NE-2194: Rebase to v1.13.1 report & rebase work #157
openshift-merge-bot[bot] merged 510 commits into openshift:main from
coredns#7301) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.7.0 to 4.7.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@38ecb5b...da24556) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: 4.7.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#7299) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.4.2 to 5.4.3. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@ad3126e...18283e0) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 5.4.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ns#7304) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.72.0 to 1.72.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.72.0...v1.72.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.72.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Add environment variable setup step for Go version in the e2e tests job of the GitHub workflow. This ensures consistent Go version usage across all test jobs and fixes the warning about missing go-version input. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add comprehensive test coverage for the coremain package, focusing on configuration loading, version information, and output formatting. Test coverage improves from 0% to 59.7%. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add tests for previously untested functions: - edns0.go: test supportedOptions function - request.go: test address methods, protocol handling, and EDNS0 options - writer.go: test ScrubWriter implementation Improves overall package test coverage from 39.5% to 77.8%. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Bumps the go-etcd-io group with 2 updates: [go.etcd.io/etcd/api/v3](https://github.com/etcd-io/etcd) and [go.etcd.io/etcd/client/v3](https://github.com/etcd-io/etcd). Updates `go.etcd.io/etcd/api/v3` from 3.5.21 to 3.6.0 - [Release notes](https://github.com/etcd-io/etcd/releases) - [Commits](etcd-io/etcd@v3.5.21...v3.6.0) Updates `go.etcd.io/etcd/client/v3` from 3.5.21 to 3.6.0 - [Release notes](https://github.com/etcd-io/etcd/releases) - [Commits](etcd-io/etcd@v3.5.21...v3.6.0) --- updated-dependencies: - dependency-name: go.etcd.io/etcd/api/v3 dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-etcd-io - dependency-name: go.etcd.io/etcd/client/v3 dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-etcd-io ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This fixes a bug introduced in coredns#6547 which resulted in the zone being added to IPv4 addresses. This bug results in a failure to start when binding to an interface with a link-local IPv4 address assigned to it, with the following error: $ ./coredns -conf=/etc/coredns/Corefile maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined lookup 169.254.1.1%dummy0: no such host Signed-off-by: Mark Mickan <mark.mickan@openlms.net> Co-authored-by: Mark Mickan <mark.mickan@openlms.net>
* feat: enable plugins via environment during build Signed-off-by: Colden Cullen <colden@coldencullen.com> * doc: add note about COREDNS_PLUGINS Signed-off-by: Colden Cullen <colden@coldencullen.com> --------- Signed-off-by: Colden Cullen <colden@coldencullen.com>
Signed-off-by: hansedong <skipiper1314@gmail.com> Co-authored-by: hansedong <skipiper1314@gmail.com>
The rewrite plugin modifies DNS messages, affecting the request size observed in the coredns_dns_request_size_bytes metric. This change captures the original request size before any plugins can modify it. It adds a functional options pattern to Report() to pass this information while maintaining API compatibility. Tests have been added to verify the fix prevents rewrite from affecting the request size metrics. Docs included. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add comprehensive tests for multiple components including server blocks inspection, configuration handling, DoH/DoQ writers, and server startup functions. Increases overall test coverage from 27% to 38.4% with particular focus on register.go, https.go, quic.go, and config.go. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add conditional test skipping for bind and readme tests that rely on Linux-specific loopback interface behavior. These tests reference network configurations that may not exist on, e.g., macOS or other platforms, causing spurious test failures. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
…ns#7326) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.72.1 to 1.72.2. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.72.1...v1.72.2) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.72.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…oredns#7324) Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.51.0 to 0.52.0. - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.51.0...v0.52.0) --- updated-dependencies: - dependency-name: github.com/quic-go/quic-go dependency-version: 0.52.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Enable the usetesting linter in golangci.yml configuration to enforce proper testing practices. Replace manual temporary directory and file creation with t.TempDir() in test files. This improves test reliability by ensuring proper cleanup and follows Go testing best practices. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
…dns#7325) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.233.0 to 0.234.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.233.0...v0.234.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-version: 0.234.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Enable copyloopvar linter and remove redundant variable shadowing in Kubernetes plugin metadata handling. This pattern is no longer needed in Go 1.22+ where loop variables are automatically captured correctly in closures. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add comprehensive unit test coverage for DNS-over-gRPC and DNS-over-QUIC server implementations: - server_grpc_test.go: Tests gRPC server creation, TLS config, lifecycle methods, Query handling, and response writer - server_quic_test.go: Tests QUIC server creation, custom limits, message validation, DOQ message parsing, and writer interface Tests focus on component-level validation with mocks, complementing existing integration tests without overlap. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Add test suite covering thread-safe random number generator with tests for: - Constructor with various seed values (positive, zero, negative) - Deterministic behavior verification with same seeds - Permutation generation and validation - Concurrent access safety with multiple goroutines - Mixed operations under concurrent load Also clarify package documentation to explicitly state this is for load balancing and server selection, not cryptographic use. The math/rand usage is intentional for performance in non-security contexts like upstream server selection and DNS record shuffling. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
This PR updates golang version to 1.24.3, to carry the latest security fixes. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Ensure Dial exits early or returns error when Transport has been stopped, instead of blocking on the dial or ret channels. This removes a potential goroutine leak where callers could pile up waiting forever under heavy load. Add select guards before send and receive, and propagate clear error values so callers can handle shutdown gracefully. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Enable canonicalheader linter to enforce proper HTTP header casing. This ensures headers use Go's canonical format (e.g., "Content-Type" instead of "content-type") for consistency. Fixes header casing in DoH implementation. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* feat(plugin/file): fallthrough implement and test fallthrough for the file plugin Signed-off-by: vdbe <vdbewout@gmail.com> * docs(plugin/file): fallthrough Signed-off-by: vdbe <vdbewout@gmail.com> * docs(plugin/file): regenerate man page `make -f Makefile.doc man/coredns-file.7` Signed-off-by: vdbe <vdbewout@gmail.com> --------- Signed-off-by: vdbe <vdbewout@gmail.com>
Enable intrange linter to enforce modern Go range syntax over traditional for loops, by converting: for i := 0; i < n; i++ to: for i := range n Adding type conversions where needed for compatibility with existing uint64 parameters. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Pre-allocate slice capacity in AutoPath to eliminate unnecessary memory reallocations. This avoids slice growth when appending search domains and sentinel value. Benchmark shows significant performance improvement: - Before: 538.6 ns/op, 560 B/op, 13 allocs/op - After: 436.8 ns/op, 336 B/op, 11 allocs/op - Result: 19% faster, 40% less memory, 15% fewer allocations The optimization benefits Kubernetes clusters using autopath for server-side search path completion. Adds benchmark test to measure AutoPath performance. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Missed in coredns#7323 Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
This PR updates version to 1.12.2 for preparation of a release Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Enable protogetter in golangci config and update all protobuf field access to use getter methods instead of direct field access. Getter methods provide safer nil pointer handling and return appropriate default values, following protobuf best practices. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Downstream policy (carried since 213249c/1b37b38eb) disables Dependabot in the OpenShift forks because ART curates dependencies centrally and the automated PRs get closed immediately. This commit removes `.github/dependabot.yml` and documents the policy in `carry_consolidation/dependabot_policy.md` so future rebases know why we do not re-enable it even though upstream keeps the workflow enabled. Co-authored-by: Ryan Fredette <rfredette@redhat.com> Co-authored-by: Grant Spence <gspence@redhat.com>
Carry the external `ocp_dnsnameresolver` plugin again after the rebase, folding in the previous carry commits (7a4db4b, 6b897ee, 8eab9cb) into one logical change: - register the plugin ahead of `cache` inside `plugin.cfg` and regenerate `core/plugin/zplugin.go` + `core/dnsserver/zdirectives.go` so directives stay ordered the way OpenShift expects. - pull in the released module version via `go.mod`/`go.sum`; this matches the rebased plugin tag that now builds against k8s v0.34.1. - document the reapply steps in `carry_consolidation/ocp_dnsnameresolver.md` (files to touch, commands to run, and validation steps) so reviewers do not need the deleted report to understand the carry. Co-authored-by: Arkadeep Sen <arsen@redhat.com> Co-authored-by: Ryan Fredette <rfredette@redhat.com> Co-authored-by: Grant Spence <gspence@redhat.com>
17c6465 to 1a7984d
Latest rebase moved the
/retest
@bentito: all tests passed!
Thank you! /lgtm
@bentito: This pull request references NE-2194 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.
/hold Holding for @rfredette and @Miciah to have a final look.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: alebedev87
/jira-refresh
Ran the regression successfully on AWS normal cluster, GCP FIPS cluster and OpenStack cluster, except for the CoreDNS version test case, which will need an automation change in accordance with this PR. Hence marking as verified. /verified by @mjoseph
@melvinjoseph86: This PR has been marked as verified by
/unhold Unholding this PR as agreed with the team.
CoreDNS v1.13.1 Rebase Summary
Overview
Merge helper commit
- We keep a single `git merge --no-ff --strategy=ours origin/main` commit on top so GitHub remembers the branch is reconciled with `origin/main` even after the manual rebase.
- The helper merge uses the `ours` strategy (same command noted above) which records the relationship without touching the resolved files.
- Rebases `origin/main` onto upstream tag `v1.13.1`, collapsing downstream carries into a handful of commits.
- Maintains Go 1.24.6 toolchain (ART builders), vendored tree, and downstream plugins while aligning with upstream code.
Carries Discussion
Dependabot policy for downstream fork
- `.github/dependabot.yml`. Downstream OpenShift policy disables Dependabot entirely.
- `.github/dependabot.yml` in the carry commit and avoid reintroducing it.
Downstream `make test` target
- `test` target that the OpenShift ci-operator calls.
- `check` to regenerate `zplugin.go`/`zdirectives.go`.
- `GOFLAGS=-mod=vendor` (either via environment or within the target as shown).
ocp_dnsnameresolver carry instructions
Downstream keeps the external `ocp_dnsnameresolver` plugin. Upstream v1.13.1 does not ship it, so we must reapply the carry after the merge.
Files to edit
- `plugin.cfg`: add `ocp_dnsnameresolver:github.com/openshift/coredns-ocp-dnsnameresolver` before `cache`.
- `core/plugin/zplugin.go` and `core/dnsserver/zdirectives.go`: regenerated outputs that pick up the plugin entry.
- `go.mod`/`go.sum`: add the released module version for `github.com/openshift/coredns-ocp-dnsnameresolver`.
- `vendor/modules.txt` and `vendor/github.com/openshift/coredns-ocp-dnsnameresolver/**`: repopulated via `go mod vendor`.
- `replace` directive once the plugin release is tagged (track in action plan).
Commands
- `go.mod` (`go get github.com/openshift/coredns-ocp-dnsnameresolver@<tag>`).
- `go generate coredns.go` to refresh `zplugin.go`/`zdirectives.go`. (Downstream `make check` does this as part of the pipeline.)
- `GOFLAGS=-mod=vendor go mod vendor` to repopulate `vendor/`.
- `plugin.cfg`, the regenerated Go files, `go.mod`, `go.sum`, `vendor/modules.txt`, and the vendored plugin tree together.
Ordering requirement
- `ocp_dnsnameresolver` must remain immediately before `cache` in `plugin.cfg`; the generator preserves this ordering in the generated files.
Validation
- `GOFLAGS=-mod=vendor go test ./plugin/...` to ensure registrations compile.
Downstream vendoring strategy
We continue to vendor dependencies so downstream builds do not rely on network access.
Regenerating vendor after the rebase
- `go.mod` and `go.sum` reflect the desired dependency set (run `go mod tidy` if needed once conflicts are resolved).
- `GOFLAGS=-mod=vendor go mod vendor` (or export `GOFLAGS=-mod=vendor` globally) to repopulate `vendor/`.
- `vendor/github.com/onsi/ginkgo/v2/ginkgo/build/build_command.go`) if it is dropped by `go mod vendor`.
- `vendor/` tree along with `go.mod`/`go.sum` updates in a single carry commit.
Build tooling expectations
- `Dockerfile.openshift`, `Dockerfile.openshift.rhel7`, etc.) must keep `GO111MODULE=on` and `GOFLAGS=-mod=vendor` so container builds consume the vendored tree.
- `GOFLAGS=-mod=vendor` (unless the buildroot already enforces it).
.gitignore adjustments
- `vendor/` ignore entry; see `carry_consolidation/gitignore.patch`.
- `query.log`, `Corefile`, `*.swp`, `/coredns`, `coredns.exe`, `/build/`, `release/`.
Rebase Report
Rebase to v1.13.1 - Anticipated Challenges
Snapshot of Divergence
- `main` (`origin/main`) descends from `v1.11.3`; merge-base with `v1.13.1` is commit `a7ed34658`.
- `origin/main` is 270 commits ahead of `v1.11.3` and 501 commits behind `v1.13.1`; within that range we see 82 merge commits (mostly prior "rebase" merges) and 124 commit objects containing `UPSTREAM` markers, which collapse to ~52 unique carry commit messages once duplicates from earlier rebases are deduplicated.
Carry Patches and OpenShift Packaging
- `.ci-operator.yaml`, `Dockerfile.ocp`, `Dockerfile.openshift`, `Makefile` overrides (`test`, `dep-ensure`), and repeated image metadata synchronizations with ART. These files do not exist upstream; they must be reintroduced cleanly after the rebase.
- `ocp_dnsnameresolver` is currently vendored along with large slices of `github.com/openshift/{api,client-go,...}`. Upstream `v1.13.1` has no `vendor/` tree, so we must decide between re-vendoring the entire OpenShift dependency set or switching to module-aware builds that can fetch these deps.
Carry Consolidation Plan
- `<carry>` commits only update OWNERS and related metadata (e.g., `a82419240`, `c6cbe9feb`). Plan: squash into a single "Restore OpenShift OWNERS metadata" commit after the rebase lands.
- `213249c83`, `5378301ac`, `433d377a9` all toggle Dependabot. Plan: merge into one downstream policy commit and drop the rest.
- `7d3b0d2fe`, `6a6aca3cc`, `bc4b0e6f0`, plus `.gitignore` adjustments like `35edb5009`, `0df6a4cb8`, `cae06b4bc`, `a5843d819`, `69fc73eac`, `279951d92`). Plan: consolidate into (a) one vendoring commit and (b) one `.gitignore` commit, rerunning `go mod vendor` as needed.
- `acf1e3312`, `78b2bdbb2`, `6455c7589` duplicate the `make test` target. Plan: keep one canonical downstream build tooling commit and drop the rest.
- `7a4db4ba4`, `7a9d9ea62`, `8eab9cb1d`, `6b897ee50`) will be rebased into a single logical commit that injects the plugin, sets ordering, and bumps the version in one place.
Toolchain and Dependency Shifts
- `.go-version` and `Makefile` try to auto-download the newest toolchain. Downstream should keep setting `GOTOOLCHAIN=local` so we stay on our supported Go 1.24 toolchain.
- `GOTOOLCHAIN=local`.
- `GOTOOLCHAIN` is omitted, disconnected environments will see build failures when `go` tries to fetch a toolchain from the network. Always export `GOTOOLCHAIN=local` (or patch the Makefile accordingly) so builds rely on the pre-installed Go toolchain.
- `GOTOOLCHAIN=local`; (2) keep the prototype log updated with any Go 1.24-specific quirks; (3) revisit the override only if upstream tooling mandates a higher version in the future.
- `plugin.cfg`) ships `route53`, `azure`, and `clouddns`, so the jump to `aws-sdk-go-v2`, `azure/autorest` bumps, and newer Google Cloud libs must be validated in OpenShift CI even if these plugins are not heavily used. Likewise the `trace` plugin now depends on `github.com/DataDog/dd-trace-go/v2`, so downstream tracing deployments (and our CI that imports the package) need exercises with the new APIs enabled.
- `go.mod` migrates from legacy dependencies (`aws-sdk-go` v1, DataDog v1, etc.) to new major versions (`aws-sdk-go-v2`, `dd-trace-go/v2`, OpenTelemetry packages, etc.), and bumps Kubernetes libs to v0.34.1. These introduce breaking API changes that our OpenShift carry code (including the external plugin) must accommodate.
- `vendor/` tree (same as v1.11.3). Our downstream fork still vendors modules for disconnected builds, so post-rebase we must decide whether to keep regenerating `vendor/` via `go mod vendor` (and update the supporting scripts/Dockerfiles) or to invest in an alternative module-cache solution.
Core Runtime and Plugin Differences
- `plugin.cfg` in `v1.13.1` slots `quic`/`multisocket` ahead of `cache`, but our downstream config already omits them and keeps `ocp_dnsnameresolver` in that slot; after the rebase we just re-run `go generate` to bring back `zplugin.go`/`zdirectives.go` with the plugin intact and confirm no conflicts.
- `core/dnsserver/*`, `coremain/run.go`) picked up QUIC/HTTPS refactors and new tests, but we have no downstream carries in those files beyond the generated directive list. Merge risk is minimal; the follow-up is to rerun targeted runtime tests (e.g., DNS-over-HTTPS, cache regression checks) to ensure upstream behaviour changes don’t surprise our ocp plugin or deployment defaults.
- `UPSTREAM: 6354`, `UPSTREAM: 6277`, `UPSTREAM: 6692`) and are already present in v1.13.1, so they can drop. Remaining rebase work is verifying that ocp_dnsnameresolver and any downstream-only logic still compile against the upgraded `k8s.io/*` clients.
Build, Release, and CI Implications
- `distroless/static-debian12`, adds `--no-install-recommends`, and resets `WORKDIR`, but our downstream images already pin to ART-managed base images; just double-check if we want to pick up the distroless tweaks for parity or leave the current OCP image as-is.
- `.golangci.yml`), and README build guidance now assume the newer toolchain and add security automation (OpenSSF scorecard, etc.). We can continue disabling Dependabot downstream; just be aware of the upstream workflow drift.
- `make check` now relies on `go generate` followed by `go get` under modules, which pulls tooling at build-time. We can tolerate that in our existing build environments, but if we need a disconnected rehearsal later we should pre-stage a module cache or keep regenerating `vendor/`.
Risk Hotspots & Open Questions
- `github.com/openshift/coredns-ocp-dnsnameresolver` with the upgraded Kubernetes client libraries and Go runtime is unknown; it may require upstream updates before the rebase can land.
- `go mod vendor` post-rebase or mirrored module proxies).
- `coremain/run_test.go`, QUIC/HTTPS suites) should pass even though we don’t enable those transports, but they pull in HTTP/3/TLS tooling at test-time. Plan a rehearsal `make test` run in CI; if the new suites require missing system libs or capabilities, decide whether to add them to the test image or skip the specific tests with justification.
Suggested Next Steps for Preparation
- `UPSTREAM:` carry commit to classify as "already upstream", "still needed", or "obsoleted" (in progress via `audit_upstream_report.md`).
- `v1.13.1` with the OpenShift plugin to gauge compile/API fallout, including a rehearsal `make test` run that covers the new QUIC/HTTPS suites.
- `github.com/openshift/coredns-ocp-dnsnameresolver` (and any other external plugin repos) to the `k8s.io/*` versions used by v1.13.1 and publish updated tags for the rebase branch.
- `GOTOOLCHAIN=local`, run compile/test rehearsals to confirm 1.24.x passes, and log any gaps so we can reassess toolchain needs if upstream bumps again.
Appendix: Upstream Change Map & Rebase Actions
Core server lifecycle & transport (core/dnsserver, coremain)
- Representative upstream commits: `efaed02c6` (limit concurrent DoQ streams), `eafc352f5` (graceful shutdown via ShutdownContext), `6ec327836` (prevent SIGTERM reload deadlock), `c90e70339` (export transport timeouts).
- Downstream carries touched: `7a4db4ba4`/`7a9d9ea62` (ocp_dnsnameresolver plugin), `6b897ee50` (plugin chain ordering), `8eab9cb1d` (plugin version bump).
- Follow-up actions: 1) Re-run `make gen` after re-injecting ocp_dnsnameresolver so regenerated `zplugin.go`/`zdirectives.go` pick up new transport hooks. 2) Manually review QUIC/HTTPS server startup paths to ensure the downstream cache tweaks still behave with the new shutdown semantics. 3) Execute targeted DoQ/HTTPS e2e tests once the carry set lands.
- Second review focus: DNS server maintainers to double-check transport changes alongside the ocp plugin integration.
Plugin registry & generator churn (plugin.cfg, directives_generate.go)
- Representative upstream commits: `6c39f4bae` (multisocket plugin), `83ce0baea` (nomad plugin), `82323554a` (enable plugin selection via environment), `0ed689e2d` (third-party plugin generation fix).
- Downstream carries touched: `7a4db4ba4`/`7a9d9ea62` (ocp_dnsnameresolver), `6b897ee50` (ordering), repeated `.gitignore` and vendor carries that keep generated files committed.
- Follow-up actions: 1) Update `plugin.cfg` to include ocp_dnsnameresolver alongside new upstream plugins, preserving the pre-cache ordering. 2) Regenerate `zplugin.go` and `zdirectives.go`, confirm the carry commits continue to apply cleanly, and stage the artifacts for review. 3) Validate `make test` (carry `acf1e3312`) still drives `go generate` correctly in disconnected builds.
- Second review focus: @openshift/network-edge reviewers to spot-check the generated artifacts and plugin chain.
Kubernetes plugin & API migrations (plugin/kubernetes, go.mod)
- Representative upstream commits: `5c71bd0b8` (multicluster support), `17eb2eed3` (prepare for k8s API upgrade), `ab74d3acf` (startup timeout option), `7c76d534d` (deletion timestamp handling).
- Downstream carries touched: Historical OCP bugfix carries (e.g., `37a9afe69`, `59f7d2f51`) now superseded, indirect impacts to ocp_dnsnameresolver which vendors `k8s.io/{api,client-go}` via `7d3b0d2fe`/`6a6aca3cc`.
- Follow-up actions: 1) Rebase `github.com/openshift/coredns-ocp-dnsnameresolver` onto the new `k8s.io/* v0.34.1` / Go 1.24+ stack and cut a compatible release before wiring it back into the tree. 2) Compile ocp_dnsnameresolver against those libs and smoke test the watcher flows. 3) Drop or rewrite obsolete OCP bugfix carries that are now upstream to avoid conflicts. 4) Add a focused review checklist for multi-cluster mode to ensure downstream defaults remain unchanged.
- Second review focus: Kubernetes SIG-Network contacts plus ocp plugin owners for behavioral regressions.
Toolchain & observability stack (go.mod, go.sum, .go-version)
- Representative upstream commits: `41a0b70e7` (Go toolchain refresh), `afdd41a26`/`3ccbd6ab6` (subsequent toolchain bumps), `2b273d48a` (dd-trace-go v2 migration), `43fdf737d` (automaxprocs), `dd029c931` (caddy bump), `cbc32d238`/`83a546e7b` (aws-sdk-go-v2 rollouts).
- Downstream carries touched: `7d3b0d2fe`, `6a6aca3cc`, `bc4b0e6f0` (vendor tree), `.gitignore` carries (`35edb5009`, `0df6a4cb8`, `cae06b4bc`, `a5843d819`, `69fc73eac`, `279951d92`).
- Follow-up actions: 1) Decide on a vendoring strategy (redo `go mod vendor` post-rebase versus module proxy) and update Dockerfiles accordingly. 2) Keep enforcing `GOTOOLCHAIN=local` so downstream builds stick with Go 1.24. 3) Exercise the compiled `route53`, `azure`, `clouddns`, and `trace` plugins against AWS SDK v2 / new cloud clients / dd-trace-go v2 to confirm downstream configs still work.
- Second review focus: Build/ART owners to vet the dependency story and ensure offline builds remain viable; plugin owners for cloud integrations and tracing to confirm runtime behaviour.
Build, CI, and packaging (Dockerfile*, workflows, Make targets)
- Representative upstream commits: `517a262e9` (base image to distroless debian12), `a5388133d` (Dockerfile hygiene), `39abf5aeb` (modernize Go lint config), `76ba39ffe` (golangci-lint v2), `82323554a` (env-controlled plugin generation).
- Downstream carries touched: `90d7eed7b`/`f5d39cfca` (ci-operator config), `acf1e3312`/`78b2bdbb2` (make test target), `213249c83`/`433d377a9` (disable dependabot), `a82419240`/`c6cbe9feb` (OWNERS metadata).
- Follow-up actions: 1) Reconcile downstream Dockerfiles with the new distroless base while keeping ART requirements intact. 2) Keep the `make test` carry but align it with upstream `make check` changes so CI still triggers the right steps. 3) Reapply downstream automation metadata (OWNERS, dependabot disable) once the rebase branch stabilizes.
- Second review focus: Release/CI owners to sign off on buildroot changes and automation toggles.
Action Plan
CoreDNS v1.13.1 Rebase Action Plan
Status legend: ✅ complete · 🔄 in progress · ⬜️ pending · 🚫 blocked
Milestone Summary
| Status | Task | Notes |
| --- | --- | --- |
| ✅ | Produce carry audit (`audit_upstream_report.md`) | Completed; classifies all `UPSTREAM`/`<carry>` commits |
| ✅ | Draft rebase analysis (`rebase_v1.13.1_report.md`) | Completed with appendix and consolidation plan |
| ✅ | Prototype build with rebased `ocp_dnsnameresolver` | Prototype branch `prototype/v1.13.1-with-ocp`; Linux tests passing |
| ✅ | Publish rebased `coredns-ocp-dnsnameresolver` module | Upstream merged; CoreDNS `go.mod` points to `v0.0.0-20251118…` |
| ✅ | Execute full rebase of `origin/main` onto upstream `v1.13.1` | Merge commit staged; downstream adjustments applied |
| ✅ | Cut downstream release notes draft | See `notes/coredns-1.13.1-openshift.md` |
| ✅ | Final CI/regression sweep & hand-off | Waiting on prow rehearsals; schedule rebase review meeting |
| ✅ | Coordinate stakeholder review meeting | Prep Google Meet to walk through rebase status |
Detailed Checklist
1. Tooling & Environment Prep
- `GOTOOLCHAIN=local`.
- `GOTOOLCHAIN=local` (or equivalent) so the same toolchain is used everywhere.
2. Carry Commit Consolidation
Based on `audit_upstream_report.md` and the consolidation plan inside `rebase_v1.13.1_report.md`:
- `a82419240`, `c6cbe9feb`, etc.) → consolidate into one commit. ✅
- `v1.13.1` (no `OWNERS`) vs downstream; confirmed entire file is OpenShift-only.
- `carry_consolidation/OWNERS.patch` for post-rebase use.
- `213249c83`, `5378301ac`, `433d377a9`) → single policy commit. ✅
- `.github/dependabot.yml` and document disablement (see `carry_consolidation/dependabot_policy.md`).
- `.gitignore` carries (`7d3b0d2fe`, `6a6aca3cc`, `bc4b0e6f0`, `35edb5009`, …) → one vendoring commit + one `.gitignore` commit. ✅
- `carry_consolidation/vendor_workflow.md`.
- `.gitignore` reapply patch (`carry_consolidation/gitignore.patch`) that keeps `vendor/` tracked.
- `acf1e3312`, `78b2bdbb2`, `6455c7589`) → keep one canonical downstream target. ✅
- `make test` target retained; see `carry_consolidation/makefile.patch` (`GOFLAGS=-mod=vendor go test -count=1 ./...`).
- `make test`; update `.ci-operator.yaml` if prow feedback requires it.
- `ocp_dnsnameresolver` chain (`7a4db4ba4`, `7a9d9ea62`, `8eab9cb1d`, `6b897ee50`) → single reapply commit after rebase. ✅
- `carry_consolidation/ocp_dnsnameresolver.md` (plugin.cfg, regenerated files, go.mod/sum, vendor).
3. External Plugin & Dependencies
- `github.com/openshift/coredns-ocp-dnsnameresolver` to k8s `v0.34.1` / OpenShift 4.22 dependencies (tests passing).
4. CoreDNS Rebase Execution
- `v1.13.1` and start rebase/merge workflow on latest `origin/main`.
- `go generate` (`coredns.go`) after reinserting `ocp_dnsnameresolver`.
- `go mod vendor`; regenerated vendor tree with Go 1.24).
5. Build & Test Matrix
- `go build` + `go test ./...`.
- `make test`, e2e suites triggered by CI, QUIC/HTTPS coverage).
- `plugin/dnstap.TestTransport`; keep test execution on Linux hosts for rehearsal runs.
Artifacts & References
- `rebase_v1.13.1_report.md`
- `audit_upstream_report.md`
- `Prototype_Building_v1.13.1_with_OCP_plugin.md`
- `prototype/v1.13.1-with-ocp`
Update this plan as each step completes to keep the rebase effort coordinated and auditable.
Carry Audit
UPSTREAM Carry Audit Against v1.13.1
Summary
Detailed Classification
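One way to turn the ordering requirement from the ocp_dnsnameresolver carry instructions into a pre-commit check, as an added example that is not part of the PR or the CoreDNS code base: it parses `plugin.cfg` and fails unless the carry entry points at the expected module and sits immediately before `cache`. The function names, error values and sample `plugin.cfg` fragments are constructed for illustration; only the plugin name, module path and `cache` ordering come from the report.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Values taken from the carry instructions; all other names are hypothetical.
const (
	carryName = "ocp_dnsnameresolver"
	carryPkg  = "github.com/openshift/coredns-ocp-dnsnameresolver"
	nextName  = "cache"
)

var (
	errMissing   = errors.New(carryName + " is not registered")
	errDuplicate = errors.New(carryName + " is registered more than once")
	errWrongPkg  = errors.New(carryName + " points at an unexpected package")
	errOrder     = errors.New(carryName + " is not immediately before " + nextName)
)

// pluginEntry is one active "name:package" line of plugin.cfg.
type pluginEntry struct {
	Name, Pkg string
	Line      int
}

// parsePluginCfg returns the active entries in file order, skipping blank
// lines and "#" comments (so a commented-out carry counts as missing).
func parsePluginCfg(cfg string) ([]pluginEntry, error) {
	var entries []pluginEntry
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, pkg, ok := strings.Cut(line, ":")
		if !ok || name == "" || pkg == "" {
			return nil, fmt.Errorf("line %d: want name:package, got %q", n, line)
		}
		entries = append(entries, pluginEntry{Name: name, Pkg: pkg, Line: n})
	}
	return entries, sc.Err()
}

// checkCarry enforces the carry rules: exactly one entry, the expected
// module path, and "cache" as the very next active entry.
func checkCarry(cfg string) error {
	entries, err := parsePluginCfg(cfg)
	if err != nil {
		return err
	}
	idx := -1
	for i, e := range entries {
		if e.Name != carryName {
			continue
		}
		if idx != -1 {
			return fmt.Errorf("%w (lines %d and %d)", errDuplicate, entries[idx].Line, e.Line)
		}
		idx = i
	}
	if idx == -1 {
		return errMissing
	}
	if entries[idx].Pkg != carryPkg {
		return fmt.Errorf("%w: %s", errWrongPkg, entries[idx].Pkg)
	}
	if idx+1 >= len(entries) || entries[idx+1].Name != nextName {
		return fmt.Errorf("%w (line %d)", errOrder, entries[idx].Line)
	}
	return nil
}

// Constructed plugin.cfg fragments, not copied from the repository.
const goodCfg = `# constructed sample
errors:errors
log:log
ocp_dnsnameresolver:github.com/openshift/coredns-ocp-dnsnameresolver
cache:cache
forward:forward
`

const misorderedCfg = `errors:errors
ocp_dnsnameresolver:github.com/openshift/coredns-ocp-dnsnameresolver
rewrite:rewrite
cache:cache
`

const commentedOutCfg = `errors:errors
#ocp_dnsnameresolver:github.com/openshift/coredns-ocp-dnsnameresolver
cache:cache
`

func main() {
	samples := []struct{ name, cfg string }{
		{"good", goodCfg}, {"misordered", misorderedCfg}, {"commented out", commentedOutCfg},
	}
	for _, s := range samples {
		fmt.Printf("%-14s %v\n", s.name, checkCarry(s.cfg))
	}
}
```

The same check can run before `go generate coredns.go`, so a misplaced entry is caught before it is baked into `zplugin.go`/`zdirectives.go`.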