OCPBUGS-65926: UPSTREAM: <carry>: backporting fix for concurrent map iteration and write

[ingvagabund]

Mimicking backports as in openshift/kubernetes#2443. This time for openshift-apiserver.

[openshift-ci-robot]

@ingvagabund: This pull request references Jira Issue OCPBUGS-65926, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-65926 to depend on a bug in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Mimicking backports as in openshift/kubernetes#2443. This time for openshift-apiserver.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ingvagabund]

/hold

[ingvagabund]

openshift/openshift-apiserver#580 as evidence the backported commits pass the CI

[ingvagabund]

/hold cancel

[p0lyn0mial]

was it a clean pick ?
did you run into any conflicts ?

[p0lyn0mial]

I think that this repo is used by: openshift-apiserver, oauth-apiserver and oauth-server
we need to test/validate all servers.

also it looks like all these servers are pinned to v0.0.0-20250917144435-182485d204aa // points to openshift-apiserver-4.20-kubernetes-1.33 on the master branches:

https://github.com/openshift/openshift-apiserver/blob/main/go.mod#L197C9-L197C152
https://github.com/openshift/oauth-apiserver/blob/master/go.mod#L147
https://github.com/openshift/oauth-server/blob/master/go.mod#L122

[ingvagabund]

was it a clean pick ?
did you run into any conflicts ?

All clean, no conflicts.

Double checking again locally:

• 7c7906e (from kubernetes@e6df86e)
• fb6914a (from kubernetes@1ffdd24)
• 550c6e4 (from kubernetes@bda7e28)
• 7bc3c99 (from kubernetes@b45c454)

[ingvagabund]

Evidence PRs:

• OCPBUGS-65926: chore: sync with o/kubernetes-apiserver openshift-apiserver-4.20-kubernetes-1.33 openshift-apiserver#580
• OCPBUGS-65926: chore: sync with o/kubernetes-apiserver openshift-apiserver-4.20-kubernetes-1.33 oauth-apiserver#159
• OCPBUGS-65926: chore: sync with o/kubernetes-apiserver openshift-apiserver-4.20-kubernetes-1.33 oauth-server#204

[ingvagabund]

/hold

until all evidence PRs are green

[p0lyn0mial]

@ingvagabund since the repos/servers are pinned to v0.0.0-20250917144435-182485d204aa // points to openshift-apiserver-4.20-kubernetes-1.33 on the master branches shouldn't we tests against the master branches ?

[ingvagabund]

1.34/master already have the cherry-picked/backported commits based on

• https://github.com/kubernetes/apiserver/commits/release-1.34?author=sxllwx (the top commit)
  and based on
• https://github.com/kubernetes/apiserver/commits/release-1.34?author=dims

Once openshift-apiserver-4.21-kubernetes-1.34 gets created it will be there. So the master branches for all the serves will get tested then. I am not sure when that's going to happen.

[ingvagabund]

Looks like https://github.com/openshift/oauth-server has not been bumped to 1.34 yet. Also, since ocp 4.17 all the rebases have been merged into master branch only.

[ingvagabund]

From oauth-server:

$ make
go build -mod=vendor -trimpath -ldflags "-X github.com/openshift/oauth-server/pkg/version.versionFromGit="v0.0.0-alpha.0-230-g5161935" -X github.com/openshift/oauth-server/pkg/version.commitFromGit="51619356" -X github.com/openshift/oauth-server/pkg/version.gitTreeState="clean" -X github.com/openshift/oauth-server/pkg/version.buildDate="2025-12-03T21:44:31Z" " github.com/openshift/oauth-server/cmd/oauth-server
# github.com/openshift/oauth-server/pkg/oauth/handlers
pkg/oauth/handlers/default_auth_handler.go:118:17: undefined: audit.AuditEventFrom
make: *** [vendor/github.com/openshift/build-machinery-go/make/targets/golang/build.mk:16: build] Error 1

A valid error since AuditEventFrom got removed.

[ingvagabund]

AuditEventFrom partially restored via kubernetes/kubernetes#133765

EDIT: mimicking the code changes from https://github.com/kubernetes/kubernetes/pull/129472/files#diff-4ff3580afd7cb271bca442e8bed618441aca39c8a257e45a5cf329d63e620068R50-R52.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close not-planned

[openshift-ci]

@openshift-bot: PRs cannot be closed as Not Planned.

Details

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.