Rebase to CoreDNS v1.13.2

[gcs278]

NOTE: My goal for this PR is testing /rebase command on claude, not necessarily to bump CoreDNS

Summary

This PR rebases the OpenShift CoreDNS fork from v1.13.1 to v1.13.2, incorporating 113 upstream commits while maintaining all necessary OpenShift-specific carries.

Rebase Details

Target Version: CoreDNS v1.13.2
Base Version: v1.13.1
Upstream Commits: 113 commits
Strategy: Clean rebase from v1.13.2 tag + cherry-pick carries + merge helper commit

Carries Forward-Ported (7 total)

All essential OpenShift carries have been forward-ported:

1. ✅ OWNERS automation metadata - OpenShift CI/build configuration
2. ✅ Downstream OWNERS metadata - Team ownership and review process
3. ✅ Disable dependabot - Per OpenShift policy
4. ✅ Make test target - Required by ci-operator
5. ✅ ocp_dnsnameresolver plugin - OpenShift-specific DNS feature
6. ✅ Vendor tree ignore rules - Track vendor for offline builds
7. ✅ Vendor deps - Regenerated for v1.13.2 dependencies

Carry Dropped

• ❌ Go toolchain pin (commit 1457b2e) - Explicitly marked as <drop>
  • Makefile already has GOTOOLCHAIN=local which provides the same functionality

Key Changes in v1.13.2

Upstream Features

• geoip plugin: Upgraded to geoip2-golang v2, added ISO 3166-2 subdivisions support
• forward plugin: Added max connect attempts configuration knob
• auto plugin: Fixed regex length limit vulnerability

Dependency Updates

• Go version: 1.25.5 (we keep 1.24.6 with GOTOOLCHAIN=local)
• AWS SDK v2: Multiple patch bumps (route53, secretsmanager, credentials, config)
• google.golang.org/api: 0.251.0 → 0.257.0
• quic-go: 0.55.0 → 0.57.1
• k8s.io/*: Updated to v0.34.2
• DataDog trace: v2.2.3 → v2.4.0

Vendor Tree

• 1,218 files changed: 174,666 insertions, 67,248 deletions
• Regenerated via GOFLAGS=-mod=vendor go mod vendor
• Major changes:
  • geoip2-golang v1 → v2 migration
  • DataDog appsec reorganization
  • New compression libraries (klauspost/compress, klauspost/cpuid)
  • AWS signin service added

Testing

Build Status

✅ Build successful with GOFLAGS=-mod=vendor make

Test Results

✅ Tests pass - make test completed successfully

• All plugin tests pass
• One known flaky test in proxy package (timing-related, not a blocker)
• Verified plugin ordering: ocp_dnsnameresolver correctly placed before cache

Verification Checklist

• Binary builds successfully
• Unit tests pass
• Plugin files regenerated correctly
• Vendor tree updated
• ocp_dnsnameresolver plugin loads correctly
• QE testing (pending)
• Integration tests (pending)

Risk Assessment

Overall Risk: 🟢 LOW

Mitigated Risks

1. Go version mismatch (1.25.5 vs 1.24.6)

   • ✅ Mitigated via GOTOOLCHAIN=local in Makefile
   • Builds successfully with Go 1.24.6

2. geoip2-golang v2 migration

   • ✅ Upstream handled migration
   • ✅ Vendor tree includes v2
   • Low impact (plugin not heavily used in OpenShift)

3. Dependency churn

   • ✅ Mostly patch/minor bumps on stable APIs
   • ✅ Comprehensive vendor regeneration captures all changes

4. ocp_dnsnameresolver compatibility

   • ✅ Plugin version: v0.0.0-20251118200623-f7b15b30153f (recent)
   • ✅ Compiles successfully with k8s.io/* v0.34.2
   • ✅ Plugin ordering verified

Documentation

Comprehensive rebase documentation has been generated:

• audit_upstream_carry_commits.md - Analysis of all 137 historical carries
• rebase_to_v1.13.2_report.md - Complete rebase guide with action plans

Commit Structure

e38631c78 Update vendor tree and go.sum for v1.13.2 dependencies
0e434676e Merge remote-tracking branch 'origin/main' into rebase-to-v1.13.2
4c07153bf UPSTREAM: <carry>: openshift: vendor deps + track vendor tree
f593a3381 UPSTREAM: <carry>: openshift: document vendor tree ignore rules
9b480cade UPSTREAM: <carry>: openshift: add ocp_dnsnameresolver plugin
bc8cbf21d UPSTREAM: <carry>: openshift: keep make test target for ci-operator
43e7411fe UPSTREAM: <carry>: openshift: disable dependabot
c4c04a7e0 UPSTREAM: <carry>: openshift: document downstream OWNERS metadata
b3357336a UPSTREAM: <carry>: openshift: restore automation metadata
0233f3e7c Add deprecation notice for geoip plugin's behavior of 0 (#7740) [v1.13.2 tag]

Next Steps

1. Code review - Assign team members from OWNERS
2. QE testing - Coordinate with QE team for comprehensive testing
3. Stakeholder review - Present changes to stakeholders
4. Merge - After all approvals

References

• Upstream v1.13.2 release: https://github.com/coredns/coredns/releases/tag/v1.13.2
• Previous rebase PR: NE-2194: Rebase to v1.13.1 report & rebase work #157 (v1.13.1)
• ocp_dnsnameresolver plugin: https://github.com/openshift/coredns-ocp-dnsnameresolver

---

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign candita for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment