OCPBUGS-94014: Rebase v3.6.12 for 5.0/4.23

[dusk125]

Summary by CodeRabbit

• New Features

  • Added support for updating learner members while preserving learner status.
  • Added stronger validation for file and directory inputs in utility commands.

• Bug Fixes

  • Improved handling of member attribute updates, including peer URL changes.
  • Tightened auth checks for maintenance status operations.
  • Fixed tests and command flows to better handle invalid or inaccessible paths.

• Chores

  • Updated the Go toolchain and bumped related module versions across the project.
  • Updated the public version number to 3.6.12.

[coderabbitai]

Walkthrough

Bumps etcd to v3.6.12 and Go toolchain to 1.25.10 across all modules. Fixes UpdateRaftAttributes to update only PeerURLs (preserving IsLearner). Changes maintenance Status auth from isPermitted to requireAuthInfo. Adds path validation helpers to etcdutl commands. Adds a learner member update integration test.

Changes

Go toolchain and v3.6.12 module version bump

Layer / File(s)	Summary
Version constant and toolchain api/version/version.go, .go-version, api/go.mod, client/pkg/go.mod, client/v3/go.mod, etcdctl/go.mod, etcdutl/go.mod, go.mod, pkg/go.mod, server/go.mod, tests/go.mod, tools/*/go.mod	Version bumped to 3.6.12, Go toolchain to 1.25.10, and all internal go.etcd.io/etcd/*/v3 require entries updated from v3.6.11 to v3.6.12.

Functional fixes and new features

Layer / File(s)	Summary
UpdateRaftAttributes: partial PeerURLs update preserving learner state server/etcdserver/api/membership/cluster.go, server/etcdserver/api/membership/cluster_test.go, tests/integration/clientv3/cluster_test.go	UpdateRaftAttributes now updates only RaftAttributes.PeerURLs instead of the full RaftAttributes struct, adds early return for absent members, and a new learner test case plus integration test verify IsLearner is preserved after peer URL update.
Maintenance Status auth fix server/etcdserver/api/v3rpc/maintenance.go, tests/common/maintenance_auth_test.go	authMaintenanceServer.Status calls requireAuthInfo instead of isPermitted; test updates expectOperationError from true to false for user-authenticated Status.
etcdutl path validation etcdutl/etcdutl/common.go, etcdutl/etcdutl/defrag_command.go, etcdutl/etcdutl/hashkv_command.go, etcdutl/etcdutl/migrate_command.go, etcdutl/etcdutl/snapshot_command.go	New validateDataDir and validateFilePath helpers added; wired as early-exit checks in DefragData, calculateHashKV, migrateCommandFunc, and SnapshotStatusCommandFunc.
Test cleanup: superuser detection client/pkg/fileutil/fileutil_test.go	Replaces user.Current() root check with os.Getuid() == 0 in TestIsDirWriteable, removing the os/user import.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• deads2k
• sandeepknd
• tjungblu

🚥 Pre-merge checks | ✅ 4 | ❌ 11

❌ Failed checks (1 warning, 10 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 9.09% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Stable And Deterministic Test Names	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs	❓ Inconclusive	Repository clone failed, so this custom check could not run with code access.	Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: rebasing to v3.6.12 for the 5.0/4.23 branches.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@etcdutl/etcdutl/common.go`:
- Around line 41-43: validateFilePath currently only checks os.Stat, so it still
accepts directories and lets invalid inputs reach later backend code. Update
validateFilePath in common.go to verify the path is a regular file (or
explicitly reject directories) after Stat, and return an error for directory
inputs so callers like hashkv and snapshot status get the expected early
validation.

In `@server/etcdserver/api/membership/cluster.go`:
- Around line 628-635: The info log in the cluster membership path is exposing
raw internal peer URLs via raftAttr.PeerURLs, which can leak topology. Update
the logging in the member update flow around the existing c.lg.Info call to
remove the full URL list and instead log a safer identifier such as the member
ID and/or the count of peer URLs. Keep the rest of the diagnostic context intact
while ensuring no internal hostnames are emitted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b9478df3-5295-4859-a5e8-d6504f93016a

📥 Commits

Reviewing files that changed from the base of the PR and between bf6c009 and b92e343.

📒 Files selected for processing (25)

• .go-version
• api/go.mod
• api/version/version.go
• client/pkg/fileutil/fileutil_test.go
• client/pkg/go.mod
• client/v3/go.mod
• etcdctl/go.mod
• etcdutl/etcdutl/common.go
• etcdutl/etcdutl/defrag_command.go
• etcdutl/etcdutl/hashkv_command.go
• etcdutl/etcdutl/migrate_command.go
• etcdutl/etcdutl/snapshot_command.go
• etcdutl/go.mod
• go.mod
• pkg/go.mod
• server/etcdserver/api/membership/cluster.go
• server/etcdserver/api/membership/cluster_test.go
• server/etcdserver/api/v3rpc/maintenance.go
• server/go.mod
• tests/common/maintenance_auth_test.go
• tests/go.mod
• tests/integration/clientv3/cluster_test.go
• tools/mod/go.mod
• tools/rw-heatmaps/go.mod
• tools/testgrid-analysis/go.mod

[openshift-ci-robot]

@dusk125: This pull request references Jira Issue OCPBUGS-94014, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sandeepknd

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary by CodeRabbit

• New Features

• Added support for updating learner members while preserving learner status.

• Added stronger validation for file and directory inputs in utility commands.

• Bug Fixes

• Improved handling of member attribute updates, including peer URL changes.

• Tightened auth checks for maintenance status operations.

• Fixed tests and command flows to better handle invalid or inaccessible paths.

• Chores

• Updated the Go toolchain and bumped related module versions across the project.

• Updated the public version number to 3.6.12.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dusk125]

/test all

[openshift-ci]

@dusk125: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/upstream-integration	b92e343	link	false	/test upstream-integration
ci/prow/upstream-e2e	b92e343	link	false	/test upstream-e2e
ci/prow/e2e-aws-ovn-upgrade	b92e343	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn	b92e343	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.