@rsoaresd rsoaresd commented Dec 17, 2025

Description

Update dependencies

| Tool/Library | Current Version | Updates to Version |
|---|---|---|
| k8s.io/* | v0.32.2 | v0.33.4 |
| controller-runtime | v0.20.4 | v0.21.0 |
| controller-tools | v0.17.3 | v0.18.0 |

NOTE THAT result.Requeue is deprecated

Related PRs

codeready-toolchain/api#495
codeready-toolchain/toolchain-common#503
codeready-toolchain/host-operator#1226
codeready-toolchain/toolchain-e2e#1239
codeready-toolchain/registration-service#565
codeready-toolchain/toolchain-cicd#165
kubesaw/ksctl#137
wa#311
https://github.com/codeready-toolchain/sandboxctl/pull/59
https://github.com/codeready-toolchain/sandbox-sre/pull/2815
https://github.com/codeready-toolchain/mcp-server-devsandbox/pull/49

Issue ticket number and link

SANDBOX-1465

Summary by CodeRabbit

  • Chores

    • Upgraded Go toolchain to 1.24.11 and aligned Kubernetes/OpenShift dependencies and tooling versions.
    • Updated CI/tooling images and module dependency versions for compatibility.
    • Adjusted kustomize scorecard configuration entries.
  • Documentation

    • Bumped required Go toolchain version in the README build instructions.
  • Configuration

    • Cleared previously ignored vulnerability entries in the vulnerability config.
  • Behavior

    • Reconcile timing now uses delayed requeue semantics (uses requeue-after timing).

coderabbitai bot commented Dec 17, 2025

Walkthrough

This PR clears ignored vulnerabilities, upgrades the Go toolchain and Docker toolchain image to Go 1.24, bumps many Go module and Kubernetes/OpenShift dependency versions, updates controller-gen Kubebuilder annotation versions in CRD metadata, and switches reconciler requeue usage from Requeue to RequeueAfter.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Vulnerability & Config: .govulncheck.yaml | Cleared ignored-vulnerabilities from populated entries to an empty array. |
| Go Tooling & Docs: README.adoc, openshift-ci/Dockerfile.tools | Bumped required Go/toolchain version from 1.23.x to 1.24.x (go1.24.11) and updated SHA256 in Dockerfile; README reflects new minimum Go version. |
| Go Module Dependencies: go.mod | Large dependency upgrades: Go version set to 1.24., multiple k8s.io / sigs.k8s.io / openshift/ and indirect dependency bumps across the module graph. |
| CRD Metadata Annotation Updates: config/crd/bases/..., config/crd/bases/toolchain.dev.openshift.com_* (idlers, memberoperatorconfigs, memberstatuses, nstemplatesets, spacebindingrequests, spacerequests, toolchainclusters, useraccounts, workspaces) | Updated controller-gen.kubebuilder.io/version annotation from v0.17.3 to v0.18.0 across CRD base YAML files (metadata-only changes). |
| Controller Requeue Semantics: controllers/idler/idler_controller.go, controllers/memberoperatorconfig/memberoperatorconfig_controller.go, controllers/useraccount/useraccount_controller.go | Reconcile results now use Result.RequeueAfter (timed requeue) instead of Result.Requeue = true; comments updated to reflect RequeueAfter semantics. |
| Tests: controllers/idler/idler_controller_test.go | Adjusted tests to stop asserting res.Requeue == true; tests rely on res.RequeueAfter and related conditions instead. |
| Kustomize / Scorecard: config/scorecard/kustomization.yaml | Replaced patchesJson6902 key with patches and added patches/olm.config.yaml entry. |

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

lgtm

Suggested reviewers

  • jrosental
  • rajivnathan
  • MatousJobanek
  • mfrancisc

Poem

🐰 From patch to patch I hop and spin,
Cleared ignores and set Go to 1.24 within,
Annotations bumped, requeues now delay,
Dependencies aligned—hip hop hooray! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: updating Kubernetes and OpenShift dependencies to version 4.20, which is the primary focus across go.mod, CRD files, and related configuration files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca97f04 and c4d9991.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • config/scorecard/kustomization.yaml
  • go.mod
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-09-02T10:28:33.280Z
Learnt from: fbm3307
Repo: codeready-toolchain/member-operator PR: 692
File: controllers/nstemplateset/nstemplatetier.go:137-141
Timestamp: 2025-09-02T10:28:33.280Z
Learning: In the member-operator codebase, MEMBER_OPERATOR_NAMESPACE is only used in OpenShift templates (with ${MEMBER_OPERATOR_NAMESPACE} syntax), not in go templates (which would use {{.MEMBER_OPERATOR_NAMESPACE}} syntax). Go templates in TierTemplateRevision resources use other parameters like SPACE_NAME, NAMESPACE, CONFIG_VALUE, etc., but not MEMBER_OPERATOR_NAMESPACE.

Applied to files:

  • go.mod
📚 Learning: 2026-01-02T20:13:02.289Z
Learnt from: MikelAlejoBR
Repo: codeready-toolchain/member-operator PR: 720
File: build/Dockerfile.debug:24-25
Timestamp: 2026-01-02T20:13:02.289Z
Learning: For debug builds in the member-operator repository, using `latest` for Delve installation is acceptable. The team prefers to keep Delve up-to-date in debug images and will only pin a specific version if compatibility issues with the Golang version arise.

Applied to files:

  • go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: GolangCI Lint
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
  • GitHub Check: Test with Coverage
🔇 Additional comments (5)
config/scorecard/kustomization.yaml (2)

10-15: The OLM patch file exists and is correctly structured.

The patches/olm.config.yaml file is present and contains valid RFC 6902 JSON patch operations that add five OLM-specific test configurations to the scorecard Configuration. Both the OLM and basic patches correctly target the same scorecard.operatorframework.io/v1alpha3 Configuration resource named config, and Kustomize will merge them appropriately using strategic merge.


3-3: LGTM: Kustomize patches field migration.

The migration from patchesJson6902 to patches aligns with modern Kustomize conventions and the controller-tools upgrade to v0.18.0. The scaffold marker is correctly updated to match. Both patch files (patches/basic.config.yaml and patches/olm.config.yaml) exist and are properly referenced with correct target specifications. Kustomize v5.6.0 fully supports this field format.

go.mod (3)

15-22: Kubernetes/OpenShift module versions are consistent.

All k8s.io core modules (api, client-go, apimachinery, apiextensions-apiserver, code-generator, kubectl, cli-runtime) are aligned at v0.33.4, and secondary tooling (controller-runtime v0.21.0, controller-tools v0.18.0) follows expected version alignment. This is well-coordinated.


129-129: Verify Go 1.24.4 compatibility with updated dependencies.

Go has been upgraded from 1.23.x to 1.24.4 (and toolchain to go1.24.11), which is a recent release. Ensure that all k8s.io v0.33.4 modules, openshift/api, and golang.org/x updates are fully compatible with Go 1.24.4, especially given the substantial indirect dependency changes (crypto, net, sys, tools, etc.).

Also applies to: 131-131


77-77: No action needed. The github.com/kylelemons/godebug v1.1.0 dependency is a legitimate transitive dependency from upstream modules (controller-runtime, prometheus/client_golang, openshift/library-go, and k8s.io packages). This package is a well-established debugging utility in the Go ecosystem with no security or licensing concerns.



go.mod Outdated
toolchain go1.23.12
toolchain go1.24.11

replace (
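
Review bot: the `replace (` block that opens on the last line is cut off here, so the modules it redirects cannot be checked from this hunk. A replace directive left in go.mod changes which source the build resolves for the replaced modules, so the block should be removed, or each entry justified, before this merges.
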
Contributor Author


temporary

@rsoaresd rsoaresd changed the title SANDBOX-1357: update kube & openshift dependencies to 4.20 SANDBOX-1465: update kube & openshift dependencies to 4.20 Dec 17, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7f4a5d0 and 8299c2a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (17)
  • .govulncheck.yaml (1 hunks)
  • README.adoc (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_idlers.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_memberoperatorconfigs.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_memberstatuses.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_nstemplatesets.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_spacebindingrequests.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_spacerequests.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_toolchainclusters.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_useraccounts.yaml (1 hunks)
  • config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml (1 hunks)
  • controllers/idler/idler_controller.go (1 hunks)
  • controllers/idler/idler_controller_test.go (0 hunks)
  • controllers/memberoperatorconfig/memberoperatorconfig_controller.go (1 hunks)
  • controllers/useraccount/useraccount_controller.go (2 hunks)
  • go.mod (5 hunks)
  • openshift-ci/Dockerfile.tools (1 hunks)
💤 Files with no reviewable changes (1)
  • controllers/idler/idler_controller_test.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: GolangCI Lint
  • GitHub Check: Test with Coverage
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🔇 Additional comments (15)
config/crd/bases/toolchain.dev.openshift.com_memberstatuses.yaml (1)

6-6: LGTM!

Controller-gen version annotation update from v0.17.3 to v0.18.0 is consistent with the controller-tools upgrade.

config/crd/bases/toolchain.dev.openshift.com_toolchainclusters.yaml (1)

6-6: LGTM!

Controller-gen version annotation update is consistent with the controller-tools upgrade.

config/crd/bases/toolchain.dev.openshift.com_memberoperatorconfigs.yaml (1)

6-6: LGTM!

Controller-gen version annotation update is consistent with the controller-tools upgrade.

config/crd/bases/toolchain.dev.openshift.com_idlers.yaml (1)

6-6: LGTM!

Controller-gen version annotation update is consistent with the controller-tools upgrade.

config/crd/bases/toolchain.dev.openshift.com_spacebindingrequests.yaml (1)

6-6: LGTM!

Controller-gen version annotation update is consistent with the controller-tools upgrade.

config/crd/bases/toolchain.dev.openshift.com_nstemplatesets.yaml (1)

6-6: LGTM! CRD regeneration verified.

All CRD files have been consistently regenerated with controller-gen v0.18.0. The version annotation update in the metadata is correct across all 9 CRDs in config/crd/bases/, confirming proper regeneration as part of the controller-tools upgrade.

config/crd/bases/toolchain.dev.openshift.com_useraccounts.yaml (1)

6-6: LGTM!

The Kubebuilder controller-gen version annotation update aligns with the controller-tools upgrade in go.mod (v0.17.3 → v0.18.0).

README.adoc (1)

13-13: LGTM!

The Go version requirement update is consistent with the go.mod and Dockerfile.tools updates in this PR.

config/crd/bases/toolchain.dev.openshift.com_spacerequests.yaml (1)

6-6: LGTM!

Kubebuilder annotation update is consistent with the controller-tools upgrade across all CRD files.

controllers/useraccount/useraccount_controller.go (2)

8-9: LGTM!

Minor import formatting change, likely from auto-formatting.


68-68: LGTM!

The comment update accurately reflects the requeue semantics. The change aligns with the PR description noting that result.Requeue is deprecated.

config/crd/bases/toolchain.dev.openshift.com_workspaces.yaml (1)

6-6: LGTM!

Kubebuilder annotation update is consistent with the controller-tools upgrade.

go.mod (1)

128-130: LGTM!

Go toolchain version updates are consistent with the README and Dockerfile changes.

openshift-ci/Dockerfile.tools (1)

12-13: SHA256 hash for Go 1.24.11 is correct. The provided hash matches the official Go distribution and maintains supply chain security.

.govulncheck.yaml (1)

1-1: This file was newly created in the initial commit with an empty vulnerabilities list. There were no previously ignored vulnerabilities, so no verification is needed.

Likely an incorrect or invalid review comment.

// Note:
// The Controller will requeue the Request to be processed again if the returned error is non-nil or
// Result.Requeue is true, otherwise upon completion it will remove the work from the queue.
// Result.Requeue > 0 is true, otherwise upon completion it will remove the work from the queue.

⚠️ Potential issue | 🟡 Minor

Incorrect comment syntax.

The comment states "Result.Requeue > 0 is true", but Result.Requeue is a boolean field. The comparison operator > cannot be applied to a boolean type.

Apply this fix to correct the comment:

-// Result.Requeue > 0 is true, otherwise upon completion it will remove the work from the queue.
+// Result.Requeue is true or Result.RequeueAfter > 0, otherwise upon completion it will remove the work from the queue.
🤖 Prompt for AI Agents
controllers/memberoperatorconfig/memberoperatorconfig_controller.go around line
48: the inline comment incorrectly suggests using "Result.Requeue > 0" which
implies numeric comparison on a boolean; change the comment to state that
Result.Requeue is a boolean (e.g. "Result.Requeue is true" or "Result.Requeue ==
true") and/or rephrase to "when Result.Requeue is true the item will be
requeued" so it no longer uses the '>' operator.

@@ -1,4 +1,4 @@
OWNER_AND_BRANCH_LOCATION=codeready-toolchain/toolchain-cicd/master
OWNER_AND_BRANCH_LOCATION=rsoaresd/toolchain-cicd/update_4_20_cicd
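
Review bot: the second OWNER_AND_BRANCH_LOCATION line points at a personal fork branch, rsoaresd/toolchain-cicd/update_4_20_cicd, in place of codeready-toolchain/toolchain-cicd/master. Anything resolved through this variable then comes from a branch outside the organization's repository, so restore the codeready-toolchain/toolchain-cicd/master value before merge.
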
Contributor Author


temporary

@rsoaresd
Contributor Author

/retest

flaky test

codecov bot commented Dec 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.29%. Comparing base (7f4a5d0) to head (c4d9991).
⚠️ Report is 1 commits behind head on master.

❌ Your changes status has failed because you have indirect coverage changes. Learn more about Unexpected Coverage Changes and reasons for indirect coverage changes.

Additional details and impacted files
@@             Coverage Diff             @@
##           master     #718       +/-   ##
===========================================
- Coverage   82.53%   63.29%   -19.24%     
===========================================
  Files          48       48               
  Lines        3596     3594        -2     
===========================================
- Hits         2968     2275      -693     
- Misses        477     1171      +694     
+ Partials      151      148        -3     
| Files with missing lines | Coverage Δ | |
|---|---|---|
| controllers/idler/idler_controller.go | 92.37% <ø> (-0.04%) | ⬇️ |
| ...roperatorconfig/memberoperatorconfig_controller.go | 75.00% <ø> (ø) | |
| controllers/useraccount/useraccount_controller.go | 84.34% <ø> (+0.21%) | ⬆️ |

... and 11 files with indirect coverage changes


// Note:
// The Controller will requeue the Request to be processed again if the returned error is non-nil or
// Result.Requeue is true, otherwise upon completion it will remove the work from the queue.
// Result.RequeueAfter > 0 is true, otherwise upon completion it will remove the work from the queue.
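
Review bot: on the last line, "Result.RequeueAfter > 0 is true" keeps an "is true" left over from the old boolean wording, so the condition reads as a comparison of a comparison. Suggest "// Result.RequeueAfter > 0, otherwise upon completion it will remove the work from the queue."
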
Contributor


btw, idler controller still uses the Result.Requeue - shouldn't it be removed?

Contributor Author


Yes, thanks!! It was a leftover
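
The leftover discussed in the thread above (a Result.Requeue use surviving the move to RequeueAfter) can be caught mechanically. This is an added example, not code from this PR or from controller-runtime: it walks the Go AST with the standard library only and reports Requeue keys in Result literals and .Requeue selectors. The sample source and the names Finding, FindRequeueUses and isResultType are constructed for illustration, and matching is by name only, not by resolved type.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding is one place where a field named Requeue is still used.
type Finding struct {
	Line int
	Kind string // "literal" for Result{Requeue: ...}, "selector" for res.Requeue
}

// sample is constructed for this example; it is not taken from the repository.
const sample = `package idler

func before() (reconcile.Result, error) {
	return reconcile.Result{Requeue: true}, nil
}

func after() (reconcile.Result, error) {
	return reconcile.Result{RequeueAfter: time.Second}, nil
}

func check(res reconcile.Result) bool {
	return res.Requeue
}
`

// isResultType matches a literal type named Result, qualified or not (by name only).
func isResultType(e ast.Expr) bool {
	if sel, ok := e.(*ast.SelectorExpr); ok {
		e = sel.Sel
	}
	id, ok := e.(*ast.Ident)
	return ok && id.Name == "Result"
}

// FindRequeueUses parses src (syntax only, no type checking) and reports
// Requeue keys in Result literals and .Requeue selectors; RequeueAfter never matches.
func FindRequeueUses(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, parser.SkipObjectResolution)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch v := n.(type) {
		case *ast.CompositeLit:
			if !isResultType(v.Type) {
				return true
			}
			for _, elt := range v.Elts {
				if kv, ok := elt.(*ast.KeyValueExpr); ok {
					if id, ok := kv.Key.(*ast.Ident); ok && id.Name == "Requeue" {
						out = append(out, Finding{Line: fset.Position(id.Pos()).Line, Kind: "literal"})
					}
				}
			}
		case *ast.SelectorExpr:
			if v.Sel.Name == "Requeue" {
				out = append(out, Finding{Line: fset.Position(v.Sel.Pos()).Line, Kind: "selector"})
			}
		}
		return true
	})
	return out, nil
}

func main() {
	fmt.Println(FindRequeueUses("sample.go", sample))
}
```

Because the match is syntactic, a field named Requeue on an unrelated type is reported too; a type-aware linter run is the stricter check.
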


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
make/run-cicd-script.mk (1)

11-11: Update comment to reflect current branch.

The comment references "master" but line 1 currently points to the update_4_20_cicd branch. While this entire change is temporary, the comment should be accurate or generic (e.g., "using version from configured branch").

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 8299c2a and 5c67df1.

📒 Files selected for processing (4)
  • controllers/idler/idler_controller.go (1 hunks)
  • controllers/memberoperatorconfig/memberoperatorconfig_controller.go (1 hunks)
  • controllers/useraccount/useraccount_controller.go (2 hunks)
  • make/run-cicd-script.mk (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • controllers/memberoperatorconfig/memberoperatorconfig_controller.go
  • controllers/idler/idler_controller.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🔇 Additional comments (1)
controllers/useraccount/useraccount_controller.go (1)

68-68: LGTM! Correctly migrated from deprecated Result.Requeue to RequeueAfter.

The changes properly address the deprecation of Result.Requeue by using RequeueAfter: time.Second, which maintains the postponed reconciliation behavior while aligning with controller-runtime v0.21.0 best practices. The documentation comment on line 68 has also been updated to reflect this change.

Also applies to: 140-142

@MatousJobanek MatousJobanek left a comment


Thanks

openshift-ci bot commented Dec 22, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, rsoaresd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,alexeykazakov,rsoaresd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 5c67df1 and ca97f04.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🔇 Additional comments (4)
go.mod (4)

15-22: Kubernetes and OpenShift dependency consistency looks good.

All k8s.io/* dependencies are consistently pinned to v0.33.4, and sigs.k8s.io/controller-runtime is at v0.21.0 with matching versions for related tooling (controller-tools v0.18.0, kustomize/v5 v5.6.0). The comment on line 8-9 clarifies that openshift/api is sourced from the release-4.20 branch, which aligns with the PR objectives.


4-5: Confirm parallel upstream repository updates referenced in PR objectives.

The codeready-toolchain internal modules (api, toolchain-common) and openshift/api are pinned to recent pseudo-versions with no go.sum conflicts. Verify that the related pull requests listed in the PR objectives document corresponding updates to these upstream repositories at the versions specified (api: 20260108101803, toolchain-common: 20260108104612, openshift/api: 20251202204302).


128-130: Verify result.Requeue usage with controller-runtime v0.21.0 upgrade.

controller-runtime v0.21.0 deprecated the Result.Requeue field. If the codebase uses this field, it must be migrated to RequeueAfter or return a non-nil error for immediate requeue. Go 1.24 maintains backward compatibility with nearly all existing code, so the version bump itself is not a blocking concern.


20-20: No action required — the codebase does not use the deprecated result.Requeue = true pattern. All usages already employ result.RequeueAfter, which is compatible with controller-runtime v0.21.0.

sonarqubecloud bot commented Jan 8, 2026

@rsoaresd rsoaresd merged commit b749e61 into codeready-toolchain:master Jan 8, 2026
13 of 16 checks passed