
Conversation

@rsoaresd
Contributor

@rsoaresd rsoaresd commented Sep 4, 2025

Description

Update dependencies

Tool/Library          Current Version   Updates to Version
k8s.io/*              v0.31.2           v0.32.2
controller-runtime    v0.19.7           v0.20.4
controller-tools      v0.16.5           v0.17.2

Related PRs

Issue ticket number and link

SANDBOX-1357

Summary by CodeRabbit

  • Documentation
    • Updated build requirements to Go 1.23.x (1.23.12 or higher).
  • Chores
    • Upgraded Go toolchain and build images to 1.23.12.
    • Refreshed dependency set to newer compatible versions across the ecosystem.
    • Enabled an additional static analysis rule to improve code quality.
    • Cleared the vulnerability ignore list to reflect current status.

@coderabbitai

coderabbitai bot commented Sep 4, 2025

Walkthrough

Bump Go toolchain to 1.23.12 (docs and CI), enable the copyloopvar linter, clear the ignored-vulnerabilities list in .govulncheck.yaml, and upgrade numerous dependencies (notably Kubernetes/OpenShift-related) in go.mod.

Changes

Cohort / File(s): Summary of Changes

Linting config (.golangci.yml): Enabled the copyloopvar linter; no other linter settings changed.

Vulnerability scanning config (.govulncheck.yaml): Replaced the ignored-vulnerabilities block with an empty list; removed previously listed entries (GO-2025-3563, GO-2025-3595, GO-2025-3750, GO-2025-3751).

Toolchain docs (README.adoc): Updated required Go version from 1.22.x (1.22.12+) to 1.23.x (1.23.12+).

Dependencies and module config (go.mod): Bumped Go version to go 1.23 / toolchain go1.23.12; upgraded many dependencies (k8s.io/*, sigs.k8s.io/controller-runtime v0.20.4, go.uber.org/zap v1.27.0, spf13/pflag v1.0.6, google.golang.org/protobuf v1.36.1, evanphx/json-patch v5.9.11, and many golang.org/x/*, kube-openapi and OpenShift/Kubernetes-related modules); added/updated various indirect modules (e.g., github.com/google/btree v1.1.3); removed several older indirect revisions.

CI tooling image (openshift-ci/Dockerfile.tools): Bumped GOLANG_VERSION to go1.23.12 and updated GOLANG_SHA256 to the corresponding checksum; no other Dockerfile changes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I nibble the diff beneath the moonlit tree,
Go bumped and linters whisper "copy me."
Modules stretch, vulnerabilities swept away,
CI hums softly, ready for the day.
A little hop — the repo feels free. 🥕🐇


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 48279d2 and 6145c9e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (5 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 163-163: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 163-163: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: GolangCI Lint
  • GitHub Check: Build & push operator bundles for e2e tests
  • GitHub Check: Test with Coverage
🔇 Additional comments (5)
go.mod (5)

3-5: Go 1.23 upgrade looks consistent.

Go directive and toolchain align with the stated toolchain bump. LGTM.


9-10: Upstream modules pinned via pseudo‑versions — OK.

No forbidden replace directives remain; good for CI and reproducibility.


16-20: Kubernetes/OCP 4.19 alignment looks right.

k8s v0.32.2 across api/apimachinery/client-go, controller‑runtime v0.20.4, kustomize v0.18.x, kube‑openapi/json/structured‑merge‑diff updated accordingly. LGTM.

Also applies to: 115-120, 172-174


38-39: Minor lib bumps acknowledged.

pflag v1.0.6 and zap v1.27.0 are safe, compatible upgrades. LGTM.


152-154: Do not change the comment to "release-4.19" — the pinned commit 5b2b8cafdd82 is not on that branch.
Verification: cloning openshift/api and fetching release-4.19 returned "Commit not on release-4.19".
Action: update the comment to the branch that actually contains 5b2b8cafdd82, or pin a commit that is on release-4.19 (go.mod, lines 152–154).

Likely an incorrect or invalid review comment.



Pre-merge checks

✅ Passed checks (3 passed)
Title Check: ✅ Passed. The PR title clearly and concisely describes the primary change (updating Kubernetes and OpenShift dependencies to the 4.19 line), which matches the dependency upgrades in go.mod and related files; ancillary edits (Go toolchain bump, lint config, govulncheck, README) are secondary and do not make the title misleading.
Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
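The Dockerfile.tools bump in the walkthrough above pins the Go toolchain tarball by GOLANG_VERSION and GOLANG_SHA256, and a later review comment asks for the checksum to be confirmed by hand. The Go program below is an added example, not code from the codeready-toolchain repository: it reads the pinned values out of a Dockerfile and compares the SHA-256 of a local tarball against the pin, rejecting a malformed pin as well as a mismatch. Only the two variable names and the go1.23.12 digest are taken from this page; the `ARG NAME=VALUE` layout, the base image and the curl line in the embedded fragment are assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"
)

// dockerfileFragment is a constructed stand-in for openshift-ci/Dockerfile.tools.
// The ARG names and the go1.23.12 digest are the ones quoted in the review; the
// base image, the ARG syntax and the RUN line are assumptions for this example.
const dockerfileFragment = `FROM registry.example.com/ci/base:latest
ARG GOLANG_VERSION=go1.23.12
ARG GOLANG_SHA256=d3847fef834e9db11bf64e3fb34db9c04db14e068eeb064f49af747010454f90
RUN curl -fsSLo go.tar.gz "https://go.dev/dl/${GOLANG_VERSION}.linux-amd64.tar.gz"
`

// PinnedArgs collects every `ARG NAME=VALUE` / `ENV NAME=VALUE` pair so the
// verifier and the image build read the same pinned values.
func PinnedArgs(dockerfile string) map[string]string {
	pins := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || (fields[0] != "ARG" && fields[0] != "ENV") {
			continue
		}
		if name, value, ok := strings.Cut(fields[1], "="); ok {
			pins[name] = strings.Trim(value, `"'`)
		}
	}
	return pins
}

// FileSHA256 hashes a file in streaming fashion; a toolchain tarball is tens of
// megabytes, so the whole file is never held in memory.
func FileSHA256(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// VerifyPin fails on a pin that is not a well-formed 32-byte hex digest (a
// truncated or mistyped pin would otherwise just never match anything) and on
// a digest mismatch.
func VerifyPin(path, pinnedHex string) error {
	want, err := hex.DecodeString(strings.ToLower(strings.TrimSpace(pinnedHex)))
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("pinned value %q is not a SHA-256 digest", pinnedHex)
	}
	got, err := FileSHA256(path)
	if err != nil {
		return err
	}
	if !bytes.Equal(got, want) {
		return fmt.Errorf("%s: sha256 %x does not match pinned %x", path, got, want)
	}
	return nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: verifypin <go-toolchain.tar.gz>")
		os.Exit(2)
	}
	pins := PinnedArgs(dockerfileFragment)
	if err := VerifyPin(os.Args[1], pins["GOLANG_SHA256"]); err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
	fmt.Printf("OK: %s matches the %s pin\n", os.Args[1], pins["GOLANG_VERSION"])
}
```

Run it as `go run . go1.23.12.linux-amd64.tar.gz` on the tarball downloaded from go.dev; the same check can run in the CI image, which lacks sha256sum and openssl, because it needs nothing beyond the Go standard library.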

@codecov

codecov bot commented Sep 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.88%. Comparing base (7d6641d) to head (6145c9e).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #547   +/-   ##
=======================================
  Coverage   80.88%   80.88%           
=======================================
  Files          46       46           
  Lines        3563     3563           
=======================================
  Hits         2882     2882           
  Misses        595      595           
  Partials       86       86           
Flag Coverage Δ
unittests 80.88% <ø> (ø)


go.mod Outdated
sigs.k8s.io/yaml v1.4.0 // indirect
)

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499
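Review bot: the replace directive on the last line of this block points github.com/codeready-toolchain/api at a personal fork (github.com/rsoaresd/api, pseudo-version 20250904111715-ce08642a4499); the ci-check-gomod job rejects any replacement in go.mod, and building against a fork also makes the module graph unreproducible from the canonical repository. Drop the replace once the upstream api change lands and move the require line to the upstream pseudo-version with `go get github.com/codeready-toolchain/api@<commit>` (the `<commit>` placeholder is used here because the upstream hash is not on this page).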
Contributor Author


temporary


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
README.adoc (1)

12-12: Align README version wording with toolchain pin and modern link.

Since go.mod pins toolchain go1.23.12, consider stating “Requires Go 1.23.12” (drop “or higher”) to avoid confusion, and switch link to go.dev.

-Requires Go version 1.23.x (1.23.12 or higher) - download for your development environment https://golang.org/dl/[here].
+Requires Go version 1.23.12 - download for your development environment https://go.dev/dl/[here].
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 282d854 and 1367bab.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
  • .golangci.yml (1 hunks)
  • .govulncheck.yaml (0 hunks)
  • README.adoc (1 hunks)
  • go.mod (6 hunks)
  • openshift-ci/Dockerfile.tools (1 hunks)
💤 Files with no reviewable changes (1)
  • .govulncheck.yaml
🧰 Additional context used
🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 161-161: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 161-161: golang.org/x/crypto 0.32.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)


[HIGH] 163-163: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 163-163: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🪛 GitHub Actions: ci-check-gomod
go.mod

[error] 1-1: Disallowed module replacement detected in go.mod: the above replacement(s) are not allowed in go.mod.

🔇 Additional comments (5)
.golangci.yml (1)

33-33: Good call enabling copyloopvar.
This will catch common goroutine/closure capture bugs. Please run golangci-lint run locally to surface any new findings and address them before merging.

openshift-ci/Dockerfile.tools (1)

12-13: Manual SHA256 Verification Required (openshift-ci/Dockerfile.tools lines 12–13)
CI images lack sha256sum/openssl; download https://go.dev/dl/go1.23.12.linux-amd64.tar.gz locally and run sha256sum to confirm it matches
d3847fef834e9db11bf64e3fb34db9c04db14e068eeb064f49af747010454f90. Ensure image rebuilds use this exact version.

go.mod (3)

3-6: Go 1.23 + toolchain pin looks good.

The go 1.23.0 with toolchain go1.23.12 pairing is consistent with the repo docs and Dockerfile.


152-154: openshift/api branch note likely stale vs PR goal (4.19).

The inline comment still says “release-4.16” while the PR aims at 4.19. Please confirm the commit is from release-4.19 or update either the dependency or the comment accordingly.


16-19: Mod tidy and vendor completed—deps aligned
go.mod and vendor have been updated; all k8s.io/* modules are at v0.32.1 and sigs.k8s.io/controller-runtime is v0.20.4, with transitive deps (apiextensions-apiserver, kube-openapi, klog, json, etc.) matching.
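The copyloopvar remark in the review above is easiest to see in code. The program below is an added example, not code from the codeready-toolchain repository: with go 1.22 or later declared in go.mod every `for` iteration gets its own loop variable, so the old `i := i` copy that copyloopvar flags is redundant. Because the semantics depend on the go directive of the module being compiled rather than on the toolchain, the program first checks empirically which semantics it was built with, then builds closures with and without the copy.

```go
package main

import "fmt"

// Added example, not code from the codeready-toolchain repository.
// Before Go 1.22 a for loop declared a single variable shared by all
// iterations, so closures and goroutines capturing it saw its final value and
// the idiomatic fix was a per-iteration copy (`i := i`). Once go.mod declares
// go 1.22 or later, every iteration gets a fresh variable, the copy is
// redundant, and copyloopvar (enabled in this PR) reports it.

// perIterationLoopVars reports which semantics the compiled module uses, by
// checking whether the loop variable has a different address in each iteration.
func perIterationLoopVars() bool {
	var addrs []*int
	for i := 0; i < 2; i++ {
		addrs = append(addrs, &i)
	}
	return addrs[0] != addrs[1]
}

// capturedWithoutCopy captures the loop variable directly: [0 1 2] under
// Go 1.22+ semantics, [3 3 3] under the pre-1.22 shared-variable semantics.
func capturedWithoutCopy() []int {
	var fns []func() int
	for i := 0; i < 3; i++ {
		fns = append(fns, func() int { return i })
	}
	return callAll(fns)
}

// capturedWithCopy is the old workaround; the shadowing copy is exactly what
// copyloopvar flags as unnecessary once go.mod says go 1.22 or later.
func capturedWithCopy() []int {
	var fns []func() int
	for i := 0; i < 3; i++ {
		i := i
		fns = append(fns, func() int { return i })
	}
	return callAll(fns)
}

// callAll invokes the closures after the loop has finished, which is when the
// difference between the two semantics becomes visible.
func callAll(fns []func() int) []int {
	out := make([]int, 0, len(fns))
	for _, f := range fns {
		out = append(out, f())
	}
	return out
}

func main() {
	fmt.Println("per-iteration loop variables:", perIterationLoopVars())
	fmt.Println("captured without copy:", capturedWithoutCopy())
	fmt.Println("captured with copy:   ", capturedWithCopy())
}
```

The same capture pattern with `go func() { ... }()` instead of a stored closure is the goroutine bug the review alludes to; the copy only mattered while the loop variable was shared, which is why the linter becomes safe to enable in the same PR that moves go.mod past 1.22.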

go.mod Outdated
Comment on lines 161 to 167
golang.org/x/crypto v0.32.0 // indirect
golang.org/x/net v0.34.0 // indirect
golang.org/x/oauth2 v0.23.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/term v0.27.0 // indirect
golang.org/x/sys v0.29.0 // indirect
golang.org/x/term v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
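Review bot: golang.org/x/sys and golang.org/x/term appear twice in this hunk because the rendering dropped the -/+ markers (v0.28.0 and v0.27.0 are the removed lines, v0.29.0 and v0.28.0 the added ones), while golang.org/x/crypto v0.32.0 and golang.org/x/oauth2 v0.23.0 are neither removed nor bumped even though OSV flags both as HIGH on these same lines. Since all of them are `// indirect`, bump them with `go get golang.org/x/crypto@v0.35.0 golang.org/x/oauth2@v0.27.0 && go mod tidy` (the patched versions quoted in this thread) rather than hand-editing the require lines, so go.sum and any transitive pins move together.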

💡 Verification agent

🧩 Analysis chain

Address high-severity advisories in x/crypto and x/oauth2.

OSV flags DoS issues at the pinned versions. Please bump to patched versions.

Also applies to: 163-163


🌐 Web query:

What are the latest patched versions for:
- golang.org/x/crypto (advisories GO-2025-3487 / GHSA-hcg3-q754-cr77)?
- golang.org/x/oauth2 (advisories GO-2025-3488 / GHSA-6v2p-p543-phr9)?

💡 Result:

  • golang.org/x/crypto — patched in v0.35.0. [1]
  • golang.org/x/oauth2 — patched in v0.27.0. [2]

Sources:
[1] pkg.go.dev vuln GO-2025-3487 / GitHub advisory GHSA-hcg3-q754-cr77.
[2] pkg.go.dev / OSV / GitHub advisory GHSA-6v2p-p543-phr9 (GO-2025-3488).


Bump x/crypto and x/oauth2 to patched versions

go.mod
• Line 161: update golang.org/x/crypto from v0.32.0 → v0.35.0
• Line 163: update golang.org/x/oauth2 from v0.23.0 → v0.27.0

These versions address OSV advisories GO-2025-3487 and GO-2025-3488.

🧰 Tools
🪛 OSV Scanner (2.1.0)

[HIGH] 161-161: golang.org/x/crypto 0.32.0: Potential denial of service in golang.org/x/crypto

(GO-2025-3487)


[HIGH] 161-161: golang.org/x/crypto 0.32.0: golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

(GHSA-hcg3-q754-cr77)


[HIGH] 163-163: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 163-163: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🤖 Prompt for AI Agents
In go.mod around lines 161 to 167, the indirect dependencies golang.org/x/crypto
and golang.org/x/oauth2 are out of date and need security patches; update
golang.org/x/crypto from v0.32.0 to v0.35.0 and golang.org/x/oauth2 from v0.23.0
to v0.27.0, run go get or edit the go.mod entries accordingly, then run go mod
tidy and run your test/CI to ensure modules resolve correctly.

@openshift-ci

openshift-ci bot commented Sep 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, MatousJobanek, rsoaresd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [MatousJobanek,alexeykazakov,rsoaresd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
go.mod (2)

178-180: Remove disallowed replace directives (CI blocker).

The ci-check-gomod job is failing due to local fork replacements. Drop them before merge.

Apply:

-replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250910155735-270447f471cd
-
-replace github.com/codeready-toolchain/toolchain-common => github.com/rsoaresd/toolchain-common v0.0.0-20250910164142-aabf15684683

161-167: Bump golang.org/x/oauth2 to ≥ v0.27.0 (security)

v0.23.0 is affected by GO-2025-3488 (GHSA-6v2p-p543-phr9); upgrade to v0.27.0 or later.

Apply:

-	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect

File: go.mod — line 163.

🧹 Nitpick comments (2)
.govulncheck.yaml (1)

1-1: Add trailing newline to satisfy YAMLlint.

Fix the “no new line at end of file” linter error.

Apply:

-ignored-vulnerabilities: []
+ignored-vulnerabilities: []
+
go.mod (1)

16-19: Align all Kubernetes modules to the same patch level.

You’re on k8s.io/{api,apimachinery,client-go} v0.32.2 but cli-runtime/kubectl are v0.32.1. Prefer keeping all k8s 0.32.x modules on the same patch to avoid subtle incompatibilities.

Apply:

-	k8s.io/cli-runtime v0.32.1 // indirect
-	k8s.io/kubectl v0.32.1 // indirect
+	k8s.io/cli-runtime v0.32.2 // indirect
+	k8s.io/kubectl v0.32.2 // indirect

Also applies to: 115-121

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef1d5f6 and 48279d2.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • .govulncheck.yaml (1 hunks)
  • go.mod (6 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.govulncheck.yaml

[error] 1-1: no new line character at the end of file

(new-line-at-end-of-file)

🪛 OSV Scanner (2.1.0)
go.mod

[HIGH] 163-163: golang.org/x/oauth2 0.23.0: Unexpected memory consumption during token parsing in golang.org/x/oauth2

(GO-2025-3488)


[HIGH] 163-163: golang.org/x/oauth2 0.23.0: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

(GHSA-6v2p-p543-phr9)

🪛 GitHub Actions: ci-check-gomod
go.mod

[error] 1-1: Disallowed go.mod replacements detected. The CI step failed due to replacements in go.mod: 'github.com/codeready-toolchain/api' => 'github.com/rsoaresd/api' and 'github.com/codeready-toolchain/toolchain-common' => 'github.com/rsoaresd/toolchain-common'. The log contains: 'the above replacement(s) are not allowed in go.mod'.

🔇 Additional comments (3)
.govulncheck.yaml (1)

1-1: Good cleanup: stop suppressing advisories.

Empty ignore list will surface real issues in CI. No further changes needed here.

go.mod (2)

3-5: Toolchain bump looks consistent.

go 1.23.0 + toolchain go1.23.12 matches the Dockerfile/README updates.


161-161: x/crypto already on a patched release.

v0.36.0 is beyond the patched v0.35.0 for recent DoS advisories. No action needed.
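Two of the points in the review above, the disallowed replace directives and the k8s.io/* patch-level skew, are mechanical enough to check before pushing. The Go program below is an added example, not the repository's ci-check-gomod job (whose implementation is not on this page): it parses a constructed go.mod that mirrors the state reviewed here, reports any replace that redirects a module to a different owner, and reports k8s.io/* modules that are not all on the same version. The module name and the codeready-toolchain/api pseudo-version in the sample are made up; the k8s.io versions and the fork replace line are the ones quoted in this thread.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGoMod is constructed for this example; k8s.io versions and the replace
// line mirror the review findings, the module name and api pseudo-version are made up.
const sampleGoMod = `module github.com/example/host-operator

require (
	github.com/codeready-toolchain/api v0.0.0-20250820120000-0123456789ab
	k8s.io/api v0.32.2
	k8s.io/apimachinery v0.32.2
	k8s.io/client-go v0.32.2
	sigs.k8s.io/controller-runtime v0.20.4
)

require (
	golang.org/x/oauth2 v0.23.0 // indirect
	k8s.io/cli-runtime v0.32.1 // indirect
	k8s.io/kubectl v0.32.1 // indirect
)

replace github.com/codeready-toolchain/api => github.com/rsoaresd/api v0.0.0-20250904111715-ce08642a4499
`

type Require struct{ Path, Version string }
type Replace struct{ Old, New, Version string }

// ParseGoMod handles block and single-line require/replace; other directives are skipped.
func ParseGoMod(src string) (reqs []Require, reps []Replace) {
	block := ""
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop comments, incl. "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == ")":
			block = ""
			continue
		case strings.HasSuffix(line, "("):
			block = strings.TrimSpace(strings.TrimSuffix(line, "("))
			continue
		}
		kw, rest := block, line
		if kw == "" { // single-line directive: the first word is the keyword
			kw, rest, _ = strings.Cut(line, " ")
		}
		switch kw {
		case "require":
			if f := strings.Fields(rest); len(f) == 2 {
				reqs = append(reqs, Require{f[0], f[1]})
			}
		case "replace":
			old, nw, ok := strings.Cut(rest, "=>")
			of, nf := strings.Fields(old), strings.Fields(nw)
			if ok && len(of) > 0 && len(nf) > 0 {
				r := Replace{Old: of[0], New: nf[0]}
				if len(nf) > 1 {
					r.Version = nf[1]
				}
				reps = append(reps, r)
			}
		}
	}
	return reqs, reps
}

// ForkReplacements lists replaces whose target has a different host/owner
// prefix than the original, e.g. an upstream module redirected to a fork.
func ForkReplacements(reps []Replace) (out []Replace) {
	owner := func(p string) string {
		if s := strings.SplitN(p, "/", 3); len(s) >= 2 {
			return s[0] + "/" + s[1]
		}
		return p
	}
	for _, r := range reps {
		if owner(r.Old) != owner(r.New) {
			out = append(out, r)
		}
	}
	return out
}

// VersionsUnder groups the modules sharing prefix by version; more than one
// key means the family is not aligned to a single patch level.
func VersionsUnder(reqs []Require, prefix string) map[string][]string {
	byVersion := map[string][]string{}
	for _, r := range reqs {
		if strings.HasPrefix(r.Path, prefix) {
			byVersion[r.Version] = append(byVersion[r.Version], r.Path)
		}
	}
	return byVersion
}

// Findings renders both checks as sorted, human-readable lines.
func Findings(src string) (out []string) {
	reqs, reps := ParseGoMod(src)
	for _, r := range ForkReplacements(reps) {
		out = append(out, fmt.Sprintf("replace %s => %s %s redirects to a fork", r.Old, r.New, r.Version))
	}
	if vs := VersionsUnder(reqs, "k8s.io/"); len(vs) > 1 {
		var parts []string
		for v, mods := range vs {
			sort.Strings(mods)
			parts = append(parts, v+" "+strings.Join(mods, ","))
		}
		sort.Strings(parts)
		out = append(out, "k8s.io/* at mixed versions: "+strings.Join(parts, "; "))
	}
	return out
}

func main() {
	for _, f := range Findings(sampleGoMod) {
		fmt.Println(f)
	}
}
```

Wired into a pre-push hook or a CI step with `go run . < go.mod` semantics (reading the real file instead of the constant), the two findings it prints for this sample are the replace to github.com/rsoaresd/api and the v0.32.1/v0.32.2 split between cli-runtime/kubectl and api/apimachinery/client-go.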

Comment on lines 151 to 154
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
// using latest commit from 'github.com/openshift/api branch release-4.16'
github.com/openshift/api v0.0.0-20250410062700-d6c84c55a124
github.com/openshift/api v0.0.0-20250904140438-5b2b8cafdd82
github.com/pelletier/go-toml/v2 v2.1.1 // indirect
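Review bot: the comment on the second line of this hunk still says branch release-4.16 while the pseudo-version beneath it moves from d6c84c55a124 to 5b2b8cafdd82 (commit dated 2025-09-04); a pseudo-version records only the commit date and hash, not the branch, so that comment is the only statement of which openshift/api branch is being tracked and must be corrected, or the pin verified, in the same hunk, for instance with `git branch -r --contains 5b2b8cafdd82` in a clone of openshift/api.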

💡 Verification agent

🧩 Analysis chain

Confirm OpenShift API branch matches the target 4.19 update.

The comment says “release-4.16” while the PR targets 4.19. Ensure this tracks the correct branch for 4.19, or update the comment/dependency accordingly.


🌐 Web query:

Which branch/tag of github.com/openshift/api corresponds to OpenShift 4.19? Is there guidance on matching k8s 1.32 (v0.32.x) with the proper openshift/api branch?

💡 Result:

Short answer: use the release-4.19 branch of github.com/openshift/api. OpenShift 4.19 is based on Kubernetes 1.32 (k8s v0.32.x), so match the openshift/api release-4.19 branch with k8s v0.32.x client libraries. [1][2][3]

Sources

  • openshift/api branches (release-4.19 branch). [1]
  • OpenShift 4.19 docs stating it uses Kubernetes 1.32. [2][3]

Replace the incorrect 'release-4.16' comment and pin openshift/api to release-4.19 (OpenShift 4.19 → Kubernetes 1.32 / k8s v0.32.x).

Change the inline comment and verify the go.mod revision is from the release-4.19 branch (or update the dependency to the release-4.19 commit/tag) and ensure k8s client libraries are v0.32.x.

File: go.mod Lines: 151-154

	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
	// using latest commit from 'github.com/openshift/api branch release-4.16'
	github.com/openshift/api v0.0.0-20250904140438-5b2b8cafdd82
	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
🤖 Prompt for AI Agents
In go.mod around lines 151-154, the inline comment incorrectly references
'release-4.16' and the openshift/api module needs to be pinned to release-4.19;
update the comment to reflect "using latest commit from
'github.com/openshift/api branch release-4.19'", replace the current
github.com/openshift/api pseudo-version with a commit or tag from the
release-4.19 branch (or the canonical release-4.19 tag), and ensure any
Kubernetes client library dependencies in go.mod are upgraded/changed to v0.32.x
to match OpenShift 4.19 compatibility.

@sonarqubecloud

@rsoaresd rsoaresd merged commit 53273ed into codeready-toolchain:master Sep 16, 2025
14 of 15 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Nov 3, 2025

3 participants