
ROSAENG-58014 : Vulnerability mitigation for certman operator #496

Open

rpodishe wants to merge 1 commit into openshift:master from rpodishe:ROSAENG-58014-certman-vul-mitigation

Conversation

@rpodishe rpodishe (Contributor) commented Jun 19, 2026

June 2026 vulnerability mitigation for certman-operator (ROSAENG-58014). Updated Go module dependencies and boilerplate base image to resolve 41 of 44 reported CVEs.

Changes

  • Updated golang.org/x/crypto v0.49.0 to v0.52.0 (12 CVEs fixed - 7 Critical, 2 High, 3 Medium)
  • Updated golang.org/x/net v0.52.0 to v0.55.0 (7 CVEs fixed - 1 Critical, 1 High, 5 Medium)
  • Updated golang.org/x/sys v0.42.0 to v0.45.0 (1 CVE fixed - Low)
  • Boilerplate updated to image-v8.4.0 (Go 1.25.9 to Go 1.26.3, fixes 19 stdlib CVEs)
  • UBI9 minimal base image updated from 9.8-1780378819 to 9.8-1781496742 (1 openssl-libs CVE fixed)
  • E2E Dockerfile updated to golang-builder rhel_9_1.26

Remaining (3 CVEs)

GO-2026-5037, GO-2026-5038, GO-2026-5039 require Go 1.26.4 which was released upstream on June 2nd but is not yet available in go-toolset RPM. Will be addressed in a follow-up boilerplate update.

Verification

  • govulncheck scan confirms 41 of 44 CVEs resolved
  • All unit tests passing
  • Image built and deployed on ROSA classic staging cluster
  • All 14 e2e tests passed (0 failed, 0 skipped)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD build infrastructure to utilize a newer image version for enhanced compatibility and stability across build processes
    • Upgraded Go language builder version in the containerized build environment
    • Refreshed team configuration to reflect current organizational structure

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 19, 2026
@openshift-ci openshift-ci Bot (Contributor) commented Jun 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rpodishe
Once this PR has been reviewed and has the lgtm label, please assign rafael-azevedo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot commented Jun 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: df3cd4e4-b511-4912-a534-e8a2abfb85ed

📥 Commits

Reviewing files that changed from the base of the PR and between 61761ee and 81bca6a.

⛔ Files ignored due to path filters (8)
  • boilerplate/_data/backing-image-tag is excluded by !boilerplate/**
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/_lib/subscriber-propose-update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-e2e/update is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
  • boilerplate/openshift/golang-osd-operator/docs/pre-commit.md is excluded by !boilerplate/**
  • build/Dockerfile is excluded by !build/**
  • build/Dockerfile.olm-registry is excluded by !build/**
📒 Files selected for processing (3)
  • .ci-operator.yaml
  • OWNERS_ALIASES
  • test/e2e/Dockerfile
💤 Files with no reviewable changes (1)
  • OWNERS_ALIASES

Walkthrough

Three housekeeping changes: the CI operator build root image tag is bumped from image-v8.3.6 to image-v8.4.0, the e2e Dockerfile Go builder stage is updated from rhel_9_1.25 to rhel_9_1.26, and the GitHub user devppratik is removed from the srep-functional-team-hulk alias list.

Changes

Maintenance Updates

| Layer | File(s) | Summary |
|---|---|---|
| CI and e2e builder image bumps | .ci-operator.yaml, test/e2e/Dockerfile | build_root_image tag updated from image-v8.3.6 to image-v8.4.0; e2e builder FROM image updated from rhel_9_1.25 to rhel_9_1.26. |
| Owner alias removal | OWNERS_ALIASES | devppratik removed from the srep-functional-team-hulk alias list. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No-Sensitive-Data-In-Logs | ❌ Error | DNS01 key authorizations (sensitive ACME challenge tokens) are logged at cloudflare.go lines 80 and 120 via the txtValue parameter, exposing cryptographically sensitive data used in certificate provisioning. | Remove or redact sensitive DNS01KeyAuthorization tokens from logging statements; log only non-sensitive identifiers (e.g., domain/FQDN) instead of actual challenge values. |
| Test Structure And Quality | ⚠️ Warning | E2E Ginkgo tests in test/e2e/certman_operator_tests.go violate single responsibility: 4 of 14 tests assert multiple unrelated behaviors (lines with "and" in test names). Other criteria (timeouts, m... | Refactor tests to isolate single behaviors: split "should create ClusterDeployment and CertificateRequest" into separate tests, likewise for upgrade, recreation, and certificate creation tests. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | The new e2e test suite downloads manifests from external GitHub URLs (raw.githubusercontent.com) in BeforeAll(), requires an external registry (quay.io), and uses URL construction patterns that lack I... | Replace external GitHub downloads with bundled manifests or use internal mirrors. Update URL construction to use net.JoinHostPort() for IPv6 support. Use the [Skipped:Disconnected] tag or adapt tests to work offline. |
✅ Passed checks (12 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title directly corresponds to the main objective of the pull request, which is vulnerability mitigation for the certman operator as described in the PR objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR modifies only CI configuration and build artifacts (.ci-operator.yaml, OWNERS_ALIASES, test/e2e/Dockerfile), not test code. No Ginkgo test declarations were added or modified. |
| Microshift Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. The only changes to test/e2e were in the Dockerfile (dependency/image update), not new test code. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | All 14 Ginkgo e2e tests added in this PR are SNO-compatible; they test operator lifecycle, resource management, and API operations with no multi-node assumptions (no node counting, anti-affinity, s... |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR introduces only infrastructure/dependency updates (boilerplate version, build images, aliases). Deployment manifests contain no topology-incompatible scheduling constraints (no affinity, node se... |
| Ote Binary Stdout Contract | ✅ Passed | All fmt.Printf/Println calls are inside ginkgo.It() test blocks (allowed per check). All log.Printf calls are in helper functions using the standard library log package (writes to stderr). No stdout writes in... |
| No-Weak-Crypto | ✅ Passed | No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom implementations, or insecure comparisons found. PR only updates crypto libraries to CVE-fixed versions. |
| Container-Privileges | ✅ Passed | No privileged container settings (privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation: true, or running as root) found in any K8s manifests or Dockerfiles. All containers con... |
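The No-Sensitive-Data-In-Logs check above is the one finding with direct security weight: a DNS01 key authorization is the ACME challenge secret, so writing it to logs extends its exposure to anyone with log access. As an added illustration (not code from certman-operator, and not the flagged cloudflare.go lines, which are not shown on this page), the Go snippet below places the leaky logging pattern beside a redacted form that logs only the FQDN plus a short SHA-256 fingerprint of the value, so records can still be correlated across log lines. Function names and sample values are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
	"strings"
)

// Constructed sample values; not taken from the project or a real challenge.
const (
	sampleFQDN     = "_acme-challenge.apps.example.com"
	sampleTXTValue = "constructed-dns01-key-authorization-value"
)

// leakyChallengeLine mirrors the pattern the check flags: the raw TXT
// value (the DNS01 key authorization) is interpolated into the log line.
func leakyChallengeLine(fqdn, txtValue string) string {
	return fmt.Sprintf("creating TXT record %s with value %s", fqdn, txtValue)
}

// redactKeyAuthorization replaces the challenge value with the first 8 hex
// characters of its SHA-256 digest. The digest is one-way, so the token
// cannot be recovered from the log, but two lines about the same record
// still carry the same fingerprint.
func redactKeyAuthorization(txtValue string) string {
	if txtValue == "" {
		return "[empty]"
	}
	sum := sha256.Sum256([]byte(txtValue))
	return "[redacted sha256:" + hex.EncodeToString(sum[:])[:8] + "]"
}

// safeChallengeLine logs only the non-sensitive FQDN and the fingerprint.
func safeChallengeLine(fqdn, txtValue string) string {
	return fmt.Sprintf("creating TXT record %s with value %s", fqdn, redactKeyAuthorization(txtValue))
}

// leaksSecret reports whether a log line contains the secret verbatim;
// useful as a unit-test guard against regressions in logging statements.
func leaksSecret(line, secret string) bool {
	return secret != "" && strings.Contains(line, secret)
}

func main() {
	log.Println(leakyChallengeLine(sampleFQDN, sampleTXTValue)) // token visible in output
	log.Println(safeChallengeLine(sampleFQDN, sampleTXTValue))  // FQDN and fingerprint only
}
```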

@rpodishe rpodishe force-pushed the ROSAENG-58014-certman-vul-mitigation branch from 2eec5c4 to 81bca6a Compare June 19, 2026 10:58
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 19, 2026
@codecov codecov Bot commented Jun 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.14%. Comparing base (09ed286) to head (81bca6a).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files


@@           Coverage Diff           @@
##           master     #496   +/-   ##
=======================================
  Coverage   57.14%   57.14%           
=======================================
  Files          29       29           
  Lines        2170     2170           
=======================================
  Hits         1240     1240           
  Misses        812      812           
  Partials      118      118           

@openshift-ci openshift-ci Bot (Contributor) commented Jun 19, 2026

@rpodishe: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/lint | 81bca6a | link | true | /test lint |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
