e.g., COPY package.json package-lock.json ./ and COPY src/ ./ or the minimal
build artifacts) and ensure a .dockerignore excludes secrets and dev files so
only required files are added; update the Dockerfile stage(s) that reference
COPY . . to instead list the exact files/directories needed for that stage to
reduce secret exposure and cache churn.

---

Outside diff comments:
In `@Dockerfile.openshift`:
- Line 13: Add a Docker HEALTHCHECK to the final image near the ENTRYPOINT ([
"/bin/secrets-store-csi" ]) so the container runtime can detect liveness;
implement a simple health probe that runs the shipped binary’s lightweight
status/health command (or a short probe against the process’s local socket/HTTP
endpoint) and return non‑zero on failure, with reasonable
interval/timeout/retries (for example: interval ~30s, timeout ~5s). Ensure the
HEALTHCHECK uses the same path (/bin/secrets-store-csi) and fails the container
when the probe indicates the process is unhealthy.
- Around line 8-13: The final image runs as root because there is no USER set;
add a non-root UID/GID user declaration in the runtime stage before ENTRYPOINT
(e.g., create or switch to a non-root user and group and set USER <uid>:<gid>)
and ensure the binary /bin/secrets-store-csi has appropriate
ownership/permissions for that user; update the Dockerfile runtime stage around
the ENTRYPOINT declaration to create/chown a non-root user and then set USER so
the container no longer runs as root.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3306a339-16e8-4c84-ab18-34bea06189ce

📥 Commits

Reviewing files that changed from the base of the PR and between 4bb1e9f and e798e37.

📒 Files selected for processing (2)

• .ci-operator.yaml
• Dockerfile.openshift

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Base image source does not match container baseline policy.

Line 1 and Line 8 use registry.ci.openshift.org/... images, but the container policy for Dockerfiles requires UBI minimal or distroless images from catalog.redhat.com. Please align the base/runtime image source (or document an explicit exception for this file).

As per coding guidelines, "Base image: UBI minimal or distroless from catalog.redhat.com".

Also applies to: 8-8

🧰 Tools

🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` at line 1, The base image lines in the Dockerfile use
registry.ci.openshift.org images which violate the container baseline policy;
update the two FROM instructions (the Dockerfile's initial builder FROM and the
runtime/other FROM at the second occurrence) to use the approved UBI minimal or
distroless images hosted on catalog.redhat.com (pick the equivalent Red Hat UBI
golang or distroless image for the builder and the approved runtime image for
the final stage), or alternatively add a documented exception for this
Dockerfile; ensure image names and tags are replaced consistently across both
occurrences so the Dockerfile no longer references registry.ci.openshift.org.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid copying full build context into the image build stage.

Line 3 uses COPY . ., which violates the rule to copy only required files. This increases accidental secret/file inclusion risk and cache churn.

Proposed tightening

-COPY . .
+COPY go.mod go.sum ./
+COPY cmd/ ./cmd/
+COPY pkg/ ./pkg/
+COPY Makefile ./

As per coding guidelines, "COPY specific files, not entire context".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	COPY . .
	COPY go.mod go.sum ./
	COPY cmd/ ./cmd/
	COPY pkg/ ./pkg/
	COPY Makefile ./

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.openshift` at line 3, The Dockerfile currently uses a broad COPY .
. which pulls the entire build context into the image; replace this with
explicit file-by-file copies (e.g., COPY package.json package-lock.json ./ and
COPY src/ ./ or the minimal build artifacts) and ensure a .dockerignore excludes
secrets and dev files so only required files are added; update the Dockerfile
stage(s) that reference COPY . . to instead list the exact files/directories
needed for that stage to reduce secret exposure and cache churn.

Source: Coding guidelines

[chiragkyal]

/retest

[openshift-bot]

ART wants to connect issue OCPBUGS-87696 to this PR, but found it is currently hooked up to ['OCPBUGS-87411']. Please consult with #forum-ocp-art if it is not clear what there is to do.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: openshift-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 4bb1e9f and 2 for PR HEAD e798e37 in total

[openshift-ci]

@openshift-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp	e798e37	link	true	/test e2e-gcp
ci/prow/e2e-vault-fips	e798e37	link	true	/test e2e-vault-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.