SANDBOX-1357: update kube & openshift dependencies to 4.19

[rsoaresd]

Description

Update dependencies

Tool/Library	Current Version	Updates to Version
k8s.io/*	v0.31.2	v0.32.2
controller-runtime	v0.19.7	v0.20.4
controller-tools	v0.16.5	v0.17.2

Related PRs

• SANDBOX-1357: update kube & openshift dependencies to 4.19 api#484
• SANDBOX-1357: update kube & openshift dependencies to 4.19 toolchain-common#491
• SANDBOX-1357: update kube & openshift dependencies to 4.19  member-operator#696
• SANDBOX-1357: update kube & openshift dependencies to 4.19 host-operator#1196
• SANDBOX-1357: update kube & openshift dependencies to 4.19 registration-service#547
• SANDBOX-1357: update operator-sdk and operator-registry toolchain-cicd#151
• SANDBOX-1357: update kube & openshift dependencies to 4.19 kubesaw/ksctl#125

Issue ticket number and link

SANDBOX-1357

Summary by CodeRabbit

• Chores

  • Upgraded Go toolchain to 1.23.12 across build and CI images.
  • Migrated module to Go 1.23 and refreshed Kubernetes/OpenShift and related dependencies; added explicit replacements for forks.
  • Enabled an additional linter to improve code quality.
  • Cleared the ignored vulnerabilities list used by vulnerability scanning.

• Documentation

  • Bumped required Go version to 1.23.x in docs.
  • Updated required tool versions: operator-sdk to 1.40.0+ and opm to v1.55.0+.

[coderabbitai]

Warning

Rate limit exceeded

@rsoaresd has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 27 minutes and 39 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 703cf86 and ef5f210.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (4 hunks)

Walkthrough

Go toolchain and Docker images bumped to go1.23.12; go.mod updated with widespread dependency upgrades and replacements; linters enabled copyloopvar; vulnerability ignore list cleared; documentation updated for new required tool versions.

Changes

Cohort / File(s)	Change Summary
Linting Configuration .golangci.yml	Enabled the copyloopvar linter in linters.enable; no other linter settings changed.
Vulnerability Scanning Config .govulncheck.yaml	Removed previously listed ignored vulnerabilities and replaced the block with a single empty list: ignored-vulnerabilities: [].
Documentation: Prereqs and Tools README.adoc, required_tools.adoc	Bumped required tool versions: Go → 1.23.x (1.23.12+); operator-sdk → 1.40.0+; opm → v1.55.0+.
Docker Toolchain Bumps build/sandbox-ui/Dockerfile, openshift-ci/Dockerfile.tools	Updated GOLANG_VERSION to go1.23.12 and GOLANG_SHA256 to d3847fef...454f90; build steps unchanged.
Module / Dependency Graph go.mod	Upgraded go directive to 1.23.0, toolchain to go1.23.12; wide set of Kubernetes/OpenShift and indirect dependency upgrades; added explicit replace entries for forked modules (rsoaresd), and refreshed many indirects.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120+ minutes

Poem

I thump my paw — a toolchain bright,
New Go and deps leap into sight.
Lints sniff loops, old vulns depart,
Docs updated, builds restart.
Hop on, friends, the repo’s light! 🥕🐇

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly states the primary intent — upgrading Kubernetes and OpenShift dependencies to 4.19 and includes the ticket reference for traceability. The changeset (go.mod upgrades, Dockerfile/tooling updates, and documentation updates) aligns with that intent, so the title is clear, specific, and appropriate for history scanning.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, rsoaresd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [MatousJobanek,alexeykazakov,rsoaresd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

.govulncheck.yaml (1)

1-1: Add trailing newline to satisfy linters.

YAMLlint flags missing EOL.

Apply:

-ignored-vulnerabilities: []
+ignored-vulnerabilities: []
+

If CI previously ignored advisories, expect new findings; confirm pipeline status after this change.

openshift-ci/Dockerfile.tools (1)

58-60: Pin external tool versions (kustomize and oc) for reproducible builds.

curl | bash with moving latest bits risks drift.

Consider:

-# Install kustomize
-RUN curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash \
-    && mv kustomize /usr/local/bin
+# Install kustomize (pinned)
+ARG KUSTOMIZE_VERSION=5.4.3
+RUN curl -sSL -o /usr/local/bin/kustomize "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64" \
+ && chmod +x /usr/local/bin/kustomize

-# Install oc CLI
-RUN curl -LO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz && \
+## Install oc CLI (pin to OCP 4.19)
+ARG OCP_VERSION=4.19.0
+RUN curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OCP_VERSION}/openshift-client-linux.tar.gz" && \
     tar -xzvf openshift-client-linux.tar.gz -C /usr/local/bin oc && \
     chmod +x /usr/local/bin/oc && \
     rm -f openshift-client-linux.tar.gz

Also applies to: 69-72

build/sandbox-ui/Dockerfile (1)

34-36: Also pin kustomize and oc here to avoid “latest” drift.

Align with CI image pinning.

-# Install kustomize
-RUN curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash \
-    && mv kustomize /usr/local/bin
+# Install kustomize (pinned)
+ARG KUSTOMIZE_VERSION=5.4.3
+RUN curl -sSL -o /usr/local/bin/kustomize "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64" \
+ && chmod +x /usr/local/bin/kustomize

-# Install oc CLI
-RUN curl -LO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz && \
+## Install oc CLI (pin to OCP 4.19)
+ARG OCP_VERSION=4.19.0
+RUN curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OCP_VERSION}/openshift-client-linux.tar.gz" && \
     tar -xzvf openshift-client-linux.tar.gz -C /usr/local/bin oc && \
     chmod +x /usr/local/bin/oc && \
     rm -f openshift-client-linux.tar.gz

Also applies to: 45-48

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b44c578 and b75c2fa.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• .golangci.yml (1 hunks)
• .govulncheck.yaml (1 hunks)
• README.adoc (1 hunks)
• build/sandbox-ui/Dockerfile (1 hunks)
• go.mod (4 hunks)
• openshift-ci/Dockerfile.tools (1 hunks)
• required_tools.adoc (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

.govulncheck.yaml

[error] 1-1: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build & push Developer Sandbox UI image for UI e2e tests
• GitHub Check: Build & push operator bundles for e2e tests

🔇 Additional comments (10)

README.adoc (1)

10-10: Go 1.23.12 prerequisite—LGTM.

Matches go.mod/toolchain and Dockerfiles.

.golangci.yml (1)

33-33: copyloopvar enabled; no lint violations detected

required_tools.adoc (2)

2-2: Go 1.23.x tool requirement—LGTM.

---

4-4: Confirmed: operator-sdk v1.40 targets Kubernetes 1.32 (uses k8s.io/client-go v0.32.1); adjacent cluster versions supported per the client-go compatibility matrix.

openshift-ci/Dockerfile.tools (1)

12-13: Go 1.23.12 bump—LGTM.

build/sandbox-ui/Dockerfile (1)

11-12: Go 1.23.12 bump—LGTM.

go.mod (4)

26-31: K8s bumped to v0.32.3—description says 0.32.1.

Update PR description or pin to 0.32.1 if that was intended.

---

148-151: Go/toolchain directives—LGTM.

---

31-31: Compatibility confirmed: controller-runtime v0.20.4 is tested with client-go v0.32 (Kubernetes v1.32) and requires Go 1.23. (github.com)

---

144-147: Remove temporary replace directives before merging.

Verified that the module graph resolves and all packages build without these replaces; removing them prevents breaking downstream consumers.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

openshift/api pinned to release-4.19 commit—LGTM.

Ensure all OpenShift libs used (direct/indirect) align with 4.19 where applicable.

---

🏁 Script executed:

#!/bin/bash
# List resolved OpenShift modules and their versions
rg -nP '^github.com/openshift/' go.mod

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Search for openshift modules in go.mod (root and subdirectories)
rg -n 'github\.com/openshift/' -g '**/go.mod'

Length of output: 247

---

Annotate indirect OpenShift dependency
Line 102 of go.mod: add a comment above

github.com/openshift/library-go v0.0.0-20250826065405-6d18d1191f49 // indirect

e.g.

// using latest commit from 'github.com/openshift/library-go branch release-4.19'

and confirm the commit matches the 4.19 branch.

🤖 Prompt for AI Agents

In go.mod around lines 16 to 19, add a comment line immediately above the
existing github.com/openshift/library-go v0.0.0-20250826065405-6d18d1191f49 //
indirect entry that documents the source and branch, e.g. "// using latest
commit from 'github.com/openshift/library-go branch release-4.19'"; verify the
commit hash (6d18d1191f49) corresponds to the release-4.19 branch tag/commit in
the openshift/library-go repo and adjust the comment or dependency if it does
not match.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

opm v1.55.0+—verify it maps to OpenShift 4.19 tooling.

Sanity-check against OCP 4.19 release notes/matrix.

---

🌐 Web query:

Which opm version corresponds to OpenShift 4.19?

💡 Result:

Use the opm binary packaged for OCP 4.19 — e.g. opm 4.19.10 (tarballs named opm-4.19.* are provided on the OpenShift clients mirror). [1][2]

Sources: OpenShift 4.19 CLI docs (opm) [1]; OpenShift clients mirror listing showing opm-src/opm-windows 4.19.10 [2].

---

Update opm version to match OCP 4.19
In required_tools.adoc (lines 10–11), replace opm v1.55.0+ with the OCP 4.19–packaged binary (e.g. opm v4.19.10+).

🤖 Prompt for AI Agents

In required_tools.adoc around lines 10 to 11, the listed opm version is
incorrect for OCP 4.19; update the line that currently says "opm v1.55.0 +" to
the OCP 4.19–packaged opm version (for example "opm v4.19.10+"), ensuring the
version matches the OpenShift 4.19 binary and update any adjacent note if it
references the old version format.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

go.mod (1)

102-102: Annotate OpenShift library-go source (repeat of prior ask).

Add a branch note like for openshift/api to clarify it tracks release-4.19:

+	// using latest commit from 'github.com/openshift/library-go branch release-4.19'
 	github.com/openshift/library-go v0.0.0-20250826065405-6d18d1191f49 // indirect

To verify the commit is on release-4.19:

#!/bin/bash
set -euo pipefail
git ls-remote https://github.com/openshift/library-go.git refs/heads/release-4.19 | awk '{print $1}'
# Expect to find 6d18d1191f49 reachable on the release-4.19 branch (compare via GitHub UI if needed).

🧹 Nitpick comments (1)

go.mod (1)

54-55: json-patch/jsonpath bumps—fine.

Looks aligned with newer k8s deps. Consider running go mod tidy -compat=1.23 after all changes settle.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b75c2fa and 703cf86.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build & push Developer Sandbox UI image for UI e2e tests
• GitHub Check: Build & push operator bundles for e2e tests

🔇 Additional comments (5)

go.mod (5)

16-18: OpenShift 4.19 pin looks correct—nice.

The inline note + commit pin for openshift/api to release-4.19 reads well.

---

24-31: K8s modules at v0.32.3 vs PR summary (v0.32.1).

Either keep 0.32.3 and update the PR text, or downgrade to 0.32.1 for cross-repo consistency. Please confirm target. If you intend 0.32.1, apply:

-	k8s.io/api v0.32.3
-	k8s.io/apimachinery v0.32.3
-	k8s.io/client-go v0.32.3
-	k8s.io/kubectl v0.32.3
-	k8s.io/metrics v0.32.3
+	k8s.io/api v0.32.1
+	k8s.io/apimachinery v0.32.1
+	k8s.io/client-go v0.32.1
+	k8s.io/kubectl v0.32.1
+	k8s.io/metrics v0.32.1

---

61-70: go-openapi + google/btree updates—fine.

No issues spotted; these are common with newer kube-openapi.

---

132-141: Indirect k8s toolchain pins verified as coming from the Kubernetes 0.32.x transitive graph (no 1.33 bleed).

go mod graph shows k8s.io/api, client-go, cli-runtime, kubectl (all @v0.32.3) pulling k8s.io/kube-openapi and sigs.k8s.io/{json,kustomize,structured-merge-diff} at the versions listed in go.mod.

---

117-126: golang.org/x & protobuf bumps — run govulncheck and verify drift.

go mod graph shows top-level pins newer than k8s v0.32.3 (e.g. golang.org/x/net v0.38.0, golang.org/x/crypto v0.36.0, google.golang.org/protobuf v1.36.5) — justify these bumps or revert to k8s-aligned versions. govulncheck failed in the sandbox (govulncheck: command not found). Re-run locally (go install golang.org/x/vuln/cmd/govulncheck@latest; ensure $(go env GOPATH)/bin is in PATH) and attach govulncheck ./... output; if no vulns, document why the bumps are required.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Go toolchain: ok to keep go 1.23.0 with toolchain 1.23.12.

Confirm CI images/tooling already use 1.23.12 (AI summary suggests yes). No action if aligned.

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Sanity: ensure no other go.mod disagrees (monorepo style)
fd go.mod | xargs -I{} rg -n '^go ' {}

Length of output: 13

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) show go.mod go directive(s):"
rg -n --hidden -S '^go ' || true
echo

echo "2) check .github/workflows for actions/setup-go or explicit go versions (go-version / 1.23 / 1.23.12):"
if [ -d .github/workflows ]; then
  for wf in .github/workflows/*.{yml,yaml}; do
    [ -f "$wf" ] || continue
    echo "== $wf =="
    rg -n --hidden -S 'actions/setup-go|uses:.*actions/setup-go|with:.*go-version|with:.*version|go-version' "$wf" || true
    rg -n --hidden -S '1\.23(\.12)?' "$wf" || true
    echo
  done
else
  echo "No .github/workflows directory"
fi
echo

echo "3) search repo for explicit '1.23.12' or '1.23' mentions:"
rg -n --hidden -S '1\.23\.12|1\.23(\.|\b)' || true
echo

echo "4) search Dockerfiles for golang base images:"
rg -n --hidden -S 'FROM\s+golang:' || true
echo

echo "5) check other CI files (.circleci, .gitlab-ci.yml, cloudbuild):"
for f in .circleci/config.yml .gitlab-ci.yml cloudbuild.yaml cloudbuild.yml; do
  if [ -f "$f" ]; then
    echo "== $f =="
    rg -n --hidden -S 'actions/setup-go|setup-go|go-version|golang:|1\.23' "$f" || true
    echo
  fi
done

echo "done."

Length of output: 1842

---

CI will use go 1.23.0 unless workflows are changed — update CI or go.mod

go.mod currently says go 1.23.0 and toolchain go1.23.12; GitHub's setup-go with go-version-file: go.mod reads the go directive (and will use the exact patch if specified) and does not currently honor the toolchain directive, so workflows using go-version-file: go.mod will pick 1.23.0, not 1.23.12. (github.com)

• Fix: either set go-version: '1.23.12' in the setup-go steps in .github/workflows (e.g. ci-build.yml) or change go 1.23.0 → go 1.23.12 in go.mod so go-version-file resolves the desired patch. Files to check: go.mod (lines ~148-150) and .github/workflows/* (setup-go usage).

🤖 Prompt for AI Agents

In go.mod around lines 148–150 the module declares "go 1.23.0" while the
toolchain directive is "go1.23.12", which causes GitHub Actions using setup-go
with go-version-file: go.mod to pick 1.23.0; update either go.mod to "go
1.23.12" so go-version-file resolves the desired patch, or update your
.github/workflows/* setup-go steps to set go-version: '1.23.12' (or both for
clarity) and commit the change.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud